

SLIDE 1

Chair for Network Architectures and Services Technische Universität München

IP Spoofing Detection Through Time to Live Header Analysis

Final Talk BSc Informatics Arno Hilke

Supervisor: Prof. Dr.-Ing. Georg Carle

Advisors: Quirin Scheitle, Oliver Gasser, Paul Emmerich, Felix von Eye

April 27, 2016

Chair for Network Architectures and Services, Department of Informatics, Technische Universität München

Arno Hilke – IP Spoofing Detection Through TTL Header Analysis 1

SLIDE 2


Introduction
  ◮ Motivation
  ◮ Background
  ◮ Research Questions

Approach

Results
  ◮ Intermediate Format
  ◮ Flow Characteristics
  ◮ TTL Stability

Future Work

Conclusion


SLIDE 3


Motivation

Goal: detect anomalies passively

◮ the TTL is already available in the packet header, so no extra probing is needed
◮ may be aided by active measurements
  ↪ cf. Till Wickenheiser: "Correlating inbound Time to Live header data to network characteristics"

Basic idea: the path length, and therefore the TTL on arrival, is likely to differ between the authentic source and the MWN and between the adversary and the MWN

◮ premise: the source and the MWN have communicated before, so an expected TTL is known
◮ an adversary could test different TTL values, or try to measure the paths
  ↪ but this is more effort, especially when spoofing many IP addresses


SLIDE 4


Background

Time to Live (TTL): 8 bit field in the IPv4 header; the IPv6 header carries the equivalent field under the name Hop Limit

◮ decremented by every router the packet passes
◮ packet discarded when the field reaches zero
◮ prevents packets from circulating forever in routing loops

IP spoofing: forging the source address of an IP packet

◮ the attacker does not need to receive the responses
◮ conceals the true source
◮ e.g. DNS amplification attack, where the responses are directed at the spoofed address


SLIDE 5


Research Questions

Analyse the captured data in respect to the following questions:

◮ Is TTL analysis for spoofing/anomaly detection viable?
◮ Are incoming TTL values for individual hosts or flows stable?
◮ Are TTL values sufficiently spread, so that the chance of a spoofed packet coincidentally carrying the correct TTL value is reasonably low?
◮ Can hosts be grouped together, e.g. as subnets?
◮ Is there a different behaviour between IPv4 and IPv6?
◮ Are there differences between TCP and UDP?


SLIDE 6


Approach

Challenge: analyse 9 TiB of data efficiently in respect to the research questions

◮ raw data: 18 byte per IPv4 packet, ordered by time of arrival

Table: Raw data format for one packet

  Ext. IP    Protocol   Ext. port   Int. port   TTL   Timestamp
  4 B/16 B   1 B        2 B         2 B         1 B   8 B


SLIDE 7


Solution: create an intermediate data format to accelerate the run time of the analysis programs

◮ reduce timestamps from 8 B to 4 B
◮ aggregate packets to flows

Flow definition used in this thesis:

◮ identified by ext. IP address, protocol, int. and ext. port
◮ times out 10 minutes after the last received packet


SLIDE 8


Intermediate Data Format

Table: Intermediate data format for one flow

Flow header (once per flow):

  Ext. IP    Start   End   Ext. port   Int. port   Prot.   # Dist. TTLs
  4 B/16 B   4 B     4 B   2 B         2 B         1 B     1 B

Per distinct TTL value in the flow:

  Start TTL   End TTL   # Packets   TTL value
  4 B         4 B       4 B         1 B

◮ instead of 18 B per IPv4 packet, 18 B + 13 B per distinct TTL for each flow
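As an added example (my code, not the thesis'), the following Python module implements the reduction described on slides 6 to 8: it packs raw 18-byte IPv4 records, replays them in arrival order into flows keyed by external IP, protocol, external port and internal port with the 10-minute idle timeout, and serialises each flow in the 18 B + 13 B per distinct TTL layout. Things the slides do not specify and which are assumed here: big-endian fields, raw timestamps as 64-bit microseconds that the intermediate format truncates to 32-bit seconds, and "Start TTL"/"End TTL" read as the first and last time a given TTL value was seen in the flow. The input records are constructed.

```python
"""Flow aggregation into the intermediate format of the thesis (added example, IPv4 only)."""
import struct
from ipaddress import IPv4Address

# Raw record (IPv4): ext. IP 4 B | protocol 1 B | ext. port 2 B | int. port 2 B | TTL 1 B | timestamp 8 B
# Assumption: big-endian fields, timestamp = microseconds since the epoch.
RAW_FMT = "!4sBHHBQ"
RAW_LEN = struct.calcsize(RAW_FMT)          # 18 bytes, as on the slide

# Flow header: ext. IP 4 B | start 4 B | end 4 B | ext. port 2 B | int. port 2 B | protocol 1 B | # distinct TTLs 1 B
# Assumption: the 4 B timestamps hold whole seconds.
FLOW_FMT = "!4sIIHHBB"
# Per distinct TTL: first seen 4 B | last seen 4 B | packet count 4 B | TTL value 1 B (13 bytes)
# Assumption: "Start TTL"/"End TTL" are the first/last timestamps at which that TTL value occurred.
TTL_FMT = "!IIIB"
FLOW_TIMEOUT = 10 * 60                      # seconds; a flow ends 10 min after its last packet
TCP, UDP = 6, 17


def pack_raw(ip, proto, ext_port, int_port, ttl, ts_us):
    """Encode one raw per-packet record."""
    return struct.pack(RAW_FMT, IPv4Address(ip).packed, proto, ext_port, int_port, ttl, ts_us)


class Flow:
    def __init__(self, key, ttl, ts):
        self.key = key                      # (ip bytes, protocol, ext. port, int. port)
        self.start = self.end = ts
        self.ttls = {}                      # ttl value -> [first_seen, last_seen, packet count]
        self.add(ttl, ts)

    def add(self, ttl, ts):
        self.end = ts
        entry = self.ttls.setdefault(ttl, [ts, ts, 0])
        entry[1] = ts
        entry[2] += 1

    @property
    def packets(self):
        return sum(e[2] for e in self.ttls.values())

    def pack(self):
        """Serialise: 18 B header followed by 13 B per distinct TTL (the 1 B counter caps at 255 values)."""
        ip, proto, ext_port, int_port = self.key
        out = struct.pack(FLOW_FMT, ip, self.start, self.end, ext_port, int_port, proto, len(self.ttls))
        for ttl, (first, last, n) in sorted(self.ttls.items()):
            out += struct.pack(TTL_FMT, first, last, n, ttl)
        return out


def aggregate(raw):
    """Replay time-ordered raw records into flows keyed by (ext. IP, protocol, ext. port, int. port)."""
    active, finished = {}, []
    for off in range(0, len(raw), RAW_LEN):
        ip, proto, ext_port, int_port, ttl, ts_us = struct.unpack_from(RAW_FMT, raw, off)
        ts = ts_us // 1_000_000             # 8 B microseconds -> 4 B seconds
        key = (ip, proto, ext_port, int_port)
        flow = active.get(key)
        if flow is not None and ts - flow.end >= FLOW_TIMEOUT:   # idle for 10 min: close it
            finished.append(active.pop(key))
            flow = None
        if flow is None:
            active[key] = Flow(key, ttl, ts)
        else:
            flow.add(ttl, ts)
    finished.extend(active.values())        # flush flows still open at end of capture
    return finished


def summarize(flows):
    """(ext. IP, protocol, ext. port, int. port, packets, # distinct TTLs, TTL values) per flow."""
    return [(str(IPv4Address(f.key[0])), f.key[1], f.key[2], f.key[3], f.packets,
             len(f.ttls), tuple(sorted(f.ttls))) for f in flows]


def sample_raw():
    """Constructed capture: four flows, one of them split by the idle timeout, one with a TTL change."""
    pkts = [("203.0.113.10", TCP, 443, 51000, 52, t) for t in range(8)]       # 8 packets, one TTL
    pkts.append(("203.0.113.10", TCP, 443, 51000, 52, 1000))                  # same 4-tuple, >10 min later
    pkts.append(("198.51.100.7", UDP, 53, 33000, 118, 5))                     # single-packet UDP flow
    pkts += [("192.0.2.44", TCP, 22, 40001, ttl, 10 + i) for i, ttl in enumerate((57, 57, 58))]
    pkts.sort(key=lambda p: p[5])           # raw data is ordered by time of arrival
    return b"".join(pack_raw(ip, pr, ep, ip_, ttl, t * 1_000_000) for ip, pr, ep, ip_, ttl, t in pkts)


def size_report(raw):
    """(raw bytes, intermediate bytes, number of flows) for a raw capture."""
    flows = aggregate(raw)
    return len(raw), len(b"".join(f.pack() for f in flows)), len(flows)


if __name__ == "__main__":
    raw = sample_raw()
    print(size_report(raw))
    for row in summarize(aggregate(raw)):
        print(row)
```

The constructed capture shows where the saving comes from: the eight-packet single-TTL flow shrinks from 144 B to 31 B, while single-packet flows (the majority of UDP flows on slide 11) actually grow from 18 B to 31 B, and a flow whose TTL changes mid-way costs one extra 13 B entry.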


SLIDE 9


Evaluation

◮ analyse the intermediate data in respect to the research questions
  ↪ create CSV files with aggregated, specific data
    ◮ packets per flow
    ◮ flow duration
    ◮ TTL values in flow
    ◮ unique IP addresses
◮ use Python to evaluate the CSV data
◮ additionally matplotlib for diagram generation


SLIDE 10


Results

Memory Reduction

Table: Memory consumption for raw and intermediate data

          Raw data   Intermediate data
  Total   9.2 TiB    258.9 GiB (2.7%)
  IPv4    8.2 TiB    232.7 GiB (2.8%)
  IPv6    1.0 TiB     26.1 GiB (2.5%)

Data Distribution

◮ 93% of recorded packets and flows were IPv4
◮ 86% of captured packets employed TCP
◮ 49% of flows used TCP


SLIDE 11


Packet Distribution

◮ most flows consist of only a few packets
◮ more than 80% of UDP flows consist of only one packet
◮ similar behaviour for IPv4 and IPv6


SLIDE 12


Flow Duration

◮ over the lower ~90% of the duration distribution, TCP flows are longer than the corresponding UDP flows; the longest 10% are roughly the same
◮ IPv6/TCP flows are longer than IPv4/TCP flows


SLIDE 13


TTL Stability

Table: Percentage of flows with only one TTL

                 IPv4                          IPv6
  Flows          All      TCP      UDP         All      TCP      UDP
  All            96.33%   93.56%   99.01%      98.49%   96.41%   99.83%
  > 1 packet     93.03%   92.55%   95.16%      96.37%   95.80%   98.74%

◮ TTL values in flows are relatively stable
◮ two to five distinct TTLs are increasingly unlikely, more than five very rare
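The following added example (my code, not the thesis') takes flow records in a simplified form of the intermediate format, namely (external IP, protocol, TTL value -> packet count) with constructed values, and shows what a passive TTL filter built on slides 3, 5 and 13 would compute: the share of single-TTL flows as tabulated above, a per-host TTL profile learned from earlier traffic (the "communicated before" premise), a check of an arriving packet against that profile with a tolerance for adjacent TTL values, and the probability that an adversary who has to guess the arriving TTL for a spoofed source happens to be right. The profile structure, the tolerance parameter and the per-host weighting of the guess probability are my choices, not the thesis'.

```python
"""Passive TTL-profile check and TTL-stability statistics (added example, not from the thesis)."""
from collections import Counter

TCP, UDP = 6, 17

# Constructed flow history: (ext. IP, protocol, {TTL value: packet count}). Values are made up.
HISTORY = [
    ("203.0.113.10", TCP, {52: 8}),
    ("203.0.113.10", TCP, {52: 1}),
    ("203.0.113.10", UDP, {52: 3}),
    ("198.51.100.7", UDP, {118: 1}),
    ("198.51.100.7", UDP, {118: 1}),
    ("192.0.2.44",   TCP, {57: 2, 58: 1}),   # route change mid-flow: two adjacent TTLs
    ("192.0.2.45",   TCP, {244: 5}),
    ("198.51.100.9", TCP, {118: 4}),
]


def single_ttl_fraction(flows, proto=None, min_packets=1):
    """Share of flows with exactly one TTL value, optionally per L4 protocol and for flows
    with at least min_packets packets (min_packets=2 gives the '> 1 packet' row of the table)."""
    sel = [t for _, p, t in flows if (proto is None or p == proto) and sum(t.values()) >= min_packets]
    if not sel:
        return 0.0
    return sum(1 for t in sel if len(t) == 1) / len(sel)


def learn_profile(flows):
    """Per external host: Counter of TTL values seen, weighted by packets, across all protocols.
    This is the knowledge the filter has about a source that has communicated with us before."""
    profile = {}
    for ip, _, ttls in flows:
        profile.setdefault(ip, Counter()).update(ttls)
    return profile


def check_packet(src_ip, ttl, profile, tolerance=1):
    """Classify an arriving packet against the profile of its claimed source.
    tolerance accepts small path-length changes (adjacent TTLs) without raising an alarm;
    a host without history yields 'unknown', because a purely passive check cannot judge it."""
    seen = profile.get(src_ip)
    if not seen:
        return "unknown"
    if any(abs(ttl - known) <= tolerance for known in seen):
        return "ok"
    return "suspicious"


def guess_success_probability(profile):
    """Chance that a spoofed packet carries the right TTL by coincidence, assuming the adversary
    neither knows nor measures the path. Returns (success of the best fixed guess, i.e. the share
    of hosts whose dominant TTL is the most common one; expected success when the guess is drawn
    from the observed distribution, i.e. sum of p_i squared). Weighted per host, not per packet."""
    dominant = Counter(max(c, key=c.get) for c in profile.values())
    total = sum(dominant.values())
    ps = [n / total for n in dominant.values()]
    return max(ps), sum(p * p for p in ps)


if __name__ == "__main__":
    prof = learn_profile(HISTORY)
    print("single-TTL flows:", single_ttl_fraction(HISTORY),
          "TCP:", single_ttl_fraction(HISTORY, TCP), "UDP:", single_ttl_fraction(HISTORY, UDP))
    for ip, ttl in (("203.0.113.10", 52), ("203.0.113.10", 53), ("203.0.113.10", 64), ("10.0.0.1", 64)):
        print(ip, ttl, "->", check_packet(ip, ttl, prof))
    print("guess success (best fixed, random):", guess_success_probability(prof))
```

With this toy history the best fixed guess succeeds for 40% of hosts, which is the kind of number the "sufficiently spread" question on slide 5 asks about; on real data the TTL distribution is far wider, and the tolerance needed to absorb legitimate route changes (the "adjacency of TTL values" item under future work) trades directly against that figure.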


SLIDE 14


Future Work

Further evaluations for TTL stability

◮ adjacency of TTL values
◮ frequency of TTL values

Additional levels of evaluation

◮ utilise port numbers to infer applications
◮ analyse on host/IP address level

Other data sets

◮ different time period
◮ other or more L4 protocols (e.g. ICMP, SCTP)
◮ different vantage point in the Internet

⇒ evaluate the TTL based filter mechanism conclusively and possibly realise it


SLIDE 15


Conclusion

◮ ~96% of flows have only one TTL value
◮ UDP flows are more stable than TCP flows
◮ IPv4/TCP flows remain comparatively stable at higher packet counts
◮ the viability of TTL filtering cannot be conclusively assessed yet
◮ the evaluations show decent conditions, possibly with some restrictions


SLIDE 16


Thank you for your attention!

Any questions?
