Hongcheng Tian,Jun Bi,Wei Zhang,Xiaoke Jiang

DOI: https://doi.org/10.1109/ICNP.2011.6089038

2011-01-01

Abstract:IP traceback can be used to find the origins and paths of attacking traffic. However, so far, no Internet-level IP traceback system has ever been deployed because of deployment difficulties. In this paper, we present an easily-deployable light-weight IP traceback based on flow (EasyTrace). In EasyTrace, it is not necessary to deploy any dedicated traceback software and hardware at routers, and an AS-level overlay network is built for incremental deployment. We theoretically analyze the quantitative relation among the probability that a flow is successfully traced back various AS-level hop number, independently sampling probability, and the number of packets that the flow comprises.

Hongcheng Tian,Jun Bi

DOI: https://doi.org/10.1109/lcomm.2012.051512.120467

IF: 3.5529

2012-01-01

IEEE Communications Letters

Abstract:IP traceback can be used to find the origins and paths of attacking traffic. However, so far, most approaches for IP traceback are hard to be deployed in the Internet because of deployment difficulties. In this paper, we present an incrementally deployable approach based on sampled flows for IP traceback (SampleTrace). In SampleTrace, it is not necessary to deploy any dedicated traceback software and hardware at routers, and an AS-level overlay network is built for incremental deployment. We theoretically analyze the quantitative relation among the probability that a flow is successfully traced back various AS-level hop number, independently sampling probability, and the packet number that the attacking flow comprises. According to Bernoulli's Law of Large Numbers, when a large number of attacking flows are practically traced back in the Internet by SampleTrace, the successfully-traced back relative frequency will approach the successfully-traced back probability.

Changlai Huang,Ming Li,Chuanshan Gao

DOI: https://doi.org/10.1109/csie.2009.96

2009-01-01

Abstract:IP traceback is a critical ability for identifying sources of attacks and instituting protection measures for the Internet. Like any countermeasures for DDoS attack, a well-designed scheme requires tracebacking system to react to spot it in real-time. This paper proposes a novel traceback scheme based on autonomous system (AS) marking. We break down the tracing procedure into intra-AS and inter-AS phases by embedding the marking information IP header with the AS number and AS’s border router ID. Compared with traditional schemes, the advantages of our approach include quick convergence, light computation overhead as well as without the leakage of sensitive information.

Yan WANG,Lingdi PING

2011-01-01

Abstract:IP traceback is the technology to control Internet crime. A promising solution to IP traceback is probabilistic packet marking (PPM). In this paper we present a novel and practical IP traceback algorithm which can improve the PPM convergency and computational overhead. This scheme may also reduce the deployment overhead without requiring the participation of all routers on the attack path. It has been used not only to trace Distributed Denial of Service (DDoS) attacking packets but also to enhance filtering attacking traffic. It has wide applications for other security systems. To the best of our knowledge, this thesis is the first of its kind considering the impact of packet loss in designing packet marking scheme.

Hongcheng Tian,Jun Bi,Xiaoke Jiang

DOI: https://doi.org/10.1007/s13119-012-0007-x

2012-01-01

Networking Science

Abstract:IP traceback can be used to find direct generator(s) and path(s) of attacking traffic. Probabilistic marking schemes, as one type of IP traceback technologies, have been most studied, but they are difficult to fast reconstruct attacking path(s) and defend against spoofed marks generated by attacking source(s). In this paper, we present Adaptive Probabilistic Marking scheme (APM). In APM, when each packet enters the first-hop router, its TTL value is set to a uniform value, and when it is forwarded by routers in the network, each intermediate router decreases the TTL value by one. Consequently, each intermediate router may infer the router-level hop number that each packet has already traveled, and then correspondingly marks the packet with the probability inversely proportional to the router-level hop number. APM is focused on the probability with which a router marks a packet, and APM can cooperate with other probabilistic marking schemes. NS2 simulation experiments prove that, in APM, the time for the victim to receive necessary marks for the path reconstruction is reduced by more than 20% compared with existing probabilistic marking schemes, and spoofed marks cannot reach the victim and influence the traceback process.

Xinyue Jiang,Risheng Deng,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics53846.2021.00035

2021-01-01

Abstract:The large-scale distributed network has exposed increasing attack surfaces to cyber attackers. In this paper, we present a refined network measurement mechanism, called DDoS Collaborative Mitigation Mechanism (DDoSCCM). Based on former achievements in the programmable network, our work aims at capturing the characters of abnormal traffic and presenting an antedating reaction, constrained by limited resources of the switching ASIC. In-band Network Telemetry (INT) technique achieves real-time monitoring of the network by utilizing the device data acquisition on the data plane. Our work helps the network operator not only to learn the status of the network but also to issue an appropriate mitigation strategy faster and more accurately. DDoSCCM aims at delegating both detection and mitigation processes to the programmable switch. Consequently, the theoretical analysis and experimental results show that DDoSCCM can meet practical requirements and have a certain application value.

Shui Yu,Wanlei Zhou,Song Guo,Minyi Guo

DOI: https://doi.org/10.1109/tc.2015.2439287

IF: 3.183

2016-01-01

IEEE Transactions on Computers

Abstract:DDoS attack source traceback is an open and challenging problem. Deterministic packet marking (DPM) is a simple and effective traceback mechanism, but the current DPM based traceback schemes are not practical due to their scalability constraint. We noticed a factor that only a limited number of computers and routers are involved in an attack session. Therefore, we only need to mark these involved nodes for traceback purpose, rather than marking every node of the Internet as the existing schemes doing. Based on this finding, we propose a novel marking on demand (MOD) traceback scheme based on the DPM mechanism. In order to traceback to involved attack source, what we need to do is to mark these involved ingress routers using the traditional DPM strategy. Similar to existing schemes, we require participated routers to install a traffic monitor. When a monitor notices a surge of suspicious network flows, it will request a unique mark from a globally shared MOD server, and mark the suspicious flows with the unique marks. At the same time, the MOD server records the information of the marks and their related requesting IP addresses. Once a DDoS attack is confirmed, the victim can obtain the attack sources by requesting the MOD server with the marks extracted from attack packets. Moreover, we use the marking space in a round-robin style, which essentially addresses the scalability problem of the existing DPM based traceback schemes. We establish a mathematical model for the proposed traceback scheme, and thoroughly analyze the system. Theoretical analysis and extensive real-world data experiments demonstrate that the proposed traceback method is feasible and effective.

Luo Wen,Wu Jianping,Xu Ke,JP Wu

DOI: https://doi.org/10.1007/978-3-540-31957-3_10

2005-01-01

Abstract:IP traceback is an important task in Internet security area. Techniques have been developed to deploy in pure IP network, but, to date, no system has been presented to use the facility of MPLS in MPLS-enabled network. We present Overlay Logging, a technique combines the hash based logging (SPIE) and the convenience of setup overlay network in MPLS network. Our system can achieve a relatively lower false positive rate than SPIE, needs less hardware investment, and reduces the storage pressure. It is impervious to multi-path routing in the network. What's more, the network overhead and configuration cost of our system is low.

Yangyang Wang,Jun Bi,Keyao Zhang

DOI: https://doi.org/10.1007/s11432-015-1057-7

2017-01-01

Science China Information Sciences

Abstract:SDN provides an approach to create desired network forwarding plane by programming applications. For a large-scale SDN network comprised of multiple domains and running multiple controller applications, it is difficult to measure and diagnose the problems of flow tables in data plane. Tracing the forwarding path of SDN is one of effective way for data plane state measurement. Previously proposed methods for debugging SDN were applied to a single administrative domain. There is less effort to trace the flow entries of the data plane in large-scale multi-domain SDN networks. In this paper, we propose a method of software defined data plane tracing in large-scale multi-domain SDN networks. Our method can trace forwarding paths, and get the matched flow entries and other customized trace information. We present the designs compatible with OpenFlow 1.0 and 1.3 switches. The performance and deployment effect are evaluated by simulation test and analysis. It shows that our method has better performance than traditional IP traceroute, and its deployment at about 20% of AS nodes can enable 70% of AS paths to be traceable.

CL Huang,M Li,JH Yang,CS Gao

DOI: https://doi.org/10.1109/wcnm.2005.1544263

2005-01-01

Abstract:Due to the fact that IP spoofing technique is frequently used, defending distributed denial of service (DDoS) attacks faces extreme difficulty. Recently, several approaches have been proposed for path identification to trace DDoS attacks. However, most of these schemes require very large number of packets to conduct the traceback process, which results in lengthy and complicated procedure. This paper proposes a novel DDoS traceback scheme based on real-time consideration by dividing the tracing process into two steps. In the first step, probabilistic packet marking (PPM) based on autonomous system (AS) (ASPPM) is adopted to determine the attack-originating AS. In the second step, random number packet marking (RNPM) is used to identify the exact origin of the attacks in the specific AS. Compared with previous schemes, the two-step traceback scheme has the benefits of quick convergence speed, light computational overhead and low false positive, hence making it possible to trace the DDoS source on a real-time basis.

Yang Xiang,Wanlei Zhou,Minyi Guo

DOI: https://doi.org/10.1109/tpds.2008.132

IF: 5.3

2008-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:IP traceback is the enabling technology to control Internet crime. In this paper we present a novel and practical IP traceback system called Flexible Deterministic Packet Marking (FDPM) which provides a defense system with the ability to find out the real sources of attacking packets that traverse through the network. While a number of other traceback schemes exist, FDPM provides innovative features to trace the source of IP packets and can obtain better tracing capability than others. In particular, FDPM adopts a flexible mark length strategy to make it compatible to different network environments; it also adaptively changes its marking rate according to the load of the participating router by a flexible flow-based marking scheme. Evaluations on both simulation and real system implementation demonstrate that FDPM requires a moderately small number of packets to complete the traceback process; add little additional load to routers and can trace a large number of sources in one traceback process with low false positive rates. The built-in overload prevention mechanism makes this system capable of achieving a satisfactory traceback result even when the router is heavily loaded. It has been used to not only trace DDoS attacking packets but also enhance filtering attacking traffic.

HONG Jingfeng,DUAN Haixin,YAO Shuzhen

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.08.066

2006-01-01

Abstract:A new approach to tracing sources of DDoS attacks based on passive sniffing overlay network(PSON) is proposed,which can span multiple autonomy systems to trace back to multiple attack sources of a large scale DDoS attack.Based on this solution,it designs and implements an IP traceback system: SnifferTrack.The architecture and composition of the system are described,as well as the tracing process and algorithms.Several limitations of the system and future work are also proposed.

Hongcheng Tian,Jun Bi,Xiaoke Jiang,Wei Zhang

DOI: https://doi.org/10.1109/internet.2010.32

2010-01-01

Abstract:For existing probabilistic marking technologies for IP traceback, such as Probabilistic Packet Marking (PPM), TTL-based Packet Marking (TPM) and Dynamic Probabilistic Packet Marking (DPPM), it is difficult to reconstruct attack path(s) fast and defend against spoofed marks. In this paper, we present Adaptive Probabilistic Marking scheme (APM), where the TTL value of each packet is set to a uniform number at the first-hop router, and each router deduces the distance that each packet has already traveled, and then adaptively marks the packet with the probability inversely proportional to the distance. We theoretically prove that, in APM, the victim requires the fewest packets for a successful traceback, the effect of spoofed marks can be eliminated. NS2 experiments show, in APM, the time for the victim to collect all the obligatory marks for the path reconstruction is reduced by more than 20% compared with existing schemes, and spoofed marks cannot reach the victim.

JING Yi-nan,WANG Xue-ping,XIAO Xiao-chun,ZHANG Gen-du

DOI: https://doi.org/10.1049/cp:20061579

2006-01-01

Abstract:Distributed denial-of-service attack is one of the major threats to Internet currently.IP traceback is a technique to trace back the attack sources in presence of IP spoofing,and plays a key role in defense for DDoS attacks.Compared with other IP traceback techniques,the probabilistic packet marking (PPM) scheme has more advantages.However,because of low marking information utilization,its traceback speed is still too slow.In order to traceback attackers as quickly as possible,a logless fast IP traceback (LFIT) scheme is proposed,which uses a few router storage space and in-band channel to improve the marking information utilization. Simulation results show that it has two distinct advantages,namely faster traceback speed and little router and network overhead.

Yinan Jing,Peng Tu,Xueping Wang,Gendu Zhang

DOI: https://doi.org/10.1109/CIT.2005.99

2005-01-01

Abstract:IP traceback is one of the most effective techniques to defeat the denial-of-service attacks and distributed denial-of-service attacks. And based on previous research, available probabilistic packet marking (PPM) schemes have more advantages than other IP traceback techniques. But the traditional schemes have too low marking packets utilization. In this paper, a new distributed-log-based scheme (DLS), which combines PPM and logging techniques, is proposed to utilize marking packets sufficiently. And, theoretical analysis and simulation results have proven that this scheme can converge more quickly than others. Based on this scheme the origin of an attack path can be traced by only several packets. Moreover, a MACenhanced hierarchical IP traceback system (HITS) is proposed to supply a gap of end-host schemes. We believe that MAC-enhanced HITS can be deployed and managed more conveniently and securely than endhost schemes. And the traceback results educed by it are more credible and authoritative.

HUANG Chang-lai,LING Ming,PENG Ge-gang,GAO Chuan-shan

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.06.022

2006-01-01

Abstract:DDoS attack has increasingly become a great threat to the current Internet. Due to the fact that IP spoofing technique is frequently used,defending DDoS attack faces extreme difficulty. Most of the previous approaches to this problem try to solve it on a generalized Internet scale. For many reasons,the related tracing process requires great overhead and the solutions are difficult to implement.This paper proposes a new DDoS traceback scheme based on real-time consideration by dividing the tracing process into two steps.In the first step,ASPPM Scheme is adopted to determine the attack-originating AS.The second step processing concentrates on identifing ins the exact origin of the attacks. Compared the to the previous schemes,the two-step traceback scheme has the benefits of quick convergence speed,light computational overhead and low false positive. So it is possible to trace the DDoS source on a real-time basis.

HT Tian,LS Huang,YF Lei,GL Chen

DOI: https://doi.org/10.1109/pdcat.2003.1236285

2003-01-01

Abstract:The problem of identifying the sources of a denial of service attack is among the hardest in the Internet security area, since attackers often use spoofed source IP addresses. We present a new scheme called MAC-based probabilistic packet marking (MPPM) for IP traceback under DoS attack. A router marks the packets stochastically with fragments of an edge composed of itself and the next hop router. Message authentication code (MAC) is used to link and authenticate fragments of routers' addresses in the marked attack packets. The main advantage of MPPM over known PPM schemes includes less attack packets required to converge, linear computation overhead and more precision. Moreover the optional authentication mechanism provides robustness against faked marks. MPPM also features low router cost and supports incremental deployment.

Hasibul Jamil,Abdul Alim,Laurent Schares,Pavlos Maniotis,Liran Schour,Ali Sydney,Abdullah Kayi,Tevfik Kosar,Bengi Karacali

2024-10-22

Abstract:The increasing complexity of AI workloads, especially distributed Large Language Model (LLM) training, places significant strain on the networking infrastructure of parallel data centers and supercomputing systems. While Equal-Cost Multi- Path (ECMP) routing distributes traffic over parallel paths, hash collisions often lead to imbalanced network resource utilization and performance bottlenecks. This paper presents FlowTracer, a tool designed to analyze network path utilization and evaluate different routing strategies. FlowTracer aids in debugging network inefficiencies by providing detailed visibility into traffic distribution and helping to identify the root causes of performance degradation, such as issues caused by hash collisions. By offering flow-level insights, FlowTracer enables system operators to optimize routing, reduce congestion, and improve the performance of distributed AI workloads. We use a RoCEv2-enabled cluster with a leaf-spine network and 16 400-Gbps nodes to demonstrate how FlowTracer can be used to compare the flow imbalances of ECMP routing against a statically configured network. The example showcases a 30% reduction in imbalance, as measured by a new metric we introduce.

Networking and Internet Architecture,Distributed, Parallel, and Cluster Computing

Yu Zhang,Ricardo Oliveira,Yangyang Wang,Shen Su,Baobao Zhang,Jun Bi,Hongli Zhang,Lixia Zhang

DOI: https://doi.org/10.1109/jsac.2011.111007

IF: 16.4

2011-01-01

IEEE Journal on Selected Areas in Communications

Abstract:Although traceroute has the potential to discover AS links that are invisible to existing BGP monitors, it is well known that the common approach for mapping router IP addresses to AS numbers based on BGP routing tables is highly error-prone. We develop a systematic framework to quantify the potential errors of traceroute measurement in AS-level topology inference. In comparing traceroute-derived AS paths with BGP AS paths, we take a novel approach to identifying mismatched path segments and then inferring the causes of these mismatches through a set of tests. Our results show that about 60% of mismatches are due to routers using IP addresses belonging to peering neighbors. This result helps settle a debate in previous works regarding the major cause of errors in traceroute measurement. With the approximate ground truth of the ASes with BGP monitors inside, we identify the inaccuracy of publicly available traceroute-derived topology datasets and find that between 8% and 42% of AS adjacencies on the monitored ASes are false. With a new method to characterize AS links, we show that the derived (false) links between Tier-1/large ISPs and their customers' customers appear more frequently than real links do.