CONTROLLING IP SPOOFING THROUGH PACKET FILTERING

Transcription

1 CONTROLLING IP SPOOFING THROUGH PACKET FILTERING Mrs. Mridu Sahu Department of Computer Science Engineering, RCET Bhilai, Chhattisgarh, India mridu.kaushlesh@gmail.com Rainey C. Lal Department of Computer Science Engineering, RCET Bhilai, Chhattisgarh, India rainey.c.lal@gmail.com Abstract IP address spoofing refers to the creation of Internet Protocol packets with a forged source IP address, called spoofing, it is a method of attacking a network in order to gain unauthorized access. The distributed denial-of-service (DDoS) attack is a serious threat to the legitimate use of the Internet. The attack is based on the fact that Internet communication between distant computers is routinely handled by routers which find the best route by examining the destination address. The origination address is only used by the destination machine when it responds back to the source. We describe and evaluate route-based Packet Faltering (PF) of incoming data packets to find out it will be send by the legitimate user and using encryption techniques to encipher the IP address to Prevent the ability of attackers to forge or spoof the source addresses in IP packets and find out the malwares distributors to prevent the Drive-by-attack. Keywords: Spoofing, IP, legitimate user, PF, Router, encipher, DDoS, malwares, drive-by-attack. 1. Introduction Communication over a network contains Data Packets sent by the source user to destination using the IP protocol include many information and the IP address of the sending host. The header of each IP packet contains, among other things, the numerical source and destination address of the packet. The recipient directs replies to the sender using this source address. The correctness of this address is not verified by the protocol. The IP protocol specifies no method for validating the authenticity of the packet s source. Because attacker/intruder attacks and alter/hack the sanded data packets by manipulating the source IP address. This implies that an attacker could forge the source address to be any he desires. This is a well-known problem and has been well described. In all but a few rare cases, sending spoofed packets is done for illegitimate purposes. Sending IP packets with forged source addresses is known as packet spoofing and is used by attackers for several purposes. Spoofing is the action of making something look like something that it is not in order to gain unauthorized access to a user's private information. It is of type- IP Spoofing URL Spoofing Spoofing DNS Spoofing We are concentrating on the IP address or IP spoofing only in this paper. 1.1 IP Spoofing Overview The basic protocol for sending data over the Internet network and many other computer networks is the Internet Protocol ("IP"). IP spoofing or Internet protocol address spoofing is the method of creating an Internet protocol packet or IP packet using a fake IP address that is impersonating a legal and legitimate IP address. IP spoofing is a method of attacking a network in order to gain unauthorized access. The attack is based on the fact that Internet communication between distant computers is routinely handled by routers which find the best route by examining the destination address, but generally ignore the origination address. The origination address is only used by the destination machine when it responds back to the source. Figure 1: Intruder in communication In a spoofing attack, the intruder sends messages to a computer indicating that the message has come from a trusted system. To be successful, the intruder must first determine the IP address of a trusted system, and then modify the packet headers to that it appears that the packets are coming from the trusted system. These include obscuring 155

2 the true source of the attack, implicating another site as the attack origin, pretending to be a trusted host, hijacking or intercepting network traffic, or causing replies to target another system. Spoofing of network traffic can occur at many layers. Examples include network layer spoofing (e.g. Ethernet MAC spoofing), non-ip transport layer spoofing (e.g. IPX, NetBEUI), as well as session and application layer spoofing (e.g. spoofing). All of these have significant security concerns. 1.2 IP Address Spoofing Attacks Blind spoofing- This attack may take place from outside where sequence and acknowledgement numbers are unreachable. Attackers usually send several packets to the target machine in order to sample sequence numbers, which is doable in older days. Using the spoofing to interfere with a connection (or creating one), that does not send packets along your cable. Non-Blind spoofing- This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately. The biggest threat of spoofing in this instance would be session hijacking. This is accomplished by corrupting the data stream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine. Using this technique, an attacker could effectively bypass any authentication measures taken place to build the connection. Man in the Middle Attack- This is also called connection hijacking. In these attacks, a malicious party intercepts a legitimate communication between two hosts to controls the flow of communication and to eliminate or alter the information sent by one of the original participants without their knowledge. If an attacker controls a gateway that is in the delivery route Denial-Of-Service- conducting the attack, attackers spoof source IP addresses to make tracing and stopping the DoS as difficult as possible. When multiple compromised hosts are participating in the attack, all sending spoofed traffic; it is very challenging to quickly block the traffic. IP spoofing is almost always used in denial of service attacks (DoS), in which attackers are concerned with consuming bandwidth and resources by flooding the target with as many packets as possible in a short amount of time. 2. Related Work Research in time-sharing is provided by a collection of programs whose elaborate and strange design outgrowth of many years of experience with earlier versions. To help develop a secure system, we have continuing competition to devise new way to attack the security of the system (the bad guy) and, at the same time, to device new techniques to resist the new attack (the good guy). This competition has been in the same vein as the completion of long standing between manufactures of armor plate and those of armor piercing shells. For this reasons, the description that follows will trace the history of IP Spoofing and packet routing rather than just sending a data normally without any encryption in the network. 2.1 Detecting Spoofed Packets Packets sent using the IP protocol include the IP address of the sending host. The recipient directs replies to the sender using this source address. However, the correctness of this address is not verified by the protocol. They did research to know if network traffic has spoofed source addresses and a wide variety of methods for detecting spoofed packet. By using routing and non-routing methods they are trying to detect the spoofed packet various methods are used like Spoofed detection method Non- Routing Method OS Fingerprinting IP Identification Number Zombie control Steven and Karl conclude that the intricacies of the modern computer networks can create situations that complicated detecting spoofed packets. Also, an attacker who knows that a system is being monitored for spoofed packets may craft more sophisticated packets to defeat the spoofed packet detector. 2.2 Practical Network Support for IP Traceback In This paper describes a technique for tracing anonymous packet flooding attacks in the Internet back towards their source by using general purpose traceback mechanism based on probabilistic packet marketing in the network. Traceback can be performed post-mortem after an attack has completed. Ingress filtering Link testing Logging ICMP Traceback That said, we believe that the scheme is promising and that hybrid approaches combining it with some of the algorithms we propose are likely to be quite effective. 2.3 Controlling IP Spoofing Through Inter Domain Packet Filters They propose an inter-domain packet filter (IDPF) architecture that can mitigate the level of IP spoofing on the Internet. A key feature of our scheme is that it does not require global routing information. IDPFs are constructed from the information implicit in BGP route updates and are deployed in network border routers. We establish the conditions under which the IDPF framework works correctly in that it does not discard packets with valid source addresses. Based on extensive simulation studies, we show that even with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers. 156

3 Border Gateway Protocols and AS Interconnections Relationships and Routing Policies- import policies can affect the.desirability. of routes by modifying route attributes. Let r be a route (to destination d) received at v from node u. We denote by import(v u) the possibly modified route that has been transformed by the import policies. The transformed routes are stored in v's routing table. The set of all such routes is denoted as candidater(v; d) Equation 1: import policies Inter Domain Packet Filters: They discuss the intuition behind the IDPF architecture, describe how IDPFs are constructed using BGP route updates, and establish the correctness of IDPFs. There simulation results showed that, even with partial deployment on the Internet, IDPFs can significantly limit the spoofing capability of attackers. Moreover, they also help pinpoint the true origin of an attack packet to be within a small number of candidate networks, therefore, simplifying the reactive IP traceback process. 2.4 On the Effectiveness of RouteBased Packet Filtering for Distributed DoS Attack Prevention in PowerLaw Internets Denial of service (DoS) attack on the Internet has become a pressing problem. In this paper, we describe and evaluate route-based distributed packet faltering (DPF), a novel approach to distributed DoS (DDoS) attack prevention. We show that DPF achieves proactiveness and scalability, and we show that there is an intimate relationship between the effectiveness of DPF at mitigating DDoS attack and powerlaw network topology. The salient features of their work are two-fold. First, we show that DPF is able to proactively filter out a significant fraction of spoofed packet flows and prevent attack packets from reaching their targets in the first place. The IP flows that cannot be proactively curtailed are extremely sparse so that their origin can be localized, IP traceback to within a small, constant number of candidate sites. We show that the two proactive and reactive performance effects can be achieved by implementing route-based filtering on less than 20% of Internet autonomous system (AS) sites. Second, we show that the two complementary performance measures are dependent on the properties of the underlying AS graph. In particular, we show that the power-law structure of Internet AS topology leads to connectivity properties which are crucial in facilitating the observed performance effects. cryptographic security services mainly encryption techniques is used. For ciphering the text we will use Blowfish Algorithm. 4.1 Introduction to Blowfish Algorithm Blowfish Algorithm is used for encryption and decryption. Blowfish is a symmetric block cipher that can be effectively used for encryption and safe guarding of data. It takes a variable-length key, from 32 bits to 448 bits, making it ideal for securing data. Blowfish Algorithm is a Feistel Network, iterating a simple encryption function 16 times. The block size is 64 bits, and the key can be any length up to 448 bits. Blowfish is a variable-length key block cipher. It is suitable for applications where the key does not change often, like a communications link or an automatic file encryptor. It is significantly faster than most encryption algorithms when implemented on 32-bit microprocessors with large data caches. It performs data encryption via 16- round feistel network. Each round consist of a key-dependent permutation, and a key-and data dependent substitution. All operations are XOR and additions on 32-bit words. The only addition operations are four indexed array data lookups per round. Subkeys- Blowfish uses a large number of subkeys. These keys must be per computed before any data encryption or decryption. Blowfish has 16 rounds. The input is a 64-bit data element, x. Divide x into two 32-bit halves: xl, xr. Then, for i = 1 to 16: xl = xl XOR Pi xr = F(xL) XOR xr Swap xl and xr After the sixteenth round, swap xl and xr again to undo the last swap. Then, xr = xr XOR P17 and xl = xl XOR P18. Finally, recombine xl and xr to get the ciphertext. 4. Methodology Evaluate route-based Distributed Packet Faltering (DPF), to Prevent by the ability of attackers to forge or spoof the source addresses in IP packets and find out the malwares distributors to prevent the Drive-by-attack. For implementing the above objective, Using Router based Packet Filtering and 157

4 6. Conclusion Network is an open space that facilitate the user in every mean; but many unauthorized user misuses this facility and wanted to gain useful information of someone else for their own means by adopting different network crimes. And Forging an IP address of a legitimate user is one of them. (During the literature survey of the previous work done I came to know that for securing IP address to be forged there is no such contribution is available.) We are trying to prevent the IP address of the source machine to be forged and hacked; and for this we are using Cryptography. Blowfish is an algorithm that will be used to encrypt the IP address and Packet filtering is used to prevent the forging of the Route. 7. Future Work Figure 2: Blowfish Algorithm Detecting spoofed packet and trying to prevent Source IP address is just half of the solution of the problem: we need to be able to localize the true source of the packets. A number of projects have looked at this, but either required specially instrumented routers, or changes in the underlying network protocol that will predefine having a support to IP address encryption. While these are possible solutions, we feel that methods that do not have these requirements are more attractive. We believe that for some spoofing attacks, it is possible to use search techniques built upon some of the active detection methods described in this paper to accomplish this. Reference 5. Comparison and Scope Figure 3: Project Proposed Flow During the previous paper review we observed that many of the alerts generated were false positives and could be eliminated if corroborating information were available. The ability to know if the packets that generated the alerts were spoofed is just one example of supplemental information that would help in filtering out those alerts of low significance. Only strong end-to-end authentication can prevent packet spoofing. Preventing spoofing through Packet filtering alone is a tough work to do, can prevent the frequency but for have a secure network and secure session of the user during network communication need to have better idea. IP encryption is another way to prevent the security of the IP address and if unauthorized user is not able to have original IP address then they will not be able to spoof that. For IP encryption ciphering techniques can be used. [1] Steven J. Templeton, Karl E. Levitt Detecting Spoofed Packets. Department of Computer Science U.C. Davis, Jan 2004 [2] Zhenhai Duan, Xin Yuan and Jaideep Chandrashekar, Controlling IP Spoong Through Inter-Domain Packet Filters IEEE members [3] Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson Practical Network Support for IP Traceback Department of Computer Science and Engineering University of Washington [4] Cheng Jin, Haining Wang and Kang G. Shin Hop- Count Filtering: An Effective Defense Against Spoofed Traffic [5] Kihong Park and Heejo Lee On the Effectiveness of RouteBased Packet Filtering for Distributed DoS Attack Prevention in PowerLaw Internets, Network Systems Lab; Department of Computer Sciences Purdue University West Lafayette. [6] Leila Fatmasari Rahman and Rui Zhou IP Address Spoofing, Albert-udwigs-Universität Freiburg, Institute for Computer Science [7] SANS Institute InfoSec Reading Room Copyright SANS Institute Author Retains. 158

5 [8] ICANN/SSAC,.ICANN SSAC Advisory SAC008 DNS Distributed Denial of Service (DDoS) Attacks,. Mar [9] S. Staniford-Chen and L. T. Heberlein. Holding Intruders Accountable on the Internet. Proc. of the 1995 IEEE Symposium on Security and Privacy, Oakland, CA, pages 39-49, May 1995 [10] B. Schneier, Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish) Fast Software Encryption, Cambridge Security Workshop Proceedings, (December 1993), Springer-Verlag, 1994, pp