
Detecting and Preventing IP Spoofing and Local Area Network Denial (LAND) Attack for Cloud Computing with the Modification of Hop Count Filtering (HCF) Mechanism

Subrina Sultana, Sumaiya Nasrin, Farhana Kabir Lipi, Md Afzal Hossain, Zinia Sultana and Fatima Jannat
Department of Computer Science and Engineering, Military Institute of Science and Technology, Dhaka, Bangladesh; Faculty of Computer Science and Information Technology, University of Malaya, Kuala Lumpur, Malaysia

Challenges and issues:
There are many strategies, such as malformed packets, IP spoofing, smurf attack, teardrop attack, SYN flood attack, LAND attack etc., which are used for DDoS attacks. In a cloud environment, cloud servers may crash under a workload that exceeds their capacity when a huge number of service requests arrive in a specific time period. This phenomenon is known as a DDoS attack, and as a result users are denied services. There are many approaches to detect and prevent DDoS attacks, such as the Hop Count Filtering technique (HCF), Count Based Filtering, Confidence Based Filtering (CBF) etc.

Methodologies:
The aim of the proposed approach is to give a transparent solution for detecting and preventing ill-formed packets by filtering out the invalid packets and minimizing memory exhaustion. 90% of spoofed addresses can be detected using the HCF method. To achieve this goal, first the HCF mechanism is used, and then a data table named the IP-to-hop-count (IP2HC) table, which is generated by HCF, is maintained with some added parameters to detect and prevent IP-spoofed and ill-formed packets. Finally, the performance of the proposed approach is calculated with respect to time consumption, error, and the modification needed in the data table.

Applications:
IP spoofing is the creation of Internet Protocol (IP) packets which have a modified source address in order to either hide the identity of the sender or to impersonate another computer system, or both [14]. As a result, legitimate user machines are affected. Hop count is the total number of intermediate devices between the source and destination. Although hop-count calculation is one solution for detecting spoofed packets, since the attacker cannot change it, it also has a major drawback. Sometimes the initial and final TTL of a legitimate packet are the same as those of the spoofed packet. As a result, the hop count of spoofed IP packets may match the hop count stored in the IP2HC table, and then it is difficult to detect the spoofed packet. So hop count alone is not enough to find spoofed packets. Therefore, we proposed an HCF mechanism, which is an efficient anti-spoofing mechanism, with some modification by considering three additional parameters, i.e. source port number, source address and SYN flag. The source port number is a 16-bit number in the IP packet which tells the type of service the client intends to use. The port number alone is not enough to determine whether the packet is valid or not, because an attacker may send a packet with a forged source address. So the SYN flag and source address are also checked to determine whether the packet is spoofed or not.

Pros:
Cloud computing provides a simple way to access servers, storage, databases and a broad set of application services over the internet. A cloud services platform such as Amazon Web Services owns and maintains the network-connected hardware required for these application services, while we provision and use what we need via a web application. Cloud computing providers offer their services according to different models such as Infrastructure as a Service (IaaS), which is a self-service model for accessing and managing remote data centers and infrastructures; Platform as a Service (PaaS), where cloud providers deliver a computing platform; and Software as a Service (SaaS), where users gain access to application software and databases.

Cons:
Cloud computing technology is expanding every single day. DDoS is nowadays a major security threat in the cloud network. To secure the resources of the cloud it is important to improve the mechanisms that prevent DDoS attacks on the cloud. There is a high chance of spoofed packets arriving during transmissions and causing severe loss. So the proposed framework is a solution to several types of DDoS attack in an efficient manner and minimizes the memory overflow of the server. This approach also tries to solve the drawbacks of existing algorithms. In future, the authors intend to implement this proposed algorithm in a broader aspect as well as test this algorithm in a real cloud by performing a DDoS attack. As this proposed algorithm checks more parameters for greater safety, one of the main limitations of this work is that it consumes more time than the other two existing algorithms. The future work plan will also try to provide solutions for more types of DDoS attack in this system and will also try to reduce the run time.
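The filter described above, as an added example that is not the paper's own code: it keeps an IP2HC table, derives the hop count from the TTL, and adds the LAND (src == dst), port-sanity and SYN-flag checks the review mentions. The initial-TTL list, the choice of a repeated half-open SYN as the SYN-flag check, and all addresses are assumptions made for this illustration.

```python
"""Hop-count filtering with the additional checks the reviewed paper proposes.
Added example; packets are constructed objects, not captured traffic."""
from dataclasses import dataclass

# Initial TTL values used by common operating systems (assumption: the paper
# does not list them; 32/64/128/255 are the usual defaults).
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    ttl: int
    syn: bool


def infer_hop_count(ttl: int) -> int:
    """Hop count = initial TTL - observed TTL, using the smallest initial TTL
    that is >= the observed value. The sender controls the initial TTL but not
    the number of routers the packet actually crossed."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL outside 0..255")
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("unreachable")


class HopCountFilter:
    def __init__(self):
        self.ip2hc = {}            # IP2HC table: source address -> hop count
        self.pending_syn = set()   # (src, sport) pairs with a half-open handshake

    def learn(self, src: str, ttl: int) -> None:
        """Fill the IP2HC table from traffic known to be legitimate
        (e.g. connections that completed the TCP handshake)."""
        self.ip2hc[src] = infer_hop_count(ttl)

    def handshake_done(self, src: str, sport: int) -> None:
        """Called when the three-way handshake for (src, sport) completes."""
        self.pending_syn.discard((src, sport))

    def check(self, pkt: Packet) -> str:
        """Return 'accept' or a string naming the reason for rejection."""
        # Ill-formed / LAND packet: source equals destination with SYN set.
        if pkt.syn and pkt.src == pkt.dst:
            return "reject: LAND packet (src == dst)"
        # Port sanity: 0 is never a valid source port for a client.
        if not 1 <= pkt.sport <= 65535:
            return "reject: invalid port number"
        # Plain HCF: the hop count must match the stored value for this source.
        expected = self.ip2hc.get(pkt.src)
        if expected is None:
            return "reject: source address not in IP2HC table"
        if infer_hop_count(pkt.ttl) != expected:
            return "reject: hop count mismatch"
        # SYN flag + source address (assumed policy): a second SYN for a
        # (src, port) pair whose handshake never completed is treated as
        # suspicious even when its hop count matches the table.
        if pkt.syn:
            key = (pkt.src, pkt.sport)
            if key in self.pending_syn:
                return "reject: repeated SYN for half-open (src, port)"
            self.pending_syn.add(key)
        return "accept"
```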
Security with IP Address Assignment and Spoofing for Smart IOT Devices

S Rajashree, Soman K S, Dr. Pritam Gajkumar Shah
Research Scholar, Department of Computer Science and Engineering, Jain University, Bangalore, India

Challenges and issues:
The widespread use of the internet is causing more cyber-attacks using IP spoofing. Security for IoT devices against IP spoofing involves validating the source address of received IP packets at the gateway. This is required to prevent an unauthorized user from using an IP address as source address and flooding packets to the gateway, thereby using the bandwidth allocated to authorized users. This paper proposes a scheme for IP address assignment to smart IoT devices (which communicate using TCP/IP) and validation of the source IP address in the IP packets received from the IoT device at the gateway device.

Methodologies:
IP spoofing involves flooding of IP packets by unauthorised users who replicate the source address of authorised users. Internet devices (routers) examine only the destination IP address, and the source address is generally not validated. In the IP spoofing scenario the destination has no knowledge of who the real user is, and when it sends packets back to the source IP address the real user will not receive the expected data. Also, the unauthorised users can hog the network, which will deprive the real users of network bandwidth.

Applications:
IP spoofing prevention using reverse path forwarding as applied to software defined networks. The reverse path forwarding check at the gateway is validated by verifying the existence of a route to the source IP address. If a route exists, the RPF check succeeds. Link-state-based anti-spoofing uses a Link State Data Base (LSDB) that contains a mapping between IP prefixes and incoming interfaces. When data arrives at an interface, the LSDB verification is done for the source address in the IP packets to find a valid interface. If a valid interface is not found, the packet is discarded. In the spoofing prevention method (SPM) the packets transmitted between a source and destination autonomous system (AS) are marked with a key by the source AS, and the receiving AS validates the key.

Pros:
The lightweight approach to IP spoofing assumes IP filtering rules (firewalls, access control lists) are configured at the gateway device. It is difficult to configure IP filtering rules for all possible values of source IP addresses, many of which will not be known in advance. ARP-spoofing-based attacks like DoS attack, host impersonation attack and Man-In-The-Middle attack are described in [8]. The IP spoofing trace-back method [9] requires the router to generate an ICMP error message (path backscatter) to identify the location of the spoofed source device.

Cons:
This paper proposes a method for dynamic IP address assignment to IoT devices and spoofing of IP packets for the IPv4 and IPv6 protocols. This method proposes modifications in the IP stack for supporting the exchange of messages. The use of protocols like DHCP for dynamic IP address assignment and the configuration of filters (Access Control Lists) for IP spoofing is avoided. This method avoids the usage of complex cryptographic schemes for authentication of packets. A limitation of this method is that it assumes that the MAC address, which is used as the device identifier, can be duplicated by unauthorised users.
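The two gateway-side source checks summarised above (RPF lookup and LSDB interface check), as an added example that is not the paper's code. The routing table, the LSDB and all addresses and interface names are constructed sample data.

```python
"""Reverse-path-forwarding and link-state (LSDB) source-address checks at a
gateway. Added example with constructed tables; not the reviewed paper's code."""
import ipaddress

# Constructed routing table of the gateway: prefix -> interface the route
# leaves through. 0.0.0.0/0 is the default route towards the upstream.
ROUTES = {
    "10.0.0.0/24": "lan0",      # local IoT segment
    "10.0.1.0/24": "lan1",      # second local segment
    "192.0.2.0/24": "wan0",     # upstream provider prefix
    "0.0.0.0/0": "wan0",        # default route
}

# Constructed link-state database: prefix -> interfaces on which packets
# from that prefix may legitimately arrive (no entry for the default route).
LSDB = {
    "10.0.0.0/24": {"lan0"},
    "10.0.1.0/24": {"lan1"},
    "192.0.2.0/24": {"wan0"},
}


def longest_match(table: dict, ip: str):
    """Return (network, value) for the most specific prefix covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best


def rpf_check(src_ip: str, in_iface: str, strict: bool = True) -> bool:
    """Strict RPF: accept only if the route back to src_ip leaves via the
    interface the packet arrived on. Loose RPF: accept if any route other
    than the default route exists for src_ip."""
    match = longest_match(ROUTES, src_ip)
    if match is None:
        return False
    net, out_iface = match
    if not strict:
        return net.prefixlen > 0          # a default route is not a real route back
    return out_iface == in_iface


def lsdb_check(src_ip: str, in_iface: str) -> bool:
    """Link-state check: the source prefix must map to the arrival interface."""
    match = longest_match(LSDB, src_ip)
    return match is not None and in_iface in match[1]


def source_check(src_ip: str, in_iface: str) -> str:
    """Combined decision the gateway would apply before forwarding."""
    if not rpf_check(src_ip, in_iface):
        return "drop: RPF check failed"
    if not lsdb_check(src_ip, in_iface):
        return "drop: no LSDB entry for source on this interface"
    return "accept"
```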

Towards a SDN-Based Integrated Architecture for Mitigating IP Spoofing Attack

CHAOQIN ZHANG, GUANGWU HU, GUOLONG CHEN, ARUN KUMAR SANGAIAH, PING'AN ZHANG, XIA YAN, AND WEIJIN JIANG

Challenges and issues:
Current Internet packet delivery relies only on the packet's destination IP address, and forwarding devices neglect the validation of the packet's IP source address; this lets attackers leverage the flaw to launch attacks with forged IP source addresses so as to meet their vicious purposes and avoid being tracked. In order to mitigate this threat and enhance Internet accountability, many solutions have been proposed from either the intra-domain or the inter-domain aspect. However, most of them face issues that are hard to cope with, e.g., low filtering rates and high deployment cost. Most importantly, few of them can cover both intra-domain and inter-domain areas at the same time. With its central control and edge response pattern, the novel network architecture of software defined networking (SDN) possesses whole-network intelligence and distributes control rules directly to edge SDN switches, which brings a good opportunity to solve the IP spoofing problem. Taking advantage of SDN, in this paper we propose an SDN-based integrated IP source address validation architecture (ISAVA) which can cover both intra- and inter-domain areas and effectively lower the SDN device deployment cost, while achieving desirable control granularity at the same time. Specifically, within an autonomous system (AS), ISAVA relies on an SDN incremental deployment scheme which can achieve IP prefix (subnet)-level validation granularity with minimum SDN device deployment. Among ASes, ISAVA sets up a border server and establishes a vouch mechanism between allied ASes for signing outbound packets so as to achieve AS-level validation granularity. Finally, the conducted experiments confirm that the ISAVA intra-domain scheme can get beyond 90% filtering rates with only 10% deployment on average, while the inter-domain scheme can get high filtering rates with low system cost and less storage usage.

Methodologies:
1. We propose an integrated IP spoofing validating solution named ISASA, which can cover both intra- and inter-domain areas effectively with lower SDN device deployment cost. It is a novel design that combines SDN architecture and protocol redesign to realize IP source address validation. 2. In the intra-domain scenario, we leverage the SDN control pattern to compute key node locations and take SDN switches to replace traditional devices in these nodes, so that it can gain a balance between fake packet filtering rate and deployment cost. To the best of our knowledge, it is the first idea to use SDN technology to realize this purpose. 3. In the inter-domain part, we propose a time-synchronized packet signature signing and verification protocol between AS alliances. Through the established allied relationship, two ASes can exchange a secret key, a network abstract view and other information. Eventually, packets shuttling between one pair of allied ASes will be tagged with a signature header in the source AS, which is removed after they have been verified in the destination AS.

Applications:
PROTOCOL AND HOST-STACK REDESIGN. There are also some other schemes showing their merits from the aspect of protocol/host-stack redesign. For instance, SPM [17] and Base [18] solve this problem by leveraging some rarely used fields (e.g., ToS) in the IP header and replacing them with customized tags. But this design may disturb other special applications (e.g., Quality of Service). Additionally, SANE [19] redesigns the TCP/IP stack and introduces an isolation layer between the network and data link layers so as to achieve its purpose of traffic redirection and host authentication enforcement. Moreover, the Host Identity Protocol (HIP) [20] sets up a new layer named Host Identity (HI) between the IP and transport layers. It obtains reliable host identities through asymmetrically encrypting the HI data. But in the meantime, it complicates system implementation as it has to modify the client's host stack. More importantly, it needs to install a DNS-like system to resolve the mapping relationship between HI and IP addresses. Therefore, the largest overhead comes from their implementation and deployment.

Pros:
In this paper, we present an integrated IP spoofing validating solution named ISASA for both intra-domain and inter-domain scenarios. The intra-domain scheme first computes key network nodes and takes SDN switches to replace traditional devices in these nodes, so that it can gain a balance between fake packet filtering rate and deployment cost. Further, taking advantage of the SDN pattern, filtering rules can be generated and distributed by the central controller based on the network's real-time topology. Meanwhile, the inter-domain scheme proposes a time-synchronized packet signature signing and verification protocol between AS alliances. Through the established allied relationship, two ASes can exchange a secret key, a network abstract view and other information. Eventually, packets shuttling between the two ASes will be tagged with a signature header, which is removed after they have been verified in the destination AS. Lastly, we have implemented the system prototype, and our conducted experiments prove that ISASA has desirable performance. In the future, based on some new research [38], [39], we plan to enhance the system architecture design and join with a network equipment manufacturer, so that we can release related products onto the market and apply them to real network scenarios.

Cons:
IP source address spoofing, or the IP spoofing attack, refers to attackers releasing packets with forged IP source addresses so that they can conceal their real identities and launch attacks, e.g., reflecting network traffic to flood victim hosts. Once suffering such an attack, it is hard for the victim to trace back to the perpetrators and identify their real identities, which severely compromises Internet accountability. From the technical perspective, the IP spoofing threat derives from the design that Internet packet forwarding in routers relies only on the packet's destination IP address, but neglects the validation of the packet's IP source address to verify sender authenticity. Exploiting this vulnerability, attackers can launch serious attacks against specified targets, and as a matter of fact most attacks are directly related to this vulnerability, i.e., TCP-SYN flooding, DDoS and Smurf.
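The inter-domain signing and verification exchange described above, as an added example that is not the ISAVA/ISASA code: the source AS border server prepends a time-slot and an HMAC tag over the packet's addresses and slot, and the destination AS verifies the tag (allowing one slot of clock skew) and strips the header. The shared key, the 30-second slot, the header layout and the addresses are assumptions made for this illustration.

```python
"""Time-synchronized packet tagging between two allied ASes.
Added example; not the reviewed paper's protocol implementation."""
import hashlib
import hmac
import struct

SLOT_SECONDS = 30        # assumed clock granularity shared by the allied ASes
TAG_LEN = 16             # truncated HMAC-SHA256 tag carried in the header
HEADER_LEN = 8 + TAG_LEN # [slot: 8 bytes big-endian][tag: 16 bytes]


def tag_for(key: bytes, src: str, dst: str, slot: int) -> bytes:
    """Tag binds the source and destination addresses to the time slot, so a
    forged source address or a replayed packet does not verify."""
    msg = src.encode() + b"|" + dst.encode() + b"|" + struct.pack("!Q", slot)
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def sign_outbound(key: bytes, src: str, dst: str, payload: bytes, now: float) -> bytes:
    """Source AS border server: prepend the signature header to the packet."""
    slot = int(now // SLOT_SECONDS)
    return struct.pack("!Q", slot) + tag_for(key, src, dst, slot) + payload


def verify_inbound(key: bytes, src: str, dst: str, packet: bytes, now: float):
    """Destination AS: return the payload with the header removed when the tag
    is valid and fresh; return None when the packet is unvouched (treated as
    spoofed) or replayed outside the allowed clock skew."""
    if len(packet) < HEADER_LEN:
        return None
    slot = struct.unpack("!Q", packet[:8])[0]
    tag = packet[8:HEADER_LEN]
    current = int(now // SLOT_SECONDS)
    if abs(current - slot) > 1:                 # stale or skewed by more than one slot
        return None
    if not hmac.compare_digest(tag, tag_for(key, src, dst, slot)):
        return None
    return packet[HEADER_LEN:]
```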
Illegal Packet Tracing And Track Hackers Using IP Traceback Scheme

Shala.K.S, A.S.L.Pauls College of Engineering and Technology, India. ksshala@yahoo.co.in
Shenbagamoorthy.G, A.S.L.Pauls College of Engineering and Technology, India.

Challenges and issues:
In this paper we are tracing the origin of the fake packet. For this we are using the extended RIHT and MABS technology. [1] Conventional block-based multicast authentication schemes overlook the heterogeneity of receivers by letting the sender choose the block size, divide a multicast stream into blocks, associate each block with a signature, and spread the effect of the signature across all the packets in the block through hash graphs or coding algorithms. The correlation among packets makes them vulnerable to packet loss, which is inherent in the Internet and wireless networks. Moreover, the lack of Denial of Service resilience renders most of them vulnerable to packet injection in hostile environments. In this paper, we propose a novel multicast authentication protocol, namely MABS, including two schemes. The basic scheme eliminates the correlation among packets and thus provides perfect resilience to packet loss, and it is also efficient in terms of latency, computation, and communication overhead due to an efficient cryptographic primitive called batch signature, which supports the authentication of any number of packets simultaneously. We also present an algorithm which ensures whether data is coming from the admin or not.

Methodologies:
Digital signatures are essential in today's modern world to verify the identity of a document's sender. A digital signature is represented in a computer as a string of binary digits. The signature is computed using a set of rules and parameters such that the identity of the person signing the document as well as the originality of the data can be verified. The signature is generated by the use of a private key. The private key is known only to the user. Signature verification makes use of a public key which corresponds to the private key. With every user having a public/private key pair, this is an example of public-key cryptography. Public keys, which are known by everyone, can be used to verify the signature of a user. The private key, which is never shared, is used in signature generation, which can only be done by the user. Digital signatures are used to detect unauthorized modifications to data. Also, the recipient of a digitally signed document can prove to a third party that the document was indeed signed by the person who claimed to have signed it. This is known as non-repudiation because the person who signed the document cannot repudiate the signature at a later time. Digital signature algorithms can be used in e-mails, electronic fund transfer, electronic data exchange, and any application that would need to assure the integrity and originality of the data. [2] DSA

Applications:
Most current single-packet traceback schemes tend to log packets' information on routers. Here we are implementing the packet marking and packet logging schemes. Packet marking means the routers' information is passed in the packet's header fields. Packet logging means the router stores the digest of the packet. Our existing [4] RIHT has some negatives. To overcome these negatives we are using the MABS technology. The authors propose a hybrid IP traceback scheme called Hybrid IP Traceback combining packet marking and packet logging. It uses packet marking to reduce the number of routers required for logging. Other researchers have proposed new schemes to further reduce the storage requirement for router logging and to decrease the number of routers required for logging. Even though the marking field of a packet in Huffman codes can store a path of longer length than in fixed-length coding, the marking field may be full before the packet reaches its destination. In such a situation, they need to log the packet's information on the routers that fail to write the marking field. These routers then pair the packet digest with the marking field, and then they log the pair into a log table. After logging, the routers clear the marking field and repeat the marking process. When a router needs to recover the marking field of a request packet using its log table, it computes the digest of the request packet and searches the log table using exhaustive search. It can recover the marking field by the above steps. But there are the following two problems in the Huffman codes: MRT and MORE's schemes. First, after logging, if the marking field of the packet is still 0 on the adjacent downstream router, it will be identified as a logged router for the packet while tracing back, and then it will fail to find the origin. Second, since the digests in a log table might collide, this causes the false positive problem during path reconstruction. The storage requirement is proportional to the number of logged packets. Unfortunately, in a flooding-based attack, a huge amount of attack packets will be logged on the same router. Thus, it demands a high storage requirement on the logging router.

Pros:
The trade-off for perfect resilience to packet loss is that the sender needs to sign each packet, which incurs more computation overhead than conventional block-based schemes. Therefore, efficient signature generation is desirable at the sender. Communication efficiency and bandwidth efficiency are higher compared to other conventional schemes. The logging time of RIHT (routers' interface numbers integrated with packet logging in a hash table) is apparently shorter than that of other schemes. In RIHT, we only need to get the index stored in the request packet's marking field, and then with the index we can obtain the logged data from the hash table without any search. Since we do not need to spend time on search, path reconstruction in our scheme is obviously faster. It has a fixed storage requirement in packet logging without the need to refresh the logged tracking information. Also, the proposed scheme has zero false positive and false negative rates in attack-path reconstruction. Apart from these properties, our scheme can also deploy the marking field as a packet identity to filter malicious traffic and secure against DoS/DDoS attacks. Consequently, with high accuracy, a low storage requirement, and fast computation, RIHT can serve as an efficient and secure scheme for hybrid IP traceback.

Cons:
The further enhancement needed for this project is to limit the number of routers used to pass information. The critical issue is the high cost due to heavy information. The information sent to the client consists of details of each router. As a result, that information becomes larger and more routers will be required to pass the data, which is expensive. Hence, for the development and launching of the project we have to face more financial issues.
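The hybrid marking-and-logging traceback summarised above, as an added example that is not RIHT or the paper's code: each router folds its upstream interface number into a fixed-width marking field; when the field would overflow, the router stores the (old mark, interface) pair in a hash table and writes the table index into the field instead, so reconstruction is an index lookup rather than a search. The 8-bit field, the topology and the reserved-interface-0 convention are simplifying assumptions for this illustration.

```python
"""Hybrid packet marking / packet logging with index-based log lookup.
Added example; a simplified variant, not the RIHT implementation."""

MARK_BITS = 8                       # deliberately tiny so the example overflows and logs
MARK_MAX = (1 << MARK_BITS) - 1


class Router:
    def __init__(self, name: str, upstream: dict):
        """upstream: interface number (1..d) -> name of the node behind it.
        Interface 0 is reserved to mean 'this router logged the mark'."""
        self.name = name
        self.upstream = upstream
        self.base = len(upstream) + 1
        self.table = {}             # (old_mark, ui) -> index; dedupes repeated pairs
        self.entries = []           # index-1 -> (old_mark, ui)

    def mark(self, old_mark: int, ui: int) -> int:
        """Forwarding path: fold the incoming interface into the marking field."""
        new = old_mark * self.base + ui
        if new <= MARK_MAX:
            return new
        # Field full: log the pair and carry only the table index onward.
        key = (old_mark, ui)
        idx = self.table.get(key)
        if idx is None:
            self.entries.append(key)
            idx = len(self.entries)  # 1-based so that mark 0 never means 'logged'
            self.table[key] = idx
        new = idx * self.base         # ui == 0 signals 'consult my log table'
        if new > MARK_MAX:
            raise OverflowError("log table too large for the marking field")
        return new

    def unmark(self, mark: int):
        """Traceback: recover (mark seen by the upstream router, interface)."""
        ui, prev = mark % self.base, mark // self.base
        if ui == 0:                   # logged here: index lookup, no search
            prev, ui = self.entries[prev - 1]
        return prev, ui


def forward(routers: dict, path: list, mark: int = 0) -> int:
    """Simulate a packet crossing path = [(router name, ingress interface), ...]."""
    for name, ui in path:
        mark = routers[name].mark(mark, ui)
    return mark


def traceback(routers: dict, last_router: str, mark: int):
    """Walk upstream from the victim's router using only the final mark.
    Returns ([(router, interface), ...] from victim side to origin, origin)."""
    if mark == 0:
        raise ValueError("unmarked packet cannot be traced")
    hops, name = [], last_router
    while True:
        router = routers[name]
        prev, ui = router.unmark(mark)
        hops.append((name, ui))
        if prev == 0:                 # first router on the path: origin is behind ui
            return hops, router.upstream[ui]
        name, mark = router.upstream[ui], prev


# Constructed topology: the attack path enters R1 on interface 2 and reaches
# the victim behind R5. Host names are placeholders.
ROUTERS = {
    "R1": Router("R1", {1: "h1", 2: "origin-host", 3: "h3"}),
    "R2": Router("R2", {1: "R0", 2: "h2", 3: "R1", 4: "h4"}),
    "R3": Router("R3", {1: "a", 2: "b", 3: "c", 4: "R2", 5: "e"}),
    "R4": Router("R4", {1: "R3", 2: "x", 3: "y"}),
    "R5": Router("R5", {1: "p", 2: "R4", 3: "q", 4: "s"}),
}
ATTACK_PATH = [("R1", 2), ("R2", 3), ("R3", 4), ("R4", 1), ("R5", 2)]
```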

Enhanced EDoS-Shield for Mitigating EDoS Attacks Originating from Spoofed IP Addresses

Fahd Al-Haidari, Mohammed H. Sqalli, College of Computer Science and Engineering, King Fahd University of Petroleum and Minerals (KFUPM), Dhahran 31261, KSA. Email: {fahdhyd, sqalli}@kfupm.edu.sa
Khaled Salah, Department of Computer Engineering, Khalifa University of Science, Technology and Research (KUSTAR), Sharjah 573, UAE. Email: khaled.salah@kustar.ac.ae

Challenges and issues:
Cloud computing has become one of the fastest growing segments in the IT industry. A cloud introduces resource-rich computing platforms, where adopters are charged based on the usage of the cloud's resources, known as "pay-as-you-use" or utility computing. With this model, a conventional DDoS attack targeting servers and network resources is transformed in a cloud environment into a new attack that targets the cloud adopter's economic resources, namely the Economic Denial of Sustainability (EDoS) attack. In this paper, we advocate a novel solution as an enhancement to prior work, namely EDoS-Shield, to mitigate EDoS attacks originating from spoofed IP addresses. We design a discrete event simulation experiment to evaluate its performance, and the results show that it is a promising solution to mitigate EDoS attacks originating from spoofed IP addresses. The enhanced EDoS-Shield technique also outperforms the original EDoS-Shield in terms of performance and cost metrics.

Methodologies:
We have conducted a discrete event simulation experiment to evaluate the enhanced mitigation technique, considering the performance of the protected cloud service when deploying the proposed architecture. The performance has been studied in terms of key performance indicators which include end-to-end response time, computing resource utilization, and throughput. We have also evaluated the cost associated with the computing resources and bandwidth allocation at the protected cloud service side. The queuing model that we have used to model the proposed enhanced architecture is similar to the one presented in our prior work for the original EDoS-Shield, except for modifications made at the VF and V-Node to capture Algorithm 1 and Algorithm 2 of the enhanced mitigation technique, respectively. The cost associated with the computing resources and bandwidth allocations at the protected cloud service side has been calculated based on the same parameters used in . The packet service rate of an instance of the cloud service has been chosen to be variable during the simulation based on the load of the arriving traffic. The initial packet service time was assumed to be 5.25 μs as reported in [30]. Regarding the threshold used at a V-Node to represent the maximum allowable changes made to a TTL value in our proposed algorithm, it has been set to a value of 5. This is based on results reporting that about 95% of the studied paths had fewer than 5 observable daily changes. The lifetime used in the proposed algorithm, representing the attack's duration, has been set to a value of one hour, since 90% of the studied attacks last less than an hour.

Applications:
To mitigate this type of attack, according to our proposed filtering technique, instead of blocking the subsequent packets coming from a blacklisted IP address, these packets have to be forwarded to the V-Nodes for further investigation, as shown in Fig. 3. If a legitimate client, having S as a source IP address, sends a request during the attack lifetime, then it will go through the verification phase as long as the unmatched counter does not reach the threshold. Upon success of the test, S will be added to the whitelist, leading to a mixed state where S is present in both the whitelist and the blacklist. This means that the subsequent packets having S as a source IP address will be filtered based on the information given in both the whitelist and the blacklist, i.e., TTL, timestamp, and unmatched TTL counter, as described in Algorithm 2. One case that may lead to a false positive decision is when a legitimate request from S arrives during the attack's lifetime and has a TTL value equal to the TTL value corresponding to S present in the blacklist. However, the probability of such a case is very low, as was discussed earlier.

Pros:
We proposed a novel and practical approach using a Graphical Turing test and TTL values from the IP header to update whitelists and blacklists in order to mitigate EDoS attacks originating from spoofed IP addresses. The proposed approach is an enhancement to prior work, namely EDoS-Shield, which is deployable as an on-demand cloud-based EDoS mitigation technique. We discussed different security issues regarding the proposed approach. Results obtained from a discrete event simulation model show that it is an effective approach to mitigate EDoS attacks originating from spoofed IP addresses. The enhanced EDoS-Shield technique also outperforms the original EDoS-Shield in all studied performance and cost metrics. As future work, we propose to evaluate the proposed architecture using an analytical model as well as an experimental test-bed.

Cons:
A simple attack could occur when the attacker is using a fixed spoofed source IP address without altering the initial TTL value. In such a case, the first request will be forwarded to a V-Node for the verification phase. Since it will fail the test, the spoofed IP address will be added to the blacklist along with its TTL value and the start time of the attack. The subsequent packets will be dropped if they match the corresponding TTL present in the blacklist. Otherwise, a request will go through the verification phase as long as the unmatched TTL counter does not exceed the given threshold, or if the packet arrives after the attack's lifetime has elapsed. There are two cases, namely the whitelist case and the blacklist case, in which an attacker could utilize IP spoofing to bypass the filtering mechanism proposed in the original EDoS-Shield technique. Whitelist case: a scenario of such a case is that the attacker initially sends a legitimate request so that its IP address can be added to the whitelist as a legitimate source. Then, the attacker could control a number of zombies to generate an extensive number of requests having his whitelisted IP address as the source IP address, which represents a spoofed address in this case. Considering the original EDoS-Shield, all packets will bypass the filtering scheme and thus will lead to flooding of the victim's targeted service. However, since the zombies use the same IP address present in the whitelist, it is easy to detect such an attack based on the spike in the traffic rate, because all the incoming packets in this case have the same source IP address. Once this is detected, the source IP address will be placed in the blacklist along with a timestamp, and it will be removed from the whitelist. Another way, presented in Algorithm 1, to mitigate the attack in such a case is to use TTL values to filter the packets at the VF before forwarding them to the destination, even if their source IP address is present in the whitelist. Fig. 2 describes such a problem along with the mitigation scenario. Blacklist case: in this case, a V-Node has identified an IP address as a spoofed address and that IP address has been placed in the blacklist. A problem might occur when a legitimate client, having the same IP address as the one that has already been placed in the blacklist, sends a request targeting the protected cloud service. If we decide to block all requests having the blacklisted IP address targeting the same protected cloud service, then the legitimate client's requests will also be blocked, leading to a behavior similar to that of a denial of service attack.
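The whitelist/blacklist filtering behaviour summarised in the Applications and Cons columns above, as an added example that is not the EDoS-Shield authors' code: a verifier filter (VF) keeps both lists keyed by source address with the TTL, timestamp and unmatched-TTL counter, sends unknown or changed-TTL traffic to verification, drops traffic that matches a blacklisted TTL, and handles the mixed state. The threshold of 5 and the one-hour lifetime are the values the review quotes; the Graphical Turing test is abstracted as a callable, and the decision order, the re-verification of whitelisted sources whose TTL changed, and the addresses are assumptions for this illustration.

```python
"""Simplified enhanced EDoS-Shield verifier filter with TTL-aware lists.
Added example; not the paper's Algorithm 1/2 code."""
import time
from dataclasses import dataclass

THRESHOLD = 5        # max unmatched TTL changes tolerated for a blacklisted source
LIFETIME = 3600      # assumed attack lifetime in seconds (one hour)


@dataclass
class Entry:
    ttl: int
    timestamp: float
    unmatched: int = 0


class VerifierFilter:
    def __init__(self, turing_test):
        # turing_test(src, ttl) -> bool stands in for the V-Node's graphical test;
        # a real client answers it, a spoofing source or a zombie cannot.
        self.turing_test = turing_test
        self.whitelist = {}
        self.blacklist = {}

    def _verify(self, src: str, ttl: int, now: float) -> str:
        """V-Node phase: success whitelists S (possibly alongside a blacklist
        entry, the mixed state); failure blacklists S with TTL and start time."""
        if self.turing_test(src, ttl):
            self.whitelist[src] = Entry(ttl, now)
            return "forward"
        self.blacklist.setdefault(src, Entry(ttl, now))  # keep the original start time
        return "drop"

    def handle(self, src: str, ttl: int, now: float = None) -> str:
        """Return 'forward' or 'drop' for one request (VF decision)."""
        now = time.time() if now is None else now
        black = self.blacklist.get(src)
        if black is not None and now - black.timestamp > LIFETIME:
            del self.blacklist[src]       # attack lifetime elapsed: forget the entry
            black = None
        white = self.whitelist.get(src)
        # Blacklist match on TTL: the known spoofed traffic pattern (this is also
        # the rare false-positive case the paper mentions for a legitimate S).
        if black is not None and ttl == black.ttl:
            return "drop"
        # Algorithm 1: whitelisted sources are still filtered by TTL, so zombie
        # traffic reusing a whitelisted address from other paths does not pass.
        if white is not None and ttl == white.ttl:
            return "forward"
        # Unmatched TTL for a blacklisted source: count it; beyond the threshold
        # stop spending V-Node resources on this source.
        if black is not None:
            black.unmatched += 1
            if black.unmatched > THRESHOLD:
                return "drop"
        return self._verify(src, ttl, now)
```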
