Professional Documents
Culture Documents
Network Attacks Taxonomy Tools and Systems
Network Attacks Taxonomy Tools and Systems
Network Attacks Taxonomy Tools and Systems
Review
Department of Computer Science & Engineering, Tezpur University, Napaam, Tezpur 784028, Assam, India
Department of Computer Science, University of Colorado at Colorado Springs, CO 80933-7150, USA
art ic l e i nf o
a b s t r a c t
Article history:
Received 28 January 2013
Received in revised form
11 July 2013
Accepted 5 August 2013
Available online 15 August 2013
To prevent and defend networks from the occurrence of attacks, it is highly essential that we have a
broad knowledge of existing tools and systems available in the public domain. Based on the behavior and
possible impact or severity of damages, attacks are categorized into a number of distinct classes. In this
survey, we provide a taxonomy of attack tools in a consistent way for the benet of network security
researchers. This paper also presents a comprehensive and structured survey of existing tools and
systems that can support both attackers and network defenders. We discuss pros and cons of such tools
and systems for better understanding of their capabilities. Finally, we include a list of observations and
some research challenges that may help new researchers in this eld based on our hands-on experience.
& 2013 Elsevier Ltd. All rights reserved.
Keywords:
Network attacks
Tools
Systems
Protocol
DoS
Contents
1.
2.
3.
4.
5.
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
1.1.
Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
1.2.
Prior surveys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
1.3.
Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
1.4.
Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Network attacks and related concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
2.1.
Anomalies in network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
2.2.
Steps in launching an attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
2.3.
Launching and detecting attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Network security tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
3.1.
Information gathering tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
3.1.1.
Snifng tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
3.1.2.
Scanning tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
3.2.
Attack launching tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
3.2.1.
Trojans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
3.2.2.
DoS/DDoS attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
3.2.3.
Packet forging attack tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
3.2.4.
Application layer attack tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
3.2.5.
Fingerprinting attack tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
3.2.6.
User attack tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
3.2.7.
Other attack tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
3.3.
Network monitoring tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
3.3.1.
Visualization and analysis tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Attack detection systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Observations and conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
308
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
1. Introduction
Due to the Internet's explosive growth and its all-pervasive nature,
users these days rely on computer networks for most day-to-day
activities. Network attacks attempt to bypass security mechanisms of a
network by exploiting the vulnerabilities of the target network.
Network attacks disrupt legitimate network operations and include
malfunctioning of network devices, overloading a network and denying services of a network to legitimate users, highly reducing network
throughput, scanning maliciously and other similar activities.
An attacker may also exploit loopholes, bugs, and miscongurations in
software services to disrupt normal network activities. Network
security tools facilitate network attackers as well as network
defenders in identication of network vulnerabilities and collection of network statistics. Network attackers intentionally try to
identify loopholes based on common services open on a host and
gather relevant information for launching a successful attack. Thus
it is of considerable interest to attackers to determine whether or
not the defenders of a network are monitoring network activities
regularly. Network defenders try to reduce abnormal activities
from live network trafc. Defenders do not usually hide their
identity during observation while attackers do.
A large number of network security tools have been designed to
launch, capture, visualize, and detect different types of attacks with
multiple objectives. Example tools include LOIC (Pras et al., 2010),
HOIC (Manseld-Devine, 2011), Wireshark (Orebaugh et al., 2006),
Gulp (Satten, 2007), Ntop (Deri et al., 2001), etc. These tools can be
used for capture of live network trafc, preprocessing, feature extraction, vulnerability analysis, trafc visualization and actual detection of
attacks. Thus, network security tools help in network security engineering from the viewpoint of both attackers and defenders.
1.1. Motivation
Even though there are several published surveys of network
security tools such as Conti and Abdullah (2004), Barber (2001),
Pilli et al. (2010), their scopes are limited and they usually discuss
only a few tools. In Conti and Abdullah (2004), the authors discuss
network attack tools which are specic to visual ngerprinting. In
Barber (2001), the authors include a few tools that are commonly used
by hackers. An exhaustive survey of network forensics is presented in
Pilli et al. (2010). The authors categorize the tools into two major
groups, viz., network forensic analysis tools and network security
tools. None of the surveys (Conti and Abdullah, 2004; Barber, 2001;
Pilli et al., 2010) include a taxonomy, attack launching tools, and
information gathering tools. They also do not discuss recent network
intrusion detection systems. Hence, in this paper we present a
structured and comprehensive survey on network attacks in terms
of general overview, taxonomy, tools, and systems with a discussion of
challenges and observations. Our paper is detailed with ample
comparisons where necessary and intended for readers who wish to
begin research in this eld.
1.2. Prior surveys
Several surveys on network security are available in the literature (Conti and Abdullah, 2004; Barber, 2001; Pilli et al., 2010;
Gogoi et al., 2011; Zhou et al., 2010; Lunt, 1993; Peng et al., 2007;
Dhanjani and Clarke, 2005; Li et al., 2013). However, only a few
surveys cover network security tools in general. Garcia-Teodoro
et al. (2009) discuss some popular anomaly based intrusion detection techniques and systems. They focus on NIDSs and several
detection techniques under three major categories, viz., statistical,
knowledge based, and machine learning. Corona et al. (2013)
present an overview of adversarial attacks against intrusion detection systems. They provide a general taxonomy of attacks against
IDSs, use of IDS weaknesses for attack implementation, and solutions for each attack they include. An overview of IDSs in terms of
detection and operation is given in Axelsson (2000). Debar et al.
(1999a) present a taxonomy of IDSs from several security aspects.
A few ngerprinting attack tools with their detection methodologies are briey summarized in Conti and Abdullah (2004).
Out of the top 75 network security tool list produced by fyodor, the
creator of nmap, a few tools have been included. Barber (2001)
present a few sophisticated attack tools with their usefulness in
brief. Our survey differs from these previous surveys in view of the
following points.
(a) Unlike (Sherif and Dearmond, 2002), we present tools and
attack detection systems under two main categories viz., tools
for network defenders and tools for attackers. Our survey also
includes a comparison of tools with parameters that are useful
to the network trafc analyzer.
(b) A survey of network forensic analysis methods is reported in
Pilli et al. (2010). Similar to this survey, we describe tools for
network defenders as well as tools for attackers used during
network trafc capture, analysis and visualization. In addition, we also include a discussion on several IDSs, with
architectures to improve the reader's understanding of the
detection mechanisms.
(c) Unlike Corona et al. (2013), we include a taxonomy of network
attacks, tools and detection systems. Tools are categorized into
two classes: tools for network defenders and tools for attackers.
The tools and systems are evaluated using parameters that may
help in choosing a tool or a system for experiment or for specic
applications.
A comparison of the existing surveys on network security tools
and systems is given in Table 1.
Table 1
Comparison with existing surveys.
References
Tools
Systems
Barber (2001)
Lunt (1993)
Axelsson (2000)
1.3. Contributions
This paper provides a structured and comprehensive survey on
network security tools and systems that are needed by network
security researchers. The major contributions of this survey are the
following.
1. Like the taxonomy of network security tools and systems given
in Pilli et al. (2010), we classify the tools and systems into a
number of categories. In addition, we also provide an analysis
of tools in terms of their capabilities, performance, details of
parameters and input/output.
2. Most existing surveys do not fully cover launching and information gathering tools, but we do.
3. In addition to discussing network security tools, we present a
few popular NIDSs with architecture diagrams including components and functions, and also present a comparison among
the NIDSs.
4. Finally, we list several important observations from both technical
and practical viewpoints.
1.4. Organization
The rest of the paper is organized as follows. Network attacks
and related concepts are discussed in Section 2. Section 3 presents
a taxonomy of network security tools, a description of these tools,
in addition to comparisons among them, whereas Section 4 is
dedicated to attack detection systems and architectures. Finally,
we present our observations and conclusions in Section 5.
309
310
Fig. 1. A typical network structure with protected LAN, DMZ and IDS deployment.
an attacker may launch an attack from various machines connected to the network either via wired or wireless media.
The increasing number of highly sophisticated attacks of complex and evolving nature has made the task of defending networks
challenging. The appropriate use of tools and systems can simplify
the task signicantly. This necessitates an awareness of the characteristics and relevance of these tools and systems, and their usage.
311
(iv)
(v)
(vi)
(vii)
(viii)
(ix)
(x)
(xi)
(xii)
(xiii)
(xiv)
(xv)
1
http://snoopwpf.codeplex.com/
and RADIUS shared keys. It can also launch man-in-themiddle attacks for SSHv1 trafc.
Aimsniff: It is a simple tool to capture the IP address of an
AOL Instant Messenger user while a direct connection is
established between the user with others. Once the connection is established, one is able to simply click on the
sniff button to capture the IP address.
Tcptrace: It is a powerful tool to analyze tcpdump les and
to generate various types of outputs including connection
specic information, such as the number of bytes and
segments sent and received, elapsed time, retransmissions,
round trip times, window advertisements and throughput.
It accepts a wide range of input les generated by several
capture tools such as tcpdump, snoop, etherpeek, HP Net
Metrix, and WinDump. It also provides a graphical presentation of trafc characteristics for further analysis.
Tcptrack: It can sniff and display TCP connection information, as seen in the network interface. Tcptrack can perform
the following functions: (a) watch passively for connections
on the network interface, (b) keep track of their state and
(c) display a list of connections. It displays source IP,
destination IP, source port, destination port, connection
state, idle time, and bandwidth usage.
Nstreams: It is a tool to display and analyze network
streams generated by users between several networks,
and between networks and the outside. Nstreams also
can output optionally the ipchains or ipfw rules matching
these streams. It parses outputs generated by tcpdump or
les generated using tcpdump with w option.
Argus: Argus runs on several operating systems such as
Linux, Solaris, Mac OS X, FreeBSD, OpenBSD, NetBSD, AIX,
IRIX, Windows and OpenWrt. It can process either live
trafc or captured trafc les and can output status reports
on ows detected in the stream of packets. It reports reect
ow semantics. This tool provides information on almost all
packet parameters, such as reachability, availability, connectivity, duration, rate, load, loss, jitter, retransmission,
and delay metrics for all network ows.
Karpski: This is a user-friendly tool with limited snifng and
scanning capabilities. It provides exibility to include protocol
312
(xvi)
(xvii)
(xviii)
(xix)
(xx)
(xxi)
(xxii)
We note that the snifng tools we have discussed above are not
equally useful for all purposes all the time. Their usefulness and
importance depend on the user's requirements and purpose at a
certain point in time. For example, one cannot use the Cain & Able
to capture live network trafc since it performs only password
Fig. 3. Different types of port scans. (a) Single source port scan (one-to-many), (b) distributed port scan (many-to-one) and (c) distributed port scan (many-to-many).
313
Table 2
Comparison of snifng tools.
Tool's name
Input
Protocol
Purpose
Effectiveness
Sources
Ethereal
Tcpdump
Net2pcap
Snoop
Angst
Ngrep
Ettercap
Dsniff
Cain & able
Aimsniff
Tcptrace
Tcptrack
Argus
Karpski
IPgrab
Nast
Gulp
Libpcap
Nfsen
Nfdump
I
I
I
N
H/p
I
I
I
I
H
F
I/p
F
I
I/p
I
I
I
I
I
C/HT/S
C/U/IC
C/U/IC
C/U/IC/ Te/ F
C
C/U/IC
C/U
F/Te/ S/HT/P
Packet capturing
Packet capturing
Packet capturing
Packet capturing
Snifng
Capturing packet
Man-in-the-middle attack
Password snifng
Password recovery
Capturing packet
Analysis of trafc
TCP connection analysis
Analysis of audit data
Packet analyzer
Display packet header
Trafc analysis
Packet capturing/visualization
Packet capturing
Flow capturing/ visualization
Flow capturing/visualization
www.ethereal.com.
www.tcpdump.org
www.secdev.org
www.softpanorama.org
www.angst.sourceforge.net
www.ngrep.sourceforge.net
www.ettercap.sourceforge.net
www.naughty.monkey.org
www.oxid.it
www.sourceforge.net
www.tcptrace.org
www.rhythm.cx
www.qosient.com/argus
www.softlist.net
www.ipgrab.sourceforge.net
www.nast.berlios.de
staff.washington.edu/corey
www.tcpdump.org
www.nfsen.sourceforge.net
www.nfdump.sourceforge.net
C/U/HT
C
C
C/U
C/U
C/U
C/U/IC
C/U/IC
C/U
C/U
Here, I interface ID, N network IP, H host IP, F trafc captured le, p port, C TCP, U UDP, IC ICMP, IG IGMP,HT HTTP, S SMTP, F FTP, P POP, Te Telnet.
Table 3
Comparison of scanning tools.
Tool's name
Input
Protocol
Purpose
Effectiveness
Sources
Nmap
Amap
Vmap
Unicornscan
Ttlscan
Ike-scan
Paketto
IP/p
IP/p
T
T/p
T/p
T
IN
C/U
C/U
C/U
C/U
C
C/U
C
Scanning
Scanning
Version mapping
Scanning
Scanning
Host discovery
Scanning
www.insecure.org
www.freeworld.thc.org
www.tools.l0t3k.net
www.unicornscan.org
www.freebsd.org
www.stearns.org
www.packages.com
314
(v)
(vi)
(vii)
(viii)
(ix)
(x)
(xi)
(xii)
(xiii)
(xiv)
(xv)
(xvi)
(xvii)
the use of this tool is % blast targetIP port start_ size end_
size /b (i.e., begin text) GET/SOME TEXT /e (i.e., end text) URL
The command is used to send attack packets of size minimum
start_size bytes to maximum end_size bytes to a server with
a specied target IP.
Crazy Pinger: It attempts to launch an attack by sending
a large number of ICMP packets to a victim machine or to
a large remote network.
UDPFlood: This tool can ood a specic IP at a specic port
instantly with UDP packets. The ooding rate, the maximum duration and the maximum number of packets can
be specied in this tool. It can also be used to test the
performance of a server.
FSMax: It is a server stress testing tool. To test a server for
buffer overows that may be exploited during an attack, it
accepts a text le as input and executes a server through a
sequence of tests based on the input.
Nemsey: The presence of this tool implies that a computer is
insecure, and infected with malicious software. It attempts
to launch an attack with a specied number of packets of
specied sizes, including information such as protocol
and port.
Panther: This UDP based DoS attack tool can ood a
specied IP at a specied port instantly.
Slowloris: It creates a large number of connections to a
target victim Web server by sending partial requests, and
attempts to hold them open for a long duration. As a
consequence, the victim servers maintain these connections as open, consuming their maximum concurrent connection pool, which eventually compels them to deny
additional legitimate connection attempts from clients.
BlackEnergy: This Web based DDoS attack tool, an HTTPbased BotNet, uses IRC based command and control
method.
HOIC: It is an HTTP based DDoS tool that focuses on
creation of high speed multi-threads to generate HTTP
ood trafc. It is able to ood simultaneously up to 256
Web sites. The built-in scripting system in this tool allows
the attacker to deploy boosters, which are scripts designed
to thwart DDoS counter measures.
Trinoo: This is an effective DDoS attack tool, that uses a
master host and several broadcast hosts. It issues commands using TCP connection to the master host, and the
master instructs the broadcast hosts via UDP to ood
specic target IPs at random ports with UDP packets. To
launch an attack using this tool, an attacker should possess
prior access to the host to install a Trinoo master or
broadcast, either by passing or by compromising the existing security system.
Shaft: It is a variant of Trinoo, which provides statistics on
TCP, UDP and ICMP ooding attacks. These help attackers
identify the victim machine's status (i.e., completely down
or alive), or to decide on the termination of zombies in
addition to the attack.
Knight: This IRC-based tool can launch multiple DDoS
attacks to create SYN ood, UDP ood, and urgent pointer
ood on Windows machines.
Kaiten: This is an IRC-based attack tool and is able to launch
multiple attacks, viz., UDP ood, TCP ood, SYN ood,
PUSH SYN ood attacks. It uses random source addresses.
RefRef: RefRef is used to exploit existing SQL injection
vulnerabilities using features included in MySql such as
SELECT permissions to create a DoS attack on the associated
SQL server. It sends malformed SQL queries carrying payloads which force servers to exhaust their own resources.
It works with a Perl compiler to launch an attack.
315
316
(vi)
(vii)
(viii)
(ix)
(x)
(xi)
(xii)
(xiii)
317
http://spot-act.heck.in/queso-scanner-v-0-5.xhtml
http://www.perlmagic.org/
318
(v)
(vi)
(vii)
(viii)
(ix)
(ii) Network Trafc Monitor: This tool provides support in presenting and scanning detailed trafc scenarios since the
inception of an application process and also allows analyzing
trafc details.
(iii) Rumint: This tool enables visualization of live captured trafc.
It can also save captured trafc as a pcap le in the Windows
environment.
(iv) EtherApe: EtherApe allows one to sniff live packets and to
monitor captured data in the Unix environment.
(v) NetGrok: It is a real-time network visualization tool that
presents a graphical layout and a tree map to support visual
description of the network data. It can visualize live packets,
capture traces, and help in ltering.
(vi) NetViewer: This tool not only supports observation of captured live trafc in an aggregated way, but also helps identify
network anomalies. In addition, NetViewer supports visualization of useful trafc characteristics to assist in tuning of
defense mechanisms.
(vii) VizNet: It helps visualize the performance of a network based
on bandwidth utilization.
Most visualization tools discussed above support both visualization and analysis of network trafc. To visualize and also to
analyze a network, one can use EtherApe in Unix or NetViewer in
the Windows platform. For real-time visualization of live trafc for
intrusion detection, NetViewer is the best due to its ability to
detect anomalous network trafc. Network defenders need realtime visualization tools that can detect abnormal behaviors in
network trafc and immediately generate alert messages to inform
the administrator.
(v)
(vi)
(vii)
(viii)
(ix)
(x)
319
320
(xvii)
(xviii)
(xix)
(xx)
(xxi)
321
Table 4
Comparison of attacking tools.
Tool's name
Input
Protocol
Purpose
Effectiveness
Sources
Jolt
Burbonic
Targa
Blas20
Crazy Pinger
UDPFlood
FSMax
Nemsey
Panther
Land & LaTierra
Slowloris
Blackenergy
HOIC
Shaft
Knight
Kaiten
RefRef
Hgod
LOIC
Trinoo
TFN
TFN2K
Stachaldraht
Mstream
Trinity
T
T
T
T
V
V
F
T/p
T/p
T
T
S
T
V
V
V
T
T/p
T/p
T/p
T
T
T
T
T
IC
C
C/U/IC
C
IC
U
DoS
DoS
DoS
DoS
DoS
DoS
DoS
DoS
DoS
DoS
DoS
DDoS
DDoS
DDoS
DDoS
DDoS
DDoS
DDoS
DDoS
DDoS
DDoS
DDoS
DDoS
DDoS
DDoS
www.ylib.com
www.packetstormsecurity.org
www.packetstormsecurity.org
C
U
C
HT
C/U/ IC
HT
U/C/IC
C/U
U/C
C/U/IC
C/U/ IC
U
U/C/IC
U/C/IC
C
C
C/U
www.softwaretopic.informer.com
www.foundstone.com
www.brothersoft.com
packetstormsecurity.org
www.bestspywarescanner.net
www.ha.ckers.org/slowloris
www.airdemon.net
www.rapidshare.com
www.cert.org
www.mcafee.com
www.hackingalert.net
www.ylib.com
www.sourceforge.net
www.nanog.org
www.codeforge.com
www.goitworld.com
www.packetstormsecurity.org
www.ks.uiuc.edu
www.garykessler.net
Here, T target IP, V victim IP, S server IP, C TCP, U UDP, IC ICMP, F input text le, p port, HT HTTP.
Table 5
Comparison of packet forging attack tools.
Tool's name
Input
Protocol
Purpose
Effectiveness
Sources
Packeth
Packit
Packet Excalibur
Nemesis
Tcpinject
Libnet
SendIP
IPsocery
Pacgen
Arp-sk
ARP-SPOOF
Libpal
Aicmspend
S/D
I
U/C/IC
C/U/IC
Packet generator
Packet analysis and injection
H
H
H
H
H
H
H
T
H
T
IC/IG/ C/U
C
C
C/U
C/U/ IC/IG
C/U
A
A
C/U/IC
IC
Packet crafting/injection
Packet generator
Packet injection
Packet generator
Packet generator
Packet generator
ARP packet generator
Packet intercept
Packet intercept
ICMP packet ooding
www.sourceforge.net
www.packetfactory.openwall.ne
www.freecode.com
www.sourceforge.net
www.packetstormsecurity.org
www.packetfactory.net/libnet
www.softpedia.com
www.tools.l0t3k.net
www.sourceforge.net
www.arp-sk.org
www.sourceforge.net
www.sourceforge.net
www.packetstormsecurity.nl
Here, S source IP, D destination IP, I interface ID, H host IP, T target IP, C TCP, U UDP, IC ICMP, IG IGMP, A ARP.
Table 6
Comparison of ngerprinting tools.
Tool's name
Input
Protocol
Purpose
Effectiveness
Sources
Nmap
P0f
Xprobe
CronOS
Queso
AmapV4.8
Disco
Sprint
H/N
H
T
T
H
T/p
C/U
C
C/U
C
C/U
C/U
C
C
Network scanning
Remote network identication
Port scanning
OS identication
OS ngerprinting
Host and port scanning
IP discovery and Fingerprinting
OS identication
www.nmap.org
www.lcamtuf.coredump.cx
www.sourceforge.net
pen-testing.sans.org
www.tools.l0t3k.net
www.linux.softpedia.com
www.tools.l0t3k.net
www.safemode.org
Here, H host IP, N network IP, T target IP, C TCP, U UDP, p port.
322
Table 7
Comparison of other tools.
Tool's name
Input
Protocol
Purpose
Effectiveness
Sources
Ping
Hping2
Hping3
Traceroute
Tctrace
Tcptrace route
Traceproto
Fping
Arping
H
T
T
H
H
I
H
T
S
IC
IC/C/U
IC/C/U
IC/C/U
C
C
C/U/IC
IC
A
Host discovery
Port scanning
Port scanning
Route discovery
Route discovery
DNS lookup
Route discovery
Target host discovery
Send ARP request
www.download.cnet.com
www.hping.org.
www.hping.org.
www.brothersoft.com
www.tcptrace.org
www.michael.toren.net
www.traceproto.sourceforge.net
www.softpedia.com
www.linux.softpedia.com
Here, H host IP, T target IP, I interface ID, S source IP, C TCP, U UDP, IC ICMP, A ARP.
Table 8
Comparison of visualization tools.
Tool's name
Input Protocol
Tnv
F
Network Trafc Monitor 1.02 H
Rumint
H
EtherApe
H
Netgrok
H
Netviewer
H
VizNet
H
C/U/
C/U/
C/U/
C
C/U/
C/U
C/U
Purpose
IC
Trafc visualization
IC
Live trafc monitoring
IC/IG Visualize life trafc
Trafc ow visualization
IC
Real-time trafc visualization
Trafc analysis
Trafc analysis and visualization
Effectiveness
Sources
www.tnv.sourceforge.net
www.monitor-network-trafc.winsite.com
www.rumint.org
www.brothersoft.com
www.softpedia.com
www.brothersoft.com
www.viznet.ac.uk
Here, H host IP, F captured data le, C TCP, U UDP, IC ICMP, IG IGMP.
Table 9
Tools by category.
Category
Tool name
Source
Trojans
NukeNabbler
AIMSpy
NetSpy
http://community.norton.com
http://www.securitystronghold.com
http://www.netspy-trojan-horse.downloads
ASS
NMap
p0f
MingSweeper
THC Amap
Angry IP Scanner
http://www.manpages.ubuntu.com
http://www.nmap.org
http://www.lcamtuf.coredump.cx/p0f.shtml
http://www.hoobie.net/ mingsweeper
http://www.freeworld.thc.org/thc-amap
http://www.angryziber.com/w/Download
Targa
Burbonic
Blast20
http://www.security-science.com/
http://www.softpedia.com
http://seomagz.com/2010/03/dos-denial-of-service-attack-tools-ethical-hacking-session-3/
http://www.engage-packet-builder.software.informer.com/
http://www.hping.org
http://www.nemesis.sourceforge.net
http://www.linux.softpedia.com
http://www.softpedia.com
Firesheep
Hunt
Juggernaut
TTY Watcher
IP Watcher
Hjksuit-v0.1.99
http://www.codebutler.github.com/resheep/
http://www.packetstormsecurity.org/sniffers/hunt
http://www.tools.l0t3k.net/Hijacking/1.2.tar.gz
http://www.security-science.com
http://www.download.cnet.com
http://www.tools.l0t3k.net/ Hijacking/hjksuite-0.1.99.tar.gz
Solarwind
Network Probe
NMap
http://www.solarwinds.com
http://www.softpedia.com
http://nmap.org
Kismet
libpcap
libnet
libdnet
libradiate
http://www.linux.die.ne
http://www.sourceforge.net/projects/libpcap
http://www.libnet.sourceforge.net
http://www.libdnet.sourceforge.net/
http://www.packetfactory.net/projects/ libradiate
HOIC
LOIC
RefRef
https://www.rapidshare.com
http://www.softpedia.com
http://www.softpedia.com
323
Table 10
Comparison of attack detection systems, where P represents the types of detection as host based (H) or network based (Net) or hybrid (H), W indicates the class of detection
as misuse (M) or anomaly (A) or both (B), X corresponds to the nature of detection as real-time (R) or non-real time (N), Y and Z represent the nature of processing and data
gathering mechanism as centralized (C) or distributed (D) respectively.
System
Year
Approach
1999
1999
1999
2000
2001
2001
2002
2003
2003
2003
2004
2005
2005
2006
2006
2007
2007
2010
2012
2013
Net
Net
Net
Net
Net
Net
Net
Net
Net
H
H
Net
Net
Net
Net
Net
Net
Net
Net
Net
A
A
A
A
A
A
A
A
A
B
A
B
A
A
A
A
A
B
A
M
R
R
R
N
R
R
R
R
N
R
R
R
R
R
R
R
R
R
R
R
C
C
C
C
C
C
C
C
C
C
C
D
C
C
C
C
C
D
C
D
D
C
D
C
C
D
C
C
C
C
C
D
D
C
D
C
D
D
D
D
and high rate DDoS attacks at the victim end without affecting
legitimate users or normal service is another challenging task.
Based on the above observations, we have identied the following list of research challenges for network security researchers.
Acknowledgments
This work is supported by Department of Information Technology (DIT) and Council of Scientic & Industrial Research (CSIR)
Government of India. The research is also partially funded by the
National Science Foundation (NSF), USA under Grants CNS-095876
and CNS-0851783. The authors are thankful to the funding agencies.
References
Axelsson S. Intrusion detection systems: a survey and taxonomy. Technical Report,
Chalmers University.
Aydn M, Zaim A, Ceylan K. A hybrid intrusion detection system design for
computer network security. Computers and Electrical Engineering 2009;35
(3):51726.
Barber R. Hacking techniques: the tools that hackers use and how they are evolving
to become more sophisticated. Computer Fraud and Security 2001;2001
(3):912.
Beverly R. A robust classier for passive TCP/IP ngerprinting. Passive and Active
Network Measurement 2004:15867.
Bhuyan MH, Bhattacharyya DK, Kalita JK. Surveying port scans and their detection
methodologies. The Computer Journal 2011a;54:156581.
Bhuyan MH, Bhattacharyya DK, Kalita JK. Survey on incremental approaches for
network anomaly detection. International Journal of Communication Networks
and Information Security 2011b;3(3):22639.
Bhuyan M, Bhattacharyya D, Kalita J. NADO: network anomaly detection using
outlier approach. In: Proceedings of the 1st international conference on
communication, computing and security. New York, NY, USA: ACM; 2011c. p.
5316.
324