International Journal of Engineering Trends and Technology (IJETT) – Volume 27 Number 6 - September 2015
Identifying Spoofed Packets Origin using Hop Count Filtering
and Defence Mechanisms against Spoofing Attacks
Israel Umana (1), Sornalakshmi Krishnan (2)
(1) M.Tech Student, Information Security and Cyber Forensic, Dept. of Information Technology, Faculty of Engineering & Technology, SRM University, India
(2) Assistant Professor, Information Security and Cyber Forensic, Dept. of Information Technology, Faculty of Engineering & Technology, SRM University, India
Abstract
Spoofing is a technique used by hackers to conceal their identities on the Internet. Thus, one can launch attacks from a particular location and assume the identity of someone else that either does not exist or exists in a completely different location. Distributed Denial of Service (DDoS) attacks, among other kinds of attacks, succeed through IP spoofing. Over the years, efforts to combat the popular DDoS attacks have always implied efforts to identify spoofed packets, hence a lot of work has been done to identify IP packets that do not originate from where they claim to have originated. However, efforts to trace back to the true source of spoofed packets have faced a number of challenges, which include ease of deployment, extra overhead on routers and the need for the mechanism to be implemented in all the routers on the Internet. This paper presents a new methodology that does not require any deployment but utilizes already existing features implemented in routers to reveal the true location of the attacker. We focus on trusted networks and utilize hop count filtering to identify spoofed packets and to implement a trace back to the node from which the spoofed packet originated. We also propose a secure three-way handshake that would prevent the attacker from getting a false connection to a victim by simply guessing the sequence numbers.
Keywords — Spoofing; Back scatter; Hop Count filtering; IP Trace back; secure three-way handshake

Figure 1: IPv4 and IPv6 Headers

I. Introduction
Malicious hackers are everywhere! One thing that is common among hackers, except for the suicide hackers, is that they want to remain anonymous on the Internet. They do this by masquerading and pretending to be who they are not. This act of concealing one's identity on the Internet is known as IP address spoofing. The IPv4 and IPv6 headers both have fields marked as Source Address and Destination Address, as shown in figure 1. The source address is the part of the header that is usually forged by the attacker, as it bears his identity. Most cyber-attacks directly or indirectly involve spoofing attacks, as the attackers, most times, would not want to be traced. The popular Distributed Denial of Service (DDoS) attack exploits the IP spoofing technique to send rogue requests from fake IP addresses to a single target [1]. Because the requests come from different spoofed IP addresses, it becomes difficult to trace the true generator of such malicious packets. Thus, the attacker ends up impersonating legitimate owners of the addresses used in the spoofing activity. This is a breach of authentication. Usually, the spoofer is not interested in the response packets, as they are sent to the spoofed addresses which, truly, did not request them. Therefore, system resources allocated for such packets lie waste, while legitimate requests for those resources are denied: a denial of service (DoS) attack.

ISSN: 2231-5381
In this paper, we study the IP spoofing activity by analysing the backscatter messages captured by an Internet monitor called a network telescope or darknet [2]. The network telescope is a passive traffic monitoring system which is a globally routed /8 network. It captures unsolicited response packets which are usually sent from a spoofing attack victim back to the spoofed addresses. These response packets could be a SYN packet or ICMP error messages, also known as path backscatter. Though the network telescope is primarily aimed at observing Distributed Denial of Service attacks (as depicted in figure 2), the backscatter messages, if collected, can be useful in identifying the true origin of the spoofed packets.

http://www.ijettjournal.org
Page 281
We try to explore the ICMP error messages, which hold some details that can lead to the disclosure of the spoofer's location. As presented in RFC792 [3], ICMP error messages are generated on certain occasions. For instance, the ICMP time exceeded message is generated when the TTL value gets exhausted while the packet is in transit or when the fragment reassembly time is exceeded. The headers of these messages hold sensitive information that may reveal the original IP header (figure 3). Thus, by probing the ICMP error messages, one can discover the original source IP address of the packet which, in most cases, is that of the spoofer's gateway.
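The backscatter analysis just described, as an added example written for this page (not the authors' tooling): a constructed ICMP Time Exceeded message of the RFC 792 shape is built and then parsed the way a telescope analyst would read it. The outer IP source is the router that generated the error, which is what places the spoofed packet on a path; the quoted inner header exposes the spoofed source, the intended target and, for TCP or UDP, the ports. The router address 203.0.113.1 and the other addresses are documentation-range values chosen for the example.

```python
import struct
import ipaddress

ICMP_ERROR_TYPES = {3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
                    11: "Time Exceeded", 12: "Parameter Problem"}
IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; verifying a valid message yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header without options, checksum filled in."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = inet_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def build_time_exceeded(quoted_datagram: bytes) -> bytes:
    """ICMP type 11, code 0: 8-byte header, then the offending IP header plus 64 bits of its data."""
    body = quoted_datagram[:28]
    csum = inet_checksum(struct.pack("!BBHI", 11, 0, 0, 0) + body)
    return struct.pack("!BBHI", 11, 0, csum, 0) + body


def parse_backscatter(packet: bytes) -> dict:
    """Parse an IPv4 packet carrying an ICMP error and return what identifies the path."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, _ = struct.unpack(IPV4_FMT, packet[:20])
    if ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("not an IPv4 packet carrying ICMP")
    ihl = (ver_ihl & 0x0F) * 4
    icmp = packet[ihl:total_len]
    if len(icmp) < 8 + 20:
        raise ValueError("ICMP message too short to quote an IP header")
    icmp_type, code, _ = struct.unpack("!BBH", icmp[:4])
    if icmp_type not in ICMP_ERROR_TYPES:
        raise ValueError(f"ICMP type {icmp_type} is not an error message")
    if inet_checksum(icmp) != 0:
        raise ValueError("ICMP checksum mismatch")
    quoted = icmp[8:]                      # the original IP header follows the 4 unused bytes
    q_ver_ihl, _, _, _, _, q_ttl, q_proto, _, q_src, q_dst = struct.unpack(IPV4_FMT, quoted[:20])
    q_ihl = (q_ver_ihl & 0x0F) * 4         # honour options in the quoted header
    q_payload = quoted[q_ihl:q_ihl + 8]
    info = {
        "reporting_router": str(ipaddress.IPv4Address(src)),   # where on the path TTL ran out
        "icmp_type": icmp_type, "icmp_name": ICMP_ERROR_TYPES[icmp_type], "code": code,
        "quoted_src": str(ipaddress.IPv4Address(q_src)),       # the forged source address
        "quoted_dst": str(ipaddress.IPv4Address(q_dst)),       # the intended victim
        "quoted_ttl": q_ttl, "quoted_proto": q_proto,
    }
    if q_proto in (6, 17) and len(q_payload) >= 4:             # TCP/UDP ports sit in the first 4 bytes
        info["quoted_src_port"], info["quoted_dst_port"] = struct.unpack("!HH", q_payload[:4])
    return info


def sample_backscatter() -> bytes:
    """Constructed: router 203.0.113.1 reports TTL expiry of a TCP SYN that claimed source
    192.0.2.10 (an address the sender does not own) and was aimed at 198.51.100.5."""
    tcp_stub = struct.pack("!HHI", 40000, 80, 1)       # sport, dport, seq: the 8 bytes RFC 792 quotes
    spoofed = build_ipv4_header("192.0.2.10", "198.51.100.5", 1, 6, 20) + tcp_stub + b"\x00" * 12
    icmp = build_time_exceeded(spoofed)
    return build_ipv4_header("203.0.113.1", "192.0.2.10", 64, 1, len(icmp)) + icmp


if __name__ == "__main__":
    for key, value in parse_backscatter(sample_backscatter()).items():
        print(f"{key:18} {value}")
```

On a real darknet capture the same parser applies to every ICMP error type listed; the IHL handling covers quoted headers with options, and routers that quote more than 64 bits of the original payload are tolerated because only the first eight bytes are read.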
Figure 2: Backscatter monitor with darknet (Source: [2])

Figure 3: ICMP header format
II. Review of Existing Work

A. Existing works on IP Trace back Mechanisms
A lot of literature has been published on methodologies to identify the true location of the IP spoofing attacker. Apart from the recent work published by [4], other IP traceback mechanisms can broadly be classified into two: Packet Marking and Packet Logging. In the packet marking method, presented in [5], the routers append their identification information to the packet header while it traverses the network. The IP header has limited space for marking, therefore the routers probabilistically mark packets such that each marked packet carries just partial information about the network path. This method of packet marking is called Probabilistic Packet Marking (PPM). The network path is reconstructed from a number of marked packets received. Another variant of the packet marking method is Deterministic Packet Marking (DPM), proposed in [6] and [7]. In this method, the packet marking is done deterministically by only the ingress edge routers, exempting other routers from the marking task. This reduction in the number of routers engaged in the packet marking task makes DPM most effective in handling large-scale Distributed Denial of Service. The major challenge of the packet marking method is that it requires a number of packets in order to determine the network path, because a single marked packet carries only partial path information.

The Packet Logging approach requires the routers on the path to the destination to store the path information of a packet in router memory. This logged information is then used to derive the network path of the packet. This, as noted in [8], consumes enormous storage and processing resources given the limited storage capacity of routers. Apart from the storage limitation, it also poses a privacy threat, as the logged information may reveal the topology of the network, and ISPs are sceptical about implementing features that compromise the privacy of individuals.

Though some authors like [8] and [9] have published articles on a hybrid of these two methods in an attempt to overcome the inherent drawbacks, the unattended challenge has always been the deployment difficulty. This is because it requires that all routers on the Internet be configured to implement packet marking and logging as proposed by these authors. It also requires collaboration with ISPs, who are not readily willing to implement policies that have no business value for them. These, among other factors, have led to more research into traceback mechanisms that do not require deployment on all routers and that are equally effective in identifying the origin of spoofed traffic.
B. Defence against IP Spoofing
A lot of defence mechanisms have been proposed by many authors against the impersonation attack known as IP spoofing. Fu-Yuan Lee et al. [10] proposed an anti-DDoS scheme called ANTID which focuses on identifying spoofed packets and discarding them when DDoS attacks occur. Their scheme was inspired by hop count filtering and path identification. This, again, required a huge deployment cost, as each of the routers was expected to mark the packets with path information.

Another method is presented in [11], which is based on traceroute and cooperation with trusted adjacent nodes. It requires mutual cooperation among trusted adjacent nodes to block intruders from an external network who intrude into trusted networks by IP spoofing attacks. In this model, the author employs an adjacent trusted node, referred to as the detection node, to detect when the hijacked node is unreachable due to the presence of an impersonator. The challenge with this method is getting external nodes to cooperate in detecting spoofers over the Internet.

Pimpalkar et al. [12] propose a cryptographic hash technique for defending against spoofing attacks. In the algorithm, certain fields in the IP header are extracted and encrypted using a hashing technique. The encryption secret key is computed from certain packet field values and then an XOR operation is carried out on the computed values. This constitutes extra overhead on the network.
III. OUR WORK

A. HOW SPOOFING IS DONE IN A TRUSTED NETWORK
The schematics of a trusted network are illustrated in figure 4. In this architecture, each trusted node has access authority over the others. Thus, each trusted node in the network has access information about the other nodes, such as node name, IP address, hop count and traceroute from itself to the other trusted nodes. The trusted nodes can, however, be virtually connected together. That is, as opposed to the idea illustrated in figure 4, hosts A, B and C can be in different geographical locations but still make up the trusted network. Thus, if host A communicates with node B, node B can verify the authenticity of the message received by comparing the information retrieved from the message with the stored access information about node A. This way, a spoofer trying to mimic the IP address of a trusted node can be identified, since he has no idea of the other information such as hop counts between trusted nodes, computer names, etc. In general, there can be a number of routers (henceforth referred to as nodes) forming the trusted network. Thus, any packet from outside the network must first be authenticated. In our work, we simulated 49 nodes within the network and illustrated how the traceback process is implemented. The following section explains the spoofing process in detail.

Figure 4: Trusted and Untrusted network

Figure 5: Spoofing Process
The spoofing process generally works as depicted in figure 5. The hosts with IP addresses 192.168.1.100 (Host A) and 192.168.1.1 (Host B) are considered trusted hosts. An attacker with IP address 10.0.0.1 (Host C) first attacks and controls Host A and blocks it from communicating with the Internet. Next, it sends a TCP SYN connection request to Host B pretending to be Host A. When Host B receives the request, it sends a SYN + ACK to node A. However, node A cannot receive such a response, since it did not request it. But, since Host A is under the control of Host C, Host C sniffs and captures the sequence number and uses that to send an ACK packet to Host B, hence completing the three-way handshaking process. Thus, for an attacker to successfully spoof the source address of a trusted host, he must first obtain control of that source. This is a kind of man-in-the-middle (MITM) attack which requires that the attacker breaks into the network (usually through one of the weak links within the trusted network) before he can successfully impersonate another user.
B. DETECTION OF SPOOFED PACKETS BASED ON HOP COUNT FILTERING
Within a trusted network, each node maintains an IP-to-HopCount table, indexed by IP addresses within the network, which indicates how many hops it takes to reach each of the hosts within the network. Unfortunately, hop count values are not directly captured in the IP header but rather are implied in the time-to-live (TTL) value. TTL is used to specify the maximum number of nodes a packet may traverse before getting to the destination. Sometimes, hackers set a small TTL value with the intention of triggering ICMP error messages, in order to determine exactly how far the target system is from them. When a packet traverses a node (router), the TTL value is decremented by 1. However, the initial TTL values are not uniform across different platforms. While some will set it at 30 or 30, some will set it at 64 or 128, etc., depending on the operating system. Thus, obtaining the initial TTL value of a packet can be obscure. Given the advantage that we are considering a trusted network in which we know many details about each node, we can predict the initial TTL value of the packet.

To determine whether or not a packet is from a genuine source, we first extract the source IP address from the packet header. We label this address S. We extract the final TTL from the header and label it T. We infer the initial TTL, T0, from knowledge of the initial TTL usually generated within the network, which depends on the host operating systems. From these values we compute the hop count, Hc. From the IP-to-HopCount table, we index the source IP address, S, to obtain the stored hop count, Hs, between the source IP address and the destination. We then compare the value of Hc with that of Hs; if they match, then the packet is from the genuine source, otherwise, the packet is spoofed.
The algorithm works as follows:

    For each packet:
        extract the final TTL T and IP address S;
        infer the initial TTL T0;
        compute the hop count, Hc = T0 - T;
        index S to get the stored hop count Hs;
        if (Hs == Hc)
            packet is legitimate;
        else
            packet is spoofed;

C. TRACEBACK BASED ON HOP COUNT
We now present the method we employed in our implementation to trace the node through which the spoofed packet was sent. When a spoofed packet is detected, the trace back module is triggered. First, the system tries to identify the path between the source node, S, and itself, D, and the number of nodes, p, between S and D. With this, it identifies all the nodes between the source and destination as a set of suspect nodes, Ns:

    Ns = {Ni : 1 <= i <= p}

This is done by sending route requests to neighbouring nodes and obtaining the route replies for evaluation. With this, the most efficient path between S and D is identified, as well as Ns. After identifying the set of suspect nodes, Ns, it probes the distances between S and each of the nodes, Ni, to find which of them has a hop count equal to the earlier computed value. Once a match is found, that node is designated the spoofing node; otherwise, the test fails. Our aim is to identify at which of the nodes the attacker broke into the network and to take the necessary measures to secure such nodes. Further probing can be done, though not covered in the scope of this work, to determine which host connected to the spoofing node actually launched the attack.

D. SECURE THREE-WAY HANDSHAKING
We reasoned that spoofing becomes successful in a trusted network due to the ability of the attacker to guess the sequence numbers of the packets transmitted between legitimate hosts within the network. Thus, if some additional credential that cannot be guessed is requested and verified during the three-way handshake, the attacker will find it more difficult to establish a connection with the victim using a spoofed address.

Therefore, we propose a secure three-way handshake in a trusted network based on the spoofing scenario depicted in figure 5. We present two models: one based on a pre-shared secret key (K) among the trusted hosts and the other based on shared identifiers (ID) among the trusted hosts. The two schemes are illustrated in figure 6 and figure 7.
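Sections B and C together, as an added example written for this page (not the authors' NS2 code): a constructed six-node trusted path in which every node knows the others' initial TTL and distance, a destination that applies the hop count filter Hc = T0 - T against its IP-to-HopCount table, and the traceback that searches the suspect set Ns for the spoofing node. Two readings are my own and not stated by the paper: the traceback matches the suspect whose distance to D equals Hc, which is the paper's probe from S expressed from the destination's side (the same node sits at distance Hs - Hc from S); and when the arriving TTL is above the claimed host's initial value (an attacker on a different operating system), the filter falls back to rounding T up to the next standard initial TTL, a heuristic the paper leaves for future work. The addresses, the OS TTL values and the path are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Standard initial TTL values, used only as a fallback inference (an assumption of this
# example; the paper notes that initial TTLs differ by operating system).
STANDARD_INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(final_ttl: int) -> int:
    """Smallest standard initial TTL that is not below the TTL seen on arrival."""
    for t0 in STANDARD_INITIAL_TTLS:
        if final_ttl <= t0:
            return t0
    raise ValueError(f"TTL {final_ttl} exceeds every known initial value")


def hop_count(final_ttl: int, claimed_initial_ttl: int) -> int:
    """Hc = T0 - T, with T0 the initial TTL of the claimed source's OS (known inside the
    trusted network). If T is already above that value the claim is impossible, so fall
    back to the standard-value inference; that keeps Hc usable for the traceback."""
    t0 = claimed_initial_ttl if final_ttl <= claimed_initial_ttl else infer_initial_ttl(final_ttl)
    return t0 - final_ttl


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    initial_ttl: int   # known from the node's OS: part of the access information trusted nodes share


class TrustedNetwork:
    """A linear path S = path[0], N1 .. Np, D = path[-1]; every node knows every other."""

    def __init__(self, path: list[Host]):
        self.path = path
        self.by_ip = {h.ip: h for h in path}

    def distance(self, a: Host, b: Host) -> int:
        return abs(self.path.index(a) - self.path.index(b))

    def hop_table(self, dest: Host) -> dict[str, int]:
        """The IP-to-HopCount table held at dest: Hs for every other trusted host."""
        return {h.ip: self.distance(h, dest) for h in self.path if h != dest}

    def send(self, sender: Host, claimed_src: Host, dest: Host) -> tuple[str, int]:
        """Constructed packet as seen at dest: (source IP field, TTL on arrival).
        Each node on the way decrements the TTL by one."""
        return claimed_src.ip, sender.initial_ttl - self.distance(sender, dest)

    def detect(self, dest: Host, src_ip: str, ttl: int) -> tuple[bool, int]:
        """Hop count filtering at dest. Returns (spoofed, Hc)."""
        table = self.hop_table(dest)
        if src_ip not in table:
            return True, -1   # not a trusted host at all: reject until authenticated
        hc = hop_count(ttl, self.by_ip[src_ip].initial_ttl)
        return hc != table[src_ip], hc

    def traceback(self, dest: Host, src_ip: str, hc: int) -> Optional[Host]:
        """Ns = {Ni : 1 <= i <= p}, the nodes strictly between S and D. The spoofing node
        is the suspect whose distance to D equals the hop count the packet really
        travelled (equivalently, the Ni at distance Hs - Hc from S). None: test fails."""
        s_idx, d_idx = sorted((self.path.index(self.by_ip[src_ip]), self.path.index(dest)))
        for node in self.path[s_idx + 1:d_idx]:
            if self.distance(node, dest) == hc:
                return node
        return None


def demo() -> dict:
    """Constructed six-node path; N2 and N3 run an OS whose initial TTL is 128, the rest 64."""
    s, n1, n2, n3, n4, d = (Host("S", "10.0.0.1", 64), Host("N1", "10.0.0.2", 64),
                            Host("N2", "10.0.0.3", 128), Host("N3", "10.0.0.4", 128),
                            Host("N4", "10.0.0.5", 64), Host("D", "10.0.0.6", 64))
    net = TrustedNetwork([s, n1, n2, n3, n4, d])
    out = {}
    src, ttl = net.send(s, s, d)                  # genuine packet from S: Hc == Hs == 5
    out["genuine"] = net.detect(d, src, ttl)
    src, ttl = net.send(n4, s, d)                 # attacker at N4 (same OS as S) claims to be S
    spoofed, hc = net.detect(d, src, ttl)
    out["spoof_same_os"] = (spoofed, hc, net.traceback(d, src, hc).name)
    src, ttl = net.send(n3, s, d)                 # attacker at N3, whose OS starts the TTL at 128
    spoofed, hc = net.detect(d, src, ttl)
    out["spoof_other_os"] = (spoofed, hc, net.traceback(d, src, hc).name)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} {result}")
```

The third case is the one the filter alone cannot settle: the packet arrives with TTL 126, which no host with an initial TTL of 64 could have sent, so the packet is spoofed regardless of the table, and the fallback inference still yields a usable Hc of 2 for the traceback to locate N3.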
Figure 6: Secure 3-way Handshake based on Shared key

Figure 7: Secure 3-way handshake based on shared Identity
In the first model, if there is a shared symmetric encryption key among the trusted nodes for the purpose of authentication, then this can be incorporated into the connection negotiation process. When a host within a trusted network wishes to communicate with another host, it sends a SYN packet to the destination. The destination generates a random value (rand), encrypts it with the shared key (K) using any agreed symmetric encryption algorithm, sends a SYN + ACK and piggybacks the encrypted rand on it to the source. If the source is genuine, it will have the shared key and therefore be able to decrypt the rand, piggyback it on an ACK packet and send it to the destination. The destination grants the connection if the rand sent back matches the one it had earlier generated.

In the second model, the identity information which is accessible to all the trusted hosts is utilized. Here, when a trusted host receives a SYN request from another trusted host, it asks, “hey, do you know my identity?” by sending a hash of the identity along with a SYN + ACK packet. The host that initiated the connection request then sends an ACK along with the ID of the destination, which can be verified before granting the connection request.
With this, we can terminate the connection between the spoofer and the target host right during the connection negotiation process.

E. IMPLEMENTATION AND RESULT
We illustrate this concept with NS2. We simulate a trusted network with 49 nodes as shown in figure 8. In the implementation, we simulate an attacker mapping the network to find out its topology and hence the nodes between the source and destination that can be compromised. He monitors the traffic and then takes control of the intermediate nodes. He then pretends to be the original source by using the original source IP address as his IP address. At the destination, the spoofer detection module is run whenever a packet is received. Whenever a spoofed packet is identified, the trace back module is automatically run.

The system was tested with different sets of source nodes, destination nodes and spoofing nodes. The end-to-end delay, spoofer detection rate and packet delivery ratio generated by NS2 are shown in the output graphs of figure 9, figure 10 and figure 11.

Figure 8: Set of nodes in a trusted network

Figure 9: End-To-End Delay output

Figure 10: IP Spoofer Detection

Figure 11: Packet Delivery Ratio
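Both handshake models of section D, as an added example written for this page (not the authors' simulation): the responder challenges with E_K(rand) in the first model and with H(ID) in the second, and grants the connection only on a correct ACK. HMAC-SHA256 run in counter mode stands in for the paper's "agreed symmetric encryption algorithm" so that nothing beyond the Python standard library is needed; the key, the identity string and the reuse of the figure 5 addresses are constructed for the example. The last function shows that a captured correct ACK cannot be replayed, because the responder discards each challenge once it has been answered.

```python
from __future__ import annotations

import hashlib
import hmac
import os


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for the agreed symmetric cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    """E_K(rand) with a fresh IV, so two challenges never encrypt the same way."""
    iv = os.urandom(16)
    return iv, bytes(p ^ k for p, k in zip(plaintext, keystream(key, iv, len(plaintext))))


def decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(key, iv, len(ciphertext))))


class Responder:
    """The destination host (Host B in figure 5): answers a SYN with a challenge and
    grants the connection only if the ACK carries the right answer."""

    def __init__(self, shared_key: bytes, identity: str):
        self.key = shared_key
        self.identity = identity
        self.pending: dict[str, bytes] = {}   # claimed source IP -> value the ACK must prove

    def syn_ack_key(self, src_ip: str) -> dict:
        """Model 1: SYN + ACK piggybacking E_K(rand)."""
        rand = os.urandom(16)
        self.pending[src_ip] = rand
        iv, enc_rand = encrypt(self.key, rand)
        return {"flags": "SYN+ACK", "iv": iv, "enc_rand": enc_rand}

    def syn_ack_id(self, src_ip: str) -> dict:
        """Model 2: SYN + ACK piggybacking H(identity) ('do you know my identity?')."""
        digest = hashlib.sha256(self.identity.encode()).digest()
        self.pending[src_ip] = digest
        return {"flags": "SYN+ACK", "id_hash": digest}

    def on_ack(self, src_ip: str, proof: bytes) -> bool:
        """Grant only if proof equals the expected value. The expectation is consumed
        whether or not it matched, so a guessed or replayed ACK cannot be retried."""
        expected = self.pending.pop(src_ip, None)
        return expected is not None and hmac.compare_digest(proof, expected)

    def on_ack_id(self, src_ip: str, identity: str) -> bool:
        """Model 2 ACK carries the destination's ID in clear; B verifies it against its hash."""
        return self.on_ack(src_ip, hashlib.sha256(identity.encode()).digest())


HOST_A, HOST_B = "192.168.1.100", "192.168.1.1"    # the trusted pair from figure 5
SHARED_KEY = b"constructed-trusted-network-key"     # K: a constructed value for the example
IDENTITIES = {HOST_B: "host-B"}                     # the ID table every trusted host holds


def run_key_model(initiator_has_key: bool) -> bool:
    """A SYN claiming to be Host A; only a holder of K can decrypt rand and return it."""
    b = Responder(SHARED_KEY, IDENTITIES[HOST_B])
    syn_ack = b.syn_ack_key(HOST_A)
    if initiator_has_key:
        proof = decrypt(SHARED_KEY, syn_ack["iv"], syn_ack["enc_rand"])
    else:
        proof = os.urandom(16)   # Host C without K can only guess
    return b.on_ack(HOST_A, proof)


def run_id_model(initiator_knows_ids: bool) -> bool:
    """A SYN claiming to be Host A; the ACK must carry B's ID."""
    b = Responder(SHARED_KEY, IDENTITIES[HOST_B])
    b.syn_ack_id(HOST_A)
    ident = IDENTITIES[HOST_B] if initiator_knows_ids else "guessed-identity"
    return b.on_ack_id(HOST_A, ident)


def replay_is_rejected() -> bool:
    """A captured correct ACK is useless a second time: the challenge is single-use."""
    b = Responder(SHARED_KEY, IDENTITIES[HOST_B])
    syn_ack = b.syn_ack_key(HOST_A)
    proof = decrypt(SHARED_KEY, syn_ack["iv"], syn_ack["enc_rand"])
    return b.on_ack(HOST_A, proof) and not b.on_ack(HOST_A, proof)


if __name__ == "__main__":
    print("key model, genuine host:", run_key_model(True))
    print("key model, spoofer:     ", run_key_model(False))
    print("id model, genuine host: ", run_id_model(True))
    print("id model, spoofer:      ", run_id_model(False))
    print("replay rejected:        ", replay_is_rejected())
```

The two models are not equally strong: in the identity model the ID crosses the network in clear in every ACK, so a party able to sniff the trusted segment (the position Host C holds in figure 5) learns it once and can answer from then on, whereas the key model issues a fresh random challenge per connection and never exposes K. A deployment would also expire entries in the pending table so that a flood of SYNs cannot grow it without bound.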
IV. CONCLUSION AND FUTURE WORK
In this paper, we present a method of IP trace back using hop count. We limited our study to a trusted network where the nodes collaborate with one another to detect anomalous activities. This method is easy to implement and, with an optimized algorithm, the spoofer can be detected and traced before much damage is done.
There is, however, a need to extend the trace back with hop count to address spoofing attacks in untrusted networks where there is no collaboration between neighbouring nodes or any shared information between nodes. Research is also needed in the area of determining the initial TTL value of a packet so as to be able to determine, with a greater level of precision, the hop count between nodes.

References
[1] Y. Xiang and W. Zhou, “A Defense System Against DDoS Attacks by Large-Scale IP Traceback,” in Third International Conference on Information Technology and Applications (ICITA’05), Australia, 2005.
[2] CAIDA, “Network Telescope,” CAIDA, 23 April 2015. [Online]. Available: https://www.caida.org/projects/network_telescope/. [Accessed 17 August 2015].
[3] J. Postel, “Internet Control Message Protocol, RFC792,” 5 September 1981. [Online]. Available: https://tools.ietf.org/html/rfc792. [Accessed 18 August 2015].
[4] G. Yao, J. Bi and A. V. Vasilakos, “Passive IP Traceback: Disclosing the Locations of IP Spoofers from Path Backscatter,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 3, pp. 471-484, 2015.
[5] B. C. Hal Burch, “Tracing Anonymous Packets to Their Approximate Source,” in 14th Usenix Systems Administration Conf., LISA, 2000.
[6] A. B. and N. Ansari, “IP Traceback with Deterministic packet marking,” IEEE Communication Letter, vol. 7, pp. 162-164, 2003.
[7] A. B. and N. Ansari, “Tracing Multiple Attackers with deterministic packet marking (DPM),” in IEEE Pacific Rim Conference, 2003.
[8] W. Xiao-jing and X. You-lin, “IP Traceback based on Deterministic Packet Marking and Logging,” in Eighth IEEE International Conference on Embedded Computing; IEEE International Conference on Scalable Computing and Communications, China, 2002.
[9] C. Gong and Sarac Kamil, “A More Practical Approach for Single-Packet IP Traceback Using Logging and Marking,” IEEE Transactions on Parallel Distributed Systems, vol. 19, no. 10, pp. 1310-1325, 2008.
[10] F.-Y. Lee and S. Shieh, “Defending against spoofed DDoS attacks with path fingerprint,” ELSEVIER - Computers & Security, vol. 2005, no. 24, pp. 571-586, 2005.
[11] Y. Ma, “An Effective Method for Defense against IP Spoofing Attack,” IEEE, pp. 978-982, 2010.
[12] A. S. Pimpalkar and A. R. B. Patil, “Defence Against DDoS Attack Using IP Address Spoofing,” International Journal of Innovative Research in Computer and Communication Engineering, vol. 3, no. 3, pp. 1919-1926, 2015.
[13] D. Davis, “TechRepublic,” 14 March 2007. [Online]. Available: http://www.techrepublic.com/article/prevent-ipspoofing-with-the-cisco-ios/. [Accessed 30 August 2015].