Yan WANG,Lingdi PING

2011-01-01

Abstract:IP traceback is the technology to control Internet crime. A promising solution to IP traceback is probabilistic packet marking (PPM). In this paper we present a novel and practical IP traceback algorithm which can improve the PPM convergency and computational overhead. This scheme may also reduce the deployment overhead without requiring the participation of all routers on the attack path. It has been used not only to trace Distributed Denial of Service (DDoS) attacking packets but also to enhance filtering attacking traffic. It has wide applications for other security systems. To the best of our knowledge, this thesis is the first of its kind considering the impact of packet loss in designing packet marking scheme.

Wu Liu,Hai-Xin Duan,Jian-Ping Wu,Ping Ren,Li-Hua Lu

DOI: https://doi.org/10.1007/978-3-540-24679-4_146

2004-01-01

Abstract:In this paper we present robust algorithms of transmission and reconstruction of attacking path(s) in IDS for providing traceback information in IP packets without requiring interactive operational support from Internet Service Providers, which is based on IP address compression techniques, polynomial theory and techniques from algebraic coding theory. Our best scheme has improved robustness over previous combinatorial approaches, both for noise elimination and multiple-path re-construction. Another key advantage of our schemes is that they will automatically benefit from any improvement in the underlying mathematical techniques, for which progress has been steady in recent years.

Yang Xiang,Wanlei Zhou,Minyi Guo

DOI: https://doi.org/10.1109/tpds.2008.132

IF: 5.3

2008-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:IP traceback is the enabling technology to control Internet crime. In this paper we present a novel and practical IP traceback system called Flexible Deterministic Packet Marking (FDPM) which provides a defense system with the ability to find out the real sources of attacking packets that traverse through the network. While a number of other traceback schemes exist, FDPM provides innovative features to trace the source of IP packets and can obtain better tracing capability than others. In particular, FDPM adopts a flexible mark length strategy to make it compatible to different network environments; it also adaptively changes its marking rate according to the load of the participating router by a flexible flow-based marking scheme. Evaluations on both simulation and real system implementation demonstrate that FDPM requires a moderately small number of packets to complete the traceback process; add little additional load to routers and can trace a large number of sources in one traceback process with low false positive rates. The built-in overload prevention mechanism makes this system capable of achieving a satisfactory traceback result even when the router is heavily loaded. It has been used to not only trace DDoS attacking packets but also enhance filtering attacking traffic.

Hai-Xin Duan,Jian-Ping Wu

DOI: https://doi.org/10.1109/ICITA.2005.158

2005-01-01

Abstract:In this paper we present a new model ERPPM for providing traceback information in IP packets, which marking the packet with a dynamic optimal marking probability to ensure that the victim receives all the marked packets with equal probability, which can greatly reduce the number of packets needed to reconstruct the attacking path.

Haipeng Qu,Purui Su,Dongdai Lin,Dengguo Feng

DOI: https://doi.org/10.1007/978-3-540-31957-3_109

2005-01-01

Abstract:DDoS attack is a big problem to the Internet community due to its high-profile, severe damage, and the difficulty in defending against it. Several countermeasures are proposed for it in the literature, among which, Probabilistic Packet Marking (PPM) first developed by Savage et al. is promising. However, the PPM marking schemes have the limitations in two main aspects: high computation overhead and large number of false positives. In this paper, a new packet marking scheme is proposed, which is more practical because of higher precision, and computationally more efficient compared with the PPM scheme proposed by Savage. Furthermore, this scheme can achieve a more higher precision than Advanced Marking Schemes in case of the victim knowing the map of its upstream routers.

HUANG Chang-lai,LING Ming,PENG Ge-gang,GAO Chuan-shan

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.06.022

2006-01-01

Abstract:DDoS attack has increasingly become a great threat to the current Internet. Due to the fact that IP spoofing technique is frequently used,defending DDoS attack faces extreme difficulty. Most of the previous approaches to this problem try to solve it on a generalized Internet scale. For many reasons,the related tracing process requires great overhead and the solutions are difficult to implement.This paper proposes a new DDoS traceback scheme based on real-time consideration by dividing the tracing process into two steps.In the first step,ASPPM Scheme is adopted to determine the attack-originating AS.The second step processing concentrates on identifing ins the exact origin of the attacks. Compared the to the previous schemes,the two-step traceback scheme has the benefits of quick convergence speed,light computational overhead and low false positive. So it is possible to trace the DDoS source on a real-time basis.

Shui Yu,Wanlei Zhou,Song Guo,Minyi Guo

DOI: https://doi.org/10.1109/tc.2015.2439287

IF: 3.183

2016-01-01

IEEE Transactions on Computers

Abstract:DDoS attack source traceback is an open and challenging problem. Deterministic packet marking (DPM) is a simple and effective traceback mechanism, but the current DPM based traceback schemes are not practical due to their scalability constraint. We noticed a factor that only a limited number of computers and routers are involved in an attack session. Therefore, we only need to mark these involved nodes for traceback purpose, rather than marking every node of the Internet as the existing schemes doing. Based on this finding, we propose a novel marking on demand (MOD) traceback scheme based on the DPM mechanism. In order to traceback to involved attack source, what we need to do is to mark these involved ingress routers using the traditional DPM strategy. Similar to existing schemes, we require participated routers to install a traffic monitor. When a monitor notices a surge of suspicious network flows, it will request a unique mark from a globally shared MOD server, and mark the suspicious flows with the unique marks. At the same time, the MOD server records the information of the marks and their related requesting IP addresses. Once a DDoS attack is confirmed, the victim can obtain the attack sources by requesting the MOD server with the marks extracted from attack packets. Moreover, we use the marking space in a round-robin style, which essentially addresses the scalability problem of the existing DPM based traceback schemes. We establish a mathematical model for the proposed traceback scheme, and thoroughly analyze the system. Theoretical analysis and extensive real-world data experiments demonstrate that the proposed traceback method is feasible and effective.

Moon-chuen Lee,Yijun He,Zhaole Chen

2009-01-01

Abstract:Distributed Denial of Service (DDoS) attacks could be considered as one of the most serious security problems to the Internet today. To locate the sources of the attack packets, we usually need to find the paths through which the attack packets traversed from the sources to the victim. In this paper, we identify the weaknesses of an existing algebraic marking scheme for tracing DDoS attacks, and propose an improved version of the marking scheme. Simulation experiment results show that the proposed marking scheme could achieve a high success rate in tracing the attack sources. When compared with other marking schemes, it requires fewer packets for attack paths reconstruction. Further, it is characterized by generating no false positives, creating no additional traffic to the network, having a relatively low packet marking and attack path reconstruction overhead, and being backward compatible.

Qiang LI,Hong-zi ZHU,Jiu-bin JU

2005-01-01

Journal of Computer Applications

Abstract:Based on the current research on improving real-time PPM algorithms in IP traceback, the relations among marking probability, traffic volume for constructing an attack path and the distance of the attacking path were analysed. And an approach of real-time IP tracebacking which deploys larger traffic first probabilistic packet marking scheme (LTFMS) was proposed. According to the statistics on the present traffic of routers, a victim could construct a major attacking path in minimum time. For large-scale DDoS attacks, by establishing a simulated test environment and experiment analysis, LTFMS can construct more attacking paths than the existing schemes within the same time.

CL Huang,M Li,JH Yang,CS Gao

DOI: https://doi.org/10.1109/wcnm.2005.1544263

2005-01-01

Abstract:Due to the fact that IP spoofing technique is frequently used, defending distributed denial of service (DDoS) attacks faces extreme difficulty. Recently, several approaches have been proposed for path identification to trace DDoS attacks. However, most of these schemes require very large number of packets to conduct the traceback process, which results in lengthy and complicated procedure. This paper proposes a novel DDoS traceback scheme based on real-time consideration by dividing the tracing process into two steps. In the first step, probabilistic packet marking (PPM) based on autonomous system (AS) (ASPPM) is adopted to determine the attack-originating AS. In the second step, random number packet marking (RNPM) is used to identify the exact origin of the attacks in the specific AS. Compared with previous schemes, the two-step traceback scheme has the benefits of quick convergence speed, light computational overhead and low false positive, hence making it possible to trace the DDoS source on a real-time basis.

Dalia Nashat,Xiaohong Jiang,Susumu Horiguchi

DOI: https://doi.org/10.1109/icebe.2008.18

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. A router based detection scheme has been proposed to detect the SYN flooding agents based on the assumption that the SYN packets from the agent and the SYN/ACK packets from the victimpsilas server pass through different leaf routers. In the current IP spoofing techniques, however, the attacker can spoof a random address from any subnetwork, so the SYN packets from the agent and the SYN/ACK packets from the server may pass through the same leaf router. Therefore, a more general and flexible detection scheme is highly desirable for the efficient detection of these flooding agents under any type of IP spoofing. In this paper, we propose such a scheme to detect the flooding agents by considering all the possible kinds of IP spoofing. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). The Counting Bloom Filter is used to classify all the incoming SYN/ACK packets to the sub network into two streams, the first SYN/ACK packets (SYN/ACKf ) and the retransmission SYN/ACK packets (SYN/ACKr), to make our scheme generally applicable and the Cumulative Sum algorithm is applied to avoid the dependence of detection on sites and access patterns. Compared to the old detection scheme without the consideration of IP spoofing techniques, the proposed new scheme can significantly improve the accuracy in detecting the SYN flooding agents, as verified by extensive simulation results based on different IP spoofing techniques.

Li Gang,Hua Bei

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.10.071

2007-01-01

Abstract:An Autonomous System(AS) Collaborating based tracebacking algorithm for disposing Distributed Denial-of-Service(DDoS) attack is proposed.In this algorithm,border routers of AS mark the forwarded packets with the path information of current AS in certain probability.The victim thus can reconstruct the attack path to trace the attack source according to the marked information.By the authenticated marking method,attackers can be effectively prevented from forging and sophisticating the path information in the head of packets.In contrast to other tracebacking algorithms,this algorithm manages to real-timely traceback the attack source and efficiently hold the attack flow from entering other networks.Hence it alleviates the impact caused by the attack in time.

HT Tian,LS Huang,YF Lei,GL Chen

DOI: https://doi.org/10.1109/pdcat.2003.1236285

2003-01-01

Abstract:The problem of identifying the sources of a denial of service attack is among the hardest in the Internet security area, since attackers often use spoofed source IP addresses. We present a new scheme called MAC-based probabilistic packet marking (MPPM) for IP traceback under DoS attack. A router marks the packets stochastically with fragments of an edge composed of itself and the next hop router. Message authentication code (MAC) is used to link and authenticate fragments of routers' addresses in the marked attack packets. The main advantage of MPPM over known PPM schemes includes less attack packets required to converge, linear computation overhead and more precision. Moreover the optional authentication mechanism provides robustness against faked marks. MPPM also features low router cost and supports incremental deployment.

Qiao YAN,Shu-tao XIA,Jian-ping WU

DOI: https://doi.org/10.3969/j.issn.1001-2400.2006.05.034

2006-01-01

Journal of Xidian University

Abstract:A new encoding proposal which improves the compressed edge fragment sampling algorithm of Savage is proposed.In this new proposal,we overload the IP header fields which are correlative with the IP packet fragment to increase marking amounts.Moreover,64 parity-check bits generated by 2 different hash functions are employed to reduce the false positive alarm.Then,we further give some optimization procedures to reduce computational complexity during reconstruction.Finally,the two algorithms,i.e.,the compressed edge fragment sampling algorithm of Savage's(CEFS) and our new proposal named the improved compressed edge fragment sampling algorithm(ICEFS),are compared in three aspects,i.e.,the number of packets required for the victim to reconstruct the attack graph,computational complexity,and false positive alarm.The comparing results show that the new proposal ICEFS has much better performance than CEFS.For example the computational complexity during reconstruction of CEFS is m~8 and that of ICEFS is lower than 3m~2(where m is the number of attackers at the particular distance).When there are only 20 attackers at the same distance,the false positive rate of CEFS is nearly 0.99.When there are(1 000) attackers at the same distance,the false positive rate of ICEFS is still about zero.So ICEFS can be used in tracking large scale DDoS attacks.

Peter Hillmann,Frank Tietze,Gabi Dreo Rodosek

DOI: https://doi.org/10.1515/pik-2015-0010

2024-06-17

Abstract:The identification of the exact path that packets are routed in the network is quite a challenge. This paper presents a novel, efficient traceback strategy in combination with a defence system against distributed denial of service (DDoS) attacks named Tracemax. A single packets can be directly traced over many more hops than the current existing techniques allow. It let good connections pass while bad ones get thwarted. Initiated by the victim the routers in the network cooperate in tracing and become automatically self-organised and self-managed. The novel concept support analyses of packet flows and transmission paths in a network infrastructure. It can effectively reduce the effect of common bandwidth and resource consumption attacks and foster in addition early warning and prevention.

Networking and Internet Architecture,Distributed, Parallel, and Cluster Computing

Yinan Jing,Jingtao Li,Gendu Zhang

DOI: https://doi.org/10.1007/11534310_124

2005-01-01

Abstract:IP traceback is one of the most effective techniques to defeat the denial-of-service attacks and distributed denial-of-service attacks. And in terms of previous research fruits, the technique based on probabilistic packet marking (PPM) has been proven that it has more advantages than other IP traceback techniques. In this paper, we present a hierarchical IP traceback system, which is more practical and can be implemented and deployed more conveniently and securely than previous end-host schemes. We also present an improved edge marking algorithm called adaptive edge marking scheme (AEMS), which not only can shorten the convergence time, but also be more stable and robust. And detailed theoretical analysis and simulation results have also been presented to show the advantage and efficiency of this scheme.

TU Peng,JING Yi-nan,FU Zhen-yong,ZHANG Gen-du

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.18.002

2006-01-01

Abstract:Probabilistic packet marking(PPM)is an efficient solution to defeat denial-of-service attacks.One of the available solutions is node sampling scheme proposed by Savage.Based on the theoretic analysis of node sampling scheme,some improvement are provided.Conducting performance analyzing is proven by simulation on the improved scheme by comparing the simulation results,the improved scheme is much better than the original node sampling scheme at performance is obtained.

Hongcheng Tian,Jun Bi

DOI: https://doi.org/10.1109/lcomm.2012.051512.120467

IF: 3.5529

2012-01-01

IEEE Communications Letters

Abstract:IP traceback can be used to find the origins and paths of attacking traffic. However, so far, most approaches for IP traceback are hard to be deployed in the Internet because of deployment difficulties. In this paper, we present an incrementally deployable approach based on sampled flows for IP traceback (SampleTrace). In SampleTrace, it is not necessary to deploy any dedicated traceback software and hardware at routers, and an AS-level overlay network is built for incremental deployment. We theoretically analyze the quantitative relation among the probability that a flow is successfully traced back various AS-level hop number, independently sampling probability, and the packet number that the attacking flow comprises. According to Bernoulli's Law of Large Numbers, when a large number of attacking flows are practically traced back in the Internet by SampleTrace, the successfully-traced back relative frequency will approach the successfully-traced back probability.

Yi Shi,Xinyu Yang,Ning Li-,Yong Qi

DOI: https://doi.org/10.1007/11937807_12

2006-01-01

Abstract:Probabilistic Packet Marking algorithm, one promising solution to the IP traceback problem, uses one fixed marking space to store router information. Since this fixed space is not sufficient for storing all routers information, each router writes its information into packets chosen with probability p, so-called probabilistic marking. Probabilistic marking seems to be helpful in lowering router overhead, however, it also bring computation overhead for the victim to reconstruct the attack paths and large number of false positives. In this paper, we present a new approach for IP traceback, Deterministic Packet Marking Scheme with Link Signatures, which needs routers mark all packets during forwarding (so-called deterministic marking). We make a study of how much both the probabilistic and our deterministic packet marking schemes affect router overhead through simulations. The results confirm that our deterministic marking scheme will slightly lower router overhead, and besides, it has superior performance than another improved probabilistic packet marking method, Advanced Marking Schemes. Further performance analysis and simulation results are given to show that our technique is superior in precision to previous work-it has almost zero false positive rate. It also has lower computation overhead for victim and needs just a few packets to trace back attacks and to reconstruct the attack paths even under large scale distributed denial-of-service attacks. In addition, our scheme is simple to implement and support incremental deployment. © Springer-Verlag Berlin Heidelberg 2006.

HONG Jingfeng,DUAN Haixin,YAO Shuzhen

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.08.066

2006-01-01

Abstract:A new approach to tracing sources of DDoS attacks based on passive sniffing overlay network(PSON) is proposed,which can span multiple autonomy systems to trace back to multiple attack sources of a large scale DDoS attack.Based on this solution,it designs and implements an IP traceback system: SnifferTrack.The architecture and composition of the system are described,as well as the tracing process and algorithms.Several limitations of the system and future work are also proposed.