Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback
May 2006 (vol. 17 no. 5)
pp. 403-418

Abstract—Tracing DoS attacks that employ source address spoofing is an important and challenging problem. Traditional traceback schemes give the victim the ability to trace spoofed packets either by augmenting the packets with partial path information (packet marking) or by storing packet digests or signatures at intermediate routers (packet logging). Such approaches require either that the victim collect a large number of attack packets to infer the paths (packet marking) or that a significant amount of resources be reserved at intermediate routers (packet logging). We adopt a hybrid traceback approach in which packet marking and packet logging are integrated in a novel manner, so as to achieve the best of both worlds: traceback from a small number of attack packets, and only a small amount of storage allocated at intermediate routers for packet logging. Based on this notion, two novel traceback schemes are presented. The first scheme, called Distributed Link-List Traceback (DLLT), is based on the idea of preserving the marking information at intermediate routers in such a way that it can be collected using a linked-list-based approach. The second scheme, called Probabilistic Pipelined Packet Marking (PPPM), employs the concept of a "pipeline" for propagating marking information from one marking router to another so that it eventually reaches the destination. We evaluate the effectiveness of the proposed schemes against various performance metrics through a combination of analytical and simulation studies. Our studies show that the proposed schemes offer a drastic reduction in the number of packets required to conduct the traceback process and a reasonable saving in the storage requirement.
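
As an added illustration (not code from the paper, and not its DLLT or PPPM schemes), the following Python simulation contrasts the marking-versus-logging trade-off the abstract describes: pure probabilistic packet marking, in which a single mark field is overwritten hop by hop so the victim only ever sees the last marker, against a toy hybrid in which each marking router logs the mark it is about to overwrite under the packet's digest, so that the victim can walk the resulting linked list back toward the attacker. The 16-router path, the router names, the marking model and the digest function are all constructed assumptions for this example.

```python
import hashlib
import random


# Constructed attack path for the simulation: 16 routers between the spoofing
# source and the victim, R1 nearest the attacker and R16 nearest the victim.
# Names are illustrative and not taken from the paper.
PATH = [f"R{i}" for i in range(1, 17)]


def digest(pkt_id):
    """Packet digest under which a logging router stores per-packet state.
    It stands in for the hash of invariant header fields a real logger would
    use; here a packet counter is hashed for simplicity."""
    return hashlib.sha256(f"pkt-{pkt_id}".encode()).hexdigest()[:16]


def ppm_packets_needed(path, p, rng=None, max_packets=1_000_000):
    """Pure packet marking (node sampling): every router overwrites the single
    mark field with its own address with probability p, so the victim only
    learns the *last* router that marked each packet. Returns the number of
    attack packets until every router on the path has been observed, or None
    if the cap is reached first (routers far from the victim are hidden by
    downstream overwrites, so a high p never converges)."""
    rng = rng or random.Random(0)
    seen = set()
    for n in range(1, max_packets + 1):
        mark = None
        for router in path:
            if rng.random() < p:
                mark = router  # downstream routers overwrite upstream marks
        if mark is not None:
            seen.add(mark)
        if len(seen) == len(path):
            return n
    return None


class HybridRouter:
    """Toy marking-plus-logging router (an assumption of this example, not the
    paper's DLLT). When it decides to mark a packet it first logs the mark the
    packet already carries, keyed by the packet digest, and only then writes
    its own address into the mark field. The logged entries chain together
    into a linked list from the last marker back to the first."""

    def __init__(self, name):
        self.name = name
        self.log = {}  # digest -> address of the previous marker (None = head)

    def forward(self, pkt, p, rng=None):
        rng = rng or random.Random(0)
        if rng.random() < p:
            self.log[digest(pkt["id"])] = pkt["mark"]
            pkt["mark"] = self.name
        return pkt


def walk_chain(pkt, routers):
    """Victim-side reconstruction for one packet: follow the linked list from
    the last marker back toward the attacker by querying each marking router's
    log. Returns the marking routers in attacker-to-victim order."""
    chain = []
    d = digest(pkt["id"])
    cur = pkt["mark"]
    while cur is not None:
        chain.append(cur)
        cur = routers[cur].log[d]
    return list(reversed(chain))


def hybrid_traceback(path, p, rng=None, max_packets=1_000_000):
    """Marking plus logging: returns (packets needed, total log entries held
    by all routers). Every marker on a packet is recovered from that single
    packet, so raising p cuts the packets needed; storage grows with p instead."""
    rng = rng or random.Random(0)
    routers = {name: HybridRouter(name) for name in path}
    known = set()
    for n in range(1, max_packets + 1):
        pkt = {"id": n, "mark": None}
        for name in path:
            routers[name].forward(pkt, p, rng)
        known.update(walk_chain(pkt, routers))
        if len(known) == len(path):
            return n, sum(len(r.log) for r in routers.values())
    return None, sum(len(r.log) for r in routers.values())


def compare(p, seed=1):
    """Packets and storage for the designs at marking probability p. Pure
    logging stores one digest per packet at every router, so over the packets
    the hybrid needed it would hold len(PATH) entries per packet."""
    ppm = ppm_packets_needed(PATH, p, random.Random(seed))
    hyb_packets, hyb_storage = hybrid_traceback(PATH, p, random.Random(seed))
    return {
        "ppm_packets": ppm,
        "hybrid_packets": hyb_packets,
        "hybrid_storage": hyb_storage,
        "pure_logging_storage": None if hyb_packets is None else hyb_packets * len(PATH),
    }


if __name__ == "__main__":
    for p in (0.04, 0.25, 1.0):
        print(p, compare(p))
```

At p = 0.25 on the 16-hop path, pure marking needs on the order of hundreds of packets because the router nearest the attacker is seen only when no downstream router overwrites it, whereas the hybrid recovers every marker from each packet and converges in a dozen or so. At p = 1.0 the hybrid traces from a single packet but every router logs every packet, the same storage as pure logging, and pure marking never converges because only R16 is ever visible. At the low p that pure marking requires (around 0.04), the hybrid has no packet advantage; its benefit comes from being able to raise p without losing upstream marks, trading storage for packets. The toy keeps an unbounded dict per router; a real implementation would use a bounded digest structure and expire entries.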

Index Terms:
Internet security, DDoS attacks, IP traceback.
Citation:
Basheer Al-Duwairi, Manimaran Govindarasu, "Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback," IEEE Transactions on Parallel and Distributed Systems, vol. 17, no. 5, pp. 403-418, May 2006, doi:10.1109/TPDS.2006.63