Yan WANG,Lingdi PING

2011-01-01

Abstract:IP traceback is the technology to control Internet crime. A promising solution to IP traceback is probabilistic packet marking (PPM). In this paper we present a novel and practical IP traceback algorithm which can improve the PPM convergency and computational overhead. This scheme may also reduce the deployment overhead without requiring the participation of all routers on the attack path. It has been used not only to trace Distributed Denial of Service (DDoS) attacking packets but also to enhance filtering attacking traffic. It has wide applications for other security systems. To the best of our knowledge, this thesis is the first of its kind considering the impact of packet loss in designing packet marking scheme.

Guang Jin,Jiangang Yang

DOI: https://doi.org/10.1109/LCOMM.2006.1603385

IF: 3.5529

2006-01-01

IEEE Communications Letters

Abstract:A novel deterministic packet marking scheme for IP trace back against distributed denial of service attacks is presented. Besides the hash correlation functions, our scheme has a unique technique: redundant decomposition, which plays an important role in improving the recovery performance. Theoretical analyses, the pseudo code and the experimental results are provided. The scheme is proved to be accurate and efficient and can handle large-scale DDoS attacks.

Huang Changlai,Mao Dilin,Gao Chuanshan

DOI: https://doi.org/10.3969/j.issn.1000-386X.2010.07.060

2010-01-01

Abstract:Deterministic packet marking(DPM) is an efficient IP traceback technique tackling with large-scale DDoS attacks;and probabilistic packet marking(PPM) has been studied as a promising approach to realize IP traceback.In this paper,based on the analyses on the advantages and disadvantages of DPM and PPM techniques,we combine the advantages of these two fundamental techniques and introduce a lightweight packet marking(LPM) scheme which uses autonomous system number and router ID number as packet marking information.By reloading the offset filed of IP header we obtain more available marking space.Simulation result shows that the LPM scheme is easy to implement and achieves good outcomes in convergence time,false alarm rate and computational overhead.

Hongcheng Tian,Jun Bi,Xiaoke Jiang,Wei Zhang

DOI: https://doi.org/10.1109/internet.2010.32

2010-01-01

Abstract:For existing probabilistic marking technologies for IP traceback, such as Probabilistic Packet Marking (PPM), TTL-based Packet Marking (TPM) and Dynamic Probabilistic Packet Marking (DPPM), it is difficult to reconstruct attack path(s) fast and defend against spoofed marks. In this paper, we present Adaptive Probabilistic Marking scheme (APM), where the TTL value of each packet is set to a uniform number at the first-hop router, and each router deduces the distance that each packet has already traveled, and then adaptively marks the packet with the probability inversely proportional to the distance. We theoretically prove that, in APM, the victim requires the fewest packets for a successful traceback, the effect of spoofed marks can be eliminated. NS2 experiments show, in APM, the time for the victim to collect all the obligatory marks for the path reconstruction is reduced by more than 20% compared with existing schemes, and spoofed marks cannot reach the victim.

Yinan Jing,Jingtao Li,Gendu Zhang

DOI: https://doi.org/10.1007/11534310_124

2005-01-01

Abstract:IP traceback is one of the most effective techniques to defeat the denial-of-service attacks and distributed denial-of-service attacks. And in terms of previous research fruits, the technique based on probabilistic packet marking (PPM) has been proven that it has more advantages than other IP traceback techniques. In this paper, we present a hierarchical IP traceback system, which is more practical and can be implemented and deployed more conveniently and securely than previous end-host schemes. We also present an improved edge marking algorithm called adaptive edge marking scheme (AEMS), which not only can shorten the convergence time, but also be more stable and robust. And detailed theoretical analysis and simulation results have also been presented to show the advantage and efficiency of this scheme.

Hai-Xin Duan,Jian-Ping Wu

DOI: https://doi.org/10.1109/ICITA.2005.158

2005-01-01

Abstract:In this paper we present a new model ERPPM for providing traceback information in IP packets, which marking the packet with a dynamic optimal marking probability to ensure that the victim receives all the marked packets with equal probability, which can greatly reduce the number of packets needed to reconstruct the attacking path.

Hongcheng Tian,Jun Bi,Xiaoke Jiang

DOI: https://doi.org/10.1007/s13119-012-0007-x

2012-01-01

Networking Science

Abstract:IP traceback can be used to find direct generator(s) and path(s) of attacking traffic. Probabilistic marking schemes, as one type of IP traceback technologies, have been most studied, but they are difficult to fast reconstruct attacking path(s) and defend against spoofed marks generated by attacking source(s). In this paper, we present Adaptive Probabilistic Marking scheme (APM). In APM, when each packet enters the first-hop router, its TTL value is set to a uniform value, and when it is forwarded by routers in the network, each intermediate router decreases the TTL value by one. Consequently, each intermediate router may infer the router-level hop number that each packet has already traveled, and then correspondingly marks the packet with the probability inversely proportional to the router-level hop number. APM is focused on the probability with which a router marks a packet, and APM can cooperate with other probabilistic marking schemes. NS2 simulation experiments prove that, in APM, the time for the victim to receive necessary marks for the path reconstruction is reduced by more than 20% compared with existing probabilistic marking schemes, and spoofed marks cannot reach the victim and influence the traceback process.

Yinan Jing,Peng Tu,Xueping Wang,Gendu Zhang

DOI: https://doi.org/10.1109/CIT.2005.99

2005-01-01

Abstract:IP traceback is one of the most effective techniques to defeat the denial-of-service attacks and distributed denial-of-service attacks. And based on previous research, available probabilistic packet marking (PPM) schemes have more advantages than other IP traceback techniques. But the traditional schemes have too low marking packets utilization. In this paper, a new distributed-log-based scheme (DLS), which combines PPM and logging techniques, is proposed to utilize marking packets sufficiently. And, theoretical analysis and simulation results have proven that this scheme can converge more quickly than others. Based on this scheme the origin of an attack path can be traced by only several packets. Moreover, a MACenhanced hierarchical IP traceback system (HITS) is proposed to supply a gap of end-host schemes. We believe that MAC-enhanced HITS can be deployed and managed more conveniently and securely than endhost schemes. And the traceback results educed by it are more credible and authoritative.

CL Huang,M Li,JH Yang,CS Gao

DOI: https://doi.org/10.1109/wcnm.2005.1544263

2005-01-01

Abstract:Due to the fact that IP spoofing technique is frequently used, defending distributed denial of service (DDoS) attacks faces extreme difficulty. Recently, several approaches have been proposed for path identification to trace DDoS attacks. However, most of these schemes require very large number of packets to conduct the traceback process, which results in lengthy and complicated procedure. This paper proposes a novel DDoS traceback scheme based on real-time consideration by dividing the tracing process into two steps. In the first step, probabilistic packet marking (PPM) based on autonomous system (AS) (ASPPM) is adopted to determine the attack-originating AS. In the second step, random number packet marking (RNPM) is used to identify the exact origin of the attacks in the specific AS. Compared with previous schemes, the two-step traceback scheme has the benefits of quick convergence speed, light computational overhead and low false positive, hence making it possible to trace the DDoS source on a real-time basis.

HT Tian,LS Huang,YF Lei,GL Chen

DOI: https://doi.org/10.1109/pdcat.2003.1236285

2003-01-01

Abstract:The problem of identifying the sources of a denial of service attack is among the hardest in the Internet security area, since attackers often use spoofed source IP addresses. We present a new scheme called MAC-based probabilistic packet marking (MPPM) for IP traceback under DoS attack. A router marks the packets stochastically with fragments of an edge composed of itself and the next hop router. Message authentication code (MAC) is used to link and authenticate fragments of routers' addresses in the marked attack packets. The main advantage of MPPM over known PPM schemes includes less attack packets required to converge, linear computation overhead and more precision. Moreover the optional authentication mechanism provides robustness against faked marks. MPPM also features low router cost and supports incremental deployment.

Changlai Huang,Ming Li,Chuanshan Gao

DOI: https://doi.org/10.1109/csie.2009.96

2009-01-01

Abstract:IP traceback is a critical ability for identifying sources of attacks and instituting protection measures for the Internet. Like any countermeasures for DDoS attack, a well-designed scheme requires tracebacking system to react to spot it in real-time. This paper proposes a novel traceback scheme based on autonomous system (AS) marking. We break down the tracing procedure into intra-AS and inter-AS phases by embedding the marking information IP header with the AS number and AS’s border router ID. Compared with traditional schemes, the advantages of our approach include quick convergence, light computation overhead as well as without the leakage of sensitive information.

Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

JING Yi-nan,WANG Xue-ping,XIAO Xiao-chun,ZHANG Gen-du

DOI: https://doi.org/10.1049/cp:20061579

2006-01-01

Abstract:Distributed denial-of-service attack is one of the major threats to Internet currently.IP traceback is a technique to trace back the attack sources in presence of IP spoofing,and plays a key role in defense for DDoS attacks.Compared with other IP traceback techniques,the probabilistic packet marking (PPM) scheme has more advantages.However,because of low marking information utilization,its traceback speed is still too slow.In order to traceback attackers as quickly as possible,a logless fast IP traceback (LFIT) scheme is proposed,which uses a few router storage space and in-band channel to improve the marking information utilization. Simulation results show that it has two distinct advantages,namely faster traceback speed and little router and network overhead.

Feng Yang,Xuehai Zhou,Qjyuan Zhang,Jing Xie

DOI: https://doi.org/10.1109/ccnc08.2007.157

2008-01-01

Abstract:False data injection is a big threat to sensor networks. A traceback mechanism based on probabilistic packet marking is proposed in this paper. The performance of the basic marking method is thoroughly studied. There is a defect in the basic marking method that upstream nodes' marks are collected by the sink with low probability. To solve the problem, two different improved marking methods-EPPM&EPNM-are proposed. Every node's marking is collected by the sink with approximately equal probability in EPPM. The sink can locate every node by collecting packets of approximately equal number in EPNM.

Yinan Jing,Jingtao Li,Xueping Wang,Xiaochun Xiao,Gendu Zhang

DOI: https://doi.org/10.1109/aina.2006.22

2006-01-01

Abstract:Distributed denial-of-service attacks have become the major threat to Internet today. IP traceback is one of the most effective techniques to defeat these attacks by identifying attack sources even in the presence of IP spoofing. Because of low marking packet utilization, the convergence time of traditional probabilistic packet marking (PPM) schemes is still too long. In order to shorten the convergence time, a distributedlog- based IP traceback scheme is proposed. Theoretical analysis and simulation results show that this scheme not only can converge more quickly than previous PPM schemes, but also has much less log overhead than other log-based schemes.

刘正蓝,朱淼良,董亚波

2004-01-01

Abstract:Researchers found unfairness in DiffServ network. To solve this problem, a TSW-based marker is proposed, which is called TCP-friendly fair packet marking algorithm (TFPM). With this marker, proportional fair sharing of excess bandwidth among aggregate can be achieved, and so the better fairness between TCP and UDP flows in an aggregate. The validation of this marking algorithm through simulation experimentation is made, and the simulation result is compared with some other marking algorithms, which verifies that the TFPM algorithm has better fairness than other algorithms.

Yinan Jing,Qiang Jiang,Xiaochun Xiao,Xueping Wang

DOI: https://doi.org/10.4236/cn.2013.53b2088

2013-01-01

Communications and Network

Abstract:Due to constrained resources, DDoS attack is one of the biggest threats to MANET.IP traceback technique is useful to defend against such type of attacks, since it can identify the attack sources.Several types of traceback schemes have been proposed for wired networks.Among all the existing schemes, probabilistic packet marking (PPM) scheme might be the most promising scheme for MANET.However its performance in MANET is not as good as that in Internet.In this paper, a new scheme based on the coding technique (CT) is proposed for traceback in MANET.Furthermore, a new idea of Incremental traceback is raised to cope with the situation of incremental attack (ICT).We present the protocol design and conduct theoretical analysis of this scheme.Additionally, we conduct experiments to compare it with the traditional PPM scheme.The experimental results show that the new coding-based traceback scheme outperforms the PPM scheme in MANET.

Yinan Jing,Xueping Wang,Lili Zhang,Gendu Zhang

DOI: https://doi.org/10.1109/glocom.2011.6133795

2011-01-01

Abstract:Traceback technique is useful to identify the source of an attack. Several types of traceback schemes have been proposed for wired networks. But most of them are not suitable for mobile ad hoc networks (MANETs) due to limited resource and dynamically-changing topology. Among all of existing schemes, probabilistic packet marking (PPM) scheme might be the most promising scheme for MANET because it is more lightweight than others. However, it is difficult for PPM scheme to converge quickly in MANET, since it relies on the assumption of static topology that does not hold in MANET due to dynamic topology. In this paper, we propose a traceable overlay network with relative stable topology support for traceback based on identity replacement mechanism. We present the protocol design and experiments. The experiment results show that our approach can get a much more stable topology for traceback and better traceback performance in MANET.

Jiashuo Yu,Long Huang,Longlong Zhu,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/ISCC58397.2023.10218304

2023-01-01

Abstract:Packet classification is an essential part of computer networks. Existing algorithms propose a partition process to address the memory explosion problem of the decision tree algorithm caused by the huge number of rules with multiple fields. However, the search process requires traversing multiple trees generated by the partition, which reduces the search efficiency. The existing algorithms take simple approaches to optimize the search process, which is low efficiency or high hardware overhead. In this paper, we propose DTRadar, a framework for expediting the decision tree packet lookup process. Its key idea is building an abstract One-Big-Tree(OBT) for multiple decision trees by establishing the middle data structure. DTRadar considers each decision tree as a splittable tree and organizes these subtrees by intermediate data structures. Extensive experiments show that DTRadar benefits existing decision tree-based solutions in classification time by 61.60%, and the memory footprint only increased by 4.21% on average.

Peter Hillmann,Frank Tietze,Gabi Dreo Rodosek

DOI: https://doi.org/10.1515/pik-2015-0010

2024-06-17

Abstract:The identification of the exact path that packets are routed in the network is quite a challenge. This paper presents a novel, efficient traceback strategy in combination with a defence system against distributed denial of service (DDoS) attacks named Tracemax. A single packets can be directly traced over many more hops than the current existing techniques allow. It let good connections pass while bad ones get thwarted. Initiated by the victim the routers in the network cooperate in tracing and become automatically self-organised and self-managed. The novel concept support analyses of packet flows and transmission paths in a network infrastructure. It can effectively reduce the effect of common bandwidth and resource consumption attacks and foster in addition early warning and prevention.

Networking and Internet Architecture,Distributed, Parallel, and Cluster Computing