Evaluation of Moving Target IPv6 Defense and Distributed Denial of Service Defenses

Abstract

A Denial-of-Service (DoS) attack is a network attack from a single machine that attempts to prevent the victim, the targeted machine, from communicating to other devices on the network or perform its normal tasks. The extension of these attacks to include many malicious machines became known as Distributed Denial-of-Service (DDoS) attacks. DDoS attacks cause an immense amount of strain on both the victim and the devices used to reach the victim. In reaction to these attacks, preexisting technologies were used as DDoS defenses to mitigate the effects. The two most notable defenses used are the firewall and Internet Protocol Security (IPsec). The technologies behind these defenses emerged over twenty years ago and since then have been updated to conform to the newest Internet protocols. While these changes have kept the technologies viable, these defenses have still fallen victim to successful attacks.

Because of the number of Internet connected devices and the small address space in Internet Protocol version 4 (IPv4), Internet Protocol version 6 (IPv6) was developed to solve the address space problem. With IPv6 however, there are new problems to address; therefore, these aforementioned defenses have to be further modifed to accommodate the new protocol. Moving Target IPv6 Defense (MT6D) has been developed to attempt to leverage the new standard against DDoS attacks in the IPv6 arena. This research evaluates the DDoS prevention capabilities of the aging defenses relative to the newly developed MT6D to determine which defense is best suited to defend against these attacks for a variety of scenarios. The threat environment in this study is limited to Synchronize (SYN) Flood, HTTP/GET Flood, Denial6, Dos-New-IP6, and Slowloris attacks. Attacks on the MT6D key distribution mechanism are not considered. Strengths and weaknesses of the aforementioned defenses are presented and analyzed.

This project examines different metrics including the performance impact on the machines and the client throughput in an instrumented testbed. MT6D has high operating costs and low throughput compared to the other defenses. Under DDoS attacks, the firewall is unable to prevent attacks in IPv6 due to the inability to determine the same host from multiple Internet Protocol (IP) addresses. Overall, IPsec and MT6D effectively mitigate the DDoS attacks. Although, MT6D is susceptible to some attacks due to its operating at the guest level. At this point in MT6D's development, the difference in performance could be considered a reasonable price to pay for the added benefits from MT6D.