Wednesday, June 5, 2019
Sniffing Attacks Prevention and Detection Techniques
Security in Wired/Wireless Networks
Sniffing Attacks Prevention and Detection Techniques in Wired and Wireless Local Area Networks (LAN)

During the past era, Information Technology has made a revolution in R&D. No doubt the Internet remains an essential backbone for any science and research nowadays. Hence, security threats and database attacks have become a phenomenon. Thus, granting protection to such crucial information has become a high demand. While reviewing the latest studies in this subject area, there are strong signs that attacking information warehouses is the hot topic nowadays. Moreover, preventing attacks on TCP/IP networks, and which are the most efficient techniques to protect them, is the most targeted research area for security experts. For example, the so-called Man-in-the-Middle attack (MiM) and Denial of Service (DoS) are just some of the ways in which TCP/IP networks are attacked, using tools available for free on the Internet. They sniff the data traffic or cause service denial. In our research, we evaluated the most famous security solutions and classified them according to their efficiency in detecting or preventing the types of Address Resolution Protocol (ARP) Spoofing attacks. Based on the surprising experimental results in the security lab, we proposed an optimal algorithm to enhance their efficiency.

Keywords: Sniffing Attacks, ARP Cache Poisoning, Man-in-the-Middle (MiM), Intrusion Prevention/Detection technique (IPS/IDS), Denial of Service (DoS)

CHAPTER 1
INTRODUCTION

1.1 Overview

As we mentioned in the abstract, this research focuses on internal attacks within the local area network (LAN), which form the major and critical attacks that network resources are exposed to, according to new studies conducted in the Information Security domain [1]. We will demonstrate two major attacks affecting Internet users in the local network: the MiM attack [2] (Man-in-the-Middle Attack) and DoS (Denial-of-Service). There are many tools and software widely available, free of cost, which can carry out many attacks over the network and violate the privacy of users. Tools like Sniffers [3] monitor data travelling over a network; they can be used for authorized or unauthorized purposes. The sniffer started initially as a Network Analyzer to help the administrator perform health checks and maintain network activities; however, it is used today to redirect traffic and access confidential files.

Traditionally, research in the area of information and communication security focused on helping developers of organizations prevent security vulnerabilities in the systems they produce, before the systems are released to customers. The majority of studies on network security consider only external attacks. Internal as well as external attacks are of the utmost importance when it comes to information security, but they need to be complemented with more in-depth research for developing detection and prevention mechanisms and studying internal threats.

The research plan we followed in the work presented here is as follows:
a. Address Resolution Protocol (ARP)
b. ARP Spoofing attack (Poisoning)
c. ARP Spoofing-based MiM and DoS attacks
d. Experiments
e. Optimal ARP Spoofing detection algorithm
f. Results analysis
g. Conclusion

1.1.1 What is ARP?

The Address Resolution Protocol (ARP) [4] is used by computers to map network addresses (IP) to physical addresses, or what is normally referred to as Media Access Control (MAC) addresses. It translates IP addresses to Ethernet MAC addresses and is classified as a networking protocol used to find a host's hardware address given its IP address. Some network experts consider it a Data Link Layer protocol because it only operates on the local area network or point-to-point link that a host is connected to [5]. The Address Resolution Protocol (ARP) is documented in RFC 826 [1], and later it was adopted by other media, such as FDDI [6]. For more details about the Internet Protocol Suite see Appendix 1.

1.1.2 How it works: the ARP process and RARP

As we stated formerly, from an architecture perspective ARP is a layer 3 (Network) function; however, from a programming perspective ARP is considered layer 2 (Data Link) because it calls the LAN data link layer code. RARP stands for Reverse Address Resolution Protocol; it is a network protocol used to resolve a MAC address to the corresponding network layer address, i.e. RARP is used to map a MAC address to an IP address, exactly the reverse function of the ARP request/reply.

1.1.3 Types of ARP/RARP protocol messages

There are four types of ARP messages that are sent by the ARP protocol:
a. ARP request
b. ARP reply
c. RARP request
d. RARP reply

As we just said in the definition, ARP is used to map a network address (IP) to a physical address (MAC), and when a host needs to communicate with another host it needs to know its MAC address. Here the ARP protocol comes in: it works by broadcasting a packet (ARP-Request) to all hosts connected over the Ethernet network. The ARP packet contains the IP address of the sender and the IP address of the target it is interested in communicating with. See Figures 1.2 and 1.3.

The target host, identifying that the IP address in the ARP request packet belongs to itself, returns an answer in a unicast reply (ARP-Reply), and the host which initiated the ARP request catches the IP/MAC pair and keeps it in its ARP cache memory. Keeping the host reply in the cache will minimize the ARP traffic in the LAN. See Figure 1.4.

So, simply, when the ARP request is broadcast to all PCs on the network it asks the following question: "Is x.x.x.x your IP address? If yes, send back your MAC address." Then every PC checks whether its IP address matches the one in the ARP request, and the matching one sends an ARP reply with its MAC address.

But repeated ARP requests, especially when one is broadcast every time a MAC address is required, create high traffic in the network; hence the Operating Systems keep a copy of the ARP replies in the computer's cache memory and update it frequently with any new pair. This helps in reducing the number of ARP requests [9].

By the way, the ARP spoofing technique which we are going to talk about in the next chapter occurs when forged ARP replies are created and sent to the source computer which formerly initiated the ARP request, so that it updates its ARP cache with fake information. We will see later that this kind of exploitation is called poisoning the ARP cache.

The Reverse Address Resolution Protocol (RARP) broadcasts a RARP request packet with the target MAC address, which will be received by all hosts in the Ethernet network. The host whose MAC address matches the one in the RARP request will reply with its IP address in the RARP reply packet and send it to the host which initiated the RARP request.

Afterwards, the IP address, which consists of 32 bits, is converted to the 48-bit Ethernet address by the suitable encapsulation mechanism. This is the common practice for the Address Resolution Protocol (ARP), which is documented in RFC 826 [51]. ARP defines the exchanges between network interfaces connected to an Ethernet media segment in order to map an IP address to a link layer address on demand. Link layer addresses are hardware addresses (although they are not unchangeable) on Ethernet cards, where the IP addresses are logical addresses assigned to machines attached to the Ethernet. Accordingly, a Data Link layer address is known by other names, i.e. Ethernet Address, Media Access Control (MAC) Address, and even Hardware Address. However, the correct term from the kernel's perspective is Link Layer Address, because this address can be changed via command line tools [50].

1.1.4 ARP and RARP message formats

The ARP packet consists of an Ethernet header and a data packet. The Ethernet header is divided into:
- 6 bytes for the destination address
- 6 bytes for the source address
- 2 bytes for the frame type in hex (e.g. 0806 for ARP, 8035 for RARP)

The data packet structure of the ARP packet is encapsulated, and the information that every part holds is demonstrated in the following table [10].

Table 1.1 ARP and RARP packet structure

Bit offset | Bits 0-7 | Bits 8-15 | Bits 16-31
0 | Hardware type (HTYPE) (bits 0-15) | Protocol type (PTYPE)
32 | Hardware length (HLEN) | Protocol length (PLEN) | Operation (OPER)
64 | Source hardware address MAC (SHA) (first 32 bits)
96 | Source hardware address (last 16 bits) (bits 0-15) | Source protocol address (first 16 bits)
128 | Sender protocol address (last 16 bits) (bits 0-15) | Destination hardware address (first 16 bits)
160 | Destination hardware address (THA) (last 32 bits)
192 | Destination protocol address (TPA)

Notes on the fields:
- Hardware address type (2 bytes): 1 = Ethernet.
- Protocol address type (2 bytes): 0800H (hexadecimal) = IP address.
- Operation type: 1 = ARP request, 2 = ARP reply, 3 = RARP request, 4 = RARP reply, etc.

1.1.5 TCP Standard Ports/Services

The table below shows a list of services and ports used by the TCP protocol.

Table 1.2 TCP Ports and Services

Port | Keyword | Description
20 | FTP-DATA | File Transfer (Default Data)
21 | FTP | File Transfer (Control)
23 | TELNET | Telnet (Telecommunication network)
25 | SMTP | Simple Mail Transfer
37 | TIME | Time
42 | NAMESERVER | Host Name Server
43 | NICNAME | Who Is
53 | DOMAIN | Domain Name Server
79 | FINGER | Finger
80 | HTTP | WWW
110 | POP3 | Post Office Protocol Version 3
111 | SUNRPC | SUN Remote Procedure Call

CHAPTER 2
LITERATURE REVIEW

2.1 Background

2.1.1 ARP Spoofing-based MiM and DoS attacks

ARP spoofing is also called ARP poison routing, ARP cache poisoning or ARP cache corrupting. It is a method of attacking an Ethernet local area network by updating the target's ARP cache with forged ARP request and reply packets [9]. This will try to change the target MAC address to another one which the attacker has control over. Updating the ARP cache with a fake entry value is what is called ARP Poisoning.

What is a sniffer (or Network Analyzer)? It is software or hardware which logs the traffic over a network and captures the data packets, then decodes the packets and analyzes the content. Kindly notice that in our research the terms Spoofing, Poisoning and Cache Corrupting refer to the same thing.

Furthermore, since ARP is considered a trusted protocol within the network and is not designed to deal with malicious activities in the network, attackers have found unusual ways to illegitimately penetrate the network, causing harmful costs. These harms or costs can be much worse when the attacker tries to impersonate another user, performs Man-in-the-Middle attacks (MiM), or even causes Denial of Service (DoS) on a server or even the whole network [11].

P.S. Spoof means hoax or imitation. Thanks to the British comedian Arthur Roberts (1852-1933), who introduced the word spoof to the world in the 19th century. He invented a game and called it Spoof; it incorporates tricks and nonsense [12].

Why is it so difficult to detect sniffers? The attack is fundamentally performed in passive mode, which means it is hidden and working in the background, so the standard user will not recognize such attacks. Besides, it is not easy for a user to detect the sniffing, since this kind of attack generates usual traffic over the network. The other point is the fact that sniffers can commonly be linked to active intrusion attacks. As for requirements and resources, sniffing only requires a standard machine connected to the network with a normal hardware configuration; there is no need for special requirements or high performance. The threat is always seen as external, but much research shows that most attacks come from internal resources: according to the recent Global Security Survey in 2009 [13], and another study [14], the internal threat has increased to more than 80% of security breaches, while external attacks account for about 15% with internal help and 5% from pure outsiders.

2.1.2 How are ARP caches updated?

Let us recall how communication happens on an Ethernet LAN. As we stated earlier, all communication in layer 2 is based on the MAC address, so any PC that wants to talk to a target on the network has to address it by the target's MAC address. If a source computer tries to communicate with another computer in a TCP/IP based network, it has to translate the target's IP into the corresponding physical address (MAC), and this is where the ARP protocol is used. The translation happens by the request/reply ARP broadcast process. When the ARP requester receives the reply, it catches the pair and keeps it in its ARP cache memory so it won't ask for it again [15].

2.1.3 ARP Cache Poisoning (Spoofing) Attack

It is the process of corrupting an ARP cache with fake IP/MAC entries. It is also used to perform other attacks, for instance the Man-in-the-Middle (MiM) attack, also known as MITM, and the Denial of Service (DoS) attack (refer to section 3.2). As we discussed earlier, if an entry exists in the ARP cache, then it can be updated or corrupted using an ARP reply or an ARP request. But what if the entry does NOT exist in the ARP cache? The answer is that ARP request packets always work to corrupt any Operating System's ARP cache, whether the entry exists in the cache or not. In other words, for hackers, ARP requests allow them to corrupt the target ARP caches in every case.

A recent study [16] showed by experiment the impact of the ARP request update on different Operating Systems. The experiment revealed which OSs with dynamic entries in the ARP cache were vulnerable to the ARP cache poisoning attack. Table 2.1 [17] presents an evaluation of the impact of the ARP request update on different Operating Systems, e.g. Windows XP Professional, Windows 2000, 2003 Server, Linux 2.x, and Solaris 5.9.

Table 2.1 ARP request impact on various OSs

Operating system | Entry exists in ARP cache? | ARP request | ARP reply
Windows XP | Yes | ✓ | ✓
Windows XP | No | ✓ | X
Windows 2000 | Yes | ✓ | ✓
Windows 2000 | No | ✓ | ✓
Windows 2003 Server | Yes | ✓ | ✓
Windows 2003 Server | No | ✓ | X
Linux 2.4 | Yes | ✓ | ✓
Linux 2.4 | No | ✓ | X
Linux 2.6 | Yes | ✓ | ✓
Linux 2.6 | No | ✓ | X
FreeBSD 4.11 | Yes | ✓ | ✓
FreeBSD 4.11 | No | ✓ | ✓
SunOS Solaris 5.9 | Yes | ✓ | ✓
SunOS Solaris 5.9 | No | ✓ | ✓

✓ = ARP request or reply message is accepted by the system (allows the update or creation of the MAC/IP entry)
X = ARP request or reply message is rejected by the system (does NOT allow update or creation of the MAC/IP entry)

The results of the experiment indicated that:
1. If the entry does not exist in the ARP cache, all tested OSs, except Windows 2000, FreeBSD 4.11 and SunOS Solaris 5.9, will not allow the creation of a new entry by an ARP reply message.
2. If the entry does not exist in the ARP cache, all tested OSs allow the creation of a new entry by an ARP request message.
3. However, if the entry already existed in the ARP cache, all tested OSs allowed its update by an ARP reply (even in the absence of an ARP request) or request message.

Therefore, when using ARP reply messages, the ARP cache poisoning attack becomes difficult to realize against most OSs. However, it remains possible when using ARP request messages. In conclusion, most common OSs are still vulnerable to the ARP cache poisoning attack. Malicious users can first use ARP request messages to create fake IP/MAC entries in the ARP caches of their target hosts. Then, fake ARP reply messages are used to maintain the existence of the fake IP/MAC entries in the ARP caches of the target hosts.

2.1.4 Example of ARP Cache Spoofing

As mentioned above, the ARP Spoofing process mainly corrupts the ARP cache of any host on the network with fake IP/MAC pairs in order to perform serious attacks such as the Man-in-the-Middle attack (MiM) or Denial-of-Service (DoS). In the following demonstration we show the two different states, before and after the ARP cache poisoning takes place, in Figures 2.1 and 2.2.

2.1.4.1 ARP Cache Spoofing (before ARP corruption)

In Figure 2.1 it is clear that the ARP cache table is legitimate for all hosts connected to the network via a switch: every IP address is mapped to the valid and corresponding MAC address for that host. For instance, in the ARP cache table of host A the IP address of host B is mapped to the MAC address of host B, and the same applies for host C. On the other hand, in the ARP cache table of host B, for example, the IP address of host A is mapped to the MAC address of host A, and the same applies for host C. Let us see what changes may occur after the cache poisoning.

2.1.4.2 ARP Cache Spoofing (after corruption)

In Figure 2.2, host C is the malicious host in this scenario. It corrupted the ARP cache tables of both hosts A and B. The ARP cache table of host A is now illegitimate: every IP address is mapped to an invalid MAC address rather than the one corresponding to that host. For instance, in the ARP cache table of host A the IP address of host B is mapped to the MAC address of host C, and the same applies for host B. In this case, whenever host A wants to communicate with host B, the TCP/IP traffic will be guided to pass through the malicious host C instead of B.

So what? Hackers use the process of generating such abnormal ARP request packets to corrupt the ARP caches of real hosts and perform different attacks over the network (e.g. MiM or DoS).

2.1.5 Gratuitous ARP

This process is concerned with the IP address duplication attack. Such a situation arises when a host sends an ARP request looking for its own MAC. This may occur when the host reboots, or when it changes its Ethernet number or its IP address [17]. Gratuitous ARP does the following tasks:
i. Finding IP address conflicts in the network by verifying whether there is another host that has the same IP address, and displaying the message "duplicate IP address sent from Ethernet address abcdef".
ii. If a host changes its MAC or IP address, by sending an ARP request it might update the ARP caches on the network with the new MAC/IP address.
P.S. Gratuitous ARP mainly influences old Operating Systems, such as Windows XP SP1 or older.

2.1.6 MiM attack

The man-in-the-middle attack (abbreviated MiM, or sometimes MITM [18]) comes from Packet Sniffing [19]. MiM doesn't listen to all the packets that pass along the network as the Sniffer does; instead it interferes with one or more hosts in the network and starts snooping between them. Such hosts listened to by a MiM are commonly called victims. A victim can be a normal host (e.g. PC or notebook), a gateway or even a router. An attacker who is spying between two or more victims establishes independent connections with the victims and relays messages between them as if they were directly connected, and hence we call him the Man-in-the-Middle.

So far the MiM is just listening to the traffic passing between two victims. Although this kind of attack is illegitimate and can reach sensitive information like passwords, e-mail messages, encryption keys, etc., it becomes worse and worse when he tries to go further and inject false and fake packets and convey them between the deceived victims. According to [20], the MiM attack is classified as an active attack, because the hacker manages the traffic in the network between the source and the destinations.

MiM is a very famous approach used by hackers nowadays; it uses the ARP protocol in order to attack the ARP cache tables and hence control the targets [21]. Poisoning the ARP tables of all hosts in the network, for example, will instruct the hosts to reroute the traffic to the attacker host instead of the gateway, where he starts interfering between any two or more victims. One more thing needs to be mentioned: the attacker has to forward all the intercepted packets to the original destination, so that the synchronized connection remains and doesn't time out.

In the above, ARP spoofing occurs when a fake, spoofed ARP reply is sent to the target; i.e. if the Attacker has IP 10.10.1.10 and wants to sniff the traffic between the Victim, who has IP 10.10.1.20, and the Gateway, which has IP 10.10.1.254, it simply sends fake ARP replies to associate its own MAC address with the Gateway IP 10.10.1.254.
The Victim is then trapped and starts sending all the packets intended for the Gateway to the Attacker's address, as in the above illustration.

2.1.7 Denial of Service (DoS)

DoS attacks occur when any suspicious host on the network performs ARP cache poisoning, receives at the suspicious host any packet destined for the original target, and so blocks the connection between the host and the target being attacked. Kindly notice that more details regarding Denial of Service (DoS) are discussed in section 3.2 of Chapter 3.

2.2 Evaluation of Common Intrusion Detection Systems and Intrusion Prevention Systems

2.2.1 ARP cache poisoning and MiM attacks

The ARP cache spoofing attack and the Man-in-the-Middle attack are usually maintained and controlled by humans [22]. There are many solutions proposed for solving this type of security threat, based on different mechanisms or protocols at different OSI model layers such as the Application layer, Network layer and Data Link layer [16].

2.2.2 Detection of ARP cache poisoning attack

Arpwatch [23] and Snort [24] are tools that are able to detect the ARP cache poisoning attack by checking each packet's contents. To do that, these tools monitor Ethernet activity and keep databases of Ethernet MAC/IP address pairs. If an analyzed packet has an Ethernet MAC/IP address pair which does not appear in their databases, then the system administrator is alerted. Arpwatch and Snort are sensors that need to have access to monitoring ports on the switches (usually known under the name of SPAN port, or mirroring port) or to be placed in locations where they can see all the network traffic. Therefore, it would be more interesting and efficient to detect any ARP anomalies without the use of any access privilege or special ports on the switches. This is the case since a substantial performance impact can be caused when port mirroring is in effect.
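The pair-database check that Arpwatch and Snort perform, shown here as an added example that is not code from this thesis nor from either tool. It decodes raw Ethernet frames laid out as in Table 1.1 (section 1.1.4), keeps the MAC/IP database described above, and raises an alert for a new station, for an IP address whose MAC has changed (the signature of cache poisoning) and for a sender hardware address that disagrees with the frame's Ethernet source. The `PairWatcher` class, the helper names, the MAC addresses and the sample frames are constructed for the demonstration; the IP addresses are the ones used in section 2.1.6.

```python
"""Arpwatch-style MAC/IP pair monitor over raw ARP frames (added example, constructed input)."""
import struct

ETHERTYPE_ARP = 0x0806          # Ethernet frame type for ARP (section 1.1.4)
OP_REQUEST, OP_REPLY = 1, 2     # operation codes from the Table 1.1 notes


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def parse_arp_frame(frame):
    """Decode one frame with the Table 1.1 layout; return None for anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP body
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    # ARP body: HTYPE(2) PTYPE(2) HLEN(1) PLEN(1) OPER(2) SHA(6) SPA(4) THA(6) TPA(4)
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(src), "eth_dst": mac_str(dst), "op": oper,
        "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
        "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42]),
    }


def build_arp_frame(op, sha, spa, tha, tpa, eth_dst=None, eth_src=None):
    """Assemble a frame from string fields; only used to construct the sample traffic below."""
    eth = mac_bytes(eth_dst or tha) + mac_bytes(eth_src or sha) + struct.pack("!H", ETHERTYPE_ARP)
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + body


class PairWatcher:
    """Keeps the MAC/IP pair database of an Arpwatch-style sensor and records alerts."""

    def __init__(self):
        self.db = {}        # ip -> mac, learned from the sender fields of every ARP frame
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp_frame(frame)
        if arp is None:
            return []
        ip, mac, found = arp["spa"], arp["sha"], []
        known = self.db.get(ip)
        if known is None:
            self.db[ip] = mac
            found.append(f"new station {ip} at {mac}")
        elif known != mac:
            # An IP that suddenly claims a different MAC: the poisoning signature of section 2.1.4.2
            found.append(f"changed ethernet address {ip}: {known} -> {mac} (op {arp['op']})")
            self.db[ip] = mac   # keep the latest claim so that a flip back is reported too
        if arp["sha"] != arp["eth_src"]:
            found.append(f"sender MAC {arp['sha']} differs from frame source {arp['eth_src']}")
        self.alerts.extend(found)
        return found


# Constructed sample traffic (not a capture): the victim asks for the gateway, the gateway
# answers, then a third station first forges the gateway's reply and then claims its IP.
VICTIM_MAC, GATEWAY_MAC, OTHER_MAC = "00:11:22:aa:aa:aa", "00:11:22:ee:ee:ee", "00:11:22:cc:cc:cc"
BROADCAST, NO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
SAMPLE_FRAMES = [
    build_arp_frame(OP_REQUEST, VICTIM_MAC, "10.10.1.20", NO_MAC, "10.10.1.254", eth_dst=BROADCAST),
    build_arp_frame(OP_REPLY, GATEWAY_MAC, "10.10.1.254", VICTIM_MAC, "10.10.1.20"),
    build_arp_frame(OP_REPLY, GATEWAY_MAC, "10.10.1.254", VICTIM_MAC, "10.10.1.20", eth_src=OTHER_MAC),
    build_arp_frame(OP_REPLY, OTHER_MAC, "10.10.1.254", VICTIM_MAC, "10.10.1.20"),
    b"\x00" * 60,   # a non-ARP frame, ignored by the parser
]


def run_sample():
    """Feed the constructed frames to a fresh watcher and return the alerts it raised."""
    watcher = PairWatcher()
    for frame in SAMPLE_FRAMES:
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

As the paragraph above notes, a sensor like this only sees what reaches its interface, so on a switched LAN it has to sit on a SPAN/mirror port or at another point that sees all ARP traffic; the database it builds is also only as trustworthy as the first claim it recorded for each address.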
This strategy makes ARP spoofing detection based on sniffing not quite viable on switched LAN networks [16].

2.2.3 Packet sniffing and MiM attacks

On shared broadcast LAN networks, such as hubbed and wireless networks, packet sniffing can easily be achieved with minimal effort. However, a switched LAN environment presents a different problem, with few available techniques for sniffing. The first technique consists of connecting to an administrative port on the switch and setting it to broadcast mode; the administrative port will then receive all traffic. A second technique consists of sending a large number of spoofed packets, usually ARP (Address Resolution Protocol) packets, to the switch so that it fails open and sends all packets to all ports. However, a recent study [25] shows that only old switch models are vulnerable to this attack. Another technique, which is based on the MiM attack, is to tell target hosts on the LAN to use the attacker's MAC address in order to get to any other host. This technique is based on the generation of malicious ARP traffic. The attacker host takes a copy of the received traffic and then forwards it to the correct host.

Today, security devices such as IDSs (Intrusion Detection Systems) [26] and IPSs (Intrusion Prevention Systems) [27] have become a standard component of security solutions used to protect computing assets from hostile attacks. IDSs are able to detect many types of attacks, such as denial of service (DoS) and IP spoofing attacks. But their ability and reliability in detecting certain attacks are still questionable, notably the MiM attack. Prevention mechanisms such as S-ARP [28] and O-ARP [29] lack an efficient implementation on real systems and a performance evaluation.

2.2.4 Prevention mechanisms based on secure ARP protocols

A number of cryptographic protocols have targeted issues related to ARP security. For example, S-ARP [28] is a popular ARP security protocol that uses asymmetric cryptography, utilizing digitally signed ARP replies. At the receiving end, an entry is updated if and only if the signatures are correctly verified. S-ARP is considerably slow, as can be deduced from the results presented in [28]. Furthermore, S-ARP cannot prevent cache poisoning attacks.

a. O-ARP technique
O-ARP [29] is a secure ARP technique that is similar to S-ARP with regard to its message format and key management. However, it uses cryptography only when necessary and tries to avoid it whenever possible. The authors in [29] claim that O-ARP is much faster than S-ARP on average, and can be used as a security measure to prevent cache poisoning attacks. Meanwhile, the authors did not implement O-ARP in any operating system to obtain measurements of its performance.

In [30] the authors proposed another Secure Address Resolution Protocol. In this protocol, a secure server shares secret keys with each host on a subnet. The server maintains a database of MAC/IP address mappings, which is updated periodically through communication with each host. All ARP requests and replies occur between a host and the server, and replies are authenticated using the shared pair keys. The main drawback of this technique is congestion at the server, which constitutes a single point of failure in the network.

b. Ticket-based Address Resolution Protocol
Ticket-based Address Resolution Protocol (TARP) [31] is another secure ARP protocol. TARP is built as an extension to ARP. TARP implements security by distributing centrally issued secure MAC/IP address mapping attestations through existing ARP messages. These attestations, called tickets, are given to clients as they join the network and are subsequently distributed through existing ARP messages. Unlike other popular ARP-based solutions, the costs per resolution are reduced to one public key validation per request/reply pair in the worst case. However, networks implementing TARP are vulnerable to two types of attacks: active host impersonation, and DoS through ticket flooding. In addition, TARP does not include support for dynamic environments, mainly when hosts' IP addresses change dynamically.

c. Cryptographic Technique
Another approach was presented in [32], where the authors proposed a cryptographic technique. The technique is based on the combination of digital signatures and one-time passwords based on hash chains.

d. ARPSec protocol
Moreover, in [33] the ARPSec protocol was proposed as an ARP security extension that intends to solve the security weaknesses of the ARP protocol. ARPSec provides anti-replay protection and authentication using a secret key, shared only by the source and the destination of the packet, computed by an authenticated Diffie-Hellman exchange. Unfortunately, no real-time implementation or performance evaluation on real network systems was performed to quantify its efficiency.

At the network layer, the IPSec [34] protocol can be used to facilitate the confidentiality, integrity, and authentication of information communicated using the IP protocol. IPSec proposes solutions for many security issues within the IP protocol, but does not prevent malicious users from manipulating ARP packets at the Data Link layer, or from redirecting target network IP traffic to other destinations. IPSec guarantees the confidentiality and integrity of the redirected IP traffic, but cannot prevent malicious users from causing DoS attacks on target hosts.

2.2.5 Protection mechanisms at the Application layer

Recently, several security protection mechanisms have been proposed at the Application layer. However, such mechanisms might not be effective against certain attacks at the lower layers, mainly at the Data Link layer. For example, in [35] the authors argued that most deployed user authentication mechanisms fail to provide protection against the MiM attack, even when they run on top of the SSL/TLS protocol or other similar protocols. The authors then introduced the notion of SSL/TLS session-aware user authentication, and elaborated on possibilities to implement it. Another example is the Interlock protocol, proposed in [36], which was later shown to be vulnerable to attacks when used for authentication [37]. For enhanced security at the Application layer, in [38] a newly proposed technique called Delayed Password Disclosure (DPD) was shown to complement a password-based authentication and key exchange protocol to protect against a special form of the MiM attack, the doppelganger window attack. On the other hand, in [39] the authors proposed the notion of a Password Protection Module (PPM) that provides protection against the MiM attack in certain situations. PPMs are effective only if they take into account network-related information, such as IP addresses and URLs. This makes PPMs very difficult to deploy and manage. Additional protection mechanisms were proposed in [40] to secure tunneled authentication protocols against the MiM attack. In most cases, prevention mechanisms at the Application layer guarantee the confidentiality and integrity of the traffic exchanged but do not prevent malicious users from redirecting network traffic to their hosts.

2.2.6 External protection mechanisms

Several attempts have been made to address the above security issues through methods external to the ARP protocol. For example, it has been proposed that hosts can be statically configured [41]. This would incur a huge administrative overhead and is largely intractable for dynamic environments. Conversely, the port security [42] features available in recent switches restrict the use of physical ports to configured MAC addresses. If an attacker forges its own MAC address and includes an additional frame header containing a malicious mapping, poisoning a victim's ARP cache can still be possible. This approach only prevents certain kinds of MAC hijacking, but does nothing to prevent the MiM attack. Hence, it is only a partial and in many ways limited solution.
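To tie together the ARP exchange of section 1.1.3, the per-OS cache update rules of Table 2.1 (section 2.1.3) and the duplicate-IP check of gratuitous ARP (section 2.1.5), here is an added simulation of a single Ethernet segment; it is not code from this thesis, and nothing is transmitted on a real network. The `LAN` and `Host` classes, the host names, MAC addresses and the addresses 10.10.1.30 and 10.10.1.20 are constructed (10.10.1.254 is the gateway address of section 2.1.6). The update rules are exactly those of Table 2.1; the one assumption beyond the table is that a reply answering the host's own outstanding request is always accepted, which Table 2.1 does not state but normal resolution requires.

```python
"""Model LAN: ARP request/reply, Table 2.1 cache rules, gratuitous-ARP conflict check (added example)."""

OP_REQUEST, OP_REPLY = 1, 2
BROADCAST, NO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

# Operating systems of Table 2.1 and the subset that creates a NEW entry from an ARP reply.
TABLE_2_1_OSES = ["Windows XP", "Windows 2000", "Windows 2003 Server", "Linux 2.4",
                  "Linux 2.6", "FreeBSD 4.11", "SunOS Solaris 5.9"]
REPLY_CREATES_ENTRY = {"Windows 2000", "FreeBSD 4.11", "SunOS Solaris 5.9"}


def cache_accepts(os_name, op, entry_exists, solicited=False):
    """Table 2.1: any message updates an existing entry; a missing entry is created by a
    request on every tested OS but by a reply only on three of them.  'solicited' (a reply
    to this host's own request) is always accepted: an assumption, not part of Table 2.1."""
    if solicited or entry_exists or op == OP_REQUEST:
        return True
    return os_name in REPLY_CREATES_ENTRY


class LAN:
    """One Ethernet segment: broadcasts reach every other host, unicasts reach one MAC."""

    def __init__(self):
        self.hosts = []

    def send(self, msg):
        for h in self.hosts:
            if h.mac != msg["sha"] and msg["eth_dst"] in (BROADCAST, h.mac):
                h.receive(msg)


class Host:
    def __init__(self, lan, name, ip, mac, os_name):
        self.lan, self.name, self.ip, self.mac, self.os_name = lan, name, ip, mac, os_name
        self.cache = {}        # ip -> mac: the ARP cache of section 2.1.2
        self.pending = set()   # IPs this host has asked for and not yet learned
        self.conflicts = []    # gratuitous-ARP findings of section 2.1.5
        lan.hosts.append(self)

    def _msg(self, op, tha, tpa, eth_dst):
        return {"op": op, "sha": self.mac, "spa": self.ip, "tha": tha, "tpa": tpa,
                "eth_dst": eth_dst}

    def receive(self, msg):
        spa, sha = msg["spa"], msg["sha"]
        if spa == self.ip:
            # Another station is using my IP address: the duplicate-IP message of section 2.1.5.
            if sha != self.mac:
                self.conflicts.append(f"duplicate IP address sent from Ethernet address {sha}")
        elif cache_accepts(self.os_name, msg["op"], spa in self.cache, spa in self.pending):
            self.cache[spa] = sha
            self.pending.discard(spa)
        if msg["op"] == OP_REQUEST and msg["tpa"] == self.ip:
            # I am the target: answer the requester with a unicast ARP-Reply (section 1.1.3).
            self.lan.send(self._msg(OP_REPLY, sha, spa, eth_dst=sha))

    def resolve(self, ip):
        """Broadcast an ARP-Request unless the pair is cached; return the MAC learned."""
        if ip not in self.cache:
            self.pending.add(ip)
            self.lan.send(self._msg(OP_REQUEST, NO_MAC, ip, eth_dst=BROADCAST))
        return self.cache.get(ip)

    def gratuitous_probe(self):
        """Ask for my own IP address; any reply from a different MAC is an address conflict."""
        self.lan.send(self._msg(OP_REQUEST, NO_MAC, self.ip, eth_dst=BROADCAST))
        return list(self.conflicts)


def run_scenarios():
    """Constructed walkthrough of the three behaviours; returns what each host observed."""
    lan = LAN()
    a = Host(lan, "A", "10.10.1.30", "00:11:22:aa:aa:aa", "Linux 2.6")
    b = Host(lan, "B", "10.10.1.20", "00:11:22:bb:bb:bb", "Windows XP")
    gw = Host(lan, "GW", "10.10.1.254", "00:11:22:ee:ee:ee", "FreeBSD 4.11")
    # 1. Normal resolution: A broadcasts, GW answers by unicast, A caches the pair.
    resolved = a.resolve("10.10.1.254")
    # 2. Exposure per Table 2.1: does an unsolicited reply for an unknown IP create an entry?
    unsolicited = {name: cache_accepts(name, OP_REPLY, False) for name in TABLE_2_1_OSES}
    # 3. Gratuitous ARP: B probes its own IP while a misconfigured D carries the same address.
    d = Host(lan, "D", "10.10.1.20", "00:11:22:dd:dd:dd", "Linux 2.4")
    conflicts = b.gratuitous_probe()
    return {"resolved": resolved, "a_cache": dict(a.cache), "gw_cache": dict(gw.cache),
            "unsolicited_reply_creates": unsolicited,
            "b_conflicts": conflicts, "d_conflicts": list(d.conflicts)}


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Two things the run makes visible that the tables alone do not: every host that hears a broadcast request caches the sender's pair, which is why Table 2.1 shows requests as the message that always creates entries, and both hosts in an address conflict see the other's MAC (the probing host through the reply, the other through the probe), so either side can raise the "duplicate IP address" report.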