A More Practical Approach for Single-Packet IP Traceback using Packet Logging and Marking
October 2008 (vol. 19 no. 10)
pp. 1310-1324
Tracing IP packets to their origins is an important step in defending the Internet against denial-of-service attacks. Two kinds of IP traceback techniques have been proposed: packet marking and packet logging. In packet marking, routers probabilistically write their identification information into forwarded packets. This approach incurs little overhead but requires a large flow of packets to collect the complete path information. In packet logging, routers record digests of the forwarded packets. This approach makes it possible to trace a single packet and is considered more powerful. At routers forwarding a large volume of traffic, the high storage overhead and access time requirements for recording packet digests introduce practicality problems. In this paper, we present a novel scheme to improve the practicality of log-based IP traceback by reducing its overhead on routers. Our approach makes intelligent use of packet marking to improve the scalability of log-based IP traceback. We use mathematical analysis and simulations to evaluate our approach. Our evaluation results show that, compared to the state-of-the-art log-based approach called hash-based IP traceback, our approach maintains the ability to trace a single IP packet while reducing the storage overhead by half and the access time overhead by a factor of the number of neighboring routers.

Index Terms:
Infrastructure protection, Network-level security and protection, Network Protocols, Network Operations, Internetworking, Protocols
Citation:
Chao Gong, Kamil Sarac, "A More Practical Approach for Single-Packet IP Traceback using Packet Logging and Marking," IEEE Transactions on Parallel and Distributed Systems, vol. 19, no. 10, pp. 1310-1324, Oct. 2008, doi:10.1109/TPDS.2007.70817