IJRREST: International Journal of Research Review in Engineering Science and Technology | Volume 1 Issue 1 June 2012

Detection of Spoofing attacks in Wireless network and their Remedies
*Divya Pal Singh, *Pankaj Sharma, **Ashish Kumar

*Department of CSE, Vira College of Engineering, Bijnor,
**Department of MCA, SD College of Management Studies, Muzaffarnagar
divyapalsingh@yahoo.com, shapankaj.sharma@gmail.com, ashisonugmail.com

______________________________________________________________________________

ABSTRACT

Wireless networks are vulnerable to spoofing attacks, which allow for many other forms of attacks on the networks. A spoofing attack is the most common online attack in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage, it become more sophisticated defense mechanisms. Although the identity of a node can be verified through cryptographic authentication, authentication is not always possible because it requires key management and additional infrastructural overhead. In this paper we describe different defense mechanisms and their advantages and disadvantages against spoofing attacks.

Key Words: Spoofing, filtering, defense

1. INTRODUCTION

Wireless networks are networks that consist of sensors which are distributed in an ad hoc manner. These sensors work with each other to sense some physical phenomenon, and the information gathered is then processed to get relevant results. Due to the openness of wireless and sensor networks, they are especially vulnerable to spoofing attacks, where an attacker forges its identity to masquerade as another device, or even creates multiple illegitimate identities. With the recent advances in modern communication systems, wireless networks are expected to provide communication with confidentiality, data integrity, and availability of service to the user. Confidentiality of data can simply be explained as preventing an untrusted third party from accessing the secure data. Data integrity ensures that replay attacks are prevented and the data is not modified, and availability ensures that legitimate users can access services, data and network resources when requested. As wireless sensor networks continue to grow, because they are potentially low cost and effective (providing solutions to a number of real-world challenges), the need for effective security mechanisms also grows. As more wireless and sensor networks are deployed, they will increasingly become tempting targets for malicious attacks. Spoofing attacks occur when the attacker is able to cause a user or a device on a system to think that a piece of information came from a source from which it actually did not originate. Spoofing attacks can be IP Spoofing, MAC Spoofing, Web Spoofing, DNS Spoofing, Email Spoofing, etc. Due to the open nature of the wireless medium, it is easy for adversaries to monitor communications to find the layer-2 Media Access Control (MAC) addresses of the other entities. For most commodity wireless devices, attackers can easily forge their MAC address in order to masquerade as another transmitter.

Spoofing attacks are a serious threat as they represent a form of identity compromise and can facilitate a variety of traffic injection attacks, such as evil twin access point attacks. The traditional security approach to cope with identity fraud is to use cryptographic authentication. Due to the limited resources in wireless and sensor nodes, and the infrastructural overhead needed to maintain the authentication mechanisms, it is not always desirable to use authentication. In this paper we consider the different types of spoofing attacks and analyze the different defense mechanisms with their advantages and disadvantages.

2. TYPES OF SPOOFING

Spoofing attacks can be MAC Spoofing, Web Spoofing, DNS Spoofing, Email Spoofing, IP Spoofing, URL Spoofing, etc.

2.1 MAC Spoofing
MAC spoofing is a technique for changing the factory-assigned Media Access Control (MAC) address of a network interface on a networked device. Unlike IP address spoofing, where senders spoofing their address in a request direct the receiver into sending the response elsewhere, in MAC address spoofing the response is received by the spoofing party. However, MAC address spoofing is limited to the local broadcast domain. There are legitimate uses for MAC address “spoofing”. For example, an Internet service provider (ISP) may register a client’s MAC address for service and billing tracking. If the client needs to replace their network card, due to a failure or maybe a new computer, they can simply set the MAC address of the new card to that of the old one. Also, some software requires you to input your MAC address to access certain services. In this case, if the user needs to replace his/her network card, they may change their new network card MAC address to “spoof” their old one. This can eliminate the need to re-register the software product.

2.2 WEB Spoofing
Web spoofing occurs when malicious action causes the reality of the browsing session to differ significantly from the mental model a sophisticated user has of that session. It allows the attacker to create a misleading context in order to trick the victim for online fraud.

2.3 DNS Spoofing
DNS spoofing is the trick of making a DNS entry point to an IP address other than the one it is supposed to point to, hijacking the identity of the server. The DNS Spoofing feature is designed to allow a router to act as a proxy Domain Name System (DNS) server and “spoof” replies to any DNS queries using either the configured IP address in the ip dns spoofing ip-address command or the IP address of the incoming interface for the query.

2.4 Email Spoofing
This forgery of the email’s From address is a favorite technique of spammers and phishers to try to get you to respond to their emails. E-mail spoofing is e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source. Because core SMTP doesn't provide any authentication, it is easy to impersonate and forge emails. It is usually fraudulent but can be legitimate. By changing certain properties of the e-mail, such as the From, Return-Path and Reply-To fields (which can be found in the message header), ill-intentioned users can make the e-mail appear to be from someone other than the actual sender. The result is that, although the e-mail appears to come from the address indicated in the From field (found in the e-mail headers), it actually comes from another source.

2.5 IP Spoofing
IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system. IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses. IP address spoofing is the creation of IP packets using somebody else’s IP source addresses. This technique is used for obvious reasons and is employed in several of the attacks.

2.6 URL Spoofing
URL spoofing occurs when one website appears as if it is another. The URL that is displayed is not the real URL of the site, so the information is sent to a hidden web address. Using this technique the hacker could create a series of fake websites and steal a user's private information without the user knowing. URL spoofing is sometimes used to direct a user to a fraudulent site; because the site has the same look and feel as the original site, the user attempts to log in with a username and password. The hacker collects the username and password, then displays a password error and directs the user to the legitimate site.

3. PREVENTION TECHNIQUES
To prevent MAC spoofing the user may use a pre-configured file to constantly change their MAC address while performing large file transfers in order to avoid being caught by the NIDS. Usually this security implementation will track the origin of large transfers to the MAC address, but if the MAC address is constantly changing, then it appears to the NIDS as many different people transferring many small files.

A way to systematically stop Web spoofing would be to modify browsers so that their status and content functions do not have such collisions, and so users can (in theory, at least) always perform recog, and hence judge, correctly.

DNS spoofing attacks can be prevented on DNS servers by being less trusting of the information passed to them by other DNS servers, and ignoring
any DNS records passed back which are not directly relevant to the query. However, routers, firewalls, proxies, and other gateway devices that perform network address translation (NAT), or more specifically, port address translation (PAT), often rewrite source ports in order to track connection state. When modifying source ports, PAT devices typically remove the source port randomness implemented by name servers and stub resolvers.

To prevent Email spoofing from happening in a network, the following are some common practices:
• DON'T click on the link in an email that asks for your personal information.
• If someone contacts you and says you’ve been a victim of fraud, verify the person’s identity before you provide any personal information.
• Be suspicious if someone contacts you unexpectedly and asks for your personal information.
• Avoid emailing personal and financial information.
• Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges.
• Act immediately if you’ve been hooked by a phisher.

To prevent IP spoofing from happening in a network, the following are some common practices:
• Avoid using source address authentication. Implement cryptographic authentication system wide.
• Configure your network to reject packets from the Net that claim to originate from a local address.
• Implement ingress and egress filtering on the border routers and implement an ACL (access control list) that blocks private IP addresses on your downstream interface.

The best method of preventing the IP spoofing problem is to install a filtering router that restricts the input to the external interface by not allowing a packet through if it has a source address from the internal network. In addition, we should filter outgoing packets that have a source address different from the internal network in order to prevent a source IP spoofing attack originating from the site.

To prevent URL Spoofing, the most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER.

Various detection and prevention methods are used in wireless networks to defend against spoofing attacks. These are:

3.1 TCP Intercept
The router checks the real host behind the source address by completing the 3-way handshake; if the connection with the client is established, the address is considered not spoofed. The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list.

3.2 Forge Resistance Relationship With Rate Analysis (FRR-RA) Method
Detection of adversary presence avoids the launching of other wireless attacks. In the FRR-RA method, packets detected as spoofed by the FRR method are analyzed again by the transmission rate method. A packet detected as spoofed by both methods is dropped from the analyzing window of packets to avoid raising false positive alarms for the previous ‘n’ consecutive packets.

3.3 Silence Method
The SILENCE method uses SILhouette Plot and System Evolution with minimum distance of cluster; it evaluates the minimum distance between clusters on top of the pure cluster analysis to improve the accuracy of determining the number of attackers.

3.4 Change Point Detection Method
Change point detection is the identification of abrupt changes in the generative parameters of sequential data. As an online and offline signal processing tool, it has proven to be useful in applications such as process control, EEG analysis, DNA segmentation, econometrics, and disease demographics. This scheme is based on a storage-efficient data structure and a change point detection method. The storage-efficient data structure, which is a variant of the Bloom filter, is used to generate a hash digest of the traffic. The change-point detection method is based on the CUSUM algorithm, which is a nonparametric change point detection method.

3.5 End-Host-Based Solutions
These solutions are implemented on end-hosts, and aim to allow an end-host to recognize spoofing packets. Although some such solutions can be deployed at routers as well, end-host-based solutions are designed with end-hosts in mind, and do not rely upon any special router functionality. In general, these solutions do not need to change networking
infrastructure and are the easiest to deploy. On the other hand, they may act too late since the spoofing packets must reach end-hosts before they are detected.

3.6 Router based solutions
These solutions are implemented on end-hosts, and aim to allow an end-host to recognize spoofing packets. Although some such solutions can be deployed at routers as well, end-host-based solutions are designed with end-hosts in mind, and do not rely upon any special router functionality. In general, these solutions do not need to change networking infrastructure and are the easiest to deploy. On the other hand, they may act too late since the spoofing packets must reach end-hosts before they are detected.

3.7 Demote system
The DEMOTE system performs spoofing attack detection by analyzing the RSS trace for each mobile node identity. The main idea of the DEMOTE technique is to use the relationship between the RSS and the physical location of a mobile device to perform spoofing attack detection. If a spoofing attack is present, the RSS trace from the claimed node identity is the mixture of two RSS traces: one belongs to the victim node and the other belongs to the spoofing node.

3.8 Hop-Count Filtering
Hop-Count Filtering (HCF) observes the hop-count of packets arriving at a given host. First, by measuring the hop-counts during normal times, HCF creates a mapping of IP addresses to hop-counts. Then, if an attacker sends a spoofing packet to the host, it is likely the hop-count of the packet will not match the expected hop-count for packets from the spoofed source address. Because legitimate hop-counts may change due to routing changes, strictly filtering all packets that do not match would lead to false positives. In order to minimize false positives, HCF only begins filtering traffic if some threshold amount of packets do not match their expected hop-counts.

3.9 Discrete Event System (DES) Approach
This detector-based IDS for detecting ARP response spoofing uses an active probing mechanism and does not violate the principles of network layering architecture. Further, being a software-based approach, it does not require any additional hardware to operate.

3.10 Distributed Defense Methods
In distributed methods of spoofing defense, routers cooperate in order to discover information for distinguishing valid and spoofing packets. The information may be related to a key which only valid packets will carry or to the incoming direction for packets from a given source.

3.11 IP identification field probing
It can identify spoofing packets, but only if the spoofed source does not use any sophisticated methods for identification number assignment. Furthermore, results can be complicated by a firewall if it either filters the probing or alters the response.

4. CONCLUSION
Various security protocols for sensor networks have been evaluated against these vulnerabilities. Spoofing remains a severe problem in today’s Internet. Not only are there still many areas where spoofing is possible, but attackers also have motivation for performing IP spoofing. Researchers have developed numerous spoofing defense mechanisms, all with advantages and disadvantages. All the spoofing defense mechanisms are able to identify some amount of spoofing traffic, but they show a variety of efficacies, including when considering their capabilities of locating an attacker or mitigating an attack. For deploying a defense mechanism today, we can recommend some host-based mechanisms. We also believe a “future-proof,” router-based solution should be developed which is not only incrementally deployable, but also has no reliance on manipulable traffic characteristics or a specific routing protocol, and is proactive without suffering from false positives.
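The hop-count filtering procedure of Section 3.8 (learn a source-to-hop-count mapping, then filter only after a threshold of mismatches), as an added example that is not code from the paper. The list of common initial TTL values, the sliding window, the 0.5 mismatch ratio, the "no baseline means accept" rule and all sample packets are assumptions constructed for illustration.

```python
"""Hop-count filtering (HCF) sketch: learn source -> hop-count, then check packets."""
from collections import deque

# Assumption: senders use one of these common initial TTL values.
COMMON_INITIAL_TTLS = (30, 32, 60, 64, 128, 255)


def infer_hop_count(observed_ttl):
    """Estimate hops travelled: smallest common initial TTL at or above the
    observed TTL, minus the observed TTL."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl


class HopCountFilter:
    def __init__(self, window=4, mismatch_ratio=0.5):
        self.table = {}                      # source IP -> learned hop-count
        self.recent = deque(maxlen=window)   # True for each recent mismatch
        self.mismatch_ratio = mismatch_ratio
        self.filtering = False

    def learn(self, src_ip, ttl):
        """Record the hop-count seen for a source during normal times."""
        self.table[src_ip] = infer_hop_count(ttl)

    def check(self, src_ip, ttl):
        """Return 'accept', 'suspect' (mismatch, alert only) or 'drop'."""
        expected = self.table.get(src_ip)
        if expected is None:
            return "accept"   # assumption: no baseline means no verdict
        mismatch = infer_hop_count(ttl) != expected
        self.recent.append(mismatch)
        # Filter only once a full window shows enough mismatches, so a single
        # routing change does not cause legitimate packets to be dropped.
        full = len(self.recent) == self.recent.maxlen
        self.filtering = full and (
            sum(self.recent) / len(self.recent) >= self.mismatch_ratio)
        if not mismatch:
            return "accept"
        return "drop" if self.filtering else "suspect"


# Constructed sample data (documentation address ranges, made-up TTLs).
BASELINE = [("192.0.2.10", 117), ("198.51.100.7", 55)]
TRAFFIC = [
    ("192.0.2.10", 117),   # matches learned hop-count 11
    ("198.51.100.7", 55),  # matches learned hop-count 5
    ("192.0.2.10", 120),   # hop-count 8, expected 11
    ("198.51.100.7", 62),  # hop-count 2, expected 5
    ("192.0.2.10", 117),   # legitimate packet while filtering is active
    ("192.0.2.10", 250),   # hop-count 5, expected 11
]


def run_demo():
    """Learn the baseline, then return the verdict for each traffic packet."""
    hcf = HopCountFilter(window=4, mismatch_ratio=0.5)
    for ip, ttl in BASELINE:
        hcf.learn(ip, ttl)
    return [hcf.check(ip, ttl) for ip, ttl in TRAFFIC]


if __name__ == "__main__":
    for (ip, ttl), verdict in zip(TRAFFIC, run_demo()):
        print(f"{ip:15} ttl={ttl:3} -> {verdict}")
```

The first mismatch is only flagged; dropping starts once half of the four-packet window disagrees with the learned table, and matching packets are still accepted while filtering is active.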
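The scheme of Section 3.4 (a Bloom-filter digest of traffic feeding a nonparametric CUSUM detector), as an added example that is not code from the paper. It uses a plain Bloom filter rather than the variant the paper mentions, and the monitored statistic (previously unseen source addresses per interval), the allowance, the threshold and the traffic are assumptions constructed for illustration.

```python
"""Bloom-filter traffic digest feeding a nonparametric CUSUM detector."""
import hashlib


class BloomFilter:
    """Plain Bloom filter (assumption: stands in for the paper's variant)."""

    def __init__(self, bits=1 << 16, hashes=4):
        self.bits = bits
        self.hashes = hashes
        self.array = bytearray(bits // 8)

    def _positions(self, item):
        # Derive `hashes` bit positions from salted SHA-256 digests.
        for i in range(self.hashes):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.bits

    def add(self, item):
        """Insert item; return True if it was (probably) not present before."""
        was_new = False
        for pos in self._positions(item):
            byte, bit = divmod(pos, 8)
            if not self.array[byte] & (1 << bit):
                was_new = True
                self.array[byte] |= 1 << bit
        return was_new


def new_sources_per_interval(intervals, known_sources):
    """Count, per interval, the source addresses not seen before."""
    seen = BloomFilter()
    for src in known_sources:
        seen.add(src)
    return [sum(seen.add(src) for src in interval) for interval in intervals]


def cusum_first_alarm(series, allowance, threshold):
    """Nonparametric CUSUM: y_n = max(0, y_{n-1} + x_n - allowance).

    Returns the index of the first interval where y_n exceeds the threshold,
    or None if no change point is detected.
    """
    y = 0
    for n, x in enumerate(series):
        y = max(0, y + x - allowance)
        if y > threshold:
            return n
    return None


def build_demo_intervals():
    """Constructed traffic: 5 normal intervals, then 3 with 20 new sources each."""
    known = [f"10.0.0.{k}" for k in range(1, 11)]
    intervals = []
    for i in range(8):
        sources = list(known)
        if i < 5:
            sources.append(f"10.0.1.{i}")   # one genuinely new host
        else:
            sources += [f"203.0.113.{(i - 5) * 20 + k}" for k in range(20)]
        intervals.append(sources)
    return known, intervals


def run_demo(allowance=3, threshold=30):
    """Return the per-interval counts and the index of the first alarm."""
    known, intervals = build_demo_intervals()
    counts = new_sources_per_interval(intervals, known)
    return counts, cusum_first_alarm(counts, allowance, threshold)


if __name__ == "__main__":
    counts, alarm = run_demo()
    print("new sources per interval:", counts)
    print("first alarm at interval:", alarm)
```

The allowance keeps the cumulative sum at zero under normal traffic, so the alarm fires one interval after the burst of unseen sources begins rather than on the first noisy reading.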
