Impacts Evaluation of DoS Attacks Over IPv6 Neighbor Discovery Protocol

The Neighbor Discovery Protocol (NDP) is one of the main protocols in the Internet Protocol version 6 (IPv6) suite. It provides many basic functions for the normal operation of IPv6 in a Local Area Network (LAN), such as address auto-configuration and address resolution. However, NDP has several vulnerabilities that malicious nodes can use to launch attacks, because NDP messages are easily spoofed. Many solutions have been proposed to secure NDP, but these solutions either introduce new protocols that must be supported by all nodes or build mechanisms that require the cooperation of all nodes. In this paper we overview NDP vulnerabilities and the available solutions for overcoming their impacts on IPv6 networks. In addition, a research test bed set up to implement these vulnerabilities is introduced. Attacks that demonstrate these vulnerabilities are implemented on different operating systems, on Windows and Linux platforms. Three network metrics, throughput, delay and resource consumption, were chosen to investigate, analyze and evaluate the impacts of NDP-related attacks on IPv6 link-local communication. Overall, the results show that the Linux-based operating system performs better under these attacks than the Windows-based operating system.


Introduction
IPv6 is the protocol designed as the successor to IPv4 (Hakiem et al., 2015). It is intended to solve the problems faced by IPv4 in today's Internet, such as address space limitation, security and scalability. Compared with the 32-bit IPv4 address, the IPv6 address comprises 128 bits. This is more than enough for the foreseeable future, as it can supply an IP address for every meter of the Earth's surface. NDP is an auxiliary protocol for IPv6 and is specified in two Requests For Comments (RFC): Neighbor Discovery for IPv6 (Anbar et al., 2016) and IPv6 Stateless Address Auto Configuration (SLAAC) (Ahmed et al., 2017). The former is used for discovering IPv6 nodes on the same link, and the latter allows hosts to configure their IPv6 addresses automatically without outside help such as a Dynamic Host Configuration Protocol (DHCP) server.
Because the IPv6 address is long and its address space is huge, SLAAC is a very convenient function that makes an IPv6 network plug-and-play. For the normal operation of IPv6, NDP also provides other functions including router/prefix/parameter discovery, address resolution, next-hop determination, Neighbor Unreachability Detection (NUD), Duplicate Address Detection (DAD) and redirection. All of these functions are based on the exchange of NDP messages, which are encapsulated in Internet Control Message Protocol version 6 (ICMPv6) packets. NDP messages are confined to a link and are only transmitted within the scope of a LAN; attached routers will not forward NDP messages from one network to another. According to Anbar et al. (2016), NDP uses five types of ICMPv6 messages. Router Solicitation (RS): hosts send RS messages to find the default router and request network information from routers. Router Advertisement (RA): routers send RA messages periodically or in response to an RS message. Neighbor Solicitation (NS): nodes send NS messages to resolve a neighbor's IPv6 address to its Media Access Control (MAC) address or to detect the reachability of a neighbor. Neighbor Advertisement (NA): a node sends an NA message to answer a solicited NS message, or sends an unsolicited NA message to propagate changed information such as a new MAC address. Redirect Message (RM): routers send redirect messages to inform a host of a better first-hop node on the path to a destination. A summary of NDP messages and functions is presented in Table 1.
Here we describe two procedures to show how the NDP messages are used. The first is address resolution. When a node wants to communicate with another node whose IPv6 address it knows but whose MAC address it does not, it first sends a multicast NS message asking all nodes in the LAN who owns this IPv6 address. The node holding the address then sends back a unicast NA message advertising its MAC address. The second is the DAD procedure. When a node auto-configures an IPv6 address, it first verifies the uniqueness of that address by sending several NS messages to the corresponding solicited-node multicast address.
If it receives any NA message in response to this solicitation, the address is already in use; otherwise, the node may start using the address on the network. From these two examples we can see that both procedures are vulnerable to spoofing. A fake reply to address resolution may lead to a Man-in-the-Middle (MITM) attack, and forged NAs during DAD result in a Denial of Service (DoS) attack.
From the above, it is clear that NDP is an essential component of an IPv6 LAN. However, there are many security issues related to NDP that attackers can use to disrupt the legitimate communication of users. Although NDP defines many rules for sending and receiving NDP messages legitimately, there is no enforcement mechanism that guarantees a node behaves normally. Therefore, malicious nodes can launch attacks by misusing NDP messages, and an effective authentication mechanism is very important for securing NDP. The need for a test bed, along with its configurations, topologies, attacking tools and data gathering techniques, to study NDP cannot be denied. Such a setup allows researchers to study the behavior of real networks under different types of NDP attacks. Moreover, the test bed can help researchers test the effectiveness and efficiency of newly proposed solutions against NDP attacks. In this paper we provide a complete test bed setup for examining IPv6 NDP-related attacks. The impacts of these attacks on different operating systems have been investigated, analyzed and evaluated. This paper is organized as follows: in part two we overview DoS attacks, their types and classifications. In part three, NDP vulnerabilities are explained and categorized according to their relation to the routing process. The test bed setup and the configurations used to implement NDP attacks are given in part four. The results of the impact evaluation are presented in part five. Existing solutions are covered in part six, and we conclude in part seven.

Overview of Denial of Service Attacks
One of the major concerns in today's interconnected networks is network security. Network traffic can be disrupted by an attack on one node, which can severely affect the other nodes in the network. A network server may encounter various kinds of attacks from time to time, which degrade its performance. A DoS attack, which is considered a really troublesome problem to handle, is one example of these attacks. In a DoS attack, a malicious node prevents the victim node from communicating with the other nodes on the network, as shown in Fig. 1. Consequently, the victim node cannot process requests received from other nodes, and the services needed by legitimate users are not provided to them. For this reason, inspection of network traffic is essential to find malicious or infected packets, and it should be done in such a way that malicious packets are isolated from legitimate ones so that services keep being delivered smoothly to legitimate users and clients. Only a small amount of resources and bandwidth is needed for an attacker to execute a DoS attack. The attack can take place in several ways: in one, the attacker exploits software vulnerabilities present in the victim node, and in another, the attacker produces a huge number of malicious packets (Rehman and Manickam, 2016). A web server can be crashed by these types of attacks no matter what hardware capabilities it possesses. The first major DoS attack, recognized as an email worm, was executed in Europe in 1987 by an IBM employee. The attack gathered considerable attention because IBM's shared network became overloaded and crashed on both continents, Europe and the USA. As a result of system downtime and recovery (Rehman and Manickam, 2015a), these types of attacks still cause significant damage to the productivity and revenues of corporate networks.
IPv6, which was created by the Internet Engineering Task Force (IETF) to address the limitations of IPv4, is exposed to DoS attacks. Legitimate nodes are prevented from accessing network resources as a result of DoS attacks. A DoS attack does not involve stealing information; instead, the security of the network is violated and network connections tend to be interrupted. As these attacks target the IP network, they can affect any system regardless of its operating system; therefore, any operating system using IPv4 or IPv6 can encounter them (Rehman and Manickam, 2015b). Even though they are frequently aimed at IP network services, DoS attacks can also threaten VoIP and other real-time services. Attackers can hide the source of a DoS attack by means of spoofing, i.e., IP address spoofing or MAC address spoofing.

Classification of Denial of Service Attacks
A single computer is enough to launch a DoS attack, while a Distributed Denial of Service (DDoS) attack is more complex. A DDoS attack involves a number of compromised computers, known as zombies, which are all used at the same time (Baishya et al., 2017). Accordingly, flooding-based attacks can be initiated from one source in the case of DoS or from multiple sources in the case of DDoS. Below we explain the difference between the software-exploit and flooding types of DoS attacks.

Software Exploits
A low-rate DoS attack that keeps a low profile in order to remain hidden is referred to as a software exploit. In a software-exploit attack, the attacker uses malicious nodes to take advantage of system vulnerabilities in order to prevent legitimate users from accessing services and available resources (Kavitha and Padmavathi, 2017).

Flooding
In this type of DoS attack, the attacker sends a continuous, massive stream of packets to the victim node to consume resources that would otherwise be available to legitimate users. As a result, the victim node freezes because processing the flood of malicious packets consumes all available resources. During a flooding attack the attacker may also redirect traffic from other nodes to the victim (Najjar et al., 2015), causing network congestion and consuming the victim's resources such as Central Processing Unit (CPU), memory or bandwidth. Consequently, network communication between the victim and other nodes is prevented by this type of attack (Rehman and Manickam, 2015c).

DoS Attacks on Internal Networks
Web servers, which do not have a direct link to the internal network of an organization, are not the only targets of DoS attacks. Internal networks are also susceptible to DoS attacks, and attackers may use malware to gain access to the internal network. Saad et al. (2015) mentioned a survey, with respondents from 130 organizations, that was held in 2012 to identify organizations' security concerns, including those related to internal IPv6 networks. 70% of the respondents counted DoS attacks among their IPv6 security concerns, and approximately 50% of the respondents had faced compromised hosts on their internal networks. From this we can see that the respondents were really concerned about monitoring and guarding the availability of services on their internal IPv6 networks. Because the attacker needs access to the local IPv6 network in order to initiate the attack, these types of attacks may be considered minor. Nevertheless, access to the local network can be gained through a number of techniques and tools. Firewalls or a Demilitarized Zone (DMZ) are meant to stop malicious packets from passing through (Shrivastava et al., 2010), but malware can be used by an attacker to bypass firewalls so that access to the internal LAN is gained. A number of organizations have encountered network attacks initiated by malicious insiders; an insider is a trusted person from within the organization. When malicious insiders initiate attacks, it is troublesome to find them out because insiders generally know the security mechanisms of the organization's network (Kuldeep and Tyagi, 2014). A link-local DoS attack cannot be prevented by encryption and integrity checks, which are commonly used to counter attacks that originate outside the network. DoS attack packets may be signed by a server and may contain real or fake IP addresses. The attack packets can even be encrypted with an imaginary key. Accordingly, such attacks cannot be stopped by encryption and integrity checks, and an attacker can flood the devices inside an internal network, causing them to stop working.

Fig. 1. DoS attack: the attacker bombs the server with flooded requests, so legitimate users' requests cannot be processed.

DoS Attacks via IPv6 Tunneling
One might suppose that, provided an enterprise is not using IPv6, its IPv4 network is secure from IPv6 attacks. However, network administrators may not realize that hidden IPv6 tunneling is taking place in the network in order to traverse IPv4-only networks, or that a malicious IPv6 appliance is present on the network. A number of operating systems have IPv6 enabled by default, including Windows 7, Linux and Mac OS X. IPv6 traffic can be tunneled over IPv4, thereby evading security controls that are meant for IPv4 only; in effect, an IPv6 tunnel can serve as a backdoor into the internal network. IPv4-to-IPv6 transition mechanisms, including Teredo, can be used by attackers to initiate DoS attacks. IPv6-over-IPv4 tunneling protocols can be detected by edge devices such as routers or firewalls, but the encapsulated IPv6 packets cannot be secured by these devices. Conventional network security tools, for instance Intrusion Detection Systems (IDS), that operate in IPv4 environments only are not useful against IPv6 transition mechanisms like tunneling, and they may fail to detect anomalies while an IPv6 flooding-based DoS attack is taking place.

NDP Vulnerabilities
According to RFC 3756, NDP vulnerabilities fall into three common types. Redirect attacks are the first type, in which malicious nodes direct packets away from legitimate nodes, so the packets can no longer be traced from the last-hop router. It is important to mention that under redirect attacks other genuine receivers are also directed to alternative nodes. DoS is the second category of NDP vulnerabilities; this type of attack is characterized by malicious nodes preventing the flow of information between the attacked nodes and all other nodes (Ahmed et al., 2015a), or between the attacked nodes and specific intended addresses. Thirdly, NDP is subject to flooding DoS attacks (Ahmed et al., 2015b), in which the malicious nodes direct the traffic of other hosts to the victim node, creating a flood of bogus traffic targeted at the victim host. In the section below, three sub-sections are used to identify NDP threats with regard to the routing process: threats related to routing data, router-independent threats and threats that can be remotely manipulated. We used the NDP trust models and threats in RFC 3756 to outline these categories of threats.

Neighbor Solicitation/Advertisement Spoofing
In this type of attack, legitimate nodes do not receive their legitimate packets. Instead, the attacker diverts them to another node, either by sending an NA message with an incorrect target link-layer address or an NS message with an incorrect source link-layer address, as shown in Fig. 2.

Neighbor Unreachability Detection (NUD) Failure
This attack succeeds because the attacker sends a fabricated NA message in response to the victim's NS message during the NUD process (Praptodiyono et al., 2015a). The victim is deceived by this fabricated NA message into thinking the neighbor is still reachable when it is not.

Duplicate Address Detection DoS Attack
When a new node joins an IPv6 link, it performs a DAD check for the address it is trying to use; this is part of the SLAAC mechanism on an IPv6 link. The attacker replies to every check for an IPv6 address that the victim tries to use, claiming that it (the attacker) is already using this address (Rehman and Manickam, 2015c). This prevents the victim from obtaining a valid address and consequently denies it access to the communication link, as shown in Fig. 3.

Malicious Last Hop Router
In this type of attack the attacker pretends to be the last-hop router by sending spoofed RA messages, either in response to RS messages or on a routine basis. The first spoofed RA message carries the last-hop router's source address and a short router lifetime. It is followed by another RA message with the attacker's source address but a longer router lifetime (Song and Ji, 2016). Once the victim selects the attacker's address as its default router, all traffic is directed to the attacker's host instead of the last-hop router, as shown in Fig. 4.

Default Router is Killed
In this type of attack the victim assumes that all nodes are local. This happens because the attacker has killed the default router, either by launching a DoS attack against the router or by sending a spoofed RA message with a zero lifetime, which empties the default router list (Praptodiyono et al., 2015b). Consequently, and according to RFC 2461, the victim will never send packets to the default router, as shown in Fig. 5.

Good Router Goes Bad
In this attack, a router that was previously trusted is compromised. This is known as a redirect/DoS attack.

Spoofed Redirect Message
This attack is used to redirect packets for a specific destination to another node attached to the local link. The attacker uses the current first-hop router's link-local address to send a spoofed redirect message (Perumal and Priya, 2016). Packets continue to flow to that specific destination as long as the attacker replies to NUD messages.

Bogus On-Link Prefix
The attacker deceives the victim into believing that some prefix is on-link by sending a fabricated RA message. Accordingly, the victim assumes that the nodes in that prefix are on-link and, instead of sending packets to the router, it sends NS messages that are never answered, leading to denial of service for that node.

Bogus Address Configuration Prefix
In this type of attack the victim receives a bogus RA message from the attacker that identifies a wrong subnet prefix. Consequently, and according to the SLAAC procedure, the victim uses this invalid prefix and constructs an invalid address. The victim is denied service as a result, because other nodes reply to packets from the victim's host using its invalid source address (Shah, 2016).

Parameter Spoofing
As part of the SLAAC procedure, the RA message contains parameters that nodes should use in order to establish communication. The attacker executes this attack by sending RA messages that include incorrect parameters, which may cause communication between nodes to be interrupted (Shah and Parvez, 2015).

Replay Attacks
All router discovery and neighbor discovery messages are susceptible to replay attacks. Valid messages can be captured by an attacker and replayed later, even if they were cryptographically secured so that their contents cannot be falsified. Hence, a secure mechanism must be established for protection against replay attacks.

Neighbor Discovery DoS Attack
In this type of attack, addresses are fabricated with the subnet prefix and packets are continuously sent to them. The last-hop router attempts to resolve these addresses by sending neighbor solicitation packets (Najjar et al., 2016). A legitimate host attempting to enter the network cannot obtain the neighbor discovery service from the last-hop router, which is already busy sending other solicitations. This DoS attack differs from the other attacks in that the attacker may be off-link. The resource being attacked is the conceptual neighbor cache, which becomes occupied with attempts to resolve IPv6 addresses containing a valid prefix but an invalid suffix (Mohamed et al., 2017).

Evaluation Methods
Simulation is commonly used to answer network performance questions. However, simulation software cannot produce experimental results as accurate as those obtained using a real network such as a test bed. For example, some devices, such as switches and routers, are only modeled at a high level in well-known simulators like Network Simulator 2 (NS-2). The range of latencies within commercial forwarding devices and the maximum rates at which they forward packets are not included in such simulators.
Experiments can be conducted in a mini-network, such as a test bed, which provides a more realistic evaluation environment than simulation, one reason being that real operating systems, applications and hardware are used to conduct the experiments.
Both legitimate and DoS traffic can be generated and customized in a number of ways in such experiments. Even though they are time-consuming compared with simulation, test beds usually produce more reliable results.
In this paper a network test bed was deployed to report the impacts of DoS attacks over NDP. Figure 6 illustrates the test bed we used to collect data from experiments conducted before and during the different types of DoS attacks. Category 5 Enhanced (Cat5e) cabling and the default IPv6 subnet size of /64 were used. Once the RA DoS attack was launched, all hosts configured with automatic IPv6 addresses, excluding the attacker, lost their connectivity to the communication link. Therefore we used both static and dynamic IP addressing plans, as automatic IP addressing is not suitable for studying and evaluating some DoS attacks. The test bed consists of a monitoring computer, one attacking computer and two victim computers. As shown in Fig. 7, a Windows-based computer with the static IPv6 address FE80::1 was set up as the monitoring computer to test Transmission Control Protocol (TCP) throughput and Round Trip Time (RTT) before and during the attacks. Two victim computers, Windows-based and Linux-based, with the statically configured IPv6 addresses FE80::2 and FE80::3 respectively, were used to test their behavior and performance before and during attacks. Kali Linux, with the IPv6 address FE80::4, was used to launch the attacks. Automatic IP address configuration is needed to test some routing-related attacks, so a D-Link router was used to assign IP addresses automatically using SLAAC. Because NDP attacks are link-local in scope, the router was not connected to an outside network.

Performance Metrics
Three performance metrics were used to evaluate the impacts of DoS attacks over NDP: TCP throughput, RTT delay and CPU utilization.
Network throughput is defined as the average number of bytes received successfully by the intended receiver in a given time. The impact of DoS on a network can be measured using a parameter such as TCP throughput. Throughput is important for TCP-based traffic, as TCP lowers the rate at which it sends packets when network congestion occurs. TCP throughput was measured on the Windows 10 client using Iperf, in megabytes per second (MBps).
RTT is calculated by subtracting the time at which a network packet was sent from the time at which the acknowledgement for that packet is received. RTT is significant because it is used to measure delay within computer networks. A packet is considered lost if it exceeds its predefined RTT, which is why retransmissions always occur during a DoS attack. RTT delay was measured on Windows 10 using the Windows Ping utility, in milliseconds. During DoS-based attacks the attack packet traffic exhausts the processor, which in turn reduces the host's performance. CPU utilization was measured as a percentage using Resource Monitor on Windows 8 and System Monitor on Ubuntu 16.04.

Data Collection Tools
A test bed environment was deployed to carry out the experiments and collect data for analysis, as mentioned earlier. The results obtained were then entered into a Microsoft Excel spreadsheet to generate graphs.
Iperf is a network tool that measures TCP or User Datagram Protocol (UDP) bandwidth. By default, Iperf uses port 5001 and a 10 sec test period; in our experiments we used a 20 sec test period for more consistency. Iperf can measure the maximum amount of data transmitted between any two hosts in a given time. For Iperf to work correctly it needs to be installed on two hosts, one acting as the Iperf client and the other as the Iperf server.
In this study, Iperf was installed on Windows 10, Windows 8 and Ubuntu 16.04. Windows 8 and Ubuntu 16.04 were defined as Iperf servers and Windows 10 as the Iperf client. Thus, TCP throughput was measured between Windows 10 and Windows 8, and then between Windows 10 and Ubuntu 16.04.
Ping is a network utility used to test the reachability of a node within IP networks. It measures the RTT for packets sent from a source node to a destination node. The name Ping comes from active sonar terminology, where a pulse of sound is sent and the echo is listened for to detect objects under water.
Ping operates by sending ICMP/ICMPv6 echo request messages to the target node and waiting for ICMP/ICMPv6 echo reply messages. The Ping utility reports errors, packet loss and a statistical summary of the packets' journey, typically including the minimum, maximum and mean round-trip times and the standard deviation of the mean for the packets sent. In our experiments, Ping measured the RTT between the monitoring computer and the victim computers. Ping is installed by default on Windows 10, which was connected to the Windows 8 and Ubuntu 16.04 victim computers to measure the RTT. We measured the RTT 30 times between the monitoring computer and the victim computers for more consistency.
Resource Monitor is a built-in tool bundled with the Windows operating system family. It allows users to see processor utilization and hard disk, network and memory usage. Linux-based systems have the same kind of tool under the name System Monitor.
In our experiments, Resource Monitor and System Monitor were used to monitor the processor usage on Windows 8 and Ubuntu 16.04 respectively for a period of 60 sec. Table 2 shows the NDP attacks and the corresponding commands used to execute them. Table 3 shows the legends used in the graphs. Table 4 lists the software and hardware specifications of the participating nodes and the role of each node.

TCP Throughput
The RA flooding attack and the NS/NA spoofing attack caused the Windows 8 and Ubuntu 16.04 TCP throughput to drop from around 1400 and 1700 MBps respectively to almost 0 MBps; legitimate packets could not be transmitted during these two attacks. During the NA, NS and RS flooding attacks, throughput dropped from 1400 MBps to just a few MBps for Windows 8, while for Ubuntu 16.04 the throughput dropped only slightly in comparison. Thus, legitimate packets could still be transmitted, at lower rates, on both operating systems during the NA, NS and RS flooding attacks. The detailed TCP throughput rates before and during the NS, NA, RS and RA flooding attacks and the NS/NA spoofing attack are shown in Fig. 8 to Fig. 12.

CPU Utilization
CPU utilization was expected to increase on both Windows 8 and Ubuntu 16.04. However, the CPU utilization on Ubuntu 16.04 did not show any significant change before and during the NS, NA, RS and RA flooding attacks. On the contrary, during RA flooding the Windows 8 CPU utilization rapidly reached 100% and then dropped to around 37%. During the RS and NA flooding attacks CPU utilization increased only from almost 3% to 28%, while for the NS flooding attack it reached 40% and then dropped to 30%. The detailed CPU utilization percentages before and during the NS, NA, RS and RA flooding attacks are shown in Fig. 13 to 16.

Round Trip Time
The NS flooding attack and the NS/NA spoofing attack made the RTT on both Windows 8 and Ubuntu 16.04 increase significantly; during these two attacks the packets were totally lost. During the NA and RS flooding attacks the RTT results for Ubuntu 16.04 did not even change from normal, while for Windows 8 the RTT was considerably higher during the attacks than during normal operation. For the RA flooding attack both operating systems had considerably higher RTT than in the normal state. The detailed RTT values before and during the NS, NA, RS and RA flooding attacks and the NS/NA spoofing attack are shown in Fig. 17 to 21. The packet drop ratio is presented in Fig. 22 to 26. For most of the attacks the results show better resistance for the Linux operating system than for the Windows operating system; only in the RA flooding attack were both operating systems affected to almost the same degree.

Note that for some types of NDP attacks, such as the DAD DoS attack, there is no tangible performance metric that we can use to evaluate the impact of the attack. For such non-tangible attacks we used Wireshark to capture the frames and analyze their contents. Figure 27 shows a normal ICMPv6 echo request packet from FE80::1 to FE80::3. As seen in the frame details, the echo request is answered by an echo reply message in the following frame, number 366. We then ran the NS/NA spoofing attack on the attacker machine, as shown in Fig. 28; it starts listening on the communication link and waits for the victim to send NS messages in order to spoof IP addresses. Again we sent an ICMPv6 echo request packet from FE80::1 to FE80::3. As Fig. 29 illustrates, the echo request between the monitoring computer and Ubuntu 16.04 was never answered.

The attacker sends a spoofed ICMPv6 echo reply in response to the ICMPv6 echo request sent by the victim, using the victim's IP address FE80::3 but with the attacker's own MAC address 00:1E:33:3A:D3:9D. As a result the victim never receives the reply, because all the packets are diverted to the attacker's machine. For the spoofed redirect message DoS attack the scenario is the same, as both attacks are based on spoofing the victim's IP address.

Packets Drop Ratio
For the Default Router is Killed DoS attack, the attacker kills the router by setting the router lifetime to zero. It sends a spoofed RA message to the all-nodes multicast address, pretending to be the router, as shown in Fig. 30 and 31. In Fig. 32 we show an RS message captured during execution of the Good Router Goes Bad DoS attack, in which the attacker solicits the existing router addresses in order to compromise them. For the Malicious Last Hop Router and Good Router Goes Bad DoS attacks the scenario is the same, because all three attacks are based on reducing the router lifetime using a spoofed RA message.

For the DAD DoS attack we ran the attack on the attacker's machine and then tried to connect new nodes, Windows 8 and Ubuntu 16.04 respectively, to the link. As seen in Fig. 33 to 37, Windows 8 tries ten times to obtain an IP address before it gives up the DAD operation, while Ubuntu 16.04 tries three times. This is because the DAD procedures are programmed differently in their kernels' IP stacks. We sorted the frames by protocol type, ICMPv6, to trace the NS and NA messages easily during the attack.

[Figure: Local link, steps 1) to 4); 1) Node A joins a local link and multicasts its public key to all other attached links. Table 5.]
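The frame analysis above was done by hand in Wireshark. As an added example that is not part of the paper, the following Python checks a list of captured NDP payloads for the indicators discussed in this and the vulnerability sections: an NA advertising a link-layer address that conflicts with the known binding for FE80::3 (NS/NA spoofing), an RA from an untrusted source or with a zero router lifetime (malicious last-hop router, default router killed), and a flood of messages from one source. The router and victim MAC addresses, the flood threshold and the frame bytes are constructed for the example; only the attacker MAC and the FE80::3 address come from the paper.

```python
import struct
import ipaddress
from collections import Counter

# ICMPv6 types used by NDP (RFC 4861), the length of each message's fixed part
# (ICMPv6 header included) and the two options that carry link-layer addresses.
NDP_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
FIXED_LEN = {"RS": 8, "RA": 16, "NS": 24, "NA": 24, "Redirect": 40}
OPT_SRC_LLADDR, OPT_TGT_LLADDR = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw[:6])


def parse_ndp(payload: bytes) -> dict:
    """Parse one ICMPv6 NDP message (the bytes that follow the IPv6 header)."""
    name = NDP_TYPES.get(payload[0]) if payload else None
    if name is None:
        raise ValueError("not an NDP message")
    off = FIXED_LEN[name]
    if len(payload) < off:
        raise ValueError(f"truncated {name} message")
    msg = {"type": name, "options": {}}
    if name == "RA":
        # hop limit (1), flags (1), router lifetime (2): 0 means "not a default router"
        msg["router_lifetime"] = struct.unpack_from("!H", payload, 6)[0]
    elif name != "RS":                            # NS, NA and Redirect carry a target
        msg["target"] = str(ipaddress.IPv6Address(payload[8:24]))
        if name == "NA":
            msg["solicited"] = bool(payload[4] & 0x40)
            msg["override"] = bool(payload[4] & 0x20)
        elif name == "Redirect":
            msg["destination"] = str(ipaddress.IPv6Address(payload[24:40]))
    while off < len(payload):                     # options: type, length (x8 bytes), data
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:                          # RFC 4861: the packet must be discarded
            raise ValueError("zero-length option")
        end = off + 8 * opt_len
        if end > len(payload):
            raise ValueError("option runs past end of message")
        if opt_type == OPT_SRC_LLADDR:
            msg["options"]["src_lladdr"] = mac_str(payload[off + 2:end])
        elif opt_type == OPT_TGT_LLADDR:
            msg["options"]["tgt_lladdr"] = mac_str(payload[off + 2:end])
        off = end
    return msg


def analyse_capture(frames, trusted_routers, bindings, flood_threshold=50):
    """frames: (ethernet_src_mac, icmpv6_payload) pairs in capture order.
    Returns (kind, subject, detail) alerts for the attack classes discussed above."""
    alerts = []
    bindings = dict(bindings)                     # IPv6 -> MAC, seeded from the static plan
    counts = Counter()                            # (type, src_mac) -> messages seen
    for src_mac, payload in frames:
        try:
            msg = parse_ndp(payload)
        except ValueError as exc:
            alerts.append(("malformed", src_mac, str(exc)))
            continue
        counts[(msg["type"], src_mac)] += 1
        if msg["type"] == "NA":                   # NS/NA spoofing: NA contradicts known binding
            claimed = msg["options"].get("tgt_lladdr", src_mac)
            known = bindings.setdefault(msg["target"], claimed)
            if known != claimed:
                alerts.append(("na_spoof", msg["target"], f"known {known}, advertised {claimed}"))
        elif msg["type"] == "RA":
            if src_mac not in trusted_routers:    # malicious last-hop router / bogus prefix
                alerts.append(("rogue_ra", src_mac, "RA from an untrusted source"))
            if msg["router_lifetime"] == 0:       # default router is killed
                alerts.append(("router_killed", src_mac, "RA with router lifetime 0"))
    for (mtype, mac), n in counts.items():        # NS/NA/RS/RA flooding
        if n >= flood_threshold:
            alerts.append(("flood", mac, f"{n} {mtype} messages from one source"))
    return alerts


# Constructed sample capture (not real traffic): router and victim MACs are made up,
# the attacker MAC is the one the paper reports, FE80::3 is the Ubuntu victim's address.
ROUTER_MAC, VICTIM_MAC = "02:00:00:00:00:01", "02:00:00:00:00:03"
ATTACKER_MAC = "00:1e:33:3a:d3:9d"
FE80_3 = bytes.fromhex("fe800000000000000000000000000003")


def sample_capture():
    legit_na = bytes.fromhex("88000000" "60000000") + FE80_3 + bytes.fromhex("0201" "020000000003")
    spoof_na = bytes.fromhex("88000000" "60000000") + FE80_3 + bytes.fromhex("0201" "001e333ad39d")
    legit_ra = bytes.fromhex("86000000" "4000" "0708" "00000000" "00000000" "0101" "020000000001")
    kill_ra = bytes.fromhex("86000000" "4000" "0000" "00000000" "00000000" "0101" "020000000001")
    ns_flood = [(ATTACKER_MAC, bytes.fromhex("87000000" "00000000") + FE80_3)] * 60
    return [(VICTIM_MAC, legit_na), (ROUTER_MAC, legit_ra),
            (ATTACKER_MAC, spoof_na), (ATTACKER_MAC, kill_ra)] + ns_flood


if __name__ == "__main__":
    for alert in analyse_capture(sample_capture(), {ROUTER_MAC}, {"fe80::3": VICTIM_MAC}):
        print(alert)
```

Seeding the binding table from the static addressing plan, as the test bed does, is what lets the first spoofed NA be caught; with an empty table the attacker's claim would simply be learned as the first binding.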

Existing Solutions
Some other sophisticated attacks, which combine one or two of the attacks mentioned earlier, could be used to exploit NDP vulnerabilities during the SLAAC or ND procedures. The name of such an attack is usually given based on the type of NDP message utilized to execute it. From the above, we conclude that all of the attacks rely on spoofing or abusing NDP messages. If there were a perfect authentication mechanism to verify NDP messages, the protocol could be protected comprehensively and would have strong resistance to the various attacks. Many works on securing NDP are making efforts in this direction, and several related works are discussed next.
According to the IETF, two types of solutions have been introduced to protect NDP: Internet Protocol Security (IPSec) and Secure Neighbor Discovery (SEND), as explained in the sections below.

Internet Protocol Security (IPSec)
IPSec is used to ensure that the IP packets between the IP layer and the transport layer remain confidential and accurate. This protocol comprises the Authentication Header (AH) protocol, the Encapsulating Security Payload (ESP) protocol and the Internet Key Exchange (IKE) protocol. The AH protocol mainly keeps transmitted packets private and accurate. The ESP protocol ensures the authenticity of the origin in the encryption process. The IKE protocol uses a Diffie-Hellman key exchange mechanism to prepare Security Associations (SA) for IPSec communication. The two modes of IPSec, namely transport mode and tunnel mode, enable users to implement IPSec under various network environments. IPSec in transport mode protects the information being delivered from the transport layer to the network layer; in tunnel mode, by contrast, IPSec protects entire IP packets. The original specifications of NDP recommend using IPSec to protect NDP messages, even though the details and associated limitations have yet to be explained (Nikander, 2001). NDP intended to use IPSec to protect itself through IP layer authentication, but IPSec is not suited to the auto-configuration in SLAAC because of a bootstrapping problem. There have been several proposals for the IPSec protocol regarding key distribution, and among them IKE is considered the standard (Aiello et al., 2002; Blaze, 2001). For this application, IPSec is compatible with manual keying, whereas the currently standardized IKE key management protocols cannot be deployed, because NDP uses multicast, which IKE does not support. Consequently, a chicken-and-egg problem (Arkko, 2002) arises in using IKE (Harkins and Carrel, 1998) before ND is operational. Although manual keying could be utilized for neighbor discovery, the number of SAs required would be truly extensive (Chiu and Gamess, 2010).
More importantly, the use of symmetric security does not prevent authenticated nodes from masquerading as routers for other hosts, given that multicast is used. Finally, the absence of detailed information in RFC 2461 about how the necessary SAs should be set up creates trouble for administrators and may be a limiting factor for interoperability. Proposals to utilize IPSec and make it workable for securing NDP are introduced in (Liu and Dai, 2013; Kim et al., 2008).

Secure Neighbor Discovery (SEND)
SEND was developed by the IETF to specify security mechanisms for NDP. It provides three mechanisms to protect NDP messages. The first is router authorization: SEND uses the Authorization Delegation Discovery (ADD) procedure to validate and authorize IPv6 routers. This is based on a trusted third party, called a trust anchor, which issues the certificates. Only after the router is authorized can it act as a router, and every node must certify the router via the trust anchor before setting it as a default router. The second mechanism provided by SEND is Cryptographically Generated Addresses (CGA). A node cryptographically generates its IPv6 address by applying a one-way hash function to the node's public key and some other parameters. CGA is used to make sure that the sender of NDP packets is the owner of the claimed address. The third mechanism used by SEND aims to protect the integrity of the messages and authenticate the identity of their sender.
In order to activate these three mechanisms, SEND introduces four NDP options: the CGA option to prevent IPv6 address stealing, the nonce and timestamp options to protect NDP from replay attacks, and the RSA signature option for authentication. The main problem with SEND is the complexity of address generation, CGA option generation and signing of the RSA signature option (AlSa'deh and Meinel, 2012; An et al., 2007). Moreover, SEND has been implemented by only a very few operating systems and network devices. In addition, it is itself vulnerable to DoS attacks that exploit the SEND messages: an attacker may send many packets carrying the four NDP options to force the victim to process them. Moreover, the new options add more than one Kbyte to each NDP packet (). A preliminary experiment with a flooding attack targeting a SEND machine showed that the machine could process only up to 442 NS messages within 1.43 seconds before crashing (Praptodiyono et al., 2015c). In a word, SEND has many limitations, including computation, deployment and security (Ahmed et al., 2017; Gelogo et al., 2011). Proposals to enhance SEND and make it applicable were introduced in (Sarma, 2014; Rafiee et al., 2011; Doja and Saggar, 2012; Kempf et al., 2006; Park et al., 2007; Cheneau and Laurent, 2011; Huang et al., 2009; Oh and Chae, 2007; Vasić et al., 2011; Lu et al., 2017). A small test bed consisting of three computers, a switch and a router was used to implement DoS attacks against SEND. The computers consist of one attacking node (Kali Linux 3.20.2) and two victim nodes (Windows 10 Home and Ubuntu 16.04 respectively). The THC-IPv6 attacking toolkit was used to implement the DoS attack using sendpees6. Two performance metrics, processor utilization and network bandwidth consumption, were used to evaluate the impacts of the DoS attack.
The attack successfully consumes the available resources because it keeps sending incorrect parameters that make the CGA verification process fail (Qadir et al., 2015a). Experiments have proved that both the Windows and Linux SEND implementations still suffer from DoS attacks. Results showed that Linux is more resistant to the DoS attack than Windows, as per Fig. 38 to 41.

Proposed Solution
A proposed solution has been introduced in . In the IPv6 Neighbor Discovery Protocol, an attacking node can cause packets for legitimate nodes, both hosts and routers, to be sent to some other link-layer address. This can be done either by sending a Neighbor Solicitation (NS) with a spoofed source link-layer address or by sending a Neighbor Advertisement (NA) with a spoofed target link-layer address. If the spoofed link-layer address is a valid one, packets will continue to be redirected; this also leads to a Man-in-the-Middle attack. The other part of the attack is the Neighbor Discovery DoS attack: the attacking node fabricates addresses with the subnet prefix of the target network and continuously sends packets to them. The last hop router is obligated to resolve the addresses with the Neighbor Discovery protocol. A legitimate host attempting to enter the network may be unable to obtain Neighbor Discovery service from the last hop router, as the router is already busy resolving the bogus addresses. The proposed mechanism is a cryptography-based solution that works according to the digital signature procedure. When nodes (routers/hosts) join a local link, they advertise their public keys to all other attached nodes in the form of a multicast message. Nodes update their caches with the new entries, so that they now hold each other's public keys. From then on, any node receiving a message from another node verifies (decrypts) it with the sender's public key that it already holds. If the message is a spoofed one, the node will detect this because the signature in the message, which should have been produced with the sender's private key, will not match the sender's public key that the receiver already has, and the receiver will drop the message. Algorithm 1 shows the steps for the proposed mechanism (see also Fig. 33).

Conclusion
NDP is the core protocol of the IPv6 suite. When NDP was developed there was an assumption that hosts within a subnet would trust each other. This assumption was proved wrong in real implementations, especially in wireless environments such as airports, cafes and public restaurants. NDP lacks security and is vulnerable to several DoS attacks that may lead to a total system crash. A test bed setup and the corresponding configurations to evaluate the impacts of NDP attacks on Windows and Linux based operating systems were provided in this study. The impacts of each DoS attack were evaluated using the TCP throughput, RTT and CPU utilization metrics between the monitoring and victim computers before and during the attacks. Overall, the results have shown that the performance of the Linux based operating system was better than that of the Windows based operating system. This was mainly because Linux accepts only a small number of prefixes while Windows accepts a large number of prefixes during these attacks. We summarized the solutions available in industry, describing their technical specifications and components, in addition to highlighting the pros and cons of each solution. We also presented the available proposals and research in the area that aim to protect NDP messages and enhance their overall security.

Ethics
The authors ensure the novelty and ownership of the work and results carried out in this paper. Although we understand that the Journal of Computer Science is an open access journal, we have no objection to the referencing, reuse or re-citing of any part of the work that has been done in this paper.