Remote Extraction of Malicious Payload for Sctp

The Stream Control Transmission Protocol (SCTP) is a message oriented reliable transport layer protocol which uses four way handshake mechanism. It is more robust than TCP, which provides delivery of data between two end points, and message boundaries preservation as in UDP. Additionally it has advantage such as multihoming and multi streaming. These features increase the availability of data chunks and solve problems like head of line blocking, and SYN flooding. In a network, a block of allocated public IP may not have all the IPs to be active or in us; hardly few IPs may be active. Since those IPs are allocated to the particular block, nobody else can use them, and as that block is also not using those IPs, they are completely inactive. It is required to ascertain whether a host is trying to connect to any of these inactive IPs, and if any one tries to connect to them, the intention is not right. They are called as suspicious host. In normal communication, the server receives the request from true client or a malicious client for establishing association. The aim of this work is to demonstrate whether the received SCTP packets are from a trusted or malicious client by developing an active application responder, above SCTP stack; this can be achieved by doing a proper association. Once the connection is established, the packets are sniffed, and analysed to get the information of the fields present in it. An INIT ACK packet is created, according to the sniffed information of the packet, and is sent to the client. If the client responds to INIT Ack, the particular packet is marked as a malicious; as that client wants to connect to the inactive IP. Keywords— SCTP, TCP, SYN Flooding, Fore way handshake, Scapy