An event based technique for detecting spoofed IP packets
Introduction
IP address spoofing is commonly used in Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks [4] on the Internet. There are two types of DoS attacks: the first type is logic based, exploiting a weakness (vulnerability) in the implementation of a particular application, and the second type is flooding based, sending so many service requests that the recipient is overwhelmed. DDoS attacks are always of the second type. A schematic view of a flooding based denial of service attack is shown in Fig. 1, where many hosts each contribute a portion of the traffic that overwhelms a server. The goal of any flooding based denial of service attack is to exhaust the resources available at the target and make the service unavailable for useful computation, thereby denying service to some genuine users or requests. IP address spoofing gives the attacker the flexibility to conceal the source of the attack in such a scenario. Further, any host connected to the Internet can generate a packet with a spoofed source address with ease: raw socket programming, available in most flavors of UNIX, makes generating such a packet convenient. Several malicious programs, such as Botnet programs, come with the ability to generate such packets under the instruction of a Bot master.
Denial of Service and Distributed Denial of Service attacks have been addressed by researchers in two broad classes, preventive mechanisms and defensive mechanisms. Either class can operate at the router/infrastructure level or at the individual machine level. Techniques such as Ingress [8] and Egress Filtering [7], Unicast Reverse Path Forwarding [5], which discards IP packets received on an interface other than the one that would be used to send a packet back to that source, and Traceroute work at the router level, while techniques such as Hop Count Filtering [11], [24] and making the initial sequence number of a TCP session a truly random number or a function of the source and destination addresses [9] work at the end host.
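The end-host technique cited as Hop Count Filtering [11], [24] above can be illustrated concretely. The following is an added example written for this page, not code from the paper or from the cited works; it assumes the usual approach of inferring a packet's initial TTL from the common OS defaults (32, 64, 128, 255) and keeping an IP-to-hop-count table learned from traffic already known to be genuine (here a constructed in-memory dictionary, filled from a few constructed packets). A packet whose computed hop count disagrees with the table entry for its source address is flagged as a likely spoof.

```python
from typing import Dict, List, Tuple

# Common initial TTL values set by operating systems (assumption: the
# sender used one of these, and fewer than 32 hops lie between sender
# and receiver, so the smallest default >= observed TTL is the original).
INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed_ttl: int) -> int:
    """Return the smallest common default TTL that is >= the observed TTL."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError(f"invalid TTL {observed_ttl}")
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise AssertionError("unreachable: 255 is the largest default")


def hop_count(observed_ttl: int) -> int:
    """Hops travelled = inferred initial TTL minus the TTL seen on arrival."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


class HopCountFilter:
    """IP2HC table: maps a source IP to the hop count learned from genuine
    traffic (e.g. packets of a completed TCP handshake). Checking a packet
    compares its hop count against that entry; an exact match is required
    (routing changes would need a re-learn step, omitted here)."""

    def __init__(self) -> None:
        self.ip2hc: Dict[str, int] = {}

    def learn(self, ip: str, ttl: int) -> None:
        """Record the hop count for a source known to be genuine."""
        self.ip2hc[ip] = hop_count(ttl)

    def check(self, ip: str, ttl: int) -> str:
        """Return 'match', 'mismatch' or 'unknown' (no table entry yet)."""
        expected = self.ip2hc.get(ip)
        if expected is None:
            return "unknown"
        return "match" if hop_count(ttl) == expected else "mismatch"


def classify(hcf: HopCountFilter, packets: List[Tuple[str, int]]) -> List[Tuple[str, str]]:
    """Run the filter over (source ip, observed ttl) pairs."""
    return [(ip, hcf.check(ip, ttl)) for ip, ttl in packets]


def demo() -> List[Tuple[str, str]]:
    """Constructed sample: two learned sources, then three packets to check."""
    hcf = HopCountFilter()
    hcf.learn("198.51.100.7", 57)    # 64-57 = 7 hops (a 64-TTL host)
    hcf.learn("203.0.113.20", 116)   # 128-116 = 12 hops (a 128-TTL host)
    packets = [
        ("198.51.100.7", 57),    # same path as learned -> match
        ("198.51.100.7", 120),   # claims 8 hops from a 128-TTL host -> mismatch
        ("192.0.2.33", 250),     # never seen before -> unknown
    ]
    return classify(hcf, packets)


if __name__ == "__main__":
    for ip, verdict in demo():
        print(ip, verdict)
```

The inference step is where the technique is weakest: an observed TTL near a default boundary (e.g. 30 from a 32-TTL host two hops away versus a 64-TTL host 34 hops away) cannot be distinguished by TTL alone, which is why the table must be learned from traffic that is otherwise known to be genuine.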
In this paper, we describe an active verification based technique to detect IP address spoofing in the event of DDoS attacks. Our approach is an event based, active probing technique which proactively initiates verification of the source IP address of a particular packet once the number of new IP addresses seen in a particular time window exceeds a threshold. Our paper makes the following specific contributions.
- An active verification technique to verify the authenticity of the source IP address of a packet
- A discrete event system formal model describing the event based active verification mechanism
- We experiment in a real network setup on the Internet by creating several spoofing scenarios and furnish the results of these experiments
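The event based trigger described above (count first-seen source IPs within a window of W seconds, start active verification once the count exceeds a threshold) can be written out as a small simulation. This is an added example for this page, not the paper's code or formal model. It assumes the probe is any request that a genuine host answers and a spoofed address does not; the probe is abstracted as a callable, and a constructed responder table stands in for the network so the block runs offline. It also covers the two probing policies mentioned in the experimental section (probe one address per overflow, or several) via `per_event_limit`, and keeps the no-reply case from the Discussion as a distinct verdict, since a firewall dropping probes makes "no reply" weaker evidence than a positive reply.

```python
from collections import deque
from typing import Callable, Deque, Dict, List, Optional, Set, Tuple

Verdict = Tuple[str, str]   # (source ip, "genuine" | "suspected-spoofed")


class NewSourceMonitor:
    """Event based detector: tracks first-seen source IPs in a sliding window
    of `window` seconds and triggers active verification (an 'overflow'
    event) once more than `threshold` new sources fall inside the window."""

    def __init__(self, window: float, threshold: int,
                 probe: Callable[[str], bool],
                 per_event_limit: Optional[int] = None) -> None:
        self.window = window
        self.threshold = threshold
        self.probe = probe                      # probe(ip) -> True iff a reply came back
        self.per_event_limit = per_event_limit  # None: probe every pending IP per overflow
        self.seen: Set[str] = set()             # every source IP observed so far
        self.recent: Deque[Tuple[float, str]] = deque()   # (arrival time, new ip)
        self.verdicts: Dict[str, str] = {}

    def observe(self, t: float, src_ip: str) -> List[Verdict]:
        """Feed one packet (arrival time t, source IP); return any verdicts
        produced by this packet (usually none)."""
        # Slide the window: drop new-IP events older than W seconds.
        while self.recent and self.recent[0][0] < t - self.window:
            self.recent.popleft()
        if src_ip in self.seen:
            return []                           # only first-seen addresses count
        self.seen.add(src_ip)
        self.recent.append((t, src_ip))
        if len(self.recent) > self.threshold:   # overflow event
            return self._verify_pending()
        return []

    def _verify_pending(self) -> List[Verdict]:
        """Probe addresses in the window that have not been verified yet,
        most recent first (the address that caused the overflow goes first)."""
        results: List[Verdict] = []
        for _, ip in reversed(self.recent):
            if ip in self.verdicts:
                continue
            if self.per_event_limit is not None and len(results) >= self.per_event_limit:
                break
            # No reply is only *suspected* spoofing: a firewall in front of a
            # genuine host can also swallow the probe (see Discussion).
            verdict = "genuine" if self.probe(ip) else "suspected-spoofed"
            self.verdicts[ip] = verdict
            results.append((ip, verdict))
        return results


def make_table_probe(responders: Set[str]) -> Callable[[str], bool]:
    """Constructed stand-in for a real probe: an IP 'replies' iff it is listed."""
    return lambda ip: ip in responders


def run_demo() -> Dict[str, str]:
    """Constructed trace: three genuine hosts, then a burst of never-seen
    addresses; W = 10 s, threshold = 3 new addresses per window."""
    responders = {"198.51.100.10", "198.51.100.11", "198.51.100.12"}
    mon = NewSourceMonitor(window=10, threshold=3, probe=make_table_probe(responders))
    packets = [
        (1, "198.51.100.10"), (2, "198.51.100.11"), (2, "198.51.100.10"),
        (3, "198.51.100.12"), (4, "203.0.113.77"),   # 4th new IP -> overflow, probe all
        (5, "203.0.113.78"),                         # still > threshold -> probe the newcomer
        (30, "203.0.113.79"),                        # window slid, count back to 1 -> no probe
    ]
    for t, ip in packets:
        mon.observe(t, ip)
    return dict(mon.verdicts)


if __name__ == "__main__":
    for ip, verdict in run_demo().items():
        print(ip, verdict)
```

In a deployment `seen` would need ageing as well, otherwise a long-running monitor never treats a returning address as new; the window deque already bounds the verification state, but the first-seen set grows with every distinct source.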
The rest of this paper is organized as follows. In Section 2 we review related work, and in Section 3 we describe the proposed event based detection technique for IP address spoofing. In Section 4 we describe the details of our experiments. In Section 5 we describe the operational limitations of our method and suggest a few workarounds, and finally we conclude in Section 6.
Related work
IP address spoofing detection and prevention methods can be broadly categorized into the following classes.
Cryptography based techniques: These techniques rely on cryptographic methods to verify the authenticity of received packets. Spoofing Prevention Method (SPM) [3] is a scheme in which participants (the involved autonomous systems, ASes) authenticate their packets with a source AS key. A source AS key is assigned to every autonomous system and is shared with all other autonomous systems. The recipient router or
Event based detection of spoofed IP addresses
In this section we describe our active verification method for detecting spoofed packets in the context of DDoS attacks.
Experimental evaluation
In this section we provide the details of the experimental setup and the results of the experiments. We experimented in a real network setup, choosing to probe either one IP address per overflow detected or more than one IP address per flow. These two settings are explained in the next two subsections.
Discussion
In this section, we describe a few operational limitations of our method and suggest ways to overcome these shortcomings. In addition we discuss a couple of methods to optimize probing.
1. Not Receiving a Probe Reply: Our model requires a probe reply to be received in order to differentiate between genuine and spoofed IP packets. In some cases a probe reply may not be received, for different reasons. One of the prominent reasons is a firewall installed ahead of the intended recipient that is configured to
Conclusion
Distributed Denial of Service attacks are among the most common and hardest to thwart cyber attacks. IP address spoofing is commonly used in DDoS attacks to generate random traffic towards a target machine. We argued that proactive detection of IP spoofing helps in detecting DDoS attacks. In this paper we described an active verification method for detecting spoofed IP packets. This method is useful in predicting DDoS attacks and works by proactively probing a bunch of new IP addresses seen in the last W time
References (26)
- et al., Analyzing well-known countermeasures against distributed denial of service attacks, Comput Commun (2012)
- et al., LAN attack detection using discrete event systems, ISA Trans (2011)
- et al., IP Traceback with deterministic packet marking, IEEE Commun Lett (2003)
- et al., Spoofing prevention method, INFOCOM ’05: 24th Annual joint conference of the IEEE computer and communications societies (2005)
- et al., Detecting and preventing IP-spoofed distributed DoS attacks, Int J Netw Secur (2008)
- CISCO....
- The CAIDA UCSD “DDoS Attack2007” dataset....
- Performing egress filtering (2008)
- Ferguson P., Senie D. (RFC 2827) Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source...
- Gont F., Bellovin S. (RFC 6528) Defending against Sequence Number Attacks....
- Hop-count filtering: an effective defense against spoofed DDoS traffic, CCS ’03: Proceedings of the 10th ACM conference on computer and communications security
- PacketScore: a statistics-based packet filtering scheme against distributed denial-of-service attacks, IEEE Trans Dependable Secure Comput
- Detecting IP spoofing by modelling history of IP address entry points, AIMS ’13: Proceedings of the autonomous infrastructure, management and security