ETD system

Electronic theses and dissertations repository


Tesi etd-01192015-134503

Thesis type
Master's thesis (Tesi di laurea magistrale)
Design and development of an active probing technique to validate the "source IP address" header field in a live stream of IP packets
Degree programme
Supervisor: Prof. Lenzini, Luciano
Co-supervisor: Prof. Mingozzi, Enzo
Co-supervisor: Dott. Dainotti, Alberto
Co-supervisor: King, Alistair
Keywords
  • active measurements
  • passive measurements
  • IP spoofing
  • darknet
  • active probing
  • experiments
  • data analysis
  • source IP address
  • validation
Defence date
Release date
Abstract
The Internet is a world-wide computer network built on the standard Internet Protocol (IP). Every Internet host has an address (IP address), and two hosts (A and B) need to know each other's IP address to be able to communicate. Because IPv4 provides no validation mechanism for source IP addresses, B cannot be sure that the source address it sees is genuine: a malicious host can forge the source IP address of the packets it sends. This action is called IP spoofing.
In this thesis, I perform a preliminary exploratory work on heuristics for source IP address validation based on the IPID field of the IP header. First, I analyze the IPID behaviors of different operating systems with respect to different IP protocols (ICMP, TCP, and UDP). Then I present a novel source IP address validation heuristic based on active probing, which borrows ideas from the IP alias resolution techniques used to identify the multiple interfaces (each with a different IP address assigned) of a router.
To test this heuristic, I developed a software tool to probe hosts with different methods and detect monotonic incrementing IPID time series. I set up my experiment to use packets (triggers) received by a large darknet operated at UC San Diego. Then, I analyze the gathered data to study the characteristics of triggers and replies. This exploratory experimentation aims to find a correlation between a trigger and the probes’ replies by exploiting monotonic incrementing IPID shared counters. Moreover, I present a thresholding approach to classify triggers as “not spoofed” or “unknown”.
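The correlation step described above, as an added illustration that is not the thesis's own tool: a trigger captured at a darknet carries an IPID, probes are sent to the address the trigger claims as its source, and the trigger is labelled "not spoofed" only if its IPID fits the monotonically incrementing counter observed in the probe replies (otherwise "unknown"). The packet values, the `max_step` and `tolerance` thresholds, and the rate-extrapolation rule are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List

IPID_MOD = 1 << 16  # the IP identification field is 16 bits, so counters wrap


@dataclass
class Packet:
    t: float   # capture timestamp in seconds
    ipid: int  # value of the IP identification field


def ipid_delta(a: int, b: int) -> int:
    """Forward distance from IPID a to IPID b on the 16-bit counter circle."""
    return (b - a) % IPID_MOD


def is_monotonic(replies: List[Packet], max_step: int) -> bool:
    """True if each reply IPID exceeds the previous one by 1..max_step,
    i.e. the host uses one incrementing counter shared across packets."""
    if len(replies) < 2:
        return False
    for prev, cur in zip(replies, replies[1:]):
        d = ipid_delta(prev.ipid, cur.ipid)
        if d == 0 or d > max_step:
            return False
    return True


def classify_trigger(trigger: Packet, replies: List[Packet],
                     max_step: int = 200, tolerance: int = 50) -> str:
    """'not spoofed' if the trigger IPID is consistent with the reply counter,
    else 'unknown' (the heuristic confirms a source; it never proves spoofing)."""
    replies = sorted(replies, key=lambda p: p.t)
    if not is_monotonic(replies, max_step) or replies[0].t <= trigger.t:
        return "unknown"  # no usable counter, or probes did not follow the trigger
    first, last = replies[0], replies[-1]
    duration = last.t - first.t
    if duration <= 0:
        return "unknown"
    rate = ipid_delta(first.ipid, last.ipid) / duration  # IPIDs per second
    # If the claimed source really sent the trigger, its counter advanced from
    # the trigger IPID to the first reply IPID during the intervening time.
    expected_gap = rate * (first.t - trigger.t)
    observed_gap = ipid_delta(trigger.ipid, first.ipid)
    return "not spoofed" if abs(observed_gap - expected_gap) <= tolerance else "unknown"


# Constructed sample: one darknet trigger, then four replies to probes sent to
# the address it claimed as source; the counter advances ~10 IPIDs per second.
SAMPLE_TRIGGER = Packet(t=0.0, ipid=1000)
SAMPLE_REPLIES = [Packet(1.0, 1010), Packet(2.0, 1020), Packet(3.0, 1030), Packet(4.0, 1040)]

if __name__ == "__main__":
    print(classify_trigger(SAMPLE_TRIGGER, SAMPLE_REPLIES))  # → not spoofed
```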
Finally, I discuss my conclusions on the presented data and validation results, future work on how to improve the validation technique, and open questions raised by my current analysis.