WIRELESS PACKET ANALYZER TOOL WITH IP TRACEROUTE

WIRELESS PACKET ANALYZER TOOL WITH IP TRACEROUTE H. Abdul Rauf, Dean (CSE/IT), V.L.B. Janakiammal College of Engineering & Technology, Coimbatore A. Ebenezer Jeyakumar Principal, Government College of Engineering, Salem harauf@yahoo.com ABSTRACT The ability to characterize IP traffic and understand how and where it flows is critical for network availability, performance, security and troubleshooting. Monitoring IP traffic flows facilitates more accurate capacity planning and ensures that resources are used appropriately in support of organizational goals. It helps to determine where to apply Quality of Service (QoS), optimize resource usage and it plays a vital role in network security to detect Denial-of-Service (DoS) attacks, network propagated worms, and other undesirable network events. The proposed Wireless Packet Analyzer Tool (WPAT) facilitates solutions to many common Wi- Fi threats like DoS attack, Mis-associated systems from neighboring premises, Rogue APs etc., encountered by wireless networks. The attacks were simulated in an experimental set-up and WPAT is tested for required performance. A scheme that may effectively and efficiently combine detection, defense, and traceback may significantly enhance performance and mitigate false positives. The WPAT is used to identify the new IP and its route is traced by IP Traceback tool. The route contains the details such as the total number of hops, time taken for each hops in milliseconds and the IP address of the intermediate routers. The traced route is used for plotting the graph. Keywords: : Denial-of-Service, Wireless Packet Analyzer Tool, IP Traceback. 1 INTRODUCTION The rapid increase in the use of computers coupled with the exponential growth of the Internet has also had ramifications on the growth of crime. Effective tools that can analyze and monitor the network traffic and can also keep up with the growing bandwidth speeds are required. Such monitoring tools help network administrators in evaluating and diagnosing performance problem with servers, the network, hubs and applications. Careful and judicious monitoring of data flowing across the network can help detect and prevent crime and protect intellectual property as well as privacy of individuals. Network monitoring tools can monitor the network at various levels of the network stack. Some tools monitor only at the MAC layer whereas others can also monitor the network layer. Some tools can extend to the application level as well. There are only limited tools that can attempt to monitor based on filtering the content of applications. Network monitoring tools are mostly sniffers optionally coupled with filtering and post processing tools. This paper discusses the mechanics of the proposed Wireless Packet Analyzer Tool which is a post processing tool coupled to an already available sniffer. The IP Traceback is the process of identifying the actual source of attack packets. It helps in mitigating DoS attacks by isolating the identified attack sources. IP Traceback is a challenging problem because of the Distributed anonymous nature of DDoS attacks, the stateless nature of the internet, the destination oriented IP routing and the fact of having million of hosts connected to the internet. All these factors help attackers to stay behind the scenes and hence complicate the process of traceback. The remainder of the paper is organized as follows: Section (2) details the theory and background of the paper. Section (3) focuses on Network Monitoring Tool. Section (4) emphasizes on IP Traceback Tool and graphical output. Section (5) the conclusion and future scope of the paper. Ubiquitous Computing and Communication Journal 1

2 BACKGROUND Carnivore (Smith 2000) is a tool developed by the Federal Bureau of Investigation (FBI). This tool is developed for the sole purpose of directed surveillance and it can capture packets based on a wide range of application layer based criteria. It functions through wire-taps across gateways and Internet Service Provider (ISPs). Carnivore is also capable of monitoring dynamic IP address based networks. The capabilities of string searches in application level content seem limited in this package. It can also capture E-Mail messages to and from a specific user s account and all network traffic to and from a specific user or IP address. It can also capture headers for various protocols. PickPacket (Neeraj 2002) and (Pande and Sanghi 2005) is a monitoring tool similar to Carnivore. This tool can filter packets across the levels of the Open Systems Interconnection (OSI) network stack for selected applications. Criteria for filtering can be specified for network layer and application layer for applications. It also supports real-time searching for text string in applications and packet content. The criteria for selecting packets in PickPacket can be specified at several layers of the protocol stack. The filtering component of this tool does not inject any IP packets onto the network. Once the IP packets have been selected based on these criteria, they are dumped to permanent storages. The tool has been demonstrated to work over a 100 Mbps link. The extensibility and the modular design of PickPacket makes it more generalized and it can be used as a simple tcpdump like application and can also be extended to become an intrusion detection tool. Cisco Netflow Tool (2007) identifies new application network loads such as VoIP or remote site additions. This tool use NetFlow statistics to measure WAN traffic improvement from application-policy changes; understand who is utilizing the network and the network top talkers. Diagnose slow network performance, bandwidth hogs and bandwidth utilization quickly with command line interface or reporting tools. It also has facilities to avoid costly upgrades by identifying the applications causing congestion. NetFlow can be used for anomaly detection and worm diagnosis. It confirms that appropriate bandwidth has been allocated to each Class of Service (CoS) and that no CoS is over - or under - subscribed. 3 WIRELESS PACKET ANALYSER TOOL Network monitoring tools are often called sniffers. Network sniffers are software applications often bundled with hardware devices and are used for eavesdropping on network traffic. Sniffers usually provide some form of protocollevel analysis that allows them to decode the data flowing across the network, according to the needs of the user. This analysis is often done on a packet by packet basis, as data flows in the network in packets. Sniffing programs have been traditionally used for helping in managing and administering networks. Recently, sniffers have also found use with law enforcement agencies for gathering intelligence and helping in crime prevention and detection. Typically such programs can be used for evaluating and diagnosing network related problems, debugging applications, rendering captured data, network intrusion detection and network traffic logging. 3.1 Design and Development Sniffers normally dump the packets that they capture directly to the disk. These packets usually require post capture processing to render them human readable. Most sniffers provide postprocessing and rendering tools. Sniffers that provide statistics about the data captured with the sole purpose of helping network managers in diagnosing and evaluating performance problems with servers, the network media, switches and applications are usually called network monitoring tools. Traditionally such tools setup alerts on various events, show trends of network traffic over a time period and maintain some history information. Each packet that is forwarded within a router or switch is examined for a set of IP packet attributes. These attributes are the IP packet identity or fingerprint of the packet and determine if the packet is unique or similar to other packets. Traditionally, an IP flow is based on a set of seven and up to nine IP packet attributes. IP packet attributes used by WPAT are IP source address, IP destination address, Source port, Destination port, Protocol type, Packet Size, date and time of packet flow. All packets with the same source/destination IP address, source/destination ports, protocol interface and class of service are grouped into a flow and then packets and bytes are tallied. This methodology of fingerprinting or determining a flow is scalable because a large amount of network information is condensed into a database. This flow information is extremely useful for understanding network behavior like: Source address allows the understanding of who is originating the traffic Destination address tells who is receiving the traffic Ports characterize the application utilizing Ubiquitous Computing and Communication Journal 2

the traffic Tallied packets and bytes show the amount of traffic Flow timestamps to understand the life of a flow; timestamps are useful for calculating packets and bytes per second. The WPAT software creates real-time or historical reports from the captured data. The proposed wireless packet analyzer tool (WPAT) as shown in the Figure 1 links with the packet sniffer tool and updates all packets already captured by the sniffer tool for every 30 seconds. The sniffer tool is set to capture the raw packets and store it in text format. The proposed WPAT links to the captured data and displays the data as shown in the Figure 1. The analyzer tool displays another two windows showing the sum of packet flow between starting time of capture to ending time of capture and the enterprise network intruder The sum of packet flow gives consolidated details about packets captured between any time period and further analysis of data can be made by selecting any source IP and clicking the packet flow details button shown in the Figure 1. The results shown in Table 1 are produced by the report produced by the Packet Flow Details button. 3.2 Implementation The implementation is done using the experimental set-up shown in Figure 2. A honeypot system is also implemented using the same experimental set-up. The experiments were carried out several times until satisfactory results were obtained. A sniffer tool is used to capture the raw packets from the network and connected to the database. The sniffer tool used is set to capture the packets flowing through the specified system. 3.3 Experiment 1-To Study the Packet Flow Information The experiment is conducted using the experimental set-up shown in the Figure 2. Initially packets are generated from various clients, and sent to a honeypot server which is placed in an Enterprise premises as shown in the Figure 2. A data set is generated and a valid stream is transmitted from clients to the wireless honeypot server. The data received by the honeypot server is captured using a sniffing tool and linked to the database. The graphs shown in Figure 3 to Figure 6 are obtained by selecting any IP address in the packet flow between starting time of capture to ending time window and by the report produced by graphs button. Like wise graphs for any source IP address can be displayed if there is any abnormality noticed in the packet flow. These graphs show a clear picture of the packet flow between any source IP address to the honeypot server system. The enterprise master button is used to enter the IP address, the MAC address and the system name permitted to be used inside the enterprise premises. Figure 2. Experimental Set-up and IP Connected Figure 1. Wireless Packet Analyzer Tool The Figure 3 shows packets generated from update client and sent to the honeypot_server as valid stream. Likewise Figure 4 shows packets generated from update1 client and sent to honeypot_server as valid stream. Likewise similar valid stream generated from update4 and update5wireless_client were sent to the honeypot_server. The Table 1 shows the captured data over a period of time. The Figure 3 and Figure 4 shows a graph with packets transmitted from update and update1 client over a period of time. Ubiquitous Computing and Communication Journal 3

Table 1 illustrates the details of the packets captured by the Honeypot server. The second column shows the packet size captured at various instant of time. The packets received from all connected clients by the server like Source IP, Destination IP, Source port and destination port are tabulated. Table 1 Details of the sample packets captured by the Honeypot server. No Size Source(S) IP Destination (D) IP S Port D Port Time Figure 5 Packets from Permitted IP 192.168.1.112 1 162 192.168.1.111 192.168.1.113 1088 7000 12:32:52 2 52 192.168.1.113 192.168.1.111 7000 1088 12:32:53 5 40 192.168.1.112 192.168.1.113 1424 7000 12:32:53 6 72 192.168.1.113 192.168.1.112 7000 1424 12:32:53 7 1500 192.168.1.111 192.168.1.113 1088 7000 12:32:53 10 1500 192.168.1.111 192.168.1.113 1088 7000 12:32:53 13 1500 192.168.1.113 192.168.1.112 7000 1424 12:32:53 14 645 192.168.1.113 192.168.1.112 7000 1424 12:32:53 16 1500 192.168.1.113 192.168.1.112 7000 1424 12:32:53 13288 46 192.168.1.117 192.168.1.113 1041 7000 01:45:36 13291 46 192.168.1.113 192.168.1.117 7000 1041 01:45:36 13292 40 192.168.1.117 192.168.1.113 1041 7000 01:45:37 13293 65 192.168.1.113 192.168.1.117 7000 1041 01:45:37 13294 40 192.168.1.117 192.168.1.113 1041 7000 01:45:37 Figure 6 Packets from Permitted IP 192.168.1.117 3.4 Experiment 2- To Simulate and Detect Dos Attack Figure 3 Packets from Permitted IP 192.168.1.110 In this experiment a DoS attack is detected using the following experimental set-up. For Dos Attack an experimental set-up as shown in the Figure 7 is created. The Figure 8 shows packets generated from update5wireless_client client and sent to honeypot server as invalid stream. The Figure 9 shows a graph with packets transmitted from update5wireless_client over a period of time. The Figure 9 and Figure 6 are compared and the graph shows very large packets received from update5wireless client than compared to packets received from update client over a period of time. This graphically represents attack packets sent from update5wireless client to honeypot server Figure 4 Packets from Permitted IP 192.168.1.111 Figure 7 DoS Attack Experimental Set-up Ubiquitous Computing and Communication Journal 4

Figure 8 Packets from update5wireless_client Figure10 Experimental Set-up for Wi-Fi Threats Table 2 Permitted and Mis-Associated IPs No. IP Address MAC ADDRESS SYSTEM NAME PERMISSION 1 192.168.1.110 00:A0:B0:00:0D:FF Update4 2 192.168.1.111 00:E0:20:72:36:27 Update 3 192.168.1.112 00:E0:20:75:31:42 Update1 Figure 9 Packets from DoS attacking IP 192.168.1.116 3.5 Experiment 3- To Simulate and Detect Mis- Associated IPs from the Neighboring Premises In this experiment a Wi-Fi threats in a no Wi-Fi network is detected using the following experimental set-up. For Mis-Associated IPs from neighboring premises an experimental set-up is created as shown in the Figure 10. The Figure 10 illustrates an attack lures in multiple laptops to mis-associate. Even if there is no IEEE 802.11 AP s most of the laptops have IEEE 802.11 cards and the laptop radio is default configured to automatically associate with the strongest signal from a list of SSIDs. Hackers simply sit outside the building with an AP configured to a common SSID and wait for a number of laptops to connect. The Table 2 classifies the permitted IPs and mis-associated IPs. 4 192.168.1.113 00:12:F0:09:55:C9 Honeypot_Server 5 192.168.1.116 Not Permitted 6 192.168.1.117 00:17:9A:77:FC:E5 Update6_wireless 3.6 Experiment 4- To Simulate and Detect a Rogue AP In this experiment a Wi-Fi threats in a no Wi-Fi network is detected using the following experimental set-up. For detecting a Rogue AP an experimental set-up is created as shown in the Figure 11. A Rogue AP is detected and auto classified from the permitted IP s. Even if there is no IEEE 802.11 AP, hackers through known or unknown sources place Rogue IEEE 802.11 AP s in the Enterprise premises and get connected to the Enterprise Network and attack the laptops which have IEEE 802.11 cards. Hackers simply sit outside the building and attack the Enterprise Network. The Table 3 shows the Intruder IP Connected to Enterprise Network. Ubiquitous Computing and Communication Journal 5

The WPAT is used to find the unknown IP address as shown in Table 4 and 5. A database is maintained which contains all the IP addresses that have been previously traversed. Table 4 WPAT Output TYPE SIZE SOURCE IP DESTINATION IP TCP 54 203.212.180.190 121.247.106.165 TCP 477 203.212.180.190 121.247.106.165 TCP 1086 64.86.142.9 121.247.106.165 TCP 453 209.85.53.104 121.247.106.165 Table 5 New IP Addresses Figure 11 Experimental Set-up to Prevent Rogue AP and Threats Table 3 Intruder IPs Connected to Enterprise Network Source IP Source Dest IP Date Time MAC 192.168.1.116 192.168.1.111 28:05:2007 01:06:56 4 TRACING CYBER ATTACKS BY THE IP TRACEBACK TOOL The IP traceback may identify attack sources. However, IP traceback itself is not a detection or defense scheme. Integrating IP traceback with other functionalities such as detection and defense is the topic of interest which is experimented in this IP Traceback tool. 4.1Finding the New IP Address This module finds the new IP address whose route has to be traced. The sniffer output is used in this module. The sniffer is used to sniff both Data packets and Control packets. The control packet does not contain any information and hence their size is small. While the data packets contain some data and they have large size (say greater than 100 bytes). For example, while downloading a web page or files say from yahoo.com or google.com, it may request for information. In that case the web server may send the packet to the host system that requested for it. Thus the web server becomes the source and the host system requesting for a packet becomes the destination. 64.86.142.9 209.85.153.104 209.85.143.97 209.85.153.83 4.2 Tracing the route of new IP address This module traces the route of new IP address. The route contains the number of hops, time in milliseconds and the IP address of the intermediate routers. Traceroute displays all the routers through which data packets pass on way to the destination system from the source system. However, the path displayed by Traceroute for any IP addresses like the same source to the same destination in two different sessions may or may not vary. The operations performed during the tracing process are depicted as a flowchart as shown in the Figure 12 and block diagram of Trace route concept in Figure 13. The first step in the traceroute command is that it creates a packet with a TTL value of 1 and sends it to the destination system. The first router on way to the destination system from the source system will discard the data packet, as the TTL value of this received data packet is 1. In addition, this first router will also send back a "Time exceeded" error message to the source system. Since this Time exceeded error message received by the source system, has its source IP Address as that of the first router. As a result the traceroute running on the source system will come to know this IP address of the first router. In this way, the traceroute command identifies the address of the first router on the path to the destination system and displays it on the screen. Ubiquitous Computing and Communication Journal 6

Start Socket Initialize Ttl=1 If Ttl <=255 NO YES Send UDP If Router = Destination No Decrement ttl If ipo.tt1=0 YES Send ICMP Print Router IP ipo.ttl++ YES A Print Trace Route Complete Socket Cleanup NO Stop A Figure13 Block Diagram of Traceroute Concept When the TTL value is high enough for the data packet to reach the destination system, its TTL value would have been decremented to 1 by the time the data packets reaches its destination. However, even though the destination system will receive a data packet having a TTL value of 1, it will not discard the packet. This is because the destination has been reached. Since the destination system does not discard the data packet that it receives, it means that the destination system does not generate a Time exceeded error message. As a result, since no "Time Exceeded" error message is generated, the source system does not have any way by which it can ensure that the destination system has been reached. Hence, all new IP addresses are traced and if there is any intruder, it is considered as a new IP address and its route is also traced. Thus the intruder is traced. 4.3 Graphical Representation The output shown in the Table 6 is the route of the new IP address which is used for drawing the graph. The Table 6 contains the fields such as number of hops, time taken by each hops and the IP address of the intermediate routers. Figure 12 Flowchart for Traceroute Similarly, in the next step, traceroute sends a data packet with a TTL value of 2 to the destination system. The first router receiving this data packet will decrement the TTL value of the packet by 1 and then it would forward the packet to the second router on path to the destination system. This second router would in turn, discard this packet and send back a "Time Exceeded" error message to the source system, revealing its IP Address. This process of sending packets with increasing TTL values is carried out, until the data packet has a TTL value high enough to make sure that it reaches the destination system. Table 6 Traceroute Table NO.OF TIME TAKEN INTERMEDIATE HOPS ROUTERS Hop 1 38 ms 203.200.140.225 Hop 2 45 ms 203.200.140.129 Hop 3 46 ms 203.200.140.217 Hop 4 46 ms 59.163.16.58 Hop 5 62 ms 59.163.16.58 Hop 6 280 ms 59.163.16.138 Hop 7 280 ms 64.86.84.141 Hop 8 280 ms 216.6.86.5 Hop 9 286 ms 216.6.86.10 Hop 10 296 ms 64.86.142.9 Ubiquitous Computing and Communication Journal 7

The route traced by the Traceroute tool is enhanced by the graphical representation which is shown in the Figure 14. The hops are plotted against the milliseconds. Time - ms 350 300 250 200 150 100 50 0 5 CONCLUSION Traceroute Graph 1 2 3 4 5 6 7 8 9 10 Hops Figure 14 Traceroute graph The post processing tool proposed through various experimental results shows that it can measure the packets flowing across an enterprise network considering the wireless threats on-the-fly. So a specific approach is undertaken to present a new experimental set-up for the precise measurement of packets across an enterprise network with or without Wi-Fi using a sniffer and a WPAT. Thus, WPAT using a IP Traceback tool is more effective, when any new IP address and if the IP address is not available in the database then its route is traced back. Thus, when an intruder attacks with an IP address that is not available in the database then that IP address is also considered as a new IP and the route is traced. The IP Traceback tool is enabled in real time and this tool based on the ICMP concept proves to be efficient. 6 REFERENCES [1] M. Sung and J. Xu: IP Traceback-based Intelligent Packet Filtering: A Novel Technique for Defending Against Internet DDoS Attacks, IEEE Transactions on Parallel and Distributed System, Vol. 14, No. 9, pp. 861-872 (2003). [2] Y.Tseng, H. Chen and Hsieh W: Probabilistic Packet Marking with Non-Preemptive Compensation, IEEE Communications Letters, Vol. 8, No. 6, pp. 359-361 (2004). [3] D. Wei and N. Ansari: Implementing IP Traceback in the Internet - An ISP Perspective, Proceedings of 3 rd Annual IEEE Workshop on Information Assurance, West Point, New York, pp. 326-332 (2002). [4] A.C. Snoeren, C. Partridge, L.A. Sanchez, C.E. Jones, F. Tchakountio, B. Schwartz, S.T. Kent and W.T. Strayer: Single Packet IP Traceback, IEEE/ACM Transactions on Networking, Vol. 10, pp. 721-734 (2002). [5] A.C. Snoeren, C. Patriridge, L.A. Sanchez, C.E. Jones, S.T. Kent, F. Tehhakountio and W.T. Strayer: Hash-Based IP Traceback, Proceedings of ACM Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, San Diego, California, USA (2001). [6] K. Park and H. Lee: On the Effectiveness of Probabilistic Packet Marking for IP Traceback under DoS Attack, Proceedings of 20 th Annual Joint Conference of the IEEE Computer and Communication Society, Vol. 1, pp. 338-347. (2001). [7] A. Mankin, D. Massey, S.F. Chien-Lung Wu Wu and Lixia Zhang: On Design and Evaluation of 'Intention-driven' ICMP Traceback, Proceedings of 10 th International Conference on Computer Communication and Networks, Scottsdale, USA, pp. 159-65 (2001). [8] J. Li, M. Sung, J. Xu and L. Li: Large-Scale IP Traceback in High-Speed Internet: Practical Techniques and Theoretical Foundation, Proceedings of IEEE Symposium on Security and Privacy, Oakland, California, pp. 115-129 (2004). [9] C. Gong and K. Sarac: IP Traceback based on Packet Marking and Logging, Proceedings of IEEE International Conference on Communication, Vol. 2, pp. 1043-1047 (2005). [10] M.T. Goodrich: Probabilistic Packet Marking for Large-Scale IP Traceback, IEEE/ACM Transactions on Networking, Vol. 16, No.1, pp.15-24 (2008). [11] Z. Gao and N. Ansari: Tracing Cyber Attacks from the Practical Perspective, IEEE Communications Magazine, Vol. 43, No. 5, pp. 123-131 (2005). [12] A. Belenky and N. Ansari: On IP Traceback, IEEE Communications Magazine, Vol. 41, No. 7, pp. 142-153. (2003). [13] A. Belenky and N. Ansari: Tracing Multiple Attackers with Deterministic Packet Marking (DPM), Proceedings of IEEE Pacific Rim Conference Communication, Computer and Signal Processing, Victoria BC, Canada, pp. 49-52 (2003). [14] A. Belenky and N. Ansari: IP Traceback with Deterministic Packet Marking, IEEE Communications Letters, Vol. 7, No. 4, pp. 162-164 (2003). [15] C. Beak, J.A. Chaudhry, K. Lee, S. Park and M. Kim: A Novel Packet Marketing Method in Ubiquitous Computing and Communication Journal 8

DDoS Attack Detection, Proceedings of American Journal of Applied Sciences, Vol. 4, No. 10, pp. 741-754 (2007).. [16] Brajesh Pande: Network Monitoring Tool, Computer Society of India, Communications, November 2006, pp. 27-29. (2006). [17] B. Pande, D. Gupta, D. Sanghi and S.K. Jain: The Network Monitoring Tool Pick Packet, Proceedings of 3 rd International Conference on Information Technology and Applications, Vol. 2, pp. 191-196. (2005). [18] P. Stephen, J. Smith and Allen Crider: Independent Review of the Carnivore System, Final Report, IIT Research Institute, Lanham, Maryland (2000). H.A.Rauf received the Bachelors Degree in Electrical and Electronics Engineering in 1987. He completed his Masters degree in Business Administration (M.B.A) Degree in the year 1996 and his masters degree in Computer Science and Engineering in the year 1999.He is currently a PhD candidate in the faculty of Information and Communication Engineering, Anna University of Chennai. His research interests includes mobile computing, Computer Networks, Network Security, Advanced Networks and Performance Evaluation of Computer Networks. He is currently the Dean (CSE/IT), V.L.B. Janakiammal College of Engineering & Technology, Coimbatore, India Dr. Ebenezer Jeyakumar is currently the Principal of Government College of Engineering, Salem, India. Being an eminent professor of Anna University, there are many students doing their research under his guidance in various fields. Some of main areas of research are Networking, mobile computing, high voltage engineering and other related areas. Ubiquitous Computing and Communication Journal 9