A Dual Stack IPv4/IPv6 Testbed for Malware Detection in IPv6 Networks

Altyeb Altaher
National Advanced IPv6 Center, Universiti Sains Malaysia, Malaysia
altyeb@nav6.org

Sureswaran Ramadass, Ammar Ali
National Advanced IPv6 Center, Universiti Sains Malaysia, Malaysia
{Sures, Ammarali}@nav6.org

Abstract- The exhaustion of IPv4 addresses in November 2011 has placed the future of the Internet in IPv6 and raised new challenges for network security research. This paper proposes a dual stack IPv4/IPv6 network testbed for the design and implementation of an intelligent approach to malware detection in IPv6 networks. All equipment, tools and the network itself are configured as a real dual stack IPv4/IPv6 deployment. Being fully functional in handling basic transition between IPv6 clients over IPv4 networks, the dual stack IPv4/IPv6 testbed is suitable for investigating malware detection in real IPv6 networks. The experimental results from the testing phase show the efficiency and functionality of the dual stack IPv4/IPv6 testbed.

Keywords- Dual stack IPv4/IPv6; network testbed; malware detection

I. INTRODUCTION

IPv6, or IP version 6, is the next generation Internet protocol which will eventually replace the current protocol, IPv4. IPv6 has a number of improvements and simplifications when compared to IPv4. The primary difference is that IPv6 uses 128 bit addresses as compared to the 32 bit addresses used with IPv4 [1]. This means that far more IP addresses are available with IPv6 than with IPv4 alone. The shortage of IPv4 addresses, which were fully exhausted in November 2011, and the growing need for an enhanced next-generation Internet protocol have made IPv6 deployment urgent. Many kinds of systems over the Internet, such as online shopping, Internet banking, trading of stocks and foreign exchange, and online auctions, have been developed based on IPv6.

However, due to the open nature of the Internet, the security of our computer systems and data is always at risk. The extensive growth of the Internet has made malware detection a critical component of infrastructure protection mechanisms. This work-in-progress paper is organized as follows. Section 1 is an introduction. In Section 2, malware in IPv6 based networks is presented. In Section 3, the proposed dual stack IPv4/IPv6 testbed is presented. Section 4 concludes our work.

II. MALWARE IN IPV6 BASED NETWORKS

"Malware" is an abbreviation for "malicious software" and refers to any software designed to cause damage to a single computer, server, or computer network [2]. According to Kaspersky Labs, 252,187,961 malicious programs were detected in February 2011 [3]. This worryingly high number is only likely to increase, especially as malware authors' incentive for writing such software is now mainly financial. According to its propagation methods, malicious code is usually classified into the following categories [4], [5], [6]: viruses, worms, Trojan horses, backdoors and spyware. Due to the significant loss and damage caused by malicious executables, malware detection has become one of the most critical issues in the field of computer security. Smart malware can first detect vulnerable hosts in an IPv6 subnet; after all the vulnerable hosts in a subnet are infected, the dual-stack malware can migrate across different IPv6 networks via many well-known random-scanning schemes (e.g., DNS, email, IPv4 address) [7, 8, 9, 10]. Although the current mitigation techniques for identifying malware in IPv4 remain valid in IPv6, network administrators will need to be wary of possible new malware proliferation methods.

Reconnaissance Attacks

Reconnaissance attacks are used by attackers to collect information about a target network. The information gathered is used later for access or denial of service attacks. There are many ways to gather information about a network; one example is ICMP ping. Reconnaissance attacks are popular in IPv4 networks because the IPv4 address space is small, which eases the work of the reconnaissance attacker. In contrast to the limited addresses in IPv4, the number of IPv6 addresses is huge, which makes reconnaissance attacks very difficult, if not impossible.

Man-in-the-middle attack

In a man-in-the-middle attack the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
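As an added example (not code from the paper or its testbed), the following Python applies a single ping-sweep detection rule to constructed dual-stack ICMP echo-request records, so that IPv4 and IPv6 reconnaissance are judged by the same logic, and quantifies the address-space argument made in the reconnaissance passage above. The log format, addresses, window and threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of ICMP/ICMPv6 echo-request records from a dual-stack
# sensor, in a hypothetical "timestamp src dst" format (not data from the paper).
SAMPLE_LOG = """\
1 192.0.2.10 192.0.2.1
2 192.0.2.10 192.0.2.2
3 192.0.2.10 192.0.2.3
4 192.0.2.10 192.0.2.4
5 192.0.2.10 192.0.2.5
6 2001:db8::50 2001:db8::1
7 2001:db8::50 2001:db8::2
8 198.51.100.7 198.51.100.9
9 2001:db8::50 2001:db8::3
20 192.0.2.10 192.0.2.6
"""

def parse_log(text):
    """Yield (time, src, dst); ip_address() handles both families, so the
    detector below needs no IPv4/IPv6 special cases."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            yield int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst)

def detect_sweeps(records, window=10, threshold=4):
    """Return {src: distinct_targets} for every source that probed at least
    `threshold` distinct destinations within some `window`-second span."""
    by_src = defaultdict(list)
    for ts, src, dst in records:
        by_src[src].append((ts, dst))
    alerts = {}
    for src, probes in by_src.items():
        probes.sort()                      # slide a window over the sorted probe times
        for i, (t0, _) in enumerate(probes):
            targets = {d for t, d in probes[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                alerts[src] = len(targets)
                break
    return alerts

def scan_space_ratio(v4_prefix="192.0.2.0/24", v6_prefix="2001:db8::/64"):
    """How many times larger a typical IPv6 subnet is than an IPv4 /24; this
    factor is why exhaustive ping sweeps stop being practical in IPv6."""
    v4 = ipaddress.ip_network(v4_prefix).num_addresses
    v6 = ipaddress.ip_network(v6_prefix).num_addresses
    return v6 // v4

if __name__ == "__main__":
    print(detect_sweeps(parse_log(SAMPLE_LOG)))   # only the IPv4 sweeper trips the rule
    print(scan_space_ratio())
```

The IPv6 source in the sample touches only three hosts inside the window, so the same rule that flags the IPv4 sweep stays quiet for it; lowering the threshold for IPv6 would trade that silence for false positives from legitimate Neighbor Discovery traffic.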