DESIGN DETECTION OF MULTIPLE SPOOFING ATTACKERS USING ARP J.Deny* 1, J.Densi 2, J. Darwin 3

Transcription

1 ISSN: X CODEN: IJPTFI Available Online through Research Article DESIGN DETECTION OF MULTIPLE SPOOFING ATTACKERS USING ARP J.Deny* 1, J.Densi 2, J. Darwin 3 1 Research Scholar, Bharath Institute of Higher Education and Research, Bharath University, Chennai, Assistant Professor, Asan Memorial College of Engineering and Technology. 3 PG Student, Kalasalingam Institute of Technology. Received on Accepted on Abstract Packets sent using the IP protocol include the IP address of the sending host. The recipient directs replies to the sender using this source address. However, the correctness of this address is not verified by the protocol. The IP protocol specifies no method for validating the authenticity of the packet s source. This implies that an attacker can forge the source address to be any desired. This is almost exclusively done for malicious or at least inappropriate purposes. Given that attackers can exploit this weakness for many attacks, it would be beneficial to know if network traffic has spoofed source addresses. This knowledge can be particularly useful as an adjunct to reduce false positive from intrusion detection systems.this paper deals with the subject of ARP spoofing. ARP spoofing is a method of exploiting the interaction of IP and Ethernet protocols. It is only applicable to Ethernet networks running IP.The subject will be addressed such that anyone with basic networking experience can understand key points of the subject. Knowledge of the TCP/IP reference model is vital to full understanding, as is a familiarity with the operation of switched and non-switched networks. Keywords: Spoofing; Sniffing; ARP; Rroute. 1. Introduction The IP smart spoofing use a combination of ARP cache poisoning, network addresses translation and routing. It doesn t require any sophisticated hack. In our final spoofing section we will discuss sending malicious TCP packets in order to break existing TCP sessions. TCP is a connection-based protocol. Before communication can take place, a connection must be established between the source and the destination. This is done with what is known as a three-way handshake: the initiator sends a SYN message, the destination replies with acknowledgement ACK and another SYN, then the IJPT Sep-2016 Vol. 8 Issue No Page 16873

2 original initiator sends an ACK for the second SYN. When the communication is complete, the TCP session is terminated with a similar handshake, this time with the FIN flag. FTP uses TCP to communicate and we will use this for our attack. A computer connected to an IP/Ethernet LAN has two addresses. One is the address of the network card, called the MAC address. The MAC, in theory, is a globally unique and unchangeable address which is stored on the network card itself. MAC addresses are necessary so that the Ethernet protocol can send data back and forth, independent of whatever application protocols are used on top of it. Ethernet builds frames of data, consisting of 1500 byte blocks. Each frame has an Ethernet header, containing the MAC address of the source and the destination computer. The second address is the IP address. IP is a protocol used by applications, independent of whatever network technology operates underneath it. Each computer on a network must have a unique IP address to communicate. IP addresses are virtual and are assigned via software.ip and Ethernet must work together. IP communicates by constructing packets which are similar to frames, but have a different structure. These packets cannot be delivered without the data link layer. In our case they are delivered by Ethernet, which splits the packets into frames, adds an Ethernet header for delivery, and sends them down the cable to the switch. The switch then decides which port to send the frame to, by comparing the destination address of the frame to an internal table which maps port numbers to MAC addresses. When an Ethernet frame is constructed, it must be built from an IP packet. However, at the time of construction, Ethernet has no idea what the MAC address of the destination machine is, which it needs to create an Ethernet header. The only information it has available is the destination IP from the packet s header. There must be a way for the Ethernet protocol to find the MAC address of the destination machine, given a destination IP. The IP smart spoofing use a combination of ARP cache poisoning, network address translation and routing. It doesn t require any sophisticated hack. In our final spoofing section we will discuss sending malicious TCP packets in order to break existing TCP sessions. TCP is a connection-based protocol. Before communication can take place, a connection must be established between the source and the destination. This is done with what is known as a three-way handshake: the initiator sends a SYN message, the destination replies with acknowledgement ACK and another SYN, then the original initiator sends an ACK for the second SYN. When the communication is complete, the TCP session is terminated with a similar handshake, this time with the FIN flag. FTP uses TCP to communicate and we will use this for our attack. IJPT Sep-2016 Vol. 8 Issue No Page 16874

3 A computer connected to an IP/Ethernet LAN has two addresses. One is the address of the network card, called the MAC address. The MAC, in theory, is a globally unique and unchangeable address which is stored on the network card itself. MAC addresses are necessary so that the Ethernet protocol can send data back and forth, independent of whatever application protocols are used on top of it. Ethernet builds frames of data, consisting of 1500 byte blocks. Each frame has an Ethernet header, containing the MAC address of the source and the destination computer. The second address is the IP address. IP is a protocol used by applications, independent of whatever network technology operates underneath it. Each computer on a network must have a unique IP address to communicate. IP addresses are virtual and are assigned via software. IP and Ethernet must work together. IP communicates by constructing packets which are similar to frames, but have a different structure. These packets cannot be delivered without the data link layer. In our case they are delivered by Ethernet, which splits the packets into frames, adds an Ethernet header for delivery, and sends them down the cable to the switch. The switch then decides which port to send the frame to, by comparing the destination address of the frame to an internal table which maps port numbers to MAC addresses. When an Ethernet frame is constructed, it must be built from an IP packet. However, at the time of construction, Ethernet has no idea what the MAC address of the destination machine is, which it needs to create an Ethernet header. The only information it has available is the destination IP from the packet s header. There must be a way for the Ethernet protocol to find the MAC address of the destination machine, given a destination IP. IP spoofing accompanies many security attacks, such as flooding denial-ofservice (DDoS) and vulnerability scanning and hinders the design of simple, cost-effective defenses.these threats use spoofing to blend the attack with the legitimate traffic and thus avoid identification of attack machines. A simple defense approach collects statistics of source IP sending behavior and uses them to spot either persistent large senders (to be blacklisted as suspicious) or recurring moderate users (to be given high-priority as long term clients). 2. Impacts of Smart Spoofing Network devices like routers or firewalls often use source IP address filtering. Theses rules can be bypassed from any computer located on the network path between the authorized client and the firewall. For example, in most corporate networks connected to the internet through a firewall, only few identified computers can directly access to the internet (the internal HTTP proxy hosting content or URL filtering, mail servers, etc ). With smart spoofing, any internal users can bypass theses rules (bypass the HTTP content or URL filtering, received/send SMTP s directly, etc ). In the IJPT Sep-2016 Vol. 8 Issue No Page 16875

4 same way, application whose access is restricted to specific IP addresses may be abused by any computer located on the network path between one authorized client and the server. This is the case for many application like Apache ACL, r- commands, NFS, TCP Wrapper, restricted administration tools, etc. Moreover, SMTP anti-relaying controls based on the IP source address reverse-resolution may be abused. By spoofing the IP address of a SMTP relay A, a malicious user on the network path between A and B, can relay mails through the SMTP relay B, using a forged source address from a mail domain hosted by A. 2.1 Broad casting Frames can be broadcast to the entire network by setting the destination address to FF:FF:FF:FF:FF:FF, also known as the broadcast MAC. By sweeping a network with spoofed ARP replies which set the MAC of the network gateway to the broadcast address, all external-bound data will be broadcast, enabling sniffing.if a host were to listen for ARP requests and generate a reply containing the broadcast address, potentially crippling amounts of data could be broadcast on large networks DOS Updating ARP caches with non-existent MAC addresses will cause frames to be dropped. These could be sent out in a sweeping fashion to all clients on the network in order to cause a Denial of Service attack. This is also a side effect of post-mim attacks, since targeted computers will continue to send frames to the attacker s MAC address even after they remove themselves from the communication path. To perform a clean MiM attack, the target computers would have to have the original ARP entries restored by the attacking computer. 2.3 Hijacking Connection hijacking allows an attacker to take control of a connection between two computers, using methods similar to the MiM attack. This transfer of control can result in any type of session being transferred. For example, an attacker could take control of a telnet session after a target computer has logged in to a remote computer as administrator. 2.4 Cloning MAC addresses were intended to be globally unique identifiers for each network interface produced.they were to be burned into the ROM of each interface, and not be changed. Today, however, MAC addresses are easily changed. Linux users can even change their MAC without spoofing software, using a single parameter to ifconfig, the interface IJPT Sep-2016 Vol. 8 Issue No Page 16876

5 configuration program for the OS.An attacker could DoS a target computer, then assign themselves the IP and MAC of the target computer, receiving all frames intended for the target. 3. Sniffing Switches determine which frames go to which ports by comparing the destination MAC on an frame against a table. This table contains a list of ports and the attached MAC address. The table is built when the switch is powered on, by examining the source MAC from the first frame transmitted on each port. Network cards can enter a state called promiscuous mode where they are allowed to examine frames that are destined for MAC addresses other than their own. On switched networks this is not a concern, because the switch routes frames based on the table described above. This prevents sniffing of other people s frames. However, using ARP spoofing, there are several ways that sniffing can be performed on a switched network. A man-in-the-middle attack is one of these. When a MiM is performed, a malicious user inserts his computer between the communications path of two target computers. Sniffing can then be performed. The malicious computer will forward frames between the two target computers so communications are not interrupted. The attack is performed as follows (where X is the attacking computer, and T1 and T2 are targets) Fig3.1 Man-In-the-Middle attack. 4. IP Smart Spoofing Using ARP ARP operates by sending out ARP request packets. An ARP request asks the question, Is your IP address x.x.x.x? If so, send your MAC back to me. These packets are broadcast to all computers on the LAN, even on a switched network. Each computer examines the ARP request, checks if it is currently assigned the specified IP, and sends an ARP reply containing its MAC address. To minimize the number of ARP requests being broadcast, operating systems keep a cache of ARP replies. When a computer receives an ARP reply, it will update its ARP cache with the new IP/MAC association. As ARP is a stateless protocol, most operating systems will update their cache if a reply is received, regardless of whether they have sent out an actual request. ARP spoofing involves constructing forged ARP replies. By sending forged ARP IJPT Sep-2016 Vol. 8 Issue No Page 16877

6 replies, a target computer could be convinced to send frames destined for computer A to instead go to computer B. When done properly, computer A will have no idea that this redirection took place. The process of updating a target computer s ARP cache with a forged entry is referred to as poisoning. 4.1 The ARP Cache Poisoning A computer connected to an IP/Ethernet network has two addresses. A globally-unique MAC address for each network interface and a logical IP address assigned by software. The ARP protocol build the association between these two addresses. When a computer needs to send a packet to an IP address located in the same network, it broadcast a message ARP who has?. As shown in the following figure, the IP address s owner responds with its Ethernet address. To minimize ARP broadcast, operating systems keep a cache of ARP replies. Unfortunately, ARP is stateless and most operating systems update their cache when receiving ARP reply, regardless of whether they have sent out an actual request. By sending forged ARP replies, a target system could be convinced to send frames destined for a computer to another computer. This process is referred as ARP cache poisoning. Depending on the target operating system, cache poisoning may be achieved through eight types of ARP message with the following characteristic : ARP message forwarded in a MAC broadcast or MAC unicast. Operation code may be ARP Who is or ARP Reply. ARP message is a gratuitous message or not (embedding the same IP addresses for source and destination) According to our tests on Windows 9x, NT, 2000, XP, Solaris 8, Linux kernel 2.2 and 2.4, Cisco IOS 12, Nokia IPSO 3.5 operating systems, there were always at least one kind of ARP message to poison the cache. Moreover, on Windows systems (9x/NT/2K), static ARP entry can always be overwritten using a fake ARP message. Note that due to the MAC learning process on the switch hub, spoofing the source MAC address will cause the malicious user to receive all traffic intended to the spoofed system for a while, causing a short deny of service. Using ARP cache poisoning, the malicious user inserts his computer into the server-to-client communication path. With IP forwarding, existing traffic is still routed to the client side. Of course, ICMP Redirect have been disabled on the malicious user s computer. Finally, a source network translation is used by the malicious user to spoof the client s Ip address and established a new connection to the server. Then, the malicious user can then run any standard network applications to connect to the servr using the client s IP address. Any access control based on the client s IP address will be ubused. IJPT Sep-2016 Vol. 8 Issue No Page 16878

7 4.2 The ARP Packet Format Fig 4.1 IP Spoofing using ARP. The ARP packet format, embedded in an Ethernet frame. The Ethernet frame is composed of two elements, the Ethernet header and the Ethernet body, just filled up with the ARP packet contents.the Ethernet frame refers always to the Ethernet version II packet type, also known as Ethernet ARPA type. The Ethernet header has 3 different fields: Target or Destination Hardware Address (48 bits): system MAC address this frame is addressed to. Sender or Source Hardware Address (48 bits): system MAC address this frame was generated from. Protocol Type (16 bits): encapsulated next-layer protocol. Fig 4.2 ARP Packet format. 4.3 Description and diagram of network The networks exposed to the described attack are any LAN, independently of the interconnecting network devices used: bridges, hubs, switches and layer-n switches. The local network topology doesn t affect the scope of the attack: any system placed in a specific local network can potentially exploit any other system in the same LAN. The usage of VLANs restricts the scope of the attack to an specific VLAN, but this is not different from the scope described before because the VLAN concept just expands the LAN concept between multiple physical locations (switch ports and IJPT Sep-2016 Vol. 8 Issue No Page 16879

8 switches), so it doesn t increase the security against this attack. The previous sentence could be rewritten: any system placed in a specific local network (LAN or VLAN) can potentially exploits any other system in the same LAN or VLAN. So this attack can be consider an internal thread. We will focus the analysis only in two of the most currently used protocols, even though the ARP protocol is totally generic and could be used over any pair of protocols. We will analyze the Ethernet protocol (layer 2), used in most of the local area networks and the IP protocol (layer 3), used all over Internet and most of its associated developments, the intranets and extranet networks. The Ethernet concept includes all different possible and common speeds:ethernet (10 Mbps), Fast-Ethernet (100 Mbps) and Giga-Ethernet (1 Gbps). It seems there is no real ARP implementation for other layer-2 protocols. Other possible layer 3 protocols, although old and rarely used, could be CHAOS,Xerox PUP and DECnet.The operating systems potentially exposed have been referenced in the Operating Systems section.at the link layer level there are two main protocols for Ethernet technologies, the Ethernet protocol (RFC 894 [RFC894]) and the IEEE 802 protocols (RFC 1042[RFC1042]). The later also covers non-ethernet protocols as Token Ring. That a host connected to an Ethernet cable must speak Ethernet encapsulation and should speak IEEE 802, intermixed or not with Ethernet frames. This is the reason why we focused this paper on the Ethernet encapsulation frame, because it is the most commonlyused implementation in Ethernet networks, from both a theoretical and a practical point of view.there are other network technologies, not covered by this paper, like ATM,Asynchronous Transfer Networks, that doesn t have similar technologies as the associated to LAN networks natively, so they need to emulate LAN behaviour,including ARP, through special solutions, as LAN Emulation [RFC2225] [ATM1]. Fig 4.3 ARP protocol description and network diagram. 5 Serial to Ethernet Module 1. Connect the serial port of one of the S2E modules to the serial port of a PC. 2. Connect the serial port of the other S2E module to the serial port of another PC. IJPT Sep-2016 Vol. 8 Issue No Page 16880

9 3. Connect both S2E modules to a network with a DHCP server. 4. Power both S2E modules. Fig 5.1 serial to Ethernet module. 5. After the modules power up, both will automatically be configured as telnet servers by default.one will need to be configured to be a telnet client. Use a PC to double-click on one of the UPnP icons that corresponds to one of the S2E modules. This will load the configuration website for that S2E module. For details on accessing and using the configuration website. 6. Once the configuration page is loaded, click the link for Port 0 Settings. 7. Configure the Telnet Mode to be Client, the Local Telnet Port Number and Remote Telnet Port Number to be 23, and the Telnet Server IP to be the IP address of the other S2E module. 8. Open HyperTerminal on each of the PCs connected to the S2E modules. For each instance of HyperTerminal, select the COM port used by that PC to connect to the S2E module (most likely COM1) and configure it for bits per second, 8 data bits, no parity, 1 stop bit, and no flow control. 9. Once HyperTerminal is started and configured on each of the PCs, messages can be sent from one PC to the other by simply typing in the HyperTerminal window. Note that the default HyperTerminal settings will not display the typed characters in the transmitting window. Fig 5.2 Simulation Result. 6. Conclusion ARP spoofing is one of several vulnerabilities which exist in modern networking protocols, which allow a knowledgeable individual free reign over a network. IP spoofing, TCP sequence prediction, and ICMP redirect are just a IJPT Sep-2016 Vol. 8 Issue No Page 16881

10 few examples of other current weaknesses in these protocols. It is unlikely that these problems will be addressed until they are abused on a wide enough scale to force a change in the status quo. The problem is poised to grow as broadband Metropolitan Area Networks are implemented using Ethernet as the protocol of choice. The goal of this paper is trying to research and discover every small detail and component of the ARP protocol that will allow an attacker to get control over an unauthorized system, and it successfully provided the enough information for an administrator to be able to protect its network infrastructure. References 1. J. Bellardo and S. Savage, denial-of-service attacks: Real vulnerabilities and practical solutions, in Proceedings of the USENIX Security Symposium, 2003, pp F. Ferreri, M. Bernaschi, and L. Valcamonici, Access points vulnerabilities to dos attacks in networks, in Proceedings of the IEEE Wireless Communications and Networking Conference, D. Faria and D. Cheriton, Detecting identity-based attacks in wireless networks using signalprints, in Proceedings of the ACM Workshop on Wireless Security (WiSe), September Q. Li and W. Trappe, Relationship-based detection of spoofing-related anomalous traffic in ad hoc networks, in Proc. IEEE SECON, B. Wu, J. Wu, E. Fernandez, and S. Magliveras, Secure and efficient key management in mobile ad hoc networks, in Proc. IEEE IPDPS, A. Wool, Lightweight key management for ieee wireless lans with key refresh and host revocation, ACM/Springer Wireless Networks,vol. 11, no. 6, pp , Y. Sheng, K. Tan, G. Chen, D. Kotz, and A. Campbell, Detecting MAC layer spoofing using received signal strength, in Proc. IEEE INFOCOM, April J. Yang, Y. Chen, and W. Trappe, Detecting spoofing attacks in mobile wireless environments, in Proc. IEEE SECON, Y. Chen, W. Trappe, and R. P. Martin, Detecting and localizing wirelss spoofing attacks, in Proc. IEEE SECON, May IJPT Sep-2016 Vol. 8 Issue No Page 16882

11 10. M. bohge and W. Trappe, Anauthentication framework for hierarchicaad hoc sensor networks, in Proceedings of the ACM Workshop on Wireless Security (WiSe), 2003, pp L. Xiao, L. J. Greenstein, N. B.Mandayam, and W. Trappe, Fingerprints in the ether: using the physical layer for wireless. 12. Authentication, in Proceedings of the IEEE International Conference on Communications(ICC), June 2007, pp V. Brik, S. Banerjee, M. Gruteser, and S. Oh, Wireless device identification with radiometric signatures, in Proceedings of the 14th ACM international conference on Mobile computing and networking, 2008,pp F. Guo and T. Chiueh, Sequence number-based mac address spoof detection, in Recent Advances in Intrusion Detection, 2006, pp L. Sang and A. Arora, Spatial signatures for lightweight security in wireless sensor networks, in The 27th Conference on Computer. Corresponding Author: J.Deny*, IJPT Sep-2016 Vol. 8 Issue No Page 16883