![Sundarapandian et al. (Eds): CoNeCo,WiMo, NLP, CRYPSIS, ICAIT, ICDIP, ITCSE, CS & IT 07,
pp. 185–193, 2012. © CS & IT-CSCP 2012 DOI : 10.5121/csit.2012.2416
EFFICIENT DEFENSE SYSTEM FOR IP
SPOOFING IN NETWORKS
Emil Kuriakose John 1
and Sumaiya Thaseen 2
1
School of Information Technology and Engineering,
VIT University, Vellore, Tamil Nadu, India
ekj171@gmail.com
2
School of Computing Science and Engineering,
VIT University, Chennai, Tamil Nadu, India
sumaiyathaseen@gmail.com
ABSTRACT
In this age of gigabit Ethernet and broadband internet, network security has been the top
priority for most of the researchers. Technology advancements have advantages as well as
disadvantages. Most of the communication of present world, the e-world, takes place online,
through the internet. Thus the context of network intrusions and attacks to hack into servers also
came into existence. A technique to perform this activity is made possible by preventing the
discovery of the sender’s identity through IP Spoofing [7]. Many popular internet sites have
been hacked and attackers try to forge or spoof the source addresses in IP packets. Using
spoofing detection technique, the user can retrieve the list of IP addresses and able to identify
the malicious IP addresses.Hence mechanisms must be designed to prevent hacking. This paper
proposes a novel technique to detect IP spoofing based on traffic verification and filtering.
KEYWORDS
Distributed Denial of service attack (DDoS), Replay attack, Blind Spoofing. IP Spoofing, Time
to Live (TTL), Hop Count Filtering (HCF).
1. INTRODUCTION
Internet is most widely used in every aspect of life. Over one-third of the world population utilize
Internet for daily activities [8]. It is used in services like banking, shopping, transport, health,
communications etc. Shifting to the internet era has increased the context of network intrusions
and attacks to hack into servers [3]. But in the current scenario, there is no integrated application
that provides a network administrator to manage the network from the server or host machine.
Unauthorized access made by malicious user to a particular system is IP Spoofing. IP address
spoofing or IP Spoofing refers to “the creation of Internet protocol (IP) packets with forged
source IP address with the intention of concealing the identity of the sender and impersonate other
computing system” [7]. Security for IP Spoofing is essential and demanding.
This paper proposes a promising solution for the detection of malicious IP packets under real time
environment. IP Spoofing happens in various ways through Distributed Denial of Service (DDoS)
attack, Replay attack and Blind Spoofing [9]. These are the main techniques by which spoofing
attempts occurs in the Internet. We provide some efficient and reliable techniques by which these
issues are dealt. The aim of the work is to develop an application with a clean GUI that aids the
administrator to monitor network traffic and attempts of intrusion, from any system in the
network. The developed system will integrate all the necessary tools required by a network](https://image.slidesharecdn.com/csit2416-180205123139/85/EFFICIENT-DEFENSE-SYSTEM-FOR-IP-SPOOFING-IN-NETWORKS-1-320.jpg)
![186 Computer Science & Information Technology ( CS & IT )
administrator to know the details of each and every system connected to the network, the traffic
from each system, source and destination of packets, source and destination of intrusions and
even lets him record the details of traffic and attacks. The administrator can carry out analysis
based on the entries in this application and thus provide an efficient defense system against IP
Spoofing.
The paper is organized as follows. Section 2 summarizes the comparative study of IP Spoofing.
Section 3 discusses about implementation of proposed defense system. Section 4.Results are
discussed in section 4.Section 5 concludes the paper.
2. COMPARATIVE STUDY OF IP SPOOFING
IP Spoofing can be handled in many different ways ranging from greater complexity algorithms
to simple techniques based on the level of service it has to provide. Here we develop a
mechanism for detection of IP Spoofing in real time environment, considering the performance
and the resource management constraints [6]. Over the years, network security has been a prime
concern and there are four major aspects. They are:-
1. Distributed denial of service(DDoS attack)
This is a serious attack in IP Spoofing [5]. Our study is limited to the host based
approach. In host based approach, it decreases the resource consumption and provides
greater resource management by avoiding the malicious traffic [4]. The present host
based approach identifies spoofing in the transport layer and layers above and cannot stop
the victim server from consuming CPU resource in handling the malicious IP packets.
This can very much slow down the victim server [11]. Hence, we detect the spoofed
packet at the IP layer itself. This technique lays emphasis on effective usage of resources
thus providing greater resource management. One of the host based approach is hop
count filtering (HCF). The hop count field is indirectly related to the Time to Live (TTL)
field of the IP Header. We design a tool at the receiver end where the Time to Live (TTL)
value can be inferred and can check for consistency. If the TTL field gives different
values for different packet in a single session then inconsistency prevails and one can
suspect of an intruder attempting to make connection with the receiver.
Hop Count Filter (HCF) runs in two states. In the learning state, HCF watches for the
abnormal TTL behavior without discarding any packets. On detection of an attack, HCF
switches to the filtering state, where it discards those IP packets with mismatching hop-
counts. Over 90% of the spoofed IP packets can be identified. False positive is a term
which refers to the legitimate packets that are incorrectly identified as spoofed. Our HCF
technique reduces the number of false positives [1]. Thus, HCF can effectively counter
the DDoS attack.
2. Replay attack
A replay attack is defined as “a type of network attack in which data transmission is
maliciously repeated” [10]. Theoretically, this issue can be handled using session id. A
packet with a session id is valid only for a particular period of time after which the packet
is considered invalid and is not fit for transmission. An intruder or malicious user copies
a steam of messages between the sender and receiver (two parties) and replay the stream
to one or more of the parties.](https://image.slidesharecdn.com/csit2416-180205123139/85/EFFICIENT-DEFENSE-SYSTEM-FOR-IP-SPOOFING-IN-NETWORKS-2-320.jpg)
![Computer Science & Information Technology ( CS & IT ) 187
3. Blind Spoofing
Blind Spoofing Attack is another type of spoofing attack. This attack may occur by
external means where sequence and acknowledgement numbers are unreachable.
Attackers send random packets to the end system to identify the sequence numbers.
Random sequence number is specified by the operating System and is difficult to predict.
If the sequence number is compromised, data could be sent to the target machine.
IP spoofing is incomplete without considering the issues of all the hosts connected in the network
as a whole. This is because network intrusion can happen within a particular network as well. So
here we provide a scenario to validate the availability of the hosts in that particular network
starting from the network address and performing ping operation on every successive IP
addresses till the end of the hosts. The next stage follows implementation where we discuss on
how these concepts can be implemented for real time systems on resource management.
3. IMPLEMENTATION OF PROPOSED DEFENSE SYSTEM
The design and development of defense system for IP Spoofing is discussed in this section. The
proposed system works on real time environment. It works on the platform C#.net (Microsoft
Visual Studio 2005). Application is capable of performing the detection of malicious packets
arriving at the destination node. The proposed system is capable of monitoring the network traffic
and detects any attempts to intrude into the network almost instantaneously. The system combines
together all the tools into a single, user-friendly application that can be handled by the
administrator. The operation performed is classified into three categories. In the first step, packet
analyzer module will filter all the incoming IP packets to the destination. It monitors the network
traffic and detects any attempts to intrusion into the network, almost instantaneously. IP
Spoofing is incomplete without port scanning of the servers. With port scanning it identifies
which all ports are active at a particular time and can validate the existence of an attack (if any)
with the packet tracing feature. Apart from these activities, another module is machines on local
area network (LAN) which identifies all the machines in the network to which the host is
presently connected. This also plays a major role in IP Spoofing as spoofing can happen within
the host network as well. These are the proposed issues we wish to handle in the application to be
developed.
Generally the phases of fake IP detection can be classified as shown in Figure 1.
Figure 1. Fake IP Detection process
The general working phases can be categorized into three categories [2].](https://image.slidesharecdn.com/csit2416-180205123139/85/EFFICIENT-DEFENSE-SYSTEM-FOR-IP-SPOOFING-IN-NETWORKS-3-320.jpg)
![Computer Science & Information Technology ( CS & IT ) 189
Figure 3. IP Packet Analyzer
Various guidelines are taken into account for detecting the malicious packet which can result in
IP Spoofing. Distributed Denial of service (DDoS) attack can be avoided by using the Hop-count
filtering (HCF) technique where the destination system can infer the Time to Live (TTL)
information and check for consistency [1] [2]. If it leads to inconsistent values, then it is
considered as spoofed IP packet and is highlighted.
Replay attack is also potential attack in network security which needs greater importance. Since
the application being developed is worked at the destination level, the technique adopted here is
based on the Identification field and the Time to Live (TTL) field of the IP header. A packet
arriving at a particular instant has identification field as well as TTL field. A packet arriving next
will definitely have different identification value than the previous one. If the detection phase
detects any IP Packets with identification field different than the identification field previously
coming from the same IP address, then it is considered malicious as there is a possibility of replay
attack.
Some other criteria are also taken into consideration. If many packets arrive from a particular
source to the destination, then it can be a threat on flooding the network leading to Denial of
service (DoS). Although it is not necessary that Denial of Service (DoS) should occur at that point
in time rather a large file being downloaded can also be the case. Hence as a precautionary step a
message box is displayed to alert the user about the packet transfer from a particular source
during a short span of time.
If a user considers that packets arriving from a particular source IP is malicious or wishes to trace,
one can manually filter the results by providing the source IP under the monitor IP sub module of
the proposed application. This will benefit users for a comparative analysis of the packets leading
to greater result accuracy.
It is well known that UDP is connectionless service and communication of services is carried out
between ports. Naturally, the server port and the client ports are different. If same port number for
both the server and client is used in transfer of packet from source IP address to destination IP
address, then such packets may not be secure and are therefore detected.
Apart from the IP packet filtering techniques, a user can also perform scanning of the active
machines available. This segment is used to validate the user whether spoofing happens within](https://image.slidesharecdn.com/csit2416-180205123139/85/EFFICIENT-DEFENSE-SYSTEM-FOR-IP-SPOOFING-IN-NETWORKS-5-320.jpg)
![192 Computer Science & Information Technology ( CS & IT )
The defects detected during test execution of the proposed application system are described
below.
1. Change in hop value- potential chances for Denial of Service (DoS) attack [1]. This is
illustrated in Figure 9.
Figure 9. Variation in Time to Live (TTL) field for DoS detection
2. Source IP transmitting more packets in a particular time to the destination. This is
illustrated in Figure 10.
Figure.10 Multiple placket transmission over a period of time
The proposed system can handle or identify almost all malicious packets and thus add on the
feature of robustness.](https://image.slidesharecdn.com/csit2416-180205123139/85/EFFICIENT-DEFENSE-SYSTEM-FOR-IP-SPOOFING-IN-NETWORKS-8-320.jpg)
![Computer Science & Information Technology ( CS & IT ) 193
5. CONCLUSION
The proposed system retrieves IP traffic for verification and filters the packet which is identified
as malicious. The application can be used for spoofing any type of malicious packets with the key
advantage of consuming fewer resources. It is an integrated tool comprising of packet analyzer,
active ports and machines on LAN. The system is resistant to Distributed Denial of service attack
(DDoS), Replay attack and blind spoofing. Improving the current system with new set of
guidelines or methods for packet tracing is our future work.
REFERENCES
[1] Haining Wang, Member, IEEE, Cheng Jin, and Kang G. Shin, Fellow, IEEE, “Defense Against
Spoofed IP Traffic Using Hop-Count Filtering”, IEEE/ACM TRANSACTIONS ON
NETWORKING, VOL. 15, NO. 1, FEBRUARY 2007.
[2] N. Arumugam, C. Venkatesh ,“A Trivial Scheme for Detecting and Preventing Fake IP Access of
Network Server Using IPHP Filter”, European Journal of Scientific Research, ISSN 1450-216X
Vol.53 No.2 (2011), pp.258-268.
[3] Yao Chen, Shantanu Das, Pulak Dhar, Abdulmotaleb El Saddik, and Amiya Nayak, “Detecting and
Preventing IP-spoofed Distributed DoS Attacks,” International Journal of Network Security, Vol.7,
No.1, PP.70–81, July 2008.
[4] T.M. Gil and M Poleto, ”MULTOPS: a data-structure for bandwidth attack detection”, hoc.io*
USENIX Security Symposium Washington,DC, pp.23-38,Aug,2001
[5] A. Kuzmanovic and E. W. Knightly, “Low-rate TCP-targeted denial of service attacks (the shrew vs.
the mice and elephants,” in Proc. ACM SIGCOMM, 2003, pp. 75–86.
[6] G. Banga, P. Druschel, and J. Mogul, “Resource containers: A new facility for resource management
in server systems,” in Proc. USENIX OSDI’99, New Orleans, LA, 1999, pp. 45–58.
[7] IP address spoofing. Accessed 02.32 PM http://en.wikipedia.org/wiki/IP_address_spoofing
[8] World Internet Usage Statistics. Accessed 07.45 AM http://www.internetworldstats.com/
[9] Different types of IP Spoofing Accessed 03.01 PM
http://www.computerworld.com/s/article/9001021/The_top_five_ways_to_prevent_IP_spoofing
[10] Replay attack. Accessed 04.40 PM http://en.wikipedia.org/wiki/Replay_attack
[11] S. M. Bellavin, “ICMP traceback messages”, Internet Draft, 2001
Authors
[1] Emil Kuriakose John received his B. Tech. from Kerala University,
Trivandrum, Kerala, India, in 2010. He is currently doing M. Tech. from VIT
University, Vellore, Tamil Nadu, India. His areas of interest are Wireless Mobile
Networking, Cryptography and Network Security, Network Programming and
Protocols.
[2] Sumaiya Thaseen received her B.E from Madras University and M.Tech
from VIT University in 2004 and 2006 respectively. She is currently an Assistant
Professor (Senior) in School of Computing Science and Engineering, VIT
University, Chennai with 6 years of experience and also pursuing her PhD degree.
A life member of Computer Society of India (CSI). Her areas of interests are ad
hoc networks, cryptography and network security. She has published several
papers in international peer reviewed journals and conferences.](https://image.slidesharecdn.com/csit2416-180205123139/85/EFFICIENT-DEFENSE-SYSTEM-FOR-IP-SPOOFING-IN-NETWORKS-9-320.jpg)
EFFICIENT DEFENSE SYSTEM FOR IP SPOOFING IN NETWORKS
- 1. Sundarapandian et al. (Eds): CoNeCo,WiMo, NLP, CRYPSIS, ICAIT, ICDIP, ITCSE, CS & IT 07, pp. 185–193, 2012. © CS & IT-CSCP 2012 DOI : 10.5121/csit.2012.2416 EFFICIENT DEFENSE SYSTEM FOR IP SPOOFING IN NETWORKS Emil Kuriakose John 1 and Sumaiya Thaseen 2 1 School of Information Technology and Engineering, VIT University, Vellore, Tamil Nadu, India ekj171@gmail.com 2 School of Computing Science and Engineering, VIT University, Chennai, Tamil Nadu, India sumaiyathaseen@gmail.com ABSTRACT In this age of gigabit Ethernet and broadband internet, network security has been the top priority for most of the researchers. Technology advancements have advantages as well as disadvantages. Most of the communication of present world, the e-world, takes place online, through the internet. Thus the context of network intrusions and attacks to hack into servers also came into existence. A technique to perform this activity is made possible by preventing the discovery of the sender’s identity through IP Spoofing [7]. Many popular internet sites have been hacked and attackers try to forge or spoof the source addresses in IP packets. Using spoofing detection technique, the user can retrieve the list of IP addresses and able to identify the malicious IP addresses.Hence mechanisms must be designed to prevent hacking. This paper proposes a novel technique to detect IP spoofing based on traffic verification and filtering. KEYWORDS Distributed Denial of service attack (DDoS), Replay attack, Blind Spoofing. IP Spoofing, Time to Live (TTL), Hop Count Filtering (HCF). 1. INTRODUCTION Internet is most widely used in every aspect of life. Over one-third of the world population utilize Internet for daily activities [8]. It is used in services like banking, shopping, transport, health, communications etc. Shifting to the internet era has increased the context of network intrusions and attacks to hack into servers [3]. But in the current scenario, there is no integrated application that provides a network administrator to manage the network from the server or host machine. Unauthorized access made by malicious user to a particular system is IP Spoofing. IP address spoofing or IP Spoofing refers to “the creation of Internet protocol (IP) packets with forged source IP address with the intention of concealing the identity of the sender and impersonate other computing system” [7]. Security for IP Spoofing is essential and demanding. This paper proposes a promising solution for the detection of malicious IP packets under real time environment. IP Spoofing happens in various ways through Distributed Denial of Service (DDoS) attack, Replay attack and Blind Spoofing [9]. These are the main techniques by which spoofing attempts occurs in the Internet. We provide some efficient and reliable techniques by which these issues are dealt. The aim of the work is to develop an application with a clean GUI that aids the administrator to monitor network traffic and attempts of intrusion, from any system in the network. The developed system will integrate all the necessary tools required by a network
- 2. 186 Computer Science & Information Technology ( CS & IT ) administrator to know the details of each and every system connected to the network, the traffic from each system, source and destination of packets, source and destination of intrusions and even lets him record the details of traffic and attacks. The administrator can carry out analysis based on the entries in this application and thus provide an efficient defense system against IP Spoofing. The paper is organized as follows. Section 2 summarizes the comparative study of IP Spoofing. Section 3 discusses about implementation of proposed defense system. Section 4.Results are discussed in section 4.Section 5 concludes the paper. 2. COMPARATIVE STUDY OF IP SPOOFING IP Spoofing can be handled in many different ways ranging from greater complexity algorithms to simple techniques based on the level of service it has to provide. Here we develop a mechanism for detection of IP Spoofing in real time environment, considering the performance and the resource management constraints [6]. Over the years, network security has been a prime concern and there are four major aspects. They are:- 1. Distributed denial of service(DDoS attack) This is a serious attack in IP Spoofing [5]. Our study is limited to the host based approach. In host based approach, it decreases the resource consumption and provides greater resource management by avoiding the malicious traffic [4]. The present host based approach identifies spoofing in the transport layer and layers above and cannot stop the victim server from consuming CPU resource in handling the malicious IP packets. This can very much slow down the victim server [11]. Hence, we detect the spoofed packet at the IP layer itself. This technique lays emphasis on effective usage of resources thus providing greater resource management. One of the host based approach is hop count filtering (HCF). The hop count field is indirectly related to the Time to Live (TTL) field of the IP Header. We design a tool at the receiver end where the Time to Live (TTL) value can be inferred and can check for consistency. If the TTL field gives different values for different packet in a single session then inconsistency prevails and one can suspect of an intruder attempting to make connection with the receiver. Hop Count Filter (HCF) runs in two states. In the learning state, HCF watches for the abnormal TTL behavior without discarding any packets. On detection of an attack, HCF switches to the filtering state, where it discards those IP packets with mismatching hop- counts. Over 90% of the spoofed IP packets can be identified. False positive is a term which refers to the legitimate packets that are incorrectly identified as spoofed. Our HCF technique reduces the number of false positives [1]. Thus, HCF can effectively counter the DDoS attack. 2. Replay attack A replay attack is defined as “a type of network attack in which data transmission is maliciously repeated” [10]. Theoretically, this issue can be handled using session id. A packet with a session id is valid only for a particular period of time after which the packet is considered invalid and is not fit for transmission. An intruder or malicious user copies a steam of messages between the sender and receiver (two parties) and replay the stream to one or more of the parties.
- 3. Computer Science & Information Technology ( CS & IT ) 187 3. Blind Spoofing Blind Spoofing Attack is another type of spoofing attack. This attack may occur by external means where sequence and acknowledgement numbers are unreachable. Attackers send random packets to the end system to identify the sequence numbers. Random sequence number is specified by the operating System and is difficult to predict. If the sequence number is compromised, data could be sent to the target machine. IP spoofing is incomplete without considering the issues of all the hosts connected in the network as a whole. This is because network intrusion can happen within a particular network as well. So here we provide a scenario to validate the availability of the hosts in that particular network starting from the network address and performing ping operation on every successive IP addresses till the end of the hosts. The next stage follows implementation where we discuss on how these concepts can be implemented for real time systems on resource management. 3. IMPLEMENTATION OF PROPOSED DEFENSE SYSTEM The design and development of defense system for IP Spoofing is discussed in this section. The proposed system works on real time environment. It works on the platform C#.net (Microsoft Visual Studio 2005). Application is capable of performing the detection of malicious packets arriving at the destination node. The proposed system is capable of monitoring the network traffic and detects any attempts to intrude into the network almost instantaneously. The system combines together all the tools into a single, user-friendly application that can be handled by the administrator. The operation performed is classified into three categories. In the first step, packet analyzer module will filter all the incoming IP packets to the destination. It monitors the network traffic and detects any attempts to intrusion into the network, almost instantaneously. IP Spoofing is incomplete without port scanning of the servers. With port scanning it identifies which all ports are active at a particular time and can validate the existence of an attack (if any) with the packet tracing feature. Apart from these activities, another module is machines on local area network (LAN) which identifies all the machines in the network to which the host is presently connected. This also plays a major role in IP Spoofing as spoofing can happen within the host network as well. These are the proposed issues we wish to handle in the application to be developed. Generally the phases of fake IP detection can be classified as shown in Figure 1. Figure 1. Fake IP Detection process The general working phases can be categorized into three categories [2].
- 4. 188 Computer Science & Information Technology ( CS & IT ) 1. Learning Phase During this phase, the information containing the packets in the real time is listed. It is assumed that during normal connection, no attacks occur. 2. Validation Phase After performing the listening phase, the packets traced are checked with various detection handling methods. If any detection method gets invoked, it moves to the Detection phase or else it continues to learn the packets. 3. Detection Phase The packets obtained from the validation phase and sent to detection phase are considered malicious and are potentially dangerous packets which are highlighted for user’s immediate attention. The proposed system consists of the following modules as shown in the figure 2.This system performs the task of detecting IP Spoofing in a fair and less resource consumed manner. Figure 2. Architecture of Proposed System Packet Analyzer is the major module of the system performing the following action as shown in the Figure 3.
- 5. Computer Science & Information Technology ( CS & IT ) 189 Figure 3. IP Packet Analyzer Various guidelines are taken into account for detecting the malicious packet which can result in IP Spoofing. Distributed Denial of service (DDoS) attack can be avoided by using the Hop-count filtering (HCF) technique where the destination system can infer the Time to Live (TTL) information and check for consistency [1] [2]. If it leads to inconsistent values, then it is considered as spoofed IP packet and is highlighted. Replay attack is also potential attack in network security which needs greater importance. Since the application being developed is worked at the destination level, the technique adopted here is based on the Identification field and the Time to Live (TTL) field of the IP header. A packet arriving at a particular instant has identification field as well as TTL field. A packet arriving next will definitely have different identification value than the previous one. If the detection phase detects any IP Packets with identification field different than the identification field previously coming from the same IP address, then it is considered malicious as there is a possibility of replay attack. Some other criteria are also taken into consideration. If many packets arrive from a particular source to the destination, then it can be a threat on flooding the network leading to Denial of service (DoS). Although it is not necessary that Denial of Service (DoS) should occur at that point in time rather a large file being downloaded can also be the case. Hence as a precautionary step a message box is displayed to alert the user about the packet transfer from a particular source during a short span of time. If a user considers that packets arriving from a particular source IP is malicious or wishes to trace, one can manually filter the results by providing the source IP under the monitor IP sub module of the proposed application. This will benefit users for a comparative analysis of the packets leading to greater result accuracy. It is well known that UDP is connectionless service and communication of services is carried out between ports. Naturally, the server port and the client ports are different. If same port number for both the server and client is used in transfer of packet from source IP address to destination IP address, then such packets may not be secure and are therefore detected. Apart from the IP packet filtering techniques, a user can also perform scanning of the active machines available. This segment is used to validate the user whether spoofing happens within
- 6. 190 Computer Science & Information Technology ( CS & IT ) the network or from outside. The proposed system considers the machines that are scanned from the IP address “192.0.0.0” onwards. This will also facilitate in providing the MAC address of that particular host in the network. 4. RESULTS AND DISCUSSION An integrated application is developed which collectively handles most of the issues related to spoofing with less resource requirements. User will trace the packets coming to the destination node. Based on the criteria mentioned above detection of spoofing is performed. Results and discussion of the proposed system is discussed below. The main GUI of the implemented system is as shown in Figure 4. Figure 4. IP Packet Analyzer getting real time packets Analyzing the above packets, it can be inferred that no Denial of Service takes place because the identification field gives different values in each time. The Differentiated Services field also plays an important role in determining the type of service carried out by every packet. Here, it is 0x00 which represents packets are sent at minimum delay. This is the learning phase. Similarly the TCP and UDP packets can also be listed as shown in Figure 5 and Figure 6 below. Figure 5. Analyzing TCP real time packets The sequence number field is of great importance as it identifies each packet uniquely.
- 7. Computer Science & Information Technology ( CS & IT ) 191 Figure 6. Analyzing UDP real time packets Since the server port and client port cannot be the same, it highlights the packet details. As discussed earlier, once the learning phase is done, validation phase is carried out where the system checks the possibility of the packet to be malicious or not. Detection mechanisms as discussed above have been incorporated in the tool. Apart from this a user interface is developed for users to particularly monitor specific source IP addresses. This is illustrated as shown in Figure 7. Figure 7. Monitor IP Address in packet analyzer Port Scanning is another module that is implemented. Active ports describe the ports which are being connected at that particular point of time. It is illustrated as shown in the Fig.8. Figure 8. Port Scanning Machines on Local Area Network (LAN) is another module used to validate whether an attack occurs within the system or from externally.
- 8. 192 Computer Science & Information Technology ( CS & IT ) The defects detected during test execution of the proposed application system are described below. 1. Change in hop value- potential chances for Denial of Service (DoS) attack [1]. This is illustrated in Figure 9. Figure 9. Variation in Time to Live (TTL) field for DoS detection 2. Source IP transmitting more packets in a particular time to the destination. This is illustrated in Figure 10. Figure.10 Multiple placket transmission over a period of time The proposed system can handle or identify almost all malicious packets and thus add on the feature of robustness.
- 9. Computer Science & Information Technology ( CS & IT ) 193 5. CONCLUSION The proposed system retrieves IP traffic for verification and filters the packet which is identified as malicious. The application can be used for spoofing any type of malicious packets with the key advantage of consuming fewer resources. It is an integrated tool comprising of packet analyzer, active ports and machines on LAN. The system is resistant to Distributed Denial of service attack (DDoS), Replay attack and blind spoofing. Improving the current system with new set of guidelines or methods for packet tracing is our future work. REFERENCES [1] Haining Wang, Member, IEEE, Cheng Jin, and Kang G. Shin, Fellow, IEEE, “Defense Against Spoofed IP Traffic Using Hop-Count Filtering”, IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 15, NO. 1, FEBRUARY 2007. [2] N. Arumugam, C. Venkatesh ,“A Trivial Scheme for Detecting and Preventing Fake IP Access of Network Server Using IPHP Filter”, European Journal of Scientific Research, ISSN 1450-216X Vol.53 No.2 (2011), pp.258-268. [3] Yao Chen, Shantanu Das, Pulak Dhar, Abdulmotaleb El Saddik, and Amiya Nayak, “Detecting and Preventing IP-spoofed Distributed DoS Attacks,” International Journal of Network Security, Vol.7, No.1, PP.70–81, July 2008. [4] T.M. Gil and M Poleto, ”MULTOPS: a data-structure for bandwidth attack detection”, hoc.io* USENIX Security Symposium Washington,DC, pp.23-38,Aug,2001 [5] A. Kuzmanovic and E. W. Knightly, “Low-rate TCP-targeted denial of service attacks (the shrew vs. the mice and elephants,” in Proc. ACM SIGCOMM, 2003, pp. 75–86. [6] G. Banga, P. Druschel, and J. Mogul, “Resource containers: A new facility for resource management in server systems,” in Proc. USENIX OSDI’99, New Orleans, LA, 1999, pp. 45–58. [7] IP address spoofing. Accessed 02.32 PM http://en.wikipedia.org/wiki/IP_address_spoofing [8] World Internet Usage Statistics. Accessed 07.45 AM http://www.internetworldstats.com/ [9] Different types of IP Spoofing Accessed 03.01 PM http://www.computerworld.com/s/article/9001021/The_top_five_ways_to_prevent_IP_spoofing [10] Replay attack. Accessed 04.40 PM http://en.wikipedia.org/wiki/Replay_attack [11] S. M. Bellavin, “ICMP traceback messages”, Internet Draft, 2001 Authors [1] Emil Kuriakose John received his B. Tech. from Kerala University, Trivandrum, Kerala, India, in 2010. He is currently doing M. Tech. from VIT University, Vellore, Tamil Nadu, India. His areas of interest are Wireless Mobile Networking, Cryptography and Network Security, Network Programming and Protocols. [2] Sumaiya Thaseen received her B.E from Madras University and M.Tech from VIT University in 2004 and 2006 respectively. She is currently an Assistant Professor (Senior) in School of Computing Science and Engineering, VIT University, Chennai with 6 years of experience and also pursuing her PhD degree. A life member of Computer Society of India (CSI). Her areas of interests are ad hoc networks, cryptography and network security. She has published several papers in international peer reviewed journals and conferences.