ISSN: 2277-3754
ISO 9001:2008 Certified
International Journal of Engineering and Innovative Technology (IJEIT)
Volume 2, Issue 5, December 2012

DoS Attacker Identification in MANET IPv6 Using ICMPv6

S. Feslin Anish Mon, Dr. Raj Kumar Saha, Dr. L. Rajaji
Research Student, BR Ambedkar Bihar University, Bihar, India
Professor, BR Ambedkar Bihar University, India
Professor, PB College of Engineering, Chennai, India

Abstract— The Internet has become a source of information that any user can conveniently access from anywhere. This accessibility makes it extremely vulnerable to motivated and well-equipped users intent on disrupting the flow of information or using it for personal gain. The Internet is becoming the pervasive means of communication, for data in particular. However, its pervasiveness has also generated many security problems, such as authentication, data confidentiality, data integrity and intrusion, among which denial-of-service (DoS) and distributed DoS (DDoS) attacks pose significant problems, as they disrupt useful traffic and are hard to prevent. In mobile ad hoc networks, where the nodes are typically devices with limited bandwidth, computational resources and battery power, and the routing topology is unpredictable, additional constraints are placed on detection and tracing techniques that must locate the attack sources efficiently [1]. This paper gives an overview of the issues of trace back in the context of IPv6 and Mobile IPv6. It then proposes a technique based on ICMPv6 Trace back with Cumulative Path (ITrace-CP), which retrieves the entire attack path information in the ICMPv6 trace back message to facilitate the trace back mechanism in a mobile ad hoc network [1].

Keywords— Distributed Denial of Service, Mobile IPv6, ICMPv6, IP Trace back.

I. INTRODUCTION

Denial-of-service (DoS) attacks are a pressing problem in today's Internet.
Their impact is often more serious than network congestion due to their targeted and concentrated nature. In a distributed DoS (DDoS) attack, the attacker uses a number of compromised slaves to increase the transmission power and orchestrate a coordinated flooding attack. Highly automated attack tools have been developed, a common ingredient of which is the use of spoofed source addresses. In particular, DDoS attacks with hundreds or thousands of compromised hosts, often residing on different networks, may lead to overload and crash of the target system. Due to the stateless nature of the Internet, the dilution of locality in the flooding stream combined with spoofed source addresses undermines the effectiveness of trace back techniques for locating the sources. By using IP spoofing, stepping-stone techniques and zombie slaves, attackers can quite easily hide their identity. Therefore, finding the true identity of an attacker involves many steps, of which tracing the machines that directly generate the attack packets is only the first. Another way to mount efficient DDoS attacks, which does not include the use of compromised slaves, is by bouncing

Numerous mechanisms have been proposed to detect and trace back the real sources. Most of this work has addressed IP version 4. This paper focuses on trace back mechanisms for the DDoS scenario in the context of IPv6 in a mobile ad hoc network [1].

The paper is organized as follows: Section 1 gives the introduction. Section 2 gives some information on DDoS attacks on IPv6 and Mobile IPv6. Section 3 discusses the proposed mechanism of DDoS detection and trace back. Section 4 describes the proposed trace back technique. Section 5 concludes the paper [1].

II. BACKGROUND

Scenarios of DDoS attacks

The key transformations introduced by the Mobile IPv6 protocols are IPv6 tunneling and the swapping of the home address with the CoA.
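
Both transformations named above leave a recognizable mark in the packet headers, and a trace back tool has to identify it before it can tell which addresses actually crossed the network. The following Python parser is an added example, not code from the paper; it assumes the RFC 6275 encodings (Home Address destination option type 201, Type 2 routing header, next-header 41 for IPv6-in-IPv6), and the function names and 2001:db8:: sample packets are constructed for illustration.

```python
import ipaddress
import struct

HOPOPT, IPV6, ROUTING, DSTOPTS, NONE = 0, 41, 43, 60, 59  # IANA next-header values
HOME_ADDRESS_OPT, RH_TYPE2 = 201, 2                       # RFC 6275 option / routing type

def _a(raw):
    return str(ipaddress.IPv6Address(bytes(raw)))

def _home_address(opts):
    """Scan destination-option TLVs for the Home Address option."""
    i = 0
    while i < len(opts):
        # Pad1 (type 0) is one byte; any other option is 2 + its length byte
        size = 1 if opts[i] == 0 else 2 + (opts[i + 1] if i + 1 < len(opts) else len(opts))
        if i + size > len(opts):
            raise ValueError("truncated option")
        if opts[i] == HOME_ADDRESS_OPT and size == 18:
            return _a(opts[i + 2:i + 18])
        i += size
    return None

def classify(pkt):
    """Report which Mobile IPv6 transformation a received packet carries."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    out = {"kind": "plain", "wire_src": _a(pkt[8:24]), "wire_dst": _a(pkt[24:40])}
    nxt, off = pkt[6], 40
    while nxt in (HOPOPT, ROUTING, DSTOPTS):
        if off + 2 > len(pkt) or off + (pkt[off + 1] + 1) * 8 > len(pkt):
            raise ValueError("truncated extension header")
        ext = pkt[off:off + (pkt[off + 1] + 1) * 8]
        if nxt == ROUTING and ext[2] == RH_TYPE2 and len(ext) == 24:
            out.update(kind="type2-routing-header", home_address=_a(ext[8:24]))
        elif nxt == DSTOPTS and (hoa := _home_address(ext[2:])):
            out.update(kind="home-address-option", home_address=hoa)
        nxt, off = ext[0], off + len(ext)
    if nxt == IPV6:                                       # IPv6-in-IPv6 tunnel
        out.update(kind="tunneled", inner=classify(pkt[off:]))
    return out

def ipv6(src, dst, nxt, payload=b""):                     # builder for the samples
    pack = lambda a: ipaddress.IPv6Address(a).packed
    return struct.pack("!IHBB", 6 << 28, len(payload), nxt, 64) + pack(src) + pack(dst) + payload

# Constructed samples (documentation prefix 2001:db8::/32), not captured traffic
COA, HOA, CN, HA = "2001:db8:2::10", "2001:db8:1::10", "2001:db8:3::1", "2001:db8:1::1"
HAO_PKT = ipv6(COA, CN, DSTOPTS, bytes([NONE, 2, 1, 2, 0, 0, 201, 16]) + ipaddress.IPv6Address(HOA).packed)
RH2_PKT = ipv6(CN, COA, ROUTING, bytes([NONE, 2, 2, 1, 0, 0, 0, 0]) + ipaddress.IPv6Address(HOA).packed)
TUN_PKT = ipv6(HA, COA, IPV6, ipv6(CN, HOA, NONE))
```

In each result, `wire_src` and `wire_dst` are the addresses routers on the path saw, while `home_address` (or the `inner` header of a tunneled packet) is the identity the mobility layer presents to upper layers.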

The various possible scenarios of attack, in which the HA, CN or MN is under DoS or DDoS attack, are analyzed below.

1) HA under attack
This case is not specific to Mobile IPv6. It can be treated as a normal IPv6 attack.

2) CN under attack
When the CN is the victim of an attack and the attack packets contain a "destination home address option", the CN should reconstruct the actual packet that traversed the network by substituting the MN's CoA into the source address field, with the destination option containing the MN's home address.

3) MN under attack
The MN can be attacked in two different ways: directly and indirectly. When it is attacked directly, packets are destined for its CoA. In the other case, packets are sent to its home address. In terms of packet types, the MN can receive the following three formats on its interface:

a) IP packets without a routing header. These are packets sent to the MN's CoA, without any reference to its HoA.
b) IP packets with a routing header containing the MN's home address, for example, packets sent to the MN by a CN that has acquired the MN's CoA binding.
c) Tunneled IP packets, for example, packets sent by a CN to the MN's HoA and then tunneled to the MN.

The first case is the generic scenario, which can be processed normally. In the second case, when the routing header is used, the MN has to reconstruct the actual packet