International Journal of Computer Networks and Communications Security
VOL. 2, NO. 9, SEPTEMBER 2014, 298–307
Available online at: www.ijcncs.org
ISSN 2308-9830
A Practical Approach to Assess Fatal Attacks in Enterprise Network to Identify Effective Mitigation Techniques
UMME SALSABIL1, M. TANSEER ALI2, MD. MANIRUL ISLAM3
1 Graduate Student, Faculty of Engineering, American International University-Bangladesh
2 Assistant Professor, Faculty of Engineering, American International University-Bangladesh
3 Assistant Professor, Faculty of Science and IT, American International University-Bangladesh
E-mail: 1salsabil@aiub.edu, 2tanseer@aiub.edu, 3manirul@aiub.edu
ABSTRACT
For any organization, a secured network is the primary requirement for meeting its business needs. A network is said to be secure when it can withstand attacks that may damage the whole network. Over the last few decades, internetworking has grown tremendously and a lot of importance is given to securing the network. To develop a secure network, network administrators must have a good understanding of all attacks that can be caused by an intruder and of their mitigation techniques. This paper explores the most fatal attacks that might cause serious downtime to an enterprise network and examines practical approaches to understand the behavior of the attacks and devise effective mitigation techniques. It also describes the importance of security policies and how security policies are designed in the real world.
Keywords: DoS Attack, ARP Spoofing, Evil Twin Attack, Man-in-the-middle Attack, DHCP Starvation.
1 INTRODUCTION
The Internet continues to grow exponentially. Personal, government, and business applications continue to multiply on the Internet, with immediate benefits to end users. However, these network-based applications and services can pose security risks to individuals and to the information resources of companies and governments. Information is an asset that must be protected. With the advent of new technologies, sophisticated attacks are increasing as well, paralyzing enterprise networks and thus causing financial loss. According to statistical data, the majority of attacks now originate from inside the network. It has therefore become more challenging to secure the network inside the perimeter, as that traffic does not traverse the firewall, and the firewall by default trusts the inside network. The aim of this research is to assess the behavior of some of the fatal attacks using de facto standard tools, in an effort to identify effective and practical mitigation techniques. Choosing a particular mitigation technique for an attack has an impact on the overall performance of the network, because each attack has different ways of being mitigated.
The attacks are carried out using both physical equipment and simulators. The data gathered is analyzed using industry-standard data analysis tools to measure the efficacy of techniques that can significantly reduce network downtime.
2 ATTACK ANALYSIS
The following fatal attacks were assessed:
2.1 MAC Flooding Attack
MAC flooding is a technique employed to compromise the security of network switches. Switches maintain a MAC table that maps individual MAC addresses on the network to the physical ports on the switch. In a typical MAC flooding attack, the attacker feeds the switch many Ethernet frames, each containing a different source MAC address. The intention is to consume the limited memory set aside in the switch to store the MAC address table. After launching a successful MAC flooding attack, a malicious user could then use a packet analyzer to capture sensitive data being transmitted between other computers, which would not be accessible were the switch operating normally.
To simulate the attack, we used Dsniff's 'macof' tool in a Kali Linux environment on the attacker machine, which generates random MAC addresses and exhausts the switch's memory. It is capable of generating 155,000 MAC entries on a switch per minute. But the question is, what happens if the switch is asked to process a constant stream of MAC addresses? In certain circumstances and on certain switches, this will cause the switch to go into a fail-safe mode, in which it basically turns into a hub. In other words, by overloading the switch, a hacker could have access to all the data passing through the switch.
Fig. 1. MAC Flooding using macof
2.2 DHCP Starvation Attack
DHCP stands for Dynamic Host Configuration Protocol; a DHCP server provides the IP address, subnet mask, gateway address and DNS server addresses. The following diagram illustrates how DHCP works.
Fig. 2. DHCP Operation
The intent of the DHCP consumption (starvation) attack is for the attacker to prevent hosts from gaining access to the network by denying them an IP address, which is achieved by consuming all of the available IP addresses in the DHCP pool.
Fig. 3. DHCP Attack Test Scenario
To simulate a real-world attack, we used the Yersinia tool in a Kali Linux environment and generated fake DHCP Discover messages from the attacker machine. The DHCP server's address space was full within a short while.
Fig. 4. DHCP Attack Using Yersinia
We used the Wireshark tool to capture data from the attacker machine and analyze it for further investigation.
Fig. 5. Wireshark capture from attacker PC
Wireshark Data Analysis
Attack Ratio (PPS): 35000 (avg.)
Attack Duration: 1 minute to 5 minutes
Attack Source (MAC): Random, dynamic
Attack Message Type: DHCP Discover
Attack Result: DHCP address pool exhausted; legitimate users will not get an IP address from the DHCP server
2.3 ARP Spoofing
ARP stands for Address Resolution Protocol, and it allows the network to translate IP addresses into MAC addresses. Basically, ARP works like this: when one host using IP on a LAN is trying to contact another, it needs the MAC address of the host it is trying to contact. It first looks in its ARP cache to see if it already has the MAC address; if not, it broadcasts an ARP request asking "who has this IP address I'm looking for?" If the host that has that IP address hears the ARP query, it responds with its own MAC address and a conversation can begin using IP. In shared-medium networks like Ethernet using a hub or 802.11b, all traffic can be seen by all hosts whose NICs are in promiscuous mode, but things are a bit different on switched networks. A switch looks at the data sent to it and tries to forward packets only to their intended recipient based on MAC address. Switched networks are more secure and help speed up the network by only sending packets where they need to go. Using a program like Arpspoof, Ettercap or Cain, we can lie to other machines on the local area network and tell them we have the IP they are looking for, thus funneling their traffic through us.
To simulate a real-world attack, we used the arpspoof tool in a Kali Linux environment to redirect packets from a target host on the LAN intended for another host on the LAN by forging ARP replies.
Fig. 6. ARP Spoofing
SSLStrip was used to reroute encrypted HTTPS requests from network users to plaintext HTTP requests, effectively sniffing all credentials passed along the network via SSL. Finally, we used ettercap for credential hijacking.
Fig. 7. Sniffed Data
On the victim machine, the only visible change is in the ARP table: the attacker machine's MAC address replaces the gateway router's MAC address after ARP spoofing. From the Wireshark capture, we can clearly see that the MAC address of the destination host is that of the attacking machine.
Fig. 8. Wireshark Capture of ARP Spoofing
In short, ARP spoofing is the mother of most of the deadliest man-in-the-middle attacks [1].
2.4 ICMP Flood Attack
ICMP flood attacks exploit the Internet Control Message Protocol (ICMP), which enables users to send an echo packet to a remote host to check whether it is alive. During a DDoS ICMP flood attack, the agents send large volumes of ICMP_ECHO_REPLY packets ("ping") to the victim. These packets request a reply from the victim, and this results in saturation of the bandwidth of the victim's network connection. During an ICMP flood attack the source IP address may be spoofed [4].
To simulate a real-world ICMP flood attack, we used the Hping3 tool to flood the victim's machine with ICMP_ECHO_REPLY messages.
Fig. 9. Wireshark Capture of ICMP Flood Attack
2.5 Wifi Jamming Attack
Wi-Fi is increasingly becoming the preferred mode of Internet connection all over the world. To access this type of connection, one must have a wireless adapter on their computer. Wi-Fi provides wireless connectivity by emitting frequencies between 2.4 GHz and 5 GHz, depending on the amount of data on the network. Since RF is essentially an open medium, jamming can be a huge problem for wireless networks. Jamming is one of many exploits used to compromise the wireless environment. It works by denying service to authorized users, as legitimate traffic is jammed by the overwhelming frequencies of illegitimate traffic. A knowledgeable attacker with advanced software like wirelessmon can detect and request connection to hotspots and easily jam the 2.4 GHz frequency in a way that drops the signal to a level where the wireless networks can no longer function.
To simulate a real-world Wi-Fi jamming attack, we used airmon-ng to set up a monitor interface and airodump-ng to get the target network details, e.g. ESSID, BSSID and channel number. The attack can then be launched using mdk3 or another Wi-Fi jammer tool. The attack floods the wireless AP with unsolicited authentication messages and jams the wireless network.
Fig. 10. Wireshark Capture of Jamming Attack
Wireshark Data Analysis
Attack Ratio: 217 PPS
Attack Type: Authentication messages from random spoofed sources
Attack Result: Jams the Wi-Fi BSSID with a unicast flood; other mobile stations are disconnected from the network
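Detection logic for the pattern this capture summarizes, as an added example that is not part of the paper or its test setup: it scans constructed 802.11 management-frame records for a BSSID receiving authentication frames at a high rate from many distinct sources, which is the signature listed above. The per-second thresholds, the frame tuple layout and the sample traffic are assumptions made for this example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Assumed thresholds: ordinary stations authenticate a handful of times per second at most,
# and from a small, stable set of MAC addresses.
AUTH_PPS_THRESHOLD = 50
DISTINCT_SRC_THRESHOLD = 20

# A frame record is (timestamp_seconds, source_mac, bssid, frame_subtype).
Frame = Tuple[float, str, str, str]


def detect_auth_flood(frames: Iterable[Frame],
                      pps_threshold: int = AUTH_PPS_THRESHOLD,
                      distinct_threshold: int = DISTINCT_SRC_THRESHOLD) -> List[Dict]:
    """Bucket Authentication frames per (BSSID, second) and raise an alert for every
    bucket that exceeds both the rate and the distinct-source thresholds.
    Requiring both keeps a single misbehaving client (high rate, one source) and a
    busy-but-normal AP (many sources, low rate) from triggering the alert."""
    buckets: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for ts, src, bssid, subtype in frames:
        if subtype == "Authentication":
            buckets[(bssid, int(ts))].append(src)
    alerts = []
    for (bssid, second), sources in sorted(buckets.items()):
        distinct = len(set(sources))
        if len(sources) >= pps_threshold and distinct >= distinct_threshold:
            alerts.append({"bssid": bssid, "second": second,
                           "auth_frames": len(sources), "distinct_sources": distinct})
    return alerts


def constructed_capture() -> List[Frame]:
    """Sample traffic built for this example: three legitimate stations that authenticate
    twice each, beacons from the AP, then three seconds of the flood pattern from the
    analysis above (about 217 authentication frames per second, each from a different
    spoofed source)."""
    bssid = "00:11:22:aa:bb:cc"
    frames: List[Frame] = []
    stations = ["08:00:27:00:00:01", "08:00:27:00:00:02", "08:00:27:00:00:03"]
    for sec in (0, 5):
        for sta in stations:
            frames.append((sec + 0.10, sta, bssid, "Authentication"))
            frames.append((sec + 0.15, sta, bssid, "Authentication"))
    for sec in range(0, 14):
        frames.append((sec + 0.5, bssid, bssid, "Beacon"))
    for sec in (10, 11, 12):
        for i in range(217):
            spoofed = "02:00:00:%02x:%02x:%02x" % (sec, i // 256, i % 256)
            frames.append((sec + i / 217, spoofed, bssid, "Authentication"))
    return frames


def demo() -> List[Dict]:
    return detect_auth_flood(constructed_capture())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The two-condition rule is the point: the legitimate seconds in the sample carry six authentication frames from three stations and never alert, while each flood second trips both thresholds. In a real deployment the thresholds would be tuned from a baseline capture of the AP in question.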
2.6 Wifi Hacking
WEP (Wired Equivalent Privacy) uses a weak 40-bit key and short 24-bit initialization vectors to encrypt data. It was discovered that WEP could be cracked within minutes with standard off-the-shelf equipment. The reason for this weakness is the short IV (initialization vector) and the fact that the keys are not changed, except by the user.
WEP uses the stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity. The RC4 cipher stream is generated from a 40- or 64-bit RC4 key to encrypt and decrypt the data. There is also a 128-bit key variant known as WEP2. The key is composed of a 24-bit IV (initialization vector) and a 40-bit WEP key. The user-entered key is a 26-digit hexadecimal string where each character represents four bits of the key. The 26 digits represent 104 bits, which together with the 24-bit IV make a 128-bit key.
The next security protocol, WPA (Wi-Fi Protected Access), was implemented because of the weaknesses in the WEP protocol. With WPA there are two kinds of authentication types, WPA-Enterprise and WPA-Home. A good choice for small office and home use is WPA-PSK (Pre-Shared Key), because it is simple to set up and is compatible with many types of hardware. WPA-PSK uses an 8- to 63-character ASCII or 64-hex-digit passphrase created by the user and entered in the client. The stronger this key, the stronger the security, because weak keys are subject to password cracking.
A stronger form of WPA released in 2004 is known as WPA2. The advantage of WPA2 is that it provides stronger encryption with the use of AES (Advanced Encryption Standard), which may be a requirement for some government or corporate users. All WPA2 devices that are Wi-Fi certified are backward compatible with WPA. WPA and WPA2 both use "fresh" sessions with unique encryption keys for each client, specific to that client.
Fig. 11. WEP Passphrase into WiFi Router
To simulate a real-world attack, we used the wifite tool to crack the WEP passphrase. Wifite automatically puts a wireless interface into monitor mode and starts scanning for nearby wireless networks. After the ESSID is selected, wifite automatically starts processing and finds the passphrase.
Fig. 12. WEP Passphrase found in Wifite
2.7 WIRELESS EVIL TWIN ATTACK
Anywhere public Wi-Fi is available is an opportunity for an attacker to use that insecure hotspot to attack unsuspecting victims. One specific Wi-Fi hotspot attack, called an "Evil Twin" access point, can impersonate any genuine Wi-Fi hotspot. Attackers make sure their evil twin AP looks just like the free hotspot network; users are then duped into connecting to the evil twin AP, and the attacker can execute numerous attacks to take advantage of the unaware victim.
A typical evil twin attack is illustrated in the graphic below.
Fig. 13. Evil Twin Attack Scenario
To simulate a real-world attack, we used airmon-ng to put the wireless interface into monitor mode. Then we used easy-creds to create a fake AP. Ettercap, SSLStrip, URLSnarf and DSniff were used to sniff user credentials.
Fig. 14. Sniffing User Data Connected to fake AP
3 MITIGATION TECHNIQUES
Choosing a particular mitigation technique for an attack has an impact on the overall performance of the network, because each attack has different ways of being mitigated. We used real-world scenarios to initiate the attacks so that we could come up with practical and effective mitigation techniques. Suggested mitigation techniques follow:
3.1 MAC Flooding Attack
Mitigation of the CAM table overflow attack can be achieved by configuring port security on the switch. This allows the MAC addresses permitted on a particular switch port to be specified or, alternatively, the maximum number of MAC addresses that the switch port can learn. If an invalid MAC address is detected on the switch port, the port can be shut down, or the MAC address can be blocked.
Sticky MAC addresses are also a viable solution when implementing a means to mitigate CAM table overflows. The MAC address is learned when the first MAC address attempts to connect to the port and is written to the running configuration. A MAC address can also be statically configured on the port.
The packet capture from the attacker machine shows that the attack traffic is random, meaning that both source and destination addresses are random. As a result, the switch MAC address table is flooded with random MAC addresses.
As a mitigation technique, we can use port security on the switch port to allow a limited number of MAC addresses, and can also bind MAC addresses to the switch port. We can also use storm control on the switch port to mitigate the attack.
Pseudocode:
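The paper's pseudocode for this step is not reproduced in the text. As an added example that is not the paper's code, the following model shows the effect of the two settings described above on a switch with a finite MAC table: a port with port security switched off lets a stream of random source MACs fill the table, after which the switch can only flood, while a port limited to two sticky MACs with the shutdown violation action is err-disabled on the third address and the table stays small. The switch model, its table size and the frame stream are constructed for this example; the knob names in the comments follow the IOS `switchport port-security` commands, but the model itself is not vendor code.

```python
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class PortPolicy:
    """Per-port security settings, named after the IOS port-security knobs (assumed mapping):
    max_macs  -> 'switchport port-security maximum N' (None = port security disabled)
    violation -> 'switchport port-security violation shutdown|restrict'
    static    -> 'switchport port-security mac-address H.H.H' entries bound to the port
    Addresses learned under a limit are treated as sticky: they stay bound to the port."""
    max_macs: Optional[int] = None
    violation: str = "shutdown"
    static: Set[str] = field(default_factory=set)


class Switch:
    def __init__(self, cam_capacity: int, policies: Dict[str, PortPolicy]):
        self.cam_capacity = cam_capacity            # finite MAC address table (CAM) size
        self.cam: Dict[str, str] = {}               # MAC -> port
        self.policies = policies
        self.secure: Dict[str, Set[str]] = {}       # port -> MACs bound by port security
        for port, pol in policies.items():
            self.secure[port] = set(pol.static)
            for mac in pol.static:
                self.cam[mac] = port
        self.errdisabled: Set[str] = set()
        self.violations = 0

    def fail_open(self) -> bool:
        """A full CAM is the attacker's goal: unknown destinations are then flooded to all ports."""
        return len(self.cam) >= self.cam_capacity

    def ingress(self, port: str, src_mac: str) -> str:
        """Process one frame's source MAC and return what the switch did with it."""
        if port in self.errdisabled:
            return "dropped"
        if self.cam.get(src_mac) == port:
            return "known"
        pol = self.policies[port]
        if pol.max_macs is not None and len(self.secure[port]) >= pol.max_macs:
            self.violations += 1                     # a new MAC beyond the limit is a violation
            if pol.violation == "shutdown":
                self.errdisabled.add(port)           # err-disable the port ('shutdown' action)
                return "shutdown"
            return "dropped"                         # 'restrict' action: drop, keep the port up
        if self.fail_open():
            return "flooded"                         # no room to learn: hub-like behaviour
        self.cam[src_mac] = port
        if pol.max_macs is not None:
            self.secure[port].add(src_mac)           # sticky learning
        return "learned"


def random_source_macs(n: int, seed: int = 1) -> List[str]:
    """Constructed frame stream: n locally administered MACs, like a flooding tool emits."""
    rng = random.Random(seed)
    return ["02:%02x:%02x:%02x:%02x:%02x" % tuple(rng.randrange(256) for _ in range(5))
            for _ in range(n)]


def replay(switch: Switch, port: str, frames: List[str]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for mac in frames:
        verdict = switch.ingress(port, mac)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def demo(n_frames: int = 10000, cam_capacity: int = 8192) -> Dict[str, Dict]:
    """The same flood into an unprotected port and into a port limited to two sticky MACs."""
    policies = {
        "Gi0/1": PortPolicy(),                                  # no port security
        "Gi0/2": PortPolicy(max_macs=2, violation="shutdown"),  # limit 2, err-disable on violation
    }
    frames = random_source_macs(n_frames)
    unprotected = Switch(cam_capacity, policies)
    open_counts = replay(unprotected, "Gi0/1", frames)
    protected = Switch(cam_capacity, policies)
    sec_counts = replay(protected, "Gi0/2", frames)
    return {
        "no_port_security": {"fail_open": unprotected.fail_open(),
                             "cam_entries": len(unprotected.cam), **open_counts},
        "port_security": {"fail_open": protected.fail_open(),
                          "cam_entries": len(protected.cam),
                          "errdisabled": sorted(protected.errdisabled), **sec_counts},
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The shutdown action is deliberate: it turns the flood into an err-disabled port that an operator notices, whereas the restrict action silently drops the excess and leaves the port up. Either way the bound on learned addresses per port is what keeps the shared CAM from filling.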
3.2 DHCP Starvation Attack
The DHCP starvation attack can be mitigated using the storm-control feature on the switch port.
But before we enable storm control on a switch port, we need to identify the normal traffic pattern and traffic rate on every switch port and compare the normal traffic with the attacker machine's traffic. On the attacker machine, the traffic rate is 35000 pps during the broadcast of DHCP Discover messages. Let the normal traffic rate be 100 to 10000 pps. So a threshold value of 30000 pps would do the trick. This is the most cost-effective solution.
Pseudocode:
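The paper's pseudocode for this step is likewise not reproduced in the text. As an added example that is not the paper's code, the following model reproduces the reasoning above: it counts DHCP Discover broadcasts per switch port per second from a constructed capture, checks that the chosen 30000 pps threshold sits between the normal range and the observed attack rate, and applies a storm-control decision with a rising and a falling level so that forwarding resumes once the rate drops, in the style of the rising/falling pps pair IOS storm control takes. The 20000 pps falling level, the per-second bucketing and the sample traffic are assumptions made for this example; this is a model, not the switch's code.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

NORMAL_MAX_PPS = 10000   # upper end of the normal per-port range assumed in Section 3.2
ATTACK_PPS = 35000       # average DHCP Discover rate measured on the attacker machine
RISING_PPS = 30000       # storm-control threshold chosen in Section 3.2
FALLING_PPS = 20000      # assumed: forwarding resumes once the rate falls to this level

# A frame record is (timestamp_seconds, ingress_port, dhcp_message_type).
Frame = Tuple[float, str, str]


def threshold_is_sane(rising: int, falling: int, normal_max: int, attack_rate: int) -> bool:
    """A usable threshold must sit above the busiest normal second and below the attack rate,
    with the falling level between them so that hysteresis does not re-enable forwarding
    while the flood is still running."""
    return normal_max < falling < rising < attack_rate


def discover_rates(frames: Iterable[Frame]) -> Counter:
    """Count broadcast DHCP Discover frames per (port, whole second)."""
    rates: Counter = Counter()
    for ts, port, msg_type in frames:
        if msg_type == "DHCP Discover":
            rates[(port, int(ts))] += 1
    return rates


def storm_control(rates: Counter, port: str, seconds: int,
                  rising: int = RISING_PPS, falling: int = FALLING_PPS) -> List[Tuple[str, int]]:
    """Per-second decision for one port: 'suppress' once the rate reaches the rising level,
    'forward' again only after it drops to the falling level."""
    decisions = []
    suppressing = False
    for second in range(seconds):
        pps = rates.get((port, second), 0)
        if pps >= rising:
            suppressing = True
        elif pps <= falling:
            suppressing = False
        decisions.append(("suppress" if suppressing else "forward", pps))
    return decisions


def constructed_capture() -> List[Frame]:
    """Sample traffic built for this example: a legitimate access port whose DHCP Discover
    rate stays within the normal range, and a port replaying the attacker's 35000 pps for
    three seconds before going quiet."""
    frames: List[Frame] = []
    profiles = {"Gi0/3": [120, 900, 9500, 300, 50], "Gi0/4": [35000, 35000, 35000, 0, 0]}
    for port, per_second in profiles.items():
        for second, n in enumerate(per_second):
            frames.extend((second + i / n, port, "DHCP Discover") for i in range(n))
    return frames


def demo() -> Dict[str, object]:
    rates = discover_rates(constructed_capture())
    return {
        "threshold_ok": threshold_is_sane(RISING_PPS, FALLING_PPS, NORMAL_MAX_PPS, ATTACK_PPS),
        "Gi0/3": storm_control(rates, "Gi0/3", 5),
        "Gi0/4": storm_control(rates, "Gi0/4", 5),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The baseline measurement matters more than the model: a threshold chosen without per-port baselines either suppresses a legitimate burst (the 9500 pps second on Gi0/3 here) or lets a slower attacker through. Storm control also caps the rate rather than validating the requests, so it limits how fast a pool is drained rather than preventing the drain outright.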
3.3 ARP spoofing
ARP spoofing can be prevented in several effective ways.
3.3.1 Static ARP table
A static Address Resolution Protocol (ARP) entry is a permanent entry in your ARP cache. One reason you may want to add static ARP entries is if you have two hosts that communicate with each other constantly throughout the day; by adding static ARP entries for both systems in each other's ARP cache, you reduce some network overhead, in the form of ARP requests and ARP replies.
3.3.2 Arpwatch
Arpwatch is an open source software program that helps you monitor Ethernet traffic activity (like changing IP and MAC addresses) on your network and maintains a database of Ethernet/IP address pairings. It produces a log of the observed IP and MAC address pairings along with timestamps, so you can see exactly when a pairing appeared on the network. It also has the option to send reports via email to a network administrator when a pairing is added or changed.
Fig. 15. Arpwatch Detecting ARP Spoof
3.3.3 Dynamic ARP Inspection (DAI)
ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). By default, all ARP packets are allowed through the security appliance. You can control the flow of ARP packets by enabling ARP inspection.
When you enable ARP inspection, the security appliance compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions: if the IP address, MAC address, and source interface match an ARP entry, the packet is passed through; if there is a mismatch between the MAC address, the IP address, or the interface, the security appliance drops the packet.
In a spoofing attempt, the attacker sends another ARP response to the host with the attacker's MAC address instead of the router's MAC address. The attacker can then intercept all the host's traffic before forwarding it on to the router. ARP inspection ensures that an attacker cannot send an ARP response with the attacker's MAC address, so long as the correct MAC address and the associated IP address are in the static ARP table.
Another important feature of DAI is that it implements a configurable rate-limit function that controls the number of incoming ARP packets. This function is particularly important because all validation checks are performed by the CPU, and without a rate limiter there could be a DoS condition.
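The following is an added example, not code from the paper or from any vendor: it models the two behaviours described in 3.3.2 and 3.3.3 on a small constructed ARP stream. A static IP-to-(MAC, interface) binding table drives the DAI-style verdict (pass, drop on mismatch, drop on unknown IP), a per-interface sliding window enforces the ARP rate limit, and an arpwatch-style pairing database logs every new station and every change of a known IP's MAC. The binding table, the interface names, the 15 packets-per-second limit and the packet sequence are assumptions made for this example.

```python
from collections import Counter, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:
    ts: float          # seconds
    iface: str         # ingress interface on the switch
    op: str            # 'request' or 'reply'
    sender_ip: str
    sender_mac: str


class ArpInspector:
    def __init__(self, bindings: Dict[str, Tuple[str, str]], trusted: Set[str],
                 rate_limit_pps: int = 15):
        self.bindings = bindings            # static table: IP -> (MAC, interface)
        self.trusted = set(trusted)         # uplinks that are not inspected
        self.rate_limit = rate_limit_pps    # per untrusted interface, 1 s sliding window
        self.windows: Dict[str, Deque[float]] = {}
        self.pairings: Dict[str, str] = {}  # arpwatch-style database: IP -> last MAC seen
        self.log: List[str] = []

    def _within_rate(self, pkt: ArpPacket) -> bool:
        window = self.windows.setdefault(pkt.iface, deque())
        while window and pkt.ts - window[0] >= 1.0:
            window.popleft()
        window.append(pkt.ts)
        return len(window) <= self.rate_limit

    def _watch(self, pkt: ArpPacket) -> None:
        """Record the IP/MAC pairing and log new or changed pairings (arpwatch behaviour)."""
        previous = self.pairings.get(pkt.sender_ip)
        if previous is None:
            self.log.append(f"{pkt.ts:.3f} new station {pkt.sender_ip} {pkt.sender_mac} {pkt.iface}")
        elif previous != pkt.sender_mac:
            self.log.append(f"{pkt.ts:.3f} changed ethernet address {pkt.sender_ip} "
                            f"{previous} -> {pkt.sender_mac} {pkt.iface}")
        self.pairings[pkt.sender_ip] = pkt.sender_mac

    def inspect(self, pkt: ArpPacket) -> str:
        """DAI-style verdict for one ARP packet; the pairing log is updated regardless."""
        self._watch(pkt)
        if pkt.iface in self.trusted:
            return "pass"
        if not self._within_rate(pkt):
            return "rate-limited"          # protects the CPU doing the validation
        expected = self.bindings.get(pkt.sender_ip)
        if expected is None:
            return "drop:unknown-ip"
        if expected != (pkt.sender_mac, pkt.iface):
            return "drop:mismatch"         # claimed MAC or ingress interface disagrees with the table
        return "pass"


GATEWAY_MAC = "00:00:5e:00:01:01"
HOST20_MAC = "00:11:22:33:44:20"


def demo() -> Tuple[Dict[str, int], List[str]]:
    """Constructed sequence: legitimate gateway and host ARP, then a host on Gi0/20 claiming
    the gateway's IP, claiming an IP with no binding, and finally a 20-packet burst."""
    bindings = {
        "192.168.1.1": (GATEWAY_MAC, "Gi0/1"),
        "192.168.1.10": ("00:11:22:33:44:10", "Gi0/10"),
        "192.168.1.20": (HOST20_MAC, "Gi0/20"),
    }
    inspector = ArpInspector(bindings, trusted={"Gi0/1"}, rate_limit_pps=15)
    packets = [
        ArpPacket(0.0, "Gi0/1", "reply", "192.168.1.1", GATEWAY_MAC),
        ArpPacket(0.1, "Gi0/10", "request", "192.168.1.10", "00:11:22:33:44:10"),
        ArpPacket(0.2, "Gi0/20", "reply", "192.168.1.1", HOST20_MAC),    # gateway IP, Gi0/20's MAC
        ArpPacket(0.3, "Gi0/20", "reply", "192.168.1.99", HOST20_MAC),   # IP that has no binding
    ]
    packets += [ArpPacket(0.4 + i * 0.01, "Gi0/20", "request", "192.168.1.20", HOST20_MAC)
                for i in range(20)]
    verdicts = Counter(inspector.inspect(p) for p in packets)
    return dict(verdicts), inspector.log


if __name__ == "__main__":
    counts, log = demo()
    print(counts)
    print("\n".join(log))
```

Two points the run makes visible: the spoofed gateway reply is dropped by the binding check even though the same host's genuine packets pass, and the "changed ethernet address" log line is what an arpwatch operator would see for the same event even on a network without DAI. The rate limit applies only to untrusted ports, so a trusted uplink carrying the router's ARP is never starved.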
3.4 ICMP Flood Attack
To defend against an ICMP flood attack, an iptables script can be applied as below:

    # dedicated chain for ICMP traffic arriving at this host
    iptables -N icmp_flood
    iptables -A INPUT -p icmp -j icmp_flood
    # let through at most 1 packet/s, with an initial burst of 3, then return to INPUT
    iptables -A icmp_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
    # everything beyond the limit is dropped
    iptables -A icmp_flood -j DROP

After the iptables rules are applied, if the attacker keeps sending ICMP Echo Request packets continuously, the victim's machine will not respond with ICMP Echo Reply packets, as the packets exceeding the limit are dropped by the firewall.
If the DDoS attack is not that excessive, an appropriate configuration of the operating system and the affected service could help to counteract the attack. Linux kernel parameters make it possible to modify the kernel's behavior when faced with certain circumstances. Some of these parameters can be found in /etc/sysctl.conf.
tcp_syncookies: protects you against SYN flood attacks. The way it works is as follows: when the SYN request queue fills up, the kernel responds with a SYN-ACK segment as normal, but creates a special, encrypted sequence number that represents the source and target IP, the port and the timestamp of the received packet. Activate SYN cookies with:
ignore_broadcasts: in Smurf attacks, ICMP (echo request) packets are sent to a broadcast address with a false source IP. This false IP is the target of the attack, as it receives multiple echo reply packets as a result of the broadcast packet sent by the attacker. One way of deactivating responses to ICMP echo broadcast requests is by activating the following option:
rp_filter: also known as source route verification, it has the same purpose as Unicast RPF (Reverse Path Forwarding) on Cisco routers. It is used to check that the packets that enter via an interface are reachable via that interface based on their source address, making it possible to detect IP spoofing:
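The commands that activate each parameter are not reproduced in the text. As an added example that is not the paper's code, the following checker reads a sysctl.conf-style file and reports whether the three settings discussed above are in their hardened state, using the full key names these parameters have under /proc/sys: net.ipv4.tcp_syncookies, net.ipv4.icmp_echo_ignore_broadcasts and net.ipv4.conf.all.rp_filter (where 1 selects strict reverse-path filtering). The two sample configurations, the weak one beside the corrected one, are constructed for this example.

```python
from typing import Dict, Optional

# Hardened values for the parameters discussed above (full sysctl key names).
HARDENING: Dict[str, str] = {
    "net.ipv4.tcp_syncookies": "1",               # SYN cookies once the SYN backlog fills
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",  # do not answer echo requests sent to broadcast
    "net.ipv4.conf.all.rp_filter": "1",           # strict reverse-path (source address) validation
}


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines. Lines whose first non-blank character is '#' or ';' are
    comments; keys may use '/' as separator (net/ipv4/...) and are normalised to dots."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().replace("/", ".")] = value.strip()
    return settings


def audit(text: str, required: Dict[str, str] = HARDENING) -> Dict[str, str]:
    """Return one finding per required key: 'ok', or what was expected versus found.
    A key that is absent is reported as found None: the kernel default then applies,
    which is not necessarily the hardened value."""
    settings = parse_sysctl_conf(text)
    findings: Dict[str, str] = {}
    for key, want in required.items():
        have: Optional[str] = settings.get(key)
        findings[key] = "ok" if have == want else f"expected {want}, found {have}"
    return findings


def is_hardened(text: str) -> bool:
    return all(result == "ok" for result in audit(text).values())


# Constructed sample: a weak configuration ...
WEAK_CONF = """\
# /etc/sysctl.conf (constructed sample)
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 0
; broadcast pings still answered
net.ipv4.icmp_echo_ignore_broadcasts = 0
"""

# ... and the corrected one, with the three parameters from the text set.
HARDENED_CONF = """\
# /etc/sysctl.conf (constructed sample)
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net/ipv4/conf/all/rp_filter = 1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

Values in the file only take effect after `sysctl -p` or a reboot, so an audit of the file should be paired with a read of the live values under /proc/sys before trusting the result.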
For attacks that are performed by programs like LOIC, it is also possible to implement measures using iptables and the hashlimit module to limit the number of packets that you want a particular service to accept. The clauses hashlimit-burst and hashlimit-upto set the maximum size of the bucket and the number of IP packets per unit of time that limit connections to port 80.
You can also take steps to resist brute-force attacks against services such as SSH, FTP, etc. by limiting the number of attempts allowed per IP per minute.
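The iptables hashlimit rule the text refers to is not reproduced on the page, so the following is an added example, not the paper's script, that models the rate-limiting behaviour of the two rule sets discussed in this section with a token bucket: one bucket with the icmp_flood chain's parameters (limit 1/s, burst 3, RETURN when a token is available, DROP otherwise) applied to a constructed ICMP stream, and one bucket per source IP in the manner of hashlimit's srcip mode for port 80, using an assumed 25 packets per second with a burst of 100. Packet timestamps are in milliseconds and the credit is kept in integer thousandths of a token so the counts are exact; the traffic, the per-source rates and the module option names in the comments are assumptions made for this example, and the real kernel matches use their own credit accounting.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# A packet record is (timestamp_ms, source_ip).
Packet = Tuple[int, str]


class TokenBucket:
    """Credit-based limiter with the semantics of the iptables 'limit' match: 'burst' packets
    may pass immediately, then one more per 1/rate seconds. Credit is stored in thousandths
    of a token; with millisecond timestamps every refill is an exact integer."""

    def __init__(self, rate_per_s: int, burst: int):
        self.rate = rate_per_s
        self.cap = burst * 1000
        self.credit = self.cap
        self.last_ms = 0

    def allow(self, ts_ms: int) -> bool:
        self.credit = min(self.cap, self.credit + (ts_ms - self.last_ms) * self.rate)
        self.last_ms = ts_ms
        if self.credit >= 1000:
            self.credit -= 1000
            return True
        return False


def icmp_flood_chain(packets: Iterable[Packet], rate_per_s: int = 1, burst: int = 3) -> List[str]:
    """Verdict per packet for the page's icmp_flood chain:
    '-m limit --limit 1/s --limit-burst 3 -j RETURN' followed by an unconditional '-j DROP'."""
    bucket = TokenBucket(rate_per_s, burst)
    return ["RETURN" if bucket.allow(ts) else "DROP" for ts, _ in packets]


def hashlimit_srcip(packets: Iterable[Packet], rate_per_s: int = 25,
                    burst: int = 100) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Per-source buckets, as '-m hashlimit --hashlimit-mode srcip --hashlimit-upto 25/s
    --hashlimit-burst 100' would keep for a port-80 rule. Returns (accepted, dropped) per IP."""
    buckets: Dict[str, TokenBucket] = {}
    accepted: Dict[str, int] = defaultdict(int)
    dropped: Dict[str, int] = defaultdict(int)
    for ts, src in packets:
        bucket = buckets.setdefault(src, TokenBucket(rate_per_s, burst))
        if bucket.allow(ts):
            accepted[src] += 1
        else:
            dropped[src] += 1
    return dict(accepted), dict(dropped)


def constructed_icmp_flood() -> List[Packet]:
    """1000 echo requests from one host at 100 packets per second (10 seconds)."""
    return [(i * 10, "10.0.0.99") for i in range(1000)]


def constructed_http_traffic() -> List[Packet]:
    """A legitimate client at 5 requests per second for 10 s, interleaved with a flooding
    client at 250 requests per second for 12 s."""
    legit = [(i * 200, "10.0.0.5") for i in range(50)]
    flood = [(i * 4, "10.0.0.99") for i in range(3000)]
    return sorted(legit + flood)


def demo() -> Dict[str, object]:
    icmp = icmp_flood_chain(constructed_icmp_flood())
    accepted, dropped = hashlimit_srcip(constructed_http_traffic())
    return {
        "icmp_returned": icmp.count("RETURN"),
        "icmp_dropped": icmp.count("DROP"),
        "http_accepted": accepted,
        "http_dropped": dropped,
    }


if __name__ == "__main__":
    print(demo())
```

The difference between the two matches is the point: a plain limit is one bucket for everything that hits the chain, so a flood consumes the credit that legitimate echo traffic would have used, whereas hashlimit in srcip mode gives each source its own bucket, and the 5-per-second client in the sample is never affected by the 250-per-second one.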
Regardless of the measures adopted in the operating system, it is recommended that public services such as web services, FTP, DNS, etc. be located in a DMZ (demilitarized zone) and secured separately from the rest. For example, in the case of Apache it would be very useful to add modules such as mod_evasive, mod_antiloris, mod_security, mod_reqtimeout or similar to help fight against a great variety of DDoS attacks against this platform.
3.5 WiFi Jamming Attack
Jamming attack detection is the prerequisite of any jamming attack mitigation method: mitigation cannot be performed unless the jamming attack has been detected. It is a big challenge to detect jammers, because there are different kinds of jammers and even the same jammer can switch between different jamming models or jamming powers. There are also many network conditions, such as low throughput, normal communication, congestion, and so on, which resemble a jammed network, making it difficult to distinguish jamming situations from legitimate ones. Jamming attacks should also be differentiated from special circumstances, such as a system being powered off, an operating system hanging, antenna problems, communication distance and so on, which may lead to results similar to those of a jamming attack. For example, if the attack occurred on the RF corresponding to channel 1, the access point should switch to channel 6 or 11 in order to avoid the attack. However, selecting a different channel does not always eliminate the issue of interference. An experienced attacker will often use all available channels in the attack.
The nature of the Wi-Fi jamming attack relies on the discovery of the ESSID and BSSID of the access point or wireless router. So the best way to mitigate a Wi-Fi jamming attack is to disable SSID broadcast. The attacker machine will then not find the ESSID, BSSID and channel number for the attack.
3.6 WiFi Hacking
The mitigation of Wi-Fi hacking requires strict implementation of security policies throughout the network.
3.6.1 Security Policy
Wireless LAN implementation in a large corporation without any security policies will put the corporation at serious risk. In fact, all organizations should have a security policy in regards to wireless LAN infrastructure in place before reaching the deployment stage.
i. Before implementing a wireless LAN, during the planning phase, you need to know who your users are and where they are seated, in order to ensure the access point signal is adequate to cover the necessary areas.
ii. Regularly scanning for and detecting rogue access points on the corporate network is a must.
iii. The default management passwords and SSIDs on access points should be changed prior to installing them into the corporate network. Strong passwords of at least 8 characters in length should be used when changing the passwords.
iv. Educate users to be aware of security, and enforce that employees must not connect rogue access points to the corporate network.
3.6.2 Network Level Security
i. Isolation of Wireless LAN
The wireless LAN should be implemented on another network, separate from your internal wired LAN. This means that the access points should be installed on a separate network with a firewall placed between the wireless network and the wired corporate network.
ii. Securing Wireless LAN with a VPN Solution
As discussed earlier, there are many security vulnerabilities found in WEP. It is recommended to include a Virtual Private Network (VPN) solution in your wireless LAN to ensure secure wireless connections.
iii. Authentication and Authorization via RADIUS
Before allowing a wireless client to connect to and access the corporate private network, it is a must to validate or authenticate that client. This can be achieved by using 802.1X authentication against a Remote Authentication Dial-In User Service (RADIUS) server.
iv. Handling the SSIDs
The default SSIDs on the access points should be changed prior to installation into the corporate network. Disable the SSID broadcast option, though an attacker can still sniff the SSID using Kismet software.
v. Access Control via MAC Addresses and IP Addresses
Access points can be configured to filter MAC addresses to control which users connect to your corporate wireless network. This means that only those users with valid MAC addresses that have been configured on the access points will be allowed connectivity to the wireless network.
3.7 Wireless Evil Twin Attack
In most existing techniques, the detection of the attack is performed by the network, not by the users. One of the original ways of doing so was manual detection by the network administrators using software like Netstumbler.
AirDefense uses a combination of radio-frequency sensors together with an intrusion detection server, capturing, processing and correlating network events to find APs with unknown fingerprints.
Wavelink is a mobile device management product that features software installed on each mobile client to detect connectivity faults. Among other things, the client software reports to a central server any AP seen and its location, which is then matched against a list of legal APs.
Other solutions like RIPPs use different approaches, detecting wireless traffic in wired networks to detect the existence of illegal APs.
However, most of these solutions suffer from some, or all, of the following problems:
- They require complete coverage of the network; otherwise rogue APs may go undetected.
- They may flag a normal AP as rogue, for instance the access point of a nearby coffee shop.
- They do not work for rogue APs that possess authentication.
- They may access unauthorized networks in the process of testing all the available APs in the vicinity.
- And finally, they are ineffective in reacting to short-time attacks. For instance, if an attack is detected in some area of an airport, how do we go and alert the users? It may be too late.
To date, the Evil Twin attack can most effectively be mitigated through multi-hop detection.
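As an added example that is not the paper's code or any product's, the following shows the inventory-matching approach the text attributes to client-reporting systems such as Wavelink: access points seen in a scan are compared with a list of authorized APs, and the verdict distinguishes an unknown AP advertising the corporate ESSID (the evil-twin case) from a known BSSID seen with the wrong security or channel, and from an unrelated neighbouring network such as the coffee-shop AP the text lists as a false-positive risk, which is not flagged. The AP inventory, the scan records and the verdict names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ApRecord:
    bssid: str
    essid: str
    channel: int
    security: str    # e.g. 'WPA2', 'WPA', 'WEP', 'OPEN'


# Constructed inventory of the corporate APs a client-side agent would be given.
AUTHORIZED: Dict[str, ApRecord] = {
    "f0:9f:c2:00:00:01": ApRecord("f0:9f:c2:00:00:01", "CorpNet", 6, "WPA2"),
    "f0:9f:c2:00:00:02": ApRecord("f0:9f:c2:00:00:02", "CorpNet", 11, "WPA2"),
}
CORPORATE_ESSIDS: Set[str] = {"CorpNet"}
FLAGGED = ("evil-twin", "impersonated-bssid")


def classify(seen: ApRecord, authorized: Dict[str, ApRecord] = AUTHORIZED,
             corporate_essids: Set[str] = CORPORATE_ESSIDS) -> str:
    """Verdict for one AP seen in a scan, judged only against our own inventory."""
    known = authorized.get(seen.bssid)
    if known is not None:
        if known == seen:
            return "authorized"
        return "impersonated-bssid"   # our BSSID, but ESSID/channel/security do not match
    if seen.essid in corporate_essids:
        return "evil-twin"            # unknown hardware advertising our network name
    return "neighbor"                 # someone else's network: not ours to flag


def classify_scan(scan: List[ApRecord], authorized: Dict[str, ApRecord] = AUTHORIZED,
                  corporate_essids: Set[str] = CORPORATE_ESSIDS) -> Dict[str, str]:
    return {ap.bssid: classify(ap, authorized, corporate_essids) for ap in scan}


def alerts(scan: List[ApRecord]) -> List[str]:
    """BSSIDs worth an operator's attention, in scan order."""
    return [bssid for bssid, verdict in classify_scan(scan).items() if verdict in FLAGGED]


def constructed_scan() -> List[ApRecord]:
    """Sample scan built for this example, as a client agent might report it."""
    return [
        ApRecord("f0:9f:c2:00:00:01", "CorpNet", 6, "WPA2"),          # genuine corporate AP
        ApRecord("f0:9f:c2:00:00:02", "CorpNet", 1, "OPEN"),          # our BSSID, open, wrong channel
        ApRecord("02:ab:cd:00:00:99", "CorpNet", 6, "OPEN"),          # evil twin on unknown hardware
        ApRecord("00:1a:2b:3c:4d:5e", "CoffeeShop-Free", 6, "OPEN"),  # neighbouring hotspot
    ]


if __name__ == "__main__":
    for bssid, verdict in classify_scan(constructed_scan()).items():
        print(bssid, verdict)
    print("alerts:", alerts(constructed_scan()))
```

An exact clone (same BSSID, ESSID, channel and security) is indistinguishable by this comparison, which is one reason the text also lists sensor-based and fingerprinting approaches; the inventory match is cheap and has no coverage gap on the client side, but it only catches twins that differ from the real AP in some advertised attribute.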
4 CONCLUSION
In this research, we tried to describe several ways of analyzing traffic depending on the circumstances and the available means, as well as providing examples of some common attacks used on local area networks, in order to mitigate or at least moderate the impact that these have on the performance of your network. There are several areas of potential future work that could be explored. This study attempted to test as many types of common enterprise configurations as possible, but left out several that are in use or will continue to grow in the future. Although this study attempted to record data as accurately as possible, it could be done even more accurately if an automated process were developed to track throughput over a period of time and report the results.
5 REFERENCES
[1] Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach, "Web Spoofing: An Internet Con Game", Technical Report, Department of Computer Science, Princeton University, February 1997, pp. 540-96.
[2] Radosavac, S., Cárdenas, A.A., Baras, J.S., Moustakides, G.V., "Detecting IEEE 802.11 MAC layer misbehavior in ad hoc networks: Robust strategies against individual and colluding attackers", Journal of Computer Security, Vol. 15, 2007, pp. 103–128.
[3] Hayoung Oh, Inshil Doh, Kijoon Chae, "Attack Classification Based on Data Mining Technique and its Application for Reliable Medical Sensor Communication", International Journal of Computer Science and Applications, Vol. 6, No. 3, 2009, pp. 20-32.
[4] J. Markovic, J. Martin, and L. Reiher, "A Taxonomy of DDoS Attack and DDoS Defense Mechanisms", ACM SIGCOMM Computer Communication Review, Vol. 34, No. 2, 2004, pp. 39-53.
[5] Kong, H.S., Zhang, M.Q., Tang, J. and Luo, C.Y., "The Research of Simulation for Network Security Based on System Dynamics", Information Engineering University, Institute of Electronic Technology, Zhengzhou, China, IAS, Vol. 2, 2009, pp. 145-148.
[6] A. Hussain, J. Heidemann, and C. Papadopoulos, "A framework for classifying denial of service attacks", In Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, SIGCOMM, 2003, pp. 99–110.
[7] K. Argyraki and D. R. Cheriton, "Active internet traffic filtering: real-time response to denial-of-service attacks", In Proceedings of the USENIX Annual Technical Conference, 2005, pp. 10–10.
[8] V. Gulisano, R. Jiménez-Peris, M. Patiño-Martínez, and P. Valduriez, "StreamCloud: A large scale data streaming system", In International Conference on Distributed Computing Systems, June 2010, pp. 126–137.
[9] Al-Saadoon, G., Al-Bayatti, H., "A Comparison of Trojan horse Virus Behavior in Linux and Windows Operating Systems", World of Computer Science and Information Technology Journal, Vol. 1, No. 3, 2011, pp. 56-62.
[10] Thimbleby, H., Anderson, S. and Cairns, "A framework for Modelling Trojan horses and Computer Virus Infection", Computer Journal, Vol. 41, No. 7, 1998, pp. 444-458.
[11] Liu, Y., Zhang, L., Liang, J., Qu, S., Ni, Z., "Detecting Trojan horses based on system behavior using machine learning method", Machine Learning and Cybernetics Conference, IEEE, Vol. 2, 2010, pp. 855–860.
[12] Tang, Sh., "The detection of Trojan horse based on the data mining", Fuzzy Systems and Knowledge Discovery International Conference, IEEE, Vol. 1, 2009, pp. 311-314.
[13] B.N. Singh, Bhim Singh, Ambrish Chandra, and Kamal Al-Haddad, "Digital Implementation of an Advanced Static VAR Compensator for Voltage Profile Improvement, Power Factor Correction and Balancing of Unbalanced Reactive Loads", Electric Power Energy Research, Vol. 54, No. 2, 2000, pp. 101-111.
[14] Z. Yang, A. C. Champion, B. Gu, X. Bai, and D. Xuan, "Link-layer protection in 802.11i WLANs with dummy authentication", WiSec, 2009.
AUTHOR PROFILES:
Umme Salsabil received the degree of Bachelor of Science in Electrical and Electronics Engineering from American International University-Bangladesh in 2012. She is a research student under the Faculty of Engineering at AIUB pursuing a Master of Science in Electrical and Electronics Engineering majoring in Communication Engineering. Currently, she is working as an Instructor under the Continuing Education Center at American International University-Bangladesh. Her interests are in wired and wireless LAN security.
M. Tanseer Ali received his PhD degree in Electrical and Electronics Engineering from the University of Greenwich, UK. Currently, he is serving as an Assistant Professor under the Faculty of Engineering at American International University-Bangladesh. His research interests include Telecommunication Engineering and Power System Dynamics.
Md. Manirul Islam received his B.Sc. in Computer Engineering from the University of Baguio and M.Sc. in IT from Saint Louis University. Currently, he is serving as an Assistant Professor under the Faculty of Science and Information Technology and Director, Continuing Education Center at American International University-Bangladesh. His research interests include Network Intrusion Detection and Wireless Sensor Networks.