An approach in identifying and tracing back spoofed IP packets to their sources

With internet expanding in every aspect of businesses infrastructure, it becomes more and more important to make these businesses infrastructures safe and secure to the numerous attacks perpetrated on them conspicuously when it comes to denial of service (DoS) attacks. A Dos attack can be summarized as an effort carried out by either a person or a group of individual to suppress a particular outline service. This can hence be achieved by using and manipulating packets which are sent out using the IP protocol included into the IP address of the sending party. However, one of the major drawbacks is that the IP protocol is not able to verify the accuracy of the address and has got no method to validate the authenticity of the sender’s packet. Knowing how this works, an attacker can hence fabricate any source address to gain unauthorized access to critical information. In the event that attackers can manipulate this lacking for numerous targeted attacks, it would be wise and safe to determine whether the network traffic has got spoofed packets and how to traceback. IP traceback has been quite active specially with the DOS attacks therefore this paper will be focusing on the different types of attacks involving spoofed packets and also numerous methods that can help in identifying whether packet have spoofed source addresses based on both active and passive host based methods and on the router-based methods

Scalable schemes against Distributed Denial of Service attacks

Defense against Distributed Denial of Service (DDoS) attacks is one of the primary concerns on the Internet today. DDoS attacks are difficult to prevent because of the open, interconnected nature of the Internet and its underlying protocols, which can be used in several ways to deny service. Attackers hide their identity by using third parties such as private chat channels on IRC (Internet Relay Chat). They also insert false return IP address, spoofing, in a packet which makes it difficult for the victim to determine the packet\u27s origin. We propose three novel and realistic traceback mechanisms which offer many advantages over the existing schemes. All the three schemes take advantage of the Autonomous System topology and consider the fact that the attacker\u27s packets may traverse through a number of domains under different administrative control. Most of the traceback mechanisms make wrong assumptions that the network details of a company under an administrative control are disclosed to the public. For security reasons, this is not the case most of the times. The proposed schemes overcome this drawback by considering reconstruction at the inter and intra AS levels. Hierarchical Internet Traceback (HIT) and Simple Traceback Mechanism (STM) trace back to an attacker in two phases. In the first phase the attack originating Autonomous System is identified while in the second phase the attacker within an AS is identified. Both the schemes, HIT and STM, allow the victim to trace back to the attackers in a few seconds. Their computational overhead is very low and they scale to large distributed attacks with thousands of attackers. Fast Autonomous System Traceback allows complete attack path reconstruction with few packets. We use traceroute maps of real Internet topologies CAIDA\u27s skitter to simulate DDoS attacks and validate our design

A Logarithmic and Exponentiation Based IP Traceback Scheme with Zero Logging and Storage Overhead

IP spoofing is sending Internet Protocol (IP) packets with a forged source IP address to conceal the identity of the sender. A Denial-of-Service attack is an attempt to make a machine unavailable to the intended users. This attack employs IP Spoofing to flood the victim with overwhelming traffic, thus bringing it down. To prevent such attacks, it is essential to find out the real source of these attacks. IP Traceback is a technique for reliably determining the true origin of a packet. To traceback, a marking and a traceback algorithm are proposed here which use logarithmic and exponentiation respectively. The time required for marking and traceback has been evaluated and compared with state-of-art techniques. The percentage of increase in marking information is found to be very less in the proposed system. It is also demonstrated that the proposed system does not require logging at any of the intermediate routers thus leading to zero logging and storage overhead. The system also provides 100% traceback accuracy

Towards Loop-Free Forwarding of Anonymous Internet Datagrams that Enforce Provenance

The way in which addressing and forwarding are implemented in the Internet constitutes one of its biggest privacy and security challenges. The fact that source addresses in Internet datagrams cannot be trusted makes the IP Internet inherently vulnerable to DoS and DDoS attacks. The Internet forwarding plane is open to attacks to the privacy of datagram sources, because source addresses in Internet datagrams have global scope. The fact an Internet datagrams are forwarded based solely on the destination addresses stated in datagram headers and the next hops stored in the forwarding information bases (FIB) of relaying routers allows Internet datagrams to traverse loops, which wastes resources and leaves the Internet open to further attacks. We introduce PEAR (Provenance Enforcement through Addressing and Routing), a new approach for addressing and forwarding of Internet datagrams that enables anonymous forwarding of Internet datagrams, eliminates many of the existing DDoS attacks on the IP Internet, and prevents Internet datagrams from looping, even in the presence of routing-table loops.Comment: Proceedings of IEEE Globecom 2016, 4-8 December 2016, Washington, D.C., US

Detecting and tracing slow attacks on mobile phone user service

The lower bandwidth of mobile devices has until recently filtered the range of attacks on the Internet. However, recent research shows that DOS and DDOS attacks, worms and viruses, and a whole range of social engineering attacks are impacting on broadband smartphone users. In our research we have developed a metric-based system to detect the traditional slow attacks that can be effective using limited resources, and then employed combinations of Internet trace back techniques to identify sources of attacks. Our research question asked: What defence mechanisms are effective? We critically evaluate the available literature to appraise the current state of the problem area and then propose an innovative solution for the detection and investigation of attacks

On mitigating distributed denial of service attacks

Denial of service (DoS) attacks and distributed denial of service (DDoS) attacks are probably the most ferocious threats in the Internet, resulting in tremendous economic and social implications/impacts on our daily lives that are increasingly depending on the wellbeing of the Internet. How to mitigate these attacks effectively and efficiently has become an active research area. The critical issues here include 1) IP spoofing, i.e., forged source lIP addresses are routinely employed to conceal the identities of the attack sources and deter the efforts of detection, defense, and tracing; 2) the distributed nature, that is, hundreds or thousands of compromised hosts are orchestrated to attack the victim synchronously. Other related issues are scalability, lack of incentives to deploy a new scheme, and the effectiveness under partial deployment. This dissertation investigates and proposes effective schemes to mitigate DDoS attacks. It is comprised of three parts. The first part introduces the classification of DDoS attacks and the evaluation of previous schemes. The second part presents the proposed IP traceback scheme, namely, autonomous system-based edge marking (ASEM). ASEM enhances probabilistic packet marking (PPM) in several aspects: (1) ASEM is capable of addressing large-scale DDoS attacks efficiently; (2) ASEM is capable of handling spoofed marking from the attacker and spurious marking incurred by subverted routers, which is a unique and critical feature; (3) ASEM can significantly reduce the number of marked packets required for path reconstruction and suppress false positives as well. The third part presents the proposed DDoS defense mechanisms, including the four-color-theorem based path marking, and a comprehensive framework for DDoS defense. The salient features of the framework include (1) it is designed to tackle a wide spectrum of DDoS attacks rather than a specified one, and (2) it can differentiate malicious traffic from normal ones. The receiver-center design avoids several related issues such as scalability, and lack of incentives to deploy a new scheme. Finally, conclusions are drawn and future works are discussed