IP Spoofing Research Articles

Evil Twin Attack Mitigation Techniques in 802.11 Networks

Evil Twin Wi-Fi attack is an attack on the 802.11 IEEE standard. The attack poses a threat to wireless connections. Evil Twin Wi-Fi attack is one of the attacks which has been there for a long time. Once the Evil Twin Wi-Fi attack is performed this acts as a gateway to many other attacks such as DNS spoofing, SSL Strip, IP Spoofing, and many more attacks. Thus, preventing the attack is essential for privacy and data security. This paper will be going through in detail how the attack is performed and different measures to prevent the attack. The proposed algorithm sniffs for fake AP using the whitelist in all the channels, once an unauthorized AP is detected the user has an option to de-authenticate any user in the unauthorized network in case any clients do connect to it by accident also the algorithm will be checking if any de-authentication frame is being sent to any of the AP to know which of the AP is being compromised. The efficiency of proposed approach is verified by simulating and mitigating the evil-twin attack.

Boğaziçi University distributed denial of service dataset.

Distributed Denial of Service (DDoS) attacks is one of the most troublesome intrusions for online services on the internet. In general DDoS attacks are divided into two categories as bandwidth depletion and resource depletion attacks. We generate resource depletion-type DDoS attacks on the campus network of Boğaziçi University and recorded the ongoing traffic from the backbone router's mirrored port. We generate TCP SYN, and UDP flooding packets using Hping3 traffic generator software by flooding. This dataset includes attack-free user traffic and attack traffic, which is suitable for evaluating network-based DDoS detection methods. Attacks are towards one victim server connected to the backbone router of the campus. Attack packets have randomly generated spoofed source IP addresses. We removed payloads of packets and anonymized the source IP addresses of legitimate users for the confidentiality of legitimate users.

Zero-Knowledge Proof Based Authentication Over Untrusted Networks

Zero knowledge proof is a powerful cryptographic protocol that is utilized to establish data security whilst ensuring and maintaining user anonymity. ZKP has relatively less complex computational requirements as compared to the other protocols for authentication. Conventional authentication schemes are susceptible to attacks such as MiTM, IP spoofing, DoS, replay and other eavesdropping based attacks, when the data is shared across an untrusted network. This paper shows an approach to ensure authentication of a device over an untrusted network whilst maintaining and safeguarding user credentials, by using the concepts of ZKP protocol.

Multi-layered intrusion detection and prevention in the SDN/NFV enabled cloud of 5G networks using AI-based defense mechanisms

Software defined networking (SDN), network function virtualization (NFV), and cloud computing are receiving significant attention in 5G networks. However, this attention creates a new challenge for security provisioning in these integrated technologies. Research in the field of SDN, NFV, cloud computing, and 5G has recently focused on the intrusion detection and prevention system (IDPS). Existing IDPS solutions are inadequate, which could cause large resource wastage and several security threats. To alleviate security issues, timely detection of an attacker is important. Thus, in this paper, we propose a novel approach that is referred to as multilayered intrusion detection and prevention (ML-IDP) in an SDN/NFV-enabled cloud of 5G networks. The proposed approach defends against security attacks using artificial intelligence (AI). In this paper, we employed five layers: data acquisition layer, switches layer, domain controllers (DC) layer, smart controller (SC) layer, and virtualization layer (NFV infrastructure). User authentication is held in the first layer using the Four-Q-Curve algorithm. To address the flow table overloading attack in the switches layer, the game theory approach, which is executed in the IDP agent, is proposed. The involvement of the IDP agent is to completely avoid a flow table overloading attack by a deep reinforcement learning algorithm, and thus, it updates the current state of all switches. In the DC layer, packets are processed and classified into two classes (normal and suspicious) by a Shannon Entropy function. Normal packets are forwarded to the cloud via the SC. Suspicious packets are sent to the VNF using a growing multiple self-organization map (GM-SOM). The proposed ML-IDP system is evaluated using NS3.26 for different security attacks, including IP Spoofing, flow table overloading, DDoS, Control Plane Saturation, and host location hijacking. From the experiment results, we proved that the ML-IDP with AI-based defense mechanisms effectively detects and prevents attacks.

INTERNET TRAFFIC ANALYSIS: MAPREDUCE BASED TRAFFIC FLOW CLASSIFICATION IN HADOOP ENVIRONMENT

Internet is the global network that interconnects entities all over the world. This unparalleled network has occupied the mandatory part in the life of every individual. In recent days, due to the increase in the number of flow, the internet traffic is increased. The increasing traffic is flooding with the DDoS flows from multiple DDoS attackers. If DDoS flow traffic enters the internet, then there will be a drastic increase in the utilization of resources. Due to this, the legitimate traffic will not get proper service. In order to address the above issues, this paper has proposed an approach that classifies the internet traffic as Normal traffic flow or DDoS traffic flow. A huge volume of traffic flows is analyzed in this paper and the results are presented. The MapReduce is implemented for the classification as it accurately maps the flow features and reduces them into the appropriate traffic type. The incoming traffic is classified into one of the three categories as Web Traffic, DDoS Traffic (Heavy User) or DDoS Traffic (Spoofed IP). The main objective of this paper is to classify structured as well as unstructured data of IP, TCP, HTTP and NetFlow analysis. The experimental observations were carried out in the Hadoop 2.7.2 environment. The dataset is obtained from Wireshark, which consists of traffic flow based on latest traffic pattern. Hadoop Distributed File System (HDFS) and MapReduce components of Hadoop are used under the metrics as Work Completion Time, Throughput and Accuracy.

Detection of Spoofed IP nodes using BAT Algorithm and Extreme Learning Machine

IP spoofing is known as the most important cyber-attack which is the source for DoS or DDoS attacks where the attacker is hidden inside the network and makes the computer resource services unavailable to the users. The attacker once done with spoofing the IP address will start to flood the system with keeping on sending requests and make the network bandwidth slow to the extent. This paper contains the literature study of the different types of defence mechanisms from different authors used few decades before to detect and mitigate the Spoofed IP nodes at router, host level and recently some author come up with ideas of using computational intelligence methods for detecting the different types of attacks in wireless communications which results in accurate prediction. This paper provides creating a threat model of detecting the Spoofed IP nodes among 105 network wireless communication scenario using computational intelligence algorithm, the features are selected from the simulated raw data and preprocessed by using BAT optimization algorithm and features are converted to ELM readable format and then they are trained and learned using Extreme learning machine algorithm to predict the accurate detection of the Spoofed IP nodes in the wireless communication network scenario. The proposed method provides high accuracy in detection of Spoofed IP nodes with respect to some performance metrics like end to end delay, throughput, packet delivery ratio, packet drop ratio and it is compared with the KNN-SVM exiting model proved the results.

Detecting Saturation Attacks Based on Self-Similarity of OpenFlow Traffic

As a new networking paradigm, Software-Defined Networking (SDN) separates data and control planes to facilitate programmable functions and improve the efficiency of packet delivery. Recent studies have shown that there exist various security threats in SDN. For example, a saturation attack may disturb the normal delivery of packets and even make the SDN system out of service by flooding the data plane, the control plane, or both. The existing research has focused on saturation attacks caused by SYN flooding. This paper presents an anomaly detection method, called SA-Detector, for dealing with a family of saturation attacks through IP spoofing, ICMP flooding, UDP flooding, and other types of TCP flooding, in addition to SYN flooding. SA-Detector builds upon the study of self-similarity characteristics of OpenFlow traffic between the control and data planes. Our work has shown that the normal and abnormal traffic flows through the OpenFlow communication channel have different statistical properties. Specifically, normal OpenFlow traffic has a low self-similarity degree whereas the occurrences of saturation attacks typically imply a higher degree of self-similarity. Therefore, SA-Detector exploits statistical results and self-similarity degrees of OpenFlow traffic, measured by Hurst exponents, for anomaly detection. We have evaluated our approach in both physical and simulation SDN environments with various time intervals, network topologies and applications, Internet protocols, and traffic generation tools. For the physical SDN environment, the average accuracy of detection is 97.68% and the average precision is 94.67%. For the simulation environment, the average accuracy is 96.54% and the average precision is 92.06%. In addition, we have compared SA-Detector with the existing saturation attack detection methods in terms of the aforementioned performance metrics and controller’s CPU utilization. The experiment results indicate that SA-Detector is effective for the detection of saturation attacks in SDN.

Proposed an Algorithm for Preventing IP Spoofing DoS Attack on Neighbor Discovery Protocol of IPv6 in Link Local Network

Duplicate Address Detection (DAD) is one of the most interesting features in IPv6. It allows nodes to connect to a network by generating a unique IP address. It works on two Neighbor Discovery (ND) messages, namely, Neighbor Solicitation (NS) and Neighbor Advertisement (NA). To verify the uniqueness of generating IP, it sends that IP address via NS message to existing hosts. Any malicious node can receive NS message and can send a spoof reply, thereby initiates a DoS attack and prevents auto configuration process. In this manner, DAD is vulnerable to such DoS attack. This study aims to prevent those malicious nodes from sending spoof reply by securing both NS and NA messages. The proposed Advanced Bits Security (ABS) technique is based on Blake2 algorithm and introducing a creative option called ABS field that holds the hash value of tentative IP address and attached to both NA and NS message. We expect the ABS technique can prevent spoof reply during DAD procedure in link local network and can prevent DoS attack

Proposed an Algorithm for Preventing IP Spoofing DoS Attack on Neighbor Discovery Protocol of IPv6 in Link Local Network

Duplicate Address Detection (DAD) is one of the most interesting features in IPv6. It allows nodes to connect to a network by generating a unique IP address. It works on two Neighbor Discovery (ND) messages, namely, Neighbor Solicitation (NS) and Neighbor Advertisement (NA). To verify the uniqueness of generating IP, it sends that IP address via NS message to existing hosts. Any malicious node can receive NS message and can send a spoof reply, thereby initiates a DoS attack and prevents auto configuration process. In this manner, DAD is vulnerable to such DoS attack. This study aims to prevent those malicious nodes from sending spoof reply by securing both NS and NA messages. The proposed Advanced Bits Security (ABS) technique is based on Blake2 algorithm and introducing a creative option called ABS field that holds the hash value of tentative IP address and attached to both NA and NS message. We expect the ABS technique can prevent spoof reply during DAD procedure in link local network and can prevent DoS attack

Exploiting the Remote Server Access Support of CoAP Protocol

The constrained application protocol (CoAP) is a specially designed Web transfer protocol for use with constrained nodes and low-power networks. The widely available CoAP implementations have failed to validate the remote CoAP clients. Each CoAP client generates a random source port number when communicating with the CoAP server. However, we observe that in such implementations it is difficult to distinguish the regular packet and the malicious packet, opening a door for a potential off-path attack. The off-path attack is considered a weak attack on a constrained network and has received a less attention from the research community. However, the consequences resulting from such an attack cannot be ignored in practice. In this article, we exploit the combination of IP spoofing vulnerability and the remote server access support of CoAP is to be launch an off-path attack. The attacker injects a fake request message to change the credentials of the 6LoWPAN smart door keypad lock system. This creates a request spoofing vulnerability in CoAP, and the attacker exploits this vulnerability to gain full access to the system. Through our implementation, we demonstrated the feasibility of the attack scenario on the 6LoWPAN-CoAP network using smart door keypad lock. We proposed a machine learning (ML)-based approach to mitigate such attacks. To the best of our knowledge, we believe that this is the first article to analyze the remote CoAP server access support and request spoofing vulnerability of CoAP to launch an off-path attack and demonstrate how an ML-based approach can be deployed to prevent such attacks.

Method for Assessing Effectiveness of Protection of Electronic Document Management using the Petri and Markov Nets Apparatus

Traditional approaches to assessing the effectiveness of information security, based on a comparison of the possibilities of realizing threats to information security in absence and application of protection measures, do not allow to analyze the dynamics of suppression by security measures of the process of implementing threats. The paper proposes a new indicator of the effectiveness of protection of electronic documents, aimed at assessing the possibility of advancing security measures of the process of implementing threats in electronic document management systems using the probability-time characteristics of the dynamics of the application of protection measures and the implementation of threats to electronic documents. Mathematical models were developed using the Petri-Markov network apparatus and analytical relationships were obtained for calculating the proposed indicator using the example of the "traffic tunneling" threat (placing intruder packets in trusted user packets) and unauthorized access (network attacks) to electronic documents, as well as the threat of intrusion of malicious program by carrying out an "blind IP spoofing" attack (network address spoofing). Examples of calculating the proposed indicator and graphs of its dependence on the probability of detecting network attacks by the intrusion detection system and on the probability of malware detection by the anti-virus protection system are given. Quantitative dependencies are obtained for the effectiveness of protection of electronic documents due to being ahead of protection measures for threat realization processes, both on the probability of detecting an intrusion or the probability of detecting a malicious program, and on the ratio of the time spent by the protection system on detecting an attempt to implement a threat and taking measures to curb its implementation, and threat implementation time. Models allow not only to evaluate the effectiveness of measures to protect electronic documents from threats of destruction, copying, unauthorized changes, etc., but also to quantify the requirements for the response time of adaptive security systems to detectable actions aimed at violating the security of electronic documents, depending on the probability -temporal characteristics of threat realization processes, to identify weaknesses in protection systems related to the dynamics of threat realization and the reaction of defense systems to such threats electronic document.

Policy-Based Security Management System for 5G Heterogeneous Networks

Advances in mobile phone technology and the growth of associated networks have been phenomenal over the last decade. Therefore, they have been the focus of much academic research, driven by commercial and end-user demands for increasingly faster technology. The most recent generation of mobile network technology is the fifth generation (5G). 5G networks are expected to launch across the world by 2020 and to work with existing 3G and 4G technologies to provide extreme speed despite being limited to wireless technologies. An alternative network, Y-Communication (Y-Comm), proposes to integrate the current wired and wireless networks, attempting to achieve the main service requirements of 5G by converging the existing networks and providing an improved service anywhere at any time. Quality of service (QoS), vertical handover, and security are some of the technical concerns resulting from this heterogeneity. In addition, it is believed that the Y-Comm convergence will have a greater influence on security than was the case with the previous long-term evolution (LTE) 4G networks and with future 5G networks. The purpose of this research is to satisfy the security recommendations for 5G mobile networks. This research provides a policy-based security management system, ensuring that end-user devices cannot be used as weapons or tools of attack, for example, IP spoofing and man-in-the-middle (MITM) attacks. The results are promising, with a low disconnection rate of less than 4% and 7%. This shows the system to be robust and reliable.

Development of Internet Protocol Traceback Scheme for Detection of Denial-of-Service Attack

To mitigate the challenges that Flash Event (FE) poses to IP-Traceback techniques, this paper presents an IP Traceback scheme for detecting the source of a DoS attack based on Shark Smell Optimization Algorithm (SSOA). The developed model uses a discrimination policy with the hop-by-hop search. Random network topologies were generated using the WaxMan model in NS2 for different simulations of DoS attacks. Discrimination policies used by SSOA-DoSTBK for the attack source detection in each case were set up based on the properties of the detected attack packets. SSOA-DoSTBK was compared with a number of IP Traceback schemes for DoS attack source detection in terms of their ability to discriminate FE traffics from attack traffics and the detection of the source of Spoofed IP attack packets. SSOA-DoSTBK IP traceback scheme outperformed ACS-IPTBK that it was benchmarked with by 31.8%, 32.06%, and 28.45% lower FER for DoS only, DoS with FE, and spoofed DoS with FE tests respectively, and 4.76%, 11.6%, and 5.2% higher performance in attack path detection for DoS only, DoS with FE, and Spoofed DoS with FE tests, respectively. However, ACS-IPTBK was faster than SSOA-DoSTBK by 0.4%, 0.78%, and 1.2% for DoS only, DoS with FE, and spoofed DoS with FE tests, respectively. Keywords : DoS Attacks Detection, Denial-of-Service, Internet Protocol, IP Traceback, Flash Event, Optimization Algorithm.

IP Spoofing In and Out of the Public Cloud: From Policy to Practice

In recent years, a trend that has been gaining particular popularity among cybercriminals is the use of public Cloud to orchestrate and launch distributed denial of service (DDoS) attacks. One of the suspected catalysts for this trend appears to be the increased tightening of regulations and controls against IP spoofing by world-wide Internet service providers (ISPs). Three main contributions of this paper are (1) For the first time in the research literature, we provide a comprehensive look at a number of possible attacks that involve the transmission of spoofed packets from or towards the virtual private servers hosted by a public Cloud provider. (2) We summarize the key findings of our research on the regulation of IP spoofing in the acceptable-use and term-of-service policies of 35 real-world Cloud providers. The findings reveal that in over 50% of cases, these policies make no explicit mention or prohibition of IP spoofing, thus failing to serve as a potential deterrent. (3) Finally, we describe the results of our experimental study on the actual practical feasibility of IP spoofing involving a select number of real-world Cloud providers. These results show that most of the tested public Cloud providers do a very good job of preventing (potential) hackers from using their virtual private servers to launch spoofed-IP campaigns on third-party targets. However, the same very own virtual private servers of these Cloud providers appear themselves vulnerable to a number of attacks that involve the use of spoofed IP packets and/or could be deployed as packet-reflectors in attacks on third party targets. We hope the paper serves as a call for awareness and action and motivates the public Cloud providers to deploy better techniques for detection and elimination of spoofed IP traffic.

SIPAV-SDN: Source Internet Protocol Address Validation for Software Defined Network

SDN technology is becoming every day more popular and big data centers and organizational networks have started deploying for its advantages. Current development of SDN network relies on target host IP address of packet and OFSwitches ignores checking of source host IP. SDN has separated control planes and data planes and OpenFlow protocol enabled switches are used as packet forwarding devices. The SDN controller controls flow of data packet through forwarding devices and when these are turned on, do not have any control and defense. The devices are not able to handle packet arriving from connected host. In this case, data packets of hosts are sent to the controller forwarding device for inspection and control packet creation for data packet and setting up required matching entries in flow table of forwarding device for such type of data packets generated by the hosts. The attackers can generate packets with Spoofed source IP address and perform various types of attacks. In this research paper, we offer a scheme as Source IP Address Validation for Software Defined Network (SIPAV-SDN) to check packet’s source host IP address by binding source host IP Address and MAC address with switch port. It maintains a HostTable at Controller for verification of source host IP and MAC with switch port and only forwards the packets which have valid sources host IP address. We also simulated SIPAV-SDN with hybrid SDN network and experiment results have shown that it achieved 100% packet filtering accuracy for IP spoofed TCP, UDP and ICMP packet attacks. We used python programming language for RYU controller in Mininet network emulator.

Software Defined Based Pure VPN Protocol for Preventing IP Spoofing Attacks in IOT

The Internet of things (IoT) is the network of devices, vehicles, and home appliances that contain electronics, software, actuators, and connectivity which allows these things to connect, interact and exchange data. IoT involves extending Internet connectivity beyond standard devices, such as desktops, laptops, smart phones and tablets, to any range of traditionally dumb or non-internet-enabled physical devices and everyday objects. Embedded with technology, these devices can communicate and interact over the Internet, and they can be remotely monitored and controlled. Traditionally, current internet packet delivery only depends on packet destination IP address and forward devices neglect the validation of packet’s IP source address. It makes attacks can leverage this flow to launch attacks with forge IP source address so as to meet their violent purpose and avoid to be tracked. In order to reduce this threat and enhance internet accountability, many solution proposed in the inter domain and intra domain aspects. Furthermore, most of them faced with some issues hard to cope, i.e., data security, data privacy. And most importantly code cover PureVPN protocol for both inter and intra domain areas. The novel network architecture of SDN possess whole network PureVPN protocol rule instead of traditional SDN switches, which brings good opportunity to solve IP spoofing problems. However, use authentication based on key exchange between the machines on your network; something like IP Security protocol will significantly cut down on the risk of spoofing. This paper proposes a SDN based PureVPN protocol architecture, which can cover both inter and intra domain areas with encrypted format effectively than SDN devices. The PureVPN protocol scheme is significant in improving the security and privacy in SDN for IoT.

Implementation of Defense in Depth Strategy to Secure Industrial Control System in Critical Infrastructures

The goal of this communication is to examine the implementation of defense in depth strategy to secure the industrial control systems (ICS) from threats, hackers, vandals and other ones that can damage the critical infrastructures (gas transportation network, power transmission network, power generation, power distribution grids, air traffic, petrochemical industries, rail traffic, military industries) and others big infrastructures that affect large number of persons and security of nations [1]. The defense in depth concept ensures the physical access protection of the infrastructure, using network access control system (NAC) and traditional security measures, and implements policies and procedures that deal training and cybersecurity awareness programs, risk assessment (analyzing and documenting), and the plan of security. The philosophy of defense in depth uses also the IT technologies in order to ensure separation and segmentations of the networks to the VLANs, demilitarized zones, VPN, using firewalls, switch and routers. The hardening of different systems installed like routers, firewalls, switches and other devices on the network such as SCADA servers is a very sensitive operation of defense in depth. The last important operations are monitoring and maintenance, the monitoring serve to detect and stop intrusions attempts before they can damage the control system with using detection and protection system (IDS/IPS), and the maintenance operations control system (soft and hard), schedule updating of anti-virus software on different devices installed in the network like (computers, SCADA servers, routers, switch and other devices). The defense-in-depth recommendations described in this document can decrease the risk of attacks can target industrial network architectures, like VLAN hopping, SQL injection on SCADA, IP spoofing and DoS (denies of service) and others ones. The risk of attacks can use a common point of access as point of failures (RTU, corporate VPNs, database links, wireless communication, and IT controlled communication equipment). The implementation strict of the defense in depth concept can avoid important damage of critical infrastructures such as loss of production, damage to plant, impact on reputation, impact of health, impact of safety, impact of environment and impact on nation’s security.

Security risk assessment for SDN-enabled smart grids

The increasing energy dependence of cloud data centers to Internet-of-Things necessitates availability of high reliable power systems. Smart grid enables two-way flow of energy from power to plug to be automated, monitored and controlled. However, IP-based communications in smart grids increase the likelihood of network attacks, such as IP spoofing and Distributed Denial of Service (DDoS) attacks. These attacks cause damages such as wrong smart meter readings, false demands for electricity, and impaired protection devices. Thus, there is a need for cyber resilient smart grid communication network. Software Defined Networking (SDN) which has the ability to redefine operations of a network at runtime presents the most resilience benefits when used as an underlying infrastructure for the smart grid. In this paper, we present a framework to assess security risks within an SDN-enabled smart grid communication network. Specifically, we quantify the security risks for DoS attacks on Intelligent Electronic Devices (IEDs) and the IEC 61850 network. Our security score model incorporates the critical role of each IED and measures impact on the overall smart grid network. We illustrate how SDN relieves our smart grid network of congestion and improves timing performance of IEC 61850 type messages, making them time compliant.

A Survey of Network-Based Detection and Defense Mechanisms Countering the IP Spoofing Problems

A Survey of Network-Based Detection and Defense Mechanisms Countering the IP Spoofing Problems

LPM: A lightweight authenticated packet marking approach for IP traceback

IP traceback approaches have an important role to play in mitigating the attacks based on IP spoofing like Denial of service/Distributed denial of service attacks. Due to the obvious significance of such attacks, numerous approaches have been proposed in the literature. However, as per our observations, there is still a scope to improve the IP traceback techniques especially in terms of reducing the number of false-positives, reducing the number of packets required at the victim node and the requirement of an upstream router map.Motivated by this observation, in this paper, we propose a novel Light-weight Packet Marking (LPM) that is a probabilistic packet marking (PPM) approach, to trace back the sources of an attack. LPM improves upon the existing PPM approaches in the number of packets required by the victim to reconstruct the attack paths, reduced false-positives and support incremental deployment. It does not even require an upstream router map. LPM also authenticates the marking that enables a victim to detect the attackers attempts to forge the marking. LPM uses multiple hash functions to reduce the false positives further to zero. We carry out experimental analysis as well as security analysis of LPM considering attacker and compromised routers in our attacker model.