
Research On Backwards Compatible Approaches To Prevent Cache Poisoning In Man-In-The-Middle Attack

Posted on: 2015-05-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y H Haider Salim
GTID: 1228330428965763
Subject: Computer application technology

Abstract/Summary:
Driven by developments in many fields of life, the need for computer networks has grown steadily, and the Internet was created to connect the hundreds of thousands of interconnected networks distributed across the world. Sharing resources such as hardware, software, data, and information over these networks, however, has raised serious security concerns.

Today the Man-in-the-Middle attack is considered one of the biggest threats to computer network resources. The attack is carried out by spoofing a host on a network: a malicious device on the same network pretends to be a trusted host. Once an attacker has successfully impersonated another host, he can read, modify, and damage the victim's messages before forwarding them to the destination device.

One technique for spoofing a host on a network is the ARP cache poisoning attack. ARP poisoning exploits the way IP addresses are translated to hardware Ethernet (MAC) addresses. ARP is a stateless protocol: it accepts responses without having sent a request. An attacker who wants to receive traffic destined for another host can send forged ARP responses that map any chosen IP address to the attacker's MAC address.
Machines that receive these spoofed ARP responses cannot distinguish them from legitimate ones and begin sending packets to the attacker's MAC address.

Using the DNS cache poisoning attack, on the other hand, an attacker can introduce forged DNS information into the cache of a domain name resolver, with the goal of manipulating the resolver's data so as to make a service unavailable or to divert traffic to the wrong destination; this is a real threat to Internet users today.

Several schemes have been proposed to solve the cache poisoning problem for ARP and DNS, but none has been deployed on a large scale. Some of the earlier schemes are not backwards compatible because they rely on cryptographic techniques, which require wide changes to the classic ARP/DNS protocols and add complexity. Manual methods are laborious for administrators, expensive, and a heavy burden. The dynamic detection approach was proposed as an alternative for managing cache poisoning, but it produces many false-positive warnings that report non-existent attacks to the network administrator.

In this dissertation I address the cache spoofing attacks that result from the insecurity of the ARP and DNS protocols.

The first solution is a prevention methodology that improves the security of DNS. The proposed scheme, "Adaptive Caching Approach to Prevent DNS Cache Poisoning Attack (ACDNS)", relies on a caching mechanism to prevent these attacks, because I found that adjusting the caching strategy leads to better security as well as higher efficiency. ACDNS is designed to be backwards compatible with the current DNS standards and fully consistent with the basic protocol processes and infrastructure.
In particular, my modifications concern only the caching timing: a delay is added before the answer to an issued DNS query is cached. When a new mapping needs to be stored, ACDNS waits until this period expires; if another DNS answer with the same TXID arrives during the added interval, ACDNS drops these packets and then sends a new query carrying a different TXID. I compare the performance of ACDNS with that of DNS and show that this methodology completely protects domain name resolvers against cache poisoning attacks, while the latency distribution of ACDNS stays very close to the query resolution latency of plain DNS. Because the original DNS query processes are fully compatible with ACDNS, the proposal can be deployed incrementally: any single DNS server can implement the modifications, since ACDNS requires no major changes to the existing DNS infrastructure at any level.

The second solution is also dedicated to the DNS protocol and introduces a scheme named "GDR: Protecting against DNS Cache Poisoning Attacks (GDNS)" for resolving domain names. The GDNS design consists of two phases. The first is the Gratuitous DNS Request (GDR) phase, in which GDNS sends DNS queries only for cached domain names whose entries have expired, in order to refresh them. That is, it automatically re-queries recently used domain names to renew their cached records and so increases the cache hit rate. GDNS can thereby ensure that the ZS's cache memory keeps the information for recent domains, reducing DNS resolution time without having to issue a referral to an authoritative top-level domain (TLD) server for every DNS request received.
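The caching-timing rule of ACDNS (hold a received answer for a wait interval, drop it and re-query with a fresh TXID if a second answer with the same TXID arrives inside the interval) and the GDR refresh phase (re-query recently used names whose cached records have expired), modelled as an added example. This is not code from the dissertation; the class and method names, the 0.5 s wait value, and the constructed names and addresses are assumptions made here, and the network send/receive side is reduced to method calls with an explicit clock so the logic can be followed step by step.

```python
from dataclasses import dataclass, field

# Constructed model of two mechanisms from the abstract: the ACDNS
# "caching-timing" rule and the GDR refresh phase. Every identifier here and
# the WAIT_SECONDS value are assumptions for illustration only.

WAIT_SECONDS = 0.5  # assumed length of the delay added before caching an answer


@dataclass
class Pending:
    """An answer held back until its wait interval has elapsed."""
    txid: int
    ip: str
    ttl: float
    received_at: float
    poisoned: bool = False  # set when a second answer with the same TXID arrives


@dataclass
class DelayWindowCache:
    cache: dict = field(default_factory=dict)        # name -> (ip, expires_at)
    pending: dict = field(default_factory=dict)      # name -> Pending
    outstanding: dict = field(default_factory=dict)  # name -> TXID of the open query
    next_txid: int = 1000

    def issue_query(self, name):
        """Open a query for `name` with a fresh TXID (the send itself is not modelled)."""
        txid = self.next_txid
        self.next_txid += 1
        self.outstanding[name] = txid
        return txid

    def on_answer(self, name, txid, ip, ttl, now):
        """Process an incoming answer; returns 'held', 'dropped' or 'ignored'."""
        if self.outstanding.get(name) != txid:
            return "ignored"                    # no open query with that TXID
        p = self.pending.get(name)
        if p is None:
            self.pending[name] = Pending(txid, ip, ttl, now)
            return "held"                       # start the wait interval
        p.poisoned = True                       # duplicate TXID inside the window
        return "dropped"

    def tick(self, now):
        """Close wait windows that have elapsed. A clean answer is cached; a name
        that saw a duplicate TXID is re-queried with a new TXID and not cached."""
        committed, requeried = [], []
        for name, p in list(self.pending.items()):
            if now - p.received_at < WAIT_SECONDS:
                continue
            del self.pending[name]
            del self.outstanding[name]
            if p.poisoned:
                self.issue_query(name)
                requeried.append(name)
            else:
                self.cache[name] = (p.ip, now + p.ttl)
                committed.append(name)
        return committed, requeried

    def refresh_expired(self, now):
        """GDR phase: re-query cached names whose records have expired so the
        cache keeps recently used domains without waiting for a client miss."""
        names = [n for n, (_, exp) in self.cache.items()
                 if exp <= now and n not in self.outstanding]
        for n in names:
            self.issue_query(n)
        return names

    def resolve(self, name, now):
        """Return the cached address for `name`, or None if absent or expired."""
        entry = self.cache.get(name)
        if entry is not None and entry[1] > now:
            return entry[0]
        return None


if __name__ == "__main__":
    c = DelayWindowCache()
    t = c.issue_query("victim.test")
    print(c.on_answer("victim.test", t, "198.51.100.9", 60, now=1.0))  # held
    print(c.on_answer("victim.test", t, "192.0.2.20", 60, now=1.1))    # dropped
    print(c.tick(now=1.6))                                             # ([], ['victim.test'])
```

The wait interval is what turns a race the attacker normally wins (first answer in is cached) into a detectable event: two answers for one TXID inside the window cannot both be legitimate, so neither is trusted and the resolver retries under a TXID the attacker has not seen.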
The second phase is the caching timing used in the first solution: a period of time is added before the received answer is cached, for detecting and defending against DNS cache poisoning. The GDR algorithm consequently provides two benefits. First, it offers an efficient technique for attaining close-to-optimal performance in resolving domain names. Second, GDR significantly reduces the query resolution latency of GDNS that would otherwise result from adding a delay before caching the received answer. The experiments demonstrate that GDNS prevents cache poisoning attacks efficiently, and the results show that GDNS greatly reduces the domain name resolution time, with DNS resolution latency used as the performance metric.

The third solution is devoted to preventing ARP poisoning. A "Client/Server based Intrusion Detection System (CSIDS)" is proposed and implemented for detecting and defending against ARP poisoning attacks. The main idea is to monitor received ARP packets; when a suspicious ARP packet is detected, a resolution message is exchanged between the CSIDS components (client and server) on the same network. The resolution messages allow CSIDS to identify malicious packets before the ARP cache is updated or a response packet is sent to the sender. Every abnormal packet is forwarded to the CSIDS server, which checks it and, if necessary, runs a vote among all CSIDS components on the network before deciding whether to reply to the requesting host with a positive or a negative packet. To evaluate the detection and prevention capability of CSIDS, I compare its performance with that of the normal ARP implementation.
All the results show that CSIDS is easy to implement and can be applied on a LAN to provide strong security.

The fourth solution presents a sound and inexpensive scheme. The suggested mechanism, the "Gratuitous Decision Packet System (GDPS)", likewise aims to overcome the insecurity of the ARP protocol in order to prevent IP address spoofing. GDPS pursues two main goals: (1) detecting suspicious ARP packets by monitoring all received ARP packets, and (2) discriminating between the legitimate and the malicious host by sending a modified ARP request. In this scheme I concentrate on the communication mapping of ARP, which can serve as a technique to enhance ARP security. Because GDPS sends a set of modified ARP requests, it can calculate a response cost, namely the average response time and the number of ARP reply packets, for the two competing MAC addresses, and so distinguish the legitimate MAC from the attacker's. The results show that the attacker's machine sends twice as many ARP reply packets as the victim.

To perform a security analysis of all the above schemes I extended the NS-2 framework to include these protocols and then carried out various comparisons with the normal implementations of ARP and DNS.

To conclude, my schemes have several important merits: (1) they prevent the common cache poisoning attacks efficiently; (2) they are backwards compatible with the current ARP and DNS standards; (3) they use no cryptography and avoid single-point-of-failure problems; (4) they are easy to apply and low in cost; (5) the GDNS approach greatly reduces DNS resolution latency; and (6) the third and fourth solutions are suited to running in a dynamic (DHCP) environment.
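The ARP-side checks of the third and fourth solutions, modelled as an added example that is not code from the dissertation: a passive monitor that flags an ARP packet before the cache is touched (unsolicited reply, or a sender MAC that conflicts with the binding already held), the CSIDS-style majority vote over the bindings reported by the other components, and the GDPS response-cost computation over replies to a burst of probe requests, with the decision rule taken from the abstract's reported observation that the attacker's machine answers with twice as many replies. All identifiers, the reply latencies and the MAC addresses are constructed here for illustration; the probe burst itself is represented only by its observed replies.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean

# Constructed model of the CSIDS monitoring/voting steps and the GDPS
# response-cost decision. Names, addresses and latencies are assumptions.


@dataclass(frozen=True)
class ArpPacket:
    op: str           # "request" or "reply"
    sender_ip: str
    sender_mac: str


class ArpMonitor:
    """Check run on every received ARP packet before the OS cache is updated."""

    def __init__(self):
        self.table = {}         # ip -> mac accepted so far
        self.awaiting = set()   # ips for which this host has an open request

    def send_request(self, ip):
        """Record that a request for `ip` is outstanding (send not modelled)."""
        self.awaiting.add(ip)

    def inspect(self, pkt):
        """None if the packet is consistent with known state; otherwise a reason
        string, meaning the packet is escalated instead of applied to the cache."""
        if pkt.op == "reply" and pkt.sender_ip not in self.awaiting:
            return "unsolicited reply"
        known = self.table.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            return (f"binding conflict: {pkt.sender_ip} is {known}, "
                    f"packet claims {pkt.sender_mac}")
        return None

    def accept(self, pkt):
        """Apply a packet that passed inspection (or was cleared by resolution)."""
        self.table[pkt.sender_ip] = pkt.sender_mac
        self.awaiting.discard(pkt.sender_ip)


def majority_vote(reports):
    """reports: {component_id: mac} - the MAC each CSIDS component currently
    holds for the disputed IP. Returns the MAC with the most votes."""
    mac, _ = Counter(reports.values()).most_common(1)[0]
    return mac


def response_cost(replies):
    """replies: list of (mac, seconds) for each reply observed after a burst of
    modified ARP requests. Returns {mac: (reply_count, mean_latency)}."""
    per_mac = {}
    for mac, secs in replies:
        per_mac.setdefault(mac, []).append(secs)
    return {mac: (len(v), mean(v)) for mac, v in per_mac.items()}


def choose_legitimate(costs):
    """Decision rule from the reported observation: the host answering the probe
    burst with the fewer replies is taken as the legitimate owner of the IP."""
    return min(costs, key=lambda m: costs[m][0])


# Constructed replies to a burst of three probes: the legitimate host answers
# each once, the spoofing host answers each twice.
LEGIT_MAC = "02:00:00:00:00:01"
OTHER_MAC = "02:00:00:00:00:02"
PROBE_REPLIES = [
    (LEGIT_MAC, 0.010), (OTHER_MAC, 0.003), (OTHER_MAC, 0.004),
    (LEGIT_MAC, 0.012), (OTHER_MAC, 0.003), (OTHER_MAC, 0.005),
    (LEGIT_MAC, 0.011), (OTHER_MAC, 0.004), (OTHER_MAC, 0.003),
]

if __name__ == "__main__":
    m = ArpMonitor()
    m.send_request("192.0.2.1")
    m.accept(ArpPacket("reply", "192.0.2.1", LEGIT_MAC))
    print(m.inspect(ArpPacket("reply", "192.0.2.1", OTHER_MAC)))  # unsolicited reply
    costs = response_cost(PROBE_REPLIES)
    print(costs, "->", choose_legitimate(costs))
```

In a deployment the monitor's escalation would be the resolution message to the server, the vote would run over the bindings the other components hold, and the probe burst would be sent only for the IP in dispute; the count-based rule is the one the abstract reports, so the mean latency is kept in the cost tuple for inspection but does not drive the decision here.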
Keywords/Search Tags: Man-In-The-Middle attack, Cache Poisoning attack, DNS, ARP, Network and Information Security, Performance