VIEWS: 63 PAGES: 9 CATEGORY: Research POSTED ON: 6/17/2010
UBICC, the Ubiquitous Computing and Communication Journal [ISSN 1992-8424], is an international scientific and educational organization dedicated to advancing the arts, sciences, and applications of information technology. With a world-wide membership, UBICC is a leading resource for computing professionals and students working in the various fields of Information Technology, and for interpreting the impact of information technology on society.
WIRELESS PACKET ANALYZER TOOL WITH IP TRACEROUTE H. Abdul Rauf, Dean (CSE/IT), V.L.B. Janakiammal College of Engineering & Technology, Coimbatore A. Ebenezer Jeyakumar Principal, Government College of Engineering, Salem email@example.com ABSTRACT The ability to characterize IP traffic and understand how and where it flows is critical for network availability, performance, security and troubleshooting. Monitoring IP traffic flows facilitates more accurate capacity planning and ensures that resources are used appropriately in support of organizational goals. It helps to determine where to apply Quality of Service (QoS), optimize resource usage and it plays a vital role in network security to detect Denial-of-Service (DoS) attacks, network propagated worms, and other undesirable network events. The proposed Wireless Packet Analyzer Tool (WPAT) facilitates solutions to many common Wi- Fi threats like DoS attack, Mis-associated systems from neighboring premises, Rogue APs etc., encountered by wireless networks. The attacks were simulated in an experimental set-up and WPAT is tested for required performance. A scheme that may effectively and efficiently combine detection, defense, and traceback may significantly enhance performance and mitigate false positives. The WPAT is used to identify the new IP and its route is traced by IP Traceback tool. The route contains the details such as the total number of hops, time taken for each hops in milliseconds and the IP address of the intermediate routers. The traced route is used for plotting the graph. Keywords: : Denial-of-Service, Wireless Packet Analyzer Tool, IP Traceback. 1 INTRODUCTION coupled with filtering and post processing tools. This paper discusses the mechanics of the proposed The rapid increase in the use of computers “Wireless Packet Analyzer Tool” which is a post coupled with the exponential growth of the Internet processing tool coupled to an already available has also had ramifications on the growth of crime. sniffer. Effective tools that can analyze and monitor the network traffic and can also keep up with the The IP Traceback is the process of identifying growing bandwidth speeds are required. Such the actual source of attack packets. It helps in monitoring tools help network administrators in mitigating DoS attacks by isolating the identified evaluating and diagnosing performance problem with attack sources. IP Traceback is a challenging servers, the network, hubs and applications. Careful problem because of the Distributed anonymous and judicious monitoring of data flowing across the nature of DDoS attacks, the stateless nature of the network can help detect and prevent crime and internet, the destination oriented IP routing and the protect intellectual property as well as privacy of fact of having million of hosts connected to the individuals. internet. All these factors help attackers to stay behind the scenes and hence complicate the process Network monitoring tools can monitor the of traceback. network at various levels of the network stack. Some tools monitor only at the MAC layer whereas others The remainder of the paper is organized as can also monitor the network layer. Some tools can follows: Section (2) details the theory and extend to the application level as well. There are background of the paper. Section (3) focuses on only limited tools that can attempt to monitor based Network Monitoring Tool. Section (4) emphasizes on filtering the content of applications. Network on IP Traceback Tool and graphical output. Section monitoring tools are mostly “sniffers” optionally (5) the conclusion and future scope of the paper. Ubiquitous Computing and Communication Journal 1 for eavesdropping on network traffic. 2 BACKGROUND Sniffers usually provide some form of protocol- Carnivore (Smith 2000) is a tool developed by the level analysis that allows them to decode the data Federal Bureau of Investigation (FBI). This tool is flowing across the network, according to the needs of developed for the sole purpose of directed the user. This analysis is often done on a packet by surveillance and it can capture packets based on a packet basis, as data flows in the network in packets. wide range of application layer based criteria. It Sniffing programs have been traditionally used for functions through wire-taps across gateways and helping in managing and administering networks. Internet Service Provider (ISPs). Carnivore is also Recently, sniffers have also found use with law capable of monitoring dynamic IP address based enforcement agencies for gathering intelligence and networks. The capabilities of string searches in helping in crime prevention and detection. Typically application level content seem limited in this such programs can be used for evaluating and package. It can also capture E-Mail messages to and diagnosing network related problems, debugging from a specific user’s account and all network traffic applications, rendering captured data, network to and from a specific user or IP address. It can also intrusion detection and network traffic logging. capture headers for various protocols. 3.1 Design and Development PickPacket (Neeraj 2002) and (Pande and Sanghi 2005) is a monitoring tool similar to Carnivore. This Sniffers normally dump the packets that they tool can filter packets across the levels of the Open capture directly to the disk. These packets usually Systems Interconnection (OSI) network stack for require post capture processing to render them selected applications. Criteria for filtering can be human readable. Most sniffers provide post- specified for network layer and application layer for processing and rendering tools. Sniffers that provide applications. It also supports real-time searching for statistics about the data captured with the sole text string in applications and packet content. The purpose of helping network managers in diagnosing criteria for selecting packets in PickPacket can be and evaluating performance problems with servers, specified at several layers of the protocol stack. The the network media, switches and applications are filtering component of this tool does not inject any IP usually called network monitoring tools. packets onto the network. Once the IP packets have Traditionally such tools setup alerts on various been selected based on these criteria, they are events, show trends of network traffic over a time dumped to permanent storages. The tool has been period and maintain some history information. demonstrated to work over a 100 Mbps link. The extensibility and the modular design of PickPacket Each packet that is forwarded within a router or makes it more generalized and it can be used as a switch is examined for a set of IP packet attributes. simple tcpdump like application and can also be These attributes are the IP packet identity or extended to become an intrusion detection tool. fingerprint of the packet and determine if the packet is unique or similar to other packets. Traditionally, Cisco Netflow Tool (2007) identifies new an IP flow is based on a set of seven and up to nine application network loads such as VoIP or remote IP packet attributes. IP packet attributes used by site additions. This tool use NetFlow statistics to WPAT are IP source address, IP destination address, measure WAN traffic improvement from Source port, Destination port, Protocol type, Packet application-policy changes; understand who is Size, date and time of packet flow. utilizing the network and the network top talkers. Diagnose slow network performance, bandwidth All packets with the same source/destination IP hogs and bandwidth utilization quickly with address, source/destination ports, protocol interface command line interface or reporting tools. It also has and class of service are grouped into a flow and then facilities to avoid costly upgrades by identifying the packets and bytes are tallied. This methodology of applications causing congestion. NetFlow can be fingerprinting or determining a flow is scalable used for anomaly detection and worm diagnosis. It because a large amount of network information is confirms that appropriate bandwidth has been condensed into a database. allocated to each Class of Service (CoS) and that no CoS is over - or under - subscribed. This flow information is extremely useful for understanding network behavior like: 3 WIRELESS PACKET ANALYSER TOOL • Source address allows the understanding of who is originating the traffic Network monitoring tools are often called • Destination address tells who is receiving sniffers. Network sniffers are software applications the traffic often bundled with hardware devices and are used • Ports characterize the application utilizing Ubiquitous Computing and Communication Journal 2 the traffic 3.2 Implementation • Tallied packets and bytes show the amount of traffic The implementation is done using the • Flow timestamps to understand the life of a experimental set-up shown in Figure 2. A honeypot flow; timestamps are useful for calculating system is also implemented using the same packets and bytes per second. experimental set-up. The experiments were carried out several times until satisfactory results were The WPAT software creates real-time or obtained. historical reports from the captured data. A sniffer tool is used to capture the raw packets The proposed wireless packet analyzer tool from the network and connected to the database. The (WPAT) as shown in the Figure 1 links with the sniffer tool used is set to capture the packets flowing packet sniffer tool and updates all packets already through the specified system. captured by the sniffer tool for every 30 seconds. The sniffer tool is set to capture the raw packets and 3.3 Experiment 1-To Study the Packet Flow store it in text format. The proposed WPAT links to Information the captured data and displays the data as shown in the Figure 1. The analyzer tool displays another two The experiment is conducted using the windows showing the sum of packet flow between experimental set-up shown in the Figure 2. Initially starting time of capture to ending time of capture and packets are generated from various clients, and sent the enterprise network intruder to a honeypot server which is placed in an Enterprise premises as shown in the Figure 2. A data set is The sum of packet flow gives consolidated generated and a valid stream is transmitted from details about packets captured between any time clients to the wireless honeypot server. The data period and further analysis of data can be made by received by the honeypot server is captured using a selecting any source IP and clicking the packet flow sniffing tool and linked to the database. details button shown in the Figure 1. The results shown in Table 1 are produced by the report produced by the “Packet Flow Details” button. The graphs shown in Figure 3 to Figure 6 are obtained by selecting any IP address in the packet flow between starting time of capture to ending time window and by the report produced by graphs button. Like wise graphs for any source IP address can be displayed if there is any abnormality noticed in the packet flow. These graphs show a clear picture of the packet flow between any source IP address to the honeypot server system. The “enterprise master” button is used to enter the IP address, the MAC address and the system name permitted to be used inside the enterprise premises. Figure 2. Experimental Set-up and IP Connected The Figure 3 shows packets generated from “update” client and sent to the “honeypot_server” as valid stream. Likewise Figure 4 shows packets generated from “update1” client and sent to “honeypot_server” as valid stream. Likewise similar valid stream generated from “update4” and “update5wireless_client” were sent to the “honeypot_server”. The Table 1 shows the captured data over a period of time. The Figure 3 and Figure 4 shows a graph with packets transmitted from Figure 1. Wireless Packet Analyzer Tool “update” and “update1” client over a period of time. Ubiquitous Computing and Communication Journal 3 Table 1 illustrates the details of the packets captured by the Honeypot server. The second column shows the packet size captured at various instant of time. The packets received from all connected clients by the server like Source IP, Destination IP, Source port and destination port are tabulated. Table 1 Details of the sample packets captured by the Honeypot server. No Size Source(S) IP Destination S D Time (D) IP Port Port Figure 5 Packets from Permitted IP 192.168.1.112 1 162 192.168.1.111 192.168.1.113 1088 7000 12:32:52 2 52 192.168.1.113 192.168.1.111 7000 1088 12:32:53 5 40 192.168.1.112 192.168.1.113 1424 7000 12:32:53 6 72 192.168.1.113 192.168.1.112 7000 1424 12:32:53 7 1500 192.168.1.111 192.168.1.113 1088 7000 12:32:53 10 1500 192.168.1.111 192.168.1.113 1088 7000 12:32:53 13 1500 192.168.1.113 192.168.1.112 7000 1424 12:32:53 14 645 192.168.1.113 192.168.1.112 7000 1424 12:32:53 16 1500 192.168.1.113 192.168.1.112 7000 1424 12:32:53 13288 46 192.168.1.117 192.168.1.113 1041 7000 01:45:36 13291 46 192.168.1.113 192.168.1.117 7000 1041 01:45:36 13292 40 192.168.1.117 192.168.1.113 1041 7000 01:45:37 13293 65 192.168.1.113 192.168.1.117 7000 1041 01:45:37 13294 40 192.168.1.117 192.168.1.113 1041 7000 01:45:37 Figure 6 Packets from Permitted IP 192.168.1.117 3.4 Experiment 2- To Simulate and Detect Dos Attack In this experiment a DoS attack is detected using the following experimental set-up. For Dos Attack an experimental set-up as shown in the Figure 7 is created. The Figure 8 shows packets generated from “update5wireless_client” client and sent to honeypot server as invalid stream. The Figure 9 shows a graph with packets transmitted from “update5wireless_client” over a period of time. Figure 3 Packets from Permitted IP 192.168.1.110 The Figure 9 and Figure 6 are compared and the graph shows very large packets received from “update5wireless” client than compared to packets received from “update” client over a period of time. This graphically represents attack packets sent from “update5wireless” client to honeypot server Figure 4 Packets from Permitted IP 192.168.1.111 Figure 7 DoS Attack Experimental Set-up Ubiquitous Computing and Communication Journal 4 Figure 8 Packets from “update5wireless_client” Figure10 Experimental Set-up for Wi-Fi Threats Table 2 Permitted and Mis-Associated IPs No. IP Address MAC ADDRESS SYSTEM NAME PERMISSION 1 192.168.1.110 00:A0:B0:00:0D:FF Update4 2 192.168.1.111 00:E0:20:72:36:27 Update 3 192.168.1.112 00:E0:20:75:31:42 Update1 4 192.168.1.113 00:12:F0:09:55:C9 Honeypot_Server Figure 9 Packets from DoS attacking IP 192.168.1.116 5 192.168.1.116 Not Permitted 6 192.168.1.117 00:17:9A:77:FC:E5 Update6_wireless 3.5 Experiment 3- To Simulate and Detect Mis- Associated IPs from the Neighboring Premises 3.6 Experiment 4- To Simulate and Detect a Rogue AP In this experiment a Wi-Fi threats in a no Wi-Fi network is detected using the following experimental In this experiment a Wi-Fi threats in a no Wi-Fi set-up. For Mis-Associated IPs from neighboring network is detected using the following experimental premises an experimental set-up is created as shown set-up. For detecting a Rogue AP an experimental in the Figure 10. set-up is created as shown in the Figure 11. A Rogue AP is detected and auto classified from the permitted The Figure 10 illustrates an attack lures in IP’s. multiple laptops to mis-associate. Even if there is no IEEE 802.11 AP’s most of the laptops have IEEE Even if there is no IEEE 802.11 AP, hackers 802.11 cards and the laptop radio is default through known or unknown sources place Rogue configured to automatically associate with the IEEE 802.11 AP’s in the Enterprise premises and get strongest signal from a list of SSIDs. Hackers simply connected to the Enterprise Network and attack the sit outside the building with an AP configured to a laptops which have IEEE 802.11 cards. Hackers common SSID and wait for a number of laptops to simply sit outside the building and attack the connect. The Table 2 classifies the permitted IPs and Enterprise Network. The Table 3 shows the Intruder mis-associated IPs. IP Connected to Enterprise Network. Ubiquitous Computing and Communication Journal 5 The WPAT is used to find the unknown IP address as shown in Table 4 and 5. A database is maintained which contains all the IP addresses that have been previously traversed. Table 4 WPAT Output TYPE SIZE SOURCE IP DESTINATION IP TCP 54 18.104.22.168 22.214.171.124 TCP 477 126.96.36.199 188.8.131.52 TCP 1086 184.108.40.206 220.127.116.11 TCP 453 18.104.22.168 22.214.171.124 Table 5 New IP Addresses Figure 11 Experimental Set-up to Prevent Rogue AP and Threats 126.96.36.199 188.8.131.52 Table 3 Intruder IPs Connected to Enterprise Network 184.108.40.206 220.127.116.11 Source IP Source Dest IP Date Time MAC 4.2 Tracing the route of new IP address 192.168.1.116 192.168.1.111 28:05:2007 01:06:56 This module traces the route of new IP address. 4 TRACING CYBER ATTACKS BY THE IP The route contains the number of hops, time in TRACEBACK TOOL milliseconds and the IP address of the intermediate routers. Traceroute displays all the routers through The IP traceback may identify attack sources. which data packets pass on way to the destination However, IP traceback itself is not a detection or system from the source system. However, the path defense scheme. Integrating IP traceback with other displayed by Traceroute for any IP addresses like the functionalities such as detection and defense is the same source to the same destination in two different topic of interest which is experimented in this IP sessions may or may not vary. The operations Traceback tool. performed during the tracing process are depicted as a flowchart as shown in the Figure 12 and block 4.1Finding the New IP Address diagram of Trace route concept in Figure 13. This module finds the new IP address whose The first step in the traceroute command is that it route has to be traced. The sniffer output is used in creates a packet with a TTL value of 1 and sends it to this module. The sniffer is used to sniff both Data the destination system. The first router on way to the packets and Control packets. The control packet does destination system from the source system will not contain any information and hence their size is discard the data packet, as the TTL value of this small. While the data packets contain some data and received data packet is 1. In addition, this first router they have large size (say greater than 100 bytes). For will also send back a "Time exceeded" error message example, while downloading a web page or files say to the source system. Since this “Time exceeded” from yahoo.com or google.com, it may request for error message received by the source system, has its information. In that case the web server may send the source IP Address as that of the first router. As a packet to the host system that requested for it. Thus result the traceroute running on the source system the web server becomes the source and the host will come to know this IP address of the first router. system requesting for a packet becomes the In this way, the traceroute command identifies the destination. address of the first router on the path to the destination system and displays it on the screen. Ubiquitous Computing and Communication Journal 6 Start Socket Initialize Ttl=1 NO If Ttl <=255 YES Send UDP A Datagram to Router Figure13 Block Diagram of Traceroute Concept YES If Router = Destination When the TTL value is high enough for the data packet to reach the destination system, its TTL value No would have been decremented to 1 by the time the Print Trace Route Complete data packets reaches its destination. However, even Decrement ttl though the destination system will receive a data packet having a TTL value of 1, it will not discard Socket Cleanup the packet. This is because the destination has been reached. Since the destination system does not discard the data packet that it receives, it means that Stop the destination system does not generate a “Time exceeded” error message. As a result, since no "Time Exceeded" error message is generated, the source If ipo.tt1=0 NO system does not have any way by which it can ensure A that the destination system has been reached. Hence, all new IP addresses are traced and if there is any intruder, it is considered as a new IP address and its YES route is also traced. Thus the intruder is traced. Send ICMP Packet 4.3 Graphical Representation Print Router IP The output shown in the Table 6 is the route of the new IP address which is used for drawing the graph. The Table 6 contains the fields such as ipo.ttl++ number of hops, time taken by each hops and the IP address of the intermediate routers. Table 6 Traceroute Table Figure 12 Flowchart for Traceroute NO.OF TIME TAKEN INTERMEDIATE Similarly, in the next step, traceroute sends a HOPS ROUTERS data packet with a TTL value of 2 to the destination Hop 1 38 ms 18.104.22.168 system. The first router receiving this data packet Hop 2 45 ms 22.214.171.124 will decrement the TTL value of the packet by 1 and Hop 3 46 ms 126.96.36.199 then it would forward the packet to the second router Hop 4 46 ms 188.8.131.52 on path to the destination system. This second router Hop 5 62 ms 184.108.40.206 would in turn, discard this packet and send back a "Time Exceeded" error message to the source system, Hop 6 280 ms 220.127.116.11 revealing its IP Address. This process of sending Hop 7 280 ms 18.104.22.168 packets with increasing TTL values is carried out, Hop 8 280 ms 22.214.171.124 until the data packet has a TTL value high enough to Hop 9 286 ms 126.96.36.199 make sure that it reaches the destination system. Hop 10 296 ms 188.8.131.52 Ubiquitous Computing and Communication Journal 7 The route traced by the Traceroute tool is Information Assurance, West Point, New York, enhanced by the graphical representation which is pp. 326-332 (2002). shown in the Figure 14. The hops are plotted against  A.C. Snoeren, C. Partridge, L.A. Sanchez, C.E. the milliseconds. Jones, F. Tchakountio, B. Schwartz, S.T. Kent and W.T. Strayer: ‘Single Packet IP Traceback’, IEEE/ACM Transactions on Networking, Vol. Traceroute Graph 10, pp. 721-734 (2002).  A.C. Snoeren, C. Patriridge, L.A. Sanchez, C.E. 350 Jones, S.T. Kent, F. Tehhakountio and W.T. 300 Strayer: ‘Hash-Based IP Traceback’, Proceedings of ACM Conference on 250 Applications, Technologies, Architectures, and Time - ms 200 Protocols for Computer Communication, San 150 Diego, California, USA (2001). 100  K. Park and H. Lee: ‘On the Effectiveness of 50 Probabilistic Packet Marking for IP Traceback 0 under DoS Attack’, Proceedings of 20th Annual 1 2 3 4 5 6 7 8 9 10 Joint Conference of the IEEE Computer and Communication Society, Vol. 1, pp. 338-347. Hops (2001).  A. Mankin, D. Massey, S.F. Chien-Lung Wu Figure 14 Traceroute graph Wu and Lixia Zhang: ‘On Design and Evaluation of 'Intention-driven' ICMP 5 CONCLUSION Traceback’, Proceedings of 10th International Conference on Computer Communication and The post processing tool proposed through Networks, Scottsdale, USA, pp. 159-65 (2001). various experimental results shows that it can  J. Li, M. Sung, J. Xu and L. Li: ‘Large-Scale IP measure the packets flowing across an enterprise Traceback in High-Speed Internet: Practical network considering the wireless threats on-the-fly. Techniques and Theoretical Foundation’, So a specific approach is undertaken to present a new Proceedings of IEEE Symposium on Security experimental set-up for the precise measurement of and Privacy, Oakland, California, pp. 115-129 packets across an enterprise network with or without (2004). Wi-Fi using a sniffer and a WPAT.  C. Gong and K. Sarac: ‘IP Traceback based on Packet Marking and Logging’, Proceedings of Thus, WPAT using a IP Traceback tool is more IEEE International Conference on effective, when any new IP address and if the IP Communication, Vol. 2, pp. 1043-1047 (2005). address is not available in the database then its route  M.T. Goodrich: ‘Probabilistic Packet Marking is traced back. Thus, when an intruder attacks with for Large-Scale IP Traceback’, IEEE/ACM an IP address that is not available in the database Transactions on Networking, Vol. 16, No.1, then that IP address is also considered as a new IP pp.15 - 24 (2008). and the route is traced. The IP Traceback tool is  Z. Gao and N. Ansari: ‘Tracing Cyber Attacks enabled in real time and this tool based on the ICMP from the Practical Perspective’, IEEE concept proves to be efficient. Communications Magazine, Vol. 43, No. 5, pp. 123-131 (2005).  A. Belenky and N. Ansari: ‘On IP Traceback’, 6 REFERENCES IEEE Communications Magazine, Vol. 41, No.  M. Sung and J. Xu: ‘IP Traceback-based 7, pp. 142-153. (2003). Intelligent Packet Filtering: A Novel Technique  A. Belenky and N. Ansari: ‘Tracing Multiple for Defending Against Internet DDoS Attacks’, Attackers with Deterministic Packet Marking IEEE Transactions on Parallel and Distributed (DPM)’, Proceedings of IEEE Pacific Rim System, Vol. 14, No. 9, pp. 861-872 (2003). Conference Communication, Computer and  Y.Tseng, H. Chen and Hsieh W: ‘Probabilistic Signal Processing, Victoria BC, Canada, pp. 49- Packet Marking with Non-Preemptive 52 (2003). Compensation’, IEEE Communications Letters,  A. Belenky and N. Ansari: ‘IP Traceback with Vol. 8, No. 6, pp. 359-361 (2004). Deterministic Packet Marking’, IEEE  D. Wei and N. Ansari: ‘Implementing IP Communications Letters, Vol. 7, No. 4, pp. Traceback in the Internet - An ISP Perspective’, 162-164 (2003). Proceedings of 3rd Annual IEEE Workshop on  C. Beak, J.A. Chaudhry, K. Lee, S. Park and M. Kim: ‘A Novel Packet Marketing Method in Ubiquitous Computing and Communication Journal 8 DDoS Attack Detection’, Proceedings of American Journal of Applied Sciences, Vol. 4, No. 10, pp. 741-754 (2007)..  Brajesh Pande: ‘Network Monitoring Tool’, Computer Society of India, Communications, November 2006, pp. 27-29. (2006).  B. Pande, D. Gupta, D. Sanghi and S.K. Jain: ‘The Network Monitoring Tool–Pick Packet’, Proceedings of 3rd International Conference on Information Technology and Applications, Vol. 2, pp. 191-196. (2005).  P. Stephen, J. Smith and Allen Crider: ‘Independent Review of the Carnivore System’, Final Report, IIT Research Institute, Lanham, Maryland (2000). H.A.Rauf received the Bachelors Degree in Electrical and Electronics Engineering in 1987. He completed his Masters degree in Business Administration (M.B.A) Degree in the year 1996 and his masters degree in Computer Science and Engineering in the year 1999.He is currently a PhD candidate in the faculty of Information and Communication Engineering, Anna University of Chennai. His research interests includes mobile computing, Computer Networks, Network Security, Advanced Networks and Performance Evaluation of Computer Networks. He is currently the Dean (CSE/IT), V.L.B. Janakiammal College of Engineering & Technology, Coimbatore, India Dr. Ebenezer Jeyakumar is currently the Principal of Government College of Engineering, Salem, India. Being an eminent professor of Anna University, there are many students doing their research under his guidance in various fields. Some of main areas of research are Networking, mobile computing, high voltage engineering and other related areas. Ubiquitous Computing and Communication Journal 9
Pages to are hidden for
"UBICC Journal IP WPAT 243 - PDF"Please download to view full document