Yinan Jing,Jingtao Li,Xueping Wang,Xiaochun Xiao,Gendu Zhang

DOI: https://doi.org/10.1109/aina.2006.22

2006-01-01

Abstract:Distributed denial-of-service attacks have become the major threat to Internet today. IP traceback is one of the most effective techniques to defeat these attacks by identifying attack sources even in the presence of IP spoofing. Because of low marking packet utilization, the convergence time of traditional probabilistic packet marking (PPM) schemes is still too long. In order to shorten the convergence time, a distributedlog- based IP traceback scheme is proposed. Theoretical analysis and simulation results show that this scheme not only can converge more quickly than previous PPM schemes, but also has much less log overhead than other log-based schemes.

Yinan Jing,Peng Tu,Xueping Wang,Gendu Zhang

DOI: https://doi.org/10.1109/CIT.2005.99

2005-01-01

Abstract:IP traceback is one of the most effective techniques to defeat the denial-of-service attacks and distributed denial-of-service attacks. And based on previous research, available probabilistic packet marking (PPM) schemes have more advantages than other IP traceback techniques. But the traditional schemes have too low marking packets utilization. In this paper, a new distributed-log-based scheme (DLS), which combines PPM and logging techniques, is proposed to utilize marking packets sufficiently. And, theoretical analysis and simulation results have proven that this scheme can converge more quickly than others. Based on this scheme the origin of an attack path can be traced by only several packets. Moreover, a MACenhanced hierarchical IP traceback system (HITS) is proposed to supply a gap of end-host schemes. We believe that MAC-enhanced HITS can be deployed and managed more conveniently and securely than endhost schemes. And the traceback results educed by it are more credible and authoritative.

Yan WANG,Lingdi PING

2011-01-01

Abstract:IP traceback is the technology to control Internet crime. A promising solution to IP traceback is probabilistic packet marking (PPM). In this paper we present a novel and practical IP traceback algorithm which can improve the PPM convergency and computational overhead. This scheme may also reduce the deployment overhead without requiring the participation of all routers on the attack path. It has been used not only to trace Distributed Denial of Service (DDoS) attacking packets but also to enhance filtering attacking traffic. It has wide applications for other security systems. To the best of our knowledge, this thesis is the first of its kind considering the impact of packet loss in designing packet marking scheme.

CL Huang,M Li,JH Yang,CS Gao

DOI: https://doi.org/10.1109/wcnm.2005.1544263

2005-01-01

Abstract:Due to the fact that IP spoofing technique is frequently used, defending distributed denial of service (DDoS) attacks faces extreme difficulty. Recently, several approaches have been proposed for path identification to trace DDoS attacks. However, most of these schemes require very large number of packets to conduct the traceback process, which results in lengthy and complicated procedure. This paper proposes a novel DDoS traceback scheme based on real-time consideration by dividing the tracing process into two steps. In the first step, probabilistic packet marking (PPM) based on autonomous system (AS) (ASPPM) is adopted to determine the attack-originating AS. In the second step, random number packet marking (RNPM) is used to identify the exact origin of the attacks in the specific AS. Compared with previous schemes, the two-step traceback scheme has the benefits of quick convergence speed, light computational overhead and low false positive, hence making it possible to trace the DDoS source on a real-time basis.

Shui Yu,Wanlei Zhou,Song Guo,Minyi Guo

DOI: https://doi.org/10.1109/tc.2015.2439287

IF: 3.183

2016-01-01

IEEE Transactions on Computers

Abstract:DDoS attack source traceback is an open and challenging problem. Deterministic packet marking (DPM) is a simple and effective traceback mechanism, but the current DPM based traceback schemes are not practical due to their scalability constraint. We noticed a factor that only a limited number of computers and routers are involved in an attack session. Therefore, we only need to mark these involved nodes for traceback purpose, rather than marking every node of the Internet as the existing schemes doing. Based on this finding, we propose a novel marking on demand (MOD) traceback scheme based on the DPM mechanism. In order to traceback to involved attack source, what we need to do is to mark these involved ingress routers using the traditional DPM strategy. Similar to existing schemes, we require participated routers to install a traffic monitor. When a monitor notices a surge of suspicious network flows, it will request a unique mark from a globally shared MOD server, and mark the suspicious flows with the unique marks. At the same time, the MOD server records the information of the marks and their related requesting IP addresses. Once a DDoS attack is confirmed, the victim can obtain the attack sources by requesting the MOD server with the marks extracted from attack packets. Moreover, we use the marking space in a round-robin style, which essentially addresses the scalability problem of the existing DPM based traceback schemes. We establish a mathematical model for the proposed traceback scheme, and thoroughly analyze the system. Theoretical analysis and extensive real-world data experiments demonstrate that the proposed traceback method is feasible and effective.

Haipeng Qu,Purui Su,Dongdai Lin,Dengguo Feng

DOI: https://doi.org/10.1007/978-3-540-31957-3_109

2005-01-01

Abstract:DDoS attack is a big problem to the Internet community due to its high-profile, severe damage, and the difficulty in defending against it. Several countermeasures are proposed for it in the literature, among which, Probabilistic Packet Marking (PPM) first developed by Savage et al. is promising. However, the PPM marking schemes have the limitations in two main aspects: high computation overhead and large number of false positives. In this paper, a new packet marking scheme is proposed, which is more practical because of higher precision, and computationally more efficient compared with the PPM scheme proposed by Savage. Furthermore, this scheme can achieve a more higher precision than Advanced Marking Schemes in case of the victim knowing the map of its upstream routers.

Yang Xiang,Wanlei Zhou,Minyi Guo

DOI: https://doi.org/10.1109/tpds.2008.132

IF: 5.3

2008-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:IP traceback is the enabling technology to control Internet crime. In this paper we present a novel and practical IP traceback system called Flexible Deterministic Packet Marking (FDPM) which provides a defense system with the ability to find out the real sources of attacking packets that traverse through the network. While a number of other traceback schemes exist, FDPM provides innovative features to trace the source of IP packets and can obtain better tracing capability than others. In particular, FDPM adopts a flexible mark length strategy to make it compatible to different network environments; it also adaptively changes its marking rate according to the load of the participating router by a flexible flow-based marking scheme. Evaluations on both simulation and real system implementation demonstrate that FDPM requires a moderately small number of packets to complete the traceback process; add little additional load to routers and can trace a large number of sources in one traceback process with low false positive rates. The built-in overload prevention mechanism makes this system capable of achieving a satisfactory traceback result even when the router is heavily loaded. It has been used to not only trace DDoS attacking packets but also enhance filtering attacking traffic.

HT Tian,LS Huang,YF Lei,GL Chen

DOI: https://doi.org/10.1109/pdcat.2003.1236285

2003-01-01

Abstract:The problem of identifying the sources of a denial of service attack is among the hardest in the Internet security area, since attackers often use spoofed source IP addresses. We present a new scheme called MAC-based probabilistic packet marking (MPPM) for IP traceback under DoS attack. A router marks the packets stochastically with fragments of an edge composed of itself and the next hop router. Message authentication code (MAC) is used to link and authenticate fragments of routers' addresses in the marked attack packets. The main advantage of MPPM over known PPM schemes includes less attack packets required to converge, linear computation overhead and more precision. Moreover the optional authentication mechanism provides robustness against faked marks. MPPM also features low router cost and supports incremental deployment.

Qiang LI,Hong-zi ZHU,Jiu-bin JU

2005-01-01

Journal of Computer Applications

Abstract:Based on the current research on improving real-time PPM algorithms in IP traceback, the relations among marking probability, traffic volume for constructing an attack path and the distance of the attacking path were analysed. And an approach of real-time IP tracebacking which deploys larger traffic first probabilistic packet marking scheme (LTFMS) was proposed. According to the statistics on the present traffic of routers, a victim could construct a major attacking path in minimum time. For large-scale DDoS attacks, by establishing a simulated test environment and experiment analysis, LTFMS can construct more attacking paths than the existing schemes within the same time.

HUANG Chang-lai,LING Ming,PENG Ge-gang,GAO Chuan-shan

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.06.022

2006-01-01

Abstract:DDoS attack has increasingly become a great threat to the current Internet. Due to the fact that IP spoofing technique is frequently used,defending DDoS attack faces extreme difficulty. Most of the previous approaches to this problem try to solve it on a generalized Internet scale. For many reasons,the related tracing process requires great overhead and the solutions are difficult to implement.This paper proposes a new DDoS traceback scheme based on real-time consideration by dividing the tracing process into two steps.In the first step,ASPPM Scheme is adopted to determine the attack-originating AS.The second step processing concentrates on identifing ins the exact origin of the attacks. Compared the to the previous schemes,the two-step traceback scheme has the benefits of quick convergence speed,light computational overhead and low false positive. So it is possible to trace the DDoS source on a real-time basis.

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin,Honglan Lao

DOI: https://doi.org/10.1007/11760146_23

2006-01-01

Abstract:Low-rate TCP-targeted Denial-of-Service (DoS) attack (shrew) is a new kind of DoS attack which is based on TCP’s Retransmission Timeout (RTO) mechanism and can severely reduce the throughput of TCP traffic on victim. The paper proposes a novel mechanism which consists of effective detection and response methods. Through analyzing sampled attack traffic, we find that there is a stable difference between attack and legitimate traffic in frequency field, especially in low frequency. We use Sum of Low Frequency Power spectrum (SLFP) for detection. In our algorithm the destination IP address is used as flow label and SLFP is applied to every flow traversing edge router. If shrew is found, all flows to the destination are processed by Aggregated Flows Balance (AFB) at a proper upstream router. Simulation shows that attack traffics are restrained and TCP traffics can obtain enough bandwidth. The result indicates that our mechanism is effective and deployable.

JING Yinan,TU Peng,WANG Xueping,ZHANG Gendu

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.02.044

2007-01-01

Abstract:On the basis of analysis about advanced marking scheme(AMS),a reverse-validation IP traceback scheme is proposed,which no longer requires the too strong assumption of AMS.In order to improve other adaptive algorithms,an adaptive edge marking scheme(AEMS) is proposed.Theoretic analysis and simulation results prove that it can converge more quickly and stably than AMS.

Huang Changlai,Mao Dilin,Gao Chuanshan

DOI: https://doi.org/10.3969/j.issn.1000-386X.2010.07.060

2010-01-01

Abstract:Deterministic packet marking(DPM) is an efficient IP traceback technique tackling with large-scale DDoS attacks;and probabilistic packet marking(PPM) has been studied as a promising approach to realize IP traceback.In this paper,based on the analyses on the advantages and disadvantages of DPM and PPM techniques,we combine the advantages of these two fundamental techniques and introduce a lightweight packet marking(LPM) scheme which uses autonomous system number and router ID number as packet marking information.By reloading the offset filed of IP header we obtain more available marking space.Simulation result shows that the LPM scheme is easy to implement and achieves good outcomes in convergence time,false alarm rate and computational overhead.

Yinan Jing,Qiang Jiang,Xiaochun Xiao,Xueping Wang

DOI: https://doi.org/10.4236/cn.2013.53b2088

2013-01-01

Communications and Network

Abstract:Due to constrained resources, DDoS attack is one of the biggest threats to MANET.IP traceback technique is useful to defend against such type of attacks, since it can identify the attack sources.Several types of traceback schemes have been proposed for wired networks.Among all the existing schemes, probabilistic packet marking (PPM) scheme might be the most promising scheme for MANET.However its performance in MANET is not as good as that in Internet.In this paper, a new scheme based on the coding technique (CT) is proposed for traceback in MANET.Furthermore, a new idea of Incremental traceback is raised to cope with the situation of incremental attack (ICT).We present the protocol design and conduct theoretical analysis of this scheme.Additionally, we conduct experiments to compare it with the traditional PPM scheme.The experimental results show that the new coding-based traceback scheme outperforms the PPM scheme in MANET.

Shui Yu,Wanlei Zhou,Song Guo,Minyi Guo

DOI: https://doi.org/10.1109/GLOCOM.2013.6831159

2013-01-01

Abstract:DDoS attack source traceback is an open and challenging problem. Deterministic packet marking (DPM) is a simple and relatively effective traceback scheme among the available traceback methods. However, the existing DPM schemes inheret a critical drawback of scalability in tracing all possible attack sources, which roots at their static mark encoding and attempt to mark all Internet routers for their traceback purpose. We find that a DDoS attack session usually involves a limited number of attack sources, e.g. at the thousand level. In order to achieve the traceback goal, we only need to mark these attack related routers. We therefore propose a novel Marking on Demand (MOD) scheme based on the DPM mechanism to dynamical distribute marking IDs in both temporal and space dimensions. The proposed MOD scheme can traceback to all possible sources of DDoS attacks, which is not possible for the existing DPM schemes. We thoroughly compare the proposed MOD scheme with two dominant DPM schemes through theoretical analysis and experiments. The the results demonstrate that the MOD scheme outperforms the existing DPM schemes.

Wei Guo,Jin Xu,Yukui Pei,Liuguo Yin,Chunxiao Jiang

DOI: https://doi.org/10.1109/ICCWorkshops50388.2021.9473586

2021-01-01

Abstract:DDoS attacks have plagued the Internet for more than 20 years, and it is becoming even violent with the development of IoT. Therefore, it is an essential defense method to trace back DDoS sources. Traditional IP traceback methods have different limitations in a large storage space, increasing marking cost, and low credibility. To solve these problems, a lightweight DDoS attack blockchain-based tracing scheme (LDBT) is proposed, which can deny malicious traffic access to the LAN. First, to avoid secondary DDoS attacks caused by excessive recording information, a digest method is presented and installed on all routers in the LAN. It is used to transfer a huge number of packets to a fixed format, which can keep the scheme lightweight regardless of whether DDoS occurs or not. Second, we present a trusted fuzzy tracing method that searches for DDoS sources efficiently. Under the proposed scheme, the digest data are reliable owing to the decentralization and immutability of the blockchain platform. It also overcomes the problem that edge routers cannot provide precise detection information because the digest is only used to track. Experimental results show that the scheme searches the sources of malicious traffic with high accuracy, and the communication overhead constantly remains at a low level of 80 KB/s. Furthermore, the tracing time of our scheme increases linearly instead of an exponential growth by the hop count.

HONG Jingfeng,DUAN Haixin,YAO Shuzhen

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.08.066

2006-01-01

Abstract:A new approach to tracing sources of DDoS attacks based on passive sniffing overlay network(PSON) is proposed,which can span multiple autonomy systems to trace back to multiple attack sources of a large scale DDoS attack.Based on this solution,it designs and implements an IP traceback system: SnifferTrack.The architecture and composition of the system are described,as well as the tracing process and algorithms.Several limitations of the system and future work are also proposed.

Hongcheng Tian,Jun Bi,Xiaoke Jiang

DOI: https://doi.org/10.1007/s13119-012-0007-x

2012-01-01

Networking Science

Abstract:IP traceback can be used to find direct generator(s) and path(s) of attacking traffic. Probabilistic marking schemes, as one type of IP traceback technologies, have been most studied, but they are difficult to fast reconstruct attacking path(s) and defend against spoofed marks generated by attacking source(s). In this paper, we present Adaptive Probabilistic Marking scheme (APM). In APM, when each packet enters the first-hop router, its TTL value is set to a uniform value, and when it is forwarded by routers in the network, each intermediate router decreases the TTL value by one. Consequently, each intermediate router may infer the router-level hop number that each packet has already traveled, and then correspondingly marks the packet with the probability inversely proportional to the router-level hop number. APM is focused on the probability with which a router marks a packet, and APM can cooperate with other probabilistic marking schemes. NS2 simulation experiments prove that, in APM, the time for the victim to receive necessary marks for the path reconstruction is reduced by more than 20% compared with existing probabilistic marking schemes, and spoofed marks cannot reach the victim and influence the traceback process.

Guang Jin,Jiangang Yang

DOI: https://doi.org/10.1109/LCOMM.2006.1603385

IF: 3.5529

2006-01-01

IEEE Communications Letters

Abstract:A novel deterministic packet marking scheme for IP trace back against distributed denial of service attacks is presented. Besides the hash correlation functions, our scheme has a unique technique: redundant decomposition, which plays an important role in improving the recovery performance. Theoretical analyses, the pseudo code and the experimental results are provided. The scheme is proved to be accurate and efficient and can handle large-scale DDoS attacks.

Yinan Jing,Xueping Wang,Xiaochun Xiao,Gendu Zhang

2006-01-01

Journal of Information and Computational Science

Abstract:Distributed denial-of-service attack has become one of the major threats to Internet today. The distributed nature of DDoS problem needs a distributed solution. In this paper, we propose using a hierarchical domain-aware overlay to construct a secure cooperative environment for distributed rate limit. This distributed defense framework has a service-oriented economic model that not only motivates ISPs to deploy it, but also benefits all participants. In addition, an IP traceback-based rate limit algorithm is proposed to leverage the IP traceback technique not only to mitigate the DDoS attack effect as close to attack sources as possible, but also to improve the throughput of legitimate traffic even under a meek attack.