Communication is the cornerstone of business and personal relationships. Today, people in offices and homes do a great deal of communicating over computer networks and expect such communication to be reliable and their data secure. Therefore, network security has become a major concern for Internet Service Providers (ISPs) and company network administrators. Network security seeks to prevent hackers from attacking a network and disrupting the flow of communication, productivity, and overall service.
Hacker is a slang term used to refer to individuals who attack or gain unauthorized access to computer systems for the purpose of manipulating and/or stealing data and/or disrupting the flow of data in and out of a network. Hacking can occur from within or from outside the network being hacked and requires knowledge of how a network is organized.
Network communication is best explained by using the International Organization for Standardization (ISO) standard referred to as Open Systems Interconnection (OSI). OSI is a standard for worldwide communications that defines a networking framework for implementing protocols in seven layers. Its purpose is to guide product implementers so that their products interoperate consistently with other products.
The OSI seven layers are as follows: Application Layer 7, Presentation Layer 6, Session Layer 5, Transport Layer 4, Network Layer 3, Data Link Layer 2, and Physical Layer 1. For example, a Local Area Network (LAN) connected to a subscriber network by an Ethernet switch is considered to be in the Network Layer 3. The Data Link Layer 2 includes two sublayers, a Logical Link Control (LLC) sublayer and a Media Access Control (MAC) sublayer. The MAC sublayer interfaces directly with the network media, such as Ethernet switches, routers, or subscriber access devices, through a MAC address. A MAC address is a hardware address that uniquely identifies each node or device on a network, whereas an Internet Protocol (IP) address is a virtual identifier of a user or computer on a Transmission Control Protocol/Internet Protocol (TCP/IP) network. These addresses and other transmission information are found in the network packets sent and received by network users.
FIG. 1 shows typical network packet protocol fields, here those of an Address Resolution Protocol (ARP) packet. The protocol address space 102 specifies the type of protocol or packet type, such as IP. The operation code 104 specifies whether the packet is an ARP request packet or an ARP reply packet. The hardware address of the sender 106 and the protocol address of the sender 108 are the sender's MAC address and IP address, respectively. An IP address is an identifier for a computer or device on a TCP/IP network, and networks using the TCP/IP protocols route packets based on the IP address of the destination. The protocol address of the target 112 is the destination IP address of the machine the sender is trying to contact. Because the purpose of an ARP request packet is to resolve the target MAC address, the hardware address of the target 110 is undefined in a request packet and is only defined in an ARP reply packet.
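The field layout just described, as an added example that is not part of the original text: a parser for the ARP body (RFC 826 layout for Ethernet/IPv4), with the sample request and reply constructed here rather than captured. The `hardware_addresses` helper applies the point above: field 110 carries no information in a request, so a monitor or cache must only read it from a reply.

```python
import struct
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2

@dataclass
class ArpPacket:
    protocol_type: int   # field 102: protocol/packet type, 0x0800 = IP
    opcode: int          # field 104: 1 = ARP request, 2 = ARP reply
    sender_hw: bytes     # field 106: sender MAC address
    sender_proto: bytes  # field 108: sender IP address
    target_hw: bytes     # field 110: target MAC (undefined in a request)
    target_proto: bytes  # field 112: target IP address

def parse_arp(body: bytes) -> ArpPacket:
    """Parse an Ethernet/IPv4 ARP body (the bytes after the Ethernet header)."""
    if len(body) < 8:
        raise ValueError("truncated ARP header")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", body[:8])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if len(body) < 8 + 2 * (hlen + plen):
        raise ValueError("truncated ARP addresses")
    fields, off = [], 8
    for size in (hlen, plen, hlen, plen):   # fields 106, 108, 110, 112 in order
        fields.append(body[off:off + size])
        off += size
    return ArpPacket(ptype, oper, *fields)

def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def hardware_addresses(pkt: ArpPacket) -> dict:
    """Field 106 is always meaningful; field 110 is defined only in a reply,
    so it is reported as None for a request rather than trusted."""
    target = fmt_mac(pkt.target_hw) if pkt.opcode == ARP_REPLY else None
    return {"sender": fmt_mac(pkt.sender_hw), "target": target}

# Constructed sample bodies (not captured traffic):
# host 192.168.1.10 asks who has 192.168.1.1; the gateway answers.
REQUEST = bytes.fromhex("0001080006040001" "001122334455" "c0a8010a"
                        "000000000000" "c0a80101")
REPLY = bytes.fromhex("0001080006040002" "aabbccddeeff" "c0a80101"
                      "001122334455" "c0a8010a")
```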
Routers and switches are the typical devices for handling packet transmission into and out of networks. A router is a device or, in some cases, software, that determines the next network point to which a packet should be forwarded toward its destination. This device is also called a gateway, and it serves as the entrance into the network. A router is connected to at least two networks and decides which way to send each packet based on its current understanding of the state of the networks it is connected to. A switch is a device that filters and forwards packets to LAN segments and supports any packet protocol (e.g., ARP or IP). Generally, a switch includes the function of a router, which creates and maintains a routing or forwarding table of the available routes and their conditions for correctly forwarding packets. Many attacks are designed to take advantage of these gateway functions.
Firewall systems are the most common defense against unauthorized access to or from a network. Firewalls can be implemented in hardware, in software, or in a combination of both. All messages entering or leaving the network pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. Two common firewall techniques are packet filtering and the use of a proxy server. Proxy servers intercept all messages entering and leaving the network and effectively hide the true network addresses of users behind the firewall, thus keeping an outside attacker from misappropriating a user's IP address. Packet filtering examines each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure and susceptible to IP spoofing. IP spoofing is one technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must find an IP address of a trusted host and then modify the packet header information so that the packets appear to come from that host. Consequently, the forged packets are erroneously forwarded, creating a gap in network security.
FIG. 2 shows a common method of network ingress filtering. As discussed above, packet filtering is a common firewall technique to prevent unauthorized access to or from a network. In this method, a provider assigns a user an IP address from a range of available IP addresses and records which IP address is assigned to which user (step 202). The provider gateway waits for the arrival of a new packet from the user (step 204). When a new packet arrives at the gateway device, the source IP address of the user packet is extracted (step 206). If the source IP address of the packet resides within the provider's assigned range of IP addresses (step 208), the packet is forwarded towards its destination (step 212). If the source IP address of the packet does not reside within the provider's assigned range of IP addresses (step 208), the packet is discarded (step 210). Although this method prevents an attack using forged source IP addresses that do not conform to the ingress filtering rules, it does not protect against flooding attacks that originate from valid IP addresses using a spoofed MAC address. A flooding attack is an excessive transmission of packet traffic that results in a denial of service due to excessive consumption of provider network resources.
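Steps 204 through 212 of FIG. 2 as an added example (not part of the original text), run over a constructed traffic sample. The provider range and the `mac_spread` monitor are assumptions added here; the monitor only makes visible the gap the paragraph names, that a valid source IP fronting many source MACs passes the filter untouched.

```python
import ipaddress
from collections import defaultdict

# Constructed provider data: the range from which addresses are assigned
# and recorded at step 202 (sample values, not from a real network).
PROVIDER_RANGE = ipaddress.ip_network("203.0.113.0/24")

def ingress_filter(packet: dict) -> str:
    """Steps 204-212: extract the source IP and forward the packet only if it
    lies within the provider's assigned range; otherwise discard it."""
    src = ipaddress.ip_address(packet["src_ip"])   # step 206
    if src in PROVIDER_RANGE:                       # step 208
        return "forward"                            # step 212
    return "discard"                                # step 210

def mac_spread(packets: list) -> dict:
    """Count distinct source MACs per forwarded source IP. Ingress filtering
    never looks at the MAC, so this is what it misses: one valid IP behind
    many MACs is the flood pattern described in the text."""
    seen = defaultdict(set)
    for p in packets:
        if ingress_filter(p) == "forward":
            seen[p["src_ip"]].add(p["src_mac"].lower())
    return {ip: len(macs) for ip, macs in seen.items()}

def verdicts(packets: list) -> list:
    return [ingress_filter(p) for p in packets]

# Constructed traffic sample.
PACKETS = [
    {"src_ip": "203.0.113.10", "src_mac": "00:11:22:33:44:55"},  # legitimate user
    {"src_ip": "198.51.100.7", "src_mac": "00:11:22:33:44:55"},  # forged source IP
    {"src_ip": "203.0.113.11", "src_mac": "00:11:22:33:44:66"},  # legitimate user
] + [  # valid source IP cycling spoofed source MACs: passes the filter
    {"src_ip": "203.0.113.10", "src_mac": f"de:ad:be:ef:00:{i:02x}"}
    for i in range(20)
]
```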
Approaches to network security often depend on what type of IP address lease scheme an Internet service provider employs. An Internet service provider (provider) can offer two types of IP addresses to its users, a static IP address and a dynamic IP address. In either case the provider has a fixed range of valid IP addresses it can offer. In the case of a static IP address, a provider will assign or lease, for a mutually agreed upon term, a fixed IP address. This allows a user to register a domain name and have the name associated with its fixed IP address. Alternatively, the provider may dynamically assign an IP address to the user by using a Dynamic Host Configuration Protocol (DHCP) server. In this case, the DHCP server assigns an IP address from the provider's valid range of IP addresses each time the user logs on to the provider network by sending a DHCP request packet. Ideally, in either case, only one IP address is assigned per user MAC address. An issue arises in the dynamic case, however, when a user forges or spoofs a MAC address within the IP address request. When done repeatedly, this attack causes the DHCP server to assign all its available IP addresses to fictitious MAC addresses, leaving none available for legitimate users.
FIGS. 3A and 3B illustrate current methods of handling spoofed MAC and IP addresses in the case of a dynamically assigned IP address. These methods are implemented by a DHCP relay agent coupled to a DHCP server. The server determines whether assigning an IP address is appropriate and updates the database if necessary. The database contains the IP address, the MAC address, and a remote identification (ID). The remote ID is a field that identifies the remote host or user and might be a caller ID, a modem ID, or a user name prompted for by a remote access server.
FIG. 3A shows a method of preventing a DHCP exhaustion attack by spoofed MAC addresses. A DHCP exhaustion attack consists of a hacker spoofing MAC addresses within individual DHCP request packets until the server has assigned all available IP addresses. As shown in FIG. 3A, a new connection, or more specifically an IP address, is requested from the DHCP server (step 302). Once the request packet has been received, the DHCP server extracts the MAC address from within the DHCP request and checks whether the MAC address is already associated with the remote ID in the database (step 304). If the MAC address is already associated with the remote ID, the DHCP server re-offers the same IP address that is in the lease database (step 306). If the MAC address is not associated with a remote ID, the DHCP server verifies (step 304) that the number of IP addresses has not been exceeded for this subscriber before assigning a new lease (step 308).
FIG. 3B illustrates a current method by which an edge device implementing a DHCP relay agent deals with forged IP addresses. After the DHCP server assigns an IP address to the user and creates a remote ID entry (step 310), the edge device receives packets from the user, extracts source and destination information, and accesses the database (step 312). The edge device checks whether the source IP address within the packet transmitted by the user is associated with the remote ID (step 314). If the IP address is not associated with the remote ID, the edge device discards the packets accordingly (step 316). If the IP address is associated with the remote ID, the packets are forwarded toward their destination (step 318).
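The FIG. 3A lease logic (steps 302 to 308) and the FIG. 3B edge check (steps 312 to 318) together, as an added example that is not part of the original text. The per-subscriber lease cap, the pool size and the remote ID and MAC values are assumptions constructed for the demonstration; the text names no such numbers.

```python
from dataclasses import dataclass, field

# Assumed values: the text names no per-subscriber limit or pool size.
MAX_LEASES_PER_SUBSCRIBER = 2
POOL = [f"203.0.113.{i}" for i in range(10, 14)]   # constructed pool of four addresses

@dataclass
class LeaseDB:
    """The relay agent's database of IP address, MAC address and remote ID,
    kept here as remote_id -> {mac: ip}."""
    leases: dict = field(default_factory=dict)
    free: list = field(default_factory=lambda: list(POOL))

    def request(self, remote_id: str, mac: str):
        """FIG. 3A, steps 302-308. Returns the offered IP, or None if refused."""
        subscriber = self.leases.setdefault(remote_id, {})
        if mac in subscriber:                             # step 304: MAC already bound
            return subscriber[mac]                        # step 306: re-offer same lease
        if len(subscriber) >= MAX_LEASES_PER_SUBSCRIBER:  # step 304: subscriber at cap
            return None
        if not self.free:                                 # pool exhausted
            return None
        ip = self.free.pop(0)                             # step 308: assign a new lease
        subscriber[mac] = ip
        return ip

    def edge_forward(self, remote_id: str, src_ip: str) -> bool:
        """FIG. 3B, steps 312-318: forward only if the packet's source IP is
        bound to the remote ID the packet arrived on."""
        return src_ip in self.leases.get(remote_id, {}).values()

def demo() -> dict:
    db = LeaseDB()
    legit = db.request("line-A", "00:11:22:33:44:55")
    # line-B cycles five spoofed MACs (constructed); the cap bounds what it gets.
    granted = [ip for ip in (db.request("line-B", f"de:ad:be:ef:00:{i:02x}")
                             for i in range(5)) if ip]
    return {
        "legit": legit,
        "granted_to_B": len(granted),
        "free_left": len(db.free),
        "reoffer_same": db.request("line-A", "00:11:22:33:44:55") == legit,
        "forged_src_ip_forwarded": db.edge_forward("line-B", legit),
        "own_ip_forwarded": db.edge_forward("line-A", legit),
    }
```

Without the cap at step 304, line-B's five requests would drain the four-address pool; with it, two addresses remain bound to line-B and one stays free for the next legitimate user.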
However, neither of the methods discussed above addresses a denial of service attack created by spoofed source MAC addresses in a layer 2 network after a static or dynamic IP address has been assigned. A spoofed MAC address is harmless in a layer 3 network because the MAC address is not seen beyond the first-hop router. In a layer 2-based network, however, spoofed MAC addresses may cause incorrect forwarding decisions and overflows in the forwarding tables on the provider's switches and bridges.