Friday, April 5, 2019
Sniffing Attacks Prevention and Detection Techniques
Sniffing Attacks Prevention and Detection Techniques in Wired and Wireless Local Area Networks (LAN)

ABSTRACT

During the past era, Information Technology made a revolution in R&D. No doubt the Internet has become an essential backbone for all sciences and research nowadays. Accordingly, security threats and attacks on information banks have become a phenomenon, so protecting such crucial information is in high demand. While reviewing the latest studies in this area, there are strong signs that attacking information warehouses is the hot topic nowadays. Moreover, preventing attacks on TCP/IP networks, and finding the most efficient techniques to protect them, is the most targeted research area for security experts. For example, the so-called Man-in-the-Middle attack (MiM) and Denial of Service (DoS) are just two ways of attacking vulnerable TCP/IP networks using tools available for free on the Internet; they sniff the data traffic or cause service denial. In our research, we evaluated the most famous security solutions and classified them according to their efficiency in detecting or preventing the types of Address Resolution Protocol (ARP) spoofing attacks. Based on the surprising experimental results in the security lab, we propose an optimal algorithm to enhance their ability.

Keywords: Sniffing Attacks, ARP Cache Poisoning, Man-in-the-Middle (MiM), Intrusion Prevention/Detection techniques (IPS/IDS), Denial of Service (DoS)

CHAPTER 1 INTRODUCTION

1.1 Overview

As mentioned in the abstract, this research focuses on internal attacks within the local area network (LAN), which form the major and critical attacks that network resources are exposed to according to recent studies conducted in the Information Security domain [1]. We will demonstrate two major attacks affecting Internet users in the local network: the MiM attack [2] (Man-in-the-Middle) and DoS (Denial-of-Service). There are many tools and software packages widely available free of cost which can carry out such attacks over the network and violate the privacy of users. Such tools, like Sniffers [3], monitor data traveling over a network and can serve either an authorized or an unauthorized function. The sniffer started initially as a Network Analyzer to help the administrator perform health checks and monitor network activity; however, it is used today to redirect the traffic and access confidential files.

Traditionally, research in the area of information and communication security focused on helping developers of systems prevent security vulnerabilities in the systems they produce, before the systems are released to customers. The majority of studies on network security consider only external attacks. Internal as well as external attacks are of the utmost importance when it comes to information security, and the existing work needs to be complemented with more in-depth research on detection and prevention mechanisms and on internal threats.

The research plan we followed in the work presented here is as follows:
a. Address Resolution Protocol (ARP)
b. ARP Spoofing attack (Poisoning)
c. ARP Spoofing based MiM and DoS attacks
d. Experiments
e. Optimal ARP Spoofing detection algorithm
f. Results analysis
g. Conclusion

1.1.1 What is ARP?

The Address Resolution Protocol (ARP) [4] is used by computers to map network addresses (IP) to physical addresses, commonly referred to as Media Access Control (MAC) addresses. It translates IP addresses to Ethernet MAC addresses and is classified as a networking protocol used to find a host's hardware address given its IP address. Some network experts consider it a Data Link layer protocol because it only operates on the local area network or point-to-point link that a host is connected to [5]. ARP is documented in RFC 826 [1] and was later adopted by other media, such as FDDI [6]. For more details about the Internet Protocol Suite see appendix 1.

1.1.2 How it works: The ARP Process and RARP

As stated above, from an architecture perspective ARP is a layer 3 (Network) function; however, from a programming view ARP is considered layer 2 (Data Link) because it calls the LAN data link layer code. RARP stands for Reverse Address Resolution Protocol, a network protocol used to resolve a MAC address to the corresponding network layer address, i.e. RARP maps a MAC address to an IP address, exactly the reverse of the ARP request/reply.

1.1.3 Types of ARP/RARP protocol messages

There are four types of ARP messages sent by the ARP protocol:
a. ARP request
b. ARP reply
c. RARP request
d. RARP reply

As said in the definition, ARP maps a network address (IP) to a physical address (MAC): when a host needs to communicate with another host it needs to know its MAC address. Here the ARP protocol comes in, working by broadcasting a packet (ARP-Request) to every host connected to the Ethernet network. The ARP packet contains the IP address of the sender and the IP address of the target it is interested in communicating with; see figures (1.2) and (1.3). The target host, identifying that the IP address in the ARP request packet belongs to itself, returns an answer in a unicast reply (ARP-Reply); the host which initiated the ARP request catches the IP/MAC pair and keeps it in its ARP cache memory. Keeping the reply in the cache minimizes the ARP traffic in the LAN; see figure (1.4).

So simply, when the ARP request is broadcast to all PCs on the network it asks the following question: "Is x.x.x.x your IP address? If yes, send back your MAC address." Every PC then checks whether its IP address matches the one in the ARP request and, if so, sends an ARP reply with its MAC address. But repeated ARP requests, especially when one is broadcast every time a MAC address is required, create high traffic in the network; hence operating systems keep a copy of the ARP replies in the computer's cache memory and update it frequently with any new pair, which reduces the number of ARP requests [9].

The ARP spoofing technique which we are going to discuss in the next chapter occurs when forged ARP replies are created and sent to the source computer which initiated the ARP request, so that it updates its ARP cache with false information. As we will see, this kind of exploitation is called poisoning the ARP cache.

The Reverse Address Resolution Protocol (RARP) broadcasts a RARP request packet carrying the target MAC address, which is received by all hosts in the Ethernet network. The host whose MAC address matches the one in the RARP request replies with its IP address in a RARP reply packet sent to the host which initiated the RARP request. Afterward the 32-bit IP address is converted to the 48-bit Ethernet address by the suitable encapsulation mechanism.
This is the common practice for the Address Resolution Protocol (ARP), which is documented in RFC 826 [51]. ARP defines the exchanges between network interfaces connected to an Ethernet media segment in order to map an IP address to a link layer address on demand. Link layer addresses are hardware addresses (although they are not unchangeable) on Ethernet cards, whereas IP addresses are logical addresses assigned to machines attached to the Ethernet. Accordingly, a Data Link layer address is known by other names, i.e. Ethernet Address, Media Access Control (MAC) Address, and even Hardware Address. However, the correct term from the kernel's perspective is Link Layer Address, because this address can be changed via command line tools [50].

1.1.4 ARP and RARP message formats

The ARP packet consists of an Ethernet header and a data packet. The Ethernet header is divided into:
- 6 bytes for the destination address
- 6 bytes for the source address
- 2 bytes for the frame type in hexadecimal (e.g. 0806 for ARP, 8035 for RARP)

The data packet structure of the ARP packet is encapsulated as shown in the following table, together with the information each part holds [10].

Table 1.1 ARP and RARP packet structure

Bit offset | Bits 0-7                                             | Bits 8-15               | Bits 16-31
0          | Hardware type (HTYPE), bits 0-15                     |                         | Protocol type (PTYPE)
32         | Hardware length (HLEN)                               | Protocol length (PLEN)  | Operation (OPER)
64         | Source hardware address, MAC (SHA), first 32 bits    |                         |
96         | Source hardware address (last 16 bits), bits 0-15    |                         | Sender protocol address (first 16 bits)
128        | Sender protocol address (last 16 bits), bits 0-15    |                         | Destination hardware address (first 16 bits)
160        | Destination hardware address (THA), last 32 bits     |                         |
192        | Destination protocol address (TPA), 32 bits          |                         |

Hardware address type (2 bytes): 1 = Ethernet.
Protocol address type (2 bytes): 0800H (hexadecimal) = IP address.
Operation type: 1 = ARP request, 2 = ARP reply, 3 = RARP request, 4 = RARP reply, etc.

1.1.5 TCP Standard Ports/Services

The table below shows a list of services and ports used by the TCP protocol.

Table 1.2 TCP Ports and Services

Port | Keyword    | Description
20   | FTP-DATA   | File Transfer (Default Data)
21   | FTP        | File Transfer (Control)
23   | TELNET     | Telnet (Telecommunication network)
25   | SMTP       | Simple Mail Transfer
37   | TIME       | Time
42   | NAMESERVER | Host Name Server
43   | NICNAME    | Who Is
53   | DOMAIN     | Domain Name Server
79   | FINGER     | Finger
80   | HTTP       | WWW
110  | POP3       | Post Office Protocol Version 3
111  | SUNRPC     | SUN Remote Procedure Call

CHAPTER 2 LITERATURE REVIEW

2.1 Background

2.1.1 ARP Spoofing based on MiM and DoS attacks

ARP spoofing is also called ARP poison routing (APR), ARP cache poisoning or ARP cache corrupting. It is a method of attacking an Ethernet local area network by updating the target's ARP cache with forged ARP request and reply packets [9]. This tries to replace the target MAC address with another one which the attacker controls. Updating the ARP cache with a fake entry value is what is called ARP poisoning.

What is a sniffer (or Network Analyzer)? It is software or hardware which logs the traffic over a network and captures the data packets, then decodes the packets and analyzes their content. Kindly notice that in our research the terms Spoofing, Poisoning and Cache Corrupting refer to the same thing.

Furthermore, since ARP is considered a trusted protocol within the network and is not designed to deal with malicious activities, attackers found easy ways to illegitimately penetrate the network, causing harmful costs. These harms or costs can be much worse when the attacker tries to impersonate another user, performs Man-in-the-Middle attacks (MiM), or even causes Denial of Service (DoS) on a server or the whole network [11].

P.S. Spoof means hoax or imitation.
Thanks to the British comedian Arthur Roberts (1852-1933), who introduced the word "spoof" to the world in the 19th century: he invented a game, called it Spoof, and it involved tricks and nonsense [12].

Why is it so difficult to detect sniffers? The attack is essentially performed in passive mode, which means it is hidden and works in the background, so the standard user will not recognize such attacks. Also it is not easy for a user to detect the sniffing, since this kind of attack generates only usual traffic over the network. The other point is the fact that sniffers can normally be linked to active intrusion attacks. As for requirements and resources, sniffing only requires a standard machine connected to the network with a normal hardware configuration; there is no need for special requirements or high performance. The threat is always seen as external, but many studies show that most attacks come from internal resources: according to the recent Global Security Surveys in 2009 [13] and another study [14], the internal threat has increased incredibly to more than 80% of security breaches, where external attacks accounted for about 15% with internal help and 5% from pure outsiders.

2.1.2 How are ARP caches updated?

Let us recall how communication happens on an Ethernet LAN. As stated earlier, all communication at layer 2 is based on the MAC address, so any PC that wants to talk to a target on the network has to address it by the target's MAC address. If a source computer tries to communicate with another computer in a TCP/IP based network it has to translate the target's IP into the corresponding physical address (MAC), and this is where the ARP protocol is used. The translation happens through the ARP request/reply broadcast process. When the ARP requester receives the reply, it catches the pair and keeps it in its ARP cache memory so that it will not have to ask for it again [15].

2.1.3 ARP Cache Poisoning (Spoofing) Attack

It is the process of corrupting an ARP cache with fake IP/MAC entries. It is also used to perform other attacks, for instance the Man-in-the-Middle (MiM) attack, also known as MITM, and the Denial of Service (DoS) attack (refer to section 3.2).

As discussed earlier, if an entry exists in the ARP cache, then it can be updated or corrupted using an ARP reply or an ARP request. But what if the entry does NOT exist in the ARP cache? The answer is that ARP request packets always work to corrupt any operating system's ARP cache, whether or not the entry exists in the cache. In other words, ARP requests always allow hackers to corrupt the target ARP caches.

A recent study [16] showed by experiment the impact of the ARP request update on different operating systems. The experiment revealed which OSs with dynamic entries in the ARP cache were vulnerable to the ARP cache poisoning attack. Table 2.1 [17] is an evaluation of the impact of the ARP request update on different operating systems, e.g. Windows XP Professional, Windows 2000, 2003 Server, Linux 2.x, and Solaris 5.9.

Table 2.1 ARP request impact on various OS

Operating system    | Entry exists in ARP cache? | ARP request | ARP reply
Windows XP          | Yes                        | accepted    | accepted
Windows XP          | No                         | accepted    | X
Windows 2000        | Yes                        | accepted    | accepted
Windows 2000        | No                         | accepted    | accepted
Windows 2003 Server | Yes                        | accepted    | accepted
Windows 2003 Server | No                         | accepted    | X
Linux 2.4           | Yes                        | accepted    | accepted
Linux 2.4           | No                         | accepted    | X
Linux 2.6           | Yes                        | accepted    | accepted
Linux 2.6           | No                         | accepted    | X
FreeBSD 4.11        | Yes                        | accepted    | accepted
FreeBSD 4.11        | No                         | accepted    | accepted
SunOS Solaris 5.9   | Yes                        | accepted    | accepted
SunOS Solaris 5.9   | No                         | accepted    | accepted

accepted = the ARP request or reply message is accepted by the system, which allows the update or installation of the MAC/IP entry.
X = the ARP request or reply message is rejected by the system, which does NOT allow the update or creation of the MAC/IP entry.

The results of the experiment indicated that:
1. If the entry does not exist in the ARP cache, all tested OSs, except Windows 2000, FreeBSD 4.11 and SunOS Solaris 5.9, will not allow the creation of a new entry by an ARP reply message.
2. If the entry does not exist in the ARP cache, all tested OSs allow the creation of a new entry by an ARP request message.
3. However, if the entry already existed in the ARP cache, all tested OSs allowed its update by an ARP reply (even in the absence of an ARP request) or by an ARP request message.

Therefore, when using ARP reply messages, the ARP cache poisoning attack becomes difficult to realize against most OSs. However, it remains possible when using ARP request messages. In conclusion, most common OSs are still vulnerable to the ARP cache poisoning attack: malicious users can first use ARP request messages to create fake IP/MAC entries in the ARP caches of their target hosts, then fake ARP reply messages to maintain the existence of those fake entries.

2.1.4 Example of ARP Cache Spoofing

As mentioned above, the ARP spoofing process mainly corrupts the ARP cache of a host on the network with fake IP/MAC pairs in order to perform serious attacks such as the Man-in-the-Middle attack (MiM) or Denial-of-Service (DoS). In the following demonstration we show the two different states before and after the ARP cache poisoning takes place, in figures (2.1) and (2.2).

2.1.4.1 ARP Cache Spoofing (before ARP corruption)

In figure (2.1) it is clear that the ARP cache table is legitimate for all hosts connected to the network via a switch: every IP address is mapped to the valid and corresponding MAC address of that host. For instance, in the ARP cache table of host A the IP address of host B is mapped to the MAC address of host B, and the same applies to host C. On the other hand, in the ARP cache table of host B, for example, the IP address of host A is mapped to the MAC address of host A, and the same applies to host C.
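The cache-update findings of section 2.1.3 above, as an added model (not code from the paper or its references): two policies reproduce the behaviour recorded in Table 2.1, and a third, hypothetical "solicited" policy is included for comparison. The MAC addresses are constructed; the gateway IP is the one used later in section 2.1.6.

```python
"""Added example (not from the paper): a model of the ARP cache update rules
summarised in Table 2.1 and findings 1-3 of section 2.1.3.

"permissive" and "strict" reproduce the observed OS behaviour; "solicited" is a
hypothetical hardened rule added here for comparison. MAC addresses are
constructed sample values; the gateway IP is the one used in section 2.1.6.
"""
from dataclasses import dataclass, field

ARP_REQUEST, ARP_REPLY = 1, 2       # OPER values from Table 1.1

GW_IP = "10.10.1.254"               # gateway IP from section 2.1.6
GW_MAC = "aa:aa:aa:aa:aa:01"        # constructed: the real gateway MAC
ROGUE_MAC = "cc:cc:cc:cc:cc:03"     # constructed: MAC of the poisoning host


@dataclass
class ArpCache:
    """One host's IP -> MAC table, updated according to `policy`.

    permissive: Windows 2000, FreeBSD 4.11, Solaris 5.9 in Table 2.1: any
                request or reply creates or updates an entry.
    strict:     Windows XP/2003, Linux 2.4/2.6 in Table 2.1: a reply only
                updates an existing entry, a request always creates one.
    solicited:  hypothetical: only a reply answering a request this host sent
                is accepted; unsolicited requests and replies never change the
                table. Trade-off: gratuitous ARP announcements (section 2.1.5)
                are ignored, and a forged reply racing a genuine one is not
                addressed, which is what the secure-ARP protocols of section
                2.2.4 target.
    """
    policy: str
    table: dict = field(default_factory=dict)
    pending: set = field(default_factory=set)   # IPs we asked for, reply awaited

    def send_request(self, target_ip):
        """Record that this host broadcast "who has target_ip?"."""
        self.pending.add(target_ip)

    def receive(self, op, spa, sha):
        """Process an ARP message claiming that IP `spa` has MAC `sha`.

        Returns True if the table was created/updated, False if rejected.
        """
        exists = spa in self.table
        if self.policy == "permissive":
            accept = True
        elif self.policy == "strict":
            accept = exists or op == ARP_REQUEST
        elif self.policy == "solicited":
            accept = op == ARP_REPLY and spa in self.pending
        else:
            raise ValueError(f"unknown policy {self.policy!r}")
        if accept:
            self.table[spa] = sha
            self.pending.discard(spa)
        return accept


def run_scenario(policy):
    """Replay the message sequence described in section 2.1.3 on one policy.

    Returns (accepted/rejected per step, MAC finally cached for the gateway).
    """
    cache = ArpCache(policy)
    steps = {}
    # Finding 1: an unsolicited reply for an IP that is not yet cached.
    steps["reply_no_entry"] = cache.receive(ARP_REPLY, GW_IP, ROGUE_MAC)
    # Finding 2: a request whose sender fields carry the same forged pair.
    steps["request_no_entry"] = cache.receive(ARP_REQUEST, GW_IP, ROGUE_MAC)
    # Finding 3: once the entry exists, unsolicited replies keep it alive.
    steps["reply_entry_exists"] = cache.receive(ARP_REPLY, GW_IP, ROGUE_MAC)
    # Legitimate resolution: the host asks for the gateway, the gateway answers.
    cache.send_request(GW_IP)
    steps["solicited_reply"] = cache.receive(ARP_REPLY, GW_IP, GW_MAC)
    # One more unsolicited reply tries to overwrite the now-correct entry.
    steps["reply_after_legit"] = cache.receive(ARP_REPLY, GW_IP, ROGUE_MAC)
    return steps, cache.table.get(GW_IP)


if __name__ == "__main__":
    for policy in ("permissive", "strict", "solicited"):
        steps, final_mac = run_scenario(policy)
        print(f"{policy:10s} gateway -> {final_mac}  {steps}")
```

Running it shows the strict policy rejecting only the very first reply and still ending with the wrong gateway MAC, which is the conclusion of section 2.1.3 in executable form.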
Let us see what changes may occur after the cache poisoning.

2.1.4.2 ARP Cache Spoofing (after corruption)

In figure (2.2) host C is the malicious host in this scenario. It corrupted the ARP cache tables of both hosts A and B. The ARP cache table of host A has now become illegitimate: every IP address is mapped to an invalid MAC address, not the one corresponding to that host. For instance, in the ARP cache table of host A the IP address of host B is mapped to the MAC address of host C, and the same applies to host B. In this case, whenever host A wants to communicate with host B, the TCP/IP traffic will be guided to pass through the malicious host C instead of B.

So what? Hackers use the process of generating such abnormal ARP request packets to corrupt the ARP cache of certain hosts and perform different attacks over the network (e.g. MiM or DoS).

2.1.5 Gratuitous ARP

This process is concerned with IP address duplication. It is used when a host sends an ARP request looking for its own IP address, which may occur when the host reboots or changes its Ethernet address or IP address [17]. Gratuitous ARP performs the following tasks:
i. Detecting IP address conflicts in the network by verifying whether another host has the same IP address, and displaying the message "duplicate IP address sent from Ethernet address a:b:c:d:e:f".
ii. If a host changes its MAC or IP address, sending an ARP request forces the ARP caches on the network to be updated with the new MAC/IP address.

P.S. Gratuitous ARP mainly affects old operating systems, such as Windows XP SP1 or older.

2.1.6 MiM attack

The man-in-the-middle attack (abbreviated MiM, or sometimes MITM [18]) comes from packet sniffing [19]. MiM does not listen to all the packets that travel on the network as a sniffer does; instead it interferes with one or more hosts in the network and starts snooping between them. Such hosts being listened to by a MiM are commonly called victims. A victim can be a normal host (e.g. a PC or notebook), a gateway or even a router.

An attacker spying between two or more victims establishes independent connections with the victims and relays messages between them as if they were directly connected; hence we call him the Man-in-the-Middle. So far the MiM is just listening to the traffic passing between two victims. Although this kind of attack is illegitimate and can reach sensitive information like passwords, e-mail messages, encryption keys etc., it becomes far worse when he goes further and injects false and fake packets, conveying them between the deceived victims. According to [20], the MiM attack is classified as an active attack, because the hacker manages the traffic in the network between the source and the destinations.

MiM is a very famous approach used by hackers nowadays, and uses the ARP protocol to attack the ARP cache tables and hence control the targets [21]. Poisoning the ARP tables of all hosts in the network, for example, will instruct the hosts to reroute their traffic to the attacker host instead of the gateway, where he starts interfering between any two or more victims. One more thing needs to be mentioned: the attacker has to forward all the intercepted packets to the original destination, so that the synchronised connection remains and does not time out.

In the figure above, ARP spoofing occurs when a fake, spoofed ARP reply is sent to the target, i.e. if the attacker has IP 10.10.1.10 and wants to sniff the traffic between the victim with IP 10.10.1.20 and the gateway with IP 10.10.1.254, it simply sends fake ARP replies to associate its own MAC address with the gateway IP 10.10.1.254. The victim is then trapped and starts sending all the packets intended for the gateway to the attacker's address, as in the above illustration.

2.1.7 Denial of Service (DoS)

DoS attacks occur when a suspicious host on the network performs ARP cache poisoning so that any packet destined for the original target is received by the suspicious host instead, blocking the connection between the host and the target being attacked. Kindly notice that more details regarding Denial of Service (DoS) will be discussed in section (3.2) of chapter 3.

2.2 Evaluation of Common Intrusion Detection Systems and Intrusion Prevention Systems

2.2.1 ARP cache poisoning and MiM attacks

The ARP cache spoofing attack and the Man-in-the-Middle attack are usually maintained and controlled by humans [22]. Many solutions have been proposed for this type of security threat, based on different mechanisms or protocols at different OSI model layers such as the Application layer, Network layer and Data Link layer [16].

2.2.2 Detection of ARP cache poisoning attack

Arpwatch [23] and Snort [24] are tools able to detect the ARP cache poisoning attack by checking each packet's contents. To do that, these tools monitor Ethernet activity and keep databases of Ethernet MAC/IP address pairs. If an analyzed packet has an Ethernet MAC/IP address pair which does not appear in their databases, the system administrator is alerted. Arpwatch and Snort are sensors that need access to monitoring ports on the switches (usually known as SPAN or mirroring ports) or must be placed in locations where they can see all the network traffic. Therefore, it would be more interesting and efficient to detect ARP anomalies without the use of any access privilege or special ports on the switches, since substantial performance impact can be caused when port mirroring is in effect.
This makes ARP spoofing detection based on sniffing not quite viable on switched LANs [16].

2.2.3 Packet sniffing and MiM attacks

On shared broadcast LANs, such as hubbed and wireless networks, packet sniffing can easily be achieved with minimal effort. However, a switched LAN environment presents a different problem, with few techniques available for sniffing. The first technique consists of connecting to an administrative port on the switch and setting it to broadcast mode; the administrative port will then receive all traffic. A second technique consists of sending a large number of spoofed packets, usually ARP packets, to the switch so that it fails open and sends all packets to all ports; however, a recent study [25] shows that only old switch models are vulnerable to this attack. Another technique, based on the MiM attack, is to tell target hosts on the LAN to use the attacker's MAC address in order to reach any other host. This technique is based on the generation of malicious ARP traffic: the attacker host keeps a copy of the received traffic and then forwards it to the correct host.

Today, security devices such as IDSs (Intrusion Detection Systems) [26] and IPSs (Intrusion Prevention Systems) [27] have become a standard part of the security solutions used to protect computing assets from hostile attacks. IDSs are able to detect many types of attacks, such as denial of service (DoS) and IP spoofing attacks, but their ability and reliability in detecting certain attacks, notably the MiM attack, are still questionable. Prevention mechanisms such as S-ARP [28] and O-ARP [29] lack an efficient implementation on real systems and a performance evaluation.

2.2.4 Prevention mechanisms based on secure ARP protocols

A number of cryptographic protocols have targeted issues related to ARP security. For example, S-ARP [28] is a popular ARP security protocol that uses asymmetric cryptography, with digitally signed ARP replies. At the receiving end, an entry is updated if and only if the signatures are correctly verified. S-ARP is considerably slow, as can be deduced from the results presented in [28]. Furthermore, S-ARP cannot prevent cache poisoning attacks.

a. O-ARP technique

O-ARP [29] is a secure ARP technique similar to S-ARP with regard to its message format and key management. However, it uses cryptography only when necessary and tries to avoid it whenever possible. The authors of [29] claim that O-ARP is much faster than S-ARP on average, and can be used as a security measure to prevent cache poisoning attacks. However, the authors did not implement O-ARP in any operating system to obtain measurements of its performance.

In [30] the authors proposed another Secure Address Resolution Protocol. In this protocol, a secure server shares secret keys with each host on a subnet. The server maintains a database of MAC/IP address mappings, which is updated periodically through communication with each host. All ARP requests and replies occur between a host and the server, and replies are authenticated using the shared keys. The main drawback of this technique is congestion at the server, which constitutes a single point of failure in the network.

b. Ticket-based Address Resolution Protocol

The Ticket-based Address Resolution Protocol (TARP) [31] is another secure ARP protocol, built as an extension to ARP. TARP implements security by distributing centrally issued secure MAC/IP address mapping attestations through existing ARP messages. These attestations, called tickets, are given to clients as they join the network and are subsequently distributed through existing ARP messages. Unlike other popular ARP-based solutions, the cost per resolution is reduced to one public key validation per request/reply pair in the worst case. However, networks implementing TARP are vulnerable to two types of attacks: active host impersonation, and DoS through ticket flooding. In addition, TARP does not support dynamic environments, mainly where hosts' IP addresses change dynamically.

c. Cryptographic technique

Another approach was presented in [32], where the authors proposed a cryptographic technique based on the combination of digital signatures and one-time passwords built on hash chains.

d. ARPSec protocol

Moreover, in [33] the ARPSec protocol was proposed as an ARP security extension intended to solve the security weaknesses of the ARP protocol. ARPSec provides anti-replay protection and authentication using a secret key shared only by the source and the destination of the packet, computed by an authenticated Diffie-Hellman exchange. Unfortunately, no real-time implementation or performance evaluation on actual network systems was performed to quantify its efficiency.

At the network layer, the IPSec [34] protocol can be used to provide the confidentiality, integrity, and authentication of information communicated using the IP protocol. IPSec proposes solutions for many security issues within the IP protocol, but does not prevent malicious users from manipulating ARP packets at the Data Link layer, or from redirecting target network IP traffic to other destinations. IPSec guarantees the confidentiality and integrity of the redirected IP traffic, but cannot prevent malicious users from causing DoS attacks on target hosts.

2.2.5 Protection mechanisms at the Application layer

Recently, several security protection mechanisms have been proposed at the Application layer. However, such mechanisms might not be effective against certain attacks at the lower layers, mainly at the Data Link layer.
For example, in [35] the authors argued that most deployed user authentication mechanisms fail to provide protection against the MiM attack, even when they run on top of the SSL/TLS protocol or similar protocols. The authors then introduced the notion of SSL/TLS session-aware user authentication, and elaborated on possibilities to implement it. Another example is the Interlock protocol, proposed in [36], which was later shown to be vulnerable to attacks when used for authentication [37]. For enhanced security at the Application layer, in [38] a newly proposed technique called Delayed Password Disclosure (DPD) was shown to complement a password-based authentication and key exchange protocol to protect against a special form of the MiM attack, the doppelganger window attack. On the other hand, in [39] the authors proposed the notion of a Password Protection Module (PPM) that provides protection against the MiM attack in certain situations. PPMs are effective only if they take into account network-related information, such as IP addresses and URLs, which makes them very difficult to deploy and manage. Additional protection mechanisms were proposed in [40] to secure tunneled authentication protocols against the MiM attack. In most cases, prevention mechanisms at the Application layer guarantee the confidentiality and integrity of the traffic exchanged but do not prevent malicious users from redirecting network traffic to their hosts.

2.2.6 External protection mechanisms

Several attempts have been made to address the above security issues through methods external to the ARP protocol. For example, it has been proposed that hosts can be statically configured [41]. This would incur a huge administrative overhead and is largely intractable for dynamic environments. Conversely, the port security [42] features available in recent switches restrict the use of physical ports to configured MAC addresses. If an attacker forges its own MAC address and includes an additional frame header containing a malicious mapping, poisoning a victim's ARP cache can still be possible. This approach only prevents certain kinds of MAC hijacking, but does nothing to prevent the MiM attack. Hence, it is only a partial and in many ways limited solution.
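As an added example (not code from the paper, nor from Arpwatch or Snort), the following Python decodes ARP frames laid out as in Table 1.1 of section 1.1.4 and applies the arpwatch-style MAC/IP database check of section 2.2.2 to a constructed capture, also flagging replies that answer no request the sensor saw. The capture, the MAC addresses and all helper names are the example's own; the IP addresses are the ones used in section 2.1.6.

```python
"""Added example (not from the paper): decode ARP frames laid out as in
Table 1.1 and run an arpwatch-style check (section 2.2.2) over a capture.
The watcher is seeded with the administrator's known IP -> MAC bindings and
alerts when a known IP shows up with another MAC or when a reply answers no
request it saw; it assumes it sees all ARP traffic (e.g. via a SPAN port).
The capture is constructed: IPs are those of section 2.1.6, MACs are made up.
"""
import struct

ETHERTYPE_ARP = 0x0806              # frame type 0806 from section 1.1.4
ARP_REQUEST, ARP_REPLY = 1, 2       # OPER values from Table 1.1
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def parse_arp_frame(frame):
    """Decode an Ethernet frame carrying IPv4-over-Ethernet ARP; None if it is not one."""
    if len(frame) < 42:                  # 14-byte Ethernet header + 28-byte ARP packet
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                      # only HTYPE 1 (Ethernet) / PTYPE 0800H (IP)
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_src": mac_str(eth_src), "eth_dst": mac_str(eth_dst), "oper": oper,
            "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


def build_arp_frame(oper, sha, spa, tha, tpa):
    """Inverse of parse_arp_frame; used here only to construct the sample capture."""
    eth_dst = BROADCAST if oper == ARP_REQUEST else tha
    return (struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sha), ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))


class ArpWatcher:
    """Minimal arpwatch-like monitor fed with raw frames."""

    def __init__(self, known):
        self.db = dict(known)   # IP -> MAC; seeded bindings are never overwritten
        self.asked = set()      # (requester IP, target IP) of requests seen so far
        self.alerts = []

    def observe(self, frame):
        """Update state with one frame; returns the al	erts it raised (maybe none)."""
        pkt = parse_arp_frame(frame)
        if pkt is None:
            return []
        new = []
        if pkt["oper"] == ARP_REQUEST:
            self.asked.add((pkt["spa"], pkt["tpa"]))
        elif pkt["oper"] == ARP_REPLY and (pkt["tpa"], pkt["spa"]) in self.asked:
            self.asked.discard((pkt["tpa"], pkt["spa"]))   # reply matches a request
        elif pkt["oper"] == ARP_REPLY:
            new.append(f"unsolicited reply: {pkt['spa']} is-at {pkt['sha']} to {pkt['tpa']}")
        known = self.db.get(pkt["spa"])
        if known is None:
            self.db[pkt["spa"]] = pkt["sha"]               # first sighting: learn it
        elif known != pkt["sha"]:
            new.append(f"changed ethernet address: {pkt['spa']} was {known}, now {pkt['sha']}")
        self.alerts.extend(new)
        return new


VICTIM_IP, VICTIM_MAC = "10.10.1.20", "bb:bb:bb:bb:bb:02"
GW_IP, GW_MAC = "10.10.1.254", "aa:aa:aa:aa:aa:01"
ROGUE_MAC = "cc:cc:cc:cc:cc:03"


def run_sample():
    """Feed the constructed capture through the watcher; returns its alerts."""
    watcher = ArpWatcher(known={GW_IP: GW_MAC, VICTIM_IP: VICTIM_MAC})
    capture = [
        # normal resolution: victim asks for the gateway and the gateway answers
        build_arp_frame(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GW_IP),
        build_arp_frame(ARP_REPLY, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),
        # a reply nobody asked for, binding the gateway IP to another MAC
        build_arp_frame(ARP_REPLY, ROGUE_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),
        # a request whose sender fields carry the same forged pair (finding 2)
        build_arp_frame(ARP_REQUEST, ROGUE_MAC, GW_IP, "00:00:00:00:00:00", VICTIM_IP),
    ]
    for frame in capture:
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    print("\n".join(run_sample()))
```

The third and fourth frames each produce a "changed ethernet address" alert because the seeded binding for the gateway wins over what the traffic claims, which is the check section 2.2.2 describes; the unsolicited-reply alert is only reliable when the sensor sees the requests as well.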