Identifying Spoofed Packets Origin using Hop Count Filtering and Defence Mechanisms against Spoofing Attacks
Israel Umana 1, Sornalakshmi Krishnan 2
1 M.Tech Student, Information Security and Cyber Forensic, Dept. of Information Technology, Faculty of Engineering & Technology, SRM University, India
2 Assistant Professor, Information Security and Cyber Forensic, Dept. of Information Technology, Faculty of Engineering & Technology, SRM University, India

Abstract

Spoofing is a technique used by hackers to conceal their identities on the Internet. An attacker can launch attacks from one location while assuming the identity of someone else that either does not exist or exists in a completely different location. Distributed Denial of Service (DDoS) attacks, among other kinds of attacks, succeed through IP spoofing. Over the years, efforts to combat DDoS attacks have always implied efforts to identify spoofed packets, hence a lot of work has been done to identify IP packets that do not originate from where they claim to originate. However, efforts to trace back to the true source of spoofed packets have faced a number of challenges, including ease of deployment, extra overhead on routers and the need for implementation in all the routers on the Internet. This paper presents a new methodology that does not require any deployment but utilizes features already implemented in routers to reveal the true location of the attacker. We focus on trusted networks and utilize hop count filtering to identify spoofed packets and to implement a traceback to the node from which the spoofed packet originated. We also propose a secure three-way handshake that prevents the attacker from getting a false connection to a victim by simply guessing the sequence numbers.

Keywords: Spoofing; Backscatter; Hop count filtering; IP traceback; Secure three-way handshake

I. Introduction

Malicious hackers are everywhere!
One thing that is common among hackers, except for the suicide hackers, is that they want to remain anonymous on the Internet. They do this by masquerading and pretending to be who they are not. This act of concealing one's identity on the Internet is known as IP address spoofing. The IPv4 and IPv6 headers both have fields marked as Source Address and Destination Address, as shown in figure 1. The source address is the part of the header that is usually forged by the attacker, as it bears his identity. Most cyber-attacks directly or indirectly involve spoofing, as the attackers, most times, would not want to be traced. The popular Distributed Denial of Service (DDoS) attack exploits the IP spoofing technique to send rogue requests from fake IP addresses to a single target [1]. Because the requests come from different spoofed IP addresses, it becomes difficult to trace the true generator of such malicious packets. Thus, the attacker ends up impersonating the legitimate owners of the addresses used in the spoofing activity. This is a breach of authentication. Usually, the spoofer is not interested in the response packets, as they are sent to the spoofed addresses which, in truth, did not request them. Therefore, system resources allocated for such packets go to waste while legitimate requests for those resources are denied: a denial of service (DoS) attack.

Figure 1: IPv4 and IPv6 Headers

In this paper, we study the IP spoofing activity by analysing the backscatter messages captured by an Internet monitor called a network telescope or darknet [2]. The Network Telescope is a passive traffic monitoring system which is a globally routed /8 network. It captures unsolicited response packets which are usually sent from a spoofing attack victim back to the spoofed addresses. These response packets could be a SYN packet or ICMP error messages, also known as path backscatter.
Though the network telescope is primarily aimed at observing Distributed Denial of Service attacks (as depicted in figure 2), the backscatter messages, if collected, can be useful in identifying the true origin of the spoofed packets. We explore the ICMP error messages, which hold some details that can lead to the disclosure of the spoofer's location. As presented in RFC792 [3], ICMP error messages are generated on certain occasions. For instance, the ICMP time exceeded message is generated when the TTL value is exhausted while the packet is in transit or when the fragment reassembly time is exceeded. The headers of these messages hold sensitive information that may reveal the original IP header (figure 3). Thus, by probing the ICMP error messages, one can discover the original source IP address of the packet which, in most cases, is that of the spoofer's gateway.

Figure 2: Backscatter monitor with darknet (Source: [2])

Figure 3: ICMP header format

II. Review of Existing Work

A. Existing works on IP Trace back Mechanisms

A lot of literature has been published on methodologies to identify the true location of the IP spoofing attacker. Apart from the recent work published by [4], other IP traceback mechanisms can broadly be classified into two: Packet Marking and Packet Logging. In the packet marking method, presented in [5], the routers append their identification information to the packet header while the packet traverses the network. The IP header has limited space for marking, therefore the routers probabilistically mark packets such that each marked packet carries just partial information about the network path. This method of packet marking is called Probabilistic Packet Marking (PPM). The network path is constructed using a number of marked packets received. Another variant of the packet marking method is Deterministic Packet Marking (DPM), proposed in [6] and [7]. In this method, the packet marking is done deterministically by only the ingress edge routers, while other routers are exempted from the marking task.
This reduction in the number of routers engaged in the packet marking task makes DPM most effective in handling large-scale Distributed Denial of Service. The major challenge of the packet marking method is that it requires a number of packets in order to determine the network path. This is because a single marked packet carries only partial path information.

The Packet Logging approach requires the routers on the path to the destination to store path information of a packet in the router memory. This logged information is then used to derive the network path of the packet. This, as noted in [8], consumes enormous storage and processing resources given the limited storage capacity of routers. Apart from the storage limitation, it also poses a privacy threat, as the logged information may reveal the topology of the network, and ISPs are sceptical about implementing features that compromise the privacy of individuals.

Though some authors like [8] and [9] have published articles on a hybrid of these two methods in an attempt to overcome the inherent drawbacks, the unattended challenge has always been the deployment difficulty. This is because it requires that all routers on the Internet be configured to implement packet marking and logging as proposed by these authors. It also requires collaboration with ISPs, who are not readily willing to implement policies that have no business value for them. These, among other factors, have led to more research into traceback mechanisms that do not require deployment on all routers and that are equally effective in identifying the origin of spoofed traffic.
B. Defence against IP Spoofing

A lot of defence mechanisms have been proposed by many authors against the impersonation attack known as IP spoofing. Fu-Yuan Lee et al. [10] proposed an anti-DDoS scheme called ANTID, which focuses on identifying spoofed packets and discarding them when DDoS attacks occur. Their scheme was inspired by hop count filtering and path identification. This, again, required huge deployment cost, as each of the routers was expected to mark the packets with path information.

Another method is presented in [11], which is based on traceroute and cooperation with trusted adjacent nodes. It requires mutual cooperation among trusted adjacent nodes to block intruders from an external network who intrude into trusted networks by IP spoofing attacks. In this model, the author employs an adjacent trusted node, referred to as the detection node, to detect when the hijacked node is unreachable due to the presence of an impersonator. The challenge with this method is getting external nodes to cooperate in detecting spoofers over the Internet.

Pimpalkar et al. [12] propose a cryptographic hash technique for defending against spoofing attacks. In the algorithm, certain fields in the IP header are extracted and encrypted by using a hashing technique. The encryption secret key is computed from certain packet field values and then an XOR operation is carried out on the computed values. This constitutes extra overhead on the network.

III. OUR WORK

A. HOW SPOOFING IS DONE IN A TRUSTED NETWORK

The schematic of a trusted network is illustrated in figure 4. In this architecture, each trusted node has access authority over the others. Thus, each trusted node in the network has access information about other nodes, such as node name, IP address, hop count and traceroute from itself to other trusted nodes. The trusted nodes can, however, be virtually connected together.
That is, as opposed to the idea illustrated in figure 4, hosts A, B and C can be in different geographical locations but still make up the trusted network. Thus, if host A communicates with node B, node B can verify the authenticity of the message received by comparing the information retrieved from the message with the stored access information about node A. This way, a spoofer trying to mimic the IP address of a trusted node can be identified, since he has no idea of other information such as hop counts between trusted nodes, computer names, etc. In general, there can be a number of routers (henceforth referred to as nodes) forming the trusted network. Thus, any packet from outside the network must first be authenticated. In our work, we simulated 49 nodes within the network and illustrated how the traceback process is implemented. The following section explains the spoofing process in detail.

Figure 4: Trusted and Untrusted network

Figure 5: Spoofing Process

The spoofing process generally works as depicted in figure 5. The hosts with IP addresses of (Host A) and (Host B) are considered trusted hosts. An attacker with IP address of (Host C) first attacks and takes control of Host A and blocks it from communicating with the Internet. Next, it sends a TCP SYN connection request to Host B, pretending to be Host A. When Host B receives the request, it sends a SYN + ACK to node A. However, node A cannot receive such a response since it did not request it. But, since Host A is under the control of Host C, Host C sniffs and captures the sequence number and uses it to send an ACK packet to Host B, hence completing the three-way handshaking process. Thus, for an attacker to successfully spoof the source address of a trusted host, he must first obtain control of that source.
This is a kind of man-in-the-middle (MITM) attack, which requires that the attacker breaks into the network (usually through one of the weak links within the trusted network) before he can successfully impersonate another user.
B. DETECTION OF SPOOFED PACKETS BASED ON HOP COUNT FILTERING

Within a trusted network, each node maintains an IP-to-HopCount table, indexed by the IP addresses within the network, which indicates how many hops it takes to reach each host within the network. Unfortunately, hop count values are not directly carried in the IP header but are implied in the time-to-live (TTL) values. TTL is used to specify the maximum number of nodes a packet can traverse before getting to the destination. Sometimes, hackers set small TTL values with the intention of triggering ICMP error messages in order to determine exactly how far away the target system is. When a packet traverses a node (router), the TTL value is decremented by 1. However, the initial TTL values are not uniform across different platforms. While some will set it at 30 or 30, some will set it at 64 or 128, etc., depending on the operating system. Thus, obtaining the initial TTL value of a packet can be obscure. Given the advantage that we are considering a trusted network in which we know many details about each node, we can predict the initial TTL value of the packet.

To determine whether or not a packet is from a genuine source, we first extract the source IP address from the packet header. We label this address as $S$. We extract the final TTL from the header and label it as $T$. We infer the initial TTL, $T_0$, from the knowledge of the initial TTL usually generated within the network, which depends on the host operating systems. From these values we compute the hop count, $H_c$. From the IP-to-HopCount table, we index the source IP address, $S$, to obtain the stored hop count, $H_s$, between the source IP address and the destination. We then compare the value of $H_c$ with that of $H_s$; if they match, then the packet is from the genuine source, otherwise the packet is spoofed.
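The check described above, as an added Python example that is not code from the paper. It reads S and T from a raw IPv4 header, uses the peer's recorded initial TTL when the table has one and otherwise falls back to the smallest common default at or above T. The candidate TTL list, the `Peer` table layout, the helper names and the 192.0.2.x sample addresses are assumptions made for the illustration.

```python
import ipaddress
import struct
from typing import Dict, NamedTuple, Optional, Tuple

# Assumed candidate initial TTLs for peers whose OS default is not recorded.
COMMON_INITIAL_TTLS = (30, 32, 60, 64, 128, 255)


class Peer(NamedTuple):
    stored_hops: int                   # H_s from the IP-to-HopCount table
    initial_ttl: Optional[int] = None  # T_0 when the peer's OS default is known


class Verdict(NamedTuple):
    status: str                        # "legitimate", "spoofed", "unknown-source"
    source: str                        # S
    computed_hops: Optional[int]       # H_c
    stored_hops: Optional[int]         # H_s


def parse_ipv4(header: bytes) -> Tuple[str, int]:
    """Return (source address S, final TTL T) from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return str(ipaddress.IPv4Address(header[12:16])), header[8]


def infer_initial_ttl(final_ttl: int, known: Optional[int] = None) -> int:
    """T_0: the recorded value if any, else the smallest common default >= T."""
    if known is not None:
        return known
    for candidate in COMMON_INITIAL_TTLS:
        if candidate >= final_ttl:
            return candidate
    raise ValueError("TTL out of range")


def classify(header: bytes, table: Dict[str, Peer]) -> Verdict:
    """Compare the computed hop count H_c = T_0 - T with the stored H_s."""
    source, final_ttl = parse_ipv4(header)
    peer = table.get(source)
    if peer is None:
        # Not a trusted node: the hop count table cannot decide.
        return Verdict("unknown-source", source, None, None)
    computed = infer_initial_ttl(final_ttl, peer.initial_ttl) - final_ttl
    # A negative H_c (T above the recorded T_0) never matches, so it is flagged.
    status = "legitimate" if computed == peer.stored_hops else "spoofed"
    return Verdict(status, source, computed, peer.stored_hops)


def make_header(src: str, ttl: int, dst: str = "192.0.2.1") -> bytes:
    """Constructed sample input: minimal 20-byte IPv4 header, checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


# Constructed IP-to-HopCount table for two trusted peers.
TABLE = {
    "192.0.2.10": Peer(stored_hops=5, initial_ttl=64),  # OS default recorded
    "192.0.2.20": Peer(stored_hops=3),                  # OS default not recorded
}

if __name__ == "__main__":
    for src, ttl in [("192.0.2.10", 59), ("192.0.2.10", 61),
                     ("192.0.2.20", 125), ("198.51.100.7", 60)]:
        print(classify(make_header(src, ttl), TABLE))
```
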
The algorithm works as follows:

    For each packet:
        extract the final TTL T and IP address S;
        infer the initial TTL T_0;
        compute the hop count, H_c = T_0 - T;
        index S to get the stored hop count H_s;
        if (H_s == H_c)
            packet is legitimate;
        else
            packet is spoofed;

C. TRACEBACK BASED ON HOP COUNT

We now present the method we employed in our implementation to trace the node through which the spoofed packet was sent. When a spoofed packet is detected, the traceback module is triggered. First, the system tries to identify the path between the source node, $S$, and itself, $D$, and the number of nodes, $p$, between $S$ and $D$. With this, it identifies all the nodes between the source and destination as a set of suspect nodes, $N_s$:

$N_s = \{N_i : 1 \le i \le p\}$

This is done by sending route requests to neighbouring nodes and obtaining the route replies for evaluation. With this, the most efficient path between $S$ and $D$ is identified, as well as $N_s$. After identifying the set of suspect nodes, $N_s$, it probes the distances between $S$ and each of the nodes, $N_i$, to find which of them has a hop count equal to the earlier computed value. Once a match is found, that node is designated the spoofing node; otherwise, the test fails. Our aim is to identify through which of the nodes the attacker broke into the network and to take the necessary measures to secure such nodes. Further probing can be done, though it is not covered in the scope of this work, to determine which host connected to the spoofing node actually launched the attack.

D. SECURE THREE-WAY HANDSHAKING

We reasoned that spoofing becomes successful in a trusted network due to the ability of the attacker to guess the sequence numbers of the packets transmitted between legitimate hosts within the network. Thus, if some additional credentials that cannot be guessed are requested and verified during the three-way handshake, the attacker will find it more difficult to establish a connection with the victim using a spoofed address. Therefore, we propose the secure three-way handshake in a trusted network based on the spoofing scenario depicted in figure 5. We present two models: one based on a pre-shared secret key (K) among the trusted hosts and the other based on the shared identifiers (ID) among the trusted hosts. The two schemes are illustrated in figure 6 and figure 7.

Figure 6: Secure 3-way Handshake based on Shared key
Figure 7: Secure 3-way handshake based on shared Identity

In the first model, if there is a shared symmetric encryption key among the trusted nodes for the purpose of authentication, then this can be incorporated into the connection negotiation process. When a host within a trusted network wishes to communicate with another host, it sends a SYN packet to the destination. The destination generates a random value (rand), encrypts it with the shared key (K) using any agreed symmetric encryption algorithm, and sends a SYN + ACK with the encrypted rand piggybacked on it to the source. If the source is genuine, it will have the shared key and therefore be able to decrypt the rand, piggyback it on an ACK packet and send it to the destination. The destination grants the connection if the rand sent matches the one it had earlier generated.

In the second model, the identity information which is accessible to all the trusted hosts is utilized. Here, when a trusted host receives a SYN request from another trusted host, it asks, "hey, do you know my identity?" by sending a hash of the identity along with a SYN + ACK packet. The host that initiated the connection request then sends an ACK along with the ID of the destination, which can be verified before granting the connection request.

With this, we can terminate the connection between the spoofer and the target host right during the connection negotiation process.

E. IMPLEMENTATION AND RESULT

We illustrate this concept with NS2. We simulate a trusted network with 49 nodes as shown in figure 8. In the implementation, we simulate an attacker mapping the network to find out the topology of the network and hence the nodes between the source and destination that can be compromised. He monitors the traffic and then takes control of the intermediate nodes. He then pretends to be the original source by using the original source IP address as his IP address. At the destination, the spoofer detection module is run whenever a packet is received. Whenever a spoofed packet is identified, the traceback module is automatically run.

Figure 8: Set of nodes in a trusted network

The system was tested with different sets of source nodes, destination nodes and spoofing nodes. The end-to-end delay, spoofer detection rate and packet delivery ratio generated by NS2 are as shown in the output graphs of figure 9, figure 10 and figure 11.

Figure 9: End-To-End Delay output

Figure 10: IP Spoofer Detection

Figure 11: Packet Delivery Ratio
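For the traceback of section C, an added Python example that is not the paper's NS2 code. It finds one shortest path from S to D by breadth-first search, takes the intermediate nodes as the suspect set, and returns the suspect whose hop distance to D equals the computed hop count. Assumptions: the 49 nodes are laid out as a 7x7 grid, one link is one hop, and the probed distance is the one from each suspect to the destination D, since that is the distance the spoofed packet travelled; the function names are hypothetical.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple


def grid_topology(side: int = 7) -> Dict[int, List[int]]:
    """Constructed topology: side*side nodes, each linked to its grid neighbours."""
    adj: Dict[int, List[int]] = {}
    for row in range(side):
        for col in range(side):
            node = row * side + col
            neighbours = []
            if row > 0:
                neighbours.append(node - side)
            if row < side - 1:
                neighbours.append(node + side)
            if col > 0:
                neighbours.append(node - 1)
            if col < side - 1:
                neighbours.append(node + 1)
            adj[node] = neighbours
    return adj


def shortest_path(adj: Dict[int, List[int]], src: int, dst: int) -> Optional[List[int]]:
    """Breadth-first search; returns one shortest path src..dst, or None."""
    parent: Dict[int, Optional[int]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for neighbour in adj[node]:
            if neighbour not in parent:
                parent[neighbour] = node
                queue.append(neighbour)
    return None


def traceback(adj: Dict[int, List[int]], src: int, dst: int,
              computed_hops: int) -> Tuple[Optional[int], List[int]]:
    """Return (spoofing node or None, suspect set N_s) for a flagged packet.

    src is the claimed source S, dst is the detecting node D and
    computed_hops is H_c taken from the spoofed packet's TTL.
    """
    path = shortest_path(adj, src, dst)
    if path is None:
        return None, []
    suspects = path[1:-1]                    # N_1 .. N_p, endpoints excluded
    for index, node in enumerate(suspects, start=1):
        hops_to_dst = len(path) - 1 - index  # links left between N_i and D
        if hops_to_dst == computed_hops:
            return node, suspects
    return None, suspects                    # no suspect matches: test fails


if __name__ == "__main__":
    topology = grid_topology(7)
    spoofer, suspect_set = traceback(topology, src=0, dst=48, computed_hops=5)
    print("suspects:", suspect_set)
    print("spoofing node:", spoofer)
```
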
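For the shared-key model of section D, an added Python example that is not from the paper and models the SYN, SYN + ACK and ACK messages as function calls rather than real TCP segments. Because the Python standard library has no symmetric cipher, the encrypt-and-return-rand step is swapped for an HMAC-SHA256 over a fresh random challenge, which proves possession of K in the same way; the class and function names, the 5-second challenge lifetime and the sample address are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

PeerAddr = Tuple[str, int]  # (source IP, source port) of the initiator


def answer_challenge(key: bytes, peer: PeerAddr, nonce: bytes) -> bytes:
    """Initiator side: prove knowledge of K for this connection and challenge."""
    ip, port = peer
    message = ip.encode() + b"|" + str(port).encode() + b"|" + nonce
    return hmac.new(key, message, hashlib.sha256).digest()


class Responder:
    """Destination side: challenge sent with SYN + ACK, verified on ACK."""

    def __init__(self, key: bytes, ttl_seconds: float = 5.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._key = key
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending: Dict[PeerAddr, Tuple[bytes, float]] = {}

    def on_syn(self, peer: PeerAddr) -> bytes:
        """Create a fresh challenge; it travels piggybacked on the SYN + ACK."""
        nonce = secrets.token_bytes(16)
        self._pending[peer] = (nonce, self._clock() + self._ttl)
        return nonce

    def on_ack(self, peer: PeerAddr, response: bytes) -> bool:
        """Grant the connection only for a timely, correct, first-use answer."""
        entry = self._pending.pop(peer, None)  # single use: a replay finds nothing
        if entry is None:
            return False
        nonce, deadline = entry
        if self._clock() > deadline:
            return False
        expected = answer_challenge(self._key, peer, nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> Dict[str, bool]:
    """Run the exchange for a genuine host and three failing cases."""
    key = secrets.token_bytes(32)              # constructed pre-shared key K
    now = [0.0]                                # controllable clock for the demo
    host_b = Responder(key, clock=lambda: now[0])
    host_a = ("192.0.2.10", 40000)             # constructed trusted peer address
    results = {}

    nonce = host_b.on_syn(host_a)
    good = answer_challenge(key, host_a, nonce)
    results["genuine"] = host_b.on_ack(host_a, good)

    host_b.on_syn(host_a)                      # new handshake, new challenge
    results["replayed_old_answer"] = host_b.on_ack(host_a, good)

    nonce = host_b.on_syn(host_a)              # sniffer sees nonce but lacks K
    guess = answer_challenge(b"not-the-shared-key", host_a, nonce)
    results["sniffer_without_key"] = host_b.on_ack(host_a, guess)

    nonce = host_b.on_syn(host_a)
    now[0] += 6.0                              # answer arrives after the deadline
    results["late_answer"] = host_b.on_ack(host_a, answer_challenge(key, host_a, nonce))
    return results


if __name__ == "__main__":
    print(demo())
```
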
IV. CONCLUSION AND FUTURE WORK

In this paper, we present a method of IP traceback using hop count. We limited our study to a trusted network where the nodes collaborate with one another to detect anomalous activities. This method is easy to implement and, with an optimized algorithm, the spoofer can be detected and traced before much damage is done.

There is, however, a need to extend the traceback with hop count to address spoofing attacks in untrusted networks, where there is no collaboration between neighbouring nodes or any shared information between nodes. Research is also needed in the area of determining the initial TTL value of a packet so as to be able to determine, with a greater level of precision, the hop count between nodes.

References

[1] Y. Xiang and W. Zhou, "A Defense System Against DDoS Attacks by Large-Scale IP Traceback," in Third International Conference on Information Technology and Applications (ICITA 05), Australia.
[2] CAIDA, "Network Telescope," CAIDA, 23 April. [Online]. [Accessed 17 August 2015].
[3] J. Postel, "Internet Control Message Protocol," RFC792, 5 September. [Online]. [Accessed 18 August 2015].
[4] G. Yao, J. Bi and A. V. Vasilakos, "Passive IP Traceback: Disclosing the Locations of IP Spoofers from Path Backscatter," IEEE Transactions on Information Forensics and Security, vol. 10, no. 3.
[5] B. C. Hal Burch, "Tracing Anonymous Packets to Their Approximate Source," in 14th Usenix Systems Administration Conf., LISA.
[6] A. B. a. N. Ansari, "IP Traceback with Deterministic packet marking," IEEE Communication Letter, vol. 7.
[7] A. B. a. N. Ansari, "Tracing Multiple Attackers with deterministic packet marking (DPM)," in IEEE Pacific Rim Conference.
[8] W. Xiao-jing and X. You-lin, "IP Traceback based on Deterministic Packet Marking and Logging," in Eighth IEEE International Conference on Embedded Computing; IEEE International Conference on Scalable Computing and Communications, China.
[9] C. Gong and Sarac Kamil, "A More Practical Approach for Single-Packet IP Traceback Using Logging and Marking," IEEE Transactions on Parallel Distributed Systems, vol. 19, no. 10.
[10] F.-Y. Lee and S. Shieh, "Defending against spoofed DDoS attacks with path fingerprint," ELSEVIER - Computers & Security, vol. 2005, no. 24.
[11] Y. Ma, "An Effective Method for Defense against IP Spoofing Attack," IEEE.
[12] A. S. Pimpalkar and A. R. B. Patil, "Defence Against DDoS Attack Using IP Address Spoofing," International Journal of Innovative Research in Computer and Communication Engineering, vol. 3, no. 3.
[13] D. Davis, TechRepublic, 14 March. [Online]. [Accessed 30 August 2015].
More informationNetwork Policy Enforcement
CHAPTER 6 Baseline network policy enforcement is primarily concerned with ensuring that traffic entering a network conforms to the network policy, including the IP address range and traffic types. Anomalous
More informationRETRIEVAL OF DATA IN DDoS ATTACKS BY TRACKING ATTACKERS USING NODE OPTIMIZATION TECHNIQUE
RETRIEVAL OF DATA IN DDoS ATTACKS BY TRACKING ATTACKERS USING NODE OPTIMIZATION TECHNIQUE G.Sindhu AP/CSE Kalaivanicollege of technology *Mail-id:sindhugnsn24@gmail.com ABSTRACT: attempt derives from a
More informationNovel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback. Basheer Al-Duwairi, Member, IEEE, and G. Manimaran, Member, IEEE
1 Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback Basheer Al-Duwairi, Member, IEEE, and G. Manimaran, Member, IEEE Abstract Tracing DoS attacks that employ source address spoofing
More information(Submit to Bright Internet Global Summit - BIGS)
Reviewing Technological Solutions of Source Address Validation (Submit to Bright Internet Global Summit - BIGS) Jongbok Byun 1 Business School, Sungkyunkwan University Seoul, Korea Christopher P. Paolini
More informationDDOS Attack Prevention Technique in Cloud
DDOS Attack Prevention Technique in Cloud Priyanka Dembla, Chander Diwaker CSE Department, U.I.E.T Kurukshetra University Kurukshetra, Haryana, India Email: priyankadembla05@gmail.com Abstract Cloud computing
More informationInternet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.
Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi ARP requests and responses IP: 192.168.1.1 MAC:
More informationEFFICIENT DEFENSE SYSTEM FOR IP SPOOFING IN NETWORKS
EFFICIENT DEFENSE SYSTEM FOR IP SPOOFING IN NETWORKS Emil Kuriakose John 1 and Sumaiya Thaseen 2 1 School of Information Technology and Engineering, VIT University, Vellore, Tamil Nadu, India ekj171@gmail.com
More informationPacket Estimation with CBDS Approach to secure MANET
Packet Estimation with CBDS Approach to secure MANET Mr. Virendra P. Patil 1 and Mr. Rajendra V. Patil 2 1 PG Student, SSVPS COE, Dhule, Maharashtra, India 2 Assistance Professor, SSVPS COE, Dhule, Maharashtra,
More informationA Look Back at Security Problems in the TCP/IP Protocol Suite Review
A Look Back at Security Problems in the TCP/IP Protocol Suite Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 26, 2011 1 Introduction to the topic and the reason
More informationnetwork security s642 computer security adam everspaugh
network security s642 adam everspaugh ace@cs.wisc.edu computer security today Announcement: HW3 to be released WiFi IP, TCP DoS, DDoS, prevention 802.11 (wifi) STA = station AP = access point BSS = basic
More informationANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS
ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS Saulius Grusnys, Ingrida Lagzdinyte Kaunas University of Technology, Department of Computer Networks, Studentu 50,
More informationAN UNIQUE SCHEME FOR DETECTING IP SPOOFERS USING PASSIVE IP TRACEBACK
AN UNIQUE SCHEME FOR DETECTING IP SPOOFERS USING PASSIVE IP TRACEBACK LANKA VENNELA #1 and VEERA RAJU RYALI *2 # PG Scholar, Kakinada Institute Of Engineering & Technology Department of Computer Science,
More information(2½ hours) Total Marks: 75
(2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.
More informationInternational Journal of Scientific & Engineering Research, Volume 7, Issue 12, December ISSN
International Journal of Scientific & Engineering Research, Volume 7, Issue 12, December-2016 360 A Review: Denial of Service and Distributed Denial of Service attack Sandeep Kaur Department of Computer
More informationInternet Protocol and Transmission Control Protocol
Internet Protocol and Transmission Control Protocol CMSC 414 November 13, 2017 Internet Protcol Recall: 4-bit version 4-bit hdr len 8-bit type of service 16-bit total length (bytes) 8-bit TTL 16-bit identification
More informationDetection and Removal of Black Hole Attack in Mobile Ad hoc Network
Detection and Removal of Black Hole Attack in Mobile Ad hoc Network Harmandeep Kaur, Mr. Amarvir Singh Abstract A mobile ad hoc network consists of large number of inexpensive nodes which are geographically
More informationCYBER ATTACKS EXPLAINED: WIRELESS ATTACKS
CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS Wireless networks are everywhere, from the home to corporate data centres. They make our lives easier by avoiding bulky cables and related problems. But with these
More informationMITIGATING DENIAL OF SERVICE ATTACKS IN OLSR PROTOCOL USING FICTITIOUS NODES
MITIGATING DENIAL OF SERVICE ATTACKS IN OLSR PROTOCOL USING FICTITIOUS NODES 1 Kalavathy.D, 2 A Gowthami, 1 PG Scholar, Dept Of CSE, Salem college of engineering and technology, 2 Asst Prof, Dept Of CSE,
More informationELEC5616 COMPUTER & NETWORK SECURITY
ELEC5616 COMPUTER & NETWORK SECURITY Lecture 17: Network Protocols I IP The Internet Protocol (IP) is a stateless protocol that is used to send packets from one machine to another using 32- bit addresses
More informationEE 122: Network Security
Motivation EE 122: Network Security Kevin Lai December 2, 2002 Internet currently used for important services - financial transactions, medical records Could be used in the future for critical services
More informationDistributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013
Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive
More informationDenial of Service, Traceback and Anonymity
Purdue University Center for Education and Research in Information Assurance and Security Denial of Service, Traceback and Anonymity Clay Shields Assistant Professor of Computer Sciences CERIAS Network
More informationInter-domain routing validator based spoofing defence system
University of Wollongong Research Online Faculty of Informatics - Papers (Archive) Faculty of Engineering and Information Sciences 2010 Inter-domain routing validator based spoofing defence system Lei
More informationAn Investigation about the Simulation of IP Traceback and Various IP Traceback Strategies
IJCSNS International Journal of Computer Science and Network Security, VOL.8 No.12, December 2008 1 An Investigation about the Simulation of IP Traceback and Various IP Traceback Strategies S.Karthik 1
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Intrusion Detection Systems Intrusion Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking
More informationKeywords MANET, DDoS, Floodingattack, Pdr.
Volume 6, Issue 1, January 2016 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Detection and
More informationNETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006
NETWORK INTRUSION Information Security in Systems & Networks Public Development Program Sanjay Goel University at Albany, SUNY Fall 2006 1 Learning Objectives Students should be able to: Recognize different
More informationTCP Overview Revisited Computer Networking. Queuing Disciplines. Packet Drop Dimensions. Typical Internet Queuing. FIFO + Drop-tail Problems
TCP Overview Revisited TCP modern loss recovery 15-441 Computer Networking Other Transport Issues, Attacks and Security Threats, Firewalls TCP options TCP interactions TCP modeling Workload changes TCP
More informationPassive IP Traceback: Disclosing the Locations of IP Spoofers from Path Backscatter
1 Passive IP Traceback: Disclosing the Locations of IP Spoofers from Path Backscatter Guang Yao, Jun Bi, Senior Member, IEEE, and Athanasios V. Vasilakos, Senior Member, IEEE Abstract It is long known
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based
More informationCSE/EE 461 Lecture 13 Connections and Fragmentation. TCP Connection Management
CSE/EE 461 Lecture 13 Connections and Fragmentation Tom Anderson tom@cs.washington.edu Peterson, Chapter 5.2 TCP Connection Management Setup assymetric 3-way handshake Transfer sliding window; data and
More informationChapter 7. Denial of Service Attacks
Chapter 7 Denial of Service Attacks DoS attack: An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU),
More informationCISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks
CISNTWK-440 Intro to Network Security Chapter 4 Network Vulnerabilities and Attacks Objectives Explain the types of network vulnerabilities List categories of network attacks Define different methods of
More informationDetecting and Preventing Network Address Spoofing
Detecting and Preventing Network Address Spoofing Hamza A. Olwan 1, Mohammed A. Babiker 2 and Mohammed E. Hago 3 University of Khartoum, Sudan olwan777@gmail.com 1, moh_teg821@hotmail.com 2 and melzain88@gmail.com
More informationABSTRACT. A network is an architecture with a lot of scope for attacks. The rise in attacks has been
ABSTRACT A network is an architecture with a lot of scope for attacks. The rise in attacks has been growing rapidly. Denial of Service (DoS) attack and Distributed Denial of Service (DDoS) attack are among
More informationAdopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks
Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks Navaneethan C. Arjuman nava@nav6.usm.my National Advanced IPv6 Centre January 2014 1 Introduction IPv6 was introduced
More informationSecurity in inter-domain routing
DD2491 p2 2011 Security in inter-domain routing Olof Hagsand KTH CSC 1 Literature Practical BGP pages Chapter 9 See reading instructions Beware of BGP Attacks (Nordström, Dovrolis) Examples of attacks
More informationSPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006
SPOOFING Information Security in Systems & Networks Public Development Program Sanjay Goel University at Albany, SUNY Fall 2006 1 Learning Objectives Students should be able to: Determine relevance of
More informationDenial of Service. Serguei A. Mokhov SOEN321 - Fall 2004
Denial of Service Serguei A. Mokhov SOEN321 - Fall 2004 Contents DOS overview Distributed DOS Defending against DDOS egress filtering References Goal of an Attacker Reduce of an availability of a system
More informationHP High-End Firewalls
HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2650 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719
More informationBest Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies
Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies In order to establish a TCP connection, the TCP three-way handshake must be completed. You can use different accept policies
More informationSecuring ARP and DHCP for mitigating link layer attacks
Sādhanā Vol. 42, No. 12, December 2017, pp. 2041 2053 https://doi.org/10.1007/s12046-017-0749-y Ó Indian Academy of Sciences Securing ARP and DHCP for mitigating link layer attacks OSAMA S YOUNES 1,2 1
More informationInternational Journal of Advance Engineering and Research Development
Scientific Journal of Impact Factor (SJIF): 5.71 International Journal of Advance Engineering and Research Development Volume 5, Issue 03, March -2018 e-issn (O): 2348-4470 p-issn (P): 2348-6406 BATCH
More informationLayer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers
Layer 4: UDP, TCP, and others based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Concepts application set transport set High-level, "Application Set" protocols deal only with how handled
More informationIntrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks
Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks So we are proposing a network intrusion detection system (IDS) which uses a Keywords: DDoS (Distributed Denial
More informationCOUNTERMEASURE TOOL - CARAPACE FOR NETWORK SECURITY
COUNTERMEASURE TOOL - CARAPACE FOR NETWORK SECURITY Anand Bisen 1, Shrinivas Karwa 2, B.B. Meshram 3 1,2,3 Department of Computer Engineering, Veermata Jijabai Technological Institute, Mumbai, MH, India
More informationConfiguring Flood Protection
Configuring Flood Protection NOTE: Control Plane flood protection is located on the Firewall Settings > Advanced Settings page. TIP: You must click Accept to activate any settings you select. The Firewall
More informationTHE "TRIBE FLOOD NETWORK 2000" DISTRIBUTED DENIAL OF SERVICE ATTACK TOOL
TFN2K - An Analysis Jason Barlow and Woody Thrower AXENT Security Team February 10, 2000 (Updated March 7, 2000) Revision: 1.3 Abstract This document is a technical analysis of the Tribe Flood Network
More informationDDoS PREVENTION TECHNIQUE
http://www.ijrst.com DDoS PREVENTION TECHNIQUE MADHU MALIK ABSTRACT A mobile ad hoc network (MANET) is a spontaneous network that can be established with no fixed infrastructure. This means that all its
More informationUnit 4: Firewalls (I)
Unit 4: Firewalls (I) What is a firewall? Types of firewalls Packet Filtering Statefull Application and Circuit Proxy Firewall services and limitations Writing firewall rules Example 1 Example 2 What is
More informationSingle Packet ICMP Traceback Technique using Router Interface
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 30, 1673-1694 (2014) Single Packet ICMP Traceback Technique using Router Interface Department of Computer Science and Engineering Thiagarajar College of Engineering
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 12 2/28/08 CIS/TCOM 551 1 Announcements Reminder: Project 2 is due Friday, March 7th at 11:59 pm 2/28/08 CIS/TCOM 551 2 Internet Protocol
More informationSIMULATION OF THE COMBINED METHOD
SIMULATION OF THE COMBINED METHOD Ilya Levin 1 and Victor Yakovlev 2 1 The Department of Information Security of Systems, State University of Telecommunication, St.Petersburg, Russia lyowin@gmail.com 2
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 8 Denial of Service First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Denial of Service denial of service (DoS) an action
More informationDETECTING, DETERMINING AND LOCALIZING MULTIPLE ATTACKS IN WIRELESS SENSOR NETWORK - MALICIOUS NODE DETECTION AND FAULT NODE RECOVERY SYSTEM
DETECTING, DETERMINING AND LOCALIZING MULTIPLE ATTACKS IN WIRELESS SENSOR NETWORK - MALICIOUS NODE DETECTION AND FAULT NODE RECOVERY SYSTEM Rajalakshmi 1, Umamaheswari 2 and A.Vijayaraj 3 1 Department
More informationInternet level Traceback System for Identifying the Locations of IP Spoofers from Path Backscatter
Volume 4, Issue 3, March-2017, pp. 98-105 ISSN (O): 2349-7084 International Journal of Computer Engineering In Research Trends Available online at: www.ijcert.org Internet level Traceback System for Identifying
More information