Identification and Prevention of ARP Spoofing, Sybil Attacks in Mobile Ad Hoc Networks

Transcription

1 Identification and Prevention of ARP Spoofing, Sybil Attacks in Mobile Ad Hoc Networks Anup W. Burange anup.burange6@gmail.com Harshal D. Misalkar harshalmisalkar@gmail.com Umesh V. Nikam umeshnikam3@gmail.com Abstract: - Mobile ad hoc network (MANET) is a aggregation of mobile nodes that communicate with each other without any permanent infrastructure or a central repository network. From a security design perspective, MANETs have no built-in security. Thus, the wireless channel is accessible to both legal network users and malicious attackers. This is a proposed technique to avoid ARP spoofing attacks, which frequently configures static ARP entries.. In this paper, we proposed the technique to detect ARP cache poisoning. The prevention technique is a client-server protocol that prevents ARP spoofing by mechanically configuring static ARP entries. A Sybil attacker can either create multiple identity on a single physical device in order to start a synchronized attack on the network or can change identities in order to fade the detection process. The proposed RSP algorithm is improved to detect the Sybil nodes in the network. The destination receives data from each mobile node with different speeds, for prevention the proposed technique is to compare MAC addresses. Keywords: RSP,MAC,Spoofing,Sybil attack process for identifying out a path. Reactive protocols initiates to identify routes on-demand. ARP Spoofing involves creation of forged ARP request and reply packets. By forwarding fake ARP replies, a destined (targeted) computer could be ensure to send frames destined for computer A to instead go to computer B, this referred to as ARP poisoning. The process of updating a target computer s ARP cache with a forged entry is called as poisoning. In the Sybil attack a single node creates many forged identities to another nodes in the network. Sybil attacks creates a immense threat to decentralized systems like peer-to-peer networks and other routing protocols.. Routing under normal condition I. INTRODUCTION Mobile ad-hoc networks are such type of network that can get connected "anywhere and at any time". Each device in a MANET network is able to move independently in any direction, and will therefore change its links to other devices timely. Each device act as a router. MANET is more vulnerable than wired network due to mobile nodes, threats from compromised nodes within the network,inadequate security, dynamic topology, scalability and lack of centralized management. Because of these vulnerabilities, MANET is more likely to be a target of security attacks. Classification of routing protocols in mobile ad hoc network can be done in different ways, but most of these are done depending on routing strategy and network structure. The routing protocols can be categorized as Proactive and Reactive routing. Proactive MANETs protocols are also called as tabledriven protocols and will dynamically determine the design of the network. In Reactive whenever a node desires a route from particular source to destination, it starts a route discovery Fig. 1(a). Routing in normal condition Routing subject to ARP cache poisoning Fig. 1(b). Routing in normal condition A Sybil attacker can make a harm to the ad-hoc networks in different ways. For example, a Sybil attacker can upset location-based or multipath routing by relating in the routing, giving the forged sense of being separate nodes on different locations. ARP protocol is based on the equally trust, it is a stateless protocol. ARP request is sent by broadcasting, each node that does not receive the request can send out ARP response package arbitrarily, when ARP buffer without 21

2 authentication mechanism received the ARP response it will actively updating the cache directly, it provides the spoofing condition. ARP Spoofing is a hacking procedure to send forged ARP request or ARP reply, ARP spoofing problem arises due to the way the ARP protocol works. As ARP is known to be stateless protocol, many operating systems generally will update whether they sent out any actual request or not. II. LITERATURE REVIEW In order to poison the ARP cache,arp spoofing allows any computer in the LAN to have one of the most damaging and dangerous attack postures in the security. This kind of attack called Man-in-the-Middle attack is able to capture, modify and filter all the data meant to be travelling between two trusted hosts of the network, And there would be nothing to prevent it from filling all the hosts cache with its own IP and MAC association, thus enabling it to become effectively the master hub for all the information moving in the network. The whole concept of network security is based to have information security. The major goals of this information security are: Confidentiality: protection of the information that is present in a system from unauthorized people is known as Confidentiality. Such as information regarding customer s credit card, information of patients in hospitals, information related to employees of an organization. If information of such level of confidentiality is not secured, the company or the organization concerned will probably lose its status and goodwill in the market. Integrity: It indicates that information available in an organization should be complete and total. It should not be changed by any illegal person. Any kind of intentional or unplanned alterations of the information will lead to destructive and making of information unreliable. A good example of such a case would be account information in a Bank. If anything goes wrong with banking information, it is destructive and the Bank will eventually lose its customers and business. Authenticity: It guarantees that the access to the data should be to authorized people only. Valid usernames and passwords should be given and these should be kept secured. Availability: It says the requested information or information required by the authorized users should be available, always. For example, suppose a company met with a natural calamity and it has lost its computers and all the important data. In such cases, the affected company should be able to setup new computers and recover its data from backups. Suppose, if the company had any proper backup plans, they would definitely unable to recover their data and resume their operations. Spoofing in network language is making the computer users think that the flow of information to their system is from authorized user, but in actual it is not. Three main methods of spoofing are as follows: 1. Internet Protocol Spoofing 2. Domain Name System Spoofing 3. Address Resolution Protocol Spoofing Internet Protocol Spoofing: This method exposes the commonly used filtering devices based on IP addresses, such as firewalls. In this case, the attacker s goal is to spoof the client s IP address to bypass the security controls in the server side. Here attacker s box can be located in any intermediate network between the client and the server. DNS Spoofing: It directs the users to an incorrect location direct the users to a different website and making the user to fill false web forms to collect personal information. DNS Spoofing is very unsafe since, DNS is responsible for running the domain names and create corresponding IP addresses. Suppose, there is a domain with the name and DNS redirect this site to the IP of any hacker s website, then he is able to collect data of user easily. Sniffing: It is the term used to illustrate the reading of all packets on a network segment. Network cards can enter into the state called as inspection mode in which they are allowed to inspect frames that are destined for MAC addresses other than their own. This way it helps in locating any network problems. But if hacker gets to sniff the packets, he can easily get used ID s and passwords. Denial of Service: This attack is prepared to bring down the targeted network and making it to provide its services to the genuine users. For this attack, a simple ping command can also work, or updating ARP caches with missing MAC addresses will cause frames to be dropped. These could be sent out in a broad manner to all clients on the network in order to cause a Denial of Service attack. III. METHODOLOGY I. ARP DETECTION AND PREVENTION TECHNIQUES Identification of ARP cache poisoning attack If any host who has performed ARP cache poisoning attacks on other hosts on the network, started IP packet routing,then they must also be the ones sniffing data that will be travelling in the network. This technique will act as, it will first alter the ARP cache of a suspicious host so as to make it to forward the data packets that it is capturing from the sufferers to the Test host. Then, Test host will examine the forwarded data to identify whether the suspicious host has performed the attack or not. To illustrate this mechanism, we assumed that E, F, G, H and I are 5 hosts on the LAN. Hosts E and F are communicating and sharing data packets. Host H is the 22

3 suspicious on and has its IP packet routing enabled. Also, host H is the one who has poisoned the ARP caches of hosts E and F, for sniffing their data traffic. However, ARP cache of host G is not poisoned; being it not targeted by the malicious host H. Let Host I be our Test host. The initial <IP, MAC> pairings in the respective ARP caches of hosts E, F, G and H, before Test Host corrupt the cache of Host H are as follow: ARP cache of host E (Host E has poisoned cache) i.e. <IP_F, MAC_H> ARP cache of host F (Host F has poisoned cache) i.e. <IP_E, MAC_H> ARP cache of host G (Host G is not poisoned): i.e <IP_E, MAC_E> and <IP_F, MAC_F> ARP cache of host H: i.e <IP_E, MAC_E> and <IP_F, MAC_F> For every suspicious host, we will first poison its cache, using the ARP cache poisoning attack. For that, Test host I sends spoofed packets to the suspicious host H so that all the cache entries of host H will point the MAC of Test Host. After poisoning of cache of Host H, its ARP cache has: <IP_E,MAC_I>, <IP_F, MAC_I> and <IP_G, MAC_I>. Accordingly, all the data packets that the host E sends to host F will go first to the host H, since the ARP caches of both hosts E and F have poisoned by Host H. But, then host H will also forward the received data packet to the Test host I, since its own cache has also been poisoned by the Test host I. Finally, Host I forward that data to the host it is meant for, that is Host F. Now, by analyzing data packets that we get from Host H, we can reveal that the source IP in the IP header of the packet is that of host E, but the source MAC in the Ethernet header is that of the suspicious host H whereas it should have been equal to the MAC of host E By doing this, we have proved that the suspicious host H in the network is the one who has poisoned the cache of host E for sniffing of the data traffic. Here we have provided some easy to implement techniques in order to prevent ARP attacks. So, our mechanism needs to fulfill following things: It should be enough in itself to provide complete protection from all types of attacks on ARP. It should have monitoring properties to keep in check the any malicious acts. Providing management function for the administrator for keeping the security of network intact. A. Hashed Message: Hashed Message is a unicast message sent from the client to the server. It contains its IP and MAC address. Also it includes a hashed authentication key. B. Warning Message: It is a broadcast warning message sent from the server to all users in the network indicating that a new user has entered the network. It also includes the IP and MAC address of that new user. C. Hashed Response Message: This is a unicast message sent from the server to the latest user. It contains all static ARP entries of users successfully registered at the server. The protocol also performs two different functionalities: ARP Client: It is a software installed on user s machines that performs the following: Automatically get the IP and MAC address of the user and make use of them to send register message to the server. Receive periodic updates and register response messages from the server. Verify the updates or register reply messages received are coming from a authorized server. Use the IP and MAC pairs received in the update or register response message to add static ARP entries to the user ARP cache. ARP Server: It is a server software that can be installed on any device in the network. It can also be installed on a dedicated server, and has the following functions: Receive register messages from the ARP clients. Verify that the message is coming from a certified user. Make use of the IP and MAC pairs encapsulated within the register message to create a list of authorized users in the network. Send broadcast update message to inform them that a new user has come to the network. Send register response message to the new users. Take the proper action regarding users who try to violate the protocol security rules. I. Prevention of ARP Spoofing It is a client-server protocol that prevents ARP spoofing by mechanically configuring static ARP entries. The protocol works in both static as well as in DHCP networks. The proposed protocol defines three different messages: II.SYBIL DETECTION AND PREVENTION TECHNIQUES The RSP algorithm is enhanced to detect the Sybil nodes in the network. The destination receives data from each mobile node. The RSP value is calculated by the destination for every mobile node under different speed of mobile nodes. The Sybil nodes doesn t have any neighbors list and hop count, 23

4 based on this RSP value determination the Sybil node is detected. Received Signal Power Based Analysis Compare the behaviour of new legitimate node with new Sybil identity, which is normally based on the Received Signal Strength. In the Figure 2, the Node A is called a Master Attack Detection Node, which is a static node. If node B enters in to the neighbours of A node the first RSS value received at node A will be lower. Though, the node B steadily enters over time in the network. This is the normal entrance of node in the network. That node is called as authorized node. In contrast to Sybil attacker, where new identity launched by an attacker, which causes an unexpected changes in the RSP value at the receiver. Figure 2, shows the entrance & exit of a node in the network, which is based on the locality joining behavior. Due to natural behavior of node joining & exit the network, suppose if any node B entering into the radio range of A node, which is the main attack detection node, the RSP value will be increasing continuously. C A s Radio Range Fig.3. MAP creation In this the sender of a message, first generate the MAP through the MAP algorithm & Key (K). The original message along with the MAP tag is then transmitted to the receiver. Upon receiving the message, receiver in turn, runs the original message portion of the transmission through the same MAP algorithm using the same key, producing a second MAP data tag. The receiver then compares both the MAP tag i.e. first MAP tag send by sender & second MAP tag generated by receiver. If both are identical, the receiver can assume that the integrity of the message was not changed, and the message is not altered by intruder in between the transmission Steps taken to identify & check Sybil attack Step1: Broadcast the message Step 2: Receive Reply message with Logical and Physical Address Step 3: Compare MAC Address of nodes from different routes. Step 4: If MAC Address of any node matches with different IP address then inserted node as a Sybil Node and find alternate route to send message. Step 5: Otherwise, Accept Node as genuine node. Step 6: Stop B D A W I Intruder node Attack detection node Whitewash node START Broadcast Request Message Fig.2. Entrance & Exit of node Authentication of a Node A Message Authentication Code (MAC) is a short piece of data which is mainly used to authenticate a message. As well as, it s used to provide integrity & authenticity assurance over the message. Sometimes MAC algorithm is called as a keyed hash function because it accepts secret key as input and an arbitrary-length message to be authenticated, and MAC as an output. The MAC provides both the authenticity & data integrity, by allowing verifiers to detect any changes to the message content. Add node as a Sybil Node Receive Reply Message with MAC Address Compare MAC Address of nodes from different routes IF(MAC Address of any node Matches with different IP address ) Select another path Accept Node as legitimate node STOP 24

5 Fig.4. Architecture for prevention of Sybil node attack can be done by RSP analysis and detection by using comparing MAC addresses. EXPERIMENTAL RESULTS In this we implemented the Sybil attack detection and prevention technique using MAC address. Parameters used for measurement of performance are as follows: 1. Throughput: Total number of packets delivered over the total simulation time. 2. Packet Delivery Ratio (PDR): Ratio of data packets received by the destination to those generated by source Fig. 5. Throughput graph is showing the throughput for different number of nodes for different situation like when there is no possibility of attack in the network, when attacker attacked on the network and when attack is detected and prevented. Fig. 6. Packet Delivery Ratio(PDR) graph is showing PDR for different number of nodes for different situation like when there is no attack in the network, when attacker attacked on the network and when attack is detected and prevented. References [1] Adnan Nadeem and Michael P. Howarth,``A survey of MANET Intrusion Detection & Prevention Approaches for Network layer Attacks,'' IEEECommunication Surveys & Tutorials, pp.1-19, [2] Sohail Abbas, MadjidMerabti, David Llewellyn-Jones, and KasifKhifayat,``Lightweight Sybil Attack in MANETs,'' IEEE System Journal, Vol.7,No.2, pp , June 2013 [3] Yafeng Xu and Shuwen Sun, The study on the college campus network ARP deception defense," nd International Conference on Future Computer and Communication (ICFCC), 3(1), pp , May 2010 [4] Haider Salim, Zhitang Li, Hao Tu, Zhengbiao Guo, Preventing ARP Spoofing Attacks through Gratuitous Decision Packet, 11th International Symposium on Distributed Computing and Applications to Business, Engineering & Science, 2012 [5] Faheem Fayyaz, Hamza Rasheed, Using JPCAP to prevent man-in-themiddle attacks in a local area network environment, IEEE potentials, July/August 2012, [6] Somnuk Puangpronpitag, Narongrit Masusai, An Efficient and Feasible Solution to ARP Spoof Problem. IEEE [7] Seung Yeob Narn, Dongwon Kim, Jeongeun Kim, Enhanced ARP: Preventing ARP poisoning- based Man-in-the-Middle Attacks, IEEE communications letters, vol. 14, no. 2, February [8] Faheem Fayyaz, Hamza Rasheed, Using JPCAP to prevent man-in-themiddle attacks in a local area network environment, IEEE potentials, July/August 2012, [9] Thawatchai Chomsiri, Sniffing packets on LAN without ARPspoofing. International Conference on Convergence and Hybrid Information Technology,2008. [10] Ai-zeng Qian, "The Automatic Prevention and Control Research of ARP Deception and Implementation," 2009 WRI World Congress on Computer Science and Information Engineering,, 2(1), pp , April [11] Roopali Garg, Himika harma Proposed Lightweight Sybil Attack Detection Technique in MANET International Journal of Advanced Research in Electrical, Electronics and Instrumentation Engineering Vol. 3, Issue 5, May 2014 [12] Sohail Abbas, Madjid Merabti, David Llewellyn Jones, and Kashif Kifayat, Lightweight Sybil Attack Detection in MANETs, IEEE systems journal, vol. 7, no. 2, June [ CONCLUSION MANET is susceptible to various attacks due to its infrastructure-less or wireless nature. To have safe Communication it is must be secure network. There are various attacks which can cause disastrous effects on network. In this paper considering two attacks ARP spoofing and Sybil we proposed detection and prevention techniques. For ARP prevention we have client-server protocol, detection of Sybil 25