Development of a Snort IPv6 Plugin - Detection of Attacks on the Neighbor Discovery Protocol

Martin Schütte, Thomas Scheffler, Bettina Schnor

2012

Abstract

This paper describes the implementation and use of a preprocessor module for the open source Intrusion Detection System Snort. Our implementation utilizes preprocessor APIs for the extension of Snort and provides several new IPv6-specific rule options that make the definition of IPv6-specific attack signatures possible. The preprocessor detects attacks against the IPv6 Neighbor Discovery Protocol and can identify suspicious activity in local IPv6 networks. This includes misconfigured network elements, as well as malicious activities from attackers on the network. To our knowledge this is the first such implementation in an Open Source IDS.

References

  1. Beck, F., Cholez, T., Festor, O., and Chrisment, I. (2007). Monitoring the Neighbor Discovery Protocol. In The Second International Workshop on IPv6 Today - Technology and Deployment - IPv6TD 2007, Guadeloupe.
  2. Eran˜a, E. I. and Scheffler, T. (2010). IPv6 Intrusion Detection mit Snort. In Forschungsbericht der Beuth Hochschule für Technik Berlin. Beuth Verlag GmbH Berlin-Wien-Zürich.
  3. Heuse, M. (nd). THC IPv6 attack tool kit.
  4. Hogg, S. and Vyncke, E. (2009). IPv6 Security. Cisco Press, Indianapolis, IN 46240 USA.
  5. Levy-Abegnoli, E., de Velde, G. V., Popoviciu, C., and Mohacsi, J. (2011). IPv6 Router Advertisement Guard. RFC 6105, Internet Engineering Task Force.
  6. Nikander, P. (2002). Denial-of-Service, Address Ownership, and Early Authentication in the IPv6 World. In Christianson, B., Malcolm, J., Crispo, B., and Roe, M., editors, Security Protocols, volume 2467 of Lecture Notes in Computer Science, pages 12-21. Springer, Berlin/Heidelberg.
  7. Nikander, P., Kempf, J., and Nordmark, E. (2004). IPv6 Neighbor Discovery (ND) Trust Models and Threats. RFC 3756, Internet Engineering Task Force.
  8. Roesch, M. (1999). Snort: Lightweight Intrusion Detection for Networks. In Proceedings of the 13th USENIX conference on System administration, pages 229-238.
  9. Wheeler, J. S. (nd). IPv6 NDP Table Exhaustion Attack.
Download


Paper Citation


in Harvard Style

Schütte M., Scheffler T. and Schnor B. (2012). Development of a Snort IPv6 Plugin - Detection of Attacks on the Neighbor Discovery Protocol . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012) ISBN 978-989-8565-24-2, pages 399-402. DOI: 10.5220/0004073303990402


in Bibtex Style

@conference{secrypt12,
author={Martin Schütte and Thomas Scheffler and Bettina Schnor},
title={Development of a Snort IPv6 Plugin - Detection of Attacks on the Neighbor Discovery Protocol},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)},
year={2012},
pages={399-402},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004073303990402},
isbn={978-989-8565-24-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)
TI - Development of a Snort IPv6 Plugin - Detection of Attacks on the Neighbor Discovery Protocol
SN - 978-989-8565-24-2
AU - Schütte M.
AU - Scheffler T.
AU - Schnor B.
PY - 2012
SP - 399
EP - 402
DO - 10.5220/0004073303990402