Computer Communication Report

The document presents a technique called marking based detection to detect and prevent IP spoofing attacks. It involves a learning phase to develop a database of genuine source IP addresses and their associated markings. During the filtering phase, incoming packets are checked against this database. If the marking does not match what is stored, the packet is identified as spoofed and dropped. Future work includes transmitting echo messages to verify route changes and provision for authentication to further enhance security.

Uploaded by

varun varma

Computer Communication, Wireless and Mobile

Communications and Information Theory and Coding


Project report
DETECTING AND PREVENTING IP SPOOFED ATTACK BY
MARKING BASED DETECTION
Under the Guidance of
Prof. Subhashini, Prof. NagaJayanthi and Prof. Revathi
BY
Kumar

R. Naresh
P. Varun Varma

Vardhan
Abhilash

P. Vishnu
P. Surya

ABSTRACT:
IP spoofing is the creation of IP packets with a forged source IP
address in order to impersonate another computing system. It is the
act of masking a computer's IP address so that it looks authentic. In
IP spoofing, IP headers are masked through a form of Transmission
Control Protocol (TCP) in which spoofers discover and then manipulate
vital information contained in the IP header, such as the IP address
and the source and destination information. IP spoofing is mostly used
in Denial-of-Service attacks. In this kind of attack, the attacker's
goal is to flood the victim with overwhelming amounts of traffic, and
the attacker does not care about receiving responses to the attack
packets. Spoofed packets have additional advantages for the attacker:
they are more difficult to filter, since each spoofed packet appears
to come from a different address, and they hide the true source of the
attack. IP spoofing is most effective where trust relationships exist
between machines. There are various techniques to detect IP spoofing.
The present work is about detecting the spoofed packets coming from
the attacker and preventing them. The technique used for detecting and
preventing IP spoofing is MARKING BASED DETECTION. Backscattering is a
technique used to observe denial-of-service attack activity in the
Internet. The present work discusses the various stages involved and
its effective use in detecting spoofed packets.

Introduction:
Communication between systems in a wireless local area network has
been in great demand over the past few years, since the evolution of
wireless data transfer. The requirements for high-speed data and
improved quality of service have been increasing to meet people's
demand. Initially, wireless communication systems were designed to
meet the needs of mobile subscribers; they later evolved into advanced
systems comprising computers etc. Communication between computers
became possible with the introduction of the Internet Protocol, the
principal communication protocol responsible for internetworking and
for establishing the Internet. With the increase in demand, the
capacity of the channels has been increased by introducing different
multiplexing schemes such as TDMA, FDMA, SDMA etc., wherein the user
is allocated channels in the broadband, wideband or ultra-wideband
spectrum depending on the data rate he/she demands.

With the increase in users who crave wireless networks, security
concerns have also been rising dramatically. Hence authentication has
been given prime importance in any wireless network and is regarded as
an important aspect in determining the Quality of Service of a
network. In most wireless mobile communication the information can be
tapped between the transmitter and the receiver, and hence the
information can be secured by using spread spectrum technologies and
several other techniques. But, unlike mobile communications,
internetworking has several security concerns such as hacking, IP
spoofing etc., which occur at the source of either the transmitter or
the receiver.

Attacks like IP SPOOFING are inherent in the Internet Protocol due to
the improper design of IPv4. Our main AIM in this project is to
isolate the denial-of-service attack, which is an application of IP
spoofing.

Expected outcome:
An efficient algorithm which can detect spoofed packets and prevent
them from entering the network, thereby protecting the TRUSTED USER
from Denial-of-Service.
PROCEDURE:
The procedure (algorithm) proposed is Back MARKING Based Detection,
which is effective in detecting and preventing IP spoofed packets. In
a DDoS attack, the attacker's main aim is to flood the target with
heavy traffic by sending a huge number of packets, so that the server
responds in the belief that these packets originated from the source
IP address with which they were spoofed. So if the server fails to
detect that these packets have been spoofed, it sends packets to that
source, where it (the target) is not going to respond at all,
ultimately resulting in Denial of Service. So, in order to prevent IP
spoofing, the main requirement is to detect these spoofed packets at
the point where the SERVER is located.
The various steps on which the entire MARKING Based Detection works
are:
(1). Learning Phase
(2). DataBase Construction
(3). Normal Filtering Procedure
(4). Route Change Consideration
To distinguish the spoofed packets, the firewall needs to keep a
record of the genuine markings. In the Learning Phase, a particular
period of time is fixed during which no attacks will happen.
In the Database Construction phase, the firewall develops the database
of genuine and unique markings. In this process, the packet coming
from the user contains an IP header in which the source and
destination addresses are stored. After the IP packet leaves the
source, it passes through many routers on its way to the destination.
At each router, an XOR operation is performed on the router address
and the IP address, and the result is stored as a temporary marking.
At each subsequent router, the temporary marking is replaced by the
newly calculated marking. When the packet reaches the SERVER, the
marking is stored against the source IP address in the database.
After the database is created, the firewall begins its Normal
Filtering Procedure. A packet from an IP address recorded in the
database is accepted if it has a consistent, matching marking;
otherwise it is dropped, and we say the corresponding IP packet has
been spoofed. This is how detection and prevention of IP spoofing is
done.
The Route Change Consideration is a special case. Though routes on the
Internet are relatively stable, they are not invariable. Once the
route between two hosts has changed, the packet received by the
destination will have a marking different from the one stored in the
Filter Table, so it may be dropped according to the basic filtering
scheme. To take route changes into consideration, we introduce another
counter called SMC, which counts the number of mismatching packets for
any IP address A. When the value of SMC_A reaches a threshold, the
entry (A, Marking_A) is copied to the Check List to test whether the
route from this source has changed, and SMC_A is reset to zero. If the
new marking is verified by the Check List verification process, the
marking for this IP address is updated in the Filter Table. Otherwise,
the original marking is preserved. Unless the route change has been
verified, the original marking is still used to filter packets.
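
The filtering and route-change logic described above, as a small simulation added here (not code from the report). It assumes the marking starts as the source address and each router XORs its own address into it; the SMC threshold of 3, the `unknown` result for unrecorded sources and all addresses are constructed for illustration, and the Check List verification is reduced to a boolean outcome.

```python
import ipaddress

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def path_marking(src, routers):
    # Assumed reading of the scheme: the marking starts as the source
    # address and every router on the path XORs its own address into it.
    mark = ip_int(src)
    for router in routers:
        mark ^= ip_int(router)
    return mark

class MarkingFilter:
    def __init__(self, smc_threshold=3):   # threshold value is an assumption
        self.filter_table = {}   # source IP -> genuine marking
        self.smc = {}            # source IP -> count of mismatching packets
        self.check_list = {}     # source IP -> marking awaiting verification
        self.smc_threshold = smc_threshold

    def learn(self, src, marking):
        # Learning phase: traffic is assumed attack-free, so record it.
        self.filter_table[src] = marking

    def filter(self, src, marking):
        # Filtering phase for sources recorded in the database.
        if src not in self.filter_table:
            return "unknown"     # the report defines no rule for this case
        if marking == self.filter_table[src]:
            return "accept"
        self.smc[src] = self.smc.get(src, 0) + 1
        if self.smc[src] >= self.smc_threshold:
            # Possible route change: queue the new marking, reset SMC.
            self.check_list[src] = marking
            self.smc[src] = 0
        return "drop"            # original marking still filters packets

    def verify(self, src, echo_reply_matches):
        # Outcome of the Check List verification (echo exchange not modelled).
        candidate = self.check_list.pop(src, None)
        if candidate is not None and echo_reply_matches:
            self.filter_table[src] = candidate
            return True
        return False

# Constructed sample data (documentation address ranges).
SRC = "192.0.2.10"
OLD_PATH = ["198.51.100.1", "203.0.113.1"]
NEW_PATH = ["198.51.100.77", "203.0.113.1"]
```

A mismatching packet is dropped even while its marking sits in the Check List; only a successful verification replaces the Filter Table entry.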

Future work:
1. Transmitting echo messages:
To verify the markings in the Check List, a random echo message is
sent periodically to the source address for each (IP-address, Marking)
pair in the Check List, and a counter records the number of echo
messages that have been sent for it.
To prevent the reply from being imitated by the attacker, the content
of the echo message is recorded in the Check List and compared with
the content of the reply received.
On receiving an echo reply from the source, the marking can be
verified and the (IP-address, Marking) pair is moved to the DataBase;
otherwise, it indicates that the previously received packet was
spoofed, and the pair is deleted from the Check List.
If the counter in the Check List shows that more than d (= 10) echo
messages have been sent to an IP address x, the entry for this IP
address is removed from the Check List, since in this situation the
source IP must be either non-existent or inactive, so the packets
received with this source address are coming from the attacker and
need to be rejected.
2. Provision for authentication:
To avoid computing the XOR of each router's address with the address
present in the data header, which greatly increases the computation
and also increases the delay, a provision for authentication can be
given to the receiver system.
Providing authentication for both the sender and the receiver
increases security and can also be used to keep the attacker out of
the network unless he gets hold of the username and password used for
authentication.
3. Use of other mathematical functions for Marking:
We used a simple XOR operation for marking the IP packets at each and
every router. Instead, a cyclic left shift followed by XOR, or any
other more complex mathematical operation, can be performed on the IP
address to avoid packet sniffing once all the addresses of the routers
are known by the spoofer; that is, increase the complexity.

RESULT:
