You Can Run, But You Can't Hide: An Effective Statistical Methodology to Trace Back DDoS Attackers
September 2005 (vol. 16 no. 9)
pp. 799-813
David K.Y. Yau, IEEE Computer Society

Abstract—There is currently an urgent need for effective solutions against distributed denial-of-service (DDoS) attacks directed at many well-known Web sites. Because of the increased sophistication and severity of these attacks, the system administrator of a victim site needs to quickly and accurately identify the probable attackers and eliminate the attack traffic. Our work is based on a probabilistic marking algorithm in which an attack graph can be constructed by a victim site. We extend the basic concept such that one can quickly and efficiently deduce the intensity of the "local traffic" generated at each router in the attack graph based on the volume of marked packets received at the victim site. Given the intensities of these local traffic rates, we can rank the local traffic and identify the network domains generating most of the attack traffic. We present our traceback and attacker identification algorithms. We also provide a theoretical framework to determine the minimum stable time t_{min}, which is the minimum time needed to accurately determine the locations of attackers and the local traffic rates of participating routers in the attack graph. Extensive experiments are carried out to illustrate that one can accurately determine the minimum stable time t_{min} and, at the same time, determine the location of attackers under various threshold parameters, network diameters, attack traffic distributions, on/off patterns, and network traffic conditions.
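The abstract describes inverting a probabilistic marking scheme: from the number of marked packets the victim attributes to each router, estimate the traffic flowing through that router, then subtract the upstream routers' traffic to get each router's "local" contribution and rank the domains. The following simulation is an added example, not the paper's own algorithm or code. It assumes a Savage-style node-sampling marking model (each router overwrites the mark with probability p) and uses a constructed five-router attack tree with constructed local attack rates; the minimum-stable-time helper simply reports the shortest simulated duration at which the ranking already matches the long-run ranking, which is a crude stand-in for the paper's analytical t_{min}.

```python
"""Probabilistic packet marking (PPM) traceback simulation: estimate per-router
local attack traffic from marked-packet counts seen at the victim.
Added example with constructed topology, rates and marking probability; it
reconstructs the idea in the abstract, not the paper's exact algorithm."""
import random
from collections import Counter

# Constructed attack graph: a tree rooted at the victim. Each router maps to
# its next hop toward the victim.
PARENT = {"R1": "victim", "R2": "R1", "R3": "R1", "R4": "R2", "R5": "R2"}
# Constructed local attack traffic rate (packets per time unit) injected at each router.
LOCAL_RATE = {"R1": 0.0, "R2": 50.0, "R3": 100.0, "R4": 200.0, "R5": 10.0}
MARK_PROB = 0.1  # assumed per-router marking probability p (node sampling)


def path_to_victim(router):
    """Routers traversed from `router` to the victim, origin first."""
    path, node = [], router
    while node != "victim":
        path.append(node)
        node = PARENT[node]
    return path


def distance(router):
    """Hop count d from the victim (the victim's neighbour has d = 1)."""
    return len(path_to_victim(router))


def forward_with_marking(origin, rng):
    """Forward one packet; each router on the path overwrites the mark field
    with its own id with probability p. Returns the id the victim sees."""
    mark = None
    for router in path_to_victim(origin):
        if rng.random() < MARK_PROB:
            mark = router
    return mark


def simulate(duration, rng):
    """Inject LOCAL_RATE * duration packets at each router; count marks at the victim."""
    marks = Counter()
    for router, rate in LOCAL_RATE.items():
        for _ in range(int(rate * duration)):
            m = forward_with_marking(router, rng)
            if m is not None:
                marks[m] += 1
    return marks


def estimate_throughput(marks, duration):
    """Invert the marking process: a mark from the router at distance d survives
    to the victim with probability p(1-p)^(d-1), so traffic through that
    router is marks / (p(1-p)^(d-1) * duration)."""
    est = {}
    for router in PARENT:
        d = distance(router)
        survival = MARK_PROB * (1 - MARK_PROB) ** (d - 1)
        est[router] = marks[router] / (survival * duration)
    return est


def estimate_local_rates(throughput):
    """Local traffic at r = traffic through r minus traffic through r's
    immediate upstream neighbours (its children in the attack tree)."""
    children = {r: [] for r in PARENT}
    for r, p in PARENT.items():
        if p != "victim":
            children[p].append(r)
    return {r: throughput[r] - sum(throughput[c] for c in children[r]) for r in PARENT}


def rank_attack_domains(local_rates, threshold):
    """Routers whose estimated local attack rate meets the threshold, highest first."""
    ranked = sorted(local_rates.items(), key=lambda kv: kv[1], reverse=True)
    return [r for r, rate in ranked if rate >= threshold]


def run_traceback(duration, seed):
    """Full pipeline for one observation window; returns estimated local rates."""
    rng = random.Random(seed)
    return estimate_local_rates(estimate_throughput(simulate(duration, rng), duration))


def first_stable_duration(durations, seed, threshold):
    """Smallest duration whose ranking equals the ranking at the longest
    duration (a crude empirical stand-in for the paper's minimum stable time)."""
    rankings = {d: rank_attack_domains(run_traceback(d, seed), threshold) for d in durations}
    reference = rankings[max(durations)]
    return min(d for d in durations if rankings[d] == reference)


if __name__ == "__main__":
    local = run_traceback(200, 7)
    for r in PARENT:
        print(f"{r}: true local {LOCAL_RATE[r]:6.1f}  estimated {local[r]:6.1f}")
    print("Ranked attack domains:", rank_attack_domains(local, 30))
    print("First stable window:", first_stable_duration([5, 10, 20, 50, 100, 200], 7, 30))
```

The subtraction step is where estimation noise bites: a router close to the victim carries everything upstream, so its local rate is a small difference of two large estimates, and that is why a sufficiently long observation window (the paper's t_{min}) is needed before the ranking can be trusted.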

[1] Internet scanning database, index.html, 1999.
[2] “Computer Emergency Response Team, Cert Advisory ca-2000-01: Denial-of-Service Developments,” advisoriesca-2000-01.html , 2000.
[3] S. Bellovin, “Security Problems in the TCP/IP Protocol Suite,” Computer Comm. Rev., pp. 32-48, 1989.
[4] H. Burch and B. Cheswick, “Tracing Anonymous Packets to their Approximate Source,” Usenix LISA, Dec. 2000.
[5] R.L. Burden and J.D. Faires, Numerical Analysis. Boston: PWS-Kent Publishing Company, 1988.
[6] D. Dean, M. Franklin, and A. Stubblefield, “An Algebraic Approach to IP Traceback,” Proc. Network and Distributed System Security Symp. (NDSS '01), Feb. 2001.
[7] P. Ferguson and D. Senie, “RFC 2267: Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing,” The Internet Society, Jan. 1998.
[8] J. Howard, “An Analysis of Security Incidents on the Internet,” PhD thesis, Carnegie Mellon Univ., Aug. 1998.
[9] K.T. Law, J.C.S. Lui, and D.K.Y. Yau, “You Can Run, But You Can't Hide: An Effective Methodology to Traceback DDOS Attackers,” Technical Report CS-TR-2002-06, Computer Science Eng. Dept., Chinese Univ. Hong Kong, 2002.
[10] A. Mankin, D. Massey, C.-L. Wu, S.F. Wu, and L. Zhang, “On Design and Evaluation of Intention-Driven ICMP Traceback,” Proc. IEEE Int'l Conf. Computer Comm. and Networks, 2001.
[11] R. Nelson, Probability, Stochastic Processes, and Queueing Theory: The Mathematics of Computer Performance Modeling. Springer-Verlag, 1995.
[12] T. Peng, C. Leckie, and R. Kotagiri, “Adjusted Probabilistic Packet Marking for IP Traceback,” Proc. Conf. Networking, May 2002.
[13] S.M. Ross, Stochastic Processes. John Wiley, 1996.
[14] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, “Practical Network Support for IP Traceback,” Proc. 2000 ACM SIGCOMM Conf., pp. 295-306, Aug. 2000.
[15] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, “Network Support for IP Traceback,” ACM/IEEE Trans. Networking, vol. 9, no. 3, June 2001.
[16] A.C. Snoeren, C. Partridge, L.A. Sanchez, C.E. Jones, F. Tchakountio, S.T. Kent, and W.T. Strayer, “Hash-Based IP Traceback,” Proc. ACM SIGCOMM 2001 Conf. Applications, Technologies, Architectures, and Protocols for Computer Comm., Aug. 2001.
[17] D.X. Song and A. Perrig, “Advanced and Authenticated Marking Schemes for IP Traceback,” Proc. IEEE INFOCOM Conf., Apr. 2001.
[18] S.M. Bellovin, “ICMP Traceback Messages,” Internet Draft, draft-bellovin-itrace-00.txt, Mar. 2000.
[19] R. Stone, “Centertrack: An IP Overlay Network for Tracking DOS Floods,” Proc. Ninth USENIX Security Symp., Aug. 2000.
[20] S.F. Wu, L. Zhang, D. Massey, and A. Mankin, “Intention-Driven ICMP Trace-Back, Internet Draft,” draft-wu-itrace-intention-00.txt, Feb. 2001.
[21] D.K.Y. Yau, J.C.S. Lui, and F. Liang, “Defending against Distributed Denial-of-Service Attacks with Max-Min Fair Server-Centric Router Throttles,” Proc. IEEE Int'l Workshop Quality of Service (IWQoS), May 2002.
[22] D.K.Y. Yau, J.C.S. Lui, F. Liang, and Y. Yeung, “Defending against Distributed Denial-of-Service Attacks with Max-Min Fair Server-Centric Router Throttles,” Proc. 10th IEEE Int'l Workshop Quality of Service, 2002.

Index Terms:
DDoS attack, traceback, attack traffic filtering, minimum stable time.
Terence K.T. Law, John C.S. Lui, David K.Y. Yau, "You Can Run, But You Can't Hide: An Effective Statistical Methodology to Trace Back DDoS Attackers," IEEE Transactions on Parallel and Distributed Systems, vol. 16, no. 9, pp. 799-813, Sept. 2005, doi:10.1109/TPDS.2005.114