A defense system against DDoS attacks by large-scale IP traceback

In this paper, we present a new approach, called Flexible Deterministic Packet Marking (FDPM), to perform a large-scale IP traceback to defend against Distributed Denial of Service (DDoS) attacks. In a DDoS attack the victim host or network is usually attacked by a large number of spoofed IP packets coming from multiple sources. IP traceback is the ability to trace the IP packets to their sources without relying on the source address field of the IP header. FDPM provides many flexible features to trace the IP packets and can obtain better tracing capability than current IP traceback mechanisms, such as Probabilistic Packet Marking (PPM), and Deterministic Packet Marking (DPM). The flexibilities of FDPM are in two ways, one is that it can adjust the length of marking field according to the network protocols deployed; the other is that it can adjust the marking rate according to the load of participating routers. The implementation and evaluation demonstrates that the FDPM needs moderately only a small number of packets to complete the traceback process; and can successfully perform a large-scale IP traceback, for example, trace up to 110,000 sources in a single incident response. It has a built-in overload prevention mechanism, therefore this scheme can perform a good traceback process even it is heavily loaded.

Topology based packet marking for IP traceback

IP source address spoofing exploits a fundamental weakness in the Internet Protocol. It is exploited in many types of network-based attacks such as session hijacking and Denial of Service (DoS). Ingress and egress filtering is aimed at preventing IP spoofing. Techniques such as History based filtering are being used during DoS attacks to filter out attack packets. Packet marking techniques are being used to trace IP packets to a point that is close as possible to their actual source. Present IP spoofing  countermeasures are hindered by compatibility issues between IPv4 and IPv6, implementation issues and their effectiveness under different types of attacks. We propose a topology based packet marking method that builds on the flexibility of packet marking as an IP trace back method while overcoming most of the shortcomings of present packet marking techniques.

Protecting web services with service oriented traceback architecture

Service oriented architecture (SOA) is a way of reorganizing software infrastructure into a set of service abstracts. In the area of applying SOA to Web service security, there have been some well defined security dimensions. However, current Web security systems, like WS-Security are not efficient enough to handle distributed denial of service (DDoS) attacks. Our new approach, service oriented traceback architecture (SOTA), provides a framework to be able to identify the source of an attack. This is accomplished by deploying our defence system at distributed routers, in order to examine the incoming SOAP messages and place our own SOAP header. By this method, we can then use the new SOAP header information, to traceback through the network the source of the attack. According to our experimental performance evaluations, we find that SOTA is quite scaleable, simple and quite effective at identifying the source.

Flexible deterministic packet marking: an IP traceback system to find the real source of attacks

Internet Protocol (IP) traceback is the enabling technology to control Internet crime. In this paper, we present a novel and practical IP traceback system called Flexible Deterministic Packet Marking (FDPM) which provides a defense system with the ability to find out the real sources of attacking packets that traverse through the network. While a number of other traceback schemes exist, FDPM provides innovative features to trace the source of IP packets and can obtain better tracing capability than others. In particular, FDPM adopts a flexible mark length strategy to make it compatible to different network environments; it also adaptively changes its marking rate according to the load of the participating router by a flexible flow-based marking scheme. Evaluations on both simulation and real system implementation demonstrate that FDPM requires a moderately small number of packets to complete the traceback process; add little additional load to routers and can trace a large number of sources in one traceback process with low false positive rates. The built-in overload prevention mechanism makes this system capable of achieving a satisfactory traceback result even when the router is heavily loaded. The motivation of this traceback system is from DDoS defense. It has been used to not only trace DDoS attacking packets but also enhance filtering attacking traffic. It has a wide array of applications for other security systems.

Traceback of DDoS attacks using entropy variations

Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. However, the memoryless feature of the Internet routing mechanisms makes it extremely hard to trace back to the source of these attacks. As a result, there is no effective and efficient method to deal with this issue so far. In this paper, we propose a novel traceback method for DDoS attacks that is based on entropy variations between normal and DDoS attack traffic, which is fundamentally different from commonly used packet marking techniques. In comparison to the existing DDoS traceback methods, the proposed strategy possesses a number of advantagesit is memory nonintensive, efficiently scalable, robust against packet pollution, and independent of attack traffic patterns. The results of extensive experimental and simulation studies are presented to demonstrate the effectiveness and efficiency of the proposed method. Our experiments show that accurate traceback is possible within 20 seconds (approximately) in a large-scale attack network with thousands of zombies.

A dynamical deterministic packet marking scheme for DDoS traceback

DDoS attack source traceback is an open and challenging problem. Deterministic packet marking (DPM) is a simple and relatively effective traceback scheme among the available traceback methods. However, the existing DPM schemes inheret a critical drawback of scalability in tracing all possible attack sources, which roots at their static mark encoding and attempt to mark all Internet routers for their traceback purpose. We find that a DDoS attack session usually involves a limited number of attack sources, e.g. at the thousand level. In order to achieve the traceback goal, we only need to mark these attack related routers. We therefore propose a novel Marking on Demand (MOD) scheme based on the DPM mechanism to dynamical distribute marking IDs in both temporal and space dimensions. The proposed MOD scheme can traceback to all possible sources of DDoS attacks, which is not possible for the existing DPM schemes. We thoroughly compare the proposed MOD scheme with two dominant DPM schemes through theoretical analysis and experiments. The the results demonstrate that the MOD scheme outperforms the existing DPM schemes. © 2013 IEEE.

An effective and feasible traceback scheme in mobile internet environment

Around one billion people access the Internet using their mobile phones today, and many of the mobile phones are prone to be compromised by hackers due to their inherited vulnerability. It is critical to identify these compromised mobile phones to effectively eliminate cyber attacks. However, we see few research works in the field. In order to address this desperate situation, we design a practical traceback framework to identify active compromised mobiles in the mobile Internet environment in this letter. In the proposed framework, we creatively use the IMEI number of mobile hardware as unique marks for the traceback purpose. Two-layer traceback tables are designed to collect global attack information and identify local attacking bots, respectively. Our analysis and simulation demonstrate that the proposed traceback method is effective and feasible, and it can identify every possible attacking mobile in the current mobile Internet environment with single packet marking.

Phishing detection and traceback mechanism

 Isredza Rahmi A Hamid’s thesis entitled Phishing Detection and Trackback Mechanism. The thesis investigates detection of phishing attacks through email, novel method to profile the attacker and tracking the attack back to the origin.

Catabolism attack and anabolism defense: a novel attack and traceback mechanism in opportunistic networks

Security is a major challenge in Opportunistic Networks (OppNets) because of its characteristics, such as open medium, dynamic topology, no centralized management and absent clear lines of defense.A packet dropping attack is one of the major security threats in OppNets since neither source nodes nor destination nodes have the knowledge of where or when the packet will be dropped. In this paper, we present a novel attack and traceback mechanism against a special type of packet dropping where the malicious node drops one or more packets and then injects new fake packets instead. We call this novel attack a Catabolism Attack and we call our novel traceback mechanism against this attack Anabolism Defense. Our novel detection and traceback mechanism is very powerful and has very high accuracy. Each node can detect and then traceback the malicious nodes based on a solid and powerful idea that is, hash chain techniques. In our defense techniques we have two stages. The first stage is to detect the attack, and the second stage is to find the malicious nodes. Simulation results show this robust mechanism achieves a very high accuracy and detection rate.

Malicious node traceback in opportunistic networks using merkle trees

Security is a major challenge in Opportunistic Networks because of its characteristics, such as open medium, dynamic topology, no centralized management and absent clear lines of defense. A packet dropping attack is one of the major security threats in OppNets since neither source nodes nor destination nodes have the knowledge of where or when the packet will be dropped. In this paper, we present a malicious nodes detection mechanism against a special type of packet dropping attack where the malicious node drops one or more packets and then injects new fake packets instead. Our novel detection and traceback mechanism is very powerful and has very high accuracy. Each node can detect and then traceback the malicious nodes based on a solid and powerful idea that is, Merkle tree hashing technique. In our defense techniques we have two stages. The first stage is to detect the attack, and the second stage is to find the malicious nodes. We have compared our approach with the acknowledgement based mechanisms and the networks coding based mechanism which are well known approaches in the literature. Simulation results show this robust mechanism achieves a very high accuracy and detection rate.

A feasible IP traceback framework through dynamic deterministic packet marking

DDoS attack source traceback is an open and challenging problem. Deterministic packet marking (DPM) is a simple and effective traceback mechanism, but the current DPM based traceback schemes are not practical due to their scalability constraint. We noticed a factor that only a limited number of computers and routers are involved in an attack session. Therefore, we only need to mark these involved nodes for traceback purpose, rather than marking every node of the Internet as the existing schemes doing. Based on this finding, we propose a novel marking on demand (MOD) traceback scheme based on the DPM mechanism. In order to traceback to involved attack source, what we need to do is to mark these involved ingress routers using the traditional DPM strategy. Similar to existing schemes, we require participated routers to install a traffic monitor. When a monitor notices a surge of suspicious network flows, it will request a unique mark from a globally shared MOD server, and mark the suspicious flows with the unique marks. At the same time, the MOD server records the information of the marks and their related requesting IP addresses. Once a DDoS attack is confirmed, the victim can obtain the attack sources by requesting the MOD server with the marks extracted from attack packets. Moreover, we use the marking space in a round-robin style, which essentially addresses the scalability problem of the existing DPM based traceback schemes. We establish a mathematical model for the proposed traceback scheme, and thoroughly analyze the system. Theoretical analysis and extensive real-world data experiments demonstrate that the proposed traceback method is feasible and effective.

Defense and traceback mechanisms in opportunistic wireless networks

 In this thesis, we have identified a novel attack in OppNets, a special type of packet dropping attack where the malicious node(s) drops one or more packets (not all the packets) and then injects new fake packets instead. We name this novel attack as the Catabolism attack and propose a novel attack detection and traceback approach against this attack referred to as the Anabolism defence. As part of the Anabolism defence approach we have proposed three techniques: time-based, Merkle tree based and Hash chain based techniques for attack detection and malicious node(s) traceback. We provide mathematical models that show our novel detection and traceback mechanisms to be very effective and detailed simulation results show our defence mechanisms to achieve a very high accuracy and detection rate.

Mobile agent based TCP attacker identification in MANET using the traffic history (MAITH)

TCP attacks are the major problem faced by Mobile Ad hoc Networks (MANETs) due to its limited network and host resources. Attacker traceback is a promising solution which allows a victim to identify the exact location of the attacker and hence enables the victim to take proper countermeasure near attack origins, for forensics and to discourage attackers from launching the attacks. However, attacker traceback in MANET is a challenging problem due to dynamic network topology, limited network and host resources such as memory, bandwidth and battery life. We introduce a novel method of TCP attacker Identification in MANET using the Traffic History - MAITH. Based on the comprehensive evaluation based on simulations, we showed that MAITH can successfully track down the attacker under diverse mobile multi-hop network environment with low communication, computation, and memory overhead.

Generalized distributive law for ML decoding of STBCs: further results

The problem of designing good Space-Time Block Codes (STBCs) with low maximum-likelihood (ML) decoding complexity has gathered much attention in the literature. All the known low ML decoding complexity techniques utilize the same approach of exploiting either the multigroup decodable or the fast-decodable (conditionally multigroup decodable) structure of a code. We refer to this well known technique of decoding STBCs as Conditional ML (CML) decoding. In [1], we introduced a framework to construct ML decoders for STBCs based on the Generalized Distributive Law (GDL) and the Factor-graph based Sum-Product Algorithm, and showed that for two specific families of STBCs, the Toepltiz codes and the Overlapped Alamouti Codes (OACs), the GDL based ML decoders have strictly less complexity than the CML decoders. In this paper, we introduce a `traceback' step to the GDL decoding algorithm of STBCs, which enables roughly 4 times reduction in the complexity of the GDL decoders proposed in [1]. Utilizing this complexity reduction from `traceback', we then show that for any STBC (not just the Toeplitz and Overlapped Alamouti Codes), the GDL decoding complexity is strictly less than the CML decoding complexity. For instance, for any STBC obtained from Cyclic Division Algebras that is not multigroup or conditionally multigroup decodable, the GDL decoder provides approximately 12 times reduction in complexity compared to the CML decoder. Similarly, for the Golden code, which is conditionally multigroup decodable, the GDL decoder is only about half as complex as the CML decoder.