International Journal of Engineering Trends and Technology (IJETT) – Volume 27 Number 6 - September 2015

Identifying Spoofed Packets Origin using Hop Count Filtering and Defence Mechanisms against Spoofing Attacks

Israel Umana (1), Sornalakshmi Krishnan (2)
(1) M.Tech Student, Information Security and Cyber Forensic, Dept. of Information Technology, Faculty of Engineering & Technology, SRM University, India
(2) Assistant Professor, Information Security and Cyber Forensic, Dept. of Information Technology, Faculty of Engineering & Technology, SRM University, India

ISSN: 2231-5381

Abstract
Spoofing is a technique used by hackers to conceal their identities on the Internet. Thus, one can launch attacks from a particular location and assume the identity of someone else who either does not exist or exists in a completely different location. Distributed Denial of Service (DDoS) attacks, among other kinds of attacks, succeed through IP spoofing. Over the years, efforts to combat the popular DDoS attacks have always implied efforts to identify spoofed packets; hence a lot of work has been done to identify IP packets that do not originate from where they claim to. However, efforts to trace back to the true source of spoofed packets have faced a number of challenges, which include ease of deployment, extra overhead on routers and the need for the mechanism to be implemented in all the routers in the Internet. This paper presents a new methodology that does not require any deployment but utilizes already existing features implemented in routers to reveal the true location of the attacker. We focus on trusted networks and utilize hop count filtering to identify spoofed packets and to implement a trace back to the node from which the spoofed packet originated. We also propose a secure three-way handshake that would prevent the attacker from obtaining a false connection to a victim by simply guessing the sequence numbers.

Keywords — Spoofing; Backscatter; Hop Count Filtering; IP Trace back; Secure three-way handshake

I. Introduction
Malicious hackers are everywhere! One thing that is common among hackers, except for the suicide hackers, is that they want to remain anonymous on the Internet. They do this by masquerading and pretending to be who they are not. This act of concealing one's identity on the Internet is known as IP address spoofing. The IPv4 and IPv6 headers both have fields marked as Source Address and Destination Address, as shown in figure 1. The source address is the part of the header that is usually forged by the attacker, as it bears his identity.

Figure 1: IPv4 and IPv6 Headers

Most cyber-attacks directly or indirectly involve spoofing, as attackers most times do not want to be traced. The popular Distributed Denial of Service (DDoS) attack exploits the IP spoofing technique to send rogue requests from fake IP addresses to a single target [1]. Because the requests come from different spoofed IP addresses, it becomes difficult to trace the true generator of such malicious packets. Thus, the attacker ends up impersonating the legitimate owners of the addresses used in the spoofing activity. This is a breach of authentication. Usually, the spoofer is not interested in the response packets, as they are sent to the spoofed addresses, which never requested them. Therefore, the system resources allocated for such packets lie wasted, while legitimate requests for those resources are denied: a denial of service (DoS) attack.

In this paper, we study the IP spoofing activity by analysing the backscatter messages captured by an Internet monitor called a network telescope or darknet [2]. A network telescope is a passive traffic monitoring system which is a globally routed /8 network. It captures unsolicited response packets, which are usually sent from a spoofing attack victim back to the spoofed addresses.
These response packets could be SYN packets or ICMP error messages, also known as path backscatter. Though the network telescope is primarily aimed at observing Distributed Denial of Service attacks (as depicted in figure 2), the backscatter messages, if collected, can be useful in identifying the true origin of the spoofed packets. We explore the ICMP error messages, which hold details that can lead to the disclosure of the spoofer's location. As presented in RFC 792 [3], ICMP error messages are generated on certain occasions. For instance, the ICMP Time Exceeded message is generated when the TTL value is exhausted while a packet is in transit or when the fragment reassembly time is exceeded. These messages carry information that reveals the original IP header (figure 3). Thus, by probing the ICMP error messages, one can discover the original source IP address of the packet, which in most cases is that of the spoofer's gateway.

Figure 2: Backscatter monitor with darknet (Source: [2])
Figure 3: ICMP header format

http://www.ijettjournal.org Page 281

II. Review of Existing Work

A. Existing works on IP Trace back Mechanisms
A lot of literature has been published on methodologies to identify the true location of the IP spoofing attacker. Apart from the recent work published by [4], other IP traceback mechanisms can broadly be classified into two: packet marking and packet logging. In the packet marking method, presented in [5], the routers append their identification information to the packet header as the packet traverses the network. The IP header has limited space for marking; therefore the routers probabilistically mark packets such that each marked packet carries only partial information about the network path. This method of packet marking is called Probabilistic Packet Marking (PPM).
The network path is then reconstructed from a number of marked packets received. Another variant of the packet marking method is Deterministic Packet Marking (DPM), proposed in [6] and [7]. In this method, the packet marking is done deterministically by only the ingress edge routers, exempting the other routers from the marking task. This reduction in the number of routers engaged in packet marking makes DPM most effective in handling large-scale Distributed Denial of Service attacks. The major challenge of the packet marking method is that it requires a number of packets in order to determine the network path, because a single marked packet carries only partial path information.

The packet logging approach requires the routers on the path to the destination to store the path information of a packet in the router's memory. This logged information is then used to derive the network path of the packet. This, as noted in [8], consumes enormous storage and processing resources, given the limited storage capacity of routers. Apart from the storage limitation, it also poses a privacy threat, as the logged information may reveal the topology of the network, and ISPs are sceptical about implementing features that compromise the privacy of individuals. Though some authors, such as [8] and [9], have published articles on a hybrid of these two methods in an attempt to overcome their inherent drawbacks, the unattended challenge has always been the deployment difficulty: all routers in the Internet would have to be configured to implement packet marking and logging as proposed by these authors. It also requires collaboration with ISPs, who are not readily willing to implement policies that have no business value for them. These, among other factors, have led to more research into traceback mechanisms that do not require deployment on all routers and that are equally effective in identifying the origin of spoofed traffic.
B. Defence against IP Spoofing
Many defence mechanisms have been proposed against the impersonation attack known as IP spoofing. Fu-Yuan Lee et al. [10] proposed an anti-DDoS scheme called ANTID, which focuses on identifying spoofed packets and discarding them when DDoS attacks occur. Their scheme was inspired by hop count filtering and path identification. This, again, requires a huge deployment cost, as each of the routers is expected to mark the packets with path information. Another method is presented in [11], which is based on traceroute and cooperation with trusted adjacent nodes. It requires mutual cooperation among trusted adjacent nodes to block intruders from an external network who intrude into trusted networks by IP spoofing attacks. In this model, the author employs an adjacent trusted node, referred to as the detection node, to detect when the hijacked node is unreachable due to the presence of an impersonator. The challenge with this method is getting external nodes to cooperate in detecting spoofers over the Internet. Pimpalkar et al. [12] propose a cryptographic hash technique for defending against spoofing attacks. In the algorithm, certain fields in the IP header are extracted and encrypted using a hashing technique. The encryption secret key is computed from certain packet field values, and an XOR operation is then carried out on the computed values. This constitutes extra overhead on the network.

III. OUR WORK

A. HOW SPOOFING IS DONE IN A TRUSTED NETWORK
The schematic of a trusted network is illustrated in figure 4. In this architecture, each trusted node has access authority over the others. Thus, each trusted node in the network holds access information about the other nodes, such as node name, IP address, hop count and traceroute from itself to each other trusted node. The trusted nodes can, however, be virtually connected together. That is, as opposed to the idea illustrated in figure 4, hosts A, B and C can be in different geographical locations and still make up the trusted network. Thus, if host A communicates with node B, node B can verify the authenticity of the message received by comparing the information retrieved from the message with the stored access information about node A. This way, a spoofer trying to mimic the IP address of a trusted node can be identified, since he has no knowledge of the other information such as hop counts between trusted nodes, computer names, etc. In general, there can be a number of routers (henceforth referred to as nodes) forming the trusted network. Thus, any packet from outside the network must first be authenticated. In our work, we simulated 49 nodes within the network and illustrated how the traceback process is implemented. The following section explains the spoofing process in detail.

Figure 4: Trusted and Untrusted network

The spoofing process generally works as depicted in figure 5. The hosts with IP addresses 192.168.1.100 (Host A) and 192.168.1.1 (Host B) are considered trusted hosts. An attacker with IP address 10.0.0.1 (Host C) first attacks and takes control of Host A and blocks it from communicating with the Internet. Next, it sends a TCP SYN connection request to Host B pretending to be Host A. When Host B receives the request, it sends a SYN + ACK to node A. However, node A cannot act on such a response, since it did not request it. But, since Host A is under the control of Host C, Host C sniffs and captures the sequence number and uses it to send an ACK packet to Host B, hence completing the three-way handshake. Thus, for an attacker to successfully spoof the source address of a trusted host, he must first obtain control of that source.

Figure 5: Spoofing Process
This is a kind of man-in-the-middle (MITM) attack, which requires that the attacker break into the network (usually through one of the weak links within the trusted network) before he can successfully impersonate another user.

B. DETECTION OF SPOOFED PACKETS BASED ON HOP COUNT FILTERING
Within a trusted network, each node maintains an IP-to-HopCount table, indexed by the IP addresses within the network, which indicates how many hops it takes to reach each host within the network. Unfortunately, hop count values are not directly captured in the IP header but are implied by the time-to-live (TTL) value. TTL specifies the maximum number of nodes a packet may traverse on its way to the destination. Sometimes hackers set small TTL values with the intention of triggering ICMP error messages that tell them exactly how far away the target system is. When a packet traverses a node (router), the TTL value is decremented by 1. However, initial TTL values are not uniform across platforms: some operating systems set it to 30, others to 64 or 128, etc. Thus, the initial TTL value of a packet can be obscure. Given that we are considering a trusted network in which we know many details about each node, we can predict the initial TTL value of the packet. To determine whether or not a packet is from a genuine source, we first extract the source IP address from the packet header and label this address S. We extract the final TTL from the header and label it T. We infer the initial TTL, T0, from the knowledge of the initial TTL usually generated within the network, which depends on the host operating system. From these values we compute the hop count, Hc.
From the IP-to-HopCount table, we index the source IP address, S, to obtain the stored hop count, Hs, between the source IP address and the destination. We then compare Hc with Hs; if they match, the packet is from the genuine source; otherwise, the packet is spoofed. The algorithm works as follows:

  For each packet:
    extract the final TTL, T, and the source IP address, S;
    infer the initial TTL, T0, and compute the hop count, Hc = T0 – T;
    index S to get the stored hop count, Hs;
    if (Hs == Hc) the packet is legitimate;
    else the packet is spoofed;

C. TRACEBACK BASED ON HOP COUNT
We now present the method we employed in our implementation to trace the node through which the spoofed packet was sent. When a spoofed packet is detected, the trace back module is triggered. First, the system tries to identify the path between the source node, S, and itself, D, and the number of nodes, p, between S and D. With this, it identifies all the nodes between the source and destination as a set of suspect nodes, Ns:

  Ns = {Ni : 1 <= i <= p}

This is done by sending route requests to neighbouring nodes and evaluating the route replies. With this, the most efficient path between S and D is identified, as well as Ns. After identifying the set of suspect nodes, Ns, the system probes the distances between S and each of the nodes Ni to find which of them has a hop count equal to the earlier computed value. Once a match is found, that node is designated the spoofing node; otherwise, the test fails. Our aim is to identify through which of the nodes the attacker broke into the network and to take the necessary measures to secure such nodes. Further probing can be done, though it is not covered in the scope of this work, to determine which host connected to the spoofing node actually launched the attack.

D. SECURE THREE-WAY HANDSHAKING
We reasoned that spoofing becomes successful in a trusted network due to the ability of the attacker to guess the sequence numbers of the packets transmitted between legitimate hosts within the network. Thus, if some additional credential that cannot be guessed is requested and verified during the three-way handshake, the attacker will find it more difficult to establish a connection with the victim using a spoofed address. Therefore, we propose a secure three-way handshake in a trusted network based on the spoofing scenario depicted in figure 5. We present two models: one based on a pre-shared secret key (K) among the trusted hosts and the other based on the shared identifiers (ID) among the trusted hosts. The two schemes are illustrated in figure 6 and figure 7.

Figure 6: Secure 3-way Handshake based on Shared key
Figure 7: Secure 3-way handshake based on shared Identity

In the first model, if there is a shared symmetric encryption key among the trusted nodes for the purpose of authentication, then this can be incorporated into the connection negotiation process. When a host within a trusted network wishes to communicate with another host, it sends a SYN packet to the destination. The destination generates a random value (rand), encrypts it with the shared key (K) using any agreed symmetric encryption algorithm, sends a SYN + ACK and piggybacks the encrypted rand on it to the source. If the source is genuine, it will have the shared key and will therefore be able to decrypt the rand, piggyback it on an ACK packet and send it to the destination. The destination grants the connection if the rand it receives matches the one it had earlier generated.

In the second model, the identity information which is accessible to all the trusted hosts is utilized. Here, when a trusted host receives a SYN request from another trusted host, it asks, "hey, do you know my identity?" by sending a hash of its identity along with the SYN + ACK packet. The host that initiated the connection request then sends an ACK along with the ID of the destination, which can be verified before the connection request is granted. With this, we can terminate the connection between the spoofer and the target host during the connection negotiation process.

E. IMPLEMENTATION AND RESULT
We illustrate this concept with NS2. We simulate a trusted network with 49 nodes, as shown in figure 8. In the implementation, we simulate an attacker mapping the network to find out its topology and hence the nodes between the source and destination that can be compromised. He monitors the traffic and then takes control of the intermediate nodes. He then pretends to be the original source by using the original source IP address as his own. At the destination, the spoofer detection module is run whenever a packet is received. Whenever a spoofed packet is identified, the trace back module is automatically run. The system was tested with different sets of source nodes, destination nodes and spoofing nodes. The end-to-end delay, spoofer detection rate and packet delivery ratio generated by NS2 are shown in the output graphs of figure 9, figure 10 and figure 11.

Figure 8: Set of nodes in a trusted network
Figure 9: End-To-End Delay output
Figure 10: IP Spoofer Detection
Figure 11: Packet Delivery Ratio

IV. CONCLUSION AND FUTURE WORK
In this paper, we present a method of IP trace back using hop count. We limited our study to a trusted network where the nodes collaborate with one another to detect anomalous activities.
This method is easy to implement and, with an optimized algorithm, the spoofer can be detected and traced before much damage is done. There is, however, a need to extend the trace back with hop count to address spoofing attacks in untrusted networks, where there is no collaboration between neighbouring nodes or any shared information between nodes. Research is also needed in the area of determining the initial TTL value of a packet, so as to be able to determine, with a greater level of precision, the hop count between nodes.

References
[1] Y. Xiang and W. Zhou, “A Defense System Against DDoS Attacks by Large-Scale IP Traceback,” in Third International Conference on Information Technology and Applications (ICITA’05), Australia, 2005.
[2] CAIDA, “Network Telescope,” CAIDA, 23 April 2015. [Online]. Available: https://www.caida.org/projects/network_telescope/. [Accessed 17 August 2015].
[3] J. Postel, “Internet Control Message Protocol,” RFC 792, 5 September 1981. [Online]. Available: https://tools.ietf.org/html/rfc792. [Accessed 18 August 2015].
[4] G. Yao, J. Bi and A. V. Vasilakos, “Passive IP Traceback: Disclosing the Locations of IP Spoofers from Path Backscatter,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 3, pp. 471-484, 2015.
[5] H. Burch and B. Cheswick, “Tracing Anonymous Packets to Their Approximate Source,” in 14th USENIX Systems Administration Conference (LISA), 2000.
[6] A. Belenky and N. Ansari, “IP Traceback with Deterministic Packet Marking,” IEEE Communications Letters, vol. 7, pp. 162-164, 2003.
[7] A. Belenky and N. Ansari, “Tracing Multiple Attackers with Deterministic Packet Marking (DPM),” in IEEE Pacific Rim Conference, 2003.
[8] W. Xiao-jing and X. You-lin, “IP Traceback based on Deterministic Packet Marking and Logging,” in Eighth IEEE International Conference on Embedded Computing; IEEE International Conference on Scalable Computing and Communications, China, 2002.
[9] C. Gong and K. Sarac, “A More Practical Approach for Single-Packet IP Traceback Using Logging and Marking,” IEEE Transactions on Parallel and Distributed Systems, vol. 19, no. 10, pp. 1310-1325, 2008.
[10] F.-Y. Lee and S. Shieh, “Defending against spoofed DDoS attacks with path fingerprint,” Computers & Security, vol. 24, pp. 571-586, 2005.
[11] Y. Ma, “An Effective Method for Defense against IP Spoofing Attack,” IEEE, pp. 978-982, 2010.
[12] A. S. Pimpalkar and A. R. B. Patil, “Defence Against DDoS Attack Using IP Address Spoofing,” International Journal of Innovative Research in Computer and Communication Engineering, vol. 3, no. 3, pp. 1919-1926, 2015.
[13] D. Davis, “TechRepublic,” 14 March 2007. [Online]. Available: http://www.techrepublic.com/article/prevent-ipspoofing-with-the-cisco-ios/. [Accessed 30 August 2015].
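The hop-count filter of Section III.B and the traceback of Section III.C, run over a small constructed topology, as an added example; it is not part of the paper and not its NS2 implementation. The six-node topology, the node names and the per-node initial TTL values are assumptions. Breadth-first search over that topology stands in for the route request/reply step, and the hop count is modelled as the number of forwarding nodes between sender and receiver, each of which decrements TTL by one. The scenarios cover a genuine packet, a compromised node on the S-D path (detected and traced), a node off that path whose platform TTL makes Hc negative (detected, but the trace fails because it is not among the suspects), and an address with no table entry.

```python
"""Hop-count filtering (Section III.B) and hop-count traceback (Section III.C)
over a small constructed trusted network. Added example; not the paper's NS2 code."""
from collections import deque

# Constructed topology: each node is a trusted router, each pair is a link.
LINKS = [("A", "R1"), ("R1", "R2"), ("R2", "R3"), ("R3", "B"), ("R2", "R4"), ("R4", "C")]

# Assumed initial TTL per node, as set by each node's operating system.
INITIAL_TTL = {"A": 64, "R1": 64, "R2": 64, "R3": 64, "B": 64, "R4": 64, "C": 128}


def build_graph(links):
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def shortest_path(graph, src, dst):
    """Breadth-first search; returns the node list from src to dst inclusive,
    or None if dst is unreachable. Stands in for the route request/reply step."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(graph.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


def hop_count(graph, src, dst):
    """TTL decrements between src and dst: every forwarding node on the path
    decrements TTL by one; the originator and the final receiver do not."""
    path = shortest_path(graph, src, dst)
    return None if path is None else max(len(path) - 2, 0)


def build_hopcount_table(graph, me):
    """The IP-to-HopCount table that node `me` keeps for every other trusted node."""
    return {n: hop_count(graph, n, me) for n in graph if n != me}


def observed_ttl(graph, sender, dst):
    """Final TTL seen at dst for a packet `sender` originates with its platform's initial TTL."""
    return INITIAL_TTL[sender] - hop_count(graph, sender, dst)


def hcf_check(table, claimed_src, final_ttl):
    """Section III.B. Returns (verdict, Hc) with Hc = T0 - T, where T0 is the
    initial TTL expected from the claimed source's platform."""
    if claimed_src not in table or claimed_src not in INITIAL_TTL:
        return "untrusted", None          # not a trusted node: must authenticate first
    hc = INITIAL_TTL[claimed_src] - final_ttl
    if hc < 0:                            # more TTL left than the claimed source could send
        return "spoofed", hc
    return ("legitimate" if hc == table[claimed_src] else "spoofed"), hc


def traceback(graph, claimed_src, me, hc):
    """Section III.C. The suspects Ns are the p nodes between S and D on the shortest
    path; the one whose hop count to D equals Hc is the spoofing node. Since every
    suspect lies on the S-D path, hop(S, Ni) + hop(Ni, D) + 1 == Hs, so probing the
    distance from S, as the paper phrases it, selects the same node."""
    path = shortest_path(graph, claimed_src, me)
    if path is None or hc is None:
        return None
    for node in path[1:-1]:               # Ns = {N_i : 1 <= i <= p}
        if hop_count(graph, node, me) == hc:
            return node
    return None                           # no suspect matches: the trace fails


def run_scenarios():
    graph = build_graph(LINKS)
    table = build_hopcount_table(graph, "B")   # table kept by destination B
    out = {"table": table}
    # 1. Genuine packet from A: T0 = 64, three forwarding nodes, so T = 61.
    out["genuine"] = hcf_check(table, "A", observed_ttl(graph, "A", "B"))
    # 2. Compromised R2 sends with A's address and A's initial TTL; T = 63 at B.
    verdict, hc = hcf_check(table, "A", INITIAL_TTL["A"] - hop_count(graph, "R2", "B"))
    out["inside"] = (verdict, hc, traceback(graph, "A", "B", hc))
    # 3. C (initial TTL 128) sends with A's address: Hc goes negative, and no node
    #    on the A-B path matches, so detection succeeds but the trace fails.
    verdict, hc = hcf_check(table, "A", observed_ttl(graph, "C", "B"))
    out["outside"] = (verdict, hc, traceback(graph, "A", "B", hc))
    # 4. An address with no table entry is not a trusted node at all.
    out["unknown"] = hcf_check(table, "10.0.0.1", 60)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The third scenario is the practical limit the paper's own conclusion points at: the filter still catches the packet, but the traceback can only name a node that lies between S and D, so a spoofer elsewhere in the network is detected without being located.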
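The two handshake models of Section III.D, with both sides' messages, as an added example that is not the paper's code. The SHA-256 keystream standing in for "any agreed symmetric encryption algorithm", the identity record format, the key value and the message field names are all assumptions. The spoofer models host C of figure 5: it claims A's address and sees the SYN + ACK, but holds neither K nor the shared identity table.

```python
"""Secure three-way handshake between trusted hosts (Section III.D).
Added example; not the paper's code. Model 1 uses a pre-shared key K, model 2 the
identity information shared among trusted hosts. Standard library only."""
import hashlib
import hmac
import os


def keystream_xor(key, nonce, data):
    """Assumed stand-in for the agreed symmetric cipher: a SHA-256 keystream derived
    from K and a fresh nonce, XORed over up to 32 bytes. Encrypt and decrypt coincide."""
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


class Destination:
    """Host B: answers a SYN with a challenge and grants the connection on a valid ACK."""

    def __init__(self, name, ident, shared_key):
        self.name, self.ident, self.key = name, ident, shared_key
        self.pending = {}                  # claimed source -> rand we expect back

    # Model 1: pre-shared key.
    def syn_ack_key(self, claimed_src):
        rand, nonce = os.urandom(16), os.urandom(16)
        self.pending[claimed_src] = rand
        return {"type": "SYN+ACK", "nonce": nonce,
                "enc_rand": keystream_xor(self.key, nonce, rand)}

    def accept_key(self, claimed_src, ack):
        expected = self.pending.pop(claimed_src, None)    # one attempt per challenge
        return expected is not None and hmac.compare_digest(ack["rand"], expected)

    # Model 2: shared identity ("hey, do you know my identity?").
    def syn_ack_id(self, claimed_src):
        return {"type": "SYN+ACK", "id_hash": hashlib.sha256(self.ident).digest()}

    def accept_id(self, claimed_src, ack):
        return hmac.compare_digest(ack["id"], self.ident)


class Source:
    """A host sending SYN. A genuine trusted host holds K and the identity table;
    a spoofer receives the SYN+ACK but holds neither."""

    def __init__(self, name, shared_key=None, trusted_ids=None):
        self.name, self.key, self.trusted_ids = name, shared_key, trusted_ids or {}

    def ack_key(self, syn_ack):
        if self.key is None:
            return {"type": "ACK", "rand": bytes(16)}            # can only guess
        rand = keystream_xor(self.key, syn_ack["nonce"], syn_ack["enc_rand"])
        return {"type": "ACK", "rand": rand}

    def ack_id(self, syn_ack):
        for ident in self.trusted_ids.values():                   # find the matching identity
            if hmac.compare_digest(hashlib.sha256(ident).digest(), syn_ack["id_hash"]):
                return {"type": "ACK", "id": ident}
        return {"type": "ACK", "id": b"?"}                        # identity unknown


def handshake_key(dst, src):
    """Model 1: SYN -> SYN+ACK carrying E_K(rand) -> ACK carrying rand -> grant/deny."""
    syn = {"type": "SYN", "src": src.name}
    syn_ack = dst.syn_ack_key(syn["src"])
    return dst.accept_key(syn["src"], src.ack_key(syn_ack))


def handshake_id(dst, src):
    """Model 2: SYN -> SYN+ACK carrying H(ID_B) -> ACK carrying ID_B -> grant/deny."""
    syn = {"type": "SYN", "src": src.name}
    syn_ack = dst.syn_ack_id(syn["src"])
    return dst.accept_id(syn["src"], src.ack_id(syn_ack))


def run_scenarios():
    key = b"constructed-pre-shared-key-K"
    # Constructed identity records shared among the trusted hosts of figure 5.
    ids = {"A": b"hostA|192.168.1.100", "B": b"hostB|192.168.1.1"}
    host_b = Destination("B", ids["B"], key)
    genuine_a = Source("A", key, ids)
    spoofer = Source("A")            # claims A's address; has neither K nor the IDs
    return {
        "key_genuine": handshake_key(host_b, genuine_a),
        "key_spoofer": handshake_key(host_b, spoofer),
        "id_genuine": handshake_id(host_b, genuine_a),
        "id_spoofer": handshake_id(host_b, spoofer),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The key model ties each ACK to a rand generated fresh for that handshake, so a host that only observed earlier exchanges gains nothing from them; the identity model transmits the identity itself, so its strength rests on that identity staying unknown outside the trusted network, which is the premise of Section III.A.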