An event based technique for detecting spoofed IP packets

https://doi.org/10.1016/j.jisa.2017.04.001

Abstract

Distributed Denial of Service (DDoS) attacks are among the most prominent network security attacks. In a DDoS attack, several machines send a large amount of network traffic to the victim using spoofed IP addresses. Unfortunately, there is no reliable technique for detecting spoofed IP packets. In this paper we argue that proactive detection of spoofed IP packets helps in predicting DDoS attacks, and we describe an event based detection method for identifying them. Our method works by proactively probing the sources of received packets to test their genuineness. The active probing technique uses inconsistencies in the TTL values of the received packets to decide whether the first packet was spoofed or genuine. We enumerate several possible spoofing scenarios with our detection method in place and identify the type of each from the response to probing. Further, we study the limitations of the event based method and discuss ways to overcome them. We design and experiment with all spoofing scenarios in a real network setup and report the results. With a few optimizations to the probing strategy, the overhead incurred can be reduced considerably, which makes the proposed technique useful for detecting DDoS attacks.

Introduction

IP address spoofing is commonly used in Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks [4] on the Internet. There are two types of DoS attacks: the first, logic based, exploits a weakness (vulnerability) in the implementation of a particular application; the second, flooding based, sends so many service requests that the recipient is overwhelmed. DDoS attacks are always of the second type. A schematic view of flooding based denial of service attacks is shown in Fig. 1, where many hosts each contribute a portion of the traffic towards a server, overwhelming it. The goal of any flooding based denial of service attack is to exhaust the resources available at the target and make the service unavailable for useful computation, thereby denying the service to some genuine users or requests. IP address spoofing gives the attacker the flexibility to conceal the source of the attack in such a scenario. Further, any host connected to the Internet can generate a packet with a spoofed source address with ease: raw socket programming, available in most flavors of UNIX systems, makes generating such a packet convenient. Several malicious programs, such as botnet programs, come with the ability to generate such packets under the instruction of a bot master.

Denial of Service and Distributed Denial of Service attacks have been addressed by researchers in two broad classes, preventive mechanisms and defensive mechanisms. Either of these can operate at the router/infrastructure level or at the individual machine level. Techniques such as Ingress [8] and Egress Filtering [7], Unicast Reverse Path Forwarding [5], which discards IP packets received on an interface different from the one that would be used to send a packet back to that source, and Traceroute work at the router level, while techniques such as Hop Count Filtering [11], [24] and making the initial sequence number of a TCP session truly random or a function of the source and destination addresses [9] work at the end host.

In this paper, we describe an active verification based technique to detect IP address spoofing in the event of DDoS attacks. Our approach is an event based, active probing technique which proactively initiates verification of the source IP address of a particular packet once the number of new IP addresses seen in a given time window exceeds a threshold. Our paper makes the following specific contributions.

  • An active verification technique to verify the authenticity of source IP address of a packet

  • A discrete event system formal model for describing the event based active verification mechanism

  • We experiment in a real network setup on the Internet by creating several spoofing scenarios and report the results of these experiments

The rest of this paper is organized as follows. In Section 2 we review the related work, and in Section 3 we describe the proposed event based detection technique for IP address spoofing. In Section 4 we give the details of our experiments. In Section 5 we describe the operational limitations of our method and suggest a few workarounds, and finally we conclude in Section 6.
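As an added illustration of the event based probing described in the abstract and introduction (example code written for this page, not the authors' implementation): a detector counts first-seen source addresses in a sliding window of W seconds and, once the count exceeds the threshold, probes the most recently seen unverified sources, comparing the hop count implied by the first packet's TTL with the hop count implied by the probe reply's TTL. The probe transport (abstracted as a callable), the window and threshold values, the inference of initial TTLs from the common OS defaults 32/64/128/255, and the sample trace and reply TTLs are all assumptions made for this example, not details taken from the paper. A missing reply is labelled unverified rather than spoofed, since a firewall that drops probes is not evidence of forgery.

```python
"""Event based, threshold-triggered TTL probing to flag spoofed source IPs.
Added illustration of the paper's idea, not the authors' code. Assumptions: the probe
transport is a callable returning the reply's IP TTL (None if no reply); initial TTLs
are inferred from common OS defaults 32/64/128/255; the traffic below is constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Set, Tuple

INITIAL_TTLS = (32, 64, 128, 255)  # assumption: common OS default initial TTLs


def infer_initial_ttl(observed_ttl: int) -> int:
    """Smallest common initial TTL that is >= the observed TTL."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    raise ValueError(f"TTL out of range: {observed_ttl}")


def hop_count(observed_ttl: int) -> int:
    """Hops traversed, inferred as initial TTL minus observed TTL."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


@dataclass(frozen=True)
class Verdict:
    src_ip: str
    packet_ttl: int           # TTL of the first packet seen from src_ip
    reply_ttl: Optional[int]  # TTL of the probe reply, None if none arrived
    label: str                # "genuine", "spoofed" or "unverified"


class EventBasedDetector:
    """Counts new source IPs in a sliding window; an overflow triggers probes."""

    def __init__(self, window: float, threshold: int,
                 prober: Callable[[str], Optional[int]], probes_per_overflow: int = 1):
        self.window, self.threshold = window, threshold
        self.prober, self.probes_per_overflow = prober, probes_per_overflow
        self.seen: Set[str] = set()
        self.new_in_window: Deque[Tuple[float, str]] = deque()
        self.first_ttl: Dict[str, int] = {}
        self.verdicts: Dict[str, Verdict] = {}

    def observe(self, ts: float, src_ip: str, ttl: int) -> List[Verdict]:
        """Feed one received packet; returns the verdicts this event produced."""
        if src_ip in self.seen:
            return []  # only the first packet from a source is an event
        self.seen.add(src_ip)
        self.first_ttl[src_ip] = ttl
        self.new_in_window.append((ts, src_ip))
        while self.new_in_window and ts - self.new_in_window[0][0] > self.window:
            self.new_in_window.popleft()  # expire events older than the window
        if len(self.new_in_window) <= self.threshold:
            return []
        issued: List[Verdict] = []  # overflow: probe the newest unverified sources
        for _, ip in reversed(self.new_in_window):
            if len(issued) >= self.probes_per_overflow:
                break
            if ip not in self.verdicts:
                self.verdicts[ip] = self.verify(ip)
                issued.append(self.verdicts[ip])
        return issued

    def verify(self, ip: str) -> Verdict:
        """Compare the hop count implied by the first packet with that of the reply."""
        packet_ttl, reply_ttl = self.first_ttl[ip], self.prober(ip)
        if reply_ttl is None:
            label = "unverified"  # probe dropped (e.g. by a firewall): not proof of spoofing
        elif hop_count(reply_ttl) == hop_count(packet_ttl):
            label = "genuine"  # a forger with a coincidentally equal hop count evades this
        else:
            label = "spoofed"
        return Verdict(ip, packet_ttl, reply_ttl, label)


# Constructed sample environment: reply TTL the real owner of each address produces.
REAL_HOST_REPLY_TTL: Dict[str, Optional[int]] = {
    "198.51.100.10": 60,  # initial TTL 64, 4 hops away
    "198.51.100.11": 61,  # initial TTL 64, 3 hops away
    "192.0.2.7": 250,     # real owner: initial TTL 255, 5 hops away
    "203.0.113.9": None,  # a firewall drops probes to this host
}


def simulated_probe(ip: str) -> Optional[int]:
    return REAL_HOST_REPLY_TTL.get(ip)


# Constructed trace of (time, claimed source, TTL). 192.0.2.7 is forged by an attacker
# 8 hops away on a host with initial TTL 128, so its hop count mismatches the owner's.
SAMPLE_TRACE = [(0.0, "198.51.100.10", 60), (0.5, "198.51.100.11", 61),
                (1.0, "192.0.2.7", 120), (1.2, "203.0.113.9", 57)]


def run_sample(threshold: int = 2, window: float = 5.0,
               probes_per_overflow: int = 1) -> Dict[str, str]:
    """Replay the trace and collect the label assigned to each probed source."""
    det = EventBasedDetector(window, threshold, simulated_probe, probes_per_overflow)
    labels: Dict[str, str] = {}
    for ts, src, ttl in SAMPLE_TRACE:
        for v in det.observe(ts, src, ttl):
            labels[v.src_ip] = v.label
    return labels
```

Calling `run_sample()` replays the trace with threshold 2: the third new address overflows the window, the forged 192.0.2.7 is probed and labelled spoofed (8 hops implied by the packet versus 5 hops implied by the reply), and the fourth address is labelled unverified because the probe is dropped. Raising `probes_per_overflow` corresponds to the experiment variant in which more than one address is probed per overflow, at the cost of more probe traffic; the genuine sources are then also verified.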

Section snippets

Related work

IP address spoofing detection and prevention methods can be broadly categorized into following cases.

Cryptography based techniques: These techniques rely on cryptographic methods to verify the authenticity of received packets. The Spoofing Prevention Method (SPM) [3] is a scheme in which participants (the autonomous systems, ASes, involved) authenticate their packets with a source AS key. A source AS key is assigned to every autonomous system and is shared with all other autonomous systems. Recipient router or

Event based detection of spoofed IP addresses

In this section we describe our active verification method for detecting spoofed packets in the context of DDoS attacks.

Experimental evaluation

In this section we provide the details of the experimental setup and the results of the experiments. We experimented in a real network setup, first probing one IP address per overflow detected and then probing more than one IP address per flow. These two variants are explained in the next two subsections.

Discussion

In this section, we describe a few operational limitations of our method and suggest methods to overcome these shortcomings. In addition, we discuss a couple of methods to optimize probing.

  1. Not Receiving a Probe Reply: Our model requires a probe reply to be received to differentiate between genuine and spoofed IP packets. In some cases a probe reply may not be received, for different reasons. One prominent reason is that a firewall installed ahead of the intended recipient is configured to

Conclusion

Distributed Denial of Service attacks are among the most common and hardest to thwart cyber attacks. IP address spoofing is commonly used in DDoS attacks to generate random-looking traffic towards a target machine. We argued that proactive detection of IP spoofing helps in detecting DDoS attacks. In this paper we described an active verification method for detecting spoofed IP packets. This method is useful in predicting DDoS attacks and works by proactively probing a bunch of new IP addresses seen in the last W time

References (26)

  • H. Beitollahi et al., Analyzing well-known countermeasures against distributed denial of service attacks, Comput Commun (2012)
  • N. Hubballi et al., LAN attack detection using discrete event systems, ISA Trans (2011)
  • A. Belenky et al., IP traceback with deterministic packet marking, IEEE Commun Lett (2003)
  • A. Bremler-Barr et al., Spoofing prevention method, INFOCOM '05: 24th Annual Joint Conference of the IEEE Computer and Communications Societies (2005)
  • Y. Chen et al., Detecting and preventing IP-spoofed distributed DoS attacks, Int J Netw Secur (2008)
  • CISCO....
  • The CAIDA UCSD "DDoS Attack 2007" dataset....
  • D. Distler, Performing egress filtering (2008)
  • P. Ferguson, D. Senie, RFC 2827: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source...
  • F. Gont, S. Bellovin, RFC 6528: Defending against Sequence Number Attacks....
  • C. Jin et al., Hop-count filtering: an effective defense against spoofed DDoS traffic, CCS '03: Proceedings of the 10th ACM Conference on Computer and Communications Security (2003)
  • Y. Kim et al., PacketScore: a statistics-based packet filtering scheme against distributed denial-of-service attacks, IEEE Trans Dependable Secure Comput (2006)
  • M. Kováčik et al., Detecting IP spoofing by modelling history of IP address entry points, AIMS '13: Proceedings of the Autonomous Infrastructure, Management and Security (2013)
Cited by (19)

  • Two statistical traffic features for certain APT group identification, Journal of Information Security and Applications (2022)
  • Preventing time synchronization in NTP broadcast mode, Computers and Security (2021)

    Citation excerpt: "3) Prevent IP spoofing: Since the proposed attack requires a malicious client to use spoofed IP addresses to send mode 5 and mode 3 packets to victim client and broadcast server respectively, any IP spoofing mitigation approach can prevent the proposed attack. Thus, techniques such as ingress/egress filtering (Ferguson and Senie, 2000; Hubballi and Tripathi, 2017b; Jin et al., 2003; Wang et al., 2007) can be implemented on the border routers to block malicious traffic. However, this approach will fail to mitigate the attack if it is launched within a local network."

  • An Online Entropy-Based DDoS Flooding Attack Detection System With Dynamic Threshold, IEEE Transactions on Network and Service Management (2022)