IP Spoofing Attack, Detection and Effective Measures


Seminar Presentation
IP Spoofing Attack, detection and
effective method of prevention.
Md. Sajan Sana Ansari
Id: 201206680
9/12/2016
Outline
Introduction to IP spoofing
IP spoofing attack
Detection strategies
Prevention method
Comparison
Summary
Conclusion
IP Spoofing
• IP spoofing simply refers to an attacker creating a forged (fake) IP address with the intention of concealing the identity of the sender.
• The attacker selects a trusted IP address so that the access control list in the firewall cannot recognize it.
• According to a study [2], at least four thousand such attacks occur every week on the Internet.
Process of IP spoofing attack
[Figure: handshake messages in the attack, with numbered steps 1-4: SYN (SeqNo=X); SYN-ACK (SeqNo=Y, ACK=X+1); ACK (SeqNo=X+1, ACK=Y+1)]
1) An attacker first creates a forged IP address using tools like hping, and then attacks and controls the victim node.
2) It sends a SYN connection request to the server, disguising itself with (concealing itself behind) the IP address of the victim node.
3) The server receives the request and sends a SYN-ACK to the victim node, but the victim node cannot actually receive the message.
4) Once the hacker gets the SeqNo (sequence number), it can send an ACK to the server again.
5) The connection is established between the hacker and the server.
6) Now the attack is running.
Detection Method by Trace Route model[1]
Fig : Trace route model [1]
Prevention strategies (Trace Route Method) [1]
Fig: Flow chart of prevention system
Prevention Method using Trace Route model [1]
(1) IP Authentication Module
• This module is used to judge whether the source host is a trusted node. The IP authentication information includes the node name, the node IP address, and the hop count from itself to the target node. Only when the user passes the IP authentication is it considered a trusted node; otherwise the user is considered a node from an outer site.
(2) Trace Route Module
• This module performs a trace route from the detection node to the source node. If the source host is a trusted node, the result of the trace route is "host reachable"; otherwise, when an IP spoofing attack occurs, the result is "host unreachable". At the same time, the rule base and log base are updated dynamically. The result of the trace route is sent to the implementation module.
Prevention strategies (Packet Funneling method)[2]
1. When a packet of a new user is received, the user is entered in the AIP (active IP) table, its timeout value is set, and the packet is forwarded to its destination.
2. The size of the AIP table is a parameter set by the administrator according to the average number of expected users.
3. The Waiting Matrix stores the arriving packets of each delayed user until one of the active users times out and is thus removed from the AIP table.
4. When the memory is entirely consumed, the packets will be dropped instead of delayed.
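The four rules above can be simulated in a few lines. This is an added example, not code from the slides or from the cited paper [2]; the class and parameter names are hypothetical, and refreshing an active user's timeout on every packet is an assumption.

```python
from collections import OrderedDict, deque

class PacketFunnel:
    def __init__(self, aip_size, timeout, wait_capacity):
        self.aip_size = aip_size            # AIP table size, set by the administrator
        self.timeout = timeout              # seconds before an active user times out
        self.wait_capacity = wait_capacity  # packets the Waiting Matrix can hold
        self.aip = {}                       # active users: src_ip -> expiry time
        self.waiting = OrderedDict()        # delayed users: src_ip -> queued packets
        self.released = []                  # (src_ip, packet) forwarded after a delay

    def _expire(self, now):
        for ip in [ip for ip, expiry in self.aip.items() if expiry <= now]:
            del self.aip[ip]
        # Each freed slot goes to the longest-waiting delayed user.
        while self.waiting and len(self.aip) < self.aip_size:
            ip, packets = self.waiting.popitem(last=False)
            self.aip[ip] = now + self.timeout
            self.released.extend((ip, p) for p in packets)

    def handle(self, src_ip, packet, now):
        self._expire(now)
        if src_ip in self.aip or len(self.aip) < self.aip_size:
            # Assumption: a packet from an active user also refreshes its timeout.
            self.aip[src_ip] = now + self.timeout
            return "forward"
        if sum(len(q) for q in self.waiting.values()) >= self.wait_capacity:
            return "drop"                   # memory consumed: drop instead of delay
        self.waiting.setdefault(src_ip, deque()).append(packet)
        return "delay"

def demo():
    funnel = PacketFunnel(aip_size=2, timeout=10, wait_capacity=2)
    # Constructed traffic: (source, packet, arrival time in seconds).
    traffic = [("192.0.2.1", "a1", 0), ("192.0.2.2", "b1", 1),
               ("192.0.2.3", "c1", 2), ("192.0.2.4", "d1", 3),
               ("192.0.2.5", "e1", 4), ("192.0.2.2", "b2", 10)]
    verdicts = [funnel.handle(*pkt) for pkt in traffic]
    return verdicts, funnel.released

if __name__ == "__main__":
    print(demo())
```

With a burst of new source addresses, the first two users stay served, the next two are delayed, and the fifth is dropped once the Waiting Matrix is full; the delayed packet from 192.0.2.3 is released when the first user times out.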
Some other Common Prevention strategies [3]
To prevent IP spoofing from happening in a network, the following are some common practices:
1. Hop-Count Filtering
• Hop-count filtering [3] is a victim-based solution relying on the hop-count method.
• The number of hops between source and destination is indicated by the TTL field in an IP packet.
• Linking the source IP with the statistical number of hops to reach the destination can be used to assess the authenticity of the claimed IP source.
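A minimal hop-count filter along these lines, as an added example that is not code from the slides or from the survey [3]. It assumes senders start from one of the common initial TTL values (32, 64, 128, 255) and uses the most frequent learned hop count as the "statistical" value; all names are hypothetical.

```python
from collections import Counter, defaultdict

# Assumption (not from the slides): senders use one of these common initial TTLs.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def hop_count(observed_ttl):
    """Hops travelled = smallest common initial TTL >= observed TTL, minus observed TTL."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be 1..255")
    initial = next(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl

class HopCountFilter:
    def __init__(self, tolerance=1, min_samples=3):
        self.tolerance = tolerance           # allowed deviation, absorbs route changes
        self.min_samples = min_samples       # below this, no verdict is given
        self.history = defaultdict(Counter)  # src_ip -> Counter of hop counts

    def learn(self, src_ip, ttl):
        """Record a packet believed genuine, e.g. from a completed TCP session."""
        self.history[src_ip][hop_count(ttl)] += 1

    def expected(self, src_ip):
        seen = self.history.get(src_ip)
        if not seen or sum(seen.values()) < self.min_samples:
            return None
        return seen.most_common(1)[0][0]     # most frequent hop count for this source

    def check(self, src_ip, ttl):
        exp = self.expected(src_ip)
        if exp is None:
            return "unknown"
        return "ok" if abs(hop_count(ttl) - exp) <= self.tolerance else "suspect"

def demo():
    f = HopCountFilter()
    # Constructed sample: four genuine packets from 198.51.100.7 (12 or 13 hops away).
    for ttl in (52, 52, 51, 52):
        f.learn("198.51.100.7", ttl)
    return [
        f.check("198.51.100.7", 52),   # 64 - 52 = 12 hops
        f.check("198.51.100.7", 117),  # 128 - 117 = 11 hops, within tolerance
        f.check("198.51.100.7", 241),  # 255 - 241 = 14 hops, does not fit the source
        f.check("203.0.113.9", 60),    # never learned
    ]

if __name__ == "__main__":
    print(demo())
```

The "unknown" verdict and the tolerance parameter reflect the method's dependence on assumptions: a source with too little history, or a route that changes by more than the tolerance, cannot be judged reliably.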
2. Router Based Solution
• The routers are modified to provide:
  • encryption,
  • digital signatures, and
  • authentication.
• It enables the tracing of a packet back to its origin, thus stopping further traffic at the closest intelligent router point.
3. Traffic Level Measurements
• The module relies on a buffer through which all incoming traffic enters.
• Traffic level is continuously monitored, and when it shoots to high levels, most incoming packets will be dropped.
• The module thus attempts to isolate the server from the attack.
Comparison
1. Packet funneling is a load-balancing solution that delays heavy traffic on the server. The IP pattern of a normal user will have repetitive occurrences. It is an easy approach for a small group of networks.
2. The hop-count process depends heavily on assumptions and probabilistic methods, rendering the method inaccurate.
3. Even though the "router based solution" provides more secure and private communication between the routers involved, a tremendous amount of complexity is introduced.
4. The traffic level countermeasure is not an effective way to prevent IP spoofing, because it simply controls the peak traffic level, so legitimate requests may struggle to access the server.
5. The Trace Route method is an effective defense method in which the attacker is detected by tracing the route with the help of a trusted adjacent node in the network; if the source IP is unreachable, it drops the packet.
Table (1): comparison among different prevention strategies of IP spoofing attack
Summary
• We discussed what IP spoofing is and how an IP spoofing attack proceeds.
• We discussed how to detect an IP spoofing attack.
• We discussed different types of measures to prevent IP spoofing attacks, such as the Trace Route model, Packet Funneling, and some common prevention techniques.
• We compared these prevention techniques.
Conclusion
IP spoofing attacks on networks are a severe problem that deserves consideration, as many cases occur per day on the Internet. Hence, effective prevention strategies should be evaluated. Having studied several prevention strategies, the Trace Route strategy is an effective way to control the attacker in the network.
References
[1] Yunji Ma, "An Effective Method for Defense against IP Spoofing Attack", Department of Network Engineering, University of Science and Technology LiaoNing, Anshan, China, 2010.
[2] N. Arumugam, C. Venkatesh, "A Novel Scheme for Detecting and Preventing Spoofed IP Access on Network Using IP2HP Filter", ©2006-2011 Asian Research Publishing Network (ARPN), Dec. 2011.
[3] Antonio Challita, Mona El Hassan, Sabine Maalouf, Adel Zouheiry, "A Survey of DDoS Defense Mechanisms", Department of Electrical and Computer Engineering, American University of Beirut.
[4] T. Baba and S. Matsuda, "Tracing network attacks to their sources," IEEE Internet Computing, 2002.
[5] I. B. Mopari, S. G. Pukale and M. L. Dhore, "Detection and defense against DDoS attack with IP spoofing," International Conference on Computing, Communication and Networking, 2008, pp. 1-5, Dec. 2008.
[6] A. Bremler-Barr and H. Levy, "Spoofing prevention method," 24th Annual Joint Conference of the IEEE Computer and Communications Societies, March 2005.
Thanks
Accept my sincere thanks
for listening .
Any question and suggestion !!