Docstoc

UBICC Journal IP WPAT 243 - PDF

Document Sample
UBICC Journal IP WPAT 243 - PDF Powered By Docstoc
					    WIRELESS PACKET ANALYZER TOOL WITH IP TRACEROUTE


                                           H. Abdul Rauf,
           Dean (CSE/IT), V.L.B. Janakiammal College of Engineering & Technology, Coimbatore

                                          A. Ebenezer Jeyakumar
                            Principal, Government College of Engineering, Salem
                                             harauf@yahoo.com


                                                  ABSTRACT
              The ability to characterize IP traffic and understand how and where it flows is
              critical for network availability, performance, security and troubleshooting.
              Monitoring IP traffic flows facilitates more accurate capacity planning and ensures
              that resources are used appropriately in support of organizational goals. It helps to
              determine where to apply Quality of Service (QoS), optimize resource usage and it
              plays a vital role in network security to detect Denial-of-Service (DoS) attacks,
              network propagated worms, and other undesirable network events. The proposed
              Wireless Packet Analyzer Tool (WPAT) facilitates solutions to many common Wi-
              Fi threats like DoS attack, Mis-associated systems from neighboring premises,
              Rogue APs etc., encountered by wireless networks. The attacks were simulated in
              an experimental set-up and WPAT is tested for required performance. A scheme
              that may effectively and efficiently combine detection, defense, and traceback may
              significantly enhance performance and mitigate false positives. The WPAT is used
              to identify the new IP and its route is traced by IP Traceback tool. The route
              contains the details such as the total number of hops, time taken for each hops in
              milliseconds and the IP address of the intermediate routers. The traced route is
              used for plotting the graph.


              Keywords: : Denial-of-Service, Wireless Packet Analyzer Tool, IP Traceback.


1   INTRODUCTION                                           coupled with filtering and post processing tools. This
                                                           paper discusses the mechanics of the proposed
    The rapid increase in the use of computers             “Wireless Packet Analyzer Tool” which is a post
coupled with the exponential growth of the Internet        processing tool coupled to an already available
has also had ramifications on the growth of crime.         sniffer.
Effective tools that can analyze and monitor the
network traffic and can also keep up with the                   The IP Traceback is the process of identifying
growing bandwidth speeds are required. Such                the actual source of attack packets. It helps in
monitoring tools help network administrators in            mitigating DoS attacks by isolating the identified
evaluating and diagnosing performance problem with         attack sources. IP Traceback is a challenging
servers, the network, hubs and applications. Careful       problem because of the Distributed anonymous
and judicious monitoring of data flowing across the        nature of DDoS attacks, the stateless nature of the
network can help detect and prevent crime and              internet, the destination oriented IP routing and the
protect intellectual property as well as privacy of        fact of having million of hosts connected to the
individuals.                                               internet. All these factors help attackers to stay
                                                           behind the scenes and hence complicate the process
    Network monitoring tools can monitor the               of traceback.
network at various levels of the network stack. Some
tools monitor only at the MAC layer whereas others              The remainder of the paper is organized as
can also monitor the network layer. Some tools can         follows: Section (2) details the theory and
extend to the application level as well. There are         background of the paper. Section (3) focuses on
only limited tools that can attempt to monitor based       Network Monitoring Tool. Section (4) emphasizes
on filtering the content of applications. Network          on IP Traceback Tool and graphical output. Section
monitoring tools are mostly “sniffers” optionally          (5) the conclusion and future scope of the paper.



                    Ubiquitous Computing and Communication Journal                                             1
                                                          for eavesdropping on network traffic.
2   BACKGROUND
                                                               Sniffers usually provide some form of protocol-
Carnivore (Smith 2000) is a tool developed by the         level analysis that allows them to decode the data
Federal Bureau of Investigation (FBI). This tool is       flowing across the network, according to the needs of
developed for the sole purpose of directed                the user. This analysis is often done on a packet by
surveillance and it can capture packets based on a        packet basis, as data flows in the network in packets.
wide range of application layer based criteria. It        Sniffing programs have been traditionally used for
functions through wire-taps across gateways and           helping in managing and administering networks.
Internet Service Provider (ISPs). Carnivore is also       Recently, sniffers have also found use with law
capable of monitoring dynamic IP address based            enforcement agencies for gathering intelligence and
networks. The capabilities of string searches in          helping in crime prevention and detection. Typically
application level content seem limited in this            such programs can be used for evaluating and
package. It can also capture E-Mail messages to and       diagnosing network related problems, debugging
from a specific user’s account and all network traffic    applications, rendering captured data, network
to and from a specific user or IP address. It can also    intrusion detection and network traffic logging.
capture headers for various protocols.
                                                          3.1 Design and Development
     PickPacket (Neeraj 2002) and (Pande and Sanghi
2005) is a monitoring tool similar to Carnivore. This           Sniffers normally dump the packets that they
tool can filter packets across the levels of the Open     capture directly to the disk. These packets usually
Systems Interconnection (OSI) network stack for           require post capture processing to render them
selected applications. Criteria for filtering can be      human readable. Most sniffers provide post-
specified for network layer and application layer for     processing and rendering tools. Sniffers that provide
applications. It also supports real-time searching for    statistics about the data captured with the sole
text string in applications and packet content. The       purpose of helping network managers in diagnosing
criteria for selecting packets in PickPacket can be       and evaluating performance problems with servers,
specified at several layers of the protocol stack. The    the network media, switches and applications are
filtering component of this tool does not inject any IP   usually     called   network    monitoring      tools.
packets onto the network. Once the IP packets have        Traditionally such tools setup alerts on various
been selected based on these criteria, they are           events, show trends of network traffic over a time
dumped to permanent storages. The tool has been           period and maintain some history information.
demonstrated to work over a 100 Mbps link. The
extensibility and the modular design of PickPacket              Each packet that is forwarded within a router or
makes it more generalized and it can be used as a         switch is examined for a set of IP packet attributes.
simple tcpdump like application and can also be           These attributes are the IP packet identity or
extended to become an intrusion detection tool.           fingerprint of the packet and determine if the packet
                                                          is unique or similar to other packets. Traditionally,
     Cisco Netflow Tool (2007) identifies new             an IP flow is based on a set of seven and up to nine
application network loads such as VoIP or remote          IP packet attributes. IP packet attributes used by
site additions. This tool use NetFlow statistics to       WPAT are IP source address, IP destination address,
measure       WAN      traffic  improvement      from     Source port, Destination port, Protocol type, Packet
application-policy changes; understand who is             Size, date and time of packet flow.
utilizing the network and the network top talkers.
Diagnose slow network performance, bandwidth                   All packets with the same source/destination IP
hogs and bandwidth utilization quickly with               address, source/destination ports, protocol interface
command line interface or reporting tools. It also has    and class of service are grouped into a flow and then
facilities to avoid costly upgrades by identifying the    packets and bytes are tallied. This methodology of
applications causing congestion. NetFlow can be           fingerprinting or determining a flow is scalable
used for anomaly detection and worm diagnosis. It         because a large amount of network information is
confirms that appropriate bandwidth has been              condensed into a database.
allocated to each Class of Service (CoS) and that no
CoS is over - or under - subscribed.                      This flow information is extremely useful for
                                                          understanding network behavior like:
3   WIRELESS PACKET ANALYSER TOOL                             • Source address allows the understanding of
                                                                  who is originating the traffic
     Network monitoring tools are often called                • Destination address tells who is receiving
sniffers. Network sniffers are software applications              the traffic
often bundled with hardware devices and are used              • Ports characterize the application utilizing




                     Ubiquitous Computing and Communication Journal                                           2
          the traffic                                    3.2 Implementation
    •     Tallied packets and bytes show the amount
          of traffic                                          The implementation is done using the
    •     Flow timestamps to understand the life of a    experimental set-up shown in Figure 2. A honeypot
          flow; timestamps are useful for calculating    system is also implemented using the same
          packets and bytes per second.                  experimental set-up. The experiments were carried
                                                         out several times until satisfactory results were
     The WPAT software creates real-time or              obtained.
historical reports from the captured data.
                                                               A sniffer tool is used to capture the raw packets
     The proposed wireless packet analyzer tool          from the network and connected to the database. The
(WPAT) as shown in the Figure 1 links with the           sniffer tool used is set to capture the packets flowing
packet sniffer tool and updates all packets already      through the specified system.
captured by the sniffer tool for every 30 seconds.
The sniffer tool is set to capture the raw packets and   3.3 Experiment 1-To Study the Packet Flow
store it in text format. The proposed WPAT links to          Information
the captured data and displays the data as shown in
the Figure 1. The analyzer tool displays another two           The experiment is conducted using the
windows showing the sum of packet flow between           experimental set-up shown in the Figure 2. Initially
starting time of capture to ending time of capture and   packets are generated from various clients, and sent
the enterprise network intruder                          to a honeypot server which is placed in an Enterprise
                                                         premises as shown in the Figure 2. A data set is
     The sum of packet flow gives consolidated           generated and a valid stream is transmitted from
details about packets captured between any time          clients to the wireless honeypot server. The data
period and further analysis of data can be made by       received by the honeypot server is captured using a
selecting any source IP and clicking the packet flow     sniffing tool and linked to the database.
details button shown in the Figure 1. The results
shown in Table 1 are produced by the report
produced by the “Packet Flow Details” button.

     The graphs shown in Figure 3 to Figure 6 are
obtained by selecting any IP address in the packet
flow between starting time of capture to ending time
window and by the report produced by graphs
button. Like wise graphs for any source IP address
can be displayed if there is any abnormality noticed
in the packet flow. These graphs show a clear picture
of the packet flow between any source IP address to
the honeypot server system.

    The “enterprise master” button is used to enter
the IP address, the MAC address and the system
name permitted to be used inside the enterprise
premises.


                                                           Figure 2. Experimental Set-up and IP Connected

                                                             The Figure 3 shows packets generated from
                                                         “update” client and sent to the “honeypot_server” as
                                                         valid stream. Likewise Figure 4 shows packets
                                                         generated from “update1” client and sent to
                                                         “honeypot_server” as valid stream. Likewise similar
                                                         valid stream generated from “update4” and
                                                         “update5wireless_client” were sent to the
                                                         “honeypot_server”. The Table 1 shows the captured
                                                         data over a period of time. The Figure 3 and Figure 4
                                                         shows a graph with packets transmitted from
        Figure 1. Wireless Packet Analyzer Tool          “update” and “update1” client over a period of time.




                     Ubiquitous Computing and Communication Journal                                           3
Table 1 illustrates the details of the packets captured
by the Honeypot server. The second column shows
the packet size captured at various instant of time.
The packets received from all connected clients by
the server like Source IP, Destination IP, Source port
and destination port are tabulated.

 Table 1 Details of the sample packets captured by
               the Honeypot server.

No      Size   Source(S) IP    Destination     S      D      Time
                               (D) IP
                                               Port   Port
                                                                         Figure 5 Packets from Permitted IP 192.168.1.112
1       162    192.168.1.111   192.168.1.113   1088   7000   12:32:52

2       52     192.168.1.113   192.168.1.111   7000   1088   12:32:53

5       40     192.168.1.112   192.168.1.113   1424   7000   12:32:53

6       72     192.168.1.113   192.168.1.112   7000   1424   12:32:53

7       1500   192.168.1.111   192.168.1.113   1088   7000   12:32:53

10      1500   192.168.1.111   192.168.1.113   1088   7000   12:32:53

13      1500   192.168.1.113   192.168.1.112   7000   1424   12:32:53

14      645    192.168.1.113   192.168.1.112   7000   1424   12:32:53

16      1500   192.168.1.113   192.168.1.112   7000   1424   12:32:53

13288   46     192.168.1.117   192.168.1.113   1041   7000   01:45:36

13291   46     192.168.1.113   192.168.1.117   7000   1041   01:45:36

13292   40     192.168.1.117   192.168.1.113   1041   7000   01:45:37

13293   65     192.168.1.113   192.168.1.117   7000   1041   01:45:37

13294   40     192.168.1.117   192.168.1.113   1041   7000   01:45:37




                                                                         Figure 6 Packets from Permitted IP 192.168.1.117

                                                                        3.4 Experiment 2- To Simulate and Detect
                                                                            Dos Attack

                                                                             In this experiment a DoS attack is detected
                                                                        using the following experimental set-up. For Dos
                                                                        Attack an experimental set-up as shown in the Figure
                                                                        7 is created. The Figure 8 shows packets generated
                                                                        from “update5wireless_client” client and sent to
                                                                        honeypot server as invalid stream. The Figure 9
                                                                        shows a graph with packets transmitted from
                                                                        “update5wireless_client” over a period of time.
 Figure 3 Packets from Permitted IP 192.168.1.110
                                                                            The Figure 9 and Figure 6 are compared and the
                                                                        graph shows very large packets received from
                                                                        “update5wireless” client than compared to packets
                                                                        received from “update” client over a period of time.
                                                                        This graphically represents attack packets sent from
                                                                        “update5wireless” client to honeypot server




 Figure 4 Packets from Permitted IP 192.168.1.111




                                                                             Figure 7 DoS Attack Experimental Set-up




                          Ubiquitous Computing and Communication Journal                                                    4
  Figure 8 Packets from “update5wireless_client”



                                                           Figure10 Experimental Set-up for Wi-Fi Threats

                                                                 Table 2 Permitted and Mis-Associated IPs


                                                           No.    IP Address      MAC ADDRESS         SYSTEM NAME        PERMISSION


                                                           1      192.168.1.110   00:A0:B0:00:0D:FF Update4


                                                           2      192.168.1.111   00:E0:20:72:36:27   Update


                                                           3      192.168.1.112   00:E0:20:75:31:42   Update1


                                                           4      192.168.1.113   00:12:F0:09:55:C9   Honeypot_Server

      Figure 9 Packets from DoS attacking IP
                  192.168.1.116                            5      192.168.1.116                                          Not Permitted


                                                           6      192.168.1.117   00:17:9A:77:FC:E5   Update6_wireless
3.5 Experiment 3- To Simulate and Detect Mis-
    Associated IPs from the Neighboring
    Premises                                             3.6 Experiment 4- To Simulate and Detect a
                                                             Rogue AP
      In this experiment a Wi-Fi threats in a no Wi-Fi
network is detected using the following experimental          In this experiment a Wi-Fi threats in a no Wi-Fi
set-up. For Mis-Associated IPs from neighboring          network is detected using the following experimental
premises an experimental set-up is created as shown      set-up. For detecting a Rogue AP an experimental
in the Figure 10.                                        set-up is created as shown in the Figure 11. A Rogue
                                                         AP is detected and auto classified from the permitted
    The Figure 10 illustrates an attack lures in         IP’s.
multiple laptops to mis-associate. Even if there is no
IEEE 802.11 AP’s most of the laptops have IEEE                Even if there is no IEEE 802.11 AP, hackers
802.11 cards and the laptop radio is default             through known or unknown sources place Rogue
configured to automatically associate with the           IEEE 802.11 AP’s in the Enterprise premises and get
strongest signal from a list of SSIDs. Hackers simply    connected to the Enterprise Network and attack the
sit outside the building with an AP configured to a      laptops which have IEEE 802.11 cards. Hackers
common SSID and wait for a number of laptops to          simply sit outside the building and attack the
connect. The Table 2 classifies the permitted IPs and    Enterprise Network. The Table 3 shows the Intruder
mis-associated IPs.                                      IP Connected to Enterprise Network.




                     Ubiquitous Computing and Communication Journal                                                                 5
                                                               The WPAT is used to find the unknown IP
                                                           address as shown in Table 4 and 5. A database is
                                                           maintained which contains all the IP addresses that
                                                           have been previously traversed.

                                                                             Table 4 WPAT Output


                                                             TYPE      SIZE       SOURCE IP       DESTINATION IP

                                                             TCP        54      203.212.180.190   121.247.106.165

                                                             TCP       477      203.212.180.190   121.247.106.165

                                                             TCP       1086       64.86.142.9     121.247.106.165

                                                             TCP       453       209.85.53.104    121.247.106.165


                                                                         Table 5 New IP Addresses

Figure 11 Experimental Set-up to Prevent Rogue AP
                  and Threats                                                     64.86.142.9

                                                                                 209.85.153.104
    Table 3 Intruder IPs Connected to Enterprise
                      Network                                                    209.85.143.97

                                                                                 209.85.153.83
Source IP       Source Dest IP       Date       Time
                MAC
                                                           4.2 Tracing the route of new IP address
192.168.1.116          192.168.1.111 28:05:2007 01:06:56

                                                               This module traces the route of new IP address.
4   TRACING CYBER ATTACKS BY THE IP                        The route contains the number of hops, time in
    TRACEBACK TOOL                                         milliseconds and the IP address of the intermediate
                                                           routers. Traceroute displays all the routers through
    The IP traceback may identify attack sources.          which data packets pass on way to the destination
However, IP traceback itself is not a detection or         system from the source system. However, the path
defense scheme. Integrating IP traceback with other        displayed by Traceroute for any IP addresses like the
functionalities such as detection and defense is the       same source to the same destination in two different
topic of interest which is experimented in this IP         sessions may or may not vary. The operations
Traceback tool.                                            performed during the tracing process are depicted as
                                                           a flowchart as shown in the Figure 12 and block
4.1Finding the New IP Address                              diagram of Trace route concept in Figure 13.

     This module finds the new IP address whose            The first step in the traceroute command is that it
route has to be traced. The sniffer output is used in      creates a packet with a TTL value of 1 and sends it to
this module. The sniffer is used to sniff both Data        the destination system. The first router on way to the
packets and Control packets. The control packet does       destination system from the source system will
not contain any information and hence their size is        discard the data packet, as the TTL value of this
small. While the data packets contain some data and        received data packet is 1. In addition, this first router
they have large size (say greater than 100 bytes). For     will also send back a "Time exceeded" error message
example, while downloading a web page or files say         to the source system. Since this “Time exceeded”
from yahoo.com or google.com, it may request for           error message received by the source system, has its
information. In that case the web server may send the      source IP Address as that of the first router. As a
packet to the host system that requested for it. Thus      result the traceroute running on the source system
the web server becomes the source and the host             will come to know this IP address of the first router.
system requesting for a packet becomes the                 In this way, the traceroute command identifies the
destination.                                               address of the first router on the path to the
                                                           destination system and displays it on the screen.




                      Ubiquitous Computing and Communication Journal                                                6
                        Start


                    Socket Initialize


                         Ttl=1




                                            NO
                      If Ttl <=255

                                  YES

                    Send UDP                            A
                Datagram to Router                                 Figure13 Block Diagram of Traceroute Concept
                                            YES
                  If Router = Destination
                                                                      When the TTL value is high enough for the data
                                                                 packet to reach the destination system, its TTL value
                                  No
                                                                 would have been decremented to 1 by the time the
                                             Print Trace Route
                                                 Complete        data packets reaches its destination. However, even
                   Decrement ttl
                                                                 though the destination system will receive a data
                                                                 packet having a TTL value of 1, it will not discard
                                            Socket Cleanup
                                                                 the packet. This is because the destination has been
                                                                 reached. Since the destination system does not
                                                                 discard the data packet that it receives, it means that
                                                 Stop            the destination system does not generate a “Time
                                                                 exceeded” error message. As a result, since no "Time
                                                                 Exceeded" error message is generated, the source
                    If ipo.tt1=0            NO                   system does not have any way by which it can ensure
                                                        A        that the destination system has been reached. Hence,
                                                                 all new IP addresses are traced and if there is any
                                                                 intruder, it is considered as a new IP address and its
                                  YES
                                                                 route is also traced. Thus the intruder is traced.
                    Send ICMP
                      Packet                                     4.3 Graphical Representation

                  Print Router IP                                    The output shown in the Table 6 is the route of
                                                                 the new IP address which is used for drawing the
                                                                 graph. The Table 6 contains the fields such as
                      ipo.ttl++                                  number of hops, time taken by each hops and the IP
                                                                 address of the intermediate routers.

                                                                               Table 6 Traceroute Table
        Figure 12 Flowchart for Traceroute
                                                                    NO.OF         TIME TAKEN          INTERMEDIATE
     Similarly, in the next step, traceroute sends a                HOPS                              ROUTERS
data packet with a TTL value of 2 to the destination                Hop 1         38 ms               203.200.140.225
system. The first router receiving this data packet                 Hop 2         45 ms               203.200.140.129
will decrement the TTL value of the packet by 1 and                 Hop 3         46 ms               203.200.140.217
then it would forward the packet to the second router               Hop 4         46 ms               59.163.16.58
on path to the destination system. This second router
                                                                    Hop 5         62 ms               59.163.16.58
would in turn, discard this packet and send back a
"Time Exceeded" error message to the source system,                 Hop 6         280 ms              59.163.16.138
revealing its IP Address. This process of sending                   Hop 7         280 ms              64.86.84.141
packets with increasing TTL values is carried out,                  Hop 8         280 ms              216.6.86.5
until the data packet has a TTL value high enough to                Hop 9         286 ms              216.6.86.10
make sure that it reaches the destination system.                   Hop 10        296 ms              64.86.142.9




                      Ubiquitous Computing and Communication Journal                                                    7
    The route traced by the Traceroute tool is                           Information Assurance, West Point, New York,
enhanced by the graphical representation which is                        pp. 326-332 (2002).
shown in the Figure 14. The hops are plotted against                [4] A.C. Snoeren, C. Partridge, L.A. Sanchez, C.E.
the milliseconds.                                                        Jones, F. Tchakountio, B. Schwartz, S.T. Kent
                                                                         and W.T. Strayer: ‘Single Packet IP Traceback’,
                                                                         IEEE/ACM Transactions on Networking, Vol.
                                Traceroute Graph                         10, pp. 721-734 (2002).
                                                                    [5] A.C. Snoeren, C. Patriridge, L.A. Sanchez, C.E.
                350                                                      Jones, S.T. Kent, F. Tehhakountio and W.T.
                300                                                      Strayer:     ‘Hash-Based       IP     Traceback’,
                                                                         Proceedings     of     ACM      Conference    on
                250
                                                                         Applications, Technologies, Architectures, and
    Time - ms




                200
                                                                         Protocols for Computer Communication, San
                150                                                      Diego, California, USA (2001).
                100                                                 [6] K. Park and H. Lee: ‘On the Effectiveness of
                 50                                                      Probabilistic Packet Marking for IP Traceback
                 0
                                                                         under DoS Attack’, Proceedings of 20th Annual
                      1     2    3   4   5   6     7   8   9   10
                                                                         Joint Conference of the IEEE Computer and
                                                                         Communication Society, Vol. 1, pp. 338-347.
                                         Hops
                                                                         (2001).
                                                                    [7] A. Mankin, D. Massey, S.F. Chien-Lung Wu
                          Figure 14 Traceroute graph                     Wu and Lixia Zhang: ‘On Design and
                                                                         Evaluation     of     'Intention-driven'   ICMP
5        CONCLUSION                                                      Traceback’, Proceedings of 10th International
                                                                         Conference on Computer Communication and
    The post processing tool proposed through                            Networks, Scottsdale, USA, pp. 159-65 (2001).
various experimental results shows that it can                      [8] J. Li, M. Sung, J. Xu and L. Li: ‘Large-Scale IP
measure the packets flowing across an enterprise                         Traceback in High-Speed Internet: Practical
network considering the wireless threats on-the-fly.                     Techniques and Theoretical Foundation’,
So a specific approach is undertaken to present a new                    Proceedings of IEEE Symposium on Security
experimental set-up for the precise measurement of                       and Privacy, Oakland, California, pp. 115-129
packets across an enterprise network with or without                     (2004).
Wi-Fi using a sniffer and a WPAT.                                   [9] C. Gong and K. Sarac: ‘IP Traceback based on
                                                                         Packet Marking and Logging’, Proceedings of
     Thus, WPAT using a IP Traceback tool is more                        IEEE       International       Conference     on
effective, when any new IP address and if the IP                         Communication, Vol. 2, pp. 1043-1047 (2005).
address is not available in the database then its route             [10] M.T. Goodrich: ‘Probabilistic Packet Marking
is traced back. Thus, when an intruder attacks with                      for Large-Scale IP Traceback’, IEEE/ACM
an IP address that is not available in the database                      Transactions on Networking, Vol. 16, No.1,
then that IP address is also considered as a new IP                      pp.15 - 24 (2008).
and the route is traced. The IP Traceback tool is                   [11] Z. Gao and N. Ansari: ‘Tracing Cyber Attacks
enabled in real time and this tool based on the ICMP                     from the Practical Perspective’, IEEE
concept proves to be efficient.                                          Communications Magazine, Vol. 43, No. 5, pp.
                                                                         123-131 (2005).
                                                                    [12] A. Belenky and N. Ansari: ‘On IP Traceback’,
6 REFERENCES
                                                                         IEEE Communications Magazine, Vol. 41, No.
[1] M. Sung and J. Xu: ‘IP Traceback-based                               7, pp. 142-153. (2003).
    Intelligent Packet Filtering: A Novel Technique                 [13] A. Belenky and N. Ansari: ‘Tracing Multiple
    for Defending Against Internet DDoS Attacks’,                        Attackers with Deterministic Packet Marking
    IEEE Transactions on Parallel and Distributed                        (DPM)’, Proceedings of IEEE Pacific Rim
    System, Vol. 14, No. 9, pp. 861-872 (2003).                          Conference Communication, Computer and
[2] Y.Tseng, H. Chen and Hsieh W: ‘Probabilistic                         Signal Processing, Victoria BC, Canada, pp. 49-
    Packet      Marking      with    Non-Preemptive                      52 (2003).
    Compensation’, IEEE Communications Letters,                     [14] A. Belenky and N. Ansari: ‘IP Traceback with
    Vol. 8, No. 6, pp. 359-361 (2004).                                   Deterministic      Packet      Marking’,    IEEE
[3] D. Wei and N. Ansari: ‘Implementing IP                               Communications Letters, Vol. 7, No. 4, pp.
    Traceback in the Internet - An ISP Perspective’,                     162-164 (2003).
    Proceedings of 3rd Annual IEEE Workshop on                      [15] C. Beak, J.A. Chaudhry, K. Lee, S. Park and M.
                                                                         Kim: ‘A Novel Packet Marketing Method in




                                  Ubiquitous Computing and Communication Journal                                        8
     DDoS Attack Detection’, Proceedings of
     American Journal of Applied Sciences, Vol. 4,
     No. 10, pp. 741-754 (2007)..
[16] Brajesh Pande: ‘Network Monitoring Tool’,
     Computer Society of India, Communications,
     November 2006, pp. 27-29. (2006).
[17] B. Pande, D. Gupta, D. Sanghi and S.K. Jain:
     ‘The Network Monitoring Tool–Pick Packet’,
     Proceedings of 3rd International Conference on
     Information Technology and Applications, Vol.
     2, pp. 191-196. (2005).
[18] P. Stephen, J. Smith and Allen Crider:
     ‘Independent Review of the Carnivore System’,
     Final Report, IIT Research Institute, Lanham,
     Maryland (2000).




H.A.Rauf received the Bachelors Degree in
Electrical and Electronics Engineering in 1987. He
completed his Masters degree in Business
Administration (M.B.A) Degree in the year 1996 and
his masters degree in Computer Science and
Engineering in the year 1999.He is currently a PhD
candidate in the faculty of Information and
Communication Engineering, Anna University of
Chennai. His research interests includes mobile
computing, Computer Networks, Network Security,
Advanced Networks and Performance Evaluation of
Computer Networks. He is currently the
Dean (CSE/IT), V.L.B. Janakiammal College of
Engineering & Technology, Coimbatore, India

Dr. Ebenezer Jeyakumar is currently the Principal of
Government College of Engineering, Salem, India.
Being an eminent professor of Anna University,
there are many students doing their research under
his guidance in various fields. Some of main areas
of research are Networking, mobile computing, high
voltage engineering and other related areas.




                    Ubiquitous Computing and Communication Journal   9

				
DOCUMENT INFO
Shared By:
Categories:
Tags: UbiCC, Journal
Stats:
views:63
posted:6/17/2010
language:English
pages:9
Description: UBICC, the Ubiquitous Computing and Communication Journal [ISSN 1992-8424], is an international scientific and educational organization dedicated to advancing the arts, sciences, and applications of information technology. With a world-wide membership, UBICC is a leading resource for computing professionals and students working in the various fields of Information Technology, and for interpreting the impact of information technology on society.
UbiCC Journal UbiCC Journal Ubiquitous Computing and Communication Journal www.ubicc.org
About UBICC, the Ubiquitous Computing and Communication Journal [ISSN 1992-8424], is an international scientific and educational organization dedicated to advancing the arts, sciences, and applications of information technology. With a world-wide membership, UBICC is a leading resource for computing professionals and students working in the various fields of Information Technology, and for interpreting the impact of information technology on society.