A Novel IP Traceback Scheme for Spoofing Attack

Internet has been widely applied in various fields, more and more network security issues emerge and catch people\u27s attention. However, adversaries often hide themselves by spoofing their own IP addresses and then launch attacks. For this reason, researchers have proposed a lot of trace back schemes to trace the source of these attacks. Some use only one packet in their packet logging schemes to achieve IP tracking. Others combine packet marking with packet logging and therefore create hybrid IP trace back schemes demanding less storage but requiring a longer search. In this paper, we propose a new hybrid IP trace back scheme with efficient packet logging aiming to have a fixed storage requirement for each router in packet logging without the need to refresh the logged tracking information and to achieve zero false positive and false negative rates in attack-path reconstruction

A Logarithmic and Exponentiation Based IP Traceback Scheme with Zero Logging and Storage Overhead

IP spoofing is sending Internet Protocol (IP) packets with a forged source IP address to conceal the identity of the sender. A Denial-of-Service attack is an attempt to make a machine unavailable to the intended users. This attack employs IP Spoofing to flood the victim with overwhelming traffic, thus bringing it down. To prevent such attacks, it is essential to find out the real source of these attacks. IP Traceback is a technique for reliably determining the true origin of a packet. To traceback, a marking and a traceback algorithm are proposed here which use logarithmic and exponentiation respectively. The time required for marking and traceback has been evaluated and compared with state-of-art techniques. The percentage of increase in marking information is found to be very less in the proposed system. It is also demonstrated that the proposed system does not require logging at any of the intermediate routers thus leading to zero logging and storage overhead. The system also provides 100% traceback accuracy

Locating Network Domain Entry and Exit point/path for DDoS Attack Traffic

A method to determine entry and exit points or paths of DDoS attack traffic flows into and out of network domains is proposed. We observe valid source addresses seen by routers from sampled traffic under non-attack conditions. Under attack conditions, we detect route anomalies by determining which routers have been used for unknown source addresses, to construct the attack paths. We consider deployment issues and show results from simulations to prove the feasibility of our scheme. We then implement our Traceback mechanism in C++ and more realistic experiments are conducted. The experiments show that accurate results, with high traceback speed of a few seconds, are achieved. Compared to existing techniques, our approach is non-intrusive, not requiring any changes to the Internet routers and data packets. Precise information regarding the attack is not required allowing a wide variety of DDoS attack detection techniques to be used. The victim is also relieved from the traceback task during an attack. The scheme is simple and efficient, allowing for a fast traceback, and scalable due to the distribution of processing workload. © 2009 IEEE.Accepted versio

IP TRACEBACK Scenarios

Internet Protocol (IP) trace back is the enabling technology to control Internet crime. In this paper, we present novel and practical IP traceback systems which provide a defense system with the ability to find out the real sources of attacking packets that traverse through the network. IP traceback is to find the origin of an IP packet on the Internet without relying on the source IP address field. Due to the trusting nature of the IP protocol, the source IP address of a packet is not authenticated. As a result, the source address in an IP packet can be falsified (IP address spoofing). Spoof IP packets can be used for different attacks. The problem of finding the source of a packet is called the IP traceback problem. IP Traceback is a critical ability for identifying sources of attacks and instituting protection measures for the Internet. Most existing approaches to this problem have been tailored toward DDoS attack detection

IP traceback with deterministic packet marking DPM

In this dissertation, a novel approach to Internet Protocol (IP) Traceback - Deterministic Packet Marking (DPM) is presented. The proposed approach is scalable, simple to implement, and introduces no bandwidth and practically no processing overhead on the network equipment. It is capable of tracing thousands of simultaneous attackers during a Distributed Denial of Service (DDoS) attack. Given sufficient deployment on the Internet, DPM is capable of tracing back to the slaves for DDoS attacks which involve reflectors. Most of the processing is done at the victim. The traceback process can be performed post-mortem, which allows for tracing the attacks that may not have been noticed initially or the attacks which would deny service to the victim, so that traceback is impossible in real time. Deterministic Packet Marking does not introduce the errors for the reassembly errors usually associated with other packet marking schemes. More than 99.99% of fragmented traffic will not be affected by DPM. The involvement of the Internet service providers (ISP) is very limited, and changes to the infrastructure and operation required to deploy DPM are minimal. Deterministic Packet Marking performs the traceback without revealing the internal topology of the provider\u27s network, which is a desirable quality of a traceback scheme

Network domain entrypoint/path determination for DDoS attacks

Accepted versio