Comprehensive Security Mechanism for Defending Cyber Attacks based upon Spoofing and Poisoning

Authors

  • Alok Pandey
  • Jatinderkumar R. Saini
Abstract

Much attention needs to be paid to the different types of security threats and related attacks in the LAN and the interconnected environment. A variety of controls and counter mechanisms covering different layers of the TCP/IP protocol suite are already available, but most of them have several issues related to cost, compatibility, interoperability, manageability, effectiveness etc., and hence multiple protection devices need to be installed. In this paper we propose a comprehensive security mechanism which can detect and guard against a variety of spoofing and sniffing based cyber attacks in local area networks. The solution does not require any additional hardware and is fully backward compatible with existing versions of ARP, as no modifications are required to the existing LAN protocols. It also provides the necessary detection and mitigation mechanisms for the common types of DoS and MITM attacks, and provides mobility along with a consistent working environment to users as they roam around on different networks.

Index Terms – ARP Spoofing, Denial-of-Service (DoS), LAN, Man-In-The-Middle (MITM), Security

1.0 INTRODUCTION & RELATED WORKS

Although a lot of effort has been made by the research community to secure network based communication, there are still problems which need to be resolved. More attention needs to be paid to the different types of security threats and related attacks in the LAN and the interconnected environment. Malicious users can launch different types of network attacks based upon sniffing and spoofing techniques and gather information which could be used for penetrating further into the network for theft of and damage to data. The TCP/IP protocol suite was initially developed with the prime consideration of communication, and as such much attention was not paid to the related security aspects. Attackers exploit some of the known weaknesses of the individual protocols of the TCP/IP suite, like ARP, ICMP, IP, TCP and UDP.
Alok Pandey: Senior Systems Manager, Birla Institute of Technology, Mesra, Jaipur Campus, Rajasthan, India, Email Id: [email protected]. Jatinderkumar R. Saini: Professor & I/C Director, Narmada College of Computer Application, Bharuch, Gujarat, India, Email Id: [email protected]

Some common attacking strategies adopted by attackers are Intrusions, Denial of Service [1] (DoS and DDoS), and Interception and re-routing of the communication. In a typical LAN environment, an internal user can launch different types of network attacks based upon sniffing and spoofing techniques, capture sensitive information like user names, passwords, IP addresses, port numbers and other proprietary data [2], and use it for penetrating further into the network for theft of and damage to data. Capturing and analyzing TCP/IP packets on a network for stealing network based information is called Sniffing [3]. Another well known technique for launching attacks in network environments is Spoofing [4]. This underlines the need for reliable techniques for the detection of sniffing and spoofing based activities and related attacks on the network. Attackers craft and inject bogus packets by exploiting the Raw Socket Programming feature which is offered by most programming languages today. Spoofing is the process of creating and injecting fake TCP/IP packets carrying someone else's identification onto the network [5], whereas in MITM the entire session is hijacked by the attacker for stealing data. Protocols like IP and ARP are exploited [6] for launching attacks like Port Scanning, ARP Cache Poisoning, Changing of the Default Gateway, ICMP Redirect, DHCP Poisoning, DNS Poisoning etc. Based upon IP spoofing, which involves forging the IP address of the source device, different types of attacks can be launched [7], whereas attacks like DoS and MITM can be achieved using ARP spoofing. The Address Resolution Protocol (ARP) is used for finding out the MAC address [8] of the destination device on a LAN.
BIJIT – BVICAM's International Journal of Information Technology; Copyright © BIJIT 2016; July–December 2016; Vol. 8 No. 2; ISSN 0973-5658; p. 1012

ARP stores such mappings of IP addresses to MAC addresses in temporary storage called the ARP cache for future use [9]. This cache is updated from time to time. Whenever a system has to transmit a frame, it first checks its ARP cache to locate the MAC address corresponding to the receiver [10]. ARP uses two types of messages, namely ARP request and ARP reply, which are encapsulated inside an Ethernet frame. The Ethernet header contains the MAC addresses of the sending and receiving devices along with the value 0x0806 in the Ethernet type field [11]. The frame also contains the IP and MAC addresses of the sender and receiver along with an operation code as part of the ARP message. Entries can be added to the ARP cache either statically or dynamically [12]. To support DHCP enabled hosts, these entries are removed from the cache periodically. Devices update their ARP cache whenever they receive an ARP Reply, even if they had not sent out the corresponding ARP request earlier, as ARP is a stateless protocol [13,14]. Thus, despite its crucial importance, ARP provides the ground for launching ARP spoofing and ARP cache poisoning attacks [12]. For genuine communication both the Ethernet and ARP headers should match, but since there is no mechanism to check the consistency of these headers, attackers intentionally craft packets having different or forged IP-MAC address values [15,16,17,18]. This is called ARP Cache Poisoning: the attacker replaces the entry for the gateway, or any other genuine host, in the victim's ARP cache with a mapping of that host's IP address to the attacker's MAC address. After this a variety of attacks can be launched [14,19], namely Denial of Service (DoS) attacks, Man in the Middle (MITM) attacks etc. The attackers craft different types of packets based upon the IP, ICMP, TCP, UDP etc. protocols and try to disrupt various functionalities of the network.
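To make the header-consistency and statelessness points above concrete, here is an added example (not code from the paper) in Python: it parses an ARP-over-Ethernet frame, compares the Ethernet source MAC against the ARP sender MAC, and lets only solicited, consistent replies update a simulated host ARP cache. All MAC and IP addresses and the sample frames are constructed for the illustration.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))

def build_arp_frame(eth_src, oper, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Construct an Ethernet II frame carrying an IPv4 ARP message (used for the constructed samples)."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp

def parse_arp_frame(frame):
    """Return the Ethernet and ARP header fields of an ARP-over-Ethernet frame."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"eth_src": fmt_mac(eth_src), "oper": oper, "sha": fmt_mac(sha),
            "spa": fmt_ip(spa), "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}

def check_arp(frame, cache, pending):
    """Vet one frame as a host would before touching its ARP cache (dict ip -> mac).
    pending: set of IPs this host has sent requests for. Returns a list of findings."""
    p = parse_arp_frame(frame)
    findings = []
    # Consistency check that plain ARP lacks: Ethernet source MAC vs ARP sender MAC.
    if p["eth_src"] != p["sha"]:
        findings.append(f"eth/arp sender mismatch: {p['eth_src']} vs {p['sha']}")
    if p["oper"] == ARP_REPLY:
        if p["spa"] not in pending:  # stateless ARP would accept this; flag it instead
            findings.append(f"unsolicited reply for {p['spa']}")
        old = cache.get(p["spa"])
        if old is not None and old != p["sha"]:
            findings.append(f"mapping change for {p['spa']}: {old} -> {p['sha']}")
        pending.discard(p["spa"])
        if not findings:  # only a consistent, solicited reply updates the cache
            cache[p["spa"]] = p["sha"]
    return findings
```

A host or monitor applying these checks keeps an existing gateway mapping intact when an unsolicited reply tries to change it, which is exactly the poisoning step the paper describes.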
A variety of controls and counter mechanisms like Antivirus, Anti Spam, Anti Malware, Encryption and other related software covering different layers of the TCP/IP protocol suite are already available. Some higher-end, expensive hardware and software based devices like Switches, Firewalls, IDS, UTM etc. are also available for mitigating specific types of individual or grouped attacks at various layers. But most of them do not cover the range of Sniffing, Spoofing, ARP Poisoning, Packet Crafting for Port Scanning and Flag Manipulation based DoS attacks actually taking place. Besides this, issues related to cost, compatibility, interoperability, manageability, effectiveness etc. are also involved. As a result multiple protection devices need to be installed. Although solutions based upon static ARP cache entries to prevent ARP spoofing attacks exist, they have some major issues, like the effort required for manual configuration of static entries, limited scalability and workability in static and DHCP based networks [14]. Some of the typical works done in this category include the DAPS (Dynamic ARP spoof Protection System, Cisco) technique suggested in [20], which is a solution to ARP spoofing that snoops DHCP packets. Katkar et al. [21] have proposed a lightweight approach for the prevention and detection of ARP Spoofing. A server based solution has been proposed by Ortega et al. [22]. Another mechanism to prevent ARP spoofing, based upon the use of static ARP entries, was suggested by Ai-Zeng Qian [23]. A combination of static ARP entries and SNORT-IDS is suggested in [24] for resolving the ARP spoofing problem.

Similar sources

Counter Measures to Combat Misuses of MAC Address Spoofing Techniques

DNSSEC for cyber forensics

Laboratory Exercises for Wireless Network Attacks and Defenses

A Review on Cyberspace Security: Lessons for Islamic Republic of Iran

HMAC-Based Authentication Protocol: Attacks and Improvements

Publication date: 2017