Department of Electronics & Communication Engineering
The National Institute of Engineering
(An Autonomous Institute under VTU, Belagavi) Mysuru – 570 008
COURSE PROJECT REPORT
(EC6C03)
[IP SPOOFING AND DETECTION]
Submitted to the partial fulfillment for the completion of experiential learning.
Submitted by:
SURYA C URS 4NI20EC115
NEERAJ M GOWDA 4NI20EC071
SHARANU HIREMATH 4NI20EC099
MURALI KRISHNA V HEGDE 4NI20EC068
VI Semester B.E
Under the supervision of:
Dr. Vijay B.T. Assistant Professor, NIE, Mysuru.
2022-23

ABSTRACT

The project aims to explore IP spoofing techniques using the Scapy library and detect such spoofed packets using machine learning, specifically Logistic Regression. IP spoofing refers to the act of manipulating the source IP address in network packets to deceive or hide the true origin of the communication. This project investigates both the offensive aspect of IP spoofing and the defensive aspect of detecting and mitigating spoofed packets. In the offensive part, the Scapy library is used to develop a tool that generates and sends IP-spoofed packets. Various spoofing scenarios are examined, including Denial of Service (DoS) attacks, Distributed Denial of Service (DDoS) attacks, and Man-in-the-Middle attacks. The tool provides flexibility in customizing the packet headers to mimic different sources, destinations, and protocols. By combining offensive and defensive aspects, this project provides a comprehensive understanding of IP spoofing techniques and their potential impact on network security. It demonstrates the practical implementation of IP spoofing using Scapy and explores the effectiveness of machine learning algorithms in detecting spoofed packets. The results of the project contribute to the ongoing efforts in enhancing network security by raising awareness about the vulnerabilities associated with IP spoofing and proposing machine learning-based solutions for detection and mitigation.

IP SPOOFING USING SCAPY:

• IP spoofing is one of the methods by which a DDoS attack can be carried out.
• DDoS stands for "Distributed Denial-of-Service" attack: a cybercrime in which the attacker floods a server with internet traffic to prevent users from accessing connected online services and sites.
• IP spoofing is the creation of Internet Protocol packets with a false source IP address, for the purpose of impersonating another computing system.
• IP spoofing can be used for both legitimate and malicious purposes. Legitimate uses include certain network testing scenarios, where the goal is to examine the behaviour of a network under specific conditions.
• Man-in-the-Middle attacks: attackers can spoof their IP address to intercept network traffic between two parties, allowing them to eavesdrop on the communication or modify the data exchanged.
• Evasion of access controls: by spoofing a trusted IP address, an attacker can bypass access controls that rely on IP-based authentication or authorization mechanisms.
• IP spoofing is generally considered a malicious activity when used to deceive, disrupt, or exploit computer networks and systems. Engaging in IP spoofing with malicious intent is illegal in many jurisdictions and can result in criminal charges.
• Scapy is a powerful interactive packet manipulation library written in Python. Scapy is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.
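Scapy decodes the IPv4 header fields for you, but a detector needs to know what those fields are and which combinations are impossible. The following is an added example written for this page, not code from the report; it uses only the Python standard library so it runs without Scapy. It parses a raw IPv4 header into the features a detector would consume (source, destination, TTL, protocol, length, checksum validity) and then applies the header-only plausibility checks that an ingress filter (the BCP 38 idea) performs before any ML model sees the packet. The INTERNAL_NETS prefixes and the test packets are constructed for the demo; nothing here is sent on the wire.

```python
import ipaddress
import struct

# Assumed site prefixes for the demo; a real deployment uses its own address plan.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Source addresses that must never appear on a packet arriving from the internet.
BOGONS = [ipaddress.ip_network("0.0.0.0/8"),
          ipaddress.ip_network("127.0.0.0/8"),
          ipaddress.ip_network("224.0.0.0/3")]

def ipv4_checksum(data):
    """RFC 1071 ones' complement sum over 16-bit words; a valid header sums to 0."""
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) + (data[i + 1] if i + 1 < len(data) else 0)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, ttl=64, proto=6, total_len=20, ident=0x1234):
    """Construct a 20-byte option-less IPv4 header in memory (test fixture only)."""
    ver_ihl = (4 << 4) | 5          # version 4, IHL = 5 words
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, 0x4000,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4(raw):
    """Return the header fields a detector would use as features."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "proto": proto,
        "len": total_len,
        "checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
    }

def spoof_indicators(fields, arrived_on_external):
    """Header-only checks that catch an impossible source address.
    These are cheap and deterministic; statistical cases are left to the ML model."""
    src = ipaddress.ip_address(fields["src"])
    reasons = []
    if not fields["checksum_ok"]:
        reasons.append("bad header checksum")
    if any(src in net for net in BOGONS):
        reasons.append("bogon source address")
    is_internal = any(src in net for net in INTERNAL_NETS)
    if arrived_on_external and is_internal:
        reasons.append("internal source address arriving on external interface")
    if not arrived_on_external and not is_internal:
        reasons.append("external source address arriving on internal interface")
    return reasons

def demo():
    """Three constructed packets: one legitimate, one spoofed-internal, one corrupted."""
    results = {}
    legit = build_ipv4_header("198.51.100.7", "192.168.1.10")
    results["legit"] = spoof_indicators(parse_ipv4(legit), arrived_on_external=True)
    spoofed = build_ipv4_header("192.168.1.10", "198.51.100.7")
    results["spoofed"] = spoof_indicators(parse_ipv4(spoofed), arrived_on_external=True)
    corrupted = bytearray(legit)
    corrupted[8] = 1                      # tamper with TTL without refreshing checksum
    results["corrupted"] = spoof_indicators(parse_ipv4(bytes(corrupted)), True)
    return results

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {reasons or 'no spoof indicators'}")
```

The interface-consistency check is the part worth keeping in front of any classifier: a packet claiming an internal source but arriving from outside cannot be legitimate regardless of what the traffic statistics say, so it should be dropped and logged without spending model time on it.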
Sending IP packets using Scapy

Here, we send packets named 'X'. Each packet carries many fields, such as Time to Live (TTL), source address (x.src), destination address (x.dst), the protocol used (TCP) and a message loaded as the payload; around 23 fields are present in all. The main use of Scapy here is to produce many fake source IP addresses on one device and send the packets to a single destination, so that the receiver believes the packets come from different devices. Sending so many packets overwhelms the receiver, which stops processing the requests it receives, and the server goes down.

WIRESHARK:
Wireshark is a popular open-source network protocol analyzer that allows users to capture and analyze network traffic in real time. It is available for various operating systems, including Windows, macOS, and Linux. Wireshark provides a graphical user interface (GUI) that facilitates the inspection and interpretation of network packets.

Packet Capture: Wireshark allows users to capture network traffic from different interfaces, such as Ethernet, Wi-Fi, or loopback. It supports live packet capturing as well as the ability to read packet capture files from other tools.

Protocol Analysis: Wireshark supports a wide range of network protocols, including TCP/IP, HTTP, DNS, DHCP, and many more. It can dissect and decode these protocols to provide detailed information about the packets and their contents.

Filtering and Search: Wireshark offers powerful filtering capabilities to focus on specific packets of interest. Filters can be based on various criteria, such as IP address, port number, protocol, or packet content. It also provides search functionality to locate specific packets or information within the captured data.

Packet Inspection and Reconstruction: Wireshark allows users to inspect individual packets, view their headers and payloads, and analyze the structure of different protocols. It can even reassemble fragmented packets to provide a complete view of the network communication.

Statistics and Graphing: Wireshark provides statistical analysis features, such as flow and endpoint statistics, to help identify patterns and anomalies in network traffic. It can also generate graphs and charts to visualize network behavior over time.

Extensibility: Wireshark supports various plugins and customizations, allowing users to extend its functionality or add support for additional protocols.

IP SPOOFING DETECTION USING ML:

IP spoofing refers to the practice of modifying or falsifying the source IP address in network packets with the intent to deceive or hide the identity of the sender.
Machine learning (ML) techniques can be utilized to detect IP spoofing attempts by analyzing network traffic patterns and identifying suspicious or anomalous behavior. Here's an approach for IP spoofing detection using ML:

Dataset collection: Gather a labeled dataset consisting of network traffic data, including legitimate and spoofed IP addresses. The dataset should ideally contain a diverse range of network activities and various types of spoofing attacks.

Feature extraction: Extract relevant features from the network traffic data. These features may include packet headers, timestamps, protocol types, packet sizes, and statistical characteristics of the network flows.

Labeling and preprocessing: Assign labels to the dataset, indicating whether each network flow is legitimate or spoofed. Preprocess the data by normalizing or scaling the features, handling missing values, and encoding categorical variables.

Model selection: Choose an appropriate ML algorithm for IP spoofing detection. Some common choices include decision trees, random forests, support vector machines (SVM), or deep learning models such as recurrent neural networks (RNN) or convolutional neural networks (CNN).

Training: Split the labeled dataset into training and validation sets. Train the ML model on the training set, using the labeled data to learn the patterns and characteristics of both legitimate and spoofed traffic.

Model evaluation: Evaluate the trained model's performance using the validation set. Common evaluation metrics include accuracy, precision, recall, and F1-score. Adjust the model's hyperparameters, if necessary, to improve its performance.

Testing and deployment: Apply the trained model to new, unseen network traffic data to detect IP spoofing attempts in real time. Monitor the network traffic continuously and classify each network flow as legitimate or spoofed based on the model's predictions.

Iteration and improvement: Monitor the model's performance over time and collect feedback on misclassifications or false positives. Continuously update and retrain the model using new data to improve its accuracy and adapt to evolving IP spoofing techniques.

It's important to note that ML-based IP spoofing detection is not foolproof, as attackers can adapt and evolve their techniques to bypass detection.
Therefore, it's recommended to complement ML-based approaches with other security measures, such as network firewalls, intrusion detection systems (IDS), and network traffic analysis tools, to strengthen overall network security.

ML CODE USING LOGISTIC REGRESSION ALGORITHM:

MODEL PERFORMANCE EVALUATION:

When evaluating the performance of a logistic regression model for IP spoofing detection, several metrics can be used to assess its effectiveness. Here are some common evaluation metrics for binary classification problems:

Accuracy: It measures the overall correctness of the model's predictions and is calculated as the ratio of correct predictions to the total number of predictions. However, accuracy alone may not provide a complete picture, especially if the classes are imbalanced.

Precision: Precision represents the proportion of true positive predictions out of all positive predictions (both true positives and false positives). It measures the model's ability to correctly identify IP spoofing instances while minimizing false positives.

Recall (Sensitivity or True Positive Rate): Recall calculates the proportion of true positive predictions out of all actual positive instances. It quantifies the model's ability to identify IP spoofing cases and is particularly useful when the focus is on minimizing false negatives.

F1-score: The F1-score is the harmonic mean of precision and recall. It provides a balanced measure of the model's performance, considering both false positives and false negatives. It is especially useful when the classes are imbalanced.

Receiver Operating Characteristic (ROC) curve: The ROC curve plots the true positive rate (sensitivity) against the false positive rate (1 - specificity) at various classification thresholds. It provides insights into the trade-off between sensitivity and specificity and allows for the selection of an appropriate threshold based on the desired balance.

Area Under the ROC Curve (AUC-ROC): AUC-ROC represents the overall performance of the model across various classification thresholds. It provides a single metric to evaluate the model's discrimination ability. Higher AUC-ROC values indicate better performance.

When evaluating the logistic regression model for IP spoofing detection, it's recommended to consider multiple metrics to gain a comprehensive understanding of its performance. The choice of evaluation metrics should be based on the specific goals and requirements of the application.

An accuracy of 70.16% is achieved on a test set that is 25% of the dataset. The accuracy can be further increased by the following:
• Using a larger number of training examples.
• Using more complex algorithms like Decision Trees, Random Forests, XGBoost etc.
• Feature engineering, so that important features like src, dst, Protocol, pktrate, pktperflow etc. carry more weight.

CONCLUSION:

In this project, we explored the detection of IP spoofing using Scapy, a powerful Python library for network packet manipulation, along with machine learning techniques, specifically logistic regression. We began by discussing IP spoofing, which involves falsifying the source IP address in network packets to deceive or hide the identity of the sender. This malicious activity poses a significant security threat to networks and can lead to various attacks, such as denial of service (DoS) and man-in-the-middle (MitM) attacks. To detect IP spoofing, we utilized Scapy to capture and analyze network traffic data. Scapy allowed us to inspect packet headers, extract relevant information, and identify patterns or anomalies associated with spoofed IP addresses. Furthermore, we employed machine learning, specifically logistic regression, to develop a detection model. Logistic regression is a widely used classification algorithm that can handle binary classification problems effectively.
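The report's own logistic-regression code is not reproduced on this page, so the following is an added example written for it, not the project's code: a from-scratch logistic regression (batch gradient descent, no scikit-learn needed) trained on constructed flow records that use two of the feature names the report lists, pktrate and pktperflow, with a 75/25 train/test split as in the report, and the evaluation metrics defined above (accuracy, precision, recall, F1, and a threshold-free AUC-ROC) computed by hand. The flow records are synthetic and linearly separable, so the scores will be far higher than the 70.16% the report measured on real data; the point is to make the metric definitions concrete, not to reproduce that result.

```python
import math
import random

# Constructed flow records for the demo: (pktrate, pktperflow) -> label, 1 = spoofed.
# The numbers are made up to be linearly separable; they are not measured traffic.
def make_flows(n_per_class=40, seed=7):
    rng = random.Random(seed)
    flows = []
    for _ in range(n_per_class):
        # Legitimate sessions: modest packet rate, many packets per flow.
        flows.append(([rng.uniform(1, 30), rng.uniform(50, 300)], 0))
        # Spoofed flood: very high rate, a handful of packets per (fake) source.
        flows.append(([rng.uniform(200, 1000), rng.uniform(1, 5)], 1))
    rng.shuffle(flows)
    return flows

def standardize(X, means=None, stds=None):
    """Z-score each column; reuse the training means/stds for the test set."""
    if means is None:
        cols = list(zip(*X))
        means = [sum(c) / len(c) for c in cols]
        stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
                for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(row, means, stds)] for row in X], means, stds

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def train_logreg(X, y, lr=0.5, epochs=300):
    """Batch gradient descent on the logistic loss; returns weights and bias."""
    n = len(X[0])
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for xi, yi in zip(X, y):
            err = sigmoid(sum(wj * xj for wj, xj in zip(w, xi)) + b) - yi
            for j in range(n):
                gw[j] += err * xi[j]
            gb += err
        w = [wj - lr * gj / len(X) for wj, gj in zip(w, gw)]
        b -= lr * gb / len(X)
    return w, b

def predict_proba(w, b, X):
    return [sigmoid(sum(wj * xj for wj, xj in zip(w, xi)) + b) for xi in X]

def metrics(y_true, scores, threshold=0.5):
    """Accuracy, precision, recall and F1 at one decision threshold."""
    tp = fp = tn = fn = 0
    for yt, s in zip(y_true, scores):
        pred = 1 if s >= threshold else 0
        if pred and yt:
            tp += 1
        elif pred:
            fp += 1
        elif yt:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / len(y_true), "precision": precision,
            "recall": recall, "f1": f1}

def auc_roc(y_true, scores):
    """Threshold-free AUC: the probability that a spoofed flow outscores a
    legitimate one (equivalent to the area under the ROC curve; ties count one half)."""
    pos = [s for yt, s in zip(y_true, scores) if yt]
    neg = [s for yt, s in zip(y_true, scores) if not yt]
    if not pos or not neg:
        return 0.0
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

def run_demo(test_fraction=0.25):
    """Train on 75% of the constructed flows, evaluate on the remaining 25%."""
    flows = make_flows()
    split = int(len(flows) * (1 - test_fraction))
    X_tr, y_tr = [f for f, _ in flows[:split]], [l for _, l in flows[:split]]
    X_te, y_te = [f for f, _ in flows[split:]], [l for _, l in flows[split:]]
    X_tr, means, stds = standardize(X_tr)
    X_te, _, _ = standardize(X_te, means, stds)
    w, b = train_logreg(X_tr, y_tr)
    scores = predict_proba(w, b, X_te)
    result = metrics(y_te, scores)
    result["auc_roc"] = auc_roc(y_te, scores)
    return result

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value:.3f}")
```

Two details matter for a deployed detector: the test set is standardized with the training set's means and standard deviations (fitting them on the test data would leak information and inflate the score), and metrics() takes the threshold as a parameter so that, as the ROC discussion above suggests, the operating point can be moved toward fewer false negatives if missing a spoofed flood is costlier than a false alarm.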
By training the model on labeled data consisting of legitimate and spoofed IP addresses, we leveraged the power of machine learning to learn patterns and characteristics associated with IP spoofing. Evaluation of the logistic regression model was performed using various metrics, including accuracy, precision, recall, F1-score, ROC curve, and AUC-ROC. These metrics provided a comprehensive assessment of the model's performance in terms of its ability to correctly classify IP traffic as legitimate or spoofed. The results of our evaluation demonstrated that the logistic regression model achieved promising performance in detecting IP spoofing. The accuracy, precision, recall, and F1-score of the model were found to be satisfactory, indicating its effectiveness in identifying spoofed IP addresses while minimizing false positives and false negatives. Additionally, the ROC curve analysis and AUC-ROC score confirmed the model's discrimination ability across different classification thresholds, further validating its performance. Overall, the combination of Scapy for network traffic analysis and logistic regression for machine learning-based detection proved to be a promising approach for IP spoofing detection. This method can enhance network security by providing real-time identification of potential spoofed IP addresses and assisting in mitigating the associated risks. It is important to note that IP spoofing techniques can evolve, and attackers may attempt to bypass detection mechanisms. Therefore, continuous monitoring, updating the detection model with new data, and incorporating additional security measures are recommended to maintain effective IP spoofing detection in the face of evolving threats.