IP Spoofing Detection Using Modified Hop Count
Ayman Mukaddam Imad Elhajj Ayman Kayssi Ali Chehab
Electrical and Computer Engineering Department
American University of Beirut
Beirut 1107 2020, Lebanon
{agm10, ie05, ayman, chehab}@aub.edu.lb
Abstract— With the global widespread usage of the Internet,
more and more cyber-attacks are being performed. Many of
these attacks utilize IP address spoofing. This paper describes IP
spoofing attacks and the proposed methods currently available to
detect or prevent them. In addition, it presents a statistical
analysis of the Hop Count parameter used in our proposed IP
spoofing detection algorithm. We propose an algorithm, inspired
by the Hop Count Filtering (HCF) technique, that changes the
learning phase of HCF to include all the possible available Hop
Count values. Compared to the original HCF method and its
variants, our proposed method increases the true positive rate by
at least 9% and consequently increases the overall accuracy of an
intrusion detection system by at least 9%. In general, our proposed
method performs better than the HCF method and its variants.
Keywords—IP spoofing, hop count, hop count filtering,
statistical analysis.
I. INTRODUCTION
Internet access, in today's world, can no longer be
considered a commodity but rather a human right [1]. Many
critical services like banking, online shopping, e-commerce,
distance learning, remote surgery, searching, and social media
are based on the Internet service. According to [2], there are
more than 2.4 billion Internet users as of June 30, 2012.
Therefore, any disruption to this service is considered
problematic and can result in drastic financial losses to several
businesses. Unfortunately, the Internet was not designed with
security as a primary concern; it was designed for
scalability. This has allowed attackers to
exploit several of the design weaknesses that are inherent to the
protocols used in today's Internet.
A particularly interesting weakness in the protocols used in
today's Internet lies in the IP protocol. This weakness allows
attackers to "spoof" (masquerade) the source IP address and
thus perform several attacks such as session
hijacking, packet spoofing, denial of service, advanced scanning
techniques, and distributed attacks.
By design, the IP protocol does not offer any form of
authentication of the source IP address. Therefore, an attacker
can send an IP packet with a "spoofed" source IP address. An
attacker can thus benefit from this ability to remain
anonymous, to launch targeted attacks, and to circumvent some
security restrictions that are based solely on verifying the
source IP address [3]. There are many variations of
attacks that utilize IP Spoofing such as Non-Blind Spoofing,
Blind Spoofing, Man in The Middle, Denial of Service, and
Decoy Scan.
There are two well-known methods to prevent IP spoofing:
Address filtering and IPsec. Other methods address specific
cases like the Generalized TTL Security Mechanism [4].
This work was inspired by the “Hop-Count Filtering”
(HCF) technique proposed by Wang et al. [5] [6] to detect IP
spoofing. Their algorithm is based on the idea that although an
attacker can spoof the source IP address, the attacker cannot
spoof the number of hops a packet traverses to reach the
destination. Therefore, the algorithm first learns the IP to Hop
Count (HC) mapping and stores the mapping in an IP2HC
table. Once a packet arrives, it is compared to the HC stored for
this IP. If the HC values match, then the packet is legitimate.
Otherwise, the packet is discarded.
The main strength of the HCF technique lies in its
simplicity. This paper aims at proposing a variation of the HCF
technique in order to enhance the accuracy of the HCF by
including in the IP2HC table all valid HCs seen in the learning
phase. This modification enhances the overall accuracy
compared to the original HCF and its variations [6].
The remainder of this paper is organized as follows: Section
2 discusses previous work related to the HCF technique and its
variations. Section 3 presents a statistical analysis of HC and
RTT. In Section 4 we describe our proposed algorithm. Section
5 presents the results of the proposed algorithm. Finally, we
conclude the paper in Section 6.
II. LITERATURE REVIEW
This section reviews several methods that detect spoofed IP
packets, such as the Hop Count Filtering technique and
Reverse Path Forwarding.
Hop Count (HC) is defined as the number of hops a packet
traverses as it moves from the sender to the receiver. HC is not
sent in the IP packet but is rather inferred from the IP Time-to-
Live Field (TTL). The receiver can estimate the HC by
subtracting the received TTL value from the closest initial TTL
value bigger than the received packet’s TTL. Usually, these
initial TTL values are operating system dependent and are
limited to a few possibilities, which include 30, 32, 60, 64, 128,
and 255 [1]. Therefore, guessing the initial TTL set by the OS
is possible without explicitly knowing what the OS is,
especially that the number of hops between two hosts is
2014 IEEE 28th International Conference on Advanced Information Networking and Applications
1550-445X/14 $31.00 © 2014 IEEE
DOI 10.1109/AINA.2014.62