Learning from Authoritative Security Experiment Results
Evaluating Distributed Denial of Service Defense Systems in IPv6
Peter DiMarco, Virginia Tech
Stephen Groat, Virginia Tech
Randy Marchany, Virginia Tech
Joseph Tront, Virginia Tech
Background. Distributed Denial-of-Service (DDoS) attacks place an immense amount of strain on the resources of both the target and the intermediate hops. In response, various host-based defenses have been developed to help mitigate these effects. But with Internet Protocol version 6 (IPv6) slowly becoming the standard, these aging defenses face new challenges, and they may not perform effectively in this new environment.
Aim. The tools used as host-based DDoS defenses, such as Internet Protocol Security (IPsec) and firewalls, were created over 20 years ago; they were designed for the protocol of the time and later adapted to fit current needs. Moving Target IPv6 Defense (MT6D) was developed recently at Virginia Tech and leverages the emerging standard to provide enhanced security compared to the existing defenses. This work intends to show that this new DDoS defense mechanism is more effective overall than the pre-existing ones.
Method. A small testbed consisting of attackers, clients, routers, and a server was used to recreate DDoS attack situations. The types of attacks and the client-to-server interactions were varied throughout the tests to provide different scenarios. During these tests, the amount of client interaction and the strain on the machines were recorded.
Results. Tests show that the MT6D implementation was the most effective at maintaining client throughput under the different DDoS attack scenarios. IPsec was a close second but showed poor scalability in certain situations. Under most conditions, both IPsec and MT6D were able to maintain flat, constant throughput under DDoS attacks of varying intensity. The firewall had poor scalability and fell victim to the attacks under most conditions.
Conclusions. IPsec has been in development for many years and is highly optimized. MT6D is new and still under development, yet it achieves throughput comparable to IPsec. Even with the extensive work that has gone into IPsec, MT6D is still able to perform as well as IPsec, and better in some situations. In addition, while MT6D achieves slightly less throughput than IPsec, it provides the added security of obscurity to outside viewers, further hindering man-in-the-middle (MITM) attacks.