Capturing the Origins of IP Spoofers Using Passive IP Traceback

Aparna Rani
Dept. of Computer Network Engineering, Poojya Doddappa Appa College of Engineering, Kalaburagi, Karnataka, India
aparna.goura@gmail.com

Dr. Rekha Patil, Associate Professor
Dept. of Computer Network Engineering, Poojya Doddappa Appa College of Engineering, Kalaburagi, Karnataka, India
rekha.patilcse@gmail.com

Abstract: Attackers may use a forged source IP address to conceal their real location. To capture the spoofers, a number of IP traceback mechanisms have been proposed. A method called passive IP traceback (PIT) bypasses the deployment difficulties of existing IP traceback techniques. PIT investigates the Internet Control Message Protocol (ICMP) error messages (named path backscatter) triggered by spoofing traffic and tracks the spoofers using publicly available information (e.g., topology). This paper also demonstrates the process and effectiveness of PIT and shows the captured locations of spoofers obtained by applying PIT to a path backscatter data set.

Index Terms: Denial of Service (DoS), IP traceback, marking.

I. INTRODUCTION

Criminals have long employed the tactic of masking their true identity, from disguises to aliases to caller-ID blocking. It should come as no surprise, then, that criminals who conduct their nefarious activities on networks and computers employ such techniques as well. IP spoofing is one of the most common forms of on-line camouflage, and it is used as a method of attacking a network in order to gain unauthorized access [1]. The attack relies on the fact that Internet communication between distant computers is routinely handled by routers, which find the best route by examining the destination address but generally ignore the source address. The source address is only used by the destination machine when it responds to the source. In a spoofing attack, the intruder sends messages to a computer indicating that the message has come from a trusted system.

To be successful, the intruder must first determine the IP address of a trusted system and then modify the packet headers so that the packets appear to come from that system. In essence, the attacker is fooling (spoofing) the distant computer into believing that it is a legitimate member of the network. The goal of the attack is to establish a connection that allows the attacker to gain root access to the host and create a backdoor entry path into the target system. IP spoofing is thus the creation of IP packets using somebody else's source IP address, and it is employed in several of the attacks discussed below.

Examining the IPv4 header, the first 12 bytes carry various information about the packet (version and header length, type of service, total length, identification, flags and fragment offset, TTL, protocol and header checksum); the next 8 bytes carry the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses, specifically the source address field. A common misconception is that IP spoofing can be used to hide one's IP address while surfing the Internet, chatting online, sending e-mail and so on. This is generally not true: forging the source IP address causes the responses to be misdirected, so a normal two-way network connection cannot be established [2].

Figure 1: Valid source IP address.

Figure 1 illustrates a typical interaction between a workstation with a valid source IP address requesting web pages and the web server executing the requests. When the workstation requests a page from the web server, the request contains both the workstation's IP address (i.e., source IP address 192.168.0.5) and the address of the web server executing the request (i.e., destination IP address 10.0.0.23).
The web server returns the web page using the source IP address specified in the request as the destination IP address (192.168.0.5) and its own IP address as the source IP address (10.0.0.23).
Figure 2: Spoofed source IP address.

Figure 2 illustrates the interaction between a workstation requesting web pages using a spoofed source IP address and the web server executing the requests. If a spoofed source IP address (i.e., 172.16.0.6) is used by the workstation, the web server will attempt to execute the request by sending the response to the IP address of what it believes to be the originating system (i.e., the host at 172.16.0.6). The system at the spoofed IP address receives unsolicited connection attempts from the web server, which it simply discards.

II. RELATED WORK

The two basic mechanisms for detecting IP spoofing based attacks are packet filtering and packet traceback at the node level. Many techniques have been proposed by various researchers based on these two mechanisms. In traceback, the partial path of the packet is inspected in order to find the true origin of the attack packet; this task of finding the true source of a malicious packet is called the traceback mechanism. Identifying the source address correctly is the first step towards the legal action necessary to discourage such attacks in the future. Savage et al. [3] proposed letting routers mark packets probabilistically, so that the victim can collect the marked packets and reconstruct the attack path. An enhanced probabilistic packet marking scheme was proposed by Song and Perrig [7] to reduce the false positive rate when reconstructing the attack path, and further enhancements reduce the computational overhead. As a proactive solution to such attacks, several filtering schemes, which must execute on IP routers, have been proposed to prevent spoofed IP packets from reaching the intended victims. Ingress filtering blocks spoofed packets at edge routers, where address ownership is relatively unambiguous and the traffic load is low.
However, the success of ingress filtering hinges on its wide deployment in IP routers.

Existing IP traceback approaches can be classified into the following main categories: packet marking, ICMP traceback, logging on the router, link testing, overlay and hybrid tracing. Packet marking methods require routers to modify the header of the packet so that it carries information about the router and its forwarding decision. The receiver can then reconstruct the path of a packet (or of an attacking flow) from the received packets. There are two classes of packet marking schemes: probabilistic packet marking [3], [6]-[11] and deterministic packet marking [12]-[15]. Marking methods are generally considered lightweight because they cost neither storage on routers nor link bandwidth. However, packet marking is not a widely supported function on routers; thus, it is difficult to enable packet marking traceback in the network. Different from packet marking, ICMP traceback [4], [16], [17] generates additional ICMP messages to a collector or to the destination, and these ICMP messages can be used to reconstruct the attack path. For example, if itrace [4] is enabled, routers generate ICMP samples to destinations with a certain probability. The shortcoming of ICMP traceback is that considerable additional traffic is generated, consuming already stressed bandwidth. Moreover, when the attack targets the bandwidth of the victim, the increased traffic makes the attack more serious. ICMP generation can be performed by the router's processor, but this introduces significant overhead there. The attack path can also be reconstructed from logs on the router when the router keeps a record of the packets it forwards [5]; a Bloom filter is used to reduce the number of bits needed to store a packet. Nevertheless, to achieve a low enough collision probability in current high-speed networks, the storage cost is still too large for commodity routers.
Link testing determines the upstream of the attacking traffic hop by hop while the attack is in progress. A controlled flooding mechanism, which performs UDP request flooding iteratively on the victim-rooted tree to observe its effect on the attacking traffic, is proposed in [18]. Because of the huge scale of the Internet, this approach is hard to perform at the Internet level. CenterTrack [19] proposes offloading the suspect traffic from edge routers to special tracking routers through an overlay network. Though such a mechanism reduces the requirements on edge routers, managing the tunnels and the overlay network significantly increases the network management overhead. Reference [20] proposes building an AS-level overlay to trace spoofers; it finds that if hundreds of ASes join the overlay network, the spoofers can be accurately located. However, the practical challenge is how to make the ASes cooperate. The intradomain version of this work [21] avoids this problem, but it requires updating routers to adopt a modification of OSPF. Though a large number of promising traceback mechanisms exist, there is still a long way to go before the proposed mechanisms are widely deployed, especially at the Internet level. Currently, there is still no ready mechanism to track spoofers.
III. PROPOSED SYSTEM

We propose a solution, named Passive IP Traceback (PIT), to overcome the challenges in deployment. Routers may fail to forward an IP spoofing packet for various reasons, e.g., the TTL being exceeded. In such cases, the router may generate an ICMP error message (named path backscatter) and send it to the spoofed source address. Because these routers can be close to the spoofers, the path backscatter messages may disclose the locations of the spoofers. PIT exploits these path backscatter messages to find the location of the spoofers. With the locations of the spoofers known, the victim can seek help from the corresponding ISP to filter out the attacking packets, or take other countermeasures. PIT is especially useful for the victims of reflection based spoofing attacks, e.g., DNS amplification attacks: such victims can find the locations of the spoofers directly from the attacking traffic. Our work has the following advantages:

1. It investigates path backscatter messages in depth. These messages are valuable for understanding spoofing activities.
2. PIT overcomes the deployment difficulties of existing IP traceback mechanisms.
3. PIT cannot work in all attacks, but it does work for a number of spoofing activities.
4. A number of spoofer locations are captured using PIT.

Figure 3 shows that not all packets reach their destination. A network device may fail to forward a packet for various reasons, and under certain conditions it generates an ICMP error message, i.e., a path backscatter message. The path backscatter message is sent to the source IP address indicated in the original packet. If the source address is forged, the message is sent to the node that actually owns the address. This means that the victims of reflection based attacks, and the hosts whose addresses are used by spoofers, are the ones able to collect such messages.

IV. MODULES USED

The modules used in our paper are:

1. Topology construction: The topology is the arrangement of nodes in the simulation area. The routers are connected in a mesh topology, in which each router is reachable from every other router via intermediate routers (paths), and each host is connected via routers. Each host has multiple paths to reach a given destination node in the network. The nodes are connected by duplex links.
2. Collection of path backscatter messages: Though path backscatter can occur in any spoofing based attack, it is not always possible to collect the path backscatter messages, as they are sent to the spoofed addresses. Path backscatter messages can be effectively collected in random spoofing attacks, reflection attacks and their combinations, which cover the majority of IP spoofing attacks.
3. Passive IP traceback mechanism: We use the path information to track the location of the spoofer.
4. Performance evaluation: The performance is evaluated using network parameters such as number of bytes received, end-to-end delay and throughput.

V. CAPTURING MECHANISM

In this paper we describe an IP spoofing capturing mechanism which first identifies whether a packet is malicious and, if so, tries to identify the true source from which the packet originated. Figure 4 shows the algorithm used to capture IP spoofers. A network is constructed from nodes, routers and links, with the nodes connected via routers in a mesh topology. In this network every source node has multiple paths to reach a destination node, so path selection is an important step. Once a path is selected, packets are sent to the destination node. While the packets are being sent, packet marking and logging take place. If an attack and a spoofed node are found, path reconstruction is performed; otherwise the packets reach the destination node successfully.

Figure 3: Architecture of Proposed Work
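The two steps that sections III and IV describe in prose, decoding a path backscatter message and using it together with known topology and routing information to narrow down where the spoofer sits, as an added example in Python. This is not the paper's own code: the sample ICMP packet, the addresses, the toy topology and the use of plain shortest-path routing as the "publicly available" routing information are all constructed assumptions of mine.

```python
"""Added example (not from the paper): decode a path backscatter message and
use it, with a known topology, to narrow down where the spoofer can be.

Assumptions (mine, not the paper's): the sample packet, the toy topology and
all addresses below are constructed; 'routing information' is shortest-path
routing on an undirected graph.
"""
import ipaddress
import struct
from collections import deque

ICMP_ERROR_TYPES = {3: "destination unreachable", 11: "time exceeded", 12: "parameter problem"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a correctly checksummed buffer."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum (used to build the sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_sample_backscatter() -> bytes:
    """Constructed sample: router 192.0.2.1 reports 'time exceeded' for a UDP packet
    that claimed to come from 203.0.113.5 and was headed for 198.51.100.10:53 (a DNS
    reflector). The owner of 203.0.113.5 never sent it; that makes the error backscatter."""
    quoted_udp = struct.pack("!HHHH", 4444, 53, 8 + 40, 0)   # first 8 bytes of the original datagram
    quoted_ip = ipv4_header("203.0.113.5", "198.51.100.10", 17, 8 + 40, 1)
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted_ip + quoted_udp
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header("192.0.2.1", "203.0.113.5", 1, len(icmp), 64) + icmp


def parse_path_backscatter(pkt: bytes) -> dict:
    """Return the fields PIT needs from an IPv4/ICMP error packet, or raise ValueError.
    reporter: router that could not forward the packet; receiver: the spoofed address the
    error was delivered to; victim: where the spoofed packet was going (quoted inner dst)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if pkt[9] != 1:
        raise ValueError("not ICMP")
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20:
        raise ValueError("ICMP message too short to quote an IP header")
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type not in ICMP_ERROR_TYPES:
        raise ValueError("ICMP type %d is not an error message" % icmp_type)
    inner = icmp[8:]   # RFC 792: quoted IP header + first 8 bytes of the original datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    info = {
        "reporter": str(ipaddress.IPv4Address(pkt[12:16])),
        "receiver": str(ipaddress.IPv4Address(pkt[16:20])),
        "icmp_type": icmp_type, "icmp_code": icmp_code, "reason": ICMP_ERROR_TYPES[icmp_type],
        "spoofed_source": str(ipaddress.IPv4Address(inner[12:16])),
        "victim": str(ipaddress.IPv4Address(inner[16:20])),
        "inner_proto": inner[9], "sport": None, "dport": None,
    }
    if info["inner_proto"] in (6, 17) and len(inner) >= inner_ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    # Backscatter, by definition, lands on the address the spoofer forged.
    info["is_backscatter"] = info["spoofed_source"] == info["receiver"]
    return info


def shortest_path(topology: dict, src: str, dst: str):
    """BFS path on an undirected adjacency list; stands in for public routing data."""
    prev, queue = {src: None}, deque([src])
    while queue and dst not in prev:
        node = queue.popleft()
        for nxt in topology.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def candidate_spoofers(topology: dict, hosts, reporter: str, victim: str) -> list:
    """PIT's locating step: the spoofer must sit upstream of the reporting router on
    the route to the victim, so keep only the hosts whose route passes through it."""
    return sorted(h for h in hosts if reporter in (shortest_path(topology, h, victim) or []))


# Constructed toy topology: hosts 10.0.0.x hang off router 192.0.2.1, host 10.0.1.1
# off router 192.0.2.2; both routers reach the victim through 192.0.2.3.
TOPOLOGY = {
    "10.0.0.1": ["192.0.2.1"], "10.0.0.2": ["192.0.2.1"], "10.0.1.1": ["192.0.2.2"],
    "192.0.2.1": ["10.0.0.1", "10.0.0.2", "192.0.2.3"],
    "192.0.2.2": ["10.0.1.1", "192.0.2.3"],
    "192.0.2.3": ["192.0.2.1", "192.0.2.2", "198.51.100.10"],
    "198.51.100.10": ["192.0.2.3"],
}
HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.1.1"]

if __name__ == "__main__":
    bs = parse_path_backscatter(build_sample_backscatter())
    print("router %s reports '%s' for %s -> %s:%s" % (bs["reporter"], bs["reason"],
                                                       bs["spoofed_source"], bs["victim"], bs["dport"]))
    print("spoofer is one of:", candidate_spoofers(TOPOLOGY, HOSTS, bs["reporter"], bs["victim"]))
```

The locating step is deliberately conservative: it returns every host whose route to the victim crosses the reporting router, which is all that a single backscatter message supports. Messages from several routers on different branches would intersect these candidate sets, and the check on is_backscatter is what distinguishes a spoofed packet from an ordinary ICMP error for traffic the receiving host really sent.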
International Journal of Advanced Research Foundation

Figure 4 (flowchart): Start → Network Construction → Path Selection → Sending → Marking and Logging → Found Attack? → (yes) Path Reconstruction / (no) Receive.

Figure 4: Algorithm to capture IP spoofers.

VI. SIMULATION RESULTS

The operating system used in our project is Linux and the tool used is Network Simulator-2 (NS-2). NS-2 is built using object-oriented methods in C++ and OTcl; the language used at the front end is OTcl (Object-oriented Tool Command Language). In our simulation we use 11 nodes as router nodes and 20 nodes as client/server nodes, giving 31 nodes in total. The routers are connected in a mesh topology, each host is connected via routers, and each host has multiple paths to reach a given destination node. The nodes are connected by duplex links; the bandwidth of each link is 100 Mbps and the propagation delay of each link is 10 ms. Each edge uses a DropTail queue as the interface between the nodes. We can detect the locations of the IP spoofers using PIT. The results are drawn by considering both PIT and the conventional IP traceback mechanism, and graphs are shown below for both.

Figure 5: Graph of data (bytes) versus time.

Figure 5 describes the number of bytes received. Data in bytes is plotted against time, with time on the x axis and data on the y axis; this is the total number of bytes delivered successfully to the destination. The number of bytes received by the destination node is one of the important parameters for evaluating the quality of the network. From the graph we conclude that by applying PIT, more bytes are received by the destination node.

Figure 6: Graph of delay versus time.

Figure 6 describes the end-to-end delay. Delay is plotted against time, with time on the x axis and delay on the y axis.
The time taken by the source node to deliver the data successfully to the destination is called the end-to-end delay. The following formula is used to calculate it:

End-to-end delay = (A_T - S_T) / n

where A_T is the arrival time, S_T is the sent time and n is the number of connections. From the graph we conclude that by applying PIT, we achieve the minimum end-to-end delay.

Figure 7: Graph of packets delivered versus time.
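How the end-to-end delay above, together with the bytes received and throughput figures used in this evaluation, is obtained from an NS-2 trace file, as an added example in Python. This is not the authors' simulation script: the trace lines are constructed (standard NS-2 wired trace format, "event time from to type size flags fid src dst seq id"), and the delay here is averaged over delivered packets, so n counts packets rather than connections as in the paper's formula.

```python
"""Added example (not from the paper): compute bytes received, end-to-end delay
and throughput for one flow from an NS-2 wired trace.

Assumptions (mine): the trace below is constructed; the mean delay is taken
over delivered packets (n = packets delivered), whereas the paper's formula
divides by the number of connections.
"""
from dataclasses import dataclass

# Constructed trace: flow 1 sends three 210-byte CBR packets from node 0 to
# node 3 via node 2; packet 1 is dropped ('d') on the 2->3 link.
SAMPLE_TRACE = """\
+ 0.100000 0 2 cbr 210 ------- 1 0.0 3.0 0 0
- 0.100000 0 2 cbr 210 ------- 1 0.0 3.0 0 0
r 0.120000 0 2 cbr 210 ------- 1 0.0 3.0 0 0
+ 0.120000 2 3 cbr 210 ------- 1 0.0 3.0 0 0
- 0.120000 2 3 cbr 210 ------- 1 0.0 3.0 0 0
r 0.140000 2 3 cbr 210 ------- 1 0.0 3.0 0 0
+ 0.200000 0 2 cbr 210 ------- 1 0.0 3.0 1 1
- 0.200000 0 2 cbr 210 ------- 1 0.0 3.0 1 1
r 0.220000 0 2 cbr 210 ------- 1 0.0 3.0 1 1
+ 0.220000 2 3 cbr 210 ------- 1 0.0 3.0 1 1
d 0.220000 2 3 cbr 210 ------- 1 0.0 3.0 1 1
+ 0.300000 0 2 cbr 210 ------- 1 0.0 3.0 2 2
- 0.300000 0 2 cbr 210 ------- 1 0.0 3.0 2 2
r 0.320000 0 2 cbr 210 ------- 1 0.0 3.0 2 2
+ 0.320000 2 3 cbr 210 ------- 1 0.0 3.0 2 2
- 0.320000 2 3 cbr 210 ------- 1 0.0 3.0 2 2
r 0.350000 2 3 cbr 210 ------- 1 0.0 3.0 2 2
"""


@dataclass
class TraceEvent:
    event: str       # '+' enqueue, '-' dequeue, 'r' receive, 'd' drop
    time: float
    from_node: int
    to_node: int
    size: int
    flow: int
    src_node: int    # node part of the 'src' field ('0.0' -> 0)
    dst_node: int
    pkt_id: int


def parse_ns2_trace(text: str):
    """Parse NS-2 trace lines; lines without the 12 wired-trace fields are skipped."""
    events = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12 or f[0] not in ("+", "-", "r", "d"):
            continue
        events.append(TraceEvent(f[0], float(f[1]), int(f[2]), int(f[3]), int(f[5]), int(f[7]),
                                 int(f[8].split(".")[0]), int(f[9].split(".")[0]), int(f[11])))
    return events


def evaluate(events, flow: int) -> dict:
    """Bytes received, delivery counts, mean end-to-end delay and throughput for one flow."""
    sent, received, dropped, bytes_rx = {}, {}, set(), 0
    for e in events:
        if e.flow != flow:
            continue
        if e.event == "+" and e.from_node == e.src_node:
            sent.setdefault(e.pkt_id, e.time)          # S_T: first enqueue at the originating node
        elif e.event == "r" and e.to_node == e.dst_node:
            received[e.pkt_id] = e.time                # A_T: arrival at the final destination
            bytes_rx += e.size
        elif e.event == "d":
            dropped.add(e.pkt_id)
    delays = [received[p] - sent[p] for p in received if p in sent]
    span = (max(received.values()) - min(sent.values())) if delays else 0.0
    return {
        "packets_sent": len(sent),
        "packets_delivered": len(delays),
        "packets_dropped": len(dropped),
        "bytes_received": bytes_rx,
        "avg_delay": sum(delays) / len(delays) if delays else 0.0,
        "throughput_pps": len(delays) / span if span > 0 else 0.0,   # packets delivered / time
        "throughput_bps": 8 * bytes_rx / span if span > 0 else 0.0,
    }


if __name__ == "__main__":
    for key, value in evaluate(parse_ns2_trace(SAMPLE_TRACE), flow=1).items():
        print("%-18s %s" % (key, value))
```

The sample deliberately contains a dropped packet: only packets with both a source enqueue and a destination receive contribute to the delay, and the throughput window runs from the first send to the last receive, so a drop lowers throughput without distorting the delay average.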
Figure 7 describes the throughput, which is also a major evaluation parameter for the quality of a network. Packets delivered are plotted against time, with time on the x axis and packets delivered on the y axis. Throughput is the number of packets delivered to the destination per unit time, calculated as:

Throughput = Number of packets delivered / Time

From the graph we conclude that by applying PIT, we achieve a higher throughput than with the conventional IP traceback mechanism.

VII. CONCLUSION

In this paper we proposed Passive IP Traceback (PIT), which tracks and captures spoofers based on path backscatter messages and publicly available information. We showed how to apply PIT when the topology and routing information are known, presented an algorithm to capture the locations of IP spoofers using PIT, and demonstrated the effectiveness of PIT by simulation. We compared the results for a network with and without PIT applied; the results indicate that the network performs best when PIT is applied.

REFERENCES

[1] Hikmat Farhat, Zouk Mosbeh, "A Scalable Method to Protect From IP Spoofing," IEEE, 2008, 978-1-4244-2624-9/08.
[2] S. M. Bellovin, "Security Problems in the TCP/IP Protocol Suite," Computer Communication Review, vol. 19, no. 2, pp. 32-48, Apr. 1989.
[3] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, "Practical network support for IP traceback," in Proc. Conf. Appl., Technol., Archit., Protocols Comput. Commun. (SIGCOMM), 2000, pp. 295-306.
[4] S. Bellovin, "ICMP Traceback Messages." [Online]. Available: http://tools.ietf.org/html/draft-ietf-itrace-04, accessed Feb. 2003.
[5] A. C. Snoeren et al., "Hash-based IP traceback," SIGCOMM Comput. Commun. Rev., vol. 31, no. 4, pp. 3-14, Aug. 2001.
[6] M. T. Goodrich, "Efficient packet marking for large-scale IP traceback," in Proc. 9th ACM Conf. Comput. Commun. Secur. (CCS), 2002, pp. 117-126.
[7] D. X. Song and A. Perrig, "Advanced and authenticated marking schemes for IP traceback," in Proc. IEEE 20th Annu. Joint Conf. IEEE Comput. Commun. Soc. (INFOCOM), vol. 2, Apr. 2001, pp. 878-886.
[8] A. Yaar, A. Perrig, and D. Song, "FIT: Fast Internet traceback," in Proc. IEEE 24th Annu. Joint Conf. IEEE Comput. Commun. Soc. (INFOCOM), vol. 2, Mar. 2005, pp. 1395-1406.
[9] J. Liu, Z.-J. Lee, and Y.-C. Chung, "Dynamic probabilistic packet marking for efficient IP traceback," Comput. Netw., vol. 51, no. 3, pp. 866-882, 2007.
[10] K. Park and H. Lee, "On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack," in Proc. IEEE 20th Annu. Joint Conf. IEEE Comput. Commun. Soc. (INFOCOM), vol. 1, Apr. 2001, pp. 338-347.
[11] M. Adler, "Trade-offs in probabilistic packet marking for IP traceback," J. ACM, vol. 52, no. 2, pp. 217-244, Mar. 2005.
[12] A. Belenky and N. Ansari, "IP traceback with deterministic packet marking," IEEE Commun. Lett., vol. 7, no. 4, pp. 162-164, Apr. 2003.
[13] Y. Xiang, W. Zhou, and M. Guo, "Flexible deterministic packet marking: An IP traceback system to find the real source of attacks," IEEE Trans. Parallel Distrib. Syst., vol. 20, no. 4, pp. 567-580, Apr. 2009.
[14] R. P. Laufer et al., "Towards stateless single-packet IP traceback," in Proc. 32nd IEEE Conf. Local Comput. Netw. (LCN), Oct. 2007, pp. 548-555. [Online]. Available: http://dx.doi.org/10.1109/lcn.2007.160
[15] M. D. D. Moreira, R. P. Laufer, N. C. Fernandes, and O. C. M. B. Duarte, "A stateless traceback technique for identifying the origin of attacks from a single packet," in Proc. IEEE Int. Conf. Commun. (ICC), Jun. 2011, pp. 1-6.
[16] A. Mankin, D. Massey, C.-L. Wu, S. F. Wu, and L. Zhang, "On design and evaluation of intention-driven ICMP traceback," in Proc. 10th Int. Conf. Comput. Commun. Netw., Oct. 2001, pp. 159-165.
[17] H. C. J. Lee, V. L. L. Thing, Y. Xu, and M. Ma, "ICMP traceback with cumulative path, an efficient solution for IP traceback," in Information and Communications Security. Berlin, Germany: Springer-Verlag, 2003, pp. 124-135.
[18] H. Burch and B. Cheswick, "Tracing anonymous packets to their approximate source," in Proc. LISA, 2000, pp. 319-327.
[19] R. Stone, "CenterTrack: An IP overlay network for tracking DoS floods," in Proc. 9th USENIX Secur. Symp., vol. 9, 2000, pp. 199-212.
[20] A. Castelucio, A. Ziviani, and R. M. Salles, "An AS-level overlay network for IP traceback," IEEE Netw., vol. 23, no. 1, pp. 36-41, Jan. 2009.
[21] A. Castelucio, A. T. A. Gomes, A. Ziviani, and R. M. Salles, "Intradomain IP traceback using OSPF," Comput. Commun., vol. 35, no. 5, pp. 554-564, 2012.