
IMPLEMENTING PREVENTIVE MECHANISM FOR ICMP FLOOD ATTACK USING GNS3

ABSTRACT

Computer network attacks have increased drastically. These attacks exploit loopholes in the security and setup of networks. One of the most common and dangerous attacks is the ICMP flood attack, which leads to denial of service. ICMP flood is a DoS attack used mainly for attacking a target system. The main purpose of an ICMP flood is to crash the target system by sending request packets continuously, flooding the victim system with packets and thereby reducing its capacity to send data under normal traffic. Generally, attackers send request packets in high numbers with a fake source address so that it appears to be a victim's address. The network bandwidth is consumed quickly, and this also prevents legitimate packets from reaching their destination. In this paper we mainly focus on the ICMP flood attack on a network and the mechanism to overcome the attack in order to protect the network. In order to secure the computer network, some policies have to be described. The internal network is secured by implementing and establishing policies. This can be observed by testing in the GNS3 simulator, which provides a graphical user interface to simulate complex networks while staying as close as possible to the way real networks and devices perform.

EXISTING SYSTEM:

By definition, a Mobile Ad hoc Network (MANET) is a collection of mobile nodes equipped with both a wireless transmitter and a receiver that communicate with each other via bidirectional wireless links, either directly or indirectly. Unfortunately, the open medium and remote distribution of MANETs make them vulnerable to various types of attacks. For example, due to the nodes' lack of physical protection, malicious attackers can easily capture and compromise nodes to achieve attacks. In particular, considering the fact that most routing protocols in MANETs assume that every node in the network behaves cooperatively with other nodes and is presumably not malicious, attackers can easily compromise MANETs by inserting malicious or non-cooperative nodes into the network.

A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. There are several kinds of DoS attacks; the popular ones are as follows: ICMP flood attack, Teardrop attacks, SYN flood attack, Land attacks, Smurf attacks, Distributed DoS attacks. The above-mentioned DoS attacks are used by attackers to affect a target system. The ICMP flood attack is one of the most dangerous attacks among all of them. In this paper we mainly focus on the pinging of ICMP echo request and echo response messages.

DISADVANTAGES OF EXISTING SYSTEM:

The Watchdog scheme fails to detect malicious misbehaviors in the presence of the following: 1) passive attack collisions; 2) active attack collisions; 3) limited transmission power; 4) false misbehavior DoS attacks; 5) insider attacker collusion; and 6) partial packet dropping.

The TWOACK scheme successfully solves the receiver collision and limited transmission power problems posed by Watchdog. However, the acknowledgment process required in every packet transmission process added a significant amount of unwanted network overhead. Due to the limited battery power of MANETs, such a redundant transmission process can easily degrade the life span of the entire network.

There are different existing mechanisms available for the detection of ICMP flood attack. They are as follows: 1) Signature-based Detection System, 2) Extensions to ICMP Messages, Cryptographic Techniques. The proposed algorithm is the solution for the loopholes present in the existing mechanisms.
PROPOSED SYSTEM:

In this paper, we develop an accurate algorithm for detecting selective packet drops made by insider attackers. Our algorithm also provides truthful and publicly verifiable decision statistics as proof to support the detection decision. The high detection accuracy is achieved by exploiting the correlations between the positions of lost packets, as calculated from the auto-correlation function (ACF) of the packet-loss bitmap, a bitmap describing the lost/received status of each packet in a sequence of consecutive packet transmissions. In fact, many of the existing IDSs in MANETs adopt an acknowledgment-based scheme, including TWOACK and AACK. The functions of such detection schemes all largely depend on the acknowledgment packets. Hence, it is crucial to guarantee that the acknowledgment packets are valid and authentic. To address this concern, we adopt a digital signature in our proposed scheme named Enhanced AACK.

The basic idea behind this method is that even though malicious dropping may result in a packet loss rate that is comparable to normal channel losses, the stochastic processes that characterize the two phenomena exhibit different correlation structures (equivalently, different patterns of packet losses). Therefore, by detecting the correlations between lost packets, one can decide whether the packet loss is purely due to regular link errors, or is a combined effect of link error and malicious drop. Our algorithm takes into account the cross-statistics between lost packets to make a more informative decision, and thus is in sharp contrast to the conventional methods that rely only on the distribution of the number of lost packets.

ADVANTAGES OF PROPOSED SYSTEM:

In this paper we apply policy on edge devices like routers to counter ICMP flood attack.

Our proposed IDS approach is designed to tackle three of the six weaknesses of the Watchdog scheme, namely, false misbehavior, limited transmission power, and receiver collision.

The proposed system with new HLA construction is ICMP collusion-proof.

The proposed system gives the advantage of a privacy-preserving preventive mechanism for ICMP flood attack.

Our construction incurs low communication and storage overheads at intermediate nodes. This makes our mechanism applicable to a wide range of wireless devices, including low-cost wireless sensors that have very limited bandwidth and memory capacities. This is also in sharp contrast to the typical storage-server scenario, where bandwidth/storage is not considered an issue. Last, to significantly reduce the computation overhead of the baseline constructions so that they can be used in computation-constrained mobile devices, a packet-block-based algorithm is proposed to achieve scalable signature generation and detection. This mechanism allows one to trade detection accuracy for lower computation complexity.

SYSTEM CONFIGURATION:-

HARDWARE CONFIGURATION:-

Processor - Pentium IV
Speed - 1.1 GHz
RAM - 256 MB (min)
Hard Disk - 20 GB
Key Board - Standard Windows Keyboard
Mouse - Two or Three Button Mouse
Monitor - SVGA

SOFTWARE CONFIGURATION:-

Operating System: Windows XP
Programming Language: JAVA
Java Version: JDK 1.6 & above

CONCLUSION

The usage of computers on networks is increasing rapidly day by day. Several advanced techniques have been continuously developed for several years, so it is very important to protect our office and business networks from newly evolved attacks. Recent surveys show that attacks on smaller organizations have increased to a great extent. Attacks like DoS attacks are also increasing; thus there is a great need for more awareness among users and for the development of advanced security policies, rules, and devices to protect networks from security breaches. In this paper we have discussed a few categories of attacks and several mechanisms to detect them and protect the network, but it is very hard to implement, configure or purchase these mechanisms. Internal networks of small organizations can be well protected by applying improvised policies on edge devices like routers, web servers, firewalls etc. In our simulation the results show a very high success rate in dropping the packets, and it even reached the maximum level. Further work is to develop more efficient rules or policies which can be implemented on edge devices to counter the maximum types of attacks with a higher success rate and efficiency.
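The edge-device policy described in the abstract and conclusion can be modelled as a token bucket on ICMP echo requests. The sketch below is an added example, not the paper's GNS3 router configuration: the rate (10 requests/s), burst (20), the traffic trace and the documentation-range addresses are all constructed assumptions. It goes one step beyond the text by comparing an aggregate limit with a per-source limit, since the abstract notes that flood packets carry fake source addresses.

```python
from collections import defaultdict

ECHO_REQUEST = 8   # ICMP type 8 = echo request
COST = 1000        # one packet costs 1000 milli-tokens (integer math, time in ms)

class EchoLimiter:
    """Token-bucket policy for ICMP echo requests at an edge device (hypothetical)."""
    def __init__(self, rate_per_s, burst, per_source=False):
        self.rate, self.cap, self.per_source = rate_per_s, burst * COST, per_source
        self.state = defaultdict(lambda: [self.cap, 0])  # key -> [milli-tokens, last ts]

    def allow(self, ts_ms, src, icmp_type):
        if icmp_type != ECHO_REQUEST:
            return True                      # only echo requests are policed
        bucket = self.state[src if self.per_source else "all"]
        bucket[0] = min(self.cap, bucket[0] + (ts_ms - bucket[1]) * self.rate)
        bucket[1] = ts_ms
        if bucket[0] >= COST:
            bucket[0] -= COST
            return True
        return False

def constructed_traffic():
    """Constructed trace: one monitoring ping every 500 ms, plus a 2-second
    flood at 1000 packets/s spread over 250 spoofed source addresses."""
    legit = [(250 + 500 * k, "192.0.2.10", ECHO_REQUEST, "legit") for k in range(20)]
    flood = [(4000 + j, f"198.51.100.{j % 250 + 1}", ECHO_REQUEST, "flood")
             for j in range(2000)]
    return sorted(legit + flood, key=lambda p: p[0])

def run(limiter):
    """Replay the trace through a limiter and count passed/dropped per label."""
    passed = {"legit": 0, "flood": 0}
    dropped = {"legit": 0, "flood": 0}
    for ts, src, icmp_type, label in constructed_traffic():
        (passed if limiter.allow(ts, src, icmp_type) else dropped)[label] += 1
    return passed, dropped

if __name__ == "__main__":
    print("aggregate :", run(EchoLimiter(10, 20)))
    print("per-source:", run(EchoLimiter(10, 20, per_source=True)))
```

On this trace the aggregate limit drops 1961 of the 2000 flood packets but also 4 legitimate pings that arrive during the flood, while the per-source limit passes the whole flood because every spoofed address gets its own full bucket.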
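The correlation test outlined under PROPOSED SYSTEM can be illustrated with the sample auto-correlation of a packet-loss bitmap. This is an added example, not the paper's algorithm: the loss models, the burst pattern and the 0.2 decision threshold are constructed assumptions, and the signature/HLA parts of the scheme are not reproduced.

```python
import random

def acf(bitmap, max_lag):
    """Sample autocorrelation of a 0/1 loss bitmap (1 = lost) for lags 1..max_lag."""
    n = len(bitmap)
    mean = sum(bitmap) / n
    var = sum((b - mean) ** 2 for b in bitmap) / n
    if var == 0:                      # no losses at all, or every packet lost
        return [0.0] * max_lag
    return [
        sum((bitmap[i] - mean) * (bitmap[i + k] - mean) for i in range(n - k)) / (n * var)
        for k in range(1, max_lag + 1)
    ]

def link_losses(n, p, rng):
    """Constructed channel model: each packet is lost independently with probability p."""
    return [1 if rng.random() < p else 0 for _ in range(n)]

def add_selective_drops(bitmap, period, burst):
    """Constructed insider: additionally drops `burst` consecutive packets every `period`."""
    return [1 if i % period < burst else b for i, b in enumerate(bitmap)]

def is_suspicious(bitmap, max_lag=5, threshold=0.2):
    """Flag the hop when any short-lag correlation exceeds the assumed threshold."""
    return any(abs(r) > threshold for r in acf(bitmap, max_lag))

def loss_rate(bitmap):
    return sum(bitmap) / len(bitmap)

rng = random.Random(7)                # fixed seed so the run is repeatable
# Both hops lose roughly 10% of packets; only the second has correlated losses.
honest = link_losses(2000, 0.10, rng)
attacked = add_selective_drops(link_losses(2000, 0.05, rng), period=100, burst=5)

if __name__ == "__main__":
    for name, bm in (("honest", honest), ("attacked", attacked)):
        print(f"{name:9s} loss={loss_rate(bm):.3f} "
              f"acf={[round(r, 2) for r in acf(bm, 5)]} suspicious={is_suspicious(bm)}")
```

A detector that only counts losses sees two hops with nearly the same loss rate; the short-lag ACF separates them because independent link errors stay near zero correlation while the burst drops do not.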
