Document Sample
					Ubiquitous Computing and Communication Journal


                                             H. Abdul Rauf,
            Dean (CSE/IT), V.L.B. Janakiammal College of Engineering & Technology, Coimbatore

                                            A. Ebenezer Jeyakumar
                              Principal, Government College of Engineering, Salem

               The ability to characterize IP traffic and understand how and where it flows is
               critical for network availability, performance, security and troubleshooting.
               Monitoring IP traffic flows facilitates more accurate capacity planning and ensures
               that resources are used appropriately in support of organizational goals. It helps to
               determine where to apply Quality of Service (QoS), optimize resource usage and it
               plays a vital role in network security to detect Denial-of-Service (DoS) attacks,
               network propagated worms, and other undesirable network events. The proposed
               Wireless Packet Analyzer Tool (WPAT) facilitates solutions to many common Wi-
               Fi threats like DoS attack, Mis-associated systems from neighboring premises,
               Rogue APs etc., encountered by wireless networks. The attacks were simulated in
               an experimental set-up and WPAT is tested for required performance. A scheme
               that may effectively and efficiently combine detection, defense, and traceback may
               significantly enhance performance and mitigate false positives. The WPAT is used
               to identify the new IP and its route is traced by IP Traceback tool. The route
               contains the details such as the total number of hops, time taken for each hops in
               milliseconds and the IP address of the intermediate routers. The traced route is
               used for plotting the graph.

               Keywords: : Denial-of-Service, Wireless Packet Analyzer Tool, IP Traceback.

 1   INTRODUCTION                                           coupled with filtering and post processing tools. This
                                                            paper discusses the mechanics of the proposed
     The rapid increase in the use of computers             “Wireless Packet Analyzer Tool” which is a post
 coupled with the exponential growth of the Internet        processing tool coupled to an already available
 has also had ramifications on the growth of crime.         sniffer.
 Effective tools that can analyze and monitor the
 network traffic and can also keep up with the                   The IP Traceback is the process of identifying
 growing bandwidth speeds are required. Such                the actual source of attack packets. It helps in
 monitoring tools help network administrators in            mitigating DoS attacks by isolating the identified
 evaluating and diagnosing performance problem with         attack sources. IP Traceback is a challenging
 servers, the network, hubs and applications. Careful       problem because of the Distributed anonymous
 and judicious monitoring of data flowing across the        nature of DDoS attacks, the stateless nature of the
 network can help detect and prevent crime and              internet, the destination oriented IP routing and the
 protect intellectual property as well as privacy of        fact of having million of hosts connected to the
 individuals.                                               internet. All these factors help attackers to stay
                                                            behind the scenes and hence complicate the process
      Network monitoring tools can monitor the              of traceback.
 network at various levels of the network stack. Some
 tools monitor only at the MAC layer whereas others              The remainder of the paper is organized as
 can also monitor the network layer. Some tools can         follows: Section (2) details the theory and
 extend to the application level as well. There are         background of the paper. Section (3) focuses on
 only limited tools that can attempt to monitor based       Network Monitoring Tool. Section (4) emphasizes
 on filtering the content of applications. Network          on IP Traceback Tool and graphical output. Section
 monitoring tools are mostly “sniffers” optionally          (5) the conclusion and future scope of the paper.

Volume 3 Number 3                               Page 161                                         www.ubicc.org
Ubiquitous Computing and Communication Journal

                                                             for eavesdropping on network traffic.
                                                                  Sniffers usually provide some form of protocol-
 Carnivore (Smith 2000) is a tool developed by the           level analysis that allows them to decode the data
 Federal Bureau of Investigation (FBI). This tool is         flowing across the network, according to the needs of
 developed for the sole purpose of directed                  the user. This analysis is often done on a packet by
 surveillance and it can capture packets based on a          packet basis, as data flows in the network in packets.
 wide range of application layer based criteria. It          Sniffing programs have been traditionally used for
 functions through wire-taps across gateways and             helping in managing and administering networks.
 Internet Service Provider (ISPs). Carnivore is also         Recently, sniffers have also found use with law
 capable of monitoring dynamic IP address based              enforcement agencies for gathering intelligence and
 networks. The capabilities of string searches in            helping in crime prevention and detection. Typically
 application level content seem limited in this              such programs can be used for evaluating and
 package. It can also capture E-Mail messages to and         diagnosing network related problems, debugging
 from a specific user’s account and all network traffic      applications, rendering captured data, network
 to and from a specific user or IP address. It can also      intrusion detection and network traffic logging.
 capture headers for various protocols.
                                                             3.1 Design and Development
      PickPacket (Neeraj 2002) and (Pande and Sanghi
 2005) is a monitoring tool similar to Carnivore. This              Sniffers normally dump the packets that they
 tool can filter packets across the levels of the Open       capture directly to the disk. These packets usually
 Systems Interconnection (OSI) network stack for             require post capture processing to render them
 selected applications. Criteria for filtering can be        human readable. Most sniffers provide post-
 specified for network layer and application layer for       processing and rendering tools. Sniffers that provide
 applications. It also supports real-time searching for      statistics about the data captured with the sole
 text string in applications and packet content. The         purpose of helping network managers in diagnosing
 criteria for selecting packets in PickPacket can be         and evaluating performance problems with servers,
 specified at several layers of the protocol stack. The      the network media, switches and applications are
 filtering component of this tool does not inject any IP     usually      called   network    monitoring     tools.
 packets onto the network. Once the IP packets have          Traditionally such tools setup alerts on various
 been selected based on these criteria, they are             events, show trends of network traffic over a time
 dumped to permanent storages. The tool has been             period and maintain some history information.
 demonstrated to work over a 100 Mbps link. The
 extensibility and the modular design of PickPacket                Each packet that is forwarded within a router or
 makes it more generalized and it can be used as a           switch is examined for a set of IP packet attributes.
 simple tcpdump like application and can also be             These attributes are the IP packet identity or
 extended to become an intrusion detection tool.             fingerprint of the packet and determine if the packet
                                                             is unique or similar to other packets. Traditionally,
      Cisco Netflow Tool (2007) identifies new               an IP flow is based on a set of seven and up to nine
 application network loads such as VoIP or remote            IP packet attributes. IP packet attributes used by
 site additions. This tool use NetFlow statistics to         WPAT are IP source address, IP destination address,
 measure       WAN      traffic   improvement      from      Source port, Destination port, Protocol type, Packet
 application-policy changes; understand who is               Size, date and time of packet flow.
 utilizing the network and the network top talkers.
 Diagnose slow network performance, bandwidth                     All packets with the same source/destination IP
 hogs and bandwidth utilization quickly with                 address, source/destination ports, protocol interface
 command line interface or reporting tools. It also has      and class of service are grouped into a flow and then
 facilities to avoid costly upgrades by identifying the      packets and bytes are tallied. This methodology of
 applications causing congestion. NetFlow can be             fingerprinting or determining a flow is scalable
 used for anomaly detection and worm diagnosis. It           because a large amount of network information is
 confirms that appropriate bandwidth has been                condensed into a database.
 allocated to each Class of Service (CoS) and that no
 CoS is over - or under - subscribed.                        This flow information is extremely useful for
                                                             understanding network behavior like:
 3   WIRELESS PACKET ANALYSER TOOL                               • Source address allows the understanding of
                                                                      who is originating the traffic
      Network monitoring tools are often called                  • Destination address tells who is receiving
 sniffers. Network sniffers are software applications                 the traffic
 often bundled with hardware devices and are used                • Ports characterize the application utilizing

Volume 3 Number 3                                 Page 162                                           www.ubicc.org
Ubiquitous Computing and Communication Journal

           the traffic                                        3.2 Implementation
     •     Tallied packets and bytes show the amount
           of traffic                                              The implementation is done using the
     •     Flow timestamps to understand the life of a        experimental set-up shown in Figure 2. A honeypot
           flow; timestamps are useful for calculating        system is also implemented using the same
           packets and bytes per second.                      experimental set-up. The experiments were carried
                                                              out several times until satisfactory results were
      The WPAT software creates real-time             or      obtained.
 historical reports from the captured data.
                                                                    A sniffer tool is used to capture the raw packets
       The proposed wireless packet analyzer tool             from the network and connected to the database. The
 (WPAT) as shown in the Figure 1 links with the               sniffer tool used is set to capture the packets flowing
 packet sniffer tool and updates all packets already          through the specified system.
 captured by the sniffer tool for every 30 seconds.
 The sniffer tool is set to capture the raw packets and       3.3 Experiment 1-To Study the Packet Flow
 store it in text format. The proposed WPAT links to              Information
 the captured data and displays the data as shown in
 the Figure 1. The analyzer tool displays another two               The experiment is conducted using the
 windows showing the sum of packet flow between               experimental set-up shown in the Figure 2. Initially
 starting time of capture to ending time of capture and       packets are generated from various clients, and sent
 the enterprise network intruder                              to a honeypot server which is placed in an Enterprise
                                                              premises as shown in the Figure 2. A data set is
      The sum of packet flow gives consolidated               generated and a valid stream is transmitted from
 details about packets captured between any time              clients to the wireless honeypot server. The data
 period and further analysis of data can be made by           received by the honeypot server is captured using a
 selecting any source IP and clicking the packet flow         sniffing tool and linked to the database.
 details button shown in the Figure 1. The results
 shown in Table 1 are produced by the report
 produced by the “Packet Flow Details” button.

      The graphs shown in Figure 3 to Figure 6 are
 obtained by selecting any IP address in the packet
 flow between starting time of capture to ending time
 window and by the report produced by graphs
 button. Like wise graphs for any source IP address
 can be displayed if there is any abnormality noticed
 in the packet flow. These graphs show a clear picture
 of the packet flow between any source IP address to
 the honeypot server system.

     The “enterprise master” button is used to enter
 the IP address, the MAC address and the system
 name permitted to be used inside the enterprise

                                                                Figure 2. Experimental Set-up and IP Connected

                                                                  The Figure 3 shows packets generated from
                                                              “update” client and sent to the “honeypot_server” as
                                                              valid stream. Likewise Figure 4 shows packets
                                                              generated from “update1” client and sent to
                                                              “honeypot_server” as valid stream. Likewise similar
                                                              valid stream generated from “update4” and
                                                              “update5wireless_client”     were    sent    to    the
                                                              “honeypot_server”. The Table 1 shows the captured
                                                              data over a period of time. The Figure 3 and Figure 4
                                                              shows a graph with packets transmitted from
         Figure 1. Wireless Packet Analyzer Tool              “update” and “update1” client over a period of time.

Volume 3 Number 3                                  Page 163                                        www.ubicc.org
Ubiquitous Computing and Communication Journal

 Table 1 illustrates the details of the packets captured
 by the Honeypot server. The second column shows
 the packet size captured at various instant of time.
 The packets received from all connected clients by
 the server like Source IP, Destination IP, Source port
 and destination port are tabulated.

    Table 1 Details of the sample packets captured by
                  the Honeypot server.

  No      Size   Source(S) IP    Destination     S      D      Time
                                 (D) IP
                                                 Port   Port
                                                                           Figure 5 Packets from Permitted IP
  1       162   1088   7000   12:32:52

  2       52   7000   1088   12:32:53

                                                        7000   12:32:53
  5       40   1424
  6       72   7000   1424   12:32:53

  7       1500   1088   7000   12:32:53

                                                        7000   12:32:53
  10      1500   1088
                                                        1424   12:32:53
  13      1500   7000
  14      645   7000   1424   12:32:53

                                                        1424   12:32:53
  16      1500   7000
                                                        7000   01:45:36
  13288   46   1041
                                                        1041   01:45:36
  13291   46   7000
  13292   40   1041   7000   01:45:37

  13293   65   7000   1041   01:45:37

  13294   40   1041   7000   01:45:37

                                                                           Figure 6 Packets from Permitted IP

                                                                          3.4 Experiment 2- To Simulate and Detect
                                                                              Dos Attack

                                                                               In this experiment a DoS attack is detected
                                                                          using the following experimental set-up. For Dos
                                                                          Attack an experimental set-up as shown in the Figure
                                                                          7 is created. The Figure 8 shows packets generated
                                                                          from “update5wireless_client” client and sent to
                                                                          honeypot server as invalid stream. The Figure 9
                                                                          shows a graph with packets transmitted from
                                                                          “update5wireless_client” over a period of time.
   Figure 3 Packets from Permitted IP
                                                                              The Figure 9 and Figure 6 are compared and the
                                                                          graph shows very large packets received from
                                                                          “update5wireless” client than compared to packets
                                                                          received from “update” client over a period of time.
                                                                          This graphically represents attack packets sent from
                                                                          “update5wireless” client to honeypot server

   Figure 4 Packets from Permitted IP

                                                                              Figure 7 DoS Attack Experimental Set-up

Volume 3 Number 3                                              Page 164                                     www.ubicc.org
Ubiquitous Computing and Communication Journal

   Figure 8 Packets from “update5wireless_client”

                                                              Figure10 Experimental Set-up for Wi-Fi Threats

                                                                    Table 2 Permitted and Mis-Associated IPs

                                                              No.    IP Address      MAC ADDRESS         SYSTEM NAME        PERMISSION

                                                              1   00:A0:B0:00:0D:FF Update4

                                                              2   00:E0:20:72:36:27   Update

                                                              3   00:E0:20:75:31:42   Update1

                                                              4   00:12:F0:09:55:C9   Honeypot_Server

        Figure 9 Packets from DoS attacking IP
                                       5                                          Not Permitted

                                                              6   00:17:9A:77:FC:E5   Update6_wireless
 3.5    Experiment 3- To Simulate and Detect Mis-
       Associated IPs from the Neighboring
       Premises                                             3.6 Experiment 4- To Simulate and Detect a
                                                                Rogue AP
       In this experiment a Wi-Fi threats in a no Wi-Fi
 network is detected using the following experimental            In this experiment a Wi-Fi threats in a no Wi-Fi
 set-up. For Mis-Associated IPs from neighboring            network is detected using the following experimental
 premises an experimental set-up is created as shown        set-up. For detecting a Rogue AP an experimental
 in the Figure 10.                                          set-up is created as shown in the Figure 11. A Rogue
                                                            AP is detected and auto classified from the permitted
     The Figure 10 illustrates an attack lures in           IP’s.
 multiple laptops to mis-associate. Even if there is no
 IEEE 802.11 AP’s most of the laptops have IEEE                  Even if there is no IEEE 802.11 AP, hackers
 802.11 cards and the laptop radio is default               through known or unknown sources place Rogue
 configured to automatically associate with the             IEEE 802.11 AP’s in the Enterprise premises and get
 strongest signal from a list of SSIDs. Hackers simply      connected to the Enterprise Network and attack the
 sit outside the building with an AP configured to a        laptops which have IEEE 802.11 cards. Hackers
 common SSID and wait for a number of laptops to            simply sit outside the building and attack the
 connect. The Table 2 classifies the permitted IPs and      Enterprise Network. The Table 3 shows the Intruder
 mis-associated IPs.                                        IP Connected to Enterprise Network.

Volume 3 Number 3                                Page 165                                                          www.ubicc.org
Ubiquitous Computing and Communication Journal

                                                                   The WPAT is used to find the unknown IP
                                                               address as shown in Table 4 and 5. A database is
                                                               maintained which contains all the IP addresses that
                                                               have been previously traversed.

                                                                                 Table 4 WPAT Output

                                                                 TYPE     SIZE        SOURCE IP       DESTINATION IP

                                                                 TCP        54

                                                                 TCP       477

                                                                 TCP      1086

                                                                 TCP       453

                                                                            Table 5 New IP Addresses

 Figure 11 Experimental Set-up to Prevent Rogue AP
                   and Threats                                              

      Table 3 Intruder IPs Connected to Enterprise

 Source IP       Source Dest IP       Date       Time
                                                               4.2 Tracing the route of new IP address 28:05:2007 01:06:56

                                                                    This module traces the route of new IP address.
                                                               The route contains the number of hops, time in
                                                               milliseconds and the IP address of the intermediate
                                                               routers. Traceroute displays all the routers through
     The IP traceback may identify attack sources.             which data packets pass on way to the destination
 However, IP traceback itself is not a detection or            system from the source system. However, the path
 defense scheme. Integrating IP traceback with other           displayed by Traceroute for any IP addresses like the
 functionalities such as detection and defense is the          same source to the same destination in two different
 topic of interest which is experimented in this IP            sessions may or may not vary. The operations
 Traceback tool.                                               performed during the tracing process are depicted as
                                                               a flowchart as shown in the Figure 12 and block
                                                               diagram of Trace route concept in Figure 13.
 4.1Finding the New IP Address

      This module finds the new IP address whose               The first step in the traceroute command is that it
 route has to be traced. The sniffer output is used in         creates a packet with a TTL value of 1 and sends it to
 this module. The sniffer is used to sniff both Data           the destination system. The first router on way to the
 packets and Control packets. The control packet does          destination system from the source system will
 not contain any information and hence their size is           discard the data packet, as the TTL value of this
 small. While the data packets contain some data and           received data packet is 1. In addition, this first router
 they have large size (say greater than 100 bytes). For        will also send back a "Time exceeded" error message
 example, while downloading a web page or files say            to the source system. Since this “Time exceeded”
 from yahoo.com or google.com, it may request for              error message received by the source system, has its
 information. In that case the web server may send the         source IP Address as that of the first router. As a
 packet to the host system that requested for it. Thus         result the traceroute running on the source system
 the web server becomes the source and the host                will come to know this IP address of the first router.
 system requesting for a packet becomes the                    In this way, the traceroute command identifies the
 destination.                                                  address of the first router on the path to the
                                                               destination system and displays it on the screen.

Volume 3 Number 3                                   Page 166                                           www.ubicc.org
Ubiquitous Computing and Communication Journal


                    Socket Initialize


                      If Ttl <=255


                     Send UDP                           A
                                                                              Figure13 Block Diagram of Traceroute Concept
                  If Router = Destination
                                                                                 When the TTL value is high enough for the data
                                                                            packet to reach the destination system, its TTL value
                                                                            would have been decremented to 1 by the time the
                                             Print Trace Route
                                                 Complete                   data packets reaches its destination. However, even
                   Decrement ttl
                                                                            though the destination system will receive a data
                                                                            packet having a TTL value of 1, it will not discard
                                            Socket Cleanup
                                                                            the packet. This is because the destination has been
                                                                            reached. Since the destination system does not
                                                                            discard the data packet that it receives, it means that
                                                 Stop                       the destination system does not generate a “Time
                                                                            exceeded” error message. As a result, since no "Time
                                                                            Exceeded" error message is generated, the source
                                            NO                              system does not have any way by which it can ensure
                    If ipo.tt1=0
                                                        A                   that the destination system has been reached. Hence,
                                                                            all new IP addresses are traced and if there is any
                                                                            intruder, it is considered as a new IP address and its
                                                                            route is also traced. Thus the intruder is traced.
                    Send ICMP
                                                                            4.3 Graphical Representation

                   Print Router IP                                              The output shown in the Table 6 is the route of
                                                                            the new IP address which is used for drawing the
                                                                            graph. The Table 6 contains the fields such as
                      ipo.ttl++                                             number of hops, time taken by each hops and the IP
                                                                            address of the intermediate routers.

                                                                                          Table 6 Traceroute Table
         Figure 12 Flowchart for Traceroute
                                                                               NO.OF         TIME TAKEN         INTERMEDIATE
      Similarly, in the next step, traceroute sends a                          HOPS                             ROUTERS
 data packet with a TTL value of 2 to the destination                          Hop 1         38 ms    
 system. The first router receiving this data packet                           Hop 2         45 ms    
 will decrement the TTL value of the packet by 1 and                           Hop 3         46 ms    
 then it would forward the packet to the second router
                                                                               Hop 4         46 ms    
 on path to the destination system. This second router
                                                                               Hop 5         62 ms    
 would in turn, discard this packet and send back a
 "Time Exceeded" error message to the source system,                           Hop 6         280 ms   
 revealing its IP Address. This process of sending                             Hop 7         280 ms   
 packets with increasing TTL values is carried out,                            Hop 8         280 ms   
 until the data packet has a TTL value high enough to                          Hop 9         286 ms   
 make sure that it reaches the destination system.                             Hop 10        296 ms   

Volume 3 Number 3                                                Page 167                                        www.ubicc.org
Ubiquitous Computing and Communication Journal

     The route traced by the Traceroute tool is                                  Information Assurance, West Point, New York,
 enhanced by the graphical representation which is                               pp. 326-332 (2002).
 shown in the Figure 14. The hops are plotted against                       [4] A.C. Snoeren, C. Partridge, L.A. Sanchez, C.E.
 the milliseconds.                                                               Jones, F. Tchakountio, B. Schwartz, S.T. Kent
                                                                                 and W.T. Strayer: ‘Single Packet IP Traceback’,
                                                                                 IEEE/ACM Transactions on Networking, Vol.
                                  Traceroute Graph                               10, pp. 721-734 (2002).
                                                                            [5] A.C. Snoeren, C. Patriridge, L.A. Sanchez, C.E.
                    350                                                          Jones, S.T. Kent,        F. Tehhakountio and W.T.
                    300                                                          Strayer:     ‘Hash-Based          IP      Traceback’,
                                                                                 Proceedings      of      ACM       Conference      on
                                                                                 Applications, Technologies, Architectures, and
     T im e - m s

                                                                                 Protocols for Computer Communication,             San
                    150                                                          Diego, California, USA (2001).
                    100                                                     [6] K. Park and H. Lee: ‘On the Effectiveness of
                    50                                                           Probabilistic Packet Marking for IP Traceback
                                                                                 under DoS Attack’, Proceedings of 20 th Annual
                          1   2    3   4   5   6     7   8   9   10
                                                                                 Joint Conference of the IEEE Computer and
                                                                                 Communication Society, Vol. 1, pp. 338-347.
                                                                            [7] A. Mankin, D. Massey, S.F. Chien-Lung Wu
                          Figure 14 Traceroute graph                             Wu and Lixia Zhang: ‘On               Design     and
                                                                                 Evaluation      of     'Intention-driven'     ICMP
                                                                                 Traceback’, Proceedings of 10 th International
 5         CONCLUSION
                                                                                 Conference on Computer Communication and
     The post processing tool proposed through                                   Networks, Scottsdale, USA, pp. 159-65 (2001).
 various experimental results shows that it can                             [8] J. Li, M. Sung, J. Xu and L. Li: ‘Large-Scale IP
 measure the packets flowing across an enterprise                                Traceback in High-Speed Internet: Practical
 network considering the wireless threats on-the-fly.                            Techniques      and      Theoretical    Foundation’,
 So a specific approach is undertaken to present a new                           Proceedings of IEEE Symposium on Security
 experimental set-up for the precise measurement of                              and Privacy, Oakland, California, pp. 115-129
 packets across an enterprise network with or without                            (2004).
 Wi-Fi using a sniffer and a WPAT.                                          [9] C. Gong and K. Sarac: ‘IP Traceback based on
                                                                                 Packet Marking and Logging’, Proceedings of
      Thus, WPAT using a IP Traceback tool is more                               IEEE        International        Conference        on
 effective, when any new IP address and if the IP                                Communication, Vol. 2, pp. 1043-1047 (2005).
 address is not available in the database then its route                    [10] M.T. Goodrich: ‘Probabilistic Packet Marking
 is traced back. Thus, when an intruder attacks with                             for Large-Scale IP Traceback’, IEEE/ACM
 an IP address that is not available in the database                             Transactions on Networking, Vol. 16, No.1,
 then that IP address is also considered as a new IP                             pp.15 - 24 (2008).
 and the route is traced. The IP Traceback tool is                          [11] Z. Gao and N. Ansari: ‘Tracing Cyber Attacks
 enabled in real time and this tool based on the ICMP                            from     the     Practical     Perspective’,     IEEE
 concept proves to be efficient.                                                 Communications Magazine, Vol. 43, No. 5, pp.
                                                                                 123-131 (2005).
                                                                            [12] A. Belenky and N. Ansari: ‘On IP Traceback’,
                                                                                 IEEE Communications Magazine, Vol. 41, No.
 [1] M. Sung and J. Xu: ‘IP Traceback-based                                      7, pp. 142-153. (2003).
     Intelligent Packet Filtering: A Novel Technique                        [13] A. Belenky and N. Ansari: ‘Tracing Multiple
     for Defending Against Internet DDoS Attacks’,                               Attackers with Deterministic Packet Marking
     IEEE Transactions on Parallel and Distributed                               (DPM)’, Proceedings of IEEE Pacific Rim
     System, Vol. 14, No. 9, pp. 861-872 (2003).                                 Conference Communication, Computer and
 [2] Y.Tseng, H. Chen and Hsieh W: ‘Probabilistic                                Signal Processing, Victoria BC, Canada, pp. 49-
     Packet      Marking      with    Non-Preemptive                             52 (2003).
     Compensation’, IEEE Communications Letters,                            [14] A. Belenky and N. Ansari: ‘IP Traceback with
     Vol. 8, No. 6, pp. 359-361 (2004).                                          Deterministic       Packet      Marking’,       IEEE
 [3] D. Wei and N. Ansari: ‘Implementing IP                                      Communications Letters, Vol. 7, No. 4, pp.
     Traceback in the Internet - An ISP Perspective’,                            162-164 (2003).
     Proceedings of 3rd Annual IEEE Workshop on                             [15] C. Beak, J.A. Chaudhry, K. Lee, S. Park and M.
                                                                                 Kim: ‘A Novel Packet Marketing Method in

Volume 3 Number 3                                                Page 168                                          www.ubicc.org
Ubiquitous Computing and Communication Journal

      DDoS Attack Detection’, Proceedings of
      American Journal of Applied Sciences, Vol. 4,
      No. 10, pp. 741-754 (2007)..
 [16] Brajesh Pande: ‘Network Monitoring Tool’,
      Computer Society of India, Communications,
      November 2006, pp. 27-29. (2006).
 [17] B. Pande, D. Gupta, D. Sanghi and S.K. Jain:
      ‘The Network Monitoring Tool–Pick Packet’,
      Proceedings of 3rd International Conference on
      Information Technology and Applications, Vol.
      2, pp. 191-196. (2005).
 [18] P. Stephen, J. Smith and Allen Crider:
      ‘Independent Review of the Carnivore System’,
      Final Report, IIT Research Institute, Lanham,
      Maryland (2000).

 H.A.Rauf received the Bachelors Degree in
 Electrical and Electronics Engineering in 1987. He
 completed his Masters degree in Business
 Administration (M.B.A) Degree in the year 1996 and
 his masters degree in Computer Science and
 Engineering in the year 1999.He is currently a PhD
 candidate in the faculty of Information and
 Communication Engineering, Anna University of
 Chennai. His research interests includes mobile
 computing, Computer Networks, Network Security,
 Advanced Networks and Performance Evaluation of
 Computer      Networks.    He   is currently    the
 Dean (CSE/IT), V.L.B. Janakiammal College of
 Engineering & Technology, Coimbatore, India

 Dr. Ebenezer Jeyakumar is currently the Principal of
 Government College of Engineering, Salem, India.
 Being an eminent professor of Anna University,
 there are many students doing their research under
 his guidance in various fields. Some of main areas
 of research are Networking, mobile computing, high
 voltage engineering and other related areas.

Volume 3 Number 3                              Page 169   www.ubicc.org

Research Insight Research Insight UbiCC Journal http://www.researchinsight.org