This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
Flexible Deterministic Packet Marking: An IP Traceback System to Find the Real Source of Attacks
April 2009 (vol. 20 no. 4)
pp. 567-580
Yang Xiang, Central Queensland University, Rockhampton
Wanlei Zhou, Deakin University, Melbourne
Minyi Guo, Shanghai Jiao Tong University, Shanghai
IP traceback is the enabling technology to control Internet crime. In this paper we present a novel and practical IP traceback system called Flexible Deterministic Packet Marking (FDPM) which provides a defense system with the ability to find out the real sources of attacking packets that traverse through the network. While a number of other traceback schemes exist, FDPM provides innovative features to trace the source of IP packets and can obtain better tracing capability than others. In particular, FDPM adopts a flexible mark length strategy to make it compatible to different network environments; it also adaptively changes its marking rate according to the load of the participating router by a flexible flow-based marking scheme. Evaluations on both simulation and real system implementation demonstrate that FDPM requires a moderately small number of packets to complete the traceback process; add little additional load to routers and can trace a large number of sources in one traceback process with low false positive rates. The built-in overload prevention mechanism makes this system capable of achieving a satisfactory traceback result even when the router is heavily loaded. It has been used to not only trace DDoS attacking packets but also enhance filtering attacking traffic.

[1] H. Farhat, “Protecting TCP Services from Denial of Service Attacks,” Proc. ACM SIGCOMM Workshop Large-Scale Attack Defense (LSAD '06), pp. 155-160, 2006.
[2] H. Wang, C. Jin, and K.G. Shin, “Defense against Spoofed IP Traffic Using Hop-Count Filtering,” IEEE/ACM Trans. Networking, vol. 15, no. 1, pp. 40-53, 2007.
[3] M.T. Goodrich, “Efficient Packet Marking for Large-Scale IP Traceback,” Proc. Ninth ACM Conf. Computer and Comm. Security (CCS '02), pp. 117-126, 2002.
[4] H. Aljifri, “IP Traceback: A New Denial-of-Service Deterrent,” IEEE Security and Privacy, vol. 1, no. 3, pp. 24-31, 2003.
[5] A. Belenky and N. Ansari, “On IP Traceback,” IEEE Comm., vol. 41, no. 7, pp. 142-153, 2003.
[6] Z. Gao and N. Ansari, “Tracing Cyber Attacks from the Practical Perspective,” IEEE Comm., vol. 43, no. 5, pp. 123-131, 2005.
[7] H. Burch and B. Cheswick, “Tracing Anonymous Packets to Their Approximate Source,” Proc. 14th Systems Administration Conf. (LISA '00), pp. 319-327, 2000.
[8] R. Stone, “CenterTrack: An IP Overlay Network for Tracking DoS Floods,” Proc. Ninth USENIX Security Symp. (Security '00), pp. 199-212, 2000.
[9] S.M. Bellovin, ICMP Traceback Messages—Internet Draft, Network Working Group, 2000.
[10] A. Mankin et al., “On Design and Evaluation of Intention-Driven ICMP Traceback,” Proc. 10th Int'l Conf. Computer Comm. and Networks (ICCCN '01), pp. 159-165, 2001.
[11] C. Jin, H. Wang, and K.G. Shin, “Hop-Count Filtering: An Effective Defense against Spoofed DDoS Traffic,” Proc. 10th ACM Conf. Computer and Comm. Security (CCS '03), pp. 30-41, 2003.
[12] N.G. Duffield and M. Grossglauser, “Trajectory Sampling for Direct Traffic Observation,” Proc. ACM SIGCOMM '00, pp. 271-282, 2000.
[13] A.C. Snoeren et al., “Single-Packet IP Traceback,” IEEE/ACM Trans. Networking, vol. 10, no. 6, pp.721-734, 2002.
[14] T. Baba and S. Matsuda, “Tracing Network Attacks to Their Sources,” IEEE Internet Computing, vol. 6, no. 3, pp. 20-26, 2002.
[15] J. Li et al., “Large-Scale IP Traceback in High-Speed Internet: Practical Techniques and Theoretical Foundation,” Proc. IEEE Symp. Security and Privacy (S&P '04), pp. 115-129, 2004.
[16] S. Savage et al., “Network Support for IP Traceback,” ACM/IEEE Trans. Networking, vol. 9, no. 3, pp.226-237, 2001.
[17] K. Park and H. Lee, “On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internet,” Proc. ACM SIGCOMM '01, pp. 15-26, 2001.
[18] D.X. Song and A. Perrig, “Advanced and Authenticated Marking Schemes for IP Traceback,” Proc. IEEE INFOCOM '01, pp. 878-886, 2001.
[19] M. Waldvogel, “GOSSIB versus IP Traceback Rumors,” Proc. 18th Ann. Computer Security Applications Conf. (ACSAC '02), pp. 5-13, 2002.
[20] A. Yaar, A. Perrig, and D. Song, “Pi: A Path Identification Mechanism to Defend against DDoS Attacks,” Proc. IEEE Symp. Security and Privacy (S&P '03), pp. 93-107, 2003.
[21] T. Peng, C. Leckie, and K. Ramamohanarao, “Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems,” ACM Computing Surveys, vol. 39, no. 1, pp. 1-42, 2007.
[22] B. Al-Duwairi and M. Govindarasu, “Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback,” IEEE Trans. Parallel and Distributed Systems, vol. 17, no. 5, pp. 403-418, May 2006.
[23] C. Gong and K. Sarac, “IP Traceback Based on Packet Marking and Logging,” Proc. IEEE Int'l Conf. Comm. (ICC), 2005.
[24] Y.K. Tseng, H.H. Chen, and W.S. Hsieh, “Probabilistic Packet Marking with Non-Preemptive Compensation,” IEEE Comm. Letters, vol. 8, no. 6, pp. 359-361, 2004.
[25] M. Adler, “Trade-Offs in Probabilistic Packet Marking for IP Traceback,” J. ACM, vol. 52, no. 2, pp. 217-244, 2005.
[26] A. Belenky and N. Ansari, “P Traceback with Deterministic Packet Marking,” IEEE Comm. Letters, vol. 7, no. 4, pp. 162-164, 2003.
[27] A. Belenky and N. Ansari, “On Deterministic Packet Marking,” Computer Networks, vol. 51, no. 10, pp. 2677-2700, 2007.
[28] Y. Xiang, W. Zhou, and J. Rough, “Trace IP Packets by Flexible Deterministic Packet Marking (FDPM),” Proc. IEEE Int'l Workshop IP Operations and Management (IPOM '04), pp. 246-252, 2004.
[29] Y. Kim, J.Y. Jo, and F.L. Merat, “Defeating Distributed Denial-of-Service Attack with Deterministic Bit Marking,” Proc. IEEE Global Telecomm. Conf. (GLOBECOM '03), pp. 1363-1367, 2003.
[30] G. Jin and J. Yang, “Deterministic Packet Marking Based on Redundant Decomposition for IP Traceback,” IEEE Comm. Letters, vol. 10, no. 3, pp. 204-206, 2006.
[31] T. Wolf and J.S. Turner, “Design Issues for High-Performance Active Routers,” IEEE J. Selected Areas in Comm., vol. 19, no. 3, pp. 404-409, 2001.
[32] Type of Service in the Internet Protocol Suite, RFC1349, Network Working Group, 1992.
[33] Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers, RFC2474, Network Working Group, 1998.
[34] I. Stoica and H. Zhang, “Providing Guaranteed Services without Per Flow Management,” Proc. ACM SIGCOMM '99, pp. 81-94, 1999.
[35] R. Ennals, R. Sharp, and A. Mycroft, “Task Partitioning for Multi-Core Network Processors,” Lecture Notes in Computer Science, pp.76-90, Springer, 2005.
[36] W. Zhou, “Using Multi-Core to Support Security-Sensitive Applications,” Proc. IFIP Int'l Conf. Network and Parallel Computing (NPC '07), http://www.deakin.edu.au/~wanlei/papers MultiCoreSec Wanlei0709.pdf, 2007.
[37] S. Floyd and V. Jacobson, “Random Early Detection Gateways for Congestion Avoidance,” IEEE/ACM Trans. Networking, vol. 1, no. 4, pp. 397-413, 1993.
[38] P. Gevros et al., “Congestion Control Mechanisms and the Best Effort Service Model,” IEEE Network, vol. 15, no. 3, pp. 16-26, 2001.
[39] J. Jung, B. Krishnamurthy, and M. Rabinovich, “Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites,” Proc. 11th Int'l World Wide Web Conf. (WWW '02), pp. 252-262, 2002.
[40] H. Wang, D. Zhang, and K.G. Shin, “Change-Point Monitoring for the Detection of DoS Attacks,” IEEE Trans. Dependable and Secure Computing, vol. 1, no. 4, pp. 193-208, Oct.-Dec. 2004.
[41] W. Feller, An Introduction to Probability Theory and Its Applications. John Wiley & Sons, 1968.
[42] SSFNet, Scalable Simulation Framework, http:/www.ssfnet.org, 2005.
[43] R.C. Chen, W. Shi, and W. Zhou, Simulation of Distributed Denial of Service Attacks, TR C04/09, technical report, School of Information Technology, Deakin Univ., 2004.
[44] R. Rivest, RFC 1321—The MD5 Message-Digest Algorithm, Network Working Group, 1992.
[45] A. Binstock and J. Rex, Practical Algorithms for Programmers. Addison-Wesley, 1995.
[46] B.W. Kernighan and D.M. Ritchie, The C Programming Language, second ed. Prentice Hall, 1988.
[47] E. Kohler et al., “The Click Modular Router,” ACM Trans. Computer Systems, vol. 18, no. 3, pp. 263-297, 2000.
[48] Y. Xiang and W. Zhou, “Mark-Aided Distributed Filtering by Using Neural Network for DDoS Defense,” Proc. IEEE Global Telecomm. Conf. (GLOBECOM), 2005.

Index Terms:
Communication/Networking and Information Technology, Performance of Systems
Citation:
Yang Xiang, Wanlei Zhou, Minyi Guo, "Flexible Deterministic Packet Marking: An IP Traceback System to Find the Real Source of Attacks," IEEE Transactions on Parallel and Distributed Systems, vol. 20, no. 4, pp. 567-580, April 2009, doi:10.1109/TPDS.2008.132
Usage of this product signifies your acceptance of the Terms of Use.