International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)
Web Site: www.ijettcs.org Email: editor@ijettcs.org
Volume 3, Issue 3, May-June 2014 ISSN 2278-6856
Volume 3, Issue 3 May-June 2014 Page 19

The Centralized Web Based Allocation and Management Approach towards Private IP Addressing for providing Mobility and Security

Alok Pandey 1, Dr. Jatinderkumar R. Saini 2
1 Sr. Systems Manager, Department of Computer Science Engineering, Birla Institute of Technology Mesra, Jaipur Campus, Rajasthan, INDIA.
2 Director (I/C) & Associate Professor, Narmada College of Computer Application, Bharuch, Gujarat, INDIA.

Abstract: Two of the most widely used protocols of the TCP/IP suite are HTTP (Hyper Text Transfer Protocol) and DHCP (Dynamic Host Configuration Protocol). Both of them operate in the client-server environment. HTTP is a widely used protocol for web based communication and is used for the majority of intranet and internet based applications, whereas DHCP is used for the allocation and management of IP addresses for individual clients. In this paper we try to mix the best of both worlds and develop a new web based mechanism which could be implemented in intranet and internet environments. The implementation of this proposal will provide mobility to the user and at the same time enhance the security features and facilitate an improved management and monitoring mechanism for private IP allotment in a large organization. The proposed mechanism is a typical application focused upon the allotment and monitoring of private IPs based upon the biometric characteristics of an individual user in combination with his unique identity, which may be guaranteed by a government based organization or a widely trusted third party. Based upon the said implementation the user is always allocated the same private IP address as he moves across the geographical boundaries of the organization, across the country or even different countries.

1. INTRODUCTION
For all computer based communication the source and destination devices need to be properly identified as sender and receiver by the use of a proper identification mechanism. One such mechanism is IP addressing. IP addressing can be done both manually and automatically using DHCP. The IP addresses along with other network related parameters such as subnet mask, default gateway, IP addresses of the primary and secondary DNS servers etc. can be distributed automatically by using an application layer protocol called DHCP on the computer communication network [9]. A DHCP enabled client requests an IP address from its local DHCP server. The user is assigned an IP address from the available pool of pre-defined IP addresses by the DHCP server. The allocated IPs are returned to the pool when the user leaves the network, for reassignment to others. The dynamic address assignment mechanism of DHCP can be used for various hardware and software based computing and communication devices [5]. The assigned IP address will also change as the user reboots, changes the hardware or establishes a new session. The probability of getting the same IP address which was assigned previously is very low. Similarly, when the user moves from one of its geographic locations to another he may get a different IP address from the DHCP server for that area. This frequent change of IP address creates many problems for the user in getting connected and accessing the network based resources. Similarly, if the user gets disconnected during a downloading session then it may become difficult to recover the previous session since a new IP might be assigned to the user. It is also possible to freeze an IP address based upon the MAC address of the user device. MAC addresses are the actual addresses for the network terminal host [3]. Therefore whenever such a user sends a request for a new IP address, his MAC address is searched for in the table and such a user is always facilitated by the assigned dedicated IP address. The concept works as long as the user continues to use the same device. Once a user changes the device or if the user moves out of the local network, it will not be possible for the user to get the same IP.

2. WHAT IS DHCP?
Computers around the world are connected via IP networks. Each IP network has several interconnected computers. In order to be connected and to communicate with each other the systems need IP addresses. The IP addresses can be set up manually by the network administrator or automatically assigned by using DHCP. DHCP is a network protocol which helps the host machine to get access to an IP network. It is a widely used protocol which allows hosts on a TCP/IP network to dynamically obtain basic configuration information like IP address, subnet mask, default gateway, primary and secondary DNS server, etc. automatically from a DHCP server. DHCP helps in avoiding the manual process of configuring the necessary parameters on each system. The network admin does not need to go to each system and configure the addresses manually. The DHCP server maintains a list of all computers connected to the network using IP addresses at a given time and removes them from the list as the devices get disconnected or move out of the network. It also manages the issue of duplicate IP addresses, which can cause network conflicts. Dynamic Host Configuration Protocol (DHCP) is an extension of the Bootstrap Protocol (BOOTP) [1]. When a DHCP client boots up, it broadcasts a DHCP discovery packet looking for DHCP servers. The available DHCP servers on the network respond to this packet with a DHCP offer packet. The client then chooses a server to obtain TCP/IP configuration information like IP address, subnet mask, default gateway etc. The configuration information is allocated (leased) to the client for a short period of time. The client must periodically renew its lease in order to continue to use the configuration. Unfortunately the base DHCP protocol does not include any mechanism for authentication [2]. This weakness has been exploited by hackers and other antisocial elements for conducting various spurious activities by gaining access to the network using various tricks classified as DHCP spoofing attacks. Using DHCP spoofing, an untrusted client can flood a network with DHCP messages. It is a type of attack on the DHCP server to obtain IP addresses using spoofed DHCP messages. In DHCP spoofing the attacker attempts to fool the server and obtain an IP address by using fake messages to gain access.
3. TYPES OF DHCP ATTACKS
A variety of attacks can be launched, as mentioned below:
- DHCP server spoofing, where an unauthorized DHCP server provides false information to clients [4][10]
- Unauthorized clients gaining access to network based resources [4]
- Resource exhaustion attacks from malicious DHCP clients [4]
- Denial of service [6], [8], [10]
- M.I.T.M. attacks of different forms [10]
- Attacks on the DNS and other available servers [10]
- Exhaustion of valid IP addresses [8]
- Exhaustion of C.P.U. and network resources [8]
- Spoofing of IP addresses of other clients [11]
- Spoofing of MAC addresses of clients [11][13]
- Since there is no privacy protection, an eavesdropper can monitor and capture the information being exchanged on the network [12]

As the client has no way to validate the identity of a DHCP server, unauthorized DHCP servers can be operated on networks, providing incorrect information to DHCP clients. This can serve either as a denial-of-service attack, preventing the client from gaining access to network connectivity, or as a man-in-the-middle attack. Because the DHCP server provides the DHCP client with server IP addresses, such as the IP address of one or more DNS servers [4], an attacker can convince a DHCP client to do its DNS lookups through its own DNS server, and can therefore provide its own answers to DNS queries from the client. This in turn allows the attacker to redirect network traffic through itself, allowing it to eavesdrop on connections between the client and the network servers it contacts, or to simply replace those network servers with its own. Because the DHCP server has no secure mechanism for authenticating the client, clients can gain unauthorized access to IP addresses by presenting credentials, such as client identifiers, that belong to other DHCP clients. By presenting new credentials each time it asks for an address, the client can consume all the available IP addresses on a particular network link, preventing other DHCP clients from getting service.
3.1 DHCP SERVER SPOOFING ATTACK
In a DHCP server spoofing attack an unauthorized machine becomes a DHCP server on the network. The attacker could start passing unauthorized DHCP based information and gain valuable information from the connected clients on the network. For example, a rogue DHCP server could allocate default-gateway and DNS addresses pointing to a compromised machine set up with a sniffer to unsuspecting clients. The compromised machine could take all information from clients, sniff it and then forward the information on to the real default gateway. The information sniffed might include usernames and passwords and other confidential financial data being exchanged. This is often referred to as a man in the middle (MITM) attack. DHCP server spoofing gives the user spoofed access to the hijacked DHCP server. The attack aims to make the attacker's PC act as a DHCP server and then access the victim's network. This can be very risky as the users might lose valuable information because of a rogue server working in place of the actual one. An attacker can do a lot more, like copying the data, sending / distributing viruses, sniffing the network, etc.
How does a DHCP spoofing attack occur? This attack occurs when the lease period of the temporary IP expires. The system sends the DHCP Discover packet and the attacker responds to the packet. When the attacker responds to the query he can set himself as the default gateway or DNS without the knowledge of the user. This can be seen as a type of traffic interception between the user and the actual gateway. The attacker also has a chance to flood the DHCP server with DHCP offer packets, causing a DoS type attack. The IP address is pre-assigned by the attacker.
3.2 DHCP Exhaustion
This type of attack is carried out by modifying the address service on DHCP servers. Under this attack, the IP addresses are spoofed and a large number of attacks are carried out with one process. When the DHCP Discover message is broadcast from a system it also sends the MAC address with the packet data. The attacker keeps changing the MAC address of his system. By this the attacker uses up all the unallocated IP addresses, causing DHCP exhaustion of the assigned pool. As a result the user machine fails to connect with the genuine DHCP server and may be redirected to the attacker's server.
DHCP address exhaustion attack: This attack focuses on depleting the address pool on the DHCP server, thus causing a denial of service. In a DHCPDISCOVER message broadcast out from a client, there is a field called chaddr which is the client hardware address or MAC address. The chaddr field is set to the source MAC address of the client by default. If an attacker constantly keeps changing his MAC address, he could keep requesting different addresses from the DHCP pool and eventually deplete it. Fortunately, port security helps mitigate this attack. However, if a client keeps the same MAC address but simply changes the chaddr field to something unique on every request, an attacker could just as well exhaust all DHCP addresses in the pool without causing a port security violation. The pool could become depleted and legitimate users may not be able to obtain address leases.
3.3 IP Address Hijacking
Normally, when a client is done with an address leased to it via DHCP, it sends a DHCPRELEASE to the server to notify the server that it can go ahead and add that IP address back into the pool of available addresses. An attacker that has knowledge of an authorized IP address leased through DHCP could send a packet to the server with the DHCPRELEASE field set to that authorized IP address. The attacker could attempt to release that IP address and then take over the IP address on the network, or at least disrupt network communications.
Hijacking the IP: This is the later part, when the DHCP Discover and DHCP Offer process ends. Here the user machine sends a DHCP Release message to the server to tell the server that the IP address is provided and the user machine can access the network now. But the hijacker here has the knowledge to capture the DHCP Release packet and exploit it. He can then capture the IP and cause network disruption.
4. LITERATURE REVIEW
Different approaches have been adopted by different researchers in this direction; some of them are mentioned below:
E-DHCP: Extended Dynamic Host Configuration Protocol by Jacques Demerjian et al. [14]. In their paper the authors point out the two basic reasons which justify the need for a protocol that could manage internet addresses dynamically for the smooth functioning of networks: firstly the lack of internet addresses, which rules out the possibility of using static IP addresses, and secondly providing mobility of the equipment. As an outcome DHCP is at the centre of network architecture. They also point out one of the serious shortfalls of the DHCP protocol, protection against malicious Internet hosts, because of which DHCP is vulnerable to various types of security attacks as it lacks an authentication mechanism. Thus an intruder could also impersonate the identity of a genuine user for different unwanted anti-social activities. The authors finally suggest a mechanism that makes use of public key (asymmetric) encryption with RSA, X.509 identity certificates and attribute certificates. They also point out the need for authentication of the DHCP server itself on the network, as an intruder can also impersonate a DHCP server and send erroneous information to any local DHCP client and thus disrupt the working of the network itself by passing false information to the clients.
Next Generation Automatic IP Configuration Deployment Issues by Tomasz Mrugalski et al. [15]. Their paper also discusses the issues related to the shortfalls of well defined authentication / authorization in DHCP and recommends possible solutions in the DHCPv6 protocol. The issues related to the implementation of FQDN and poisoning of available DNS server entries for diverting traffic to a malicious host have also been discussed. The authors highlight some of the remedies, like controlling policy updates, provision of access control mechanisms, restricting clients from updating the DNS server records (only administrators can do so), provision of control over the updating of DNS resource records, and provision for failover.
Secure DHCPv6 that uses RSA Authentication integrated with Self-Certified Address by Zhiyang Su et al. [16]. This paper also highlights some of the security considerations for DHCP. The authors summarize some of the possible solutions to security concerns like MAC address to hardware binding, typically in the switches at the port level, and several other authentication methods like configuration tokens, delayed authentication, E-DHCP, and certificate based authentication based upon RSA, X.509 identity certificates, asymmetric keys and PKI, etc.
As can be seen, a lot of work has been done in terms of improving the security aspects of DHCP, but very little attention has been paid to providing both mobility and security to the user at the same time. Our focus is upon providing faster and secure mechanisms based upon simple yet effective security controls and at the same time providing mobility to the end user or the device. Some similar work has been done by Asjad Amin et al. [17]: Designing a Hierarchical DHCP servers model to automatically provide dedicated IP address anywhere in the world with mobility. In our proposed scheme the following points will be implemented.
1. The focus is upon the implementation aspect rather than designing a new protocol.
2. Our approach is confined to an organization having multiple locations of presence, which may be within the same country or different countries.
3. The proposed work is being carried out in the Indian context with reference to the government based unique identification mechanism called AADHAR.
4. Our work is based upon the implementation of a web based approach which works in the internet and intranet environment.
5. It is a combination of secure communication between different databases which store user specific information based upon biometric parameters of the user.
By securing and controlling the allotment of private IPs we try to avoid scenarios where an already allocated private IP on a network is used and exploited by an unauthorized user / hacker for carrying out different network based attacks based upon DHCP spoofing.
5. RESEARCH METHODOLOGY
A new system is proposed in our research paper in which each user will have a dedicated IP of his own with the facility to move anywhere in the organization wide network, as shown in Fig. 1.
Fig.1
Our approach is to strengthen the security and at the same time make it more versatile and user friendly by providing greater amounts of regulation [7]. We are trying to ensure that a dedicated private IP is always available for a specific user irrespective of his current location. It may be noted that with the introduction of IPv6 the number of IP addresses is no longer limited and the problem of limited IP addresses has been fairly resolved. In the proposed model we suggest a distributed recording and processing system for the DHCP servers that may be available on the organization wide network, which may span different locations across a city or a nation. The IP address as assigned by a DHCP server remains allocated to a specific user until he deregisters from the facility, thus providing mobility and enhancing security. It is proposed to mix the best of the two worlds of HTTP and DHCP for the development of the proposed model, which would better regulate and provide more user friendliness. The proposed web based mechanism could also be implemented in intranet and internet environments. The suggested model would facilitate the registration process of new users and assign them a dedicated private IP address. It would also take care of the already registered existing users and provide them with their already assigned fixed private IP address. Each user is connected through the DHCP server of the local network of the organization. These local DHCP servers are in turn connected to different sub-network level DHCP servers of the same organization, which may be located at different locations in a city or a nation. These sub-network level DHCP servers are in turn connected to the main DHCP server of the organization. The first step for any user is to get registered for the dedicated IP address facility. Once a user is registered, he is always provided with his IP address no matter which network level the user is currently in or moves to.
This is achieved by our distributed processing and administering design. The local level DHCP server maintains the data of all the registered users along with their allocated IP address, MAC address, user name, password, unique identification of the user based upon the SSN No. or AADHAR, and biometric finger scan of the user. The same is replicated to other DHCP servers at different locations across the organization wide network, which may span different locations in a city or different cities in a country. As the user attempts to log in to the network at any one of the local locations, the system asks for all the unique parameters mentioned above. It verifies and searches for the same in its local database; if found in its database the user is granted the same IP address as is recorded in the system. If the details are not found in its local database the query is passed to the next sub-network level for resolution. If found there, the details are passed back to the local network's database and recorded there for further use. The IP is granted and the access time along with the usage are recorded. A copy of the user details is also sent to the main DHCP server at the organization's top most level. If the user details are found there then they are cross verified and updated if needed; if not, then the user details are recorded here also. This provides redundancy of operation in case of any operational failures. Now when the user moves to a different location of the same organization's network, which may be in a different city, he tries to log in to the system. The system will once again prompt for the user details. The query is once again passed to the different levels of DHCP servers, starting at the local level, then being passed to the sub-network level and finally to the top most network level for resolution and updating of records. The flow chart for the proposed model is as shown in Fig. 2.
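The lookup chain described in this section (local database first, then the sub-network level, then the organization's main server, with the answer recorded at each level on the way back) can be exercised in a small simulation. The Python below is an added example written for this page, not code from the paper or its authors. The class names, the three-level topology built in build_demo(), the 10.10.0.0/24 pool and the sample identifiers are all assumptions, and the password and fingerprint template are kept only as SHA-256 hashes, which is a choice of this example rather than something the paper specifies.

```python
"""Toy model of the three-level registry: local -> sub-network -> main DHCP server.

Added example; topology, names and data layout are assumptions, not the paper's code.
"""
import hashlib
import ipaddress
from dataclasses import dataclass


def hash_secret(value):
    """Hold only a hash of the password and of the fingerprint template (assumption)."""
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class UserRecord:
    ip: str                # the dedicated private IP, never changed after registration
    mac: str               # last device seen; the user may change hardware
    username: str
    password_hash: str
    national_id: str       # AADHAR / SSN style identifier (constructed values in the demo)
    fingerprint_hash: str


class RegistryServer:
    """One DHCP server level; records are keyed by the user's unique identifier."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent      # None only for the organization's main server
        self.records = {}
        self.audit = []           # (event, location, national_id, ip, mac)

    def allocate(self, national_id, username, password, fingerprint, mac):
        raise NotImplementedError("only the main server owns the address pool")

    def register(self, national_id, username, password, fingerprint, mac):
        # Registration is forwarded up to the main server, which owns the pool;
        # every server on the path keeps a copy of the record (replication).
        if self.parent is None:
            rec = self.allocate(national_id, username, password, fingerprint, mac)
        else:
            rec = self.parent.register(national_id, username, password, fingerprint, mac)
        self.records[national_id] = rec
        return rec

    def lookup(self, national_id):
        # Resolve locally; on a miss escalate to the next level and cache the answer
        # so the next visit at this location is served from the local database.
        rec = self.records.get(national_id)
        if rec is None and self.parent is not None:
            rec = self.parent.lookup(national_id)
            if rec is not None:
                self.records[national_id] = rec
        return rec

    def main(self):
        return self if self.parent is None else self.parent.main()


class MainServer(RegistryServer):
    def __init__(self, name, pool_cidr):
        super().__init__(name)
        self.pool = ipaddress.ip_network(pool_cidr).hosts()   # generator of free addresses

    def allocate(self, national_id, username, password, fingerprint, mac):
        if national_id in self.records:
            raise ValueError("one dedicated IP per person")   # identity rule of the scheme
        return UserRecord(str(next(self.pool)), mac, username,
                          hash_secret(password), national_id, hash_secret(fingerprint))


def login(local, national_id, username, password, fingerprint, mac):
    """Return the user's dedicated IP if every presented parameter matches, else None."""
    rec = local.lookup(national_id)
    ok = (rec is not None and rec.username == username
          and rec.password_hash == hash_secret(password)
          and rec.fingerprint_hash == hash_secret(fingerprint))
    if not ok:
        local.audit.append(("DENIED", local.name, national_id, None, mac))
        return None
    rec.mac = mac   # device may have changed; the shared record is updated everywhere
    entry = ("GRANTED", local.name, national_id, rec.ip, mac)
    local.audit.append(entry)
    local.main().audit.append(entry)   # copy of the access record to the main server
    return rec.ip


def build_demo():
    """Two cities, each with a sub-network server and one local server (assumed layout)."""
    main = MainServer("main", "10.10.0.0/24")
    local_a = RegistryServer("local-A1", RegistryServer("sub-A", main))
    local_b = RegistryServer("local-B1", RegistryServer("sub-B", main))
    return main, local_a, local_b


if __name__ == "__main__":
    main, local_a, local_b = build_demo()
    local_a.register("ID-0001", "alice", "pw", "fp-alice", "00:11:22:33:44:55")
    print(login(local_a, "ID-0001", "alice", "pw", "fp-alice", "00:11:22:33:44:55"))
    print(login(local_b, "ID-0001", "alice", "pw", "fp-alice", "66:77:88:99:aa:bb"))
    print(main.audit)
```

Running login() at local-A1 and then at local-B1 returns the same dedicated address both times; the second call misses at local-B1, escalates through sub-B to the main server, and leaves a cached copy at local-B1, as the model requires. A mismatched fingerprint is denied and recorded only at the local level, while every grant is also copied to the main server's audit list.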
ADVANTAGES OF OUR PROPOSED SCHEME
1. Roaming benefits for the IP address service provider: When a person travels to a different location he may use the services of a different ISP. The local ISP can derive financial benefits for assigning the specific IP address to the client by introducing some roaming charges, which could be mutually shared amongst the various agencies involved in the process.
2. Identity verification: Each person can only get one IP address, so he must provide his national identity number at the time of a new IP address request. In the case of a large organization some special requests can be made. Such organizations can be provided with a pool of dedicated IP addresses for their employees.
Fig.2
Other Ways To Protect Against DHCP Spoofing
Some of the commonly suggested best practices in this area are:
1. For complete security do not use DHCP and configure each TCP/IP host manually, so as to avoid someone exploiting the protocol. Many big enterprises use dedicated network admins to configure the same.
2. For a DHCP attack the hijacker needs to gain access to the network. If he is not able to get into the network then he cannot do anything. For doing so the attacker will send DHCP offer packets to hijack the client PC and then convert his own system into a rogue DHCP server which will capture the data and traffic. So if the DHCP protocol is enabled on the network then adequate precautions must be taken. The IP information is refreshed within a short interval of time, which can be captured by the hijacker.
3. Configure DHCP with proper admin control. It is possible in DHCP to configure a separate group of administrators. This group has rights to make changes and authorize users for DHCP settings. This is essential for large networks. Managing tight account registration settings is essential.
4. Proper auditing is also necessary to check authorized and unauthorized access to the network.
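Item 4 above (auditing) and the attacks of sections 3.1 to 3.3 can be tied together by a check run over DHCP message records. The Python below is an added example, not code from the paper: it assumes a record format (time, switch port, source MAC as seen by the switch, message type, key=value fields) that a switch or relay might log, and the sample lines are constructed. It flags offers and acknowledgements carrying a server identifier other than the organization's authorized DHCP server, a port on which many different chaddr values appear in DISCOVER messages (the exhaustion variant that port security does not catch), and a DHCPRELEASE arriving from a different source MAC than the one the lease was acknowledged to.

```python
"""Audit DHCP message records for the three attack patterns discussed in section 3.

Added example; the log format and all sample lines are constructed, not real captures.
"""
from collections import defaultdict

AUTHORIZED_SERVERS = {"10.1.0.2"}   # constructed: the organization's real DHCP server

# Constructed sample records. One record per line:
#   <time> <switch port> <source MAC> <DHCP message type> key=value ...
SAMPLE_LOG = """
09:00:01 Gi1/0/5 00:11:22:33:44:55 DISCOVER chaddr=00:11:22:33:44:55
09:00:02 Gi1/0/1 aa:bb:cc:00:00:01 OFFER server_id=10.1.0.2 yiaddr=10.1.0.50 chaddr=00:11:22:33:44:55
09:00:02 Gi1/0/9 de:ad:be:ef:00:01 OFFER server_id=10.1.0.99 yiaddr=10.1.0.60 chaddr=00:11:22:33:44:55
09:00:03 Gi1/0/1 aa:bb:cc:00:00:01 ACK server_id=10.1.0.2 yiaddr=10.1.0.50 chaddr=00:11:22:33:44:55
09:01:00 Gi1/0/7 66:77:88:99:aa:bb DISCOVER chaddr=02:00:00:00:00:01
09:01:01 Gi1/0/7 66:77:88:99:aa:bb DISCOVER chaddr=02:00:00:00:00:02
09:01:02 Gi1/0/7 66:77:88:99:aa:bb DISCOVER chaddr=02:00:00:00:00:03
09:01:03 Gi1/0/7 66:77:88:99:aa:bb DISCOVER chaddr=02:00:00:00:00:04
09:01:04 Gi1/0/7 66:77:88:99:aa:bb DISCOVER chaddr=02:00:00:00:00:05
09:01:05 Gi1/0/7 66:77:88:99:aa:bb DISCOVER chaddr=02:00:00:00:00:06
09:02:00 Gi1/0/9 de:ad:be:ef:00:01 RELEASE ciaddr=10.1.0.50 chaddr=00:11:22:33:44:55
"""


def parse_record(line):
    """Split one record into a dict; trailing key=value fields become entries."""
    ts, port, src_mac, msg_type, *kvs = line.split()
    rec = {"ts": ts, "port": port, "src_mac": src_mac, "type": msg_type}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def analyze(log_text, authorized_servers=AUTHORIZED_SERVERS, churn_threshold=5):
    """Return a list of (alert kind, port, source MAC, detail) tuples, in log order."""
    alerts = []
    leases = {}                        # yiaddr -> chaddr, learned from authorized ACKs
    chaddr_per_port = defaultdict(set) # port -> distinct chaddr values seen in DISCOVERs
    for line in log_text.strip().splitlines():
        r = parse_record(line)
        t = r["type"]
        if t in ("OFFER", "ACK"):
            # Section 3.1: any server identifier outside the authorized set is a rogue server.
            if r.get("server_id") not in authorized_servers:
                alerts.append(("ROGUE_SERVER", r["port"], r["src_mac"], r.get("server_id")))
            elif t == "ACK":
                leases[r["yiaddr"]] = r["chaddr"]
        elif t == "DISCOVER":
            # Section 3.2: counting per port catches both a changing source MAC and a
            # fixed source MAC with a changing chaddr field; alert once at the threshold.
            seen = chaddr_per_port[r["port"]]
            seen.add(r["chaddr"])
            if len(seen) == churn_threshold:
                alerts.append(("CHADDR_CHURN", r["port"], r["src_mac"], len(seen)))
        elif t == "RELEASE":
            # Section 3.3: chaddr can be copied from the victim, so compare the frame's
            # source MAC with the MAC the lease was acknowledged to.
            owner = leases.get(r.get("ciaddr"))
            if owner is not None and r["src_mac"] != owner:
                alerts.append(("RELEASE_MISMATCH", r["port"], r["src_mac"], r["ciaddr"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample records this reports one rogue offer on port Gi1/0/9, chaddr churn on Gi1/0/7 once the fifth distinct hardware address is seen, and a release for 10.1.0.50 that did not come from the MAC holding that lease. Keying the churn count on the switch port rather than on the source MAC is what makes the check useful alongside port security rather than redundant with it.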
5. CONCLUSION
The proposed scheme will work in both intranet and internet environments. It will provide mobility to the user and at the same time enhance the security features and facilitate an improved management and monitoring mechanism for private IP allotment in a large organization. Based upon the said implementation the user is always allocated the same private IP address as he moves across the geographical boundaries of the organization, across the country or even different countries, and enjoys several benefits like less down time from the server, obtaining an SSL certificate based upon a fixed IP address, and maintaining sessions for uploading and downloading. By securing and controlling the allotment of private IPs, we try to avoid scenarios where an already allocated private IP on a network is used and exploited by an unauthorized user / hacker for carrying out different network based attacks based upon DHCP spoofing. The proposed mechanism is focused upon the allotment and monitoring of private IPs, based upon the biometric characteristics of an individual user in combination with guaranteed unique identification based upon a government based identification mechanism like AADHAR in the Indian context.
References
[1] R. Droms (October 1993). RFC 1541 - Dynamic Host Configuration Protocol. Network Working Group.
[2] Michael Patrick (January 2001). "RFC 3046 - DHCP Relay Agent Information Option". Network Working Group. http://tools.ietf.org/html/rfc3046
[3] Ling-Feng Chiang, Jiang-Whai Dai. A New Method to Detect Abnormal IP Address on DHCP. Journal of Networks, Vol. 4, No. 6, August 2009.
[4] Ralph Droms (March 1997). "RFC 2131 - Dynamic Host Configuration Protocol". Network Working Group. http://tools.ietf.org/html/rfc2131
[5] R. Droms. Automated Configuration of TCP/IP with DHCP. IEEE Internet Computing, Vol. 3, No. 4, pp. 45-53, July 1999.
[6] S. Thomson, Bellcore, T. Narten (December 1998). RFC 2462 - IPv6 Stateless Address Autoconfiguration. Network Working Group. http://tools.ietf.org/html/rfc2462
[7] Jenq-Haur Wang and Tzao-Lin Lee. Enhanced Intranet Management in a DHCP-enabled Environment. In Proc. 26th Annual International Computer Software and Applications Conference (COMPSAC 02).
[8] R. Droms, W. Arbaugh (June 2001). RFC 3118 - Authentication for DHCP Messages. Network Working Group. http://tools.ietf.org/html/rfc3118
[9] Brijesh Kadri Mohandas and Ramiro Liscano. IP Address Configuration in VANET using Centralized DHCP. In Proc. 33rd IEEE Conference on Local Computer Networks (LCN 2008), October 2008, doi: 10.1109/LCN.2008.4664252.
[10] R. Droms, J. Bound, B. Volz, T. Lemon, C. Perkins, M. Carney (July 2003). RFC 3315 - Dynamic Host Configuration Protocol for IPv6 (DHCPv6). Network Working Group. http://tools.ietf.org/html/rfc3315
[11] B. Patel, B. Aboba, S. Kelly, V. Gupta (January 2003). RFC 3456 - Dynamic Host Configuration Protocol (DHCPv4) Configuration of IPsec Tunnel Mode. Network Working Group. http://tools.ietf.org/html/rfc3456
[12] H. Schulzrinne (November 2006). RFC 4776 - Dynamic Host Configuration Protocol (DHCPv4 and DHCPv6) Option for Civic Addresses Configuration Information. Network Working Group. http://tools.ietf.org/html/rfc4776
[13] S. Cheshire, B. Aboba, E. Guttman (May 2005). RFC 3927 - Dynamic Configuration of IPv4 Link-Local Addresses. Network Working Group. http://tools.ietf.org/html/rfc3927
[14] Jacques Demerjian and Ahmed Serhrouchni. E-DHCP: Extended Dynamic Host Configuration Protocol. Département INFRES, École Nationale Supérieure des Télécommunications, 46 Rue Barrault, 75013 Paris, France.
[15] Tomasz Mrugalski, Krzysztof Nowicki and Krzysztof Wnuk. Next Generation Automatic IP Configuration Deployment Issues. Gdansk University of Technology, Gdansk, Poland & Intel Corp.
[16] Zhiyang Su (School of Electronics Engineering and Computer Science, Peking University, Beijing, China, suzhiyang@gmail.com), Hao Ma, Xiaojun Zhang and Bei Zhang (Computer Center, Peking University, Beijing, China, mah@pku.edu.cn, zxj@pku.edu.cn, zb@pku.edu.cn). Secure DHCPv6 that uses RSA Authentication integrated with Self-Certified Address.
[17] Asjad Amin, Haseeb Ahmed, Abubakar Rafique, Muhammad Junaid Nawaz, Muhammad Salahudin and Zulfiqar Ahmed. Designing a Hierarchical DHCP Servers Model to Automatically Provide Dedicated IP Address Anywhere in the World with Mobility. Department of Telecommunication and Electronic Engineering, The Islamia University of Bahawalpur, Pakistan.
AUTHORS
Alok Pandey is Senior Systems Manager and faculty member at B.I.T. (MESRA), Jaipur Campus. His qualifications include B.E. (EEE) and MBA, and he holds the certifications MCSE, RHCE, CCNA and IBM Certified E-commerce, and a Diploma in Cyber Law. He has industrial working experience of 17 years and teaching experience of 9 years in Data Communication and Computer Networks, Information Security, E-Commerce, Systems Management, ERP etc. He is also a member of CSI, IAENG and ISOC. His research interests include Computer Networks and Network Security.
Dr. Jatinderkumar R. Saini holds a Ph.D. from Veer Narmad South Gujarat University, Surat, Gujarat, India. He secured first rank in all three years of MCA in college and has been awarded gold medals for this. He is also a recipient of a silver medal for B.Sc. (Computer Science). He is an IBM Certified Database Associate-DB2 as well as an IBM Certified Associate Developer-RAD. He has presented several papers in international and national conferences supported by agencies like IEEE, AICTE, IETE, ISTE, INNS etc. One of his papers has also won the Best Paper Award. He is the chairman of many academic committees and a member of numerous national and international professional bodies and scientific research academies and organizations.