logo SBA

ETD

Archivio digitale delle tesi discusse presso l’Università di Pisa

Tesi etd-01192015-134503


Tipo di tesi
Tesi di laurea magistrale
Autore
PUCCETTI, ALESSANDRO
URN
etd-01192015-134503
Titolo
Design and development of an active probing technique to validate the "source IP address" header field in a live stream of IP packets
Dipartimento
INGEGNERIA DELL'INFORMAZIONE
Corso di studi
COMPUTER ENGINEERING
Relatori
relatore Prof. Lenzini, Luciano
correlatore Prof. Mingozzi, Enzo
correlatore Dott. Dainotti, Alberto
correlatore King, Alistair
Parole chiave
  • active measurements
  • active probing
  • darknet
  • data analysis
  • experiments
  • IP spoofing
  • passive measurements
  • source IP address
  • validation
Data inizio appello
20/02/2015
Consultabilità
Completa
Riassunto
The Internet is a world-wide computer network using the standard Internet Protocol (IP). Every Internet host has an address (IP address), two hosts (A and B) need to know each other IP address to be able to communicate. Because IPv4 does not provide a validation mechanism for source IP addresses, B cannot be sure about the truthfulness of such address. In fact, malicious hosts can forge the source IP address. This action is called IP spoofing.
In this thesis, I perform a preliminary exploratory work on heuristics for source IP address validation based on the IPID field of the IP header. First, I analyze IPID behaviors of different operating systems with with respect to different types of IP protocols (ICMP, TCP, and UDP). Then I present a novel source IP address validation heuristic based on active probing, which borrows ideas from IP alias resolution techniques used to identify multiple interfaces (each with a different IP address assigned) of a router.
To test this heuristic, I developed a software tool to probe hosts with different methods and detect monotonic incrementing IPID time series. I set up my experiment to use packets (triggers) received by a large darknet operated at UC San Diego. Then, I analyze the gathered data to study the characteristics of triggers and replies. This exploratory experimentation aims to find a correlation between a trigger and the probes’ replies by exploiting monotonic incrementing IPID shared counters. Moreover, I present a thresholding approach to classify triggers as “not spoofed” or “unknown”.
Finally, I discuss my conclusions on presented data, validation results, and future work about how to improve the validation technique and open questions about my current analysis.
File