IPT Framework: A Technical & Administrative Approach for IP Packets Traceback and Identifying Cyber Criminals

Transcription

1 IPT Framework: A Technical & Administrative Approach for IP Packets Traceback and Identifying Cyber Criminals Abolfazl Amirkhan MSc student, Information Technology Management Payame Noor University Tehran Iran Amirkhanimonfared@yahoo.com Davood Vahdat Lecturer, Member of Information Technology Scientific Group Payame Noor University Tehran Iran vahdat@pnu.ac.ir Nasrollah Moghaddam Cherkari Assistance Professor, Computer Engineering Scientific Group Tarbiyat Modares University Tehran Iran Charkari@modares.ac.ir Abstract: In recent years the use of internet has become wider and include many financial transactions and business information too. And these usages have led to the increasing of abuse from the internet. Although a lot of security software and hardware are designed to prevent cyber attacks, the efficiency of these tools hasn t been fully reliable. As a result, the study around the topic of identifying cyber criminals becomes too important. But for achieving this goal it s needed to trace any internet packets and relate it s IP address to a real person. But there are a lot of limitations in the structure of the internet to trace any internet packets. Also because this structure, primarily established for information transfer in academic and scientific environments on the basis of mutual trust, no identity confirmation is applied for the parties in communication protocols of TCP/IP model. During the past 10 years, subtle techniques have been introduced for tracing IP packets; however, considering the lack of proper infrastructure, the process of applying them has not yet become administrative. In this paper IPT framework will be introduced as an effective and administrative method for traceback of IP packets and identification of cyber criminal specially for crimes lead to data theft. Keywords: Cyber attacks- data theft- IP traceback- identity confirmation- ISP- anonymizer proxy- public servicelog file 1- Introduction The spread of Internet has led to the emergence of a world information community and fast transfer of information among different parts of companies, partners, and providers. Also governments would benefit from this network to offer better services to the citizens at both national and international levels. Besides all these benefits, information transferring which is provided by the Internet has made conditions for the access of illegal individuals to this kind of information which they may steal or damage them. The biggest problem for preventing this attack is that there is no physical and traditional border in these attacks and they are done through the very broad network structure of the Internet, and attackers leave the slightest sign after the attack. As a result, an effective defense mechanism against these attacks is the greatest challenge in the cyber space development. Currently, different types of security software and hardware are designed to defend cyber threats (various firewalls and anti-malware software, etc.al). Also subtle defense strategies in the shape of standards and advises (like standard series of ISO 27000) are introduced to protect information and financial properties. The effectiveness of these security tools and defense strategies are becoming better each day, and in the case of suitable usage, will play an effective role in the reduction of Internet threats. Nevertheless, their function is not fully reliable [3]. The most important reason which has caused abuse of internet issues from the originality of the internet connections. An internet connection is based on mutual trust and cooperation and not according to mutual identity confirmation. In a common connection, just the IP address of both sides will remain [1]. In many cases, IP doesn t introduce the identity of the persons. Most people often communicate through public terminals. Too many connections perform through ISP and most of them use DHCP protocol to give temporal address to their ISSN: ISBN:

2 customers and after disconnection that IP will be transmitted to anyone else [2]. Moreover, existing software that make connection between internal and public networks, like proxy or NAT servers and also softwares which are designed especially for making anonymity with encoding techniques and making connecting tunnels, have made it difficult or even impossible to allocate one IP address to one individual. So criminals without being recognized do their crime actions without accepting any responsibility about making any damages. Hence, one of the effective solution for reducing internet threats is to establish some conditions to trace any attack and identify the attacker. Because by legal tracking, it makes the criminals responsible for their acts. But this goal requires some technical solutions and policies to remove existing barriers for IP address traceback to their original place and allocating it to a specific individual. 2- The limitation of existing IP traceback methods During recent years numerous studies has been conducted on IP address traceback and different techniques like Hop-by-Hop traceback, Backscatter, Centertrace, ITRACE, and Probably Packet Marking (PPM) have been introduced [4, 5, 6]. But all these methods use the capability of routers for logging any packets passed through and this capability hasn t been designed especially for traceback purpose. Also these methods are only efficient for attack that is continuous like denial of service (DOS) and they aren t effective to trace a single packet that occur in most attacks that cause data theft [7, 8]. To traceback a single packet it is necessary to save all packets passing through routers. But applying this method is too difficult in practice. Especially in routers that pass high traffic, saving all packets is impossible. However an approach has been introduced for resolving the problem of saving a high volume of information, called Hash Base Tracing which uses Hash algorithm and a saving technique named Bloomfilter [9] and by using this method, it is possible to reduce a given volume for saving up to 5%, but this method also has some limitations. Although Hash and Bloomfilter techniques reduce saved information volume, it still is not possible in routers passing a high traffic to store all information in a practical period of time and it may disorder the main function of routers. 3-IPT framework for packets traceback In this chapter, the IP traceback framework (IPT) is introduced for traceback action and identifying cyber criminals. This framework introduced to achieve two goals: Making possible to traceback any IP packet Delivering solutions for making it possible to identify actual criminal by IP address To traceback the actual origin of IP packets, storing capability of headers of IP packets from different layers of TCP/IP model in Network access system (NAS), Network address translation system (NAT), firewall or some other kinds of systems that used in the internet network will be used. These headers bear important information like origin and destination IP addresses, internal and external ports, and other information that are useful for traceback action [11]. IP traceback center (IPTC) performs as the central core of this framework. To perform traceback action, this center creates an exclusive communication with users and any ISP and anonymizer proxy. Figure 1 indicates proposal framework and its main elements. Anonymizer service Public service Physical connection User task ISP IPTC center Virtual private connection 1Fig.1: IPT framework and its elements This framework includes 3 main elements: user, IPTC center, service provider reaching the IPT objective by interaction with each other and doing defined tasks. Service providers include internet service provider(isp) and anonymizer service provider and Public service provider like service, file transferring service and instant message service. Internet service providers and anonymizer ISSN: ISBN:

3 service provider should connect with IPTC and run all defined technical and administrative policies of the IPTC. Public service provider should cooperate with IPTC and apply its policies. The steps of Traceback action in IPT are as follows. 1. User identify the event of any attack that lead to data leakage or data theft by traffic monitoring software and request traceback action from IPTC center by sending essential information like local and remote IP address, input and output port number, etc, extracted from that traffic. 2. IPTC will check IP address of remote side. If the address is not in the framework, it will identify the identity of owner's IP by using "Whois database". Whois database has been created by IANA organization that is responsible for delivering domain name and IP address to the companies and other applicants and perform this action around the world through some confirmed registers like AfriNIC, APNIC, ARIN, LACNIC and RIPE NCC. After recognizing the actual agent, IPTC may do more research or restrict the network activity of that agent or apply some legal punishment to compensate victim's loss. 3. If IP address be for one of internet service provider or anonymizer service provider, cooperating in IPT framework, required information is request from them. Depending on the type of provider, information can lead to identifying the main agent or may contain another IP address which in this case the trace back action returns to step 2 once more. 3-1 IPTC center IPTC center plays the base role in IPT framework and does the following tasks: Providing a secure path to communicate with users and service providers by Public key Infrastructure Designing software for connecting users and internet or anonymizer service providers to IPTC Defining the protocol and information type which should be interacted between the IPT framework elements. Identifying events which shows a kind of attack and appoint them as crime document and sending them for users. Teaching and enhancing user s knowledge about internet protocol and make them capable to detect event of data theft by providing efficient software for them. Defining policies and technical and administrative approaches for different service providers in order to remove current limitations for trackback IP packets. IPTC is connected with user's and service providers through the following structure. Master Responsible for Traceback (MRT): After receiving traceback request through CLIENT RT the MRT program checks the IP address of remote side. If this address is not among the IP of service providers in IPT framework, it will announce it, so the IPTC center will identify the owner of IP address by using Whois database and IPTC will do any appropriate actions related to its policies. If the IP address belongs to one of a service provider of the framework, the MRT will send a request to SRD of that service provider. DATABASE OF IP OF INTERNET SERVICE PROVIDER OR ANONYMIZER SERVICE PROVIDER COLLABORATING IN IPT FRAMEWORK SRD MRT Internet TRACEBACK LOG Client RT 2Fig.2: IPTC connection with other elements in IPT frame System Responsibe to Delivery data (SRD): this program is connected to log files of some different services and regarding to receive data from MRT, it will receive given information from the log files and will send it to MRT. Client Request to Traceback (Client RT): This program sends to the MRT, the traceback request for an IP address which the user's information has been sent to it illegally. For an address to become possible for trackback in addition to remote IP address, the user should send another important information including IP address of local system, input and output ports, and the time a logical connection is made and when it is finished with the other side. Essential information (such as local and remote IP address, the input and output port number and the time a logical connection starts and ends) and the amount of time passed from the interaction between two points, are two factors which play the main role in order to traceback an IP address successfully and to identify the main agent of a cyber theft. It is possible to ISSN: ISBN:

4 traceback and identify cyber criminals by having enough information about the connection which is caused the event of data theft in case not much time is passed from that connection, because in this case, important information needed to track and traceback is available at the log files of the servers in service providers. The elements in IPT framework use special structure to exchange required information for IP address traceback and identifying the identity of remote agent. In this structure the TCP protocol is used in transfer layer because it is reliable and the port number 72 is allocated to it. The information are encoded and signed digitally by SSL protocol in order to make it secure. In this way all information sent by MRT to Client RT or SRT, will be signed by private key of IPTC. Also the sent information to MRT will be encoded by the public key of IPTC so only MRT will be able to read the information. 3-2 Service provider in the IPT framework Internet service providers in IPT framework Internet Service Providers are the main service provider in IPT framework. An ISP makes it possible for subscribers to create an internet connection from different sources. Depending on the subscriber's demand, an ISP will provide services for subscribers by using analog, ISDN or DSL modems or frame relay or other high bandwidth techniques. Although transfering technology and some properties like bandwidth, reliability and cost are different in each of these services, at last they make it possible for subscribers to reach the internet. As any internet connection is made through an ISP, they play an important role in the IPT framework and have valuable information for tracing any IP address. network access systems (NAS) which are the input point for users to connect to the internet has log file that contain important information about physical connection point and start and finishing time of a connection to the internet made by users [12]. Many ISP give internet services to their subscribers dynamically using DHCP protocol. As in these servicing it may happen two different users in two distinctive times make connection with the same IP address, the information saved in this log file is so important to identify actual person who established a connection to the internet at the specified time. ISPs use accounting services for confirming identity and credit of the subscribers. These services connect to NAS services with Radious or +Taccas protocols [12]. As accounting service logs information of the identity, in case different users use the same physical point for connection, they play an important role in recognizing the main agent in traceback action. ISPs use NAT service Where there are too many subscribers and there is a limitation for allocating valid IP to all subscribers and also sometimes for enhancing interior security of the network [12]. NAT is between interior and internet network. In this topology, ISP offers private IP addresses to the subscribers dynamically or constantly. But all sent requests to the internet network will be sent with a valid IP address by NAT and received responses also will be changed to main IP after translation. NAT service uses different logical port numbers in 3 rd layer to distinguish received responses and sends each request with a distinctive port number. So remote sides see all made connections with a single IP with different port numbers and in the case of tracing an IP packet made by NAT service, that traceback will end to valid IP address of NAT. In this topology, logging of NAT events is essential in order to traceback And through these log files, it is possible to recognize to which interior IP a connection is related regarding output port. Also log file of the firewalls contain important information about connections created between interior and external points. Available information in this file can be used for receiving essential information when the user requests to know the information of all IP addresses communicate to its system in specific times and to know the kind of those connections. In IPT framework depending on the type of topology each ISP used, the process for IP address traceback differs. If ISP allocates a valid address to a person or organization constantly, this information will be saved in the database of SRD and when a traceback request for this IP address is received from MRT, information of the owner of that IP will be sent to MRT. If ISP serves subscribers dynamically, the log file of NAS contains information about time of internet connection and allocated IP address to each subscriber and phone number or dsl port with which connection has been made. This information has been given by SRD and will be sent to MRT. If ISP uses accounting service, SRD will be able to gain information of user s name and password in addition to above information. If ISP uses NAT service, when receiving a traceback request, first SRD finds characteristics of interior IP address from NAT log ISSN: ISBN:

5 file and then receive information about that IP from NAS or accounting service. Also log file of the firewalls can be used for receiving essential information when a user requests a complete traceback action. An SRD connection topology with different services in ISP is indicated in figure 3. this providers. So in order to trace an IP address successfully, cooperation of these service providers in IPT framework is essential, so that as long as traceback action end to them, they provide actual IP address for IPTC until the main target become recognized finally. To / from user Intranet network ANONYMIZER SERVER Intranet network Db of dedicated IP 3Fig.3: SRD connection topology in ISP MRT send a request on port 72 from public network to IP address which belongs to an ISP or anonymizer service provider in the framework. Listening on the port 72, SRD receives the request. Regarding to structure of ISP and data received from MRT, SRD use 5 state to find required information. These states have hierarchical in function as follows: Complete: SRD request the information of any IP addresses have made connection to given IP address in the specific time from log file of firewall Direct: in this state, SRD first searches information about given IP address in its database. NAT: is the second priority of SRD and if this mode is active, it finds IP address and port number of user side from NAT log file according to the received information. Accounting: SRD receives information of given IP address which has been sent directly from MRT or translated by NAT, through accounting service log file. This information includes phone number or user port, user s name and password and start and finish time of connection. NAS: is the lowest state of function. If accounting mode is not active, SRD will receive requested information including phone number or user port and start and finish time of connection through NAS log files Anonymizer service provider Unfortunately abuse of anonymizer proxy Services for doing crime actions is increasing. This capability makes it possible for cyber criminals to do their action and hide their identity without being worry of becoming recognized. Traceback the attacks done through these services lead to IP address of server of 4 Fig.4: SRD topology in anonymizer service When traceback of an IP address ends to anonymizer server, MRT receives information about actual IP address from these servers through SRD and follows its traceback according to actual IP address. If any of these providers don t cooperate in the IPT framework and traceback of IP address leads to the server owned by them, they ll be responsible. Also users of IPTC framework must use those anonymizer services which are confirmed by IPTC Structure of public services in IPT framework These services are used widely for cyber information theft. , FTP and IM servers offer 24 hours services, so criminals can gain given information from victim computer via them. Traceback these thefts leads to IP address of the server of these services. In many FTP services, uploading and downloading information anonymously is free, and in case of downloading robbed information it is not possible to accuse an individual as the agent of theft. In case of services, although user s name and password is essential for receiving and it is achievable through log file of IMAP or POP3 services to gain this information,but this information do not clarify the person s identity. Because during the creating an account, nothing is done for identity confirmation. However, these servers log the IP address through which information is read and it is possible to recognize the last target by using traceback approach. But if criminals used public places to have access to the network, the result of ISSN: ISBN:

6 this traceback will not work successfully. In General, if a server which gives services to different users generally and freely and without verification of identity, it is impossible to identify the real identity of the persons who use such services from public places. Therefore, a suitable strategy should be used and predict the appropriate policies in order to prevent these services being misused for malicious purposes. The method which is used within IPT framework for this purpose is based on prevention malwares to transfer information to public services. Also, IPTC apply the systematic limiting policies for public places of access to internet by which the offenders can not use such places to penetrate into the victim computer. These policies have been described later. The solution way used in IPT framework for prevention malwares to transfer information to public services is Captcha technique. Captcha denotes use of ambiguous phrases which are not readable by the machine but human may identify them only through adjustment them with the previous findings [13]. Currently, this technique is used in webmail (such Yahoo webmail) to prevent from spread of spams and some web pages to avoid identification of password through execution of several alternatives (Dictionary Attack) by the machine. But this given technique has not been predicted in SMTP, FTP, and IM. So to use these capabilities, some changes should be exerted in FTP, SMTP, and IM protocol. To implement these changes, Experts in IETF Organization who are responsible for interpretation of new protocols must to cooperate in IPT framework. Regarding to IM services, with respect to the fact that there is no any standard protocol for them and that different software companies use various techniques and specific exclusive protocols for them, IPTC shall oblige these companies to create such ability in their own products and warn the users against the risks which exist in IM software without Captcha ability. 3-3 Technical consideration for service providers within IPT framework In order to achieve IPTC goal, internet service providers should use hardware and software equipments with special capability and execute IPTC security policies as follows: Using firewalls and saving important information that is in header of packets, including origin and destination IP addresses, input and output ports, connection startup and termination times with W3c Standard Format in real time. These firewalls should be able to filter passing packets in Full State and should be able to filter them based on input and output IP address, input and output ports, Transfer and application layer protocol criteria. NAS equipment should save the information relating to the IP address include start and termination times of any internet connection and the connection terminal specification (telephone number, physical port, etc.al) in W3c Standard Format in real time. If internet service providers use NAT service, the information of internal IP addresses, external IP addresses, input and output ports and startup and termination time should be saved for each logical connection within W3c standard format. If internet service providers use their valid IP addresses for the normal subscribers (ones who only intend to use internet services), filter of firewall should be adjusted in such a way that it deletes the requests which are sent via internet to create a logical connection with these interior systems (SYC request in layer3). Considering that the systems with valid IP can be accessible throughout internet network, if some malware is installed on them and it activates a passive port, the victimized system is converted into a server, and malicious individuals may connect to this system at any point and extract its information. As it implied, if the attacker uses public places, tracking of such attacks will failed. This law guarantees that no normal system of ISP can be converted into a server. When one of subscribers would like to provide a service, only a port is opened which allocated for the given service and it is allowed to create a connection to the given port while the rest ports remain one- way. All internet service providers shall cooperate with IPTC and connect SRD software to log files of their own equipment according to the offered topology. Anonymizer service providers shall save all information of any actual IP addresses and actual ports, the altered IP addresses and ports, startup and termination times for each logical connection within W3c format. These service providers are also obliged to cooperate with IPTC and connect SRD program to log file of their servers and register their IP address and domain name in IPTC bank. and FTP service providers must use the modified protocol to give services to the subscribers ISSN: ISBN:

7 and register their IP address and domain name in IPTC database. Instant message service providers should use the software with Captcha ability and register their IP address and domain name in IPTC database. After verification by IPTC, a list of such IM software will be presented to users. In the case any of ISP, anonymizer or public service providers do not observe IPTC policies and would not cooperate with it, they will be responsible for any attack which ended to their IP addresses, and IPTC take the necessary measures to restrict their activity and or receiving any compensation for the losses incurred by users according to its regulations. 4- Conclusion The nature of communication protocols in TCP/IP model which is the prevalent model in the internet network is in such a way that no identity is verified for a transaction. Also, the existing of different kinds of services like anonymizer proxy, NAT, and DHCP services cause a failure for the traceback action of the IP address in most occasions. To limit cyber attacks, particularly ones that lead to users information theft, it requires offering a strategy for removing such limitations in order to make it possible to trace any IP addresses and identify attackers. In this paper IPT framework has been offered for making it possible to tracback the specified IP address, when a crime action occurred in TCP/IP based networks like internet and to identify it s agent. This goal achieved through communication and cooperation between IPTC and ISP service providers, anonymizer service providers and Public service providers. Implementation of this framework can be as an effective limiting factor for criminals who commit crime actions and threaten financial and intellectual capitals of users. available at: (Accessed: December 2009). [3] 2010 CyberSecurity Watch Survey, The Computer Crime Research Center (CCRC), available at: (Accessed: February 2010) [4] Alex C. Snoeren, et al, Hash-Based IP Traceback, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, Pages: 3-14 [5] Belenky, A. and Ansari, N., IP traceback with deterministic packet marking, IEEE Communications Magazine, v7 i [6] Andrey Belenky, Nirwan Ansari, Internet Deployment of DPM-based IP Traceback, Journal of Computing and Information Technology, 2008, CIT 16, 2, [7] Belenky, A. and Ansari, N., On IP traceback. IEEE Communications Magazine. v41 i [8] S.Karthik, V.PArunachlam, T.Ravichandran, A Comparative Study of Various IP Traceback Strategies and Simulation of IP Traceback, Asian Journal of Information Technolojy, 2008, 7(10), pp [9] Snoeren, C.A, et al., Single-Packet IP Traceback, IEEE/ACM Transactions on Networking (ToN), Volume 10, 2002, Pages: [10] Savage S, Wetherall D, Karlin A., Anderson T, Practical Network Support for IP Traceback. ACM SIGCOMM Computer Communication Review, Volume 30, 2003, Pages: [11] Cisco systems learning, Interconnecting Cisco Networking Devices, Cisco systems inc, 2007, part1, volume2. [12] Cisco systems learning, Building Scalable Cisco Internet works, Cisco systems inc, 2007, Volume1. [13] Rich Gossweiler, Maryam Kamvar, Shumeet Baluja, What s up CAPTCHA? A CAPTCHA Based On Image Orientation, ACM, Proceedings of the 18th International World Wide Web Conference, April 20 24, 2009, Pages: References: [1] Postel, RFC793: Transmission Control Protocol, Internet Engineering Task Force (IETF), available at: (Accessed: December 2009). [2] Droms, RFC 2131: Dynamic Host Configuration Protocol, Internet Engineering Task Force (IETF), ISSN: ISBN: