Hongcheng Tian,Jun Bi,Xiaoke Jiang

DOI: https://doi.org/10.1007/s13119-012-0007-x

2012-01-01

Networking Science

Abstract:IP traceback can be used to find direct generator(s) and path(s) of attacking traffic. Probabilistic marking schemes, as one type of IP traceback technologies, have been most studied, but they are difficult to fast reconstruct attacking path(s) and defend against spoofed marks generated by attacking source(s). In this paper, we present Adaptive Probabilistic Marking scheme (APM). In APM, when each packet enters the first-hop router, its TTL value is set to a uniform value, and when it is forwarded by routers in the network, each intermediate router decreases the TTL value by one. Consequently, each intermediate router may infer the router-level hop number that each packet has already traveled, and then correspondingly marks the packet with the probability inversely proportional to the router-level hop number. APM is focused on the probability with which a router marks a packet, and APM can cooperate with other probabilistic marking schemes. NS2 simulation experiments prove that, in APM, the time for the victim to receive necessary marks for the path reconstruction is reduced by more than 20% compared with existing probabilistic marking schemes, and spoofed marks cannot reach the victim and influence the traceback process.

Yan WANG,Lingdi PING

2011-01-01

Abstract:IP traceback is the technology to control Internet crime. A promising solution to IP traceback is probabilistic packet marking (PPM). In this paper we present a novel and practical IP traceback algorithm which can improve the PPM convergency and computational overhead. This scheme may also reduce the deployment overhead without requiring the participation of all routers on the attack path. It has been used not only to trace Distributed Denial of Service (DDoS) attacking packets but also to enhance filtering attacking traffic. It has wide applications for other security systems. To the best of our knowledge, this thesis is the first of its kind considering the impact of packet loss in designing packet marking scheme.

Liming Lu,Mun Choon Chan,Ee-Chien Chang

DOI: https://doi.org/10.1145/1368310.1368337

2008-01-01

Abstract:ABSTRACTIn this paper, we model Probabilistic Packet Marking (PPM) schemes for IP traceback as an identification problem of a large number of markers. Each potential marker is associated with a distribution on tags, which are short binary strings. To mark a packet, a marker follows its associated distribution in choosing the tag to write in the IP header. Since there are a large number of (for example, over 4,000) markers, what the victim receives are samples from a mixture of distributions. Essentially, traceback aims to identify individual distribution contributing to the mixture. Guided by this model, we propose Random Packet Marking (RPM), a scheme that uses a simple but effective approach. RPM does not require sophisticated structure/relationship among the tags, and employs a hop-by-hop reconstruction similar to AMS [16]. Simulations show improved scalability and traceback accuracy over prior works. For example, in a large network with over 100K nodes, 4,650 markers induce 63% of false positives in terms of edges identification using the AMS marking scheme; while RPM lowers it to 2%. The effectiveness of RPM demonstrates that with prior knowledge of neighboring nodes, a simple and properly designed marking scheme suffices in identifying large number of markers with high accuracy.

Haipeng Qu,Purui Su,Dongdai Lin,Dengguo Feng

DOI: https://doi.org/10.1007/978-3-540-31957-3_109

2005-01-01

Abstract:DDoS attack is a big problem to the Internet community due to its high-profile, severe damage, and the difficulty in defending against it. Several countermeasures are proposed for it in the literature, among which, Probabilistic Packet Marking (PPM) first developed by Savage et al. is promising. However, the PPM marking schemes have the limitations in two main aspects: high computation overhead and large number of false positives. In this paper, a new packet marking scheme is proposed, which is more practical because of higher precision, and computationally more efficient compared with the PPM scheme proposed by Savage. Furthermore, this scheme can achieve a more higher precision than Advanced Marking Schemes in case of the victim knowing the map of its upstream routers.

Zhuqing Wan,Yong Zhang,Tianjie Cao,Mingming Wu,FengJian Wang

DOI: https://doi.org/10.1109/ICCSIT.2009.5234375

2009-01-01

Abstract:A novel Authenticated Packet Marking Scheme for JP trace-back is proposed in this paper, it is based on the Probabilistic Packet Marking Scheme developed by Savage, et a. The new scheme adopts a new dynamic probability value sequence to mark packets and uses the IP capital checksum to check the marked information. Compared with PPM Scheme, The new scheme doesn't need the topology and it improves a lot on precision, computation, convergence and security. It is easy to be implemented and can track Distributed Denial of Service attacks effectively.

Yi Shi,Xinyu Yang,Ning Li-,Yong Qi

DOI: https://doi.org/10.1007/11937807_12

2006-01-01

Abstract:Probabilistic Packet Marking algorithm, one promising solution to the IP traceback problem, uses one fixed marking space to store router information. Since this fixed space is not sufficient for storing all routers information, each router writes its information into packets chosen with probability p, so-called probabilistic marking. Probabilistic marking seems to be helpful in lowering router overhead, however, it also bring computation overhead for the victim to reconstruct the attack paths and large number of false positives. In this paper, we present a new approach for IP traceback, Deterministic Packet Marking Scheme with Link Signatures, which needs routers mark all packets during forwarding (so-called deterministic marking). We make a study of how much both the probabilistic and our deterministic packet marking schemes affect router overhead through simulations. The results confirm that our deterministic marking scheme will slightly lower router overhead, and besides, it has superior performance than another improved probabilistic packet marking method, Advanced Marking Schemes. Further performance analysis and simulation results are given to show that our technique is superior in precision to previous work-it has almost zero false positive rate. It also has lower computation overhead for victim and needs just a few packets to trace back attacks and to reconstruct the attack paths even under large scale distributed denial-of-service attacks. In addition, our scheme is simple to implement and support incremental deployment. © Springer-Verlag Berlin Heidelberg 2006.

LIU Hong,CHEN Xiu-zhen,YAN Qing-lei

DOI: https://doi.org/10.3969/j.issn.1009-8054.2013.03.026

2013-01-01

Abstract:Aiming at the problem of limited marking space existing in DPPM,a new packet marking method known as n-Multi-DPPM is proposed,and this method,in combination of dynamic probabilistic algorithm and multi-tags marking technology based on DPPM,implements IP traceback.Then a simulation experiment is designed to test n-Multi-DPPM,and the experiment results indicate that the number of packets needed for implementing IP traceback under n-Multi-DPPM is 1/n of the number of packets under DPPM.Thus,n-Multi-DPPM is of good feasibility and could trace ICMP flood attack efficiently.

Shui Yu,Wanlei Zhou,Song Guo,Minyi Guo

DOI: https://doi.org/10.1109/tc.2015.2439287

IF: 3.183

2016-01-01

IEEE Transactions on Computers

Abstract:DDoS attack source traceback is an open and challenging problem. Deterministic packet marking (DPM) is a simple and effective traceback mechanism, but the current DPM based traceback schemes are not practical due to their scalability constraint. We noticed a factor that only a limited number of computers and routers are involved in an attack session. Therefore, we only need to mark these involved nodes for traceback purpose, rather than marking every node of the Internet as the existing schemes doing. Based on this finding, we propose a novel marking on demand (MOD) traceback scheme based on the DPM mechanism. In order to traceback to involved attack source, what we need to do is to mark these involved ingress routers using the traditional DPM strategy. Similar to existing schemes, we require participated routers to install a traffic monitor. When a monitor notices a surge of suspicious network flows, it will request a unique mark from a globally shared MOD server, and mark the suspicious flows with the unique marks. At the same time, the MOD server records the information of the marks and their related requesting IP addresses. Once a DDoS attack is confirmed, the victim can obtain the attack sources by requesting the MOD server with the marks extracted from attack packets. Moreover, we use the marking space in a round-robin style, which essentially addresses the scalability problem of the existing DPM based traceback schemes. We establish a mathematical model for the proposed traceback scheme, and thoroughly analyze the system. Theoretical analysis and extensive real-world data experiments demonstrate that the proposed traceback method is feasible and effective.

Qiang LI,Hong-zi ZHU,Jiu-bin JU

2005-01-01

Journal of Computer Applications

Abstract:Based on the current research on improving real-time PPM algorithms in IP traceback, the relations among marking probability, traffic volume for constructing an attack path and the distance of the attacking path were analysed. And an approach of real-time IP tracebacking which deploys larger traffic first probabilistic packet marking scheme (LTFMS) was proposed. According to the statistics on the present traffic of routers, a victim could construct a major attacking path in minimum time. For large-scale DDoS attacks, by establishing a simulated test environment and experiment analysis, LTFMS can construct more attacking paths than the existing schemes within the same time.

HT Tian,LS Huang,YF Lei,GL Chen

DOI: https://doi.org/10.1109/pdcat.2003.1236285

2003-01-01

Abstract:The problem of identifying the sources of a denial of service attack is among the hardest in the Internet security area, since attackers often use spoofed source IP addresses. We present a new scheme called MAC-based probabilistic packet marking (MPPM) for IP traceback under DoS attack. A router marks the packets stochastically with fragments of an edge composed of itself and the next hop router. Message authentication code (MAC) is used to link and authenticate fragments of routers' addresses in the marked attack packets. The main advantage of MPPM over known PPM schemes includes less attack packets required to converge, linear computation overhead and more precision. Moreover the optional authentication mechanism provides robustness against faked marks. MPPM also features low router cost and supports incremental deployment.

Huang Changlai,Mao Dilin,Gao Chuanshan

DOI: https://doi.org/10.3969/j.issn.1000-386X.2010.07.060

2010-01-01

Abstract:Deterministic packet marking(DPM) is an efficient IP traceback technique tackling with large-scale DDoS attacks;and probabilistic packet marking(PPM) has been studied as a promising approach to realize IP traceback.In this paper,based on the analyses on the advantages and disadvantages of DPM and PPM techniques,we combine the advantages of these two fundamental techniques and introduce a lightweight packet marking(LPM) scheme which uses autonomous system number and router ID number as packet marking information.By reloading the offset filed of IP header we obtain more available marking space.Simulation result shows that the LPM scheme is easy to implement and achieves good outcomes in convergence time,false alarm rate and computational overhead.

Yinan Jing,Jingtao Li,Gendu Zhang

DOI: https://doi.org/10.1007/11534310_124

2005-01-01

Abstract:IP traceback is one of the most effective techniques to defeat the denial-of-service attacks and distributed denial-of-service attacks. And in terms of previous research fruits, the technique based on probabilistic packet marking (PPM) has been proven that it has more advantages than other IP traceback techniques. In this paper, we present a hierarchical IP traceback system, which is more practical and can be implemented and deployed more conveniently and securely than previous end-host schemes. We also present an improved edge marking algorithm called adaptive edge marking scheme (AEMS), which not only can shorten the convergence time, but also be more stable and robust. And detailed theoretical analysis and simulation results have also been presented to show the advantage and efficiency of this scheme.

Guang Jin,Jiangang Yang,Wei Wei,Yabo Dong

DOI: https://doi.org/10.1109/CHINACOM.2007.4469407

2007-01-01

Abstract:Among IP traceback techniques, deterministic packet marking (DPM) can locate the ingress border routers of destination domains with sound effectiveness and robustness. Yet DPM is inefficient to trace to attack origins of remote domains. A novel mechanism, across-domain deterministic packet marking (ADDPM), for IP traceback is proposed. It uses the 30-bit space in IP header reserved for fragmented traffic. Three deterministic markings are recorded into a packet at both the ingress router of source domain and the border router of destination domain respectively. Besides the both routers' IP addresses, the source AS number is also marked. The victim can trace to the remote attack origin by the markings. Deterministic markings can also be used to differentiate malicious packets. Theoretical analyses, deployment policies and simulation results are provided in detail and show the effectiveness of ADDPM.

Yinan Jing,Peng Tu,Xueping Wang,Gendu Zhang

DOI: https://doi.org/10.1109/CIT.2005.99

2005-01-01

Abstract:IP traceback is one of the most effective techniques to defeat the denial-of-service attacks and distributed denial-of-service attacks. And based on previous research, available probabilistic packet marking (PPM) schemes have more advantages than other IP traceback techniques. But the traditional schemes have too low marking packets utilization. In this paper, a new distributed-log-based scheme (DLS), which combines PPM and logging techniques, is proposed to utilize marking packets sufficiently. And, theoretical analysis and simulation results have proven that this scheme can converge more quickly than others. Based on this scheme the origin of an attack path can be traced by only several packets. Moreover, a MACenhanced hierarchical IP traceback system (HITS) is proposed to supply a gap of end-host schemes. We believe that MAC-enhanced HITS can be deployed and managed more conveniently and securely than endhost schemes. And the traceback results educed by it are more credible and authoritative.

Xiuzhen Chen,Jin Ma,Shenghong Li,Ken Chen,Ahmed Serhrouchni

DOI: https://doi.org/10.1007/s11859-013-0961-5

2013-01-01

Wuhan University Journal of Natural Sciences

Abstract:This paper presents a dynamic probabilistic marking algorithm with multiple routing address tags, which allows the victim to traceback the origin of ICMP (Internet Control Message Protocol)-based direct and reflective DoS attacks. The proposed approach makes full use of scalable data space of ICMP packet to achieve multiple information tags. The difference between this proposal and previous proposals lies in two points. First, the number of packets needed by the victim to reconstruct the attack path is greatly reduced because of three key mechanisms: multi-tag, uniform leftover probability, and tag location choice based on the module of accommodated tag numbers within a packet. Second, the true origin of both direct and reflective ICMP-based DoS attacks can be traced.

CL Huang,M Li,JH Yang,CS Gao

DOI: https://doi.org/10.1109/wcnm.2005.1544263

2005-01-01

Abstract:Due to the fact that IP spoofing technique is frequently used, defending distributed denial of service (DDoS) attacks faces extreme difficulty. Recently, several approaches have been proposed for path identification to trace DDoS attacks. However, most of these schemes require very large number of packets to conduct the traceback process, which results in lengthy and complicated procedure. This paper proposes a novel DDoS traceback scheme based on real-time consideration by dividing the tracing process into two steps. In the first step, probabilistic packet marking (PPM) based on autonomous system (AS) (ASPPM) is adopted to determine the attack-originating AS. In the second step, random number packet marking (RNPM) is used to identify the exact origin of the attacks in the specific AS. Compared with previous schemes, the two-step traceback scheme has the benefits of quick convergence speed, light computational overhead and low false positive, hence making it possible to trace the DDoS source on a real-time basis.

Shui Yu,Wanlei Zhou,Song Guo,Minyi Guo

DOI: https://doi.org/10.1109/GLOCOM.2013.6831159

2013-01-01

Abstract:DDoS attack source traceback is an open and challenging problem. Deterministic packet marking (DPM) is a simple and relatively effective traceback scheme among the available traceback methods. However, the existing DPM schemes inheret a critical drawback of scalability in tracing all possible attack sources, which roots at their static mark encoding and attempt to mark all Internet routers for their traceback purpose. We find that a DDoS attack session usually involves a limited number of attack sources, e.g. at the thousand level. In order to achieve the traceback goal, we only need to mark these attack related routers. We therefore propose a novel Marking on Demand (MOD) scheme based on the DPM mechanism to dynamical distribute marking IDs in both temporal and space dimensions. The proposed MOD scheme can traceback to all possible sources of DDoS attacks, which is not possible for the existing DPM schemes. We thoroughly compare the proposed MOD scheme with two dominant DPM schemes through theoretical analysis and experiments. The the results demonstrate that the MOD scheme outperforms the existing DPM schemes.

Qiang Li,Hongzi Zhu,Meng Zhang,Jiubin Ju

DOI: https://doi.org/10.1109/PDCAT.2005.213

2005-01-01

Abstract:Simulation environments and approaches for evaluating real-time of IP traceback in different network scenarios and attacking patterns are very important. A comparison among some of the most promising PPM (Probabilistic Packet Marking) schemes is presented with several metrics, including the received packet number required for reconstructing the attacking path, computation complexity and false positive etc. We constructe a simulation environment via extending ns2, setting attacking topology and traffic, which can be used to evaluate and compare the effectiveness of different PPM schemes. The simulation approach also can be used to test the performing effects of different PPM schemes in large-scale DDoS attacks. Based on the simulation and evaluation results, several improvable aspects of PPM are proposed, which can increase real-time of IP traceback efficiently.

Yang Xiang,Wanlei Zhou,Minyi Guo

DOI: https://doi.org/10.1109/tpds.2008.132

IF: 5.3

2008-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:IP traceback is the enabling technology to control Internet crime. In this paper we present a novel and practical IP traceback system called Flexible Deterministic Packet Marking (FDPM) which provides a defense system with the ability to find out the real sources of attacking packets that traverse through the network. While a number of other traceback schemes exist, FDPM provides innovative features to trace the source of IP packets and can obtain better tracing capability than others. In particular, FDPM adopts a flexible mark length strategy to make it compatible to different network environments; it also adaptively changes its marking rate according to the load of the participating router by a flexible flow-based marking scheme. Evaluations on both simulation and real system implementation demonstrate that FDPM requires a moderately small number of packets to complete the traceback process; add little additional load to routers and can trace a large number of sources in one traceback process with low false positive rates. The built-in overload prevention mechanism makes this system capable of achieving a satisfactory traceback result even when the router is heavily loaded. It has been used to not only trace DDoS attacking packets but also enhance filtering attacking traffic.

Guang Jin,Jiangang Yang

DOI: https://doi.org/10.1109/LCOMM.2006.1603385

IF: 3.5529

2006-01-01

IEEE Communications Letters

Abstract:A novel deterministic packet marking scheme for IP trace back against distributed denial of service attacks is presented. Besides the hash correlation functions, our scheme has a unique technique: redundant decomposition, which plays an important role in improving the recovery performance. Theoretical analyses, the pseudo code and the experimental results are provided. The scheme is proved to be accurate and efficient and can handle large-scale DDoS attacks.