Various Anti IP Spoofing Techniques

Size: px

Start display at page:

Download "Various Anti IP Spoofing Techniques"

Lynn Stevenson
6 years ago
Views:

1 Various Anti IP Spoofing Techniques Sonal Patel, M.E Student, Department of CSE, Parul Institute of Engineering & Technology, Vadodara, India Vikas Jha, Assistant Professor, Department of CSE, Parul Institute of Engineering & Technology, Vadodara,India, Abstract Anti IP Spoofing techniques prevent your system or your Network from the IP Spoofing. IP Spoofing is attack that takes place in Network. It is used to gain unauthorized access to computer by spoofing the IP Address from the IP (Internet Protocol) Packet Header. The main Purpose of IP Spoofing attack is to hide the true identity of the attacker. IP Spoofing is used by the popular attacks like Dos (Denial o Service), DDos (Distributed Denial of Service), and Man in Middle. This Paper Describe various techniques for detecting and preventing IP Spoofing. Keywords:. Anti IP Spoofing, IP Spoofing, Dos, Filtering, Host Based, Router Based. Introduction IP Spoofing forge the IP Address from the IP header and the packet with the forged IP Address is send to the victim. Router is responsible for routing, whenever packet is come to the router, it checks the destination address and sends the packet according to the destination address. Source IP Address is not checked by the router that whether it is proper or not, and simply it send to the destination [1]. Internet Protocol (IP) is not provided security so attacker can easily alter the IP Address from the packet header. IP Spoofing attack is become very popular because it is used by the Dos attack. In Dos attack, Attacker will send many packets to the victim from different source addresses. Dos is a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic, it is impossible to stop the attack simply by blocking a single IP address, To trace the True location of the attacker is very difficult. To prevent your network from the IP Spoofing attack or any other attack that is involving IP Spoofing, Some Authors describe the Techniques to overcome this problem. This is a survey paper that includes some of the Anti IP Spoofing techniques. Anti IP Spoofing Techniques Ingress Filtering This is the Simple approach for preventing IP Spoofing attack. It is the basic filtering approach. This Approach is depends on the ACL (Access Control List). ACL contains list of rules, on the base of these rules, packet will be filtered [2]. In this approach ACL has list of IP Address prefix, these IP Address prefix belong to the particular AS (Autonomous System).It filter the inbound packet at the border router of the AS (Autonomous System). When the AS s address space changes, operator must learns the changes otherwise it will drop the valid data packet [2]. Ingress filtering requires full deployment. Egress Filtering This is also simple and basic filtering approach. It is same as Ingress Filtering, But it filter outbound packet [2]. Whenever packet come to the border router from the AS, It will check the source IP Address of the packet, If it is not belong to the IP Address prefix List then it will block that IP Packet. It will not allow that packet to go outside the network. Egress Filtering will not filter the Inbound Packet [2]. Unicast Reverse Path forwarding (urpf) Unicast Reverse path forwarding (urpf) reversely uses the forwarding table for Filtering the Packet. It looks up the outgoing interface toward the source address of an incoming packet. The packet is mark as spoofed and drops if the outgoing interface is different from the packet s incoming interface [2]. If forwarding paths are symmetric, then this technique will works correctly, But under route asymmetry, which is very prevalent on the current Internet, urpf may drop valid packets. Hope Count Filtering (HCF) Hope Count Filtering is depends on the number of hops through packet travel. An attacker can forge any field in the IP header; he cannot falsify the number of hops an IP packet takes to reach its destination [3]. On the base of information of Mapping between IP Address and their hope count, server can identify the spoofed packet, because spoofed packet has different hope count than valid packet. Hope count value is directly obtained from the TTL field of IP Packet. Hope count information is not directly stored in TTL field; one has to compute the value on the base of final TTL field value [3]. TTL is 8-bit field, it originally uses for the life time of each packet in the network, TTL is Time to Live. Whenever packet is come to the intermediate router, it will decrement the TTL value before forwarding it to the next hope. At the destination, it can see only the final value of the TTL. It has to compute the TTL value at the destination, Final TTL value is equal to initial TTL value minus number of hopes though the packet come. All the Operating Systems use the same Initial TTL value. One can determine the initial TTL value of a packet by selecting the smallest initial value in the set that is larger than its final TTL. For example, if the final TTL value is 112, the initial TTL value is 128 [3]. Open Access Journals Blue Ocean Research Journals 27

2 Hope Count Filtering (HCF) builds the IP Address to Hope Count Mapping table [4].At the destination Hope count value is calculated, IP Address and Corresponding Hope count value is searched into the mapping table, it compare the calculated hope count and incoming packet s hope count value from the table, if calculated hope count value and packet s hope count value are different then it will discard the packet. If attacker has knowledge about the hopes between the sender and receiver then it can easily spoof the IP Packet. Route Based Filtering (RBF) Route based filtering (RBF) is depends on the incoming interface of the packet. Packets that arrive on different incoming interface are assumed as a spoofed and those packets will drop. Whenever the packet come at the router then router will check the incoming interface, if the incoming interface of the packet is different than expected incoming interface, packet will consider as spoofed and discard [5]. the packet and not able to identify the spoofed packet because Interface of A and B are same. Packet Passport System Packet passport system is cryptography based authentication technique to verify the source address at the destination. It is based on symmetric cryptography and hash algorithm. Passport tends to solve the source address spoofing which happening in the Inter-domain network environment [6]. The packet with the valid passport will be considered as a valid packet. If the passport value is different so packet will mark as spoofed and discard the packet. Packet passport technique requires light weight MAC (Message Authentication Code) computation. Source includes MAC value into the Option field of IP header or shim layer [7]. Fig 1.2 passport packet Fig. 1.1 Route based Filtering Router has filtering table. As packet arrive at the border router, it will Search the entry of IP Address that has arrived on router, then compare the IP Address and its corresponding Interface with the entry in the Routing table. As shown in Figure 1.1, if A want to send a packet to the D then, at R it will check the incoming packet interface of A from the routing table, here expected interface and incoming interface is same so R will forward packet further. If C wants to send a packet to the D, at R it will check the interface, expected interface and incoming interface both are 1 so R will forward the packet to the D. If T spoof the IP Address of the A and send it with Destination Address E. At R it will check the incoming interface, it will discard the packet because expected interface is 2 and incoming interface is 2. In some condition RBF cannot identify the spoofed packet [5]. If B spoof the IP Address of A and send the packet. R will check the interface, it will forward As shown in Figure 1.2, example of passport packet is given. Passport provides its own header. For computation of MAC value key is distributed among the source and destination. Diffie-Hellman key exchange protocol is used for the distribution of the Key [7]. Each MAC is computed using a secret key shared between the source AS and the AS on the path. If we have a two Autonomous System ASi and ASj, then Key will be K(ASi, ASj). Here as shown in Figure 1.2 if AS1 want to communicate with the AS2 then first border router of AS1 will generate the key. Key is shared between the AS1 and AS2. Here border router of AS1 is R2, R2 will generate the MAC value for all routers that packet will going through. R2 generate three MAC value for three border routers, pairs for three MAC values are (AS1,AS2), (AS2,AS3),(AS3,AS4). Border router of Autonomous System will check the MAC value from the each packet. At border router of Autonomous System will calculated MAC and compare this calculated MAC with the packet s MAC value if the value Open Access Journals Blue Ocean Research Journals 28

3 are same then it will forward the packet to the next router. If values are different then packet mark as Spoofed packet and discard the packet. As shown in figure 1.2, border router of AS2 is R3, R3 will calculated MAC value and compare it with the incoming packet which has came from the AS1, as border routers R5, R7 will going to check the MAC value. Packet passport system does not restrict how a domain implements intra domain host identification [7]. Packet passport system allows only verify the domain origin of the packet not host origin of the packet. It works only with the Inter Autonomous System. Stack Pi Packet is mark deterministically by the routers along its path towards a destination [8]. The router will mark bits in the packet s IP identification field. The deterministic marking will guarantee that the packets travelling with the same path will have the same marking. If the packet is spoofed then marking field will not match. Stack Pi (path identifier) used marking scheme for the path identifier to ensure that packet follow the same path that source has chosen to the destination. Pi marking scheme is deterministic at the path level: all packets traversing the same path receive the same marking. Receiver only needs to identify the marking value so if it found any spoofed packet then it can block all subsequent IP Packets arriving from the same path. Stack Pi uses IP identification field to mark the packet. Each router marks the packet and forwards it. In stack Pi, it treat IP Identification field as a Stack. Upon receipt of a packet, a router shifts the IP Identification field of the packet to the left by n bits and writes its marking bits into the least significant bits that were cleared by the shifting [8]. Router simply pushes its value into the IP identification field. As shown on a figure 1.3 source send a packet to the destination, at R1 it will mark the value m1 and forward it to the R2, R2 will mark its marking value m2 and forward it further. Figure 1.3 shows how the Stack Pi mark evolves as the Packet traverses routers Rl through R9. Initially, the marking field contains arbitrary data. In this example, the field has space for four router markings. Each router marks the incoming link. There are only 16 bit identification field, there are 2^16 number of Pi marks. As number of attacker increases it is more possible that any given Pi mark will receive some attack packets, which will cause all valid packets to be dropped. BGP Anti Spoofing Extension (BASE) BASE is the combination of marking and filtering approach with the BGP update. The BASE mechanism distributes marking value through BGP update Message. The marking in BASE is path based instead of IP based. It means it uses a Network Address instead of individual IP Address to reduce the storage capacity [9]. Receiver has Routing table which have entry of Network address corresponding to its marking value. So the marking value in the filtering table of each router is mapped based on Network Address. Every Packet with the same source address has the same Mark value. A BASE router can communicate with another BASE router with the use of BGP update message. Marking values are calculated by one way hash value and distributed it with the BGP update massage. It stores all legitimate marking value in the table. When BGP update arrives at Routers, marking value will be stored in the table [9]. BASE mechanism has on demand filtering. BASE routers are only able to filter spoofing packets after receiving instructions to filter. Source Address Validation Enforcement (SAVE) SAVE operates similarly on routers that filter packets based on their incoming direction. SAVE runs on individual routers and build incoming table. Incoming table has entry of IP Address with corresponding Packet interface. Each router allow to map incoming interface to IP Address with the existing one to check whether it come from the valid interface or not. If that packet has valid interface then router will deliver that packet otherwise it will simply discard the packet [10]. SAVE keeps information of two types of table. Forwarding table and incoming table. Forwarding table has information of outgoing packet s IP address with its interface and incoming table has incoming packet s IP address with its interface. Fig 1.3 Pi Marking SAVE update should be design to inform all routers about the proper route which has been already decided. So all Open Access Journals Blue Ocean Research Journals 29

4 router can make proper entry about those packets and interfaces. The goal of the SAVE protocol is to build a table at each router that specifies the valid incoming interface for packets carrying a given source address. Routers use this table to filter those packets with forged source addresses. In SAVE protocol, for each entry in forwarding table SAVE update is sent to the destination to inform about this interface and to make an entry with the specific interface along with route [10]. This SAVE is periodically generated SAVE updates. A router generates SAVE updates for each entry in its forwarding table. If router R has source address space Sr and has a forwarding entry for destination address space D, the corresponding SAVE update will be: < destination address space = D, ASV = <Sr >, appendable = true >. Here ASV (address space vector) records source address spaces on the path that this SAVE update has traversed [8]. The ASV field records the path that the SAVE updates has traversed. An ASV records ordered list of address spaces, not a list of routers. Initially, the ASV in a SAVE update contains only the origin router s source addresses space. The ASV expands as the SAVE update crosses intermediate routers; an intermediate router can append its address space to the SAVE update s ASV. SAVE update is being encapsulated inside an IP datagram whose destination address is randomly chosen from D, allowing routers not running SAVE to still forward SAVE updates [10]. Another main part of the SAVE protocol is invention of incoming tree. Every router maintains its incoming tree on the basis of SAVE updates. That keeps the topological relationship of source address space. Thus, when one routing change affects the incoming direction of many spaces, a router can automatically update the information for every affected space. Analysis IP Spoofing is a major attack, so many mechanisms has introduced to mitigate the IP Spoofing. This defense Mechanism that has described in this paper can be broken down into three categories [11]. End host based solution, Router based solution and use of both Router and End host based solution. End host based solution is depends on the end host, at the end host filtering is perform. End host based solution does not depend on the Routers. This technique is less effective because it act too late [11]. Router Based solution is depends on the routers. This technique design with the Routers. Prevention Mechanism performs on the Border routers or legacy Routers. This Technique is more effective than End host based solution because it discard spoofed packet before it reach to the End host. Router based solution require high deploy ability than End host Based Solution. Table 1 Anti IP Spoofing Solutions [11] End Host Based Solution Router Solution Based Hope Count Filtering(HCF) Ingress/Egress Filtering, Passport, SAVE,BASE Use of both End Hosts and Routers Stack Pi All the Mechanism that is discussed until now, all provide Inter AS level Spoofing Defense Mechanism. Inter AS level means between two AS(Autonomous System), and Intra AS level means within the AS (Autonomous System). There are very few Techniques those provide Intra AS level Spoofing defense Mechanism like Automatic Peer-to-Peer Based Anti-Spoofing Method (APPA) [12]. Ingress /Egress Filtering has 100% Efficiency if it has full deployment otherwise it is poor. Stack Pi, BASE relay on Packet marking, so deployment problem take place when the IP Identification Field is reserved for other purposes. SAVE is good approach but at all intermediate routers again and again MAC value has to be calculated, it may be take more time, so SAVE works with the incremental Deployment [11]. Hope Count Filtering cannot locate the attacker, that from where attack has been triggered. Passport and SAVE may locate the attacker. Passport enabled routers can identify the Location of Attacker [11]. All the spoofing defense mechanism requires at least some level of overhead like some storage cost, computational cost and Bandwidth Cost. Conclusion IP Spoofing is most popular attacks since it is use by the Dos, DDos, Man in middle attack etc. In this paper, described some of the IP Spoofing defense mechanisms. Researchers have provides IP Spoofing defense mechanism with their advantages and disadvantages. All the techniques have great efficiency depends on the some policies and assumptions; they can mitigate the IP Spoofing at some level. We can mitigate the IP Spoofing attack by using appropriate technique base on the situation; it is the best way to mitigate the IP Spoofing effectively. References [1] R. Beverly, S. Bauer. "The Spoofer Project: Inferring the Extent of Source Address Filtering on the Internet", USENIX SRUTI [2] Bingyang Liu, Jun Bi and Athanasios V. Vasilakos. Toward Incentivizing Anti-Spoofing Deployment, IEEE TRANSACTIONS ON INFORMATION FO- RENSICS AND SECURITY, VOL. 9, NO. 3, MARCH Open Access Journals Blue Ocean Research Journals 30

5 [3] Haining Wang, Member, IEEE, Cheng Jin, and Kang G. Shin, Fellow, IEEE, Defense Against Spoofed IP Traffic Using Hop-Count Filtering, IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 15, NO. 1, FEBRUARY [4] C. Jin, H. Wang, and K. Shin, Hop-Count Filtering: An Effective Defense against Spoofed DDoS Traffic, Proc. 10th ACM Conf. Computer and Comm. Security, Oct [5] Jelena Mirkovic, Nikola Jevtic and Peter Reiher, "A Practical IP Spoofing Defense through Route-Based Fltering" University of Delaware, CIS department, Technical Report, CIS-TR,2006. [6] Ning-ning Lu, Hua-chun Zhou and Hong-ke Zhang, The Effectiveness of Passport Source Address Validation Scheme, Asia-Pacific Conference on Information Processing, IEEE, [7] X. Liu, X. Yang, D. Wetherall, and T. Anderson, Efficient and Secure Source Authentication with Packet Passport, Proc. Second Usenix Workshop Steps to Reducing Unwanted Traffic on the Internet (SRUTI- 06), July [8] Yaar, A. Perrig, and D. Song, Pi: A Path Identification Mechanism to Defend against DDoS Attacks, Proc. IEEE Symp. Security and Privacy, May [9] Heejo Lee, Minjin Kwon, Geoffrey Hasker, Adrian Perrig, BASE: An Incrementally Deployable Mechanism for Viable IP Spoofing Prevention,ASIACCS 07, Singapore, March 20-22, [10] Jun Li, Jelena Mirkovic, Mengqiu Wang, Peter Reiher, and Lixia Zhang, SAVE: Source Address V alidity Enforcement Protocol, IEEE [11] Toby Ehrenkranz and Jun Li,University of Oregon, On the State of IP Spoofing Defense, ACM Trans. Internet Technology 9, 2, Article 6 May [12] YanShen, JunBi, Jianping Wu and Qiang Liu, A two Level Source Address Spooing Prevention Based on Automatic Signature and verification Mechanism, Published in IEEE Open Access Journals Blue Ocean Research Journals 31

Experience with SPM in IPv6

Experience with SPM in IPv6 Mingjiang Ye, Jianping Wu, and Miao Zhang Department of Computer Science, Tsinghua University, Beijing, 100084, P.R. China yemingjiang@csnet1.cs.tsinghua.edu.cn {zm,jianping}@cernet.edu.cn