136 research outputs found

    ARP cache poisoning mitigation and forensics investigation

    Address Resolution Protocol (ARP) cache spoofing or poisoning is an OSI layer 2 attack that exploits the statelessness vulnerability of the protocol to make network hosts susceptible to issues such as Man in the Middle attack, host impersonation, Denial of Service (DoS) and session hijacking. In this paper, a quantitative research approach is used to propose forensic tools for capturing evidences and mitigating ARP cache poisoning. The baseline approach is adopted to validate the proposed tools. The evidences captured before attack are compared against evidences captured when the network is under attack in order to ascertain the validity of the proposed tools in capturing ARP cache spoofing evidences. To mitigate the ARP poisoning attack, the security features DHCP Snooping and Dynamic ARP Inspection (DAI) are enabled and configured on a Cisco switch. The experimentation results showed the effectiveness of the proposed mitigation technique.

    Application of PSVR-DNS Algorithm for Attacker Detection and Isolation

    The DNS (Domain Name System) is used to map and convert human-friendly domain names to the numeric IP (Internet Protocol) addresses. As with the operation of any communication system, there are some security risks associated with the operation of DNS. Actions targeting the availability or stability of a network's DNS service are considered DNS attacks. For example, a high volume of traffic and a large number of requests coming to DNS servers are part of a type of DoS (Denial of Service) attack that uses DNS for amplification. Although most DNS servers are open source, some commercial protective DNS services are available for network traffic control, filtering and automatic blocking of requests to undesirable, dangerous or malicious internet domains, but the price of such services is high. In this paper, a new PSVR-DNS (Probability Support Vector Regression-Domain Name System) algorithm is proposed for the purpose of detecting and isolating attackers who pose a threat to an uninterrupted work of the DNS servers. The main focus is on the prevention of the DNS cache poisoning. The collected results showed that the proposed PSVR-DNS algorithm achieves better performance related to faster detection and isolation of attacks compared to some existing algorithms.

    An Analysis of Selected IPv6 Network Attacks

    This master's thesis analyses and demonstrates selected IPv6 attacks including two Man-in-the-Middle attacks and one Denial of Service attack - Rogue Router Advertisement, Neighbor Cache Poisoning and Duplicate Address Detection DoS, respectively. In the first part the author presents necessary information related to the issue and provides detailed information on how to realize these attacks in practice using publicly available tools. The second part of the thesis presents various ways of mitigating presented attacks, analyses implementations of some of those countermeasures on Cisco and H3C devices and discusses their applicability.

    Security in software defined networks
