Hongcheng Tian,Jun Bi,Wei Zhang,Xiaoke Jiang

DOI: https://doi.org/10.1109/ICNP.2011.6089038

2011-01-01

Abstract:IP traceback can be used to find the origins and paths of attacking traffic. However, so far, no Internet-level IP traceback system has ever been deployed because of deployment difficulties. In this paper, we present an easily-deployable light-weight IP traceback based on flow (EasyTrace). In EasyTrace, it is not necessary to deploy any dedicated traceback software and hardware at routers, and an AS-level overlay network is built for incremental deployment. We theoretically analyze the quantitative relation among the probability that a flow is successfully traced back various AS-level hop number, independently sampling probability, and the number of packets that the flow comprises.

Hongcheng Tian,Jun Bi,Peiyao Xiao

DOI: https://doi.org/10.1109/icdcsw.2012.49

2012-01-01

Abstract:IP trace back can be used to find the origins and paths of attacking traffic. However, so far, no Internet-level IP trace back system has ever been deployed because of deployment difficulties. In this paper, we present a flow-based trace back scheme on an AS-level overlay network (Easy Trace). In Easy Trace, it is not necessary to deploy any dedicated trace back software and hardware at routers, and an AS-level overlay network is built for incremental deployment. We theoretically analyze the quantitative relation among the probability that a flow is successfully traced back various AS-level hop number, independently sampling probability, and the packet number that the attacking flow comprises.

Hongcheng Tian,Jun Bi,Xiaoke Jiang

DOI: https://doi.org/10.1007/s13119-012-0007-x

2012-01-01

Networking Science

Abstract:IP traceback can be used to find direct generator(s) and path(s) of attacking traffic. Probabilistic marking schemes, as one type of IP traceback technologies, have been most studied, but they are difficult to fast reconstruct attacking path(s) and defend against spoofed marks generated by attacking source(s). In this paper, we present Adaptive Probabilistic Marking scheme (APM). In APM, when each packet enters the first-hop router, its TTL value is set to a uniform value, and when it is forwarded by routers in the network, each intermediate router decreases the TTL value by one. Consequently, each intermediate router may infer the router-level hop number that each packet has already traveled, and then correspondingly marks the packet with the probability inversely proportional to the router-level hop number. APM is focused on the probability with which a router marks a packet, and APM can cooperate with other probabilistic marking schemes. NS2 simulation experiments prove that, in APM, the time for the victim to receive necessary marks for the path reconstruction is reduced by more than 20% compared with existing probabilistic marking schemes, and spoofed marks cannot reach the victim and influence the traceback process.

Yan WANG,Lingdi PING

2011-01-01

Abstract:IP traceback is the technology to control Internet crime. A promising solution to IP traceback is probabilistic packet marking (PPM). In this paper we present a novel and practical IP traceback algorithm which can improve the PPM convergency and computational overhead. This scheme may also reduce the deployment overhead without requiring the participation of all routers on the attack path. It has been used not only to trace Distributed Denial of Service (DDoS) attacking packets but also to enhance filtering attacking traffic. It has wide applications for other security systems. To the best of our knowledge, this thesis is the first of its kind considering the impact of packet loss in designing packet marking scheme.

Yinan Jing,Peng Tu,Xueping Wang,Gendu Zhang

DOI: https://doi.org/10.1109/CIT.2005.99

2005-01-01

Abstract:IP traceback is one of the most effective techniques to defeat the denial-of-service attacks and distributed denial-of-service attacks. And based on previous research, available probabilistic packet marking (PPM) schemes have more advantages than other IP traceback techniques. But the traditional schemes have too low marking packets utilization. In this paper, a new distributed-log-based scheme (DLS), which combines PPM and logging techniques, is proposed to utilize marking packets sufficiently. And, theoretical analysis and simulation results have proven that this scheme can converge more quickly than others. Based on this scheme the origin of an attack path can be traced by only several packets. Moreover, a MACenhanced hierarchical IP traceback system (HITS) is proposed to supply a gap of end-host schemes. We believe that MAC-enhanced HITS can be deployed and managed more conveniently and securely than endhost schemes. And the traceback results educed by it are more credible and authoritative.

Changlai Huang,Ming Li,Chuanshan Gao

DOI: https://doi.org/10.1109/csie.2009.96

2009-01-01

Abstract:IP traceback is a critical ability for identifying sources of attacks and instituting protection measures for the Internet. Like any countermeasures for DDoS attack, a well-designed scheme requires tracebacking system to react to spot it in real-time. This paper proposes a novel traceback scheme based on autonomous system (AS) marking. We break down the tracing procedure into intra-AS and inter-AS phases by embedding the marking information IP header with the AS number and AS’s border router ID. Compared with traditional schemes, the advantages of our approach include quick convergence, light computation overhead as well as without the leakage of sensitive information.

Hongcheng Tian,Jun Bi

DOI: https://doi.org/10.1109/icufn.2018.8436721

2018-01-01

Abstract:Distributed Denial of Service (DDoS) attacks continue to pose major threats to the Internet. IP traceback can identify locations of attackers and attacking paths. This paper classifies existing IP traceback schemes, points out advantages and disadvantages of each category, and summarizes five evaluation indexes for IP traceback to evaluate six representative traceback schemes. In addition, this paper proposes three future research areas of IP traceback. And this paper is an important valuable reference for network researchers to go in for the further study on IP traceback.

Xinyue Jiang,Risheng Deng,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics53846.2021.00035

2021-01-01

Abstract:The large-scale distributed network has exposed increasing attack surfaces to cyber attackers. In this paper, we present a refined network measurement mechanism, called DDoS Collaborative Mitigation Mechanism (DDoSCCM). Based on former achievements in the programmable network, our work aims at capturing the characters of abnormal traffic and presenting an antedating reaction, constrained by limited resources of the switching ASIC. In-band Network Telemetry (INT) technique achieves real-time monitoring of the network by utilizing the device data acquisition on the data plane. Our work helps the network operator not only to learn the status of the network but also to issue an appropriate mitigation strategy faster and more accurately. DDoSCCM aims at delegating both detection and mitigation processes to the programmable switch. Consequently, the theoretical analysis and experimental results show that DDoSCCM can meet practical requirements and have a certain application value.

Hongcheng Tian,Jun Bi,Xiaoke Jiang,Wei Zhang

DOI: https://doi.org/10.1109/internet.2010.32

2010-01-01

Abstract:For existing probabilistic marking technologies for IP traceback, such as Probabilistic Packet Marking (PPM), TTL-based Packet Marking (TPM) and Dynamic Probabilistic Packet Marking (DPPM), it is difficult to reconstruct attack path(s) fast and defend against spoofed marks. In this paper, we present Adaptive Probabilistic Marking scheme (APM), where the TTL value of each packet is set to a uniform number at the first-hop router, and each router deduces the distance that each packet has already traveled, and then adaptively marks the packet with the probability inversely proportional to the distance. We theoretically prove that, in APM, the victim requires the fewest packets for a successful traceback, the effect of spoofed marks can be eliminated. NS2 experiments show, in APM, the time for the victim to collect all the obligatory marks for the path reconstruction is reduced by more than 20% compared with existing schemes, and spoofed marks cannot reach the victim.

CL Huang,M Li,JH Yang,CS Gao

DOI: https://doi.org/10.1109/wcnm.2005.1544263

2005-01-01

Abstract:Due to the fact that IP spoofing technique is frequently used, defending distributed denial of service (DDoS) attacks faces extreme difficulty. Recently, several approaches have been proposed for path identification to trace DDoS attacks. However, most of these schemes require very large number of packets to conduct the traceback process, which results in lengthy and complicated procedure. This paper proposes a novel DDoS traceback scheme based on real-time consideration by dividing the tracing process into two steps. In the first step, probabilistic packet marking (PPM) based on autonomous system (AS) (ASPPM) is adopted to determine the attack-originating AS. In the second step, random number packet marking (RNPM) is used to identify the exact origin of the attacks in the specific AS. Compared with previous schemes, the two-step traceback scheme has the benefits of quick convergence speed, light computational overhead and low false positive, hence making it possible to trace the DDoS source on a real-time basis.

Shidong Dai,Xing Li

DOI: https://doi.org/10.1109/wicom.2009.5301979

2009-01-01

Abstract:Traceback is the technique to trace packets back to the sources or the routers near the sources, which is essential while defending against IP spoofing and denial of service attacks. In this paper we present the design of QuIT (Quantitative IP traceback) system which can trace the origin of a single packet and figure out the distribution of packets from each source. QUIT generates audit trails for packets and transfers them along with the traffic to provide the ability of audit for the downstream victims. The traceback can be operated locally near the victim without communicating with other routers or ISPs, which increases the feasibility of deployment. Theoretic analysis and simulation experiments demonstrated that the traffic increased by the QUIT system is less than 0.12% and computation complexity is affordable.

Yi Gao,Yuan Jing,Wei Dong

DOI: https://doi.org/10.1109/tnet.2018.2871213

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:Knowing the trajectory of each packet in a network enables a large range of network debugging and management tasks. Existing packet trajectory tracing approaches for software-defined networking (SDN) either require high message/computational overhead or only focus on one kind of network topology. In this paper, we propose UniROPE, a robust and lightweight packet trajectory tracing approach that supports various network topologies. Using the flow information, UniROPE dynamically selects one of the two proposed packet trajectory tracing algorithms to achieve a better tradeoff between accuracy and efficiency. We implement UniROPE using P4, a high-level language for programming SDN switch operations, and evaluate its performance in networks with different topologies, scales, and link failure probabilities. Results show that UniROPE achieves a high successful ratio of packet trajectory tracing with small message/computational overheads in various networks. We also use three case studies to show the effectiveness of the traced packet trajectory information for network debugging and management.

JING Yi-nan,WANG Xue-ping,XIAO Xiao-chun,ZHANG Gen-du

DOI: https://doi.org/10.1049/cp:20061579

2006-01-01

Abstract:Distributed denial-of-service attack is one of the major threats to Internet currently.IP traceback is a technique to trace back the attack sources in presence of IP spoofing,and plays a key role in defense for DDoS attacks.Compared with other IP traceback techniques,the probabilistic packet marking (PPM) scheme has more advantages.However,because of low marking information utilization,its traceback speed is still too slow.In order to traceback attackers as quickly as possible,a logless fast IP traceback (LFIT) scheme is proposed,which uses a few router storage space and in-band channel to improve the marking information utilization. Simulation results show that it has two distinct advantages,namely faster traceback speed and little router and network overhead.

Guang Yao,Jun Bi,Athanasios V. Vasilakos

DOI: https://doi.org/10.1109/TIFS.2014.2381873

IF: 7.231

2015-01-01

IEEE Transactions on Information Forensics and Security

Abstract:It is long known attackers may use forged source IP address to conceal their real locations. To capture the spoofers, a number of IP traceback mechanisms have been proposed. However, due to the challenges of deployment, there has been not a widely adopted IP traceback solution, at least at the Internet level. As a result, the mist on the locations of spoofers has never been dissipated till now. This paper proposes passive IP traceback (PIT) that bypasses the deployment difficulties of IP traceback techniques. PIT investigates Internet Control Message Protocol error messages (named path backscatter) triggered by spoofing traffic, and tracks the spoofers based on public available information (e.g., topology). In this way, PIT can find the spoofers without any deployment requirement. This paper illustrates the causes, collection, and the statistical results on path backscatter, demonstrates the processes and effectiveness of PIT, and shows the captured locations of spoofers through applying PIT on the path backscatter data set. These results can help further reveal IP spoofing, which has been studied for long but never well understood. Though PIT cannot work in all the spoofing attacks, it may be the most useful mechanism to trace spoofers before an Internet-level traceback system has been deployed in real.

Yinan Jing,Jingtao Li,Xueping Wang,Xiaochun Xiao,Gendu Zhang

DOI: https://doi.org/10.1109/aina.2006.22

2006-01-01

Abstract:Distributed denial-of-service attacks have become the major threat to Internet today. IP traceback is one of the most effective techniques to defeat these attacks by identifying attack sources even in the presence of IP spoofing. Because of low marking packet utilization, the convergence time of traditional probabilistic packet marking (PPM) schemes is still too long. In order to shorten the convergence time, a distributedlog- based IP traceback scheme is proposed. Theoretical analysis and simulation results show that this scheme not only can converge more quickly than previous PPM schemes, but also has much less log overhead than other log-based schemes.

HUANG Chang-lai,LING Ming,PENG Ge-gang,GAO Chuan-shan

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.06.022

2006-01-01

Abstract:DDoS attack has increasingly become a great threat to the current Internet. Due to the fact that IP spoofing technique is frequently used,defending DDoS attack faces extreme difficulty. Most of the previous approaches to this problem try to solve it on a generalized Internet scale. For many reasons,the related tracing process requires great overhead and the solutions are difficult to implement.This paper proposes a new DDoS traceback scheme based on real-time consideration by dividing the tracing process into two steps.In the first step,ASPPM Scheme is adopted to determine the attack-originating AS.The second step processing concentrates on identifing ins the exact origin of the attacks. Compared the to the previous schemes,the two-step traceback scheme has the benefits of quick convergence speed,light computational overhead and low false positive. So it is possible to trace the DDoS source on a real-time basis.

HT Tian,LS Huang,YF Lei,GL Chen

DOI: https://doi.org/10.1109/pdcat.2003.1236285

2003-01-01

Abstract:The problem of identifying the sources of a denial of service attack is among the hardest in the Internet security area, since attackers often use spoofed source IP addresses. We present a new scheme called MAC-based probabilistic packet marking (MPPM) for IP traceback under DoS attack. A router marks the packets stochastically with fragments of an edge composed of itself and the next hop router. Message authentication code (MAC) is used to link and authenticate fragments of routers' addresses in the marked attack packets. The main advantage of MPPM over known PPM schemes includes less attack packets required to converge, linear computation overhead and more precision. Moreover the optional authentication mechanism provides robustness against faked marks. MPPM also features low router cost and supports incremental deployment.

Yinan Jing,Qiang Jiang,Xiaochun Xiao,Xueping Wang

DOI: https://doi.org/10.4236/cn.2013.53b2088

2013-01-01

Communications and Network

Abstract:Due to constrained resources, DDoS attack is one of the biggest threats to MANET.IP traceback technique is useful to defend against such type of attacks, since it can identify the attack sources.Several types of traceback schemes have been proposed for wired networks.Among all the existing schemes, probabilistic packet marking (PPM) scheme might be the most promising scheme for MANET.However its performance in MANET is not as good as that in Internet.In this paper, a new scheme based on the coding technique (CT) is proposed for traceback in MANET.Furthermore, a new idea of Incremental traceback is raised to cope with the situation of incremental attack (ICT).We present the protocol design and conduct theoretical analysis of this scheme.Additionally, we conduct experiments to compare it with the traditional PPM scheme.The experimental results show that the new coding-based traceback scheme outperforms the PPM scheme in MANET.

TU Peng,JING Yi-nan,FU Zhen-yong,ZHANG Gen-du

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.18.002

2006-01-01

Abstract:Probabilistic packet marking(PPM)is an efficient solution to defeat denial-of-service attacks.One of the available solutions is node sampling scheme proposed by Savage.Based on the theoretic analysis of node sampling scheme,some improvement are provided.Conducting performance analyzing is proven by simulation on the improved scheme by comparing the simulation results,the improved scheme is much better than the original node sampling scheme at performance is obtained.

W Liu,Hx Duan,Y Feng,Yb Li,P Ren

2004-01-01

Abstract:This paper describes a technique for tracing anonymous packet flooding attacks in the Internet back towards their source. We first analyze the limitation of Edge Sampling Algorithm (ESA) [1], then present a new scheme IESA for providing traceback information in IP packets, which marking the packet with a dynamic marking probability to ensure that the victim receives all the marked packets with equal probability. This scheme can reduce greatly the possibility that a marked packet farther away from victim is remarked by the router nearer to the victim, hence greatly reduces the number of packets needed to reconstruct the attack path, and therefore greatly reduces the reconstruction time.