CIT- 100 Tracking and Tracing Spoofed IP Packets to Their So(4)

As the Internet becomes increasingly important as a business infrastructure, the number of attacks on it, especially denial of service (DoS) attacks grows. A DoS attack is an attempt by a person or a group of persons to cripple an online service. Consequen

College of Information Technology

Ethernet subnet as the target, both the source IP address and the Ethernet MAC would be spoofed. If the spoofed source address was an external address, the MAC would be that of the router. This implies that other techniques are required.

3.2 Non-routing methods

Computers receiving a packet can determine if the packet is spoofed by a number of active and passive ways. We use the term active to mean the host must perform some network action to verify that the packet was sent from the claimed source. Passive methods require no such action, however an active method may be used to validate cases where the passive method indicates the packet was spoofed.

3.3 Active Methods

Active methods either make queries to determine the true source of the packet (reactive), or affect protocol specific commands for the sender to act upon (proactive). These methods have an advantage over routing methods in that they do not require cooperation between ISPs and can be effective even when the attacker is on the same subnet as the target. Active methods require a response from the claimed source. Only if the spoofed host is active (i.e. connected to the network and receiving and processing packets) can it be probed.

A host that is heavy firewalled and cannot respond to probes is effectively inactive. Because inactive hosts are commonly used as source addresses in spoofed packets, if these packets are seen in an attack, it is likely they are spoofed. When hosts will not respond to any probes, passive methods will be required for corroboration.

TTL methods

As IP packets are routed across the Internet, the time-to-live (TTL) field is decremented. This field in the IP packet header is used to prevent packets from being routed endlessly when the destination host can not be located in a fixed number of hops. It is also used by some networked devices to prevent packets from being sent beyond a host’s network subnet. The TTL is a useful value for detecting spoofed packets. Its use is based on several assumptions, which, from our network observations, appear to be true.?

IP Identification Number

As discussed in the section on Bounce Scanning, the sending host increments the Identification Number (ID) in the IP header with each packet sent. Because this is a value that is easily probed and changes in its value are predictable, we can use it to determine if a packet is spoofed. Unlike TTL values, IP ID numbers can be used to detect spoofed packets even when the attacker and the target are on the same subnet.

If we send probe packets to the claimed source and we receive a reply, the ID values should be near the value of questionable packets recently received from the host. Also, the ID values observed in the probe should be greater than the ID values in the questionable packets. If not the packets were likely not sent by the claimed source. If the host associated with the claimed source is very active, the ID values may change rapidly. To be effective, the probes must be done very close in time to receipt of the questionable packets.

.

OS Fingerprinting

The above techniques illustrate aspects of the more general task of OS fingerprinting where a series of various probes are used to identify the operating system of a particular host. Active fingerprinting refers to direct probing of a computer, while passive fingerprinting refers to monitoring traffic and comparing it to expected norms for different OSs. We can perform a limited passive fingerprint as we observe network traffic from a particular host, then by comparing this to an active OS fingerprint, we can determine if the two are likely to be the same OS. If not we can infer the packets are spoofed.

TCP Specific Methods

Flow Control

The TCP header includes a window size field. This is used to communicate the maximum amount of data the recipient can currently receive. This can also be interpreted as the maximum amount of data the sender can transmit without an acknowledgement from the recipient. This is the TCP flow control method. If the window size is set to zero, the sender should not send more data. If the packets we are receiving are spoofed, then the sender will never see the recipient’s ACK-packets. This implies that the sender will not respond to flow control. If the recipient does not send any ACK-packets, the sender should stop after the initial window size is exhausted. If it does not, it is likely the packets are spoofed. One way of implementing this check is to always send an initial window size that is extremely small. If packets received exceed this threshold, we can infer the packets are spoofed. Because spoofing replies with the correct sequence number to multiple TCP packets may be challenging, most spoofed TCP connections do not progress past the first ACK-packet. This implies that the best chance to detect spoofed packets requires it be The Sixth Annual U.A.E. Research Conference CIT - 103