This application claims the priority of Korean Patent Application No. 10-2006-121834, filed on Dec. 4, 2006, in the Korean Intellectual Property Office, the disclosure of which is incorporated herein by reference.
1. Field of the Invention
The present invention relates to an apparatus and method for detecting an attack packet in Internet Protocol version 6 (IPv6), and more particularly to an apparatus and method for detecting an attack packet in IPv6, which is configured to detect and cope with an attack or intrusion of an IPv6 packet.
This work was supported by the IT R&D program of MIC/IITA [2005-S-402-02, The Development of the High Performance Network Security System].
2. Description of the Related Art
IPv6 is a next generation Internet protocol, which has new features such as extension of the IP address space, simplification of the basic header format, improvement of the extension header structure, enhancement of Internet control message protocol version 6 (ICMPv6), neighbor discovery protocol (NDP), and automatic address configuration. Recently, network devices such as routers and switches that support the IPv6 environment have been emerging, increasing the need for technologies that serve to detect and handle an attack packet in IPv6. However, because the main focus has been on the design of intrusion detecting and handling technologies suitable for an IPv4 environment, it is difficult to detect and handle a network attack of a packet based on the IPv6 protocol specification.
An aspect of the present invention provides an apparatus and method for detecting an attack packet in IPv6, which is configured to detect and cope with an intrusion on the basis of features of an IPv6 packet and an IPv4/IPv6 tunneling packet.
According to an aspect of the present invention, there is provided an apparatus for detecting an attack packet in Internet Protocol version 6 (IPv6), including: a control unit configured to set a rule for attack determination and a rule for processing of an attack packet; a preprocessing unit configured to decode an IPv6 packet and a tunneling packet, and divide the decoded packet into each header and payload; an attack determining unit configured to determine possibility of attack of the divided packet according to the rule for attack determination by using information of the divided packet, the rule being set at the control unit; and a packet processing unit configured to perform at least one function of packet filtering, packet deleting, packet forwarding, and intrusion alarming according to a result of the determination of the attack determining unit, and the rule for processing of an attack packet, the rule being set at the control unit.
The apparatus for detecting an attack packet in IPv6 may further include a traffic information storage unit configured to store traffic information of a packet determined as an attack packet, so that the control unit can control the attack determining unit and the packet processing unit with reference to the information stored in the traffic information storage unit.
According to another aspect of the present invention, there is provided a method for detecting an attack packet in Internet Protocol version 6 (IPv6), including: setting a rule for attack determination, and a rule for processing of an attack packet; decoding an IPv6 packet and a tunneling packet; dividing the decoded packet into payload and each header; determining possibility of attack of the divided packet according to the rule for attack determination by using information of the divided packet; and performing at least one function of packet filtering, packet deleting, packet forwarding, and intrusion alarming according to a result of the determining of the possibility of attack and the set rule for processing an attack packet.
The method for detecting an attack packet in IPv6 may further include storing traffic information when it is determined that the corresponding packet has the possibility of attack, so that the traffic information can be used in the setting of the rule for attack determination and the rule for processing of an attack packet.
The above and other aspects, features and other advantages of the present invention will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings, in which:
Exemplary embodiments of the present invention that would be easily embodied by those of ordinary skill in the art will now be described in detail with reference to the accompanying drawings. However, in the detailed description of the operational principle according to the exemplary embodiments, well-known functions and structures will not be described in detail to avoid ambiguous interpretation of the present invention. Also, like reference numerals are used for like elements throughout the specification.
The preprocessing unit 100 collects and decodes an IPv6 packet and a tunneling packet, and divides the decoded IPv6 packet into payload and each header. Thereafter, the preprocessing unit 100 transmits the divided packet to the attack determining unit 200.
The attack determining unit 200 determines whether the divided packet from the preprocessing unit 100 has a feature of an attack packet.
When the attack determining unit determines that the divided packet is an attack packet, the packet processing unit 300 filters and/or deletes the packet, and associated traffic information may be transmitted and stored in the traffic information storage unit 500 so that another packet with the same feature can be quickly detected and handled. Also, to properly cope with the attack packet, an intrusion alarm is generated to report an attack to a security system or a manager employing the present invention. In contrast, if it is determined that the packet is not an attack packet, the corresponding packet is forwarded.
The control unit 400 controls operations of the attack determining unit 200 or the packet processing unit 300. That is, the control unit 400 determines on which occasions a packet is classified as one that has possibility of attack, and how to process a packet with possibility of attack and a packet with none. Here, the control unit 400 can control operations of the attack determining unit 200 and the packet processing unit 300 by using the traffic information of the attack packet, which is stored in the traffic information storage unit 500.
An operation of each element will now be described in more detail.
The IPv6 packet decoder 310 and the tunneling packet decoder 320 perform decoding by decomposing the packet according to the standard protocol defined in the corresponding RFC.
The packet classifier 330 divides the decoded IPv6 packet into a basic header, an extension header, a layer 4 (L4) protocol header, payload, and so on. The packet classifier 330 also divides the decoded tunneling packet into an IPv6 header and an IPv4 header. The decoding and dividing are performed to determine possibility of attack for each header and payload. The divided packet is sent to the attack determining unit 200 for determination of possibility of attack.
The basic header examination unit 410 extracts source address information, destination address information, version information, next header information, and payload length information from the basic header received from the preprocessing unit 100, and determines whether the corresponding packet has possibility of attack from at least one piece of the extracted information. The extension header examination unit 420 extracts hop-by-hop extension header information, routing extension header information, fragment extension header information, destination extension header information, Internet protocol security protocol (IPsec) extension header information, and authentication extension header information from the extension header received from the preprocessing unit 100. Then, the extension header examination unit 420 determines whether the corresponding packet has possibility of attack by using at least one piece of the extracted information.
The payload examination unit 430 determines whether a payload field from the preprocessing unit 100 includes possibility of attack. The L4 protocol examination unit 440 determines whether an L4 protocol field of the corresponding packet includes possibility of attack by examining a transmission control protocol (TCP) header or user datagram protocol (UDP) header.
The IPv6 protocol vulnerability examining unit 450 detects an attack taking advantage of a vulnerability of neighbor discovery protocol (NDP), duplicate address detection (DAD), or Internet control message protocol version 6 (ICMPv6), which arises from the configuration of the protocol itself.
The IPv6 header examination unit 460 for a tunneling packet and the IPv4 header examination unit 470 for a tunneling packet respectively determine whether IPv6 and IPv4 headers have possibility of attack taking advantage of a transition technology from IPv4 to IPv6 such as Configuration tunnel, 6 to 4, 6over4, intra-site automatic tunnel addressing protocol (ISATAP), Teredo, and IPv6 over multi protocol label switching (MPLS), i.e., a dual stack transition mechanism. In general, since a tunneling packet in an IPv6 environment includes both an IPv6 header field and an IPv4 header field, the IPv6 header examination unit 460 and the IPv4 header examination unit 470 can separately perform the attack determination.
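The following Python sketch is an added illustration, not code from the patent, of how the packet classifier 330, the basic and extension header examination units 410/420, and the tunneling header examination units 460/470 described above could divide a packet and apply attack-determination rules. It assumes the header layouts of RFC 8200 and the IPv6-in-IPv4 encapsulation (IPv4 protocol 41); the rule names, thresholds and the sample packet are constructed for the example.

```python
import struct
# IANA next-header values. ESP (50) is not walked: what follows it is encrypted.
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
IPV4_PROTO_IPV6 = 41  # IPv4 protocol number for IPv6-in-IPv4 tunnels (configured tunnel, 6to4, ISATAP)

def classify_ipv6(pkt: bytes) -> dict:
    """Divide an IPv6 packet into basic header, extension header chain, L4 protocol number and L4 header+payload."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 basic header")
    vtcfl, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    basic = {"version": vtcfl >> 28, "payload_len": plen, "hop_limit": hlim,
             "src": pkt[8:24], "dst": pkt[24:40], "actual_len": len(pkt) - 40}
    exts, off = [], 40
    while nh in EXT_HEADERS and off + 2 <= len(pkt):
        next_nh, ext_len = pkt[off], pkt[off + 1]
        # Fragment header is a fixed 8 bytes; AH length is in 4-byte words; the others in 8-byte units
        hlen = 8 if nh == FRAGMENT else (ext_len + 2) * 4 if nh == AH else (ext_len + 1) * 8
        ext = {"type": nh, "len": hlen}
        if nh == ROUTING and off + 4 <= len(pkt):
            ext["routing_type"], ext["segments_left"] = pkt[off + 2], pkt[off + 3]
        exts.append(ext)
        off, nh = off + hlen, next_nh
    return {"basic": basic, "ext": exts, "l4_proto": nh, "l4_payload": pkt[off:]}

def classify_tunnel(pkt: bytes):
    """IPv4 packet carrying IPv6 (protocol 41): outer IPv4 fields plus the divided inner packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != IPV4_PROTO_IPV6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return {"ipv4": {"src": pkt[12:16], "dst": pkt[16:20], "ttl": pkt[8]}, "inner": classify_ipv6(pkt[ihl:])}

def examine(divided: dict) -> list:
    """Constructed rules for attack determination over a divided packet; returns the names of the rules that fired."""
    b, exts = divided["basic"], divided["ext"]
    types = [e["type"] for e in exts]
    rules = {
        "version-not-6": b["version"] != 6,
        "payload-length-mismatch": b["payload_len"] != b["actual_len"],  # declared vs. on-the-wire length
        "hop-by-hop-not-first": HOP_BY_HOP in types[1:],  # RFC 8200 allows it only right after the basic header
        "extension-header-chain-abuse": len(types) != len(set(types)) or len(types) > 4,
        "routing-header-type-0": any(e.get("routing_type") == 0 and e.get("segments_left", 0) > 0
                                     for e in exts),  # RH0 deprecated by RFC 5095
    }
    return [name for name, fired in rules.items() if fired]

# Constructed sample: IPv6 / hop-by-hop (PadN) / routing header type 0 with one segment left / 20-byte TCP header
SAMPLE = (bytes([0x60, 0, 0, 0]) + struct.pack("!HBB", 52, HOP_BY_HOP, 64) + bytes(range(16)) + bytes(range(16, 32))
          + bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])                       # hop-by-hop: next=43, len=0 -> 8 bytes
          + bytes([6, 2, 0, 1, 0, 0, 0, 0]) + bytes(16) + bytes(20))    # routing: next=TCP, len=2 -> 24 bytes; TCP
```

Running `examine(classify_ipv6(SAMPLE))` reports the deprecated type 0 routing header, and wrapping the same packet in an IPv4 header with protocol 41 lets `classify_tunnel` hand the inner packet to the same rules.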
The attack determination setting unit 510 sets rules for detecting an attack packet, and sends information of a corresponding rule to the attack determining unit 200. The rule for detecting an attack packet can be adjusted flexibly in a setting of a manager or in a security system employing the present invention. Also, rules for determining an attack packet can be set by using information of a packet previously determined as an attack packet, which is stored in the traffic information storage unit 500, so that attack packets having similar characteristics can be detected and handled more quickly.
The packet processing setting unit 520 sets rules for processing an attack packet, and sends information of the corresponding rule to the packet processing unit 300. For example, a packet determined as an attack packet is filtered and/or deleted, and associated information is transmitted to the traffic information storage unit 500, so that the information can be used for the next packet. When an attack packet is detected, an intrusion alarm is generated so that a manager or a security system employing the present invention can properly cope with the attack packet. The rule can be set with reference to the information of an existing attack packet stored in the traffic information storage unit 500, so that processing of a specific packet can be adjusted.
In an apparatus and method for detecting an attack packet in IPv6 according to embodiments of the present invention, an IPv6 packet and a tunneling packet are examined for determination of possibility of attack, and a packet having possibility of attack is filtered and/or deleted, so that an attack packet can be detected and handled in IPv6.
While the present invention has been shown and described in connection with the exemplary embodiments, it will be apparent to those skilled in the art that modifications and variations can be made without departing from the spirit and scope of the invention as defined by the appended claims.
Number | Date | Country | Kind |
---|---|---|---|
10-2006-0121834 | Dec 2006 | KR | national |