IP TRACEBACK Scenarios

Internet Protocol (IP) trace back is the enabling technology to control Internet crime. In this paper, we present novel and practical IP traceback systems which provide a defense system with the ability to find out the real sources of attacking packets that traverse through the network. IP traceback is to find the origin of an IP packet on the Internet without relying on the source IP address field. Due to the trusting nature of the IP protocol, the source IP address of a packet is not authenticated. As a result, the source address in an IP packet can be falsified (IP address spoofing). Spoof IP packets can be used for different attacks. The problem of finding the source of a packet is called the IP traceback problem. IP Traceback is a critical ability for identifying sources of attacks and instituting protection measures for the Internet. Most existing approaches to this problem have been tailored toward DDoS attack detection

Adaptive Response System for Distributed Denial-of-Service Attacks

The continued prevalence and severe damaging effects of the Distributed Denial of Service (DDoS) attacks in today’s Internet raise growing security concerns and call for an immediate response to come up with better solutions to tackle DDoS attacks. The current DDoS prevention mechanisms are usually inflexible and determined attackers with knowledge of these mechanisms, could work around them. Most existing detection and response mechanisms are standalone systems which do not rely on adaptive updates to mitigate attacks. As different responses vary in their “leniency” in treating detected attack traffic, there is a need for an Adaptive Response System. We designed and implemented our DDoS Adaptive ResponsE (DARE) System, which is a distributed DDoS mitigation system capable of executing appropriate detection and mitigation responses automatically and adaptively according to the attacks. It supports easy integrations for both signature-based and anomaly-based detection modules. Additionally, the design of DARE’s individual components takes into consideration the strengths and weaknesses of existing defence mechanisms, and the characteristics and possible future mutations of DDoS attacks. These components consist of an Enhanced TCP SYN Attack Detector and Bloom-based Filter, a DDoS Flooding Attack Detector and Flow Identifier, and a Non Intrusive IP Traceback mechanism. The components work together interactively to adapt the detections and responses in accordance to the attack types. Experiments conducted on DARE show that the attack detection and mitigation are successfully completed within seconds, with about 60% to 86% of the attack traffic being dropped, while availability for legitimate and new legitimate requests is maintained. DARE is able to detect and trigger appropriate responses in accordance to the attacks being launched with high accuracy, effectiveness and efficiency. We also designed and implemented a Traffic Redirection Attack Protection System (TRAPS), a stand-alone DDoS attack detection and mitigation system for IPv6 networks. In TRAPS, the victim under attack verifies the authenticity of the source by performing virtual relocations to differentiate the legitimate traffic from the attack traffic. TRAPS requires minimal deployment effort and does not require modifications to the Internet infrastructure due to its incorporation of the Mobile IPv6 protocol. Experiments to test the feasibility of TRAPS were carried out in a testbed environment to verify that it would work with the existing Mobile IPv6 implementation. It was observed that the operations of each module were functioning correctly and TRAPS was able to successfully mitigate an attack launched with spoofed source IP addresses

Towards IP traceback based defense against DDoS attacks.

Lau Nga Sin.Thesis (M.Phil.)--Chinese University of Hong Kong, 2004.Includes bibliographical references (leaves 101-110).Abstracts in English and Chinese.Abstract --- p.iAcknowledgement --- p.ivChapter 1 --- Introduction --- p.1Chapter 1.1 --- Research Motivation --- p.2Chapter 1.2 --- Problem Statement --- p.3Chapter 1.3 --- Research Objectives --- p.4Chapter 1.4 --- Structure of the Thesis --- p.6Chapter 2 --- Background Study on DDoS Attacks --- p.8Chapter 2.1 --- Distributed Denial of Service Attacks --- p.8Chapter 2.1.1 --- DDoS Attack Architecture --- p.9Chapter 2.1.2 --- DDoS Attack Taxonomy --- p.11Chapter 2.1.3 --- DDoS Tools --- p.19Chapter 2.1.4 --- DDoS Detection --- p.21Chapter 2.2 --- DDoS Countermeasure: Attack Source Traceback --- p.23Chapter 2.2.1 --- Link Testing --- p.23Chapter 2.2.2 --- Logging --- p.24Chapter 2.2.3 --- ICMP-based traceback --- p.26Chapter 2.2.4 --- Packet marking --- p.28Chapter 2.2.5 --- Comparison of various IP Traceback Schemes --- p.31Chapter 2.3 --- DDoS Countermeasure: Packet Filtering --- p.33Chapter 2.3.1 --- Ingress Filtering --- p.33Chapter 2.3.2 --- Egress Filtering --- p.34Chapter 2.3.3 --- Route-based Packet Filtering --- p.35Chapter 2.3.4 --- IP Traceback-based Packet Filtering --- p.36Chapter 2.3.5 --- Router-based Pushback --- p.37Chapter 3 --- Domain-based IP Traceback Scheme --- p.40Chapter 3.1 --- Overview of our IP Traceback Scheme --- p.41Chapter 3.2 --- Assumptions --- p.44Chapter 3.3 --- Proposed Packet Marking Scheme --- p.45Chapter 3.3.1 --- IP Markings with Edge Sampling --- p.46Chapter 3.3.2 --- Domain-based Design Motivation --- p.48Chapter 3.3.3 --- Mathematical Principle --- p.49Chapter 3.3.4 --- Marking Mechanism --- p.51Chapter 3.3.5 --- Storage Space of the Marking Fields --- p.56Chapter 3.3.6 --- Packet Marking Integrity --- p.57Chapter 3.3.7 --- Path Reconstruction --- p.58Chapter 4 --- Route-based Packet Filtering Scheme --- p.62Chapter 4.1 --- Placement of Filters --- p.63Chapter 4.1.1 --- At Sources' Networks --- p.64Chapter 4.1.2 --- At Victim's Network --- p.64Chapter 4.2 --- Proposed Packet Filtering Scheme --- p.65Chapter 4.2.1 --- Classification of Packets --- p.66Chapter 4.2.2 --- Filtering Mechanism --- p.67Chapter 5 --- Performance Evaluation --- p.70Chapter 5.1 --- Simulation Setup --- p.70Chapter 5.2 --- Experiments on IP Traceback Scheme --- p.72Chapter 5.2.1 --- Performance Metrics --- p.72Chapter 5.2.2 --- Choice of Marking Probabilities --- p.73Chapter 5.2.3 --- Experimental Results --- p.75Chapter 5.3 --- Experiments on Packet Filtering Scheme --- p.82Chapter 5.3.1 --- Performance Metrics --- p.82Chapter 5.3.2 --- Choices of Filtering Probabilities --- p.84Chapter 5.3.3 --- Experimental Results --- p.85Chapter 5.4 --- Deployment Issues --- p.91Chapter 5.4.1 --- Backward Compatibility --- p.91Chapter 5.4.2 --- Processing Overheads to the Routers and Network --- p.93Chapter 5.5 --- Evaluations --- p.95Chapter 6 --- Conclusion --- p.96Chapter 6.1 --- Contributions --- p.96Chapter 6.2 --- Discussions and future work --- p.99Bibliography --- p.11

A composable approach to design of newer techniques for large-scale denial-of-service attack attribution

Since its early days, the Internet has witnessed not only a phenomenal growth, but also a large number of security attacks, and in recent years, denial-of-service (DoS) attacks have emerged as one of the top threats. The stateless and destination-oriented Internet routing combined with the ability to harness a large number of compromised machines and the relative ease and low costs of launching such attacks has made this a hard problem to address. Additionally, the myriad requirements of scalability, incremental deployment, adequate user privacy protections, and appropriate economic incentives has further complicated the design of DDoS defense mechanisms. While the many research proposals to date have focussed differently on prevention, mitigation, or traceback of DDoS attacks, the lack of a comprehensive approach satisfying the different design criteria for successful attack attribution is indeed disturbing. Our first contribution here has been the design of a composable data model that has helped us represent the various dimensions of the attack attribution problem, particularly the performance attributes of accuracy, effectiveness, speed and overhead, as orthogonal and mutually independent design considerations. We have then designed custom optimizations along each of these dimensions, and have further integrated them into a single composite model, to provide strong performance guarantees. Thus, the proposed model has given us a single framework that can not only address the individual shortcomings of the various known attack attribution techniques, but also provide a more wholesome counter-measure against DDoS attacks. Our second contribution here has been a concrete implementation based on the proposed composable data model, having adopted a graph-theoretic approach to identify and subsequently stitch together individual edge fragments in the Internet graph to reveal the true routing path of any network data packet. The proposed approach has been analyzed through theoretical and experimental evaluation across multiple metrics, including scalability, incremental deployment, speed and efficiency of the distributed algorithm, and finally the total overhead associated with its deployment. We have thereby shown that it is realistically feasible to provide strong performance and scalability guarantees for Internet-wide attack attribution. Our third contribution here has further advanced the state of the art by directly identifying individual path fragments in the Internet graph, having adopted a distributed divide-and-conquer approach employing simple recurrence relations as individual building blocks. A detailed analysis of the proposed approach on real-life Internet topologies with respect to network storage and traffic overhead, has provided a more realistic characterization. Thus, not only does the proposed approach lend well for simplified operations at scale but can also provide robust network-wide performance and security guarantees for Internet-wide attack attribution. Our final contribution here has introduced the notion of anonymity in the overall attack attribution process to significantly broaden its scope. The highly invasive nature of wide-spread data gathering for network traceback continues to violate one of the key principles of Internet use today - the ability to stay anonymous and operate freely without retribution. In this regard, we have successfully reconciled these mutually divergent requirements to make it not only economically feasible and politically viable but also socially acceptable. This work opens up several directions for future research - analysis of existing attack attribution techniques to identify further scope for improvements, incorporation of newer attributes into the design framework of the composable data model abstraction, and finally design of newer attack attribution techniques that comprehensively integrate the various attack prevention, mitigation and traceback techniques in an efficient manner

IP traceback marking scheme based DDoS defense.

Ping Yan.Thesis submitted in: December 2004.Thesis (M.Phil.)--Chinese University of Hong Kong, 2005.Includes bibliographical references (leaves 93-100).Abstracts in English and Chinese.Abstract --- p.iAcknowledgement --- p.iiiChapter 1 --- INTRODUCTION --- p.1Chapter 1.1 --- The Problem --- p.1Chapter 1.2 --- Research Motivations and Objectives --- p.3Chapter 1.3 --- The Rationale --- p.8Chapter 1.4 --- Thesis Organization --- p.9Chapter 2 --- BACKGROUND STUDY --- p.10Chapter 2.1 --- Distributed Denial of Service Attacks --- p.10Chapter 2.1.1 --- Taxonomy of DoS and DDoS Attacks --- p.13Chapter 2.2 --- IP Traceback --- p.17Chapter 2.2.1 --- Assumptions --- p.18Chapter 2.2.2 --- Problem Model and Performance Metrics --- p.20Chapter 2.3 --- IP Traceback Proposals --- p.24Chapter 2.3.1 --- Probabilistic Packet Marking (PPM) --- p.24Chapter 2.3.2 --- ICMP Traceback Messaging --- p.26Chapter 2.3.3 --- Logging --- p.27Chapter 2.3.4 --- Tracing Hop-by-hop --- p.29Chapter 2.3.5 --- Controlled Flooding --- p.30Chapter 2.4 --- DDoS Attack Countermeasures --- p.30Chapter 2.4.1 --- Ingress/Egress Filtering --- p.33Chapter 2.4.2 --- Route-based Distributed Packet Filtering (DPF) --- p.34Chapter 2.4.3 --- IP Traceback Based Intelligent Packet Filtering --- p.35Chapter 2.4.4 --- Source-end DDoS Attack Recognition and Defense --- p.36Chapter 2.4.5 --- Classification of DDoS Defense Methods --- p.38Chapter 3 --- ADAPTIVE PACKET MARKING SCHEME --- p.41Chapter 3.1 --- Scheme Overview --- p.41Chapter 3.2 --- Adaptive Packet Marking Scheme --- p.44Chapter 3.2.1 --- Design Motivation --- p.44Chapter 3.2.2 --- Marking Algorithm Basics --- p.46Chapter 3.2.3 --- Domain id Marking --- p.49Chapter 3.2.4 --- Router id Marking --- p.51Chapter 3.2.5 --- Attack Graph Reconstruction --- p.53Chapter 3.2.6 --- IP Header Overloading --- p.56Chapter 3.3 --- Experiments on the Packet Marking Scheme --- p.59Chapter 3.3.1 --- Simulation Set-up --- p.59Chapter 3.3.2 --- Experimental Results and Analysis --- p.61Chapter 4 --- DDoS DEFENSE SCHEMES --- p.67Chapter 4.1 --- Scheme I: Packet Filtering at Victim-end --- p.68Chapter 4.1.1 --- Packet Marking Scheme Modification --- p.68Chapter 4.1.2 --- Packet Filtering Algorithm --- p.69Chapter 4.1.3 --- Determining the Filtering Probabilities --- p.70Chapter 4.1.4 --- Suppressing Packets Filtering with did Markings from Nearby Routers --- p.73Chapter 4.2 --- Scheme II: Rate Limiting at the Sources --- p.73Chapter 4.2.1 --- Algorithm of the Rate-limiting Scheme --- p.74Chapter 4.3 --- Performance Measurements for Scheme I & Scheme II . --- p.77Chapter 5 --- CONCLUSION --- p.87Chapter 5.1 --- Contributions --- p.87Chapter 5.2 --- Discussion and Future Work --- p.91Bibliography --- p.10

Enhancing the security of wireless sensor network based home automation systems

Home automation systems (HASs)seek to improve the quality of life for individuals through the automation of household devices. Recently, there has been a trend, in academia and industry, to research and develop low-cost Wireless Sensor Network (WSN) based HASs (Varchola et al. 2007). WSNs are designed to achieve a low-cost wireless networking solution, through the incorporation of limited processing, memory, and power resources. Consequently, providing secure and reliable remote access for resource limited WSNs, such as WSN based HASs, poses a significant challenge (Perrig et al. 2004). This thesis introduces the development of a hybrid communications approach to increase the resistance of WSN based HASs to remote DoS flooding attacks targeted against a third party. The approach is benchmarked against the dominant GHS remote access approach for WSN based HASs (Bergstrom et al. 2001), on a WSN based HAS test-bed, and shown to provide a minimum of a 58.28%, on average 59.85%, and a maximum of 61.45% increase in remote service availability during a DoS attack. Additionally, a virtual home incorporating a cryptographic based DoS detection algorithm, is developed to increase resistance to remote DoS flooding attacks targeted directly at WSN based HASs. The approach is benchmarked against D-WARD (Mirkovic 2003), the most effective DoS defence identified from the research, and shown to provide a minimum 84.70%, an average 91.13% and a maximum 95.6% reduction in packets loss on a WSN based HAS during a DoS flooding attack. Moreover, the approach is extended with the integration of a virtual home, hybrid communication approach, and a distributed denial of defence server to increase resistance to remote DoS attacks targeting the home gateway. The approach is again benchmarked against the D-WARD defence and shown to decrease the connection latency experienced by remote users by a minimum of 90.14%, an average 90.90%, and a maximum 91.88%.EThOS - Electronic Theses Online ServiceGBUnited Kingdo

A Defense Framework Against Denial-of-Service in Computer Networks

Denial-of-Service (DoS) is a computer security problem that poses a serious challenge totrustworthiness of services deployed over computer networks. The aim of DoS attacks isto make services unavailable to legitimate users, and current network architectures alloweasy-to-launch, hard-to-stop DoS attacks. Particularly challenging are the service-level DoSattacks, whereby the victim service is flooded with legitimate-like requests, and the jammingattack, in which wireless communication is blocked by malicious radio interference. Theseattacks are overwhelming even for massively-resourced services, and effective and efficientdefenses are highly needed. This work contributes a novel defense framework, which I call dodging, against service-level DoS and wireless jamming. Dodging has two components: (1) the careful assignment ofservers to clients to achieve accurate and quick identification of service-level DoS attackersand (2) the continuous and unpredictable-to-attackers reconfiguration of the client-serverassignment and the radio-channel mapping to withstand service-level and jamming DoSattacks. Dodging creates hard-to-evade baits, or traps, and dilutes the attack "fire power".The traps identify the attackers when they violate the mapping function and even when theyattack while correctly following the mapping function. Moreover, dodging keeps attackers"in the dark", trying to follow the unpredictably changing mapping. They may hit a fewtimes but lose "precious" time before they are identified and stopped. Three dodging-based DoS defense algorithms are developed in this work. They are moreresource-efficient than state-of-the-art DoS detection and mitigation techniques. Honeybees combines channel hopping and error-correcting codes to achieve bandwidth-efficientand energy-efficient mitigation of jamming in multi-radio networks. In roaming honeypots, dodging enables the camouflaging of honeypots, or trap machines, as real servers,making it hard for attackers to locate and avoid the traps. Furthermore, shuffling requestsover servers opens up windows of opportunity, during which legitimate requests are serviced.Live baiting, efficiently identifies service-level DoS attackers by employing results fromthe group-testing theory, discovering defective members in a population using the minimumnumber of tests. The cost and benefit of the dodging algorithms are analyzed theoretically,in simulation, and using prototype experiments