A defense system against DDoS attacks by large-scale IP traceback

In this paper, we present a new approach, called Flexible Deterministic Packet Marking (FDPM), to perform a large-scale IP traceback to defend against Distributed Denial of Service (DDoS) attacks. In a DDoS attack the victim host or network is usually attacked by a large number of spoofed IP packets coming from multiple sources. IP traceback is the ability to trace the IP packets to their sources without relying on the source address field of the IP header. FDPM provides many flexible features to trace the IP packets and can obtain better tracing capability than current IP traceback mechanisms, such as Probabilistic Packet Marking (PPM), and Deterministic Packet Marking (DPM). The flexibilities of FDPM are in two ways, one is that it can adjust the length of marking field according to the network protocols deployed; the other is that it can adjust the marking rate according to the load of participating routers. The implementation and evaluation demonstrates that the FDPM needs moderately only a small number of packets to complete the traceback process; and can successfully perform a large-scale IP traceback, for example, trace up to 110,000 sources in a single incident response. It has a built-in overload prevention mechanism, therefore this scheme can perform a good traceback process even it is heavily loaded.

Topology based packet marking for IP traceback

IP source address spoofing exploits a fundamental weakness in the Internet Protocol. It is exploited in many types of network-based attacks such as session hijacking and Denial of Service (DoS). Ingress and egress filtering is aimed at preventing IP spoofing. Techniques such as History based filtering are being used during DoS attacks to filter out attack packets. Packet marking techniques are being used to trace IP packets to a point that is close as possible to their actual source. Present IP spoofing  countermeasures are hindered by compatibility issues between IPv4 and IPv6, implementation issues and their effectiveness under different types of attacks. We propose a topology based packet marking method that builds on the flexibility of packet marking as an IP trace back method while overcoming most of the shortcomings of present packet marking techniques.

Flexible deterministic packet marking: an IP traceback system to find the real source of attacks

Internet Protocol (IP) traceback is the enabling technology to control Internet crime. In this paper, we present a novel and practical IP traceback system called Flexible Deterministic Packet Marking (FDPM) which provides a defense system with the ability to find out the real sources of attacking packets that traverse through the network. While a number of other traceback schemes exist, FDPM provides innovative features to trace the source of IP packets and can obtain better tracing capability than others. In particular, FDPM adopts a flexible mark length strategy to make it compatible to different network environments; it also adaptively changes its marking rate according to the load of the participating router by a flexible flow-based marking scheme. Evaluations on both simulation and real system implementation demonstrate that FDPM requires a moderately small number of packets to complete the traceback process; add little additional load to routers and can trace a large number of sources in one traceback process with low false positive rates. The built-in overload prevention mechanism makes this system capable of achieving a satisfactory traceback result even when the router is heavily loaded. The motivation of this traceback system is from DDoS defense. It has been used to not only trace DDoS attacking packets but also enhance filtering attacking traffic. It has a wide array of applications for other security systems.

A feasible IP traceback framework through dynamic deterministic packet marking

DDoS attack source traceback is an open and challenging problem. Deterministic packet marking (DPM) is a simple and effective traceback mechanism, but the current DPM based traceback schemes are not practical due to their scalability constraint. We noticed a factor that only a limited number of computers and routers are involved in an attack session. Therefore, we only need to mark these involved nodes for traceback purpose, rather than marking every node of the Internet as the existing schemes doing. Based on this finding, we propose a novel marking on demand (MOD) traceback scheme based on the DPM mechanism. In order to traceback to involved attack source, what we need to do is to mark these involved ingress routers using the traditional DPM strategy. Similar to existing schemes, we require participated routers to install a traffic monitor. When a monitor notices a surge of suspicious network flows, it will request a unique mark from a globally shared MOD server, and mark the suspicious flows with the unique marks. At the same time, the MOD server records the information of the marks and their related requesting IP addresses. Once a DDoS attack is confirmed, the victim can obtain the attack sources by requesting the MOD server with the marks extracted from attack packets. Moreover, we use the marking space in a round-robin style, which essentially addresses the scalability problem of the existing DPM based traceback schemes. We establish a mathematical model for the proposed traceback scheme, and thoroughly analyze the system. Theoretical analysis and extensive real-world data experiments demonstrate that the proposed traceback method is feasible and effective.

用于IP追踪的包标记的注记

拒绝服务攻击是一类最难对付的网络安全问题.近来,人们提出了多种对策.其中由Savage等人提出的一类基于概率的包标记方案比较有研究价值.这里先对拒绝服务攻击的对策作一简述,然后分析了几种包标记方案,指出了它们的一些缺陷,并提出了一些改进措施.其中,对基本型概率包标记方案的一个修改使得计算量大大减少.

IP追踪中的自适应包标记

拒绝服务(DoS)攻击是目前最难处理的网络难题之一.最近,研究人员针对DoS攻击提出了多种方案,这些方案都各有优缺点.其中,由Savage等人提出的概率包标记方案受到了广泛的重视,也有不少的变种出现.在这一类的标记方案中,路由器以固定的概率选择是否标记一个数据包,这导致受害需要较多的数据包进行攻击路径的重构.本文提出一种自适应的标记策略,经实验验证受害者用较少的数据包即可重构攻击路径,这不仅为受害者及早地响应攻击争取了更多的时间,还限制了攻击者的伪造能力.

基于有序标记的IP包追踪方案

包标记方案是一种针对DoS攻击提出的数据包追踪方案，由于其具有响应时间快、占用资源少的特点，近年来受到了研究者的广泛关注．但由于包标记方案标记过程的随机性，使得受害者进行路径重构时所需收到的数据包数目大大超过了进行重构所必需收到的最小数据包数目，从而导致重构误报率的提高和响应时间的增长．本文提出了一种基于有序标记的IP包追踪方案，该方案通过存储每个目标IP地址的标记状态，对包标记的分片进行有序发送，使得在DoS发生时，受害者重构路径所需收到的标记包的数目大大降低，从而提高了对DoS攻击的响应时间和追踪准确度．该算法的提出进一步提高了包标记方案在实际应用中的可行性．

一种分块包标记的IP追踪方案

DDoS攻击以其高发性、高破坏力和难以防范的特点，近年来成为互联网的主要安全威胁之一．研究者们提出了多种对抗DDoS攻击的方法．：乓中，Savage等人提出的概率包标记方案以其易于实施、消耗资源小等优点，引起人们的重视．然而概率包标记方案存在两个明显缺陷：多攻击路径重构时的高误报率和高计算复杂度．在概率包标记的基础上，提出了一种分块包标记方案，该方案与概率包标记方案相比具有较低的误报率和较低的计算复杂度，因而具有更高的实际应用意义．

IP spoofing attack and its countermeasures

IP spoofing is a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. It causes serious security problem in the cyber world, and is currently exploited widely in the information warfare. This paper at first introduces the IP spoofing attack through examples, technical issues and attacking types. Later its countermeasures are analysed in detail, which include authentication and encription, filtering and IP traceback. In particular, an IP traceback mechanism, Flexible Deterministic Packet Marking (FDPM) is presented. Since the IP spoofing problem can not be solved only by technology, but it also needs social regulation, the legal issues and economic impact are discussed in the later part.

Traceback of DDoS attacks using entropy variations

Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. However, the memoryless feature of the Internet routing mechanisms makes it extremely hard to trace back to the source of these attacks. As a result, there is no effective and efficient method to deal with this issue so far. In this paper, we propose a novel traceback method for DDoS attacks that is based on entropy variations between normal and DDoS attack traffic, which is fundamentally different from commonly used packet marking techniques. In comparison to the existing DDoS traceback methods, the proposed strategy possesses a number of advantagesit is memory nonintensive, efficiently scalable, robust against packet pollution, and independent of attack traffic patterns. The results of extensive experimental and simulation studies are presented to demonstrate the effectiveness and efficiency of the proposed method. Our experiments show that accurate traceback is possible within 20 seconds (approximately) in a large-scale attack network with thousands of zombies.

Mark-aided distributed filtering by using neural network for DDoS defense

Currently Distributed Denial of Service (DDoS) attacks have been identified as one of the most serious problems on the Internet. The aim of DDoS attacks is to prevent legitimate users from accessing desired resources, such as network bandwidth. Hence the immediate task of DDoS defense is to provide as much resources as possible to legitimate users when there is an attack. Unfortunately most current defense approaches can not efficiently detect and filter out attack traffic. Our approach is to find the network anomalies by using neural network, deploy the system at distributed routers, identify the attack packets, and then filter them. The marks in the IP header that are generated by a group of IP traceback schemes, Deterministic Packet Marking (DPM)/Flexible Deterministic Packet Marking (FDPM), assist this process of identifying attack packets. The experimental results show that this approach can be used to defend against both intensive and subtle DDoS attacks, and can catch DDoS attacks’ characteristic of starting from multiple sources to a single victim. According to results, we find the marks in IP headers can enhance the sensitivity and accuracy of detection, thus improve the legitimate traffic throughput and reduce attack traffic throughput. Therefore, it can perform well in filtering DDoS attack traffic precisely and effectively.

Detecting and tracing DDoS attacks by intelligent decision prototype

Over the last couple of months a large number of distributed denial of service (DDoS) attacks have occurred across the world, especially targeting those who provide Web services. IP traceback, a counter measure against DDoS, is the ability to trace IP packets back to the true source/s of the attack. In this paper, an IP traceback scheme using a machine learning technique called intelligent decision prototype (IDP), is proposed. IDP can be used on both probabilistic packet marking (PPM) and deterministic packet marking (DPM) traceback schemes to identify DDoS attacks. This will greatly reduce the packets that are marked and in effect make the system more efficient and effective at tracing the source of an attack compared with other methods. IDP can be applied to many security systems such as data mining, forensic analysis, intrusion detection systems (IDS) and DDoS defense systems.

New developments in network forensics - tools and techniques

Network forensics is a branch of digital forensics which has evolved recently as a very important discipline used in monitoring and analysing network traffic-particularly for the purposes of tracing intrusions and attacks. This paper presents an analysis of the tools and techniques used in network forensic analysis. It further examines the application of network forensics to vital areas such as malware and network attack detection; IP traceback and honeypots; and intrusion detection. Further, the paper addresses new and emerging areas of network forensic development which include critical infrastructure forensics, wireless network forensics, as well as its application to social networking. © 2012 IEEE.