Published (Last): 6 May 2015
Prevention mechanisms are undermined by the ability of attackers to spoof the source addresses in IP packets. Using the technique called IP spoofing, attackers can avoid detection and place on the destination network the burden of policing attack packets. A key feature of the inter-domain packet filter (IDPF) scheme described here is that it does not require global routing information.
I establish the conditions under which the IDPF framework works correctly: it does not discard packets with valid source addresses. Even with partial deployment on the Internet, IDPFs can proactively limit the spoofing capability of attackers.
In addition, they can help localize the origin of an attack packet to a small number of participant networks. With IP spoofing, attackers can avoid detection and place on the destination network the burden of policing attack packets. A key feature of this scheme is that it does not require global routing information. The condition under which the IDPF framework works correctly is established: it does not discard packets with valid source addresses. Every IP packet carries a source address, and the recipient sends its replies to the sender using that address.
However, the protocol does not verify that this address is correct, so an attacker can set the source address to any value it wishes. This is done exclusively for malicious or inappropriate purposes. Since attackers can exploit this weakness in many attacks, it is useful to know whether network traffic contains spoofed source addresses. In practice, spoofed packets are sent for illegitimate purposes.
Sending IP packets with fake source addresses is known as packet spoofing, and attackers use it for several purposes: obscuring the true source of the attack, implicating another site as the attack origin, pretending to be a trusted host, intercepting network traffic, or sending fake replies aimed at another system.
Because none of these is wanted, it is useful to determine whether a packet has a spoofed source address. During an ongoing attack it is also advantageous to determine whether the attack comes from a particular location. In most situations, this scheme makes it possible to determine whether packets are spoofed and where they originate.
Spoofing of network traffic can occur at different layers; examples include network layer spoofing as well as session and application layer spoofing. All of these raise security concerns. This project concentrates mainly on IP spoofing. A separate issue, not treated here, is attacks that cause packets to be routed to a different host than the sender intends.
These are attacks on routing and the DNS system. Packet spoofing, as discussed here, is restricted to false source addresses in the IP packet header. IP spoofing gives the attacker several advantages. First, it makes isolating attack traffic from lawful traffic harder: packets with spoofed source addresses may appear to come from all around the Internet. Second, it presents the attacker with an easy way to introduce a level of indirection.
As a result, considerable effort is required to localize the source of the attack traffic. Finally, flood attacks use IP spoofing and require the ability to forge source addresses. A single AS acting alone can have only a limited impact on identifying and discarding forged IP flows. Disadvantages of packet-filtering routers: IP spoofing may occur easily. Because a packet-filtering router permits or denies a network connection based only on the source and destination addresses of the packet, any attack that uses a valid IP address may go undetected.
Packet-filtering rules are hard to design and configure. Definition 1: stable routing state. A routing system is in a stable state if all the nodes have selected a best route to reach the other nodes and no route updates are generated. Definition 2: route-based packet filtering. Node v accepts packet M(s, d) forwarded from node u if and only if the link e(u, v) belongs to R(s, d). Otherwise, the source address of the packet is spoofed, and the packet is discarded by v.
Definition 3: correctness of packet filtering. A packet filter is correct if it does not discard packets with valid source addresses when the routing system is stable. Advantages: IDPFs can significantly limit the spoofing capability of an attacker. They also help to locate the origin of an attack packet to within a small number of participant networks, thereby making the reactive IP traceback process much simpler. DDoS attacks are observed on a daily basis on most large networks.
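To make Definitions 2 and 3 concrete, the following added example (written for this page, not code from the essay or from the IDPF paper it summarizes) models route-based packet filtering on a small constructed AS topology. It assumes that R(s, d) is the set of directed links on the best route from s to d and that best routes are shortest hop-count paths, which is the global-routing-information view that IDPFs later relax; the topology, AS numbers and packets are all constructed.

```python
"""Route-based packet filtering (Definition 2) and the correctness check of
Definition 3, over a constructed AS-level topology.  Assumption: R(s, d) is
the set of directed links (u, v) on the single best route from s to d, and
the best route is the shortest path by hop count (BFS order breaks ties)."""
from collections import deque

# Constructed topology: AS number -> neighbouring AS numbers (undirected links).
TOPOLOGY = {
    1: [2, 3],
    2: [1, 4],
    3: [1, 4],
    4: [2, 3, 5],
    5: [4],
}


def best_route(topology, s, d):
    """Return the best route from s to d as an ordered list of AS numbers
    (shortest path; neighbours are visited in sorted order, so the result is
    deterministic), or None if d is unreachable from s."""
    parent = {s: None}
    queue = deque([s])
    while queue:
        node = queue.popleft()
        if node == d:
            break
        for nxt in sorted(topology[node]):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    if d not in parent:
        return None
    path, cur = [], d
    while cur is not None:
        path.append(cur)
        cur = parent[cur]
    return path[::-1]


def route_edges(topology, s, d):
    """R(s, d): the set of directed links that lie on the best route s -> d."""
    path = best_route(topology, s, d)
    if path is None:
        return set()
    return set(zip(path, path[1:]))


def accepts(topology, v, u, packet):
    """Definition 2: node v accepts packet M(s, d) forwarded from neighbour u
    if and only if e(u, v) is in R(s, d); otherwise the source is treated as
    spoofed and the packet is discarded."""
    s, d = packet
    return (u, v) in route_edges(topology, s, d)


def filter_is_correct(topology):
    """Definition 3: with routing stable, a correct filter never discards a
    packet whose source address is valid.  Forward every M(s, d) along its
    own best route and require every hop to accept it."""
    for s in topology:
        for d in topology:
            if s == d:
                continue
            path = best_route(topology, s, d)
            for u, v in zip(path, path[1:]):
                if not accepts(topology, v, u, (s, d)):
                    return False
    return True


if __name__ == "__main__":
    # A packet claiming source AS 1, destined for AS 5, travelling on its real
    # route 1 -> 2 -> 4 -> 5 is accepted at AS 4 when it arrives from AS 2.
    print(accepts(TOPOLOGY, 4, 2, (1, 5)))
    # The same packet arriving at AS 4 from AS 3 is not on R(1, 5): discarded.
    print(accepts(TOPOLOGY, 4, 3, (1, 5)))
    # A packet forged at AS 5 claiming source AS 1 and sent to AS 2 arrives at
    # AS 2 from AS 4, but R(1, 2) is the direct link {(1, 2)}: discarded.
    print(accepts(TOPOLOGY, 2, 4, (1, 2)))
    print(filter_is_correct(TOPOLOGY))
```

The third case is the property the essay relies on: a forged source address forces the packet onto a link that the real best route from that source never uses, so the filter at the receiving node can reject it without ever inspecting payloads. The second case shows the cost of the strict Definition 2 rule, which needs exact knowledge of the route from s to d at every node; the IDPF construction discussed later replaces R(s, d) with the set of feasible upstream neighbours learned from BGP announcements.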
One of the factors that complicate the mechanisms for policing such attacks is IP spoofing, the act of forging the source addresses in IP packets. By pretending to be a different host, an attacker can hide its true identity and location, rendering source-based packet filtering less effective. The basic protocol for sending data over the Internet and many other computer networks is the Internet Protocol (IP).
The header of each IP packet contains the source and destination addresses of the packet. The source address is the address the packet was sent from. By forging the header, an attacker can make it appear that the packet was sent by a different machine. The machine that receives spoofed packets will send its responses back to the forged source address, so this technique is mainly used when the attacker does not care about the response or has some way of guessing it.
In certain cases, it might be possible for the attacker to see or redirect the response to his own machine. IP spoofing is most frequently used in denial-of-service attacks. In such attacks, the goal is to flood the victim with vast amounts of traffic, and the attacker does not care about receiving responses to his attack packets.
Packets with spoofed addresses are thus well suited to such attacks. They are more difficult to filter, since each spoofed packet appears to come from a different address, and they hide the true source of the attack. Denial-of-service attacks that use spoofing randomly choose addresses from the entire IP address space, though more sophisticated spoofing mechanisms might avoid unroutable addresses or unused portions of the IP address space. The rise of large botnets makes spoofing less important in denial-of-service attacks, but attackers still have spoofing available as a tool, so defenses against denial-of-service attacks that rely on the validity of the source IP address in attack packets might have trouble with spoofed packets.
IP spoofing is a method of attack used by network intruders to defeat network security measures such as authentication based on IP addresses. This method of attack on a remote system can be extremely difficult, as it involves modifying thousands of packets at a time. It is most effective where trust relationships exist between machines. For example, it is common on some corporate networks for internal systems to trust each other, so that a user can log in without a username or password provided he is connecting from another machine on the internal network and so must already be logged in.
By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authenticating.
Both the selection and the propagation of best routes are governed by locally defined routing policies. Two distinct sets of routing policies are typically employed by a node: import policies and export policies. Import policies: neighbor-specific import policies are applied to routes learned from neighbors. Export policies: neighbor-specific export policies are imposed on locally selected best routes before they are propagated to the neighbors.
Let r be a route to destination d received at v from node u. If r is accepted by the import policy that v applies to u, it joins the set of candidate routes candidateR(v, d); from this set, node v selects a single best route to reach the destination based on a well-defined procedure. To aid the description, I denote the outcome of the selection procedure at node v, that is, the best route, as bestR(v, d), which reads "the best route to destination d at node v". Having selected bestR(v, d) from candidateR(v, d), v then exports the route to its neighbors after applying neighbor-specific export policies.
The export policies determine whether a route should be forwarded to the neighbor and, if so, modify the route attributes according to the policies. BGP is an incremental protocol: updates are generated only in response to network events. In the absence of any event, no route updates are triggered or exchanged between neighbors, and the routing system is in a stable state.
IDPFs are deployed at the border routers so that IP packets can be inspected before they enter the network. If the source address is not valid, the filter discards the packet.
Following a network failure, the set of feasible upstream neighbors will not admit more members during the period of routing convergence, assuming that AS relationships are static, which is true in most cases. Hence, for the first type of routing dynamics (network failure), there is no possibility that the filters will block a valid packet.
In this situation, although u may explore and announce multiple routes to v during the path exploration process, the filtering function of v is unaffected. Now, both u and u0 may explore multiple routes; however, since u0 has already announced a route to s to v, the IDPF at v can correctly filter (that is, accept) packet M(s, d) when it is forwarded from u0.
Consequently, AS v will also not be able to reach s, and v will no longer be on the best route between s and d. No new packet M(s, d) should be sent through v. The other concern of routing dynamics relates to how a newly connected network, or a network recovered from a fail-down event, will be affected.
In general, a network may start sending data immediately after announcing a new prefix, even before the route has had time to propagate to the rest of the Internet. While the route is propagating, packets from this prefix may be discarded by IDPFs that have not yet received the reachability information. However, the mitigating factor here is that, in contrast to the long convergence delay that follows a failure, reachability for the new prefix is distributed far more quickly.
In general, the time taken for such new prefix information to reach an IDPF is proportional to the shortest AS path between the IDPF and the originator of the prefix, and independent of the number of alternate paths between the two.
Previous work has established this bound, with L being the diameter of the AS graph. It is believed that on this short timescale it is acceptable for IDPFs to potentially behave incorrectly by discarding valid packets. One alternative solution is to allow a neighbor to continue forwarding packets from a source within a grace period after the corresponding network prefix has been withdrawn by the neighbor. In this case, during this short period, IDPFs may fail to discard spoofed attack packets.
However, given that most DDoS attacks require a persistent train of packets to be directed at a victim, not discarding spoofed packets for this short period of time should be acceptable.
I plan to further investigate the related issues in the future. In short, IDPFs can handle the routing dynamics caused by network failures, which may cause long route convergence times.
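The grace-period alternative above trades a short window of possibly accepted spoofed packets for never discarding valid ones while a withdrawal settles. The following added example (written for this page, not code from the essay) shows that trade-off at a single border router: the filter tracks, per neighbor and per source prefix, whether a route is currently announced and when it was last withdrawn, and keeps accepting packets from a withdrawn prefix for a fixed grace period. The 30-second grace value, the neighbor AS numbers, the prefix and the event timeline are all constructed; the essay does not specify a grace period length.

```python
"""An IDPF table at one border router that tolerates routing dynamics with a
grace period after route withdrawal.  Values below are constructed; the
essay leaves the length of the grace period unspecified."""

GRACE_SECONDS = 30.0  # constructed value, chosen only for the example


class GracefulIDPF:
    def __init__(self, grace=GRACE_SECONDS):
        self.grace = grace
        self.active = {}        # (neighbour, prefix) -> True while the route is announced
        self.withdrawn_at = {}  # (neighbour, prefix) -> time of the most recent withdrawal

    def announce(self, neighbour, prefix):
        """Neighbour exported a route to prefix: it becomes a feasible upstream."""
        self.active[(neighbour, prefix)] = True
        self.withdrawn_at.pop((neighbour, prefix), None)

    def withdraw(self, neighbour, prefix, now):
        """Neighbour withdrew its route: start the grace clock instead of
        dropping the neighbour from the feasible set immediately."""
        if self.active.pop((neighbour, prefix), None):
            self.withdrawn_at[(neighbour, prefix)] = now

    def accepts(self, neighbour, src_prefix, now):
        """Accept a packet with source in src_prefix from neighbour if the route
        is announced, or was withdrawn no more than `grace` seconds ago."""
        key = (neighbour, src_prefix)
        if key in self.active:
            return True
        t = self.withdrawn_at.get(key)
        return t is not None and now - t <= self.grace

    def expire(self, now):
        """Forget withdrawals whose grace period has elapsed, bounding table size."""
        self.withdrawn_at = {k: t for k, t in self.withdrawn_at.items()
                             if now - t <= self.grace}


def replay(events, grace=GRACE_SECONDS):
    """Apply a timeline of ("announce"|"withdraw"|"packet", neighbour, prefix, t)
    events and return the filter decision for each packet, in order."""
    idpf = GracefulIDPF(grace)
    decisions = []
    for kind, neighbour, prefix, t in events:
        if kind == "announce":
            idpf.announce(neighbour, prefix)
        elif kind == "withdraw":
            idpf.withdraw(neighbour, prefix, t)
        elif kind == "packet":
            decisions.append(idpf.accepts(neighbour, prefix, t))
        else:
            raise ValueError(f"unknown event kind: {kind}")
    return decisions


# Constructed timeline: AS 20 announces and later withdraws 203.0.113.0/24;
# AS 30 never announces it.
EVENTS = [
    ("announce", 20, "203.0.113.0/24", 0.0),
    ("packet",   20, "203.0.113.0/24", 5.0),    # announced: accept
    ("packet",   30, "203.0.113.0/24", 5.0),    # never announced: discard
    ("withdraw", 20, "203.0.113.0/24", 10.0),
    ("packet",   20, "203.0.113.0/24", 20.0),   # 10 s after withdrawal: within grace, accept
    ("packet",   20, "203.0.113.0/24", 50.0),   # 40 s after withdrawal: grace over, discard
    ("announce", 20, "203.0.113.0/24", 60.0),
    ("packet",   20, "203.0.113.0/24", 61.0),   # re-announced: accept
]

if __name__ == "__main__":
    print(replay(EVENTS))  # [True, False, True, False, True]
```

The fifth decision is the behavior the essay calls acceptable: for the length of the grace period, a neighbor that has just withdrawn a prefix can still deliver packets claiming that prefix, spoofed or not, so a sustained flood is caught as soon as the window closes while a legitimate sender caught mid-convergence is not cut off. The `expire` step matters operationally, since a router that never forgets old withdrawals would grow its table with every route flap.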
Controlling IP Spoofing Through Interdomain Packet Filter: Computer Science Essay