Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Network forensics is the capture, recording, and analysis of network

advertisement 
Network Forensics is the capture, recording, and analysis of network events in order to
discover the source of security attacks or other problem incidents.
The current process of network analysis and forensics follows a bottom up approach,
where the traffic is traced back, hop-by-hop starting from the victim back to the source of
attack.
A variety of IP traceback techniques exist. They are as follows:
1) Ingress Filtering
2) Link Testing
3) Input Debugging
4) Control Flooding
5) ICMP Trace Back
Such a trace back involves he use of various tools such as trace route, ping packets,
reverse DNS lookup etc.This method of tracing the source of attack backwards, starting
from the victim node, has its own shortcomings. Often firewalls in the path block the
trace routes, so the network administrator’s ability to analyze the traffic is limited to the
network in his/her control, therefore a successful trace back requires the cooperation of a
number of administrators.
In IPv4 there is an option of ‘record route’. When this option is set, the routers in the
path embed their IP addresses in the packet. Various researchers have suggested packet
marking, using this option. The technique will eliminate attacker’s ability to conceal the
true source, but the major drawback is that any such marking technique would need to be
implemented globally, in order to be effective.
Since the IPv6 standard is still under development, we propose to include certain features
in the standard which will make network forensics fast and easy.
The “Point of Origin” information which we propose to embed in the IPv6 header will
have two components:
1) The hardware address of the source node.
2) The IP address of the incoming interface of the first router which the packet will
encounter.
We intend to propose relevant fields in the IPv6 header which will make it a standard to
include this “Point of Origin” information in every packet on the internet. The technique
has many advantages:
1) It will make spoofing difficult for the attackers because now they will have to spoof,
not only their IP address and hardware address but also the address of the first router
which the packet will encounter.
This will prevent the attackers from taking advantage of the anonymity which exists in
the internet today.
2) It will be effective in cases where the attacker uses Zombies (or reflectors); these are
the unsuspecting nodes, which are used as slaves to carry out a packet storm attack (like
in distributed denial of service attack). In event of such an attack the “Point of Origin”
field will be used to identify the zombies and the networks to which they belong.
3) It will prevent email spoofing, because the receiver of a suspicious email can check
its “Point of Origin” using the proposed field in the IPv6 header.
Similarly there are many advantages of this approach vis-à-vis, hop to hop trace back,
we intend to explore and highlight these advantages during the course of project work.
We also intend to analyze the shortcomings and drawbacks of such a scheme, and suggest
an optimal network forensic technique for an Ipv6 packet, using the new “point of origin”
information which we intend to embed in the Ipv6 standard.
As far as the practical aspect of our study is considered we will attempt to simulate the
IPv6 environment using standard network simulators. Once this is achieved we will
compare the existing forensics techniques with our proposed solution.
The study will have far reaching implications as IPv6 is still an evolving technology and
hence open to changes. Our team has already registered with the Internet Engineering
Task Force (IETF) working group for IPv6 development, and we are on the IETF
mailing list. Once our study is completed, we intend to convey the results to all the
members of the working group. We hope and we pray that suggestions will find a place
in the final IPv6 standard.
Related documents
APNIC Focus Group and Survey Action Plan
APNIC Focus Group and Survey Action Plan
Reaction Papers
Reaction Papers
Algebra 1 Preparing for Success Packet
Algebra 1 Preparing for Success Packet
IPv6 Deployment for ADSL Address allocation and Configuration
IPv6 Deployment for ADSL Address allocation and Configuration
Chapter 9b IPv6 Subnetting
Chapter 9b IPv6 Subnetting
ISOC.PH: Internet & v6
ISOC.PH: Internet & v6
PPT Version
PPT Version
IPv6 Introduction: Network and Applications
IPv6 Introduction: Network and Applications
Module 6
Module 6
NAT.IPv6.MPLS.Long.Version.of.5
NAT.IPv6.MPLS.Long.Version.of.5
Malaysia Towards IPv6
Malaysia Towards IPv6
Document
Document
Lecture - 12
Lecture - 12
IPv6 Forum Honors Four IPv6 Evangelists with its Internet Pioneer
IPv6 Forum Honors Four IPv6 Evangelists with its Internet Pioneer
Addressing
Addressing
6LoWPAN (Introduction & Problem Statement)
6LoWPAN (Introduction & Problem Statement)
IP security over ATM CS 329
IP security over ATM CS 329
IPv6
IPv6
IPv4 to IPv6 Network Address Translation
IPv4 to IPv6 Network Address Translation
IPv6 - Internet Protocol Version 6
IPv6 - Internet Protocol Version 6
Presentation on the IPv6 STF 276 project
Presentation on the IPv6 STF 276 project
The ISP Column
The ISP Column
Download
advertisement