Indonesian Journal of Electrical Engineering and Computer Science
Vol. 12, No. 3, December 2018, pp. 1117~1125
ISSN: 2502-4752, DOI: 10.11591/ijeecs.v12.i3.pp1117-1125
Journal homepage: http://iaescore.com/journals/index.php/ijeecs
A Review on Various Sniffing Attacks and its Mitigation Techniques

B. Prabadevi, N. Jeyanthi
VIT University, Vellore, India

Article Info
Article history:
Received Jan 7, 2018
Revised Jul 9, 2018
Accepted Aug 21, 2018

ABSTRACT
Security in the era of digital computing plays a vital role. Of the various attacks in the field of computing, Distributed Denial of Service (DDoS) attacks, Man-in-the-Middle (MITM) attacks and data theft have the greatest impact on emerging applications. Sniffing attacks, one of the most prominent reasons for DDoS attacks, are the major security threats in client-server computing. A content or packet sniffer snorts the most sensitive information from the network and alters or disturbs the legitimate functionality of the victim system. Therefore it is extremely important to have a greater knowledge of these vulnerabilities, their issues, and the various mitigation techniques. This study analyses the existing sniffing attacks, variations of sniffing attacks and prevention or detection mechanisms. The reasons for the most vital ransomware are also discussed.
Keywords:
DDoS
DoS
MITM
Packet sniffing
Ransomware
Sniffing attack

Copyright © 2018 Institute of Advanced Engineering and Science. All rights reserved.

Corresponding Author:
B. Prabadevi,
VIT University, Vellore, India.
Email: prabadevi.b@vit.ac.in
1. INTRODUCTION
The DDoS attack is an unbreakable security problem in the Internet of Things. DDoS is one of the variants of Denial of Service (DoS) attacks. The major purpose of a DoS attack is to prevent the victim from serving its legitimate users. DoS attacks achieve this goal by flooding unserviceable traffic until the processing capacity of the victim's network is sloughed off. This in turn makes the victim computer deny services to its legitimate users. It achieves its target either by consuming the victim network's bandwidth or its connectivity [1-2]. The most promising variant of DoS attacks, the DDoS attack, had contributed about 14% of the threats in the cloud environment [2]. In a DDoS attack, the attacker mounts the attack through a network of remote-controlled and widely isolated nodes which work cooperatively by flooding a large volume of traffic at the victim's network. The goal of the attack is not to exploit the data directly but to prevent the victim's resources from servicing its legitimate users. The DDoS attack network consists of four roles [3], viz. attacker, handlers, agents and victim, as depicted in Figure 1. The command for the attack is directed from the attacker to the handlers and contains information about the type of attack, the victim's information and its duration. The handlers in turn propagate this to the agents, which send the attack data packets to the victim. Various DDoS attack tools are available as free open source software for launching DDoS attacks. With the help of these tools, the attacker can launch multiple attacks on multiple victims simultaneously by using various fake packets. Bandwidth depletion and resource depletion are the two categories into which DDoS attacks are classified [1]. Though various detection and prevention mechanisms for DDoS attacks are available, it remains an emerging issue.

Dynamic distributed computing technologies like the cloud provide their services through the internet, have wide applications and a tremendously increasing number of users. Some of the applications of the cloud include the most commonly used social networking sites like Facebook and Google Plus and web stores like Google Drive and Dropbox. As the cloud offers various flavors of services, it has become the best foundation for most of the competing industries over the globe. DDoS attacks have a major impact on technologies like the cloud. It is one of the tempting targets for cyber-crime [4]. Of the various DDoS attacks [1], the major focus here is on sniffer attacks, which sniff the most sensitive information over the transmission channel, as data is of major concern for any computing environment.
Figure 1. Attack network of DDoS
2. SNIFFER ATTACKS
Sniffing is the process of capturing, decoding, inspecting and interpreting the data from the packets transmitted over a transmission channel, e.g. a TCP/IP network. The sniffer is the application that does the sniffing; it is also called a network protocol analyzer. A sniffer has two modes of operation, as follows:
a) Promiscuous mode - in this mode, the sniffer can steal the information from all traffic passing over the network, i.e. from all devices connected to the host system.
b) Non-promiscuous mode - in this mode the sniffer can steal only the information going to and from its host system.
The information stolen by the sniffer is very sensitive, such as user credentials like IDs and passwords, account details, network specifics, credit card numbers, email texts, file transfers, DNS queries, chat sessions, web pages being visited, etc. Sniffing enables some risky types of attack which are difficult to detect. Thus, sniffing can be categorized as a "passive" type of attack, where the attackers can remain mute or imperceptible on the network. Protocols in which either the password or the data is sent in clear text, and those in which both password and data are sent in clear text, are vulnerable to these sniffing attacks. For example, Telnet, HTTP, SMTP, NNTP, POP, FTP and IMAP are some of the protocols vulnerable to sniffing.
Why and how do the hackers/attackers sniff?
The hacker performs the sniffing process either to get the sensitive information directly or to find the technical details about the network needed to cause further attacks. This can be achieved by using commercial or open source software tools. There are three ways to sniff a network:
a) Wireless sniffer - specifically designed to capture data on wireless networks. Also called a wireless packet sniffer or wireless network sniffer.
b) External sniffer – this kind of sniffer has the capability of externally monitoring all inbound and outbound traffic from an external location to a web server, gathering information about the server. In simple terms, sniffing from a third-party external location, or sniffing data from the external interface using sniffer tools.
c) Internal sniffer – these sniffers are designed to exploit the internal corporate network. Here the intruder compromises a machine on the internal network and runs a sniffer to steal data for compromising other computers connected over the network.
In this context, the term sniffing refers to "the information that can be stolen". The ways are as follows:
a) A LAN sniff:- A sniffing tool is installed in the internal LAN. The sniffer/attacker scans the IP addresses of all the hosts connected to the LAN. Through this, information (like open ports, active hosts, server port folio, etc.) can be stolen. Port-specific attacks can be launched with this information.
b) A protocol sniff:- The attacker sniffs information about the network protocols used. The attacker performs the following steps: a) a broad list of protocols is determined from the information sniffed; b) the above list is segregated based on the type of attacks that can be launched, and a distinctive type of sniffer is developed to perform this. For example, if the list contains the UDP protocol, then a special UDP sniffer is initialized to capture and decrypt the details of associated applications like DNS, Telnet and so on.
c) An ARP sniff:- By sniffing this resolution protocol, the attacker gets the set of IP addresses and their accompanying MAC addresses too. This information suffices to launch router attacks, spoofing attacks and ARP poisoning attacks.
d) TCP session stealing:- The network interface acting as a sniffer seizes the entire traffic between source and destination. An attacker interested in details like the ports used, IP addresses, services offered, sequence numbers of TCP packets, control information and data will launch this attack. With these details the attacker can even create fabricated sessions between the communicating devices and behave as a man-in-the-middle, either to disrupt services or to capture sensitive data.
e) Application-level sniffing:- Application-specific attacks are launched through this sniffing by getting the list of active applications on the victim. The attacker sniffs the packets to get information about the applications, either to steal it or to cause further attacks based on the nature of the information. E.g., by sniffing user credentials the sniffer can execute SQL injection attacks, fingerprinting, etc.
f) Web password sniffing:- As web communications are done over HTTP, the attacker can steal the HTTP sessions and parse them for user credentials, causing cookie poisoning attacks. Though SSL provides security mechanisms for HTTP, the emerging sniffing tools are more efficient and most of the internal websites are vulnerable.
g) Packet sniffing:- This is the process of monitoring every packet on the network. It is done by inserting a program that monitors the data packets and forwards a copy of them to the attacker. Packet sniffing is always done in promiscuous mode. By receiving the first 125 keystrokes of the packets the attacker can learn the user credentials [5].
Network sniffing: the network sniffing attacks [6] can be of different forms, viz.:
a) Client side sniffing: this is launched using scripting languages inferred by the user agent.
b) Server side sniffing: this is done from the server side using communication protocols [6].
c) Browser sniffing: uses the websites and web applications to launch the attacks. This kind of sniffer makes use of the information from browser caches and browser history. By misconstruing the scripting code the attacker can sniff the private information and can bring the NIC into promiscuous mode by installing a sniffer tool [6].
d) Content sniffing: also termed MIME sniffing or media type sniffing. To mimic changes in the web application the attacker changes the content type or file format. This harms both the client and the server side. The victim can avoid this by customizing the browser options for content [7-8].
e) Password sniffing: the sniffer steals the most private and sensitive information from the packets, such as user credentials, especially passwords, through which all the information can be stolen. One of the approaches to avoid this is using data triggers [6].
Figure 2 depicts the information an attacker can gain at each layer of the OSI model by sniffing a network. Abdul and Syed suggested the various attacks at the network layer of the OSI model [9]. The sniffing can be performed by three methods [7], viz.:
a) IP based sniffing: the packet sniffing method sets the NIC to promiscuous mode and sniffs all the packets based on an IP filter; it works in non-switched types of network.
b) MAC based sniffing: this method is similar to IP based sniffing, with the exception that it sniffs packets based on MAC address filters.
c) ARP based sniffing: unlike the above two methods, it does not set the NIC to promiscuous mode and works on a switched network. In this method the ARP request-reply mess Mages are used to poison the ARP caches of the communicating entities and redirect traffic of the attacker's interest based on the configuration done.
Figure 2. Possible ways of sniffing at various OSI layers
3. SNIFFING ATTACKS AND TOOLS
The sniffing process is executed either manually or by using software programs. These software programs are called sniffing tools; they perform the sniffing and are used for launching various attacks in the network.
3.1 MAC Attacks
These types of attack are a variation of Denial of Service (DoS) by which the sniffer gains access to the information. A MAC flooding attack takes place by flooding the networking device 'switch' with numerous requests from different source MAC addresses. The switch then enters a 'fail open' mode in which it acts as a hub, broadcasting requests to all the ports in the network rather than to the correct port. Since the switch has limited memory (i.e. Content Addressable Memory, to map the MAC addresses to the physical address), the attacker floods the switch with voluminous MAC addresses, utilizing its full capacity. Now the sniffer installed can capture the sensitive information. Figure 3 depicts the MAC flooding attack [10].
Figure 3. MAC flooding Attack
3.1.1 Preventing MAC flooding attacks
The 'switchport' port-security feature by CISCO allows restricting the input from unauthorized hosts by examining the MAC addresses. The three types of secure MAC addresses are static secure, dynamic secure and sticky secure MAC addresses, which are configured manually, dynamically and either way, respectively [10]. It also enforces three security violation modes, according to which the switch reacts when the number of MAC addresses reaches the limit on the concerned port. In such scenarios, the victim switch either drops the packets (those with an unrecognized MAC address) or goes into shutdown status [10]. The restriction for installing the sniffer should be mandated. IPv6 with encrypted sessions can be used instead of IPv4. The port security feature confines these attacks and locks down the port, sending an SNMP trap [11].
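As an added illustration (not from the paper or from Cisco's implementation), the following Python model replays a MAC flood against a switch CAM table with and without a per-port secure-MAC limit; the CAM capacity, port numbers, MAC addresses and the two violation modes modelled ('protect', which drops offending frames, and 'shutdown') are assumptions.

```python
"""Model of a layer-2 switch CAM table under MAC flooding, with and without port security.

Added illustration; all MAC addresses, port numbers and the CAM capacity are constructed."""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Switch:
    ports: List[int]
    cam_capacity: int                        # how many MAC->port entries the CAM can hold
    max_macs_per_port: Optional[int] = None  # port-security limit; None = feature disabled
    violation_mode: str = "shutdown"         # "protect" (drop offending frames) or "shutdown"
    cam: "OrderedDict[str, int]" = field(default_factory=OrderedDict)  # MAC -> port, oldest first
    per_port: Dict[int, Set[str]] = field(default_factory=dict)        # port -> secure MACs learned
    disabled_ports: Set[int] = field(default_factory=set)
    violations: int = 0
    evictions: int = 0

    def _learn(self, src_mac: str, port: int) -> bool:
        """Source-MAC learning. Returns False when the frame is discarded by port security."""
        if port in self.disabled_ports:
            return False
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)      # refresh the entry's age
            return True
        learned = self.per_port.setdefault(port, set())
        if self.max_macs_per_port is not None and len(learned) >= self.max_macs_per_port:
            self.violations += 1
            if self.violation_mode == "shutdown":
                self.disabled_ports.add(port)  # err-disable the offending port
            return False
        if len(self.cam) >= self.cam_capacity:
            old_mac, old_port = self.cam.popitem(last=False)  # a full CAM evicts its oldest entry
            self.per_port[old_port].discard(old_mac)
            self.evictions += 1
        self.cam[src_mac] = port
        learned.add(src_mac)
        return True

    def forward(self, src_mac: str, dst_mac: str, port: int) -> List[int]:
        """Returns the egress ports of a frame; an unknown destination is flooded like a hub."""
        if not self._learn(src_mac, port):
            return []
        if dst_mac != BROADCAST and dst_mac in self.cam:
            return [self.cam[dst_mac]]
        return [p for p in self.ports if p != port and p not in self.disabled_ports]


VICTIM_A = "00:11:22:aa:aa:01"   # constructed host on port 1
VICTIM_B = "00:11:22:bb:bb:02"   # constructed host on port 2; the attacker sits on port 3


def forged_mac(i: int) -> str:
    return "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)


def mac_flood_scenario(max_macs_per_port: Optional[int] = None, violation_mode: str = "shutdown",
                       flood_count: int = 5000, cam_capacity: int = 1024) -> Dict[str, object]:
    sw = Switch(ports=[1, 2, 3], cam_capacity=cam_capacity,
                max_macs_per_port=max_macs_per_port, violation_mode=violation_mode)
    sw.forward(VICTIM_A, BROADCAST, 1)   # both victims announce themselves (e.g. an ARP request)
    sw.forward(VICTIM_B, BROADCAST, 2)
    for i in range(flood_count):         # attacker floods frames from ever-changing source MACs
        sw.forward(forged_mac(i), BROADCAST, 3)
    egress = sw.forward(VICTIM_A, VICTIM_B, 1)   # A now sends a unicast frame to B
    return {
        "egress_ports": egress,
        "attacker_sees_frame": 3 in egress,   # True only if B's entry was evicted and A's frame flooded
        "cam_entries": len(sw.cam),
        "evictions": sw.evictions,
        "violations": sw.violations,
        "disabled_ports": sorted(sw.disabled_ports),
    }


if __name__ == "__main__":
    print("no port security  :", mac_flood_scenario())
    print("limit 2, shutdown :", mac_flood_scenario(max_macs_per_port=2))
    print("limit 2, protect  :", mac_flood_scenario(max_macs_per_port=2, violation_mode="protect"))
```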
3.2 DHCP Attacks
DHCP, the Dynamic Host Configuration Protocol, is a network protocol used for dispensing configuration details dynamically. The configuration information includes the IP address, routers, subnet mask, DNS servers and so on. It involves the following steps [11]:
1) The client requests the configuration details from the available servers through a DHCPDISCOVER broadcast message.
2) The DHCP server dynamically assigns an IP address from the pool of IP addresses available for assignment, with a lease time, and optionally provides additional information, through a DHCPOFFER unicast message. DHCPREQUEST is the broadcast message used by the client for getting optional details from the server. DHCPACK is the unicast response message from the server.
DHCP has three ways of allocating IP addresses [12] to clients, viz. automatic, manual and dynamic allocation, which allocate a permanent IP address, an administrator-selected IP address and a pre-specified IP address with a lease time, respectively. Because of this address allocation it has some issues, where the DHCP server will be in passive mode and has limited security features.
a) A rogue DHCP server: the attacker can pretend to be a DHCP server, i.e. a rogue DHCP server, and communicate with clients, making the victim's network shut down. The clients respond to requests through the default gateway, which can be tracked by the attacker, exploiting the entire domain via DNS information and other configuration parameters. This can be termed a Man-In-The-Middle (MITM) attack, which is difficult to detect.
b) Malevolent DHCP client: by pretending to be a DHCP client, the attacker can use tools like Gobbler to attack the DHCP server by DHCP flooding [13]. To provide secured interactions Yun and Jia [13] proposed a SAKA encryption algorithm for the DHCP protocol.
c) DHCP starvation attack: the "DHCP Starvation Attack" happens by flooding DHCP requests with spoofed MACs using attack tools. The attackers exhaust the entire address space by sending enough requests. Later the attacker can set up a rogue DHCP server as mentioned above. Yaibuates et al. proposed an ICMP based detection method for anomalous DHCPREQUESTs by attackers [14].
Many researchers have proposed various techniques for preventing DHCP attacks, namely through digital signatures and public key cryptography, or by maintaining a predefined list of authenticated MAC addresses [15-16]. The most widely preferred mitigation technique by CISCO for DHCP attacks is DHCP snooping, a network security feature which filters unauthorized DHCP messages using a binding database known as the DHCP snooping binding table. The messages are filtered by means of the switch ports through which DHCP communicates, since the binding table keeps track of all the ports, both untrusted and trusted. Through trusted ports the devices can respond to the messages, whereas devices waiting to communicate through untrusted ports are deprived of service by shutting down the ports, so these untrusted ports hold only requests [12]. The port security feature is another feature for avoiding this attack, by restricting unwanted input to the ports by limiting the MAC addresses accessing the ports [11-12].
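The following Python model is an added example, not the paper's or Cisco's code: it applies the DHCP snooping rules described above (trusted and untrusted ports, a binding table built from DHCPACKs, a per-port rate limit) to a constructed trace containing a rogue server, a spoofed client and a starvation flood; all MACs, ports, addresses and the rate limit are assumptions.

```python
"""DHCP snooping model: trusted/untrusted ports, a binding table, and the filters that stop a
rogue server, a spoofed client and a starvation flood.

Added illustration, not Cisco's implementation; MACs, ports, addresses and the rate limit are
constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a DHCP server legitimately sends these


@dataclass(frozen=True)
class DhcpFrame:
    port: int         # switch port the frame arrived on
    eth_src: str      # Ethernet source MAC
    msg_type: str     # DISCOVER, OFFER, REQUEST, ACK, ...
    chaddr: str       # client hardware address carried inside the DHCP payload
    yiaddr: str = ""  # address offered/assigned by the server


@dataclass
class DhcpSnooping:
    trusted_ports: Set[int]                 # uplinks toward the legitimate DHCP server
    rate_limit: int = 10                    # client messages tolerated per untrusted port (this window)
    bindings: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # client MAC -> (ip, port)
    pending: Dict[str, int] = field(default_factory=dict)               # client MAC -> access port
    client_msgs: Counter = field(default_factory=Counter)               # port -> client messages seen
    disabled_ports: Set[int] = field(default_factory=set)
    drops: List[Tuple[str, int]] = field(default_factory=list)          # (reason, port)

    def _drop(self, reason: str, f: DhcpFrame) -> bool:
        self.drops.append((reason, f.port))
        return False

    def process(self, f: DhcpFrame) -> bool:
        """Returns True if the frame is forwarded, False if snooping discards it."""
        if f.port in self.disabled_ports:
            return self._drop("err_disabled", f)
        trusted = f.port in self.trusted_ports
        if f.msg_type in SERVER_MSGS:
            if not trusted:                                  # rogue DHCP server on an access port
                return self._drop("rogue_server", f)
            if f.msg_type == "ACK" and f.chaddr in self.pending:
                self.bindings[f.chaddr] = (f.yiaddr, self.pending.pop(f.chaddr))
            return True
        if not trusted:
            if f.eth_src != f.chaddr:                        # forged chaddr behind a real source MAC
                return self._drop("chaddr_mismatch", f)
            self.client_msgs[f.port] += 1
            if self.client_msgs[f.port] > self.rate_limit:   # starvation flood: err-disable the port
                self.disabled_ports.add(f.port)
                return self._drop("rate_limit", f)
            self.pending[f.chaddr] = f.port
        return True

    def drop_counts(self) -> Dict[str, int]:
        return dict(Counter(reason for reason, _ in self.drops))


SERVER_MAC = "00:1a:2b:00:00:53"    # real server behind trusted port 24
LEGIT = "02:00:00:00:00:50"         # honest client on port 5
CLIENT2 = "02:00:00:00:00:51"       # honest client on port 9
ROGUE = "02:00:00:00:00:66"         # rogue server on access port 7
ATTACKER = "02:00:00:00:00:77"      # starvation attacker on port 12


def forged(i: int) -> str:
    return "02:ff:ff:ff:%02x:%02x" % ((i >> 8) & 0xFF, i & 0xFF)


def sample_traffic() -> List[DhcpFrame]:
    frames = [
        DhcpFrame(5, LEGIT, "DISCOVER", LEGIT),
        DhcpFrame(24, SERVER_MAC, "OFFER", LEGIT, "10.0.0.50"),
        DhcpFrame(5, LEGIT, "REQUEST", LEGIT),
        DhcpFrame(24, SERVER_MAC, "ACK", LEGIT, "10.0.0.50"),
        DhcpFrame(9, CLIENT2, "DISCOVER", CLIENT2),
        DhcpFrame(7, ROGUE, "OFFER", CLIENT2, "10.0.0.66"),     # rogue answer from an access port
    ]
    # starvation, first try: forged chaddr but the attacker's own Ethernet source
    frames += [DhcpFrame(12, ATTACKER, "DISCOVER", forged(i)) for i in range(3)]
    # starvation, second try: forged chaddr and a matching forged Ethernet source
    frames += [DhcpFrame(12, forged(100 + i), "DISCOVER", forged(100 + i)) for i in range(12)]
    return frames


def run(frames: List[DhcpFrame] = None, rate_limit: int = 10) -> Tuple[DhcpSnooping, int]:
    sw = DhcpSnooping(trusted_ports={24}, rate_limit=rate_limit)
    forwarded = sum(sw.process(f) for f in (frames if frames is not None else sample_traffic()))
    return sw, forwarded


if __name__ == "__main__":
    switch, n = run()
    print("forwarded:", n, "bindings:", switch.bindings)
    print("drops:", switch.drop_counts(), "err-disabled:", switch.disabled_ports)
```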
3.3 SYN Attacks
SYN is the synchronization bit used in TCP during the three-way handshake. The SYN flooding attack is responsible for mounting most of the prominent attacks in the internet [17] and the Internet of Things. One such attack is DoS. These attacks are launched by sending innumerable spoofed SYN requests which exceed the victim's capacity to handle the requests, as depicted in Figure 4. The attacker gains this SYN information by spoofing the FIN/RST requests, which are related to the SYN by the sequence numbers of the packets, as the SYN-ACK pair holds full information about TCP connections [18]. The victim is vulnerable during the half-open state of the server, during which it receives requests from the clients. [18] detects SYN attacks by the behaviour of SYN-ACK and CliACK pairs. Wang et al. [19] proposed a scheme called SYN-dog, based on the behaviour of the SYN-ACK pair, to sniff the SYN attack sources. Lihua Miao et al. [20] proposed a scheme for detecting SYN attacks using NetFlow information, through which most of the internet based SYN attacks are detected, and presented a scenario for detecting the zombies.
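As an added example (not the detector of [18] or SYN-dog), the Python code below counts the half-open connections and the SYN-ACKs that never receive the client's ACK for one listening socket over a constructed capture; the victim address, the client addresses and the alert thresholds are assumptions.

```python
"""Half-open connection accounting for detecting a TCP SYN flood against one listening socket.

Added illustration, not the scheme of [18] or SYN-dog; the traffic is constructed and the
thresholds are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as tcpdump prints them: "S", "SA", "A", "F", "R", "RA", ...


def handshake_stats(packets: List[Pkt], server_ip: str, server_port: int) -> Dict[str, int]:
    """Tracks each (client ip, port) through SYN -> SYN-ACK -> client ACK toward the server."""
    state: Dict[Tuple[str, int], str] = {}
    counts = {"syn": 0, "syn_ack": 0, "cli_ack": 0}
    for p in sorted(packets, key=lambda q: q.ts):
        if p.dst == server_ip and p.dport == server_port:          # client -> server
            key = (p.src, p.sport)
            if p.flags == "S":
                state[key] = "syn"
                counts["syn"] += 1
            elif p.flags == "A" and state.get(key) == "synack":    # third leg completes the handshake
                state[key] = "open"
                counts["cli_ack"] += 1
            elif "R" in p.flags or "F" in p.flags:
                state.pop(key, None)
        elif p.src == server_ip and p.sport == server_port:        # server -> client
            key = (p.dst, p.dport)
            if p.flags == "SA" and state.get(key) == "syn":
                state[key] = "synack"                              # now a half-open connection
                counts["syn_ack"] += 1
            elif "R" in p.flags:
                state.pop(key, None)
    counts["half_open"] = sum(1 for s in state.values() if s == "synack")
    counts["half_open_sources"] = len({k[0] for k, s in state.items() if s == "synack"})
    return counts


def syn_flood_verdict(packets: List[Pkt], server_ip: str, server_port: int,
                      max_half_open: int = 100, max_unanswered_ratio: float = 0.5) -> Dict[str, object]:
    """Alerts when half-open connections pile up or most SYN-ACKs never receive the client ACK."""
    c = handshake_stats(packets, server_ip, server_port)
    unanswered = c["syn_ack"] - c["cli_ack"]
    ratio = unanswered / c["syn_ack"] if c["syn_ack"] else 0.0
    return {**c, "unanswered_syn_ack": unanswered, "unanswered_ratio": round(ratio, 3),
            "alert": c["half_open"] > max_half_open or ratio > max_unanswered_ratio}


SERVER = ("192.0.2.80", 443)   # constructed victim service


def sample_traffic(legit_clients: int = 20, spoofed_syns: int = 300) -> List[Pkt]:
    """Constructed capture: legit clients finish the handshake, spoofed sources never ACK."""
    pkts: List[Pkt] = []
    t = 0.0
    for i in range(legit_clients):
        c, sp = f"198.51.100.{i + 1}", 40000 + i
        pkts += [Pkt(t, c, sp, *SERVER, "S"), Pkt(t + 0.01, *SERVER, c, sp, "SA"),
                 Pkt(t + 0.02, c, sp, *SERVER, "A")]
        t += 0.1
    for i in range(spoofed_syns):
        c, sp = f"100.64.{i // 250}.{i % 250 + 1}", 50000 + i   # forged, unreachable sources
        pkts += [Pkt(t, c, sp, *SERVER, "S"), Pkt(t + 0.001, *SERVER, c, sp, "SA")]
        t += 0.002
    return pkts


if __name__ == "__main__":
    print("flood   :", syn_flood_verdict(sample_traffic(20, 300), *SERVER))
    print("baseline:", syn_flood_verdict(sample_traffic(20, 0), *SERVER))
```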
Figure 4. TCP SYN flood attack
3.4 DNS Poisoning Attacks
These are DNS cache poisoning attacks or DNS spoofing attacks. It is known that DNS is widely used for resolving a domain name to an IP address and vice versa. This type of attack takes place when the DNS server itself is compromised, by which the attacker can alter or falsify the DNS table. So the DNS directs its clients to a spurious IP address or domain. Or the attacker can gain information from the reverse lookup table, which contains the list of IP addresses related to the attacker's machine [17]. Sometimes the host uses the DNS servers provided by the host's organization or by the ISP. In the former case, to improve the response time, the frequently resolved queries are cached. The attacker takes this opportunity to exploit or poison the cache, in turn diverting the users to illicit websites. In this scenario, the user gets responses from the poisoned server. To mitigate these attacks some researchers proposed various techniques like Secure DNS (DNSSEC), the DNSCurve security proxy and TSIG, which are used for protecting against on-the-wire attacks [22]. Most organizations adopt various security features to mitigate these attacks. Yu et al. used source port randomization and setting of the Time to Live field to protect the servers after DNS cache poisoning [23]. DNS poisoning may lead to phishing, some of which is detected by Kim and Hu [24] using network performance parameters with naïve Bayesian and K-nearest neighbour algorithms. Tongguang et al. proposed a detection technique for protecting DNS servers from DDoS attacks [25]. Also Nhuong suggested a security policy to prevent DDoS attacks against future networks which guarantees users advanced services [26].
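The following Python stub resolver is an added example, not the implementation of [23]: it shows the resolver-side checks that keep a forged reply out of the cache, namely matching transaction ID and randomized source port, a question-section match, rejection of out-of-bailiwick records, and a TTL cap; the names, addresses and the 3600 s cap are assumptions.

```python
"""Resolver-side checks that make a forged DNS reply hard to slip into the cache.

Added illustration of the defences the section names (source port randomization, TTL capping)
plus the usual txid/question/bailiwick checks; not the code of [23]. Names and addresses are
constructed."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Query:
    txid: int
    src_port: int
    qname: str
    qtype: str


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    ttl: int
    rdata: str


@dataclass
class Response:
    txid: int
    dst_port: int            # UDP port the reply is addressed to
    qname: str
    qtype: str
    answers: List[RR]
    additional: List[RR] = field(default_factory=list)


def canonical(name: str) -> str:
    return name.lower().rstrip(".") + "."


def in_bailiwick(rr_name: str, qname: str) -> bool:
    """Accept a record only if it sits at or below the parent zone of the name we asked about."""
    parent = canonical(qname).split(".", 1)[1]      # "www.example.com." -> "example.com."
    rr = canonical(rr_name)
    return rr == parent or rr.endswith("." + parent)


class StubResolver:
    def __init__(self, randomize_ports: bool = True, max_ttl: int = 3600):
        self.randomize_ports = randomize_ports
        self.max_ttl = max_ttl                       # cap on how long a poisoned entry could live
        self.pending: Dict[Tuple[int, int], Query] = {}
        self.cache: Dict[Tuple[str, str], RR] = {}
        self.rejected: List[str] = []
        self.dropped_records = 0

    def send_query(self, qname: str, qtype: str = "A") -> Query:
        txid = secrets.randbelow(1 << 16)
        port = secrets.randbelow(65536 - 1024) + 1024 if self.randomize_ports else 53
        q = Query(txid, port, canonical(qname), qtype)
        self.pending[(txid, port)] = q
        return q

    def receive(self, r: Response) -> bool:
        q = self.pending.get((r.txid, r.dst_port))
        if q is None:                                # wrong txid or port: not a reply to us
            self.rejected.append("txid/port match no outstanding query")
            return False
        if (canonical(r.qname), r.qtype) != (q.qname, q.qtype):
            self.rejected.append("question section mismatch")
            return False
        del self.pending[(r.txid, r.dst_port)]       # one reply per query; replays are rejected
        for rr in r.answers + r.additional:
            if not in_bailiwick(rr.name, q.qname):   # out-of-zone glue is never cached
                self.dropped_records += 1
                continue
            name = canonical(rr.name)
            self.cache[(name, rr.rtype)] = RR(name, rr.rtype, min(rr.ttl, self.max_ttl), rr.rdata)
        return True


def forged_response_hit_probability(randomize_ports: bool) -> float:
    """Chance that one blind forged reply matches: 16-bit txid alone, or txid times the port range."""
    ports = 65536 - 1024 if randomize_ports else 1
    return 1.0 / (65536 * ports)


if __name__ == "__main__":
    res = StubResolver()
    q = res.send_query("www.example.com")
    forged = Response(q.txid, 53, "www.example.com.", "A", [RR("www.example.com.", "A", 300, "203.0.113.9")])
    print("forged reply to port 53 accepted:", res.receive(forged))
    print(forged_response_hit_probability(False), forged_response_hit_probability(True))
```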
3.5 ARP Poisoning Attacks
The Address Resolution Protocol operates at the link layer of the ISO model, i.e. it works only on the LAN, for converting a given IP address into the corresponding MAC address. This protocol is used by any network device to communicate with the others [27]. Request and Response are the two operations of ARP. The unsolicited structure of ARP makes it vulnerable to any attacker who has access to the LAN. The user sends an ARP request with an IP address to learn the MAC address, and the response is saved in the cache for future use. Because of the lack of authentication in ARP, the attacker can send spoofed ARP responses, causing an ARP spoofing attack, as shown in Figure 5. When this is cached in the victim's system, the attacker himself pretends to be the owner of the IP address and sends the fake ARP responses. Also the attacker gains access to the traffic directed by the victim. The attacker can even act as a router, directing the traffic to the legitimate user by configuring his machine. This attack in turn can execute DoS attacks (dropping the packets destined for the legitimate user) by launching the MITM attack. Nugraha et al. proposed techniques for mitigating broadcast storms on Ethernet [28]. Some of the mitigation methods for the above said attacks are: Dynamic ARP Inspection (DAI); the network traffic inspection tools like PWatch, ARPWatch and XARP [29], which can be used to identify the spoofing attacks; and the ARP Central Server (ACS) [30], which maintains a table of the IP-MAC relationship. Also, ARP cache poisoning attacks are detected using many firmwares like OpenWrt, the new Efficient and Secure ARP (ES-ARP) protocol and modified ICMP protocols [31]. A comparative study of various mitigation techniques, with factors like the approaches adopted, detection type and protocols used, was done in [32]. From the study of various attacks, it is clear that no attacks are independent. E.g., MITM remains a vestige in most of the attacks. These attacks can be launched by open source tools [29], and a few of them are listed in Table 2. One can detect a network sniffer by using any anti-sniffing tool. Of the four prominent anti-sniffer tools, Promi-Scan, PMD, L0pht AntiSniff and SupCom antisniffer [33], SupCom detects most of the hosts involved in sniffing, according to tests conducted over different operating systems [33-34]. Mohd Anaur et al. used a key exchange protocol to overcome relay and timing attacks [35].
Figure 5. ARP Cache Poisoning Attack
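As an added example (not the code of DAI, ARPWatch or any other tool named above), the Python inspector below validates ARP packets against an IP-to-MAC-to-port binding table such as the DHCP snooping table and, when run without bindings, raises arpwatch-style alerts on unsolicited replies and flip-flopping IP owners; the addresses, ports and the packet sequence are constructed.

```python
"""ARP inspection: Dynamic-ARP-Inspection-style validation against a binding table, plus
arpwatch-style alerts on unsolicited replies and IP-to-MAC flip-flops.

Added illustration, not the code of any tool named in the text; addresses, ports and the
traffic are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpPkt:
    op: str           # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_ip: str
    port: int         # switch port the packet arrived on


@dataclass
class ArpInspector:
    bindings: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # ip -> (mac, port), e.g. DHCP snooping table
    strict: bool = True                                                  # drop senders that have no binding at all
    seen: Dict[str, str] = field(default_factory=dict)                   # ip -> last accepted MAC
    outstanding: Set[Tuple[str, str]] = field(default_factory=set)       # (requester ip, target ip)
    alerts: List[Tuple[str, str, str, int]] = field(default_factory=list)
    dropped: int = 0

    def _alert(self, code: str, p: ArpPkt) -> None:
        self.alerts.append((code, p.sender_ip, p.sender_mac, p.port))

    def inspect(self, p: ArpPkt) -> bool:
        """Returns True if the packet is accepted, False if it is dropped."""
        drop = False
        if self.bindings:                                   # DAI: the sender must match its binding
            bound = self.bindings.get(p.sender_ip)
            if bound is None:
                self._alert("no_binding", p)
                drop = self.strict
            elif bound != (p.sender_mac, p.port):
                self._alert("binding_mismatch", p)
                drop = True
        if p.op == "reply" and (p.target_ip, p.sender_ip) not in self.outstanding:
            self._alert("unsolicited_reply", p)             # nobody asked; typical of cache poisoning
        if drop:
            self.dropped += 1
            return False
        prev = self.seen.get(p.sender_ip)
        if prev is not None and prev != p.sender_mac:
            self._alert("flip_flop", p)                     # the IP address changed owner
        self.seen[p.sender_ip] = p.sender_mac
        if p.op == "request":
            self.outstanding.add((p.sender_ip, p.target_ip))
        else:
            self.outstanding.discard((p.target_ip, p.sender_ip))
        return True

    def alert_counts(self) -> Dict[str, int]:
        return dict(Counter(code for code, *_ in self.alerts))


GW_IP, GW_MAC, GW_PORT = "10.0.0.1", "00:1a:2b:00:00:01", 24
HOST_IP, HOST_MAC, HOST_PORT = "10.0.0.50", "02:00:00:00:00:50", 5
ATTACKER_MAC, ATTACKER_PORT = "02:00:00:00:00:77", 7
BINDINGS = {GW_IP: (GW_MAC, GW_PORT), HOST_IP: (HOST_MAC, HOST_PORT)}

SAMPLE = [
    ArpPkt("request", HOST_MAC, HOST_IP, GW_IP, HOST_PORT),          # host asks for the gateway
    ArpPkt("reply", GW_MAC, GW_IP, HOST_IP, GW_PORT),                # genuine answer
    ArpPkt("reply", ATTACKER_MAC, GW_IP, HOST_IP, ATTACKER_PORT),    # unsolicited fake: "I am the gateway"
    ArpPkt("request", ATTACKER_MAC, GW_IP, HOST_IP, ATTACKER_PORT),  # poisoning attempt via a request
    ArpPkt("request", HOST_MAC, HOST_IP, GW_IP, HOST_PORT),          # host asks again
    ArpPkt("reply", ATTACKER_MAC, GW_IP, HOST_IP, ATTACKER_PORT),    # attacker races the real reply
    ArpPkt("reply", GW_MAC, GW_IP, HOST_IP, GW_PORT),                # genuine answer arrives second
]


def run(packets: List[ArpPkt] = SAMPLE, bindings: Dict[str, Tuple[str, int]] = BINDINGS,
        strict: bool = True) -> Tuple[ArpInspector, List[bool]]:
    insp = ArpInspector(bindings=dict(bindings), strict=strict)
    return insp, [insp.inspect(p) for p in packets]


if __name__ == "__main__":
    dai, accepted = run()
    print("DAI mode      :", accepted, dai.alert_counts(), "dropped", dai.dropped)
    watch, accepted = run(bindings={})
    print("arpwatch mode :", accepted, watch.alert_counts(), "dropped", watch.dropped)
```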
The vulnerability statistics of various sniffing attacks, taken from sources like Symantec's Intelligence Report [36], PhishMe [37] and MyCERT [38], are stated in Table 3.
Table 2. List of Network Packet Analyzers/Sniffers

TOOL               TYPE
ENDACE             Deep packet analyser
Wireshark          Network protocol analyzer used for examining data in a static and dynamic network
Tcpdump            Network sniffer used for sorting out network problems
Dsniff             Passively sniffs the network for sensitive information and implements arpspoof, MITM attacks and dnsspoof
Etherpeek          Protocol analyser
Sniffit            Network analyser
etherflood         Designed for the white hat hacking purpose
ETHERCAP           Packet sniffer that launches MITM attacks
Insider            Network scanner
P0f                Examines packets to identify the OS
NetworkMiner       Passive sniffer and forensic analyser of networks
Ettercap           Sniffer that dissects active and passive protocols, identifies MITM attacks and also sniffs dynamic connections
KISMET             Passive sniffer; sniffs UDP, ARP, DHCP, TCP for attacks
Cain and Abel      Sniffer used for cracking passwords that can launch ARP spoofing attacks
NetStumbler        Active sniffer
Ntop               Determines the network status
Ngrep              Packet sniffer; identifies UDP, TCP, ICMP packets
EtherApe           Network traffic monitor/packet sniffer
KisMAC             Network discovery tool; identifies counter attacks to authenticated networks
Aircrack-ng suite  Provides various software for analysis and detection of network packets and creates encrypted packets used for injection
Table 3. Vulnerability statistics of various sniffing attacks

Types of Attacks         Volume    Source
DDoS                     83%       Symantec's Global Intelligence Network, 2016
DDoS by IoT devices      1 Tbps    Symantec's Global Intelligence Network Report on the victim, a French hosting company
Email Phishing           53%       Global email spam rate
Email Spams Detected     ~98K      MyCERT
Spam Containing Virus    1.2K      MyCERT
PhishMe states that, of the various email phishing campaigns delivering malware, email phishing delivering ransomware is the most common (i.e. 93%) by the end of the first quarter of 2016 [36]. ISTR 2017 [35] states that malware created by email phishing was increasing progressively, though email phishing has been reduced from 1 in 220 mails (2015) to 1 in 131 mails (2016).
4. CONCLUSION
An extensive survey of sniffing attacks, the various forms of sniffing, the various ways to sniff and the various sniffing methods has been accomplished. Also the tools used to launch sniffing attacks and the various mitigation factors for the attacks are identified. From this survey it is evident that most of the attacks are contagious to some other attacks. Of the various sniffing attacks, phishing and DDoS were the most devastating attacks, which had exploited a lot of resources. The future study is to focus on implementing a mitigation technique to detect the variants of sniffing attacks.
REFERENCES

[1] Prabadevi B. and Jeyanthi N. “Distributed Denial of Service Attacks and its Effects on Cloud Environment - a Survey”. Proceedings of IEEE 2014 International Symposium on Networks, Computers and Communications, 2014: 1-5.
[2] Douligeris, Christos, and Aikaterini Mitrokotsa. “DDoS attacks and defense mechanisms: classification and state-of-the-art”. Science Direct Computer Networks, 2004; 44(5): 643-666.
[3] S. Dietrich, N. Long, and D. Dittrich. “Analyzing Distributed Denial of Service Tools: The Shaft Case”, in Proceedings of the 14th USENIX Conference on System Administration, New Orleans, Louisiana, United States of America, 2000: 329-340.
[4] John Harauz, Lori M. Kaufman, Bruce Potter. “Data security in the world of cloud computing”. IEEE Conference on Data Security in the World of Cloud Computing, 2009: 61-64.
[5] Information Security — Computer Attacks at Department of Defense Pose Increasing Risks: A Report to Congressional Requesters, 1996.
[6] Anubhi Kulshrestha and Sanjay Kumar Dubey. “A Literature Review on Sniffing Attacks in Computer Network”. International Journal of Advanced Engineering Research and Science, 2014; 1(2): 32-37.
[7] S. Pandey and A. S. Chauhan. “Secure Content Sniffing for Web Browser: A Survey”. International Journal of Advanced Research in Computer and Communication Engineering, 2013; 2(9): 3595-3601.
[8] Syed Imran Ahmed Qadri and Kiran Pandey. “Tag Based Client Side Detection of Content Sniffing Attacks with File Encryption and File Splitter Technique”. International Journal of Advanced Computer Research, 2012; 2(5), No-3: 215-221.
[9] Azeem Mohammed Abdul, Syed Umar. “Attacks of Denial-of-Service on Networks Layer of OSI Model and Maintaining of Security”, Indonesian Journal of Electrical Engineering and Computer Science, 2017; 5(1): 181-186.
[10] Kunal Gopal Thakur, Vishal Shirguppi, Justin Francis and Shazia Ali. “Packet sniffer”, A Seminar Report, 2010.
[11] “Configuring Port-Based Traffic Control”. In: Catalyst 2960 and 2960-S Switch Software Configuration Guide, 12.2(55)SE. CISCO, 2009: 1-18.
[12] Yusuf Bhaiji. “Layer 2 attacks & mitigation techniques”, Cisco Expo, 2009.
[13] Yun Yang and Jia Mi. “Design of DHCP protocol based on access control and SAKA encryption algorithm”. IEEE 2nd International Conference on Computer Engineering and Technology (ICCET), 2010; 6: V6-264, V6-267: 16-18.
[14] Yaibuates M. and Chaisricharoen R. “ICMP based Malicious Attack Identification Method for DHCP”. 2014 4th Joint International Conference on Information and Communication Technology, Electronic and Electrical Engineering (JICTEE), 2014: 1-5.
[15] Dinu, D.D. and Togan M. “DHCP server authentication using digital certificates”, 2014 10th International Conference on Communications (COMM), 2014: 1-6.
[16] H. Altunbasak, S. Krasesser, H. Owen, J. Sokol, and J. Grimminger. “Addressing the weak link between layer 2 and layer 3 in the internet architecture”. Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks, 2004: 417-418.
[17] Marco de Vivo, Gabriela O. de Vivo, Germinal Isern. “Internet security attacks at the basic levels”, ACM SIGOPS Operating Systems Review, 1998; 32(2): 4-15.
[18] Changhua Sun, Chengchen Hu, Yachao Zhou, Xin Xiao and Bin Liu. “A More Accurate Scheme to Detect SYN Flood Attacks”. IEEE INFOCOM Workshops, 2009: 1-2.
[19] Haining Wang, Danlu Zhang and Shin, K.G. “SYN-dog: sniffing SYN flooding sources”. 22nd IEEE International Conference on Distributed Computing Systems, 2002: 421-428.
[20] Lihua Miao, Wei Ding and Jian Gong. “A real-time method for detecting internet-wide SYN flooding attacks”. IEEE International Workshop on Local and Metropolitan Area Networks (LANMAN), 2015: 1-6.
[21] Geetha K. and Sreenath N. “SYN flooding attack — Identification and analysis”. IEEE International Conference on Information Communication and Embedded Systems (ICICES), 2014: 1-7.
[22] Trostle J., Van Besien B. and Pujari A. “Protecting against DNS cache poisoning attacks”, 6th IEEE Workshop on Secure Network Protocols (NPSec), 2010: 25-30.
[23] Yu Xi, Chen Xiaochen and Xu Fangqin. “Recovering and Protecting against DNS Cache Poisoning Attacks”. International Conference on Information Technology, Computer Engineering and Management Sciences (ICM), 2011: 120-123.
[24] Kim H. and Huh J.H. “Detecting DNS-poisoning-based phishing attacks from their network performance characteristics”, IEEE Electronics Letters, 2011; 47(11): 656-658.
[25] Tongguang Ni, Xiaqing Gu and Hongyuan Wang. “Detecting DDoS Attacks Against DNS Servers Using Time Series Analysis”, Indonesian Journal of Electrical Engineering, 2014; 12(1): 753-761.
[26] Dac-Nhuong Le. “DDoS attack Defense in Next Generation Networks using Private Security Policy”, International Journal of Information and Network Security, 2014; 3(3).
[27] Zdrnja, B. “Malicious JavaScript Insertion through ARP Poisoning Attacks”, IEEE Security & Privacy, 2009; 7(3): 72-74.
[28] Nugraha, Beny, Bayu Fitrianto, and Fahraini Bacharuddin. “Mitigating Broadcast Storm on Metro Ethernet Network Using PVST+”. TELKOMNIKA (Telecommunication Computing Electronics and Control), 2016; 14(4): 1559-1564.
[29] www.securityfocus.com/tools.
[30] Kumar S and Tapaswi S. “A centralized detection and prevention technique against ARP poisoning”. 2012 IEEE International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), 2012: 259-264.
[31] Arote P. and Arya K. V. “Detection and Prevention against ARP Poisoning Attack Using Modified ICMP and Voting”, 2015 IEEE International Conference on Computational Intelligence and Networks (CINE), 2015: 136-141.
[32] Tripathi, N. and Mehtre, B. M. “Analysis of various ARP poisoning mitigation techniques: A comparison”, 2014 IEEE International Conference on Control, Instrumentation, Communication and Computational Technologies (ICCICCT), 2014: 125-132.
[33] Trabelsi Zouheir, and Hamza Rahmani. “An Anti-Sniffer Based on ARP Cache Poisoning Attack”, Information Systems Security, 2005; 13(6): 23-36.
[34] http://sectools.org/tag/sniffers/
[35] Mohd Anuar Mat Isa, Habibah Hashim, Syed Farid Syed Adnan, Nur Nabila Mohamed, Yasin Fitri Alias. “Side-Channel Security on Key Exchange Protocol: Timing and Relay Attacks”, Indonesian Journal of Electrical Engineering and Computer Science (IJEECS), 2018; 11(2): 688-695.
[36] Symantec’s 2017 Internet Threat Report: https://www.symantec.com/security-center/threat-report?inid=globalnav_scflyout_istr, ISTR, 2017 Vol. 22.
[37] PhishMe Q1 2016 Malware Review: https://phishme.com/project/phishme-q1-2016-malware-review/, 2016.
[38] MyCERT Incident Statistics. Available at https://www.mycert.org.my/statistics/2017.php, 2017.