The Community for Technology Leaders
RSS Icon
Issue No.04 - April (2009 vol.20)
pp: 567-580
Yang Xiang , Central Queensland University, Rockhampton
Wanlei Zhou , Deakin University, Melbourne
Minyi Guo , Shanghai Jiao Tong University, Shanghai
IP traceback is the enabling technology to control Internet crime. In this paper we present a novel and practical IP traceback system called Flexible Deterministic Packet Marking (FDPM) which provides a defense system with the ability to find out the real sources of attacking packets that traverse through the network. While a number of other traceback schemes exist, FDPM provides innovative features to trace the source of IP packets and can obtain better tracing capability than others. In particular, FDPM adopts a flexible mark length strategy to make it compatible to different network environments; it also adaptively changes its marking rate according to the load of the participating router by a flexible flow-based marking scheme. Evaluations on both simulation and real system implementation demonstrate that FDPM requires a moderately small number of packets to complete the traceback process; add little additional load to routers and can trace a large number of sources in one traceback process with low false positive rates. The built-in overload prevention mechanism makes this system capable of achieving a satisfactory traceback result even when the router is heavily loaded. It has been used to not only trace DDoS attacking packets but also enhance filtering attacking traffic.
Communication/Networking and Information Technology, Performance of Systems
Yang Xiang, Wanlei Zhou, Minyi Guo, "Flexible Deterministic Packet Marking: An IP Traceback System to Find the Real Source of Attacks", IEEE Transactions on Parallel & Distributed Systems, vol.20, no. 4, pp. 567-580, April 2009, doi:10.1109/TPDS.2008.132
[1] H. Farhat, “Protecting TCP Services from Denial of Service Attacks,” Proc. ACM SIGCOMM Workshop Large-Scale Attack Defense (LSAD '06), pp. 155-160, 2006.
[2] H. Wang, C. Jin, and K.G. Shin, “Defense against Spoofed IP Traffic Using Hop-Count Filtering,” IEEE/ACM Trans. Networking, vol. 15, no. 1, pp. 40-53, 2007.
[3] M.T. Goodrich, “Efficient Packet Marking for Large-Scale IP Traceback,” Proc. Ninth ACM Conf. Computer and Comm. Security (CCS '02), pp. 117-126, 2002.
[4] H. Aljifri, “IP Traceback: A New Denial-of-Service Deterrent,” IEEE Security and Privacy, vol. 1, no. 3, pp. 24-31, 2003.
[5] A. Belenky and N. Ansari, “On IP Traceback,” IEEE Comm., vol. 41, no. 7, pp. 142-153, 2003.
[6] Z. Gao and N. Ansari, “Tracing Cyber Attacks from the Practical Perspective,” IEEE Comm., vol. 43, no. 5, pp. 123-131, 2005.
[7] H. Burch and B. Cheswick, “Tracing Anonymous Packets to Their Approximate Source,” Proc. 14th Systems Administration Conf. (LISA '00), pp. 319-327, 2000.
[8] R. Stone, “CenterTrack: An IP Overlay Network for Tracking DoS Floods,” Proc. Ninth USENIX Security Symp. (Security '00), pp. 199-212, 2000.
[9] S.M. Bellovin, ICMP Traceback Messages—Internet Draft, Network Working Group, 2000.
[10] A. Mankin et al., “On Design and Evaluation of Intention-Driven ICMP Traceback,” Proc. 10th Int'l Conf. Computer Comm. and Networks (ICCCN '01), pp. 159-165, 2001.
[11] C. Jin, H. Wang, and K.G. Shin, “Hop-Count Filtering: An Effective Defense against Spoofed DDoS Traffic,” Proc. 10th ACM Conf. Computer and Comm. Security (CCS '03), pp. 30-41, 2003.
[12] N.G. Duffield and M. Grossglauser, “Trajectory Sampling for Direct Traffic Observation,” Proc. ACM SIGCOMM '00, pp. 271-282, 2000.
[13] A.C. Snoeren et al., “Single-Packet IP Traceback,” IEEE/ACM Trans. Networking, vol. 10, no. 6, pp.721-734, 2002.
[14] T. Baba and S. Matsuda, “Tracing Network Attacks to Their Sources,” IEEE Internet Computing, vol. 6, no. 3, pp. 20-26, 2002.
[15] J. Li et al., “Large-Scale IP Traceback in High-Speed Internet: Practical Techniques and Theoretical Foundation,” Proc. IEEE Symp. Security and Privacy (S&P '04), pp. 115-129, 2004.
[16] S. Savage et al., “Network Support for IP Traceback,” ACM/IEEE Trans. Networking, vol. 9, no. 3, pp.226-237, 2001.
[17] K. Park and H. Lee, “On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internet,” Proc. ACM SIGCOMM '01, pp. 15-26, 2001.
[18] D.X. Song and A. Perrig, “Advanced and Authenticated Marking Schemes for IP Traceback,” Proc. IEEE INFOCOM '01, pp. 878-886, 2001.
[19] M. Waldvogel, “GOSSIB versus IP Traceback Rumors,” Proc. 18th Ann. Computer Security Applications Conf. (ACSAC '02), pp. 5-13, 2002.
[20] A. Yaar, A. Perrig, and D. Song, “Pi: A Path Identification Mechanism to Defend against DDoS Attacks,” Proc. IEEE Symp. Security and Privacy (S&P '03), pp. 93-107, 2003.
[21] T. Peng, C. Leckie, and K. Ramamohanarao, “Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems,” ACM Computing Surveys, vol. 39, no. 1, pp. 1-42, 2007.
[22] B. Al-Duwairi and M. Govindarasu, “Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback,” IEEE Trans. Parallel and Distributed Systems, vol. 17, no. 5, pp. 403-418, May 2006.
[23] C. Gong and K. Sarac, “IP Traceback Based on Packet Marking and Logging,” Proc. IEEE Int'l Conf. Comm. (ICC), 2005.
[24] Y.K. Tseng, H.H. Chen, and W.S. Hsieh, “Probabilistic Packet Marking with Non-Preemptive Compensation,” IEEE Comm. Letters, vol. 8, no. 6, pp. 359-361, 2004.
[25] M. Adler, “Trade-Offs in Probabilistic Packet Marking for IP Traceback,” J. ACM, vol. 52, no. 2, pp. 217-244, 2005.
[26] A. Belenky and N. Ansari, “P Traceback with Deterministic Packet Marking,” IEEE Comm. Letters, vol. 7, no. 4, pp. 162-164, 2003.
[27] A. Belenky and N. Ansari, “On Deterministic Packet Marking,” Computer Networks, vol. 51, no. 10, pp. 2677-2700, 2007.
[28] Y. Xiang, W. Zhou, and J. Rough, “Trace IP Packets by Flexible Deterministic Packet Marking (FDPM),” Proc. IEEE Int'l Workshop IP Operations and Management (IPOM '04), pp. 246-252, 2004.
[29] Y. Kim, J.Y. Jo, and F.L. Merat, “Defeating Distributed Denial-of-Service Attack with Deterministic Bit Marking,” Proc. IEEE Global Telecomm. Conf. (GLOBECOM '03), pp. 1363-1367, 2003.
[30] G. Jin and J. Yang, “Deterministic Packet Marking Based on Redundant Decomposition for IP Traceback,” IEEE Comm. Letters, vol. 10, no. 3, pp. 204-206, 2006.
[31] T. Wolf and J.S. Turner, “Design Issues for High-Performance Active Routers,” IEEE J. Selected Areas in Comm., vol. 19, no. 3, pp. 404-409, 2001.
[32] Type of Service in the Internet Protocol Suite, RFC1349, Network Working Group, 1992.
[33] Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers, RFC2474, Network Working Group, 1998.
[34] I. Stoica and H. Zhang, “Providing Guaranteed Services without Per Flow Management,” Proc. ACM SIGCOMM '99, pp. 81-94, 1999.
[35] R. Ennals, R. Sharp, and A. Mycroft, “Task Partitioning for Multi-Core Network Processors,” Lecture Notes in Computer Science, pp.76-90, Springer, 2005.
[36] W. Zhou, “Using Multi-Core to Support Security-Sensitive Applications,” Proc. IFIP Int'l Conf. Network and Parallel Computing (NPC '07), MultiCoreSec Wanlei0709.pdf, 2007.
[37] S. Floyd and V. Jacobson, “Random Early Detection Gateways for Congestion Avoidance,” IEEE/ACM Trans. Networking, vol. 1, no. 4, pp. 397-413, 1993.
[38] P. Gevros et al., “Congestion Control Mechanisms and the Best Effort Service Model,” IEEE Network, vol. 15, no. 3, pp. 16-26, 2001.
[39] J. Jung, B. Krishnamurthy, and M. Rabinovich, “Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites,” Proc. 11th Int'l World Wide Web Conf. (WWW '02), pp. 252-262, 2002.
[40] H. Wang, D. Zhang, and K.G. Shin, “Change-Point Monitoring for the Detection of DoS Attacks,” IEEE Trans. Dependable and Secure Computing, vol. 1, no. 4, pp. 193-208, Oct.-Dec. 2004.
[41] W. Feller, An Introduction to Probability Theory and Its Applications. John Wiley & Sons, 1968.
[42] SSFNet, Scalable Simulation Framework, http:/, 2005.
[43] R.C. Chen, W. Shi, and W. Zhou, Simulation of Distributed Denial of Service Attacks, TR C04/09, technical report, School of Information Technology, Deakin Univ., 2004.
[44] R. Rivest, RFC 1321—The MD5 Message-Digest Algorithm, Network Working Group, 1992.
[45] A. Binstock and J. Rex, Practical Algorithms for Programmers. Addison-Wesley, 1995.
[46] B.W. Kernighan and D.M. Ritchie, The C Programming Language, second ed. Prentice Hall, 1988.
[47] E. Kohler et al., “The Click Modular Router,” ACM Trans. Computer Systems, vol. 18, no. 3, pp. 263-297, 2000.
[48] Y. Xiang and W. Zhou, “Mark-Aided Distributed Filtering by Using Neural Network for DDoS Defense,” Proc. IEEE Global Telecomm. Conf. (GLOBECOM), 2005.
12 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool