INTERNATIONAL ASSOCIATION OF ENGINEERING & TECHNOLOGY FOR SKILL DEVELOPMENT
ISBN : 378 - 26 - 138420 - 6
NETWORK SECURITY BASED ON TRACEBACK APPROACH BY USING TRACER
Mr.K.Sanjai, Mr.K.Sowbarani
SSM College of Engineering, Namakkal.

ABSTRACT :
At present, the number of unauthorized access incidents on the Internet is growing, and the current access control technologies cannot stop specific ways of access. We had proposed a hop-by-hop IP traceback method that can be used to trace the source of an attack. In this paper, we propose a prototype system. The main features of our proposed method are the packet feature, which is composed of specific packet information contained in a packet for the identification of an unauthorized packet, and the algorithm using a datalink identifier to identify the routing of a packet. We are also proposing a distributed management approach that controls the tracing process and information within a particular group of networks.

INTRODUCTION :
While the Internet as a business infrastructure increases its importance, the number of unauthorized access incidents on the Internet is growing, and such activity tends to cause a great problem. At present, access control technologies including firewalls are commonly used to prevent unauthorized access, but some specific ways of access cannot be stopped by the access control technologies. Nowadays, installing Intrusion Detection Systems (IDS) coupled with firewalls, and monitoring networks, enables us to quickly detect and react to unauthorized access. The following figure shows the current way of dealing with unauthorized access.

[Figure labels: Attacker, Internet, Firewall, LAN, Server]
2nd INTERNATIONAL CONFERENCE ON CURRENT TRENDS IN ENGINEERING RESEARCH 167
www.iaetsd.in
However, even if these tools can detect unauthorized activities, their sources cannot be identified. The reason is that denial of service (DoS) attacks, which have recently increased in number, can easily hide their sources and forge their IP addresses. Thus, it is not possible for the access control alone to be a factor of unauthorized access. As the measure of unauthorized access, it is necessary to pinpoint the source in order to prevent the unauthorized activity. For this reason, we are proposing a prototype system.

TRACEBACK METHOD :
The ability required to perform traceback is “to identify the true IP address of the terminal originating attack packets.” If we can identify the true IP address of the attacker’s terminal, we can also get information about the organization (e.g. name or telephone number) involved in the attack or the attacking terminal. As the method of the source pursuit of unauthorized access, some researches using IP (Internet Protocol) are performed. The source pursuit using IP is called IP traceback. IP traceback methods can be divided into two groups.

Proactive tracing:
This prepares information for tracing when packets are in transit. In a case where packet tracing is required, the target of the attack refers to the information and identifies the source of the packets.

Reactive Tracing:
This “reactive tracing” starts tracing when required. Here, we have selected reactive tracing that does not increase network traffic at normal times and generates traffic for tracing only when actual tracing is required.

The Trend of the Reactive Tracing Methods:
The majority of reactive tracing methods trace the attack path from the target back to the source. The challenges involved in this type of method are the traceback algorithm and the packet matching technique.

(1) Hop-by-Hop Tracing :
This method is to trace an IP packet from the target back to the source hop-by-hop, and trace the source based on the incoming packets that arrive one after another during a flood type attack. The following figure shows a flow of trace to detect the source hop-by-hop.
[Figure labels: Attacker, IP N/W, Target]

(2) Hop-by-Hop Tracing with Overlay Network :
The particular problem involved in tracing routers hop-by-hop is that if there are too many hops, the amount of processing necessary for tracing will be increased. As a result, it will take a longer time to trace, and information for tracing can be lost before trace processing is completed. Therefore, a method to build an overlay network for tracing purposes that involves a smaller number of hops is proposed. With this method, IP tunnels between the edge routers and the special tracking routers are created, and the IP packets are rerouted to the tracking router via IP tunnel. Hop-by-hop tracing is performed over the overlay network that consists of IP tunnels and tracking routers.

(3) IPsec Authentication :
Another proposed technique is that when unauthorized access is detected, a Security association (SA) of the IPsec is created dynamically, and authenticating the packet with IPsec identifies the travel path and the source of the packet. Since this technique uses the existing IPsec protocol, it has an advantage that it is not necessary to implement a new protocol.

(4) Traffic Pattern Matching :
Another proposed technique traces the forwarding path of the traffic by comparing traffic patterns observed at the entry and exit point of the network based on the network map.

Traceback Approaches:
In the field of reactive tracing study, several methods that identify a source of a packet with forged source IP address have been proposed. Although most of the existing techniques deal with flood type DoS attacks, there are more attacks using only one or a few IP packets such as attacks exploiting IP fragment. It is important to be able to trace unauthorized access using a single packet. Based on the above, we have proposed a hop-by-hop traceback method. We are developing a system
implementing our method even if the attacker forges its source IP address. Our system performs real-time tracing and exactly identifies the source of the specific packet along the attack path.

Our Traceback Architecture:
In general, the source IP address of a packet can easily be forged at the source of the packet. On the other hand, it is difficult for a sender of a packet to forge the datalink-level identifier when sending packets, because, in the event of frame or cell transfer, the forwarding unit (such as a router) in turn converts the datalink-level identifier to the interface identifier of the unit. Therefore, at each forwarding unit, we can identify its adjacent unit having forwarded a particular packet based on the datalink-level identifier of the adjacent unit and the datalink-level identifier corresponding to the packet.

In our approach, forwarding nodes, or tracers, keep data about an incoming packet and its datalink-level identifier, such as source MAC address, in address corresponding to their datalink-level identifier in each forwarding unit, and identify the adjacent unit by searching a buffer memory in forwarding nodes for the datalink-level identifier of the forwarded packet that corresponds to an attack packet. Beginning with the forwarding unit closest to the sensor that has detected unauthorized access, we identify each adjacent forwarding unit along the attack path, and ultimately reach the source of the attack packet even if a forged source IP address is used.

Our Traceback Model:
In this section, we describe our traceback architecture that identifies the source of a packet with forged source IP address. The architecture consists of the following three components:

(1) Sensor :
This component, deployed at the target site, has two functions. One is to detect unauthorized access from the network; another is to request a manager to start tracing.

(2) Tracer :
This component implements a function to maintain information about forwarded IP packets as well as a function to trace the source of the forwarded packet along the attack path on the forwarding unit.
(3) Monitoring Manager :
In response to a request from a sensor, this component controls tracers and manages the entire tracing process. We can install a tracer and a manager on each unit or install a single manager as a central manager of the entire network.

Process Method:
With the basic model of our traceback method, in practical terms, network policy in particular may restrict tracing a packet with certain limitations. We cannot trace a packet beyond our own network boundary if neighboring networks impose a different policy. We therefore suggest a distributed management approach that controls the tracing process and information within a particular group of networks. This control section is called an Autonomous Management Network (AMN). The monitoring manager, which is deployed in each AMN, executes a tracing process within its AMN. If the tracing process goes beyond the AMN’s boundary, the monitoring manager of the AMN that initiated the tracing process asks the monitoring manager in the adjacent AMN to trace the packet.

The proposed architecture of our traceback model is shown below. In it, all the monitoring managers are coupled with the tracer in order to trace the source of the forwarded packet, and a sensor is coupled with the monitoring manager and target network in order to detect the unauthorized access and also for the purpose of requesting the tracer to start the process of tracing.

Process Flow:
Our traceback approach involves several steps, from attack detection to source identification.

Step 1: Sensors are deployed at each target network. When a sensor detects an attack, it creates data containing features of the attack packet and sends a tracing request to the monitoring manager deployed in its AMN.

Step 2: The monitoring manager orders the AMN’s tracer to trace the attack packet. The tracer identifies the adjacent node and returns the result to the monitoring manager.

Step 3: Based on the result returned, the process described above continues until the tracer identifies the attack packet’s source.
Step 4: If a tracing process goes beyond the AMN’s boundary, processing is handed over to the relevant monitoring manager that controls that AMN.

Step 5: The monitoring managers in each AMN trace the packet in their AMN and send the tracing result to the monitoring manager that initiated the traceback request.

Step 6: The requester monitoring manager sends the final results to the sensor that requested the trace.

Traceback Protocol:
The basic functions of the traceback protocol define the following tasks:
• A trace request from a sensor and a notice of the tracing result to the sensor.
• A trace order from a monitoring manager to a tracer and a notice of the processing result to the monitoring manager.
• A trace request and a notice of the tracing result exchanged between monitoring managers.

Packet Feature :
Our traceback method uses a packet feature as a parameter for Trace Request and Trace Order. In order to uniquely identify the individual packet, we extract several fields of the IP packet that are not altered by tracers and create a packet feature. The extracted fields are as follows:
• Version
• Header Length
• Identification
• Protocol
• Source and Destination IP addresses
• A part of IP data
If we create a packet feature consisting of only IP header fields, identical packets may exist. Therefore, in order to improve the precision of packet identification, we decide to include a part of the IP data field (maximum 20 bytes). The following figure shows the structure of the packet feature.

[Figure: structure of the packet feature]
  Version | Header Length | Type of Service | Total Length
  Identification | Flags | Fragment
  TTL | Protocol | Header Checksums
  Source IP Address
  Destination IP Address
  Options | Padding
  IP Data Part ---- MAX (20 Bytes)

Implementation of Our Traceback System:
The heart of our traceback approach is the tracer. The following section describes how to implement a tracer, which is one of the major functions in tracing tasks.

Implementation of Tracer:
The tracing function consists of 2 modules.

(1) Packet Conversion and Store process
After the routing process, the Packet Conversion and Store process gets a packet to forward and creates a record containing the address of the upstream unit (MAC address) and a packet feature extracted from the packet. This record is stored into the Packet Information Area in the tracer. Every incoming packet is processed through this procedure.

(2) Trace and Search process
The Trace and Search process has two modules: the Packet Search module and the Upstream Network Interface Decision module. The Packet Search module accepts a Trace Order and searches for the specified packet feature in the Packet Information Area. If a record matching the traced packet is found, the Upstream Network Interface Decision module decides the upstream network interface and notifies the monitoring manager of this trace result using Notification of Processing Result.

[Figure labels: Routing Process, Packet store, Packet Info Area, Trace Information, Packet Search module, N/w interface Decision module]
[Figure: Structure of tracer; label: Protocol process]

Trace algorithm:
We have developed the algorithm that processes Trace Order reception, trace execution for upstream path decision and trace report. Below we describe our algorithm.

Step 1: Start the Tracing process.
Step 2: Receive the packet feature and pass it to the packet search module.
Step 3: Check the Packet Information Area with the packet feature received.
Step 4: If any match is found, take the matched record as the target record.
Step 5: Compare the address information (i.e. MAC address) in the target record with the address information (i.e. MAC address & IP address) of the connected tracer stored in trace information.
Step 6: If a match is found, decide the IP address and return it to the monitoring manager as the trace result.
Step 7: Repeat step 3 to step 6 until the source of the attack is detected.
Step 8: Stop the Tracing Process.

Information Management:
There are two types of information used in tracers. One is the packet information that converts traversed packets information into packet features and stores them, and the other is the network interface information that stores network interface information between two units connected to each other.

(1) Packet Information Area
The Packet Information Area contains packet features, which includes network interface information and forwarding time of the packet, necessary information for tracing. In our implementation, records are stored in the memory area of the tracer for the purpose of real-time processing. If the volume of the Packet Information Area exceeds the memory capacity, the oldest record will be deleted and the latest one will be stored in turn.

(2) Network interface Information
We have three methods for obtaining network interface information from the unit connected with the tracer.

Method 1: Trace table method
Checking the network interface number, IP addresses and physical
addresses (e.g. MAC address on LAN) of the connected tracers in advance, and storing them in the unit.

Method 2: ARP table method
Using the ARP table stored in the unit to look up the IP address and physical address of the connected tracer when a Trace Order is received.

Method 3: Order-driven query method
Without providing a fixed table, obtaining network interface information using the lower layer protocols (e.g. RARP protocol) in response to a Trace Order.

The above methods lead to the following conclusion. As network interface information is temporarily stored in the ARP table, some information may be changed when searching the table. Although the order-driven query method is suitable for obtaining the latest network interface information, the process is complicated and takes a longer time because the query task to the adjacent node is called every time a trace order is issued. Therefore, we select the trace table method that provides real-time, reliable, and efficient tracing.

Conclusion :
We proposed a traceback system that can pursue the source even if an IP address is forged, and have demonstrated the effectiveness of the traceback processing. We will consider the relationship among the network load and the number of tracers. From the viewpoint of the introduction of the traceback, we have 2 subjects. The first subject is the method to identify matching packets and identify the sources under DoS attack where identical packets are sent from different sources. The second subject is to introduce the tracer function. However, in the meantime we will implement our proposed model in future to assure security in network communications.

Authors :
1. K.Sanjai, IV-CSE, SSM College of Engineering
2. K.Sowbarani, IV-CSE, SSM College of Engineering

REFERENCES :
1. Mr.Ragav, Technical Lead, NIIT, Chennai
2. Mr.D.Namachivayam, Assistant Professor, SSM College of Engineering.
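The tracer described under Packet Feature, Implementation of Tracer, Trace algorithm and Information Management, together with the monitoring manager's hop-by-hop loop, sketched as an added example that is not code from the paper or its prototype. The class and function names, the MAC and IP values, the dict used as the trace table, and treating an upstream MAC that is absent from the trace table as the source are all assumptions.

```python
import struct
from collections import OrderedDict

DATA_PART_MAX = 20  # the paper includes at most 20 bytes of IP data

def packet_feature(pkt: bytes) -> bytes:
    """Version/Header Length, Identification, Protocol, addresses, data part.
    TTL and header checksum change at every hop, so they are left out."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or not 20 <= ihl <= len(pkt):
        raise ValueError("not a well-formed IPv4 packet")
    return pkt[0:1] + pkt[4:6] + pkt[9:10] + pkt[12:20] + pkt[ihl:ihl + DATA_PART_MAX]

class Tracer:
    def __init__(self, trace_table, capacity=1024):
        self.trace_table = trace_table  # upstream MAC -> IP of connected tracer
        self.capacity = capacity
        self.info_area = OrderedDict()  # Packet Information Area: feature -> MAC

    def store(self, src_mac, pkt):
        """Packet Conversion and Store process, run for every forwarded packet."""
        self.info_area[packet_feature(pkt)] = src_mac
        while len(self.info_area) > self.capacity:
            self.info_area.popitem(last=False)  # memory full: drop oldest record

    def trace(self, feature):
        """Trace and Search process: ('tracer', ip), ('source', mac) or None."""
        mac = self.info_area.get(feature)
        if mac is None:
            return None  # never forwarded here, or record already evicted
        ip = self.trace_table.get(mac)
        return ("tracer", ip) if ip else ("source", mac)

def trace_back(tracers, start_ip, feature):
    """Monitoring manager loop: follow trace results upstream, hop by hop."""
    path, hop = [], ("tracer", start_ip)
    while hop and hop[0] == "tracer" and hop[1] in tracers and hop[1] not in path:
        path.append(hop[1])
        hop = tracers[hop[1]].trace(feature)
    return path, (hop[1] if hop and hop[0] == "source" else None)

def make_packet(ttl, src=b"\xcb\x00\x71\x09", payload=b"constructed payload for the demo"):
    """Constructed IPv4/UDP sample; src is a forged 203.0.113.9."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1C46,
                       0, ttl, 17, 0, src, b"\xc0\x00\x02\x0a") + payload

def demo():
    """Constructed path: attacker host -> 10.0.0.1 -> 10.0.0.2 -> 10.0.0.3."""
    tracers = {"10.0.0.1": Tracer({}),  # edge: upstream MACs are hosts
               "10.0.0.2": Tracer({"02:00:00:00:00:01": "10.0.0.1"}),
               "10.0.0.3": Tracer({"02:00:00:00:00:02": "10.0.0.2"})}
    macs = ["02:00:00:00:00:aa", "02:00:00:00:00:01", "02:00:00:00:00:02"]
    for ttl, (ip, mac) in zip((64, 63, 62), zip(tracers, macs)):
        tracers[ip].store(mac, make_packet(ttl))  # TTL drops at each hop
    return trace_back(tracers, "10.0.0.3", packet_feature(make_packet(61)))
```

`demo()` returns the tracers visited from the one nearest the target back to the edge, plus the MAC address recorded at the edge tracer, even though the IP source address in the sample packet is forged.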