Taxonomy of IP Traceback


Journal of Information Assurance and Security 1 (2006)

Taxonomy of IP Traceback

Lakshmi Santhanam 1, Anup Kumar 2 and Dharma P. Agrawal 1

1 OBR Center for Distributed and Mobile Computing, Department of ECECS, University of Cincinnati, {santhal,dpa}@ececs.uc.edu

2 Mobile Information Network and Distributed Systems (MINDS) Lab, Department of ECECS, University of Louisville, Louisville, KY, ak@louisville.edu

Abstract: The internet is constantly plagued with various kinds of security threats, amongst which Denial of Service (DoS) constitutes a huge umbrella of potent attacks. It is very important to understand the intricacies constituting these attacks and the counter-mechanisms that exist in the literature. The best antidote to these attacks would be to fix the problem at its root by identifying the source of the attacks. The technique of traceback performs such a forensic analysis of internet traffic. In this paper, we classify and analyze various existing traceback schemes in detail. We provide a comprehensive comparison of these schemes in terms of various performance metrics. A thorough study of these schemes is very useful in exploring potential areas of future research.

Keywords: Traceback, DoS attacks, Reactive, Pro-active, Spoofing, Out-of-band and In-band.

1. Introduction

As the use of e-commerce and dot-coms continues to expand into various spheres of life, security breaches in these systems are expanding correspondingly. The DoS attack poses a potent threat to internet security, primarily because it can be launched easily and can go untraced. A malicious intruder can deplete system resources by overwhelming a system with excess unwanted traffic, which can result in a dysfunctional network or a disabled web server. The distributed DoS (DDoS) attack is more deviant, as the attack is launched synchronously from multiple locations and is so massive that it is harder to detect and stop.
DoS attacks entail huge financial losses for companies which depend solely on the internet for their business. Some popular websites like Yahoo and Amazon were crippled in a major DoS attack in February. Similarly, a more serious attack in October 2002 was targeted at the DNS root servers [1]. There are multitudes of DoS attacks varying in their degree of sophistication and level of impact [2]. Some of the common forms of DoS attack discussed here are buffer overflow attacks, the SYN attack, the Teardrop attack and Smurf attacks. The SYN attacker misuses TCP's 3-way handshake mechanism by opening many bogus connections with the server and then refusing to send the TCP ACK. This exhausts the resources of the server. In the Teardrop attack, the attacker exploits the fragmentation process at a router: when a router receives a large packet it can't handle, the attacker inserts an incorrect offset in the subsequent fragment, causing improper reassembly. Smurf, a more sophisticated kind of attack, involves an attacker spoofing the victim node's address and sending ping echo requests to a large number of innocent hosts. These nodes in turn unknowingly flood the network by responding to the victim node. The baseline of many DoS defense mechanisms includes route based packet filtering and distributed attack detection. The defense mechanisms collaboratively identify any deviant behavior in the traffic measurements and take immediate remedial steps to curb the attack. Ingress filtering is a popular preventive scheme followed by ISP managers to squelch DoS attacks [3]. But it is not pragmatic to implement it on all internet interfaces, as it requires a large degree of cooperation between ISPs. A complete taxonomy of DoS attacks and existing defense mechanisms is discussed in [4].
The best possible defense against DoS attacks lies not only in taking preventive measures but also in identifying the true origin of the attacker and in blocking further occurrences of such incidents. This boils down to the problem of IP traceback. The IP traceback problem involves identifying the actual source of a packet across the Internet. It is, however, a tough and challenging problem due to the rampant spoofing of packet source addresses by attackers. Attackers, who in general enjoy their anonymity, can now be implicated by traceback and penalized for their malicious acts. As the identity of an attacker could be exposed by traceback, the attacker would think twice before performing a DoS attack. Traceback also helps in a better implementation of filtering rules, as counter-measures can be taken near the originating point of the attacks. As per the yearly survey conducted by the Computer Security Institute (CSI) [1], cyber crime is on a downward trend, indicating better adoption and implementation of security tools. In the year 2001, 90% of the companies experienced a DoS attack, while in 2005 the number tumbled down to a meager 50%. This is a good indicator of the development of security schemes. With the wide deployment of traceback schemes and intrusion detection systems, a comprehensive security architecture can be envisioned that would bring this number down even further. The plethora of traceback schemes in the literature [5-14] might make us wonder if the solution to traceback is already complete. But every scheme has its merits and limitations. In this paper, we contrast these schemes. In order to provide a detailed comparison, we have given a characteristic table for each class of traceback approach. While the literature [15-18] gives a broad overview of the popular traceback schemes evaluated against a standard set of parameters, we present various new variants of traceback schemes along with the standard methodologies.
In addition, the paper provides a list of comprehensive research issues on the IP traceback problem.

Received December 27. Dynamic Publishers, Inc.

The rest of the paper is structured as follows. Section 2 discusses the challenges and design issues in traceback schemes. Section 3 gives the topography of our classification scheme at various levels of detail. Section 4 gives a brief discussion of each scheme and analyses its pros and cons as well as its applications. Finally, Section 5 concludes the paper.

2. Challenges and Design Issues of Traceback Schemes

Traceback, universally known as IP traceback, facilitates forensic analysis of packets by tracing the source of a packet. The IP header in every packet contains the source IP address. A simple traceback would look at the source IP address of each packet to obtain the packet's origin. Unfortunately, due to the limited security features in TCP/IP, it is very easy for any attacker to spoof a source address [8][11][17][18][19]. Routing in IP depends only on the destination address, and there is no authority in the internet that validates the source address inscribed in a packet. Due to this stateless nature of the internet's routing mechanism, it becomes incumbent on researchers to design traceback schemes using other guidelines. As a traceback involves tracing the route taken by the packet backwards from the victim node, it might pass through several ISP domains and necessitate inter-domain cooperation. An attacker at one end of the network, responsible for initiating an attack against a distant victim node, could be buried behind several other entities. It depends upon the intelligence of a traceback scheme to identify the true source of the attack. A generalized attack model [20] is shown in Figure 1. It includes all possible disguises an attacker might use, such as a stepping stone, zombie or reflector. A simple attacker could issue packets stamped with a spoofed address.
Apart from forging the source address, a more potent attacker might be masked behind stepping stones, which are compromised hosts that act as laundering agents. Stepping stones are engineered so that they overwrite the source address on outgoing packet headers and also apply some packet transformation to conceal the true origin. Most traceback schemes are capable of tracing only as far as the stepping stone. Stepping stones can be identified only by specialized techniques that look for a causal relationship between packets entering and leaving a host [21]. An attacker can also conduct an attack through a zombie node, by indirectly communicating via stepping stones or by directly installing trojan programs triggered to execute after a certain delay to hide the association. Like a detonating time bomb, a single command from the attacker is later sufficient to start the attack. Last in the chain of disguises used by an attacker is the reflector node. Reflectors are innocent nodes that readily send response packets. A large number of zombie nodes, with their packet source spoofed as the victim's IP address, target a set of reflectors. The innocent reflectors send their responses and cumulatively flood the victim's network. The malicious zombies may initiate TCP SYN flooding: the SYN packets issued by the zombies to a set of reflector nodes carry, as their source address, the spoofed IP address of the victim. The reflectors then send the TCP ACK, the second step in the 3-way handshake mechanism, and create a deluge of packets in the victim's network. The use of reflectors in DDoS attacks greatly complicates conducting any traceback [22].

Figure 1: Generalized Attack model

3. Classification of Traceback Schemes

There are umpteen schemes proposed for traceback in the literature, and they can be classified primarily along two dimensions as reactive and pro-active schemes. Figures 2 and 3 provide a detailed classification of various schemes according to their functionality. The taxonomy of reactive schemes is given in Figure 2. A reactive approach is one that carries out IP traceback on the fly once an attack is detected. In a reactive scheme, traceback is executed in response to an ongoing attack, like a stimulus-response mechanism. It is further classified into IDS assisted and Non-IDS assisted schemes depending upon whether they use an Intrusion Detection System (IDS) in their traceback mechanism. Controlled flooding [8] and Input debugging fall under the category of Non-IDS assisted schemes and need the manual intervention of an operator to conduct the traceback.

Figure 2: Reactive Schemes Classification

Figure 3: Pro-Active Schemes Classification

The IDS assisted schemes can be partitioned into network based and host based schemes. A reactive host based scheme executes the traceback from the victim node, which is entrusted with this duty. Host based schemes fall into either logging or link testing schemes. A logging scheme like Blackhole [23] maintains a log of the suspicious packets in its database for scrutiny. A link testing scheme like [19] performs traceback hop-by-hop at each upstream router, starting from the victim node and working back to the source. A reactive network based scheme is one that is performed using some special infrastructure of the network, like special routers/gateways or firmware installed on routers, and is based on network traffic monitoring [24]. Some network based schemes like IPSec [5], IDIP [25] and CenterTrack [11] use specialized routing mechanisms to conduct traceback, while other schemes like D-WARD [4] and SWT [24] use normal routing.
Figure 3 gives the topology of the pro-active scheme classification. A proactive approach takes a different orientation in pinpointing the source, by proactively recording and logging the traffic packets as they flow through the network. These records are useful indicators for the victim in reconstructing the path to the actual source and provide a timely response on the occurrence of an attack. A pro-active scheme can be divided into two categories depending on whether the trace information is sent as a separate trace packet, referred to as out-of-band, or within the data packet header, known as in-band information. Out-of-band schemes like itrace [7], Intention-driven ICMP [26] and icaddie [27] are all network based schemes where the path information is collected in a separate trace packet. While an out-of-band scheme incurs additional bandwidth overhead due to the deluge of packets sent in the network, an in-band scheme suffers from severe space constraints as the trace payload is carried within the packet. In-band schemes can again be classified into network or host based schemes. In a proactive host based scheme the path information is encoded within the packet by the routers through which the packet passes, and the victim conducts hop-by-hop traceback. The Algebraic approach [10] is one such host based scheme. In a proactive network based approach, the router is actively involved in conducting traceback, either by logging packets as in SPIE [13] or by proactively marking a few or all packets that traverse the network. PPM, DPM, AAM, Adjusted PPM, SNITCH, Huffman code, DDoS SCOUNTER, Randomize and link, and Fast Internet Traceback are all marking schemes in which the router inscribes its initials on the packets flowing through the network.

4. Analysis of Traceback Schemes Based on Evaluation Metrics

This section gives a brief overview of various schemes under different classes.
For each class, we have given a comparison of the underlying features of various traceback approaches.

4.1 Reactive schemes

Non-IDS assisted Reactive Schemes: These schemes are capable of carrying out a traceback without the use of an Intrusion Detection System (IDS).

a. Controlled Flooding

In the traceback proposed by Hal Burch et al. [8], traceback is conducted by a network administrator by judiciously applying bursts of traffic systematically to each link, from the victim to its upstream segment. The manual induction of load is essential for reducing the chances of error. A conclusion on the attack path is drawn based upon the disturbance created in the attack stream. If the attack packets are dropped, this segment lies along the attack path, and its upstream paths are again probed, working backward hop by hop. This sword-like defense works by inducing another DoS on the reverse path and should therefore be used prudently.

b. Input Debugging

It works by using the signature of the attack packets as a distinguishing factor to trace their path backward from the victim to the source [19] [17] [11] [16]. It is a feature available on many routers that helps in determining the incoming link along which the attack packet must have traversed, given its signature. This is repeated hop by hop at every upstream router in the network till the source or another ISP is reached. In the latter case, the subsequent ISP is requested to carry out the task, which necessitates considerable inter-ISP cooperation that might be quite demanding due to political and societal reasons.

Table 1 compares these two approaches based on some important performance metrics. The metrics under consideration are: the number of packets generated during traceback, how much cooperation between ISPs is essential, whether prior knowledge of the network topology is needed to conduct traceback, whether the scheme can be deployed slowly in the network (known as incremental deployment), the capability to trace transformed packets, the number of false positive alarms reported, and misuse of the technique by an attacker.

Table 1: Non-IDS Reactive approaches

Evaluation Metric | Controlled Flooding | Input Debugging
# of packets generated for traceback | Large | Large
ISP cooperation | High degree needed at upstream routers | High
Map of network needed | Yes | No
Support incremental deployment | Yes | Yes
Duration of attack for traceback | Should be long | Should be long
Handling packet transformation | Good | Good
Misuse by attacker | Yes, when the attacker is aware of the technique he can thwart it | Yes, attacker alerted by queries
DDoS handling | No, performs poorly | No
Operation of traceback | Done manually by an administrator | Manually by operator at each ISP
False positives | Large numbers generated during attack reconstruction | Large

Limitations of Non-IDS assisted Reactive Traceback schemes

In both schemes, the traceback needs to be conducted manually by the administrator. The attack must be in progress for a long interval of time before a traceback can be performed.

Open Research Issues in Non-IDS assisted Reactive Traceback schemes

A non-IDS scheme necessitates the supervision of a network administrator to conduct the traceback. This supervision should incorporate a certain amount of automation, especially in examining the traffic logs to determine the attack prone areas. As the community of attackers grows and as the internet expands, the need to mitigate DDoS is on the rise. So traceback schemes should be more adaptable to DDoS attacks.

IDS Assisted Reactive Schemes

These schemes work with the assistance of an IDS, which alerts the system based on certain anomaly detection techniques [28]. As a result, the system responds by conducting a traceback with the help of host/network based schemes.

IDS assisted Reactive Network Based Approaches

The first three schemes employ specialized routing protocols for conducting tracing and the other two approaches use normal routing.

a. CenterTrack

The scheme proposed by R. Stone et al. [11] is a centralized scheme in which a specialized trace router (TR) monitors all the traffic in the network. In this scheme, all the traffic from every edge router is rerouted through a generic routing encapsulation (GRE) tunnel terminating at the TR. Thus all the traffic from ingress to egress router has to pass through the TR. This star-like topology with the TR and edge routers forms an overlay network.
When an attack is detected, the traffic under consideration is routed from the edge router through the TR. The TR uses a signature based intrusion detection scheme to identify the source, which would be at most 2 or 3 hops away from it. It is capable of tracking flows of spurious traffic as in DoS.

b. IPSec Traceback

IP traceback using IPSec tunnels is a part of the framework called DecIdUous (Decentralized source identification for network based intrusion) [5]. The analysis is carried out by establishing IPSec tunnels between an arbitrary router and the victim. If the attack packets get authenticated by the security association (SA), the attack originates at a point further behind this router; else the attacker lies on the path between this router and the victim. Thus SA tunnels are iteratively established between intermediate routers and the victim. Here, ISP involvement is essential, as knowledge of the topology is required for examining each router. The system provides the highest level of security, even in the event of a router being compromised.

c. IDIP (Intrusion Detection and Identification Protocol)

The protocol CITRA [25] has been developed to collaboratively exchange intrusion information like attack signatures and provide real time tracking across several network boundaries. Local IDS agents located within the network perform a neighborhood watch and send their local reports to a boundary controller as an IDIP message. Boundary controllers are located at strategic points in the network to exchange intrusion reports and audits and to provide alerts in advance so as to enforce filtering rules. On attack detection, the IDIP node decides upon the counter measure to stop the proliferation of the attack. It sends the attack description and its action to its next hop neighbor node, which looks for similar malicious activity in its neighborhood and iteratively repeats the same hop by hop. In this way the complete attack path is detected. The spread of the attack is also stopped simultaneously by implementing filter rules at other parts of the network. The main benefit of this scheme is its minimal dependency on the system infrastructure.

d. SWT (Sleepy Watermark Tracing)

It is so called because the system wakes up only when an intrusion is detected and incurs overhead only when active. Tracing is conducted by injecting a watermark (a piece of information uniquely identifying a connection) backward in the connection chain from the victim [24]. All hosts in the network are connected directly or indirectly to their nearest Guardian gateway, which is SWT capable, and such protected hosts are called SWT guarded hosts. A guarded host consists of a Watermarking component, an Active Tracing (AT) unit and a Sleepy Intrusion Response (SIR) unit that work together to conduct traceback. On detecting an attack, the IDS initiates SWT tracing by triggering the watermarking component. The SIR unit keeps a log of tracing information and the AT unit works collaboratively with other entities in the network to trace packets. The SWT host further contacts all its SWT guardian gateways, and the Watermark correlation unit in the gateways identifies the next gateway to be contacted based on traffic correlation. This continues iteratively at the next gateway, and trace information is reported back to the originator. If the correlation were done without a watermark, we would have to compare m incoming and n outgoing connections at each guardian gateway, a total of m x n possible matches to be scanned. But with a watermark, the job is simplified to a mere lookup for the matching watermark in the connections.
SWT has excellent tracking capabilities and can track the attacker precisely.

e. D-WARD

It is a distributed defense against DDoS attacks. The D-WARD program, running on strategically located routers, continuously monitors flows between a set of policed nodes and the internet [4]. It detects attacks based on traffic flow measurements that are compared against normal flow models, and regulates transgressing flows by throttling their rate. It is deployed at the ISP level near the source end. Flow statistics that are monitored over a certain observation period are dumped into a flow hash table in the router and compared against a flow model (TCP/UDP/ICMP). It is a kind of dynamically controlled ingress filtering that polices flows instead of packets.

Table 2 provides a comparison between these schemes, using important performance metrics like the overhead involved in implementing the scheme, required ISP cooperation, scalability to large networks, the type of control in exercising the method, security of communication in the routing of trace messages, the ability of each method to track till the true origin, the visibility of the traceback scheme to attackers and how much attackers can misuse the scheme.
Table 2: IDS Assisted Reactive Network Based Approaches

ISP cooperation
  CenterTrack: High at trace routers
  IPSec: Less within a single ISP; to trace beyond an ISP, high cooperation needed
  IDIP: High at boundary controllers
  SWT: High at guardian gateways
  D-WARD: High

Overhead
  CenterTrack: High, admin task of encapsulating packets at TR
  IPSec: High routing overhead due to use of IPSec
  IDIP: Minimal dependency on network infrastructure
  SWT: Inactive state: none; active state: high
  D-WARD: High, as each router needs to maintain connection and routing hash tables

DDoS handling
  CenterTrack: Not so good
  IPSec: Yes, very good
  IDIP: Yes
  SWT: Yes
  D-WARD: Yes, very good

Incremental deployment
  CenterTrack: No
  IPSec: No
  IDIP: Yes
  SWT: Yes
  D-WARD: Yes

Scalability
  CenterTrack: Poor
  IPSec: Less
  IDIP: High
  SWT: High
  D-WARD: Less

Type of control
  CenterTrack: Partially decentralized
  IPSec: Centralized, discovery
  IDIP: Autonomous
  SWT: Distributed; centralized controller gathers info
  D-WARD: Decentralized

Security in communication
  CenterTrack: Less; tunnels between TR and edge router need to be authenticated
  IPSec: Highly safe
  IDIP: High; IDIP authentication header provides an integrity mechanism
  SWT: High; watermarks are authenticated
  D-WARD: Not needed because of autonomous operation

Can security of the router be compromised
  CenterTrack: Edge router: no; others: yes
  IPSec: Yes, can create IPSec tunnels if compromised
  IDIP: Yes, boundary controllers can be compromised
  SWT: Yes, guardian gateways can be compromised
  D-WARD: Yes, a compromised router would apply its own rate limit

Misuse by attacker
  CenterTrack: Yes, by overloading TR
  IPSec: No
  IDIP: No
  SWT: No
  D-WARD: Yes, attacker can disguise attack traffic

Tracking till
  CenterTrack: Ingress edge router
  IPSec: True source
  IDIP: Stepping stone
  SWT: Farthest trustworthy gateway
  D-WARD: Deployed at source end of network to stop attacks from the network

Visibility to attackers
  CenterTrack: High because of specialized routing
  IPSec: Not visible because of SA
  IDIP: Less
  SWT: High because watermarks are difficult to hide
  D-WARD: Less

Limitations of IDS assisted Reactive Network based approaches

All these schemes require a significant amount of cooperation between ISPs in performing the traceback. CenterTrack is unsuitable for DDoS attacks due to the overhead of encapsulating packets at several edge routers, and it scales poorly. CenterTrack is also not capable of identifying attacks originating from within the backbone network. IPSec is not scalable because of the authentication schemes involved, which use digital certificates or a shared secret. IPSec incurs considerable processing overhead as the SA tunnels are iteratively built to investigate links. D-WARD necessitates the implementation of filter rules across several network boundaries; it is difficult to deploy across multiple domains. SWT necessitates modification of the network application at the host to implement the watermark functionality, which might incur some cost overhead.

Open Research Issues in IDS assisted Reactive Network based approaches

The main security threat that looms over these kinds of approaches is the robustness of router security. The reliability of the traceback scheme extends only as far as a router is secure against an attacker. A traceback scheme should also be able to handle the case of a compromised router; it should identify and adaptively quarantine such a compromised router.

IDS assisted Reactive Host Based Approaches

The traceback is initiated by the victim node when it receives an alarm from the IDS about the occurrence of an attack.

a. Black Hole Back Scatter of UUNET ISP

When an attack is detected by the IDS, all packets flowing towards the victim are rejected, as a result of which ICMP destination unreachable messages are generated [23]. These error messages may not be routed correctly to their destination, because the source address in most attack packets would be spoofed. Hence, they reach only as far as the border routers.
Once a DoS attack is detected, the routing is dynamically changed such that all the attack packets with invalid source IP addresses, including the error messages, are redirected to a sink called the black hole server, preconfigured in the network. These messages (backscatter) are inspected to determine their origin, which would be the same interface from which the attack packets arrived. After identifying the ingress points, the filter on the victim is removed and the upstream ISPs are requested to carry out the traceback.

b. Hop-by-Hop data link identification

In the hop-by-hop tracing proposed by Tatsuya Baba et al. [19], a datalink identifier like the MAC address is used to trace a packet, as opposed to the conventional use of the source address. Routing is done such that the packet's datalink identifier is stamped with the router's interface identifier when a packet traverses the routers. The router also maintains some critical information on forwarded packets and their datalink identifiers in its buffer. This table is consulted during traceback by comparing the attack packet to the table entries of datalink identifiers. The scheme is implemented as a distributed protocol with an autonomous management network (AMN) in every area that aggregates all trace information. An IDS detects an attack and triggers a trace process within the AMN for a given attack feature. Tracing continues until the true source is detected or another AMN is reached, from where it is continued hop by hop. In this approach, an attacker can't forge this data link identifier, unlike the source address, and hence it is secure.

Table 3 shows a comparison of the two reactive host based approaches.
The metrics forming the basis for comparison are: extent of ISP cooperation needed, whether incremental deployment is allowed, whether the scheme supports traceback of a single IP packet, overhead incurred in routing and in the network, the minimum time for which the attack should be in progress for successful traceback, and scalability of the scheme to large networks.

Table 3: IDS Assisted Reactive Host Based Approaches

Evaluation Metric | Black Hole Back Scatter | Hop-by-Hop data link identification
ISP cooperation | High, as each ISP needs to configure its router to reject all packets destined to the victim | High across ISPs but fair within a single ISP
Incremental deployment | Yes | Yes
DDoS attack handling | No, just DoS | Less suitable
Duration of attack for traceback | Considerable amount of time | Should last for some time
Type of control | Centralized | Distributed
Single packet tracing | No | Yes
Handle packet transformation | No | No, difficult to trace through
Modification to trace packet | None, ICMP packet generated | Forwarding node changes data link identifier to match its interface identifier
Scalability | High | High
Overhead | Routing overhead in rerouting to black hole server | High resource overhead along attack path
Tracking till | Boundary of any domain administration firewall | Attack source, which can be a stepping stone

Limitations of IDS assisted Reactive Host Based schemes

In both approaches, the attack should be in progress for a considerable amount of time for a successful traceback to be conducted. The BlackHole back scatter approach is not suitable for DDoS, as multiple entry points are present.

Open Research Issues in IDS assisted Reactive Host Based schemes

Many DDoS attacks are cleverly designed to be very effective in bringing the system down in a short duration of time. The IDS used in these systems should be efficient in raising an early alert, so that the victim node can quickly initiate a multihop query for traceback at the upstream routers.
4.2 Proactive schemes

A proactive approach monitors the records and logs of the current traffic packets as they flow through the network. We discuss in subsequent sections in-band and out-of-band techniques, which differ depending on whether the trace information is embedded in the packet or is emitted separately.

Proactive approaches with out-of-band technique

In out-of-band proactive schemes, tracing is conducted with the help of separate trace packets generated at the routers as the packet traverses them on its way to its destination.

a. itrace

In the scheme proposed by Bellovin et al. [7], as a packet traverses the network, each router probabilistically generates a separate trace packet using the Internet Control Message Protocol (ICMP). To keep the overhead and the number of ICMP packets under control, the router generates an ICMP packet for only one in 20,000 packets that pass through it. As most DoS attacks are flooding type attacks, this marking probability is sufficient to ensure that the victim receives a considerable number of trace packets. Apart from the content of the chosen data packet, the ICMP packet contains some useful information about adjacent routers: the generating router's id, the timestamp of its marking, the forward link element along which the packet traverses, the MAC address pair of the link traversed, a link identifier which is useful in associating all ICMP packets originating from a given neighborhood, and some authentication data like an HMAC [29]. As the packet traverses the routers, it collects useful path information on its way to its destination. The destination tries to glean path information from all the ICMP packets emitted by the chain of routers along a given path and hence can infer the true source.

b. Intention-driven itrace

As the name implies, a receiver intending to receive itrace packets expresses its interest to the upstream routers in the network [26]. The usefulness of a packet is determined by the type of packet (high if an attack packet) and the interest of the destination node in receiving it (the intention bit). The scheme divides the traceback task, based on functionality, into two main modules: the decision module and the itrace generation module.
Once an upstream router receives a trace request, the decision module decides upon the type of packet for which to generate itrace and sets a bit in the packet forwarding table. The itrace module generates an itrace message using the next packet corresponding to this entry. The benefit of this scheme is that it deduces the attack path more quickly because of the intelligence provided by the intention bit. The number of useful itrace packets generated increases by 90%, and hence traceback is accomplished very quickly.

c. icaddie ICMP

Bao-Tung Wang et al. [27] proposed, as an interim solution, to decide upon the number of packets after which to generate an itrace message. Each router is equipped with a timer that indicates how long it has not received a traceback message. If this exceeds a certain threshold, the router randomly chooses a "ball" packet and prepares for it an icaddie packet, which collects path information of all routers from this point to the destination. As the icaddie packet passes through a router, the router's IP address is appended to its router list (RL) along with the incoming interface and next-hop information. Finally, the router authenticates the icaddie message using a cryptographic primitive (HMAC) [29]. The attack path can easily be reconstructed by the victim by simply looking at the markings inside a caddie message. The benefit of this approach is that it handles packet transformation well, by changing the content of the caddie packet when the ball packet undergoes transformation. The number of trace packets produced is fewer: it is independent of the attack path and depends solely on the number of attack sources. The scheme produces fewer false positives, as the chance of two packet digests being forwarded within a short gap of time is much smaller. Table 4 shows the comparison of out-of-band proactive schemes.
The metrics under focus for these approaches are: the extent of ISP cooperation needed, support for incremental deployment, the number of packets generated as a result of traceback, the time required to conduct traceback, the number of false positives, whether an attacker can manipulate and misuse the scheme, how far DDoS attacks can be handled and, finally, how the three schemes use the ICMP field to generate the trace packet.

Table 4: Proactive Approaches with Out-of-Band Technique

Evaluation metric | itrace | Intention-driven itrace | icaddie ICMP
ISP cooperation | No | No, not required | No
Incremental deployment | Yes | Yes | Yes
Number of packets generated | Large, as extra packets are generated | Less, as useless itrace messages are reduced | Less, depends on # of attack sources only
Time required for traceback | Considerable time needed; suffers from combinatorial explosion during attack path reconstruction | Quickly after attack starts | Quick, by looking at caddie paths inscribed in caddie message
Number of false positives | Large | Few; very precisely locates the attacker | Very few
Misuse by attacker | Yes, attacker can inject false ICMP messages to hide true origin | No, intentions of packet from BGP can't be modified | No, caddie packets authenticated by cryptographic functions
DDoS attack handling | Poor, as there are few ICMP from distant routers | Good | Good
Content of ICMP | Type, Checksum and Message body | Ident of router generating packet: itr.rtr-id; Dest addr of packet: itr.dst-id; Packet picked: itr.pkt | Caddie ID computed from invariant portions of IP header of ball packet chosen
Scalability | High | High | High

Limitations of Proactive approaches with out-of-band technique

itrace is incapable of handling DDoS attacks which span a large area in the network. It is crippled because useful trace packets may not be obtained from far-off nodes.

These out-of-band schemes require more network bandwidth in delivering the trace information.

Open Research Issues in Proactive approaches with out-of-band technique

It is very important to keep a tab on the number of trace packets generated, due to bandwidth constraints. An attacker shouldn't be able to generate spurious packets and flood the network, so the generation of trace messages should be authenticated by the router. A symmetric cryptographic signature, though faster than public key systems, needs an efficient way to distribute keys. A good key distribution scheme is needed to distribute the shared keys amongst the routers for HMAC authentication [29].

Proactive approaches with In-band technique

In about 95% of the in-band approaches, routers pro-actively mark the packets that pass through them. Marking is done either probabilistically or deterministically. Hence the trace information for a packet is inscribed in the packet itself. The victim uses this traceback information for attack path reconstruction. We shall also look into the structure of the marking fields in all of these marking schemes. This gives a better insight into how each marking scheme inscribes the markings of the router and into the organization of the various bits and flags. Predominantly, the Identification field of the IP header is used for marking. It was primarily included in the IP header to record the fragmentation of packets. As less than 0.25% of the traffic is fragmented, it remains mostly unused and hence can be used for performing traceback [30].

Proactive network based approaches with In-band technique

The routers in the network proactively mark the packets that pass through them. PPM, DPM, AAM, Adjusted PPM, FIT, DDoS SCOUNTER and Randomize and link all belong to the family of marking schemes, while SPIE and SNITCH belong to the logging family.

a. PPM (Probabilistic Packet Marking)

One of the pioneering works in the series of innovative marking schemes was proposed by Savage et al. [9] for traceback.
It uses the 16-bit IP identification field in the IP header to store router markings, as shown in Figure 4.

Algorithm for PPM

A simplistic algorithm using edge sampling is described below:
- Each router probabilistically marks a packet that passes through it with its IP address.
- If a router chooses to mark the packet, it inscribes its IP address in the Start field and sets the Distance field to 0.
- Else, if a router does not choose to mark the packet, it checks whether the packet has already been marked:
  o If yes, it writes its IP address in the End field and increments the Distance field.
  o If no, it just increments the Distance field.

The victim node reconstructs an attack graph back to the source using the edges sampled in the packets. The Distance field indicates the number of hops traversed since the marking was inscribed. So, the victim node pairs the received packets in increasing order of the distance element. First, packets with dist = 1 and dist = 0 are paired together. If the value of the Start field of the dist = 0 packet matches the End field of the dist = 1 packet, it represents an edge. This is repeated iteratively at each hop by pairing packets with sequential dist values. The number of packets required for reconstruction depends upon the marking probability (ideally p <= 1/d) and the attack path length. PPM, though a novel approach, is handicapped by the lack of authentication of router markings: a compromised router can forge incorrect markings into the packet.

Figure 4: Structure of the PPM marking field. Start Field (32 bits): IP address of the marking router. End Field (32 bits): IP address of the non-marking router. Distance Field (8 bits): distance in hops from the marking router.

b. DPM (Deterministic Packet Marking)

As the name goes, the router deterministically marks every packet passing through it with its IP address [31]. The form of the router markings inscribed in the 16-bit ID field of the IP header is shown in Figure 5.

Algorithm for DPM

The IP address is split into two halves of 16 bits each, and one randomly chosen segment is inscribed in the ID field of the IP header of a passing packet. The 1-bit Reserved flag indicates which fragment is marked in the ID field, 0 symbolizing the first half and 1 the second half. The victim performs path re-assembly easily when it receives attack packets containing both halves from the same router. In the compressed edge fragment sampling algorithm of PPM, as the attack path length increases, the number of packets needed to infer the attack path increases; it faces a combinatorial explosion in grouping the fragments of encoded edges during the reconstruction phase, which is avoided here. DPM is scalable and can tackle large-scale DDoS attacks. DPM requires only the ingress edge routers to do marking, as all routers might not be capable of marking.

Figure 5: Structure of the DPM marking field. Reserved Flag field (1 bit): indicates which half of the IP address is present, 0 (first half contained) or 1 (second half contained). ID Field (16 bits): contains one half of the IP address of a

c. AAM (Advanced and Authenticated Packet Marking)

It is an enhancement of the PPM scheme proposed by Song et al. [6]. AAM has been designed to avoid the issue of spurious markings generated in PPM when a router

is compromised. We look into the two schemes presented in the paper: the Advanced marking scheme and the Authenticated marking scheme.

Algorithm for Advanced Marking Scheme

As in PPM, each router marks packets probabilistically.
- If a router chooses to mark, it inscribes, instead of just its address, the hash of its IP address in the 11-bit Edge field of the IP header and sets the 5-bit Distance field to zero.
- Else, a non-marking router checks whether the packet has already been marked by an upstream router:
  o If yes, it overwrites the Edge field with the XOR of the hash of its IP address and the old content, and increments the Distance field.
  o If no, it just increments the Distance field.

Algorithm for Advanced and Authenticated Marking Scheme

The Advanced Authenticated Marking scheme assumes that each router shares a secret key K_i with the victim and uses a message authentication code such as HMAC [29] to authenticate the markings of a router. Each router applies the HMAC function (rather than a plain hash function) to its IP address in order to authenticate the validity of the markings. Thus, AAM provides strong authentication of router markings. This authenticated marking prevents the generation of spoofed markings by any compromised router. AAM overcomes the primary disadvantage of PPM in reconstructing the attack path by using knowledge of the upstream routers: the network map serves as a road map during the reassembly phase. After assembling the edge fragments at each hop, they are grouped according to the Distance field, and AAM matches their hashes with the hashes of routers in the upstream network to construct the attack path.

Figure 6: Structure of the AAM marking field. Distance Field (5 bits): distance in hops from the marking router. Edge Field (11 bits): contains the hash of the IP address of a marking router XOR-ed with the hash of the IP address of the downstream
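Returning to the PPM edge-sampling rule of (a) above, here is an added simulation (not code from the paper or from Savage et al.) of one constructed attack path: each router applies the marking rule, and the victim pairs the received Start/End/Distance triples by distance to rebuild the path. The 32-bit Start and End fields are modelled as address strings, the End field is only written while the Distance field is still 0 (so an edge closed by a downstream router is not overwritten), and the packet bound quoted is the one from Savage et al.

```python
import math
import random
from dataclasses import dataclass
from typing import List, Optional

# Constructed attack path, listed from the router nearest the attacker to the
# router adjacent to the victim (sample addresses, not real hosts).
PATH = ["10.1.0.1", "10.1.0.2", "10.1.0.3", "10.1.0.4", "10.1.0.5"]
VICTIM = "192.0.2.10"


@dataclass
class Mark:
    """The PPM marking carried by one packet (Start, End and Distance fields)."""
    start: Optional[str] = None
    end: Optional[str] = None
    dist: int = 0
    marked: bool = False


def forward_packet(path: List[str], p: float, rng: random.Random) -> Mark:
    """Edge sampling: forward one packet through every router on `path`."""
    m = Mark()
    for addr in path:
        if rng.random() < p:
            # Marking router: its address goes into Start and Distance is reset.
            m.start, m.end, m.dist, m.marked = addr, None, 0, True
        elif m.marked:
            # Non-marking router: close the edge only if it is still open
            # (Distance == 0); afterwards just count the hop.
            if m.dist == 0:
                m.end = addr
            m.dist += 1
    return m


def reconstruct(marks: List[Mark], victim: str) -> List[str]:
    """Pair packets by increasing Distance: the Start of a dist = d packet must equal
    the End of a dist = d + 1 packet. Returns the path ending at the victim."""
    edges = {}
    for m in marks:
        if m.marked:
            # An edge with no End was marked by the last router, so the victim
            # itself is its downstream end.
            edges.setdefault(m.dist, set()).add((m.start, m.end or victim))
    path, current, d = [victim], victim, 0
    while d in edges:
        upstream = [s for s, e in edges[d] if e == current]
        if len(upstream) != 1:   # missing or ambiguous edge: stop here
            break
        current = upstream[0]
        path.append(current)
        d += 1
    return path[::-1]


def expected_packets(p: float, d: int) -> float:
    """Upper bound on the packets the victim needs for a path of d routers,
    from Savage et al.: ln(d) / (p * (1 - p) ** (d - 1))."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


def simulate(n_packets: int, p: float, seed: int = 1) -> List[str]:
    """Send n_packets along PATH with marking probability p and rebuild the path."""
    rng = random.Random(seed)
    marks = [forward_packet(PATH, p, rng) for _ in range(n_packets)]
    return reconstruct(marks, VICTIM)


if __name__ == "__main__":
    print("packet bound for p=0.2, d=5:", round(expected_packets(0.2, len(PATH))))
    print("reconstructed:", simulate(5000, 0.2))
```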
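An added example (not the authors' or Song and Perrig's code) of the two AAM marking rules on the 11-bit Edge / 5-bit Distance layout of Figure 6, with the victim's reconstruction driven by an upstream router map. The hash is a truncated SHA-256 of the address; the authenticated variant swaps in HMAC-SHA256 under a per-router key K_i shared with the victim. The map, keys and addresses are constructed, and `forge_attempt` shows why a compromised router cannot plant a matching marking for another router's address under the authenticated scheme.

```python
import hashlib
import hmac
import random
from typing import Callable, Dict, List, Optional, Tuple

EDGE_BITS, DIST_BITS = 11, 5            # Figure 6 layout: 11-bit Edge, 5-bit Distance
EDGE_MASK = (1 << EDGE_BITS) - 1
HashFn = Callable[[str], int]

VICTIM = "victim"
# Constructed upstream router map as known to the victim: node -> upstream neighbours.
UPSTREAM: Dict[str, List[str]] = {
    "victim": ["10.0.0.9"],
    "10.0.0.9": ["10.0.0.7", "10.0.0.8"],
    "10.0.0.7": ["10.0.0.3"], "10.0.0.8": ["10.0.0.4"],
    "10.0.0.3": ["10.0.0.1"], "10.0.0.4": ["10.0.0.2"],
    "10.0.0.1": [], "10.0.0.2": [],
}
ATTACK_PATH = ["10.0.0.1", "10.0.0.3", "10.0.0.7", "10.0.0.9"]   # attacker side first
FAKE_PATH = ["10.0.0.2", "10.0.0.4", "10.0.0.8", "10.0.0.9"]     # what a forger wants shown
# Constructed per-router secrets K_i shared with the victim (Authenticated scheme).
KEYS: Dict[str, bytes] = {r: hashlib.sha256(b"demo-key-" + r.encode()).digest() for r in UPSTREAM}
# A compromised 10.0.0.9 knows only its own key and has to use it for every address.
ATTACKER_KEYS: Dict[str, bytes] = {r: KEYS["10.0.0.9"] for r in UPSTREAM}


def plain_hash(addr: str) -> int:
    """Advanced scheme: hash of the IP address, truncated to the Edge field."""
    return int.from_bytes(hashlib.sha256(addr.encode()).digest()[:2], "big") & EDGE_MASK


def keyed_hash(keys: Dict[str, bytes]) -> HashFn:
    """Authenticated scheme: HMAC-SHA256 under the router's K_i, truncated to the Edge field."""
    def h(addr: str) -> int:
        tag = hmac.new(keys[addr], addr.encode(), hashlib.sha256).digest()
        return int.from_bytes(tag[:2], "big") & EDGE_MASK
    return h


def mark_packet(path: List[str], p: float, h: HashFn,
                rng: random.Random) -> Optional[Tuple[int, int]]:
    """One packet through `path`; returns (Edge, Distance) or None if never marked."""
    edge, dist, marked = 0, 0, False
    for addr in path:
        if rng.random() < p:
            edge, dist, marked = h(addr), 0, True      # marking router opens an edge
        elif marked:
            if dist == 0:
                edge ^= h(addr)                          # next router closes the edge
            dist = (dist + 1) & ((1 << DIST_BITS) - 1)   # 5-bit hop counter
    return (edge, dist) if marked else None


def reconstruct(marks, h: HashFn, upstream: Dict[str, List[str]], victim: str) -> List[str]:
    """Walk the map outward from the victim, matching Edge values distance by distance."""
    by_dist: Dict[int, set] = {}
    for m in marks:
        if m is not None:
            by_dist.setdefault(m[1], set()).add(m[0])
    path, current, d = [victim], victim, 0
    while d in by_dist:
        # Distance 0: the edge is h(R) alone (the victim closed it). Further out it is
        # h(R) XOR h(current), `current` being the router just identified one hop closer.
        closing = 0 if d == 0 else h(current)
        cands = [r for r in upstream.get(current, []) if (h(r) ^ closing) in by_dist[d]]
        if len(cands) != 1:       # no match, or an 11-bit collision made it ambiguous
            break
        current = cands[0]
        path.append(current)
        d += 1
    return path[::-1]


def trace_honest(h: HashFn, seed: int = 3) -> List[str]:
    """Honest routers on ATTACK_PATH mark with p = 0.3; the victim rebuilds the path."""
    rng = random.Random(seed)
    marks = [mark_packet(ATTACK_PATH, 0.3, h, rng) for _ in range(400)]
    return reconstruct(marks, h, UPSTREAM, VICTIM)


def forge_attempt(h_victim: HashFn, h_forger: HashFn, seed: int = 5) -> List[str]:
    """A compromised router injects markings for FAKE_PATH computed with h_forger;
    the victim checks them with h_victim against its map."""
    rng = random.Random(seed)
    marks = [mark_packet(FAKE_PATH, 0.3, h_forger, rng) for _ in range(400)]
    return reconstruct(marks, h_victim, UPSTREAM, VICTIM)


if __name__ == "__main__":
    print("advanced scheme:", trace_honest(plain_hash))
    print("forgery under plain hash:", forge_attempt(plain_hash, plain_hash))
    print("forgery under HMAC:", forge_attempt(keyed_hash(KEYS), keyed_hash(ATTACKER_KEYS)))
```

Under the plain hash the forged markings reconstruct as FAKE_PATH, because any router can compute the hash of any address; under HMAC the walk stops at the compromised router, since the forger cannot produce the keyed values of the routers it is impersonating.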
d. Adjusted PPM (Adjusted Probabilistic Packet Marking)

As the name suggests, it uses an adjusted probability to mark packets based on the position of the node in the attack path. It overcomes the major shortcoming of the basic PPM scheme proposed by Savage et al. [9], in which the probability of the victim receiving a packet marked by farther routers is very low. It also resolves the issue of spurious packets by marking all packets as soon as they enter the network.

Algorithm for APPM

An additional field in the IP header, the IP Option field, is used to record the number of hops traversed by the packet, and the packet is marked with a probability proportional to the inverse of this distance [32]. The adjusted marking probability can be tuned to be a function of the distance the packet has travelled since it was last marked, or of the distance from the present router to the destination based on routing protocol information. Figure 7 shows how the various probabilities are set based upon the distance measure. It significantly reduces the computational time for reconstruction over the basic PPM scheme by making sure that the markings of far-away routers reach the victim.

Figure 7: The various probabilities used in the Adjusted PPM scheme. Trace information is recorded in the 16-bit Identification field of the IP header; the IP Option field records the distance, the number of hops traversed by the packet. The probability of marking a packet is adjusted based on one of three distance measures:
- d1, the number of hops traversed by the packet from the source to the current router: p(d1) = 1/d1
- d2, the number of hops traversed since the packet was last marked: p(d2) = 1/(2(d2 + 1))
- d3, the number of hops from the current router to the destination: p(d3) = 1/(c + 1 - d3), where c is a constant chosen such that c + 1 - d3 > 0, safely taken as 30
e. SNITCH (Simple, Novel IP Traceback using Compressed Header)

SNITCH [33] aims to increase the number of bits available for recording traceback data by using compression techniques as in an IP header compression scheme [34]. It evades the tight space constraint prevalent in all marking schemes, which prohibits recording full path information within a packet. As a result, the total number of packets required for traceback as well as the time needed is drastically cut down. Figure 8 shows the structure of the IP header marking as done by a router implementing SNITCH. The marking at each router proceeds as in the PPM edge sampling algorithm; the only difference is the extra room available for marking. Initially a frame is sent with a full header and a context identifier. Subsequent frames are sent without the invariant fields, so that the room made available (144 bits) can be utilized for sending traceback data.

Algorithm for SNITCH

Each router marks the packet probabilistically.
- If a router chooses to mark the packet, it stores its IP address in the Left field and sets the Distance field to 0.
- Else, a non-marking router checks whether the packet is already marked:
  o If yes, it writes its IP address in the Right field and increments the Distance field.
  o If no, it increments the Distance field alone.

As the context changes, a new context identifier (CID) and a full header are sent. In order to differentiate between SNITCH and IP header compression, the ID field of the IP header is set to all

1s in SNITCH. The CID found in the full header is later used for decompression of packets with a matching CID. It has negligible false positives in attack path building for DDoS attacks. A DDoS attack has multiple overlapping attack paths owing to the multiple attack sources. This might result in ambiguities and make attack reconstruction more challenging. SNITCH cleverly resolves such ambiguities by encoding multiple edge information into the packet, which helps in better resolution of attack sources. The system can, however, trace only up to a stepping stone / zombie.

Figure 8: Structure of the SNITCH marking. Left Field (32 bits): stores the IP address of the marking router initiating marking. Right Field (32 bits): stores the IP address of the non-marking router. Distance Field (8 bits): distance in hops from the marking router. CID: context identifier of the packet.

f. Marking Scheme using Huffman Code

This scheme [35] is an amalgamation of logging and marking. It marks every packet deterministically with the interface of the router through which the packet arrived. As the length of the attack path increases, the space available in the packet becomes insufficient to record all the markings for traceback. It gets around this overflow problem by storing the markings in the local memory of the intermediate routers, accessed by the message digest of the packet.

Algorithm for Huffman Code

Huffman codes efficiently represent the link number of the interfaces of a router. The Huffman code of the link is appended to the 31-bit link sequence field (ls); a 1-bit saved flag (sf) indicates whether the marking has been saved in the local router's memory. The marking format is shown in Figure 9. A flag bit of 1 is used as a delimiter, preceded by leading zeros, to indicate the start of the valid bits in ls; the space available for marking is determined by counting the number of leading zeros before the delimiter in ls.
The victim reconstructs the path by examining the ls field and decoding it with the help of a link table to find the next-hop upstream router. ls is right-shifted according to the length of the decoded word. If sf is 1, the marking has to be retrieved from the router via the message digest of the packet. The traceback is repeated iteratively at each router until ls becomes 1 and sf is 0. The advantage of this scheme over other schemes is that it can efficiently handle any packet transformation: a pair of message digests of the packet, before and after it undergoes transformation, is stored in the router's local memory along with the marking fields. The system can efficiently trace either reactively or pro-actively, which is quite unique.

Figure 9: Structure of the Huffman code marking. Saved flag (sf) (1 bit): indicates whether the marking has been saved in the local router's memory. Link Sequence Field (ls) (31 bits): contains the appended list of Huffman codes of the links through which the packet passed since the marking router.

g. DDoS SCOUNTER (Defense against Distributed DoS)

It is an on-demand probabilistic multi-edge marking scheme proposed by Kai et al. [36] with the sole motivation of providing high precision in tracking with low false positives. It is a comprehensive defense suite consisting of a detection unit, a traceback system and packet filtering. Marking is initiated at the request of the administrator to reduce overhead. Unlike other schemes, it uses the Record Route option of the IP header, which is hardly used in the internet nowadays. The Record Route option was originally designed to trace the route of an IP datagram. It has enough space to register several IP addresses (up to 9) during the journey of the packet. The scheme does not necessitate any changes to the IP protocol. The data format of the Record Route IP option is shown in Figure 10.

Algorithm for DDoS SCOUNTER

There are two schemes for marking the trace information: the uncovered and the covered scheme.
In the uncovered scheme, each router probabilistically appends its IP address to the Record Route field, and once a router marks a packet, all subsequent routers append their IP addresses until overflow. A maximum of 9 IP addresses can be appended. To prevent the infiltration of spurious packets from a compromised router, the markings are authenticated using cryptographic HMAC computations [29]. In the covered marking scheme, if a later router chooses to mark and finds the IP option full, the first stored IP address is shifted out to make room for the new one.

Figure 10: Data format of the Record Route IP option. Option type octet: the last 3 LSBs indicate the option number (set to 7 here); the next 2 bits indicate that it is a control option (set to 0); the first 2 MSBs indicate that the option is not copied into all fragments (set to 0). Length: total variable length of the option in bytes. Pointer: pointer into the route data indicating the next byte in which to store a route address. Route data: series of 32-bit internet addresses.

h. Randomize and link

It is a very good scheme for performing large-scale IP traceback involving thousands of routers. Path regeneration, when compared to PPM, is made very simple in this scheme.

Algorithm for Randomize and link

Each router fragments its message M_x (the router's IP address/topology information) into several non-overlapping word fragments and creates a large checksum cord on the whole message [12]. The cord is a very useful entity, as it is an associative address for the message and links together all the fragments in the path reconstruction phase. The checksum cord makes it tough for an intruder to insert a false message that collides with correct ones. This group of word fragments forms a set of blocks, which are chosen randomly to be marked in the packets that pass through the router. The scheme uses special authentication dictionaries to provide strong authentication of the messages inscribed by routers. The dictionary provides the secret keys for HMAC authentication [29] and makes the job of the routers easy, as they are not required to sign setup messages individually. The scheme is highly robust even in the presence of an attacker falsely injecting spurious packets, and is highly scalable.

i. FIT (Fast Internet Traceback)

As the name suggests, the scheme [14] conducts traceback in a relatively short time with just a few packets. As in AAM, it uses knowledge of the network topology, gleaned from packet markings, to piece together the attack path quickly.

Algorithm for FIT

Routers deterministically mark packets using a node-sampling algorithm, storing the following information in the 16-bit Identification field of the IP header. A router pre-computes the hash of its IP address and splits it into n fragments of b_frag bits each. One of these is randomly chosen to be stored in the 13-bit hash fragment field, with the fragment number in a 2-bit fragment field. The 1-bit distance field is set to zero by the marking router and is incremented by every FIT-enabled router. The structure of the packet marking is shown in Figure 11.
It has conceivable power to scale to large-scale DDoS attacks. The salient features of the method are its ability to function even in the presence of legacy routers and its ability to precisely identify the distance from the victim.

Figure 11: Structure of the FIT marking. b (1 bit): distance field. Frag# (2 bits): fragment number selected for marking by the marking router. Hash Fragment Field (13 bits): a random fragment of the precomputed hash of the IP address of the marking router.

j. SPIE (Source Path Isolation Engine or Hash-based IP Traceback)

The system proposed by Snoeren et al. [13] performs low-volume traceback using a Data Generation Agent (DGA) present in routers. It uses a data structure called a Bloom filter, which deterministically logs critical information about each packet traversing the router. It is called a hash-based scheme because a hash of the invariant fields of the IP header is stored in each router as a 32-bit digest. This digest is stored in the space-efficient Bloom filter and is kept only for a certain duration of time owing to the limited space available.

Algorithm for SPIE

The framework consists of a DGA (Data Generation Agent), an IDS, SCARs (SPIE Collection And Reduction Agents) and an STM (SPIE Traceback Manager). The DGA is responsible for producing packet digests at each router. On detecting an attack, the IDS alerts the STM and provides attack signatures. The STM is the official central authority that handles all trace requests and conducts the task of tracing. The STM dispatches the signature information to the appropriate SCARs, which analyze their logs. If any match is found, the SCAR constructs a sub-path of the attack involving the routers that forwarded such a packet. The STM constructs the attack path from the sub-paths reported by the SCARs. The salient feature of SPIE is its ability to trace a single packet.
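An added sketch (not SPIE's implementation) of the digest-and-Bloom-filter idea behind the DGA and the traceback query: each router hashes the invariant part of the IPv4 header into a 32-bit digest and records it in a Bloom filter, and the query walks the router map asking which filters contain the digest of the attack packet. Packets, topology, filter size, number of hash functions and the choice of which bytes enter the digest (ToS, TTL and checksum masked, first 8 payload bytes included) are my constructions for the example, not SPIE's exact parameters.

```python
import hashlib
import struct
from typing import Dict, List

IPV4_HDR_LEN = 20
PAYLOAD_PREFIX = 8   # payload bytes folded into the digest (assumption, see lead-in)


def build_ipv4(src: str, dst: str, ttl: int, ident: int, payload: bytes, tos: int = 0) -> bytes:
    """Constructed IPv4 packet: 20-byte header without options (protocol 17), then payload."""
    def ip(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, IPV4_HDR_LEN + len(payload),
                      ident, 0, ttl, 17, 0, ip(src), ip(dst))
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:] + payload


def spie_digest(packet: bytes) -> int:
    """32-bit digest over the invariant header bytes plus the first PAYLOAD_PREFIX payload
    bytes. ToS (byte 1), TTL (byte 8) and checksum (bytes 10-11) are zeroed first because
    routers legitimately rewrite them, so every hop computes the same digest."""
    hdr = bytearray(packet[:IPV4_HDR_LEN])
    hdr[1] = 0
    hdr[8] = 0
    hdr[10] = hdr[11] = 0
    data = bytes(hdr) + packet[IPV4_HDR_LEN:IPV4_HDR_LEN + PAYLOAD_PREFIX]
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


class BloomFilter:
    """Bit array with k hash positions per digest: no false negatives, rare false positives."""
    def __init__(self, m_bits: int = 1 << 16, k: int = 3):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)

    def _positions(self, digest: int):
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + digest.to_bytes(4, "big")).digest()
            yield int.from_bytes(h[:4], "big") % self.m

    def add(self, digest: int) -> None:
        for pos in self._positions(digest):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, digest: int) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(digest))


class Router:
    """A forwarding node whose DGA logs a digest of every packet it forwards."""
    def __init__(self, name: str):
        self.name, self.dga = name, BloomFilter()

    def forward(self, packet: bytes) -> bytes:
        self.dga.add(spie_digest(packet))
        return packet[:8] + bytes([packet[8] - 1]) + packet[9:]   # TTL decremented in transit


def trace(packet: bytes, first_hop: str, upstream: Dict[str, List[str]],
          routers: Dict[str, Router]) -> List[str]:
    """STM-style query: from the victim's neighbour, move to the unique upstream router
    whose filter holds the digest; stop when none (or more than one) matches."""
    digest = spie_digest(packet)
    path, current = [], first_hop
    while current is not None and digest in routers[current].dga:
        path.append(current)
        nxt = [r for r in upstream.get(current, []) if digest in routers[r].dga]
        current = nxt[0] if len(nxt) == 1 else None
    return path[::-1]


def demo() -> List[str]:
    """Constructed topology R1 -> R2 -> R3 -> victim, with R4 an unrelated branch into R3."""
    routers = {n: Router(n) for n in ("R1", "R2", "R3", "R4")}
    upstream = {"R3": ["R2", "R4"], "R2": ["R1"], "R1": [], "R4": []}
    attack = build_ipv4("203.0.113.7", "192.0.2.10", 64, 0x1234, b"attack-payload")
    noise = build_ipv4("198.51.100.5", "192.0.2.10", 64, 0x9999, b"other-traffic")
    routers["R4"].forward(noise)
    received = attack
    for name in ("R1", "R2", "R3"):
        received = routers[name].forward(received)
    # The victim hands the packet exactly as it arrived (TTL now 61) to the query.
    return trace(received, "R3", upstream, routers)
```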
SPIE can also handle complex transformations like NAT (Network Address Translation) and can handle fragmentation, in which case only the first fragment can be traced.

Limitations of Proactive network based approaches with In-band technique

The traceback data is carried in-band within the packet, and as a result the number of bits available to store this information is constrained. In PPM, the markings of a router farther away from the victim have very little chance of surviving, as they might get overwritten by a downstream router closer to the victim. Most of the schemes, like PPM, AAM and DPM, don't support traceback for fragmented traffic. FIT and AAM require a map of the upstream routers for traceback, which might not always be possible to fetch. Adjusted PPM adapts poorly to a DDoS attack. The Huffman code marking scheme is prone to 1-bit errors in marking; in such instances, the Huffman code is impossible to decode correctly. Due to the sheer size of the packet header, DDoS SCOUNTER faces serious problems of repeated fragmentation of the trace packet. It also suffers from the problem of unfairly treating distant routers, like ICMP traceback: the markings of distant routers get overwritten. PPM and Randomize and link are two schemes that face the problem of combinatorial explosion during attack path reconstruction. A logging scheme like SPIE can only trace packets that have been delivered in the recent past, as the packet digests are made to expire after a certain period of time due to the limited space constraint.

Open Research Issues in Proactive Network based approaches with In-band technique

Most of the pro-active marking schemes suffer from the problem of path reconstruction overhead. An efficient traceback should quickly retrace the path of a packet. Strong, collision-free hashes like MD5, SHA-1 and SHA-2 [29] need to be used when routers use hash functions to inscribe their IP address in the trace packet.

Also, the markings of a router need to be authenticated to prevent misbehaving routers, for which it is very important to incorporate authentication mechanisms. In the case of a pro-active logging scheme like SPIE, efficient data structures to store packet digests are required. A blend of both logging and marking, as in the Marking Scheme using Huffman code [35], needs to be developed to overcome the disadvantages of both approaches. Table 5 below gives an extensive comparison of the various pro-active network based marking schemes. The parameters under consideration are the number of packets needed for traceback, the extent of involvement of the ISP, fragment handling ability, scalability of the system, the overhead incurred in path reconstruction, DDoS handling and the number of false positives generated.

Table 5: Proactive Network Based Approaches with In-Band Technique

Evaluation metric | PPM | DPM | AAM | Adjusted PPM | SNITCH | Huffman Code | DDoS SCOUNTER | Randomize and link | FIT | SPIE
Incremental deployment | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Bits used for marking | IP's 16-bit ID field | IP's 16-bit ID field and 1-bit reserved field | IP's 16-bit ID field | IP's 16-bit ID field | compressed invariant fields of IP header | Option field in IP | Record Route IP Option field | IP's 16-bit ID field | IP's 16-bit ID field | 32-bit packet digest stored in each forwarding node
Marking of packets | Prob. | Deter. | Prob. | Adjusted Prob. | Prob. | Deter. | Prob. | Prob. | Deter. with a marking predicate | Deter.; store packet digest at each forwarding node

Rows "Number of packets for tracing", "ISP involvement", "Fragmentation handling" and "Scalable" (entries in page order): 1000s; 1000s; 1000s; Less, compared to PPM; Less, due to space in each packet to store traceback; Only 1, tracing doesn't depend on # of packets; Low; Low; Low; Low; Fair; Fair; Fair, admin initiates marking; No; No; No; No; No; Yes, good; Less; 1000s; Only a few (in 10s) packets needed; High; High; High; Low; Fair; High; Very high; Very low; Less; Low; Low; Fair, correlated queries; Yes; Yes; Yes; Yes; very good; Very high; Bad

Rows "Path construction overhead", "Knowledge of topology", "DDoS handling", "# of false positives" and "Misuse by attacker" (entries in page order): Very high; High; Less; Less; Very less; Less; Less; High, to build attack graph; No; No; Yes, upstream routers; Small-scale DDoS; Large; Yes, can generate false marking; Good, esp. reflector attacks; Less than PPM; Yes, can use different source IP address; Very less; No; No; No; No; No; Yes, upstream routers; Fair; Bad; Fair; Good; Very good; Small-scale DDoS; Very low; No, uses authenticated MAC; Fair; Fair, due to XOR of IP addresses; No; No; Yes, traceback fails for even a 1-bit error in marking; Very good; Less; No; Good; Less; Less; Large; Very few; Less; No, router marking authenticated; No, all messages authenticated with HMAC; Yes, if attacker changes initial contents of ID; No

Proactive host based approaches with In-band technique

In a host based scheme, the traceback function is entrusted to the victim node, which pro-actively performs this duty. The only scheme in this category is explained below.

Algebraic Approach

It is a slight modification of the PPM method. It uses concepts from coding theory and learning theory to encode the path information as points on polynomials. The encoded path information is stored in the Fragment ID field. The victim reconstructs the path using polynomial and algebraic methods. Dean et al. [10] use several encoding schemes: deterministic path encoding, randomized path encoding and an edge encoding algorithm. In deterministic path encoding, each packet carries a random value that is multiplied with the router's IP address to cumulatively add to the full path value; decoding is then done via a Vandermonde matrix [37]. The randomized path encoding algorithm functions similarly to its deterministic counterpart but includes an element of randomness: at each router a coin is flipped to decide whether the router is the initiator of the marking process. The edge encoding algorithm functions by presetting a maximum distance value, denoted l, that is decremented by each marking router; the addition of IP addresses stops when it reaches zero. The algebraic approach is robust to stray noise, which can be efficiently filtered out. It can track multiple attack paths originating from several attackers and is suitable for tracking DDoS attacks. It can also be incrementally deployed. But all the overhead of the mathematical calculations in decoding the points of the polynomial falls on the victim node.

Disadvantages of the Algebraic Approach

It is difficult to store the path information, represented as a polynomial, in the packet header.
Due to the lack of authentication mechanisms and the lack of information about the order of routers along an attack path, an attacker can forge and encode incorrect path information in the packet.

Open Research Issues in Pro-active Host based Schemes with In-band technique

A host based scheme has the fundamental problem of trusting each monitored host involved in the connection chain and hence is very difficult to implement in a public network, where any node could be compromised. It is important to introduce authentication mechanisms to prevent forged router markings and the replay of stale messages.

5 Conclusion and Future Work

After examining the various IP traceback schemes, we can conclude that traceback, combined with IDS and filtering schemes, can form a collaborative defense suite against all security threats in the internet. Attack detection, prevention and traceback together present a reinforced platform for complete security. We have not presented all existing traceback schemes in the literature, but have given a summary of the major techniques and their evolution from the basic schemes. Controlled flooding, PPM, ICMP, overlay network and logging schemes are the main research thrusts that exist in the literature and are classified under logging, marking and link testing. All the other schemes have evolved from these fundamentals, differing a little in execution style and overcoming the shortcomings that the researchers focused on. Some are more prone to security vulnerabilities than others, or require additional infrastructure, or might scale better, or are better able to tackle DDoS attacks. A scheme that satisfies all the evaluation metrics cannot be envisioned.
Focus should not be on designing a scheme that overcomes all of these shortcomings, but on identifying potential areas of improvement in many of the existing schemes, such as finding ways to reduce the network/bandwidth/router overhead, improving the time taken to identify the attacker, automating the trace process, and identifying new ways of tackling the new stealthy attacks that are constantly on the rise in the internet. Precision, accuracy and timeliness are the three most important characteristics that measure the ingenuity of a traceback technique. As we have seen from our analysis, the methods capable of tracking all the way to the true source, even in the presence of stepping stones, zombies or reflectors, are very few in number. A clever attacker might mask behind several layers; an intelligent traceback should tear down this masquerade of the attacker and catch the intruder red-handed in the act. Traceback, however, involves other political, economic and legal issues which pose a serious challenge to its deployment in the real world.

References

[1] Good/Bad News in DoS Struggle, IT Architect, 2002.
[2] CERT Advisory CA Denial-of-Service Developments, CERT, 2000.
[3] P. Ferguson and D. Senie, Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing. Internet Eng. Task Force RFC 2827, May 2000.
[4] J. Mirkovic, G. Prier, and P. Reiher, Attacking DDoS at the Source. In Proceedings of the 10th IEEE International Conference on Network Protocols, pp. ,
[5] H. Y. Chang, R. Narayanan, S. F. Wu, B. M. Vetter, X. Wang, M. Brown, J. J. Yuill, C. Sargor, F. Jou, and F. Gong, Deciduous: Decentralized Source Identification for Network-Based Intrusions. In Proceedings of the 6th IFIP/IEEE Int'l. Symp. Integrated Net. Mgmt., pp. ,
[6] Dawn Xiaodong Song and Adrian Perrig, Advanced and Authenticated Marking Schemes for IP Traceback. In Proceedings of IEEE INFOCOM, IEEE CS Press, pp. ,
[7] S. M. Bellovin, ICMP Traceback Messages. Network Working Group Internet Draft, March
[8] H. Burch and B. Cheswick, Tracing Anonymous Packets to Their Approximate Source. In Proceedings of the 14th Conf. Systems Administration, Usenix Assoc., pp. , Dec.
[9] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, Practical Network Support for IP Traceback. In Proceedings of ACM SIGCOMM 2000; IEEE/ACM Trans. Networking, Vol. 9, No. 3, pp. ,
[10] D. Dean, M. Franklin, and A. Stubblefield, An Algebraic Approach to IP Traceback. ACM Trans. Information and System Security, Vol. 5, No. 2, pp. , 2002.

14 92 [11] R. Stone, CenterTrack: An IP Overlay Network for Tracking DoS Floods. In Proceedings of the 9th Usenix Security Symp., Usenix Assoc., pp , [12] M. Goodrich, Efficient Packet Marking for Large- Scale IP Traceback. In Proceedings of the 9th ACM Conf. Computer and Communication Security, ACM Press, pp , [13] Alex C. Snoeren, Craig Patridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, and W. Timothy Strayer, Hash-Based IP Traceback, Journal of IEEE/ACM Trans. Networking, Vol. 10, No. 6, pp , [14] Abraham Yaar, Adrian Perrig, and Dawn Song, FIT: Fast Internet Traceback. In Proceedings of the 24th Annual Joint Conference of the IEEE Computer and Communications, INFOCOM 2005, Vol. 2, pp , March [15] Vadim Kuznetsov, Helena Sandstrom, and Andrei Simkin, An Evaluation of Different IP Traceback Approaches. In Proceedings of the 4th international conference on Information and Communications security (ICICS), Springer LNCS, Vol. 2513, pp , [16] Hassan Aljifri, IP Traceback: A New Denial-of- Service Deterrent?, Journal of IEEE Security & Privacy, Vol. 1, No. 3, pp , May/June [17] Andrey Belenky and Nirwan Ansari, On IP Traceback, IEEE Communication Magazine, Vol. 41, No. 7, pp , July [18] Zhiqiang Gao and Nirwan Ansari, Tracing Cyber Attacks from the Practical Perspective, IEEE Communications Magazine, Vol. 43, No. 5, pp , May [19] Tatsuya Baba and Shigeyuki Matsuda, Tracing Network Attacks to their Sources, IEEE Internet Computing Magazine, Vol. 6, No. 3, pp , March/April [20] S.C. Lee and C. Shields, Tracing the Source of Network Attack: A Technical, Legal and Societal Problem. In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, IEEE Press, pp , [21] Y. Zhang and V. Paxson, Detecting Stepping Stones. In Proceedings of the 9th USENIX Security Symposium, pp , [22] Vern Paxson, An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks, In Proceedings of the ACM Comp. Commun. Rev., Vol. 31, No. 
3, pp. 3-14, July [23] Howard F. Lipson, Tracking and Tracing Cyber- Attacks: Technical Challenges and Global Policy Issues. CERT Coordination Center, Special Report CMU/SEI SR-009. [24] X. Wang, Douglas S. Reeves, Shyhtsun Felix Wu and Jim Yuill, Sleepy Watermark Tracing: An Active Network-based Intrusion Response Framework. In Proceedings of the IFIP Conf. on Security, Paris, pp , 2001, June [25] J. Rowe, Intrusion Detection and Isolation Protocol: Automated Response to Attacks. In Proceedings of the Recent Advances in Intrusion Detection (RAID), University of California Davis, USA, [26] Allison Mankin, Dan Massey, Chien-Long Wu, S. Felix Wu, and Lixia Zhang, "On Design and Evaluation of 'Intention-Driven' ICMP Traceback. In Proceedings of the IEEE Int'l Conf. Computer Comm. and Networks, IEEE CS Press, pp , Santhanam, Kumar & Agrawal [27] Bao-Tung Wang and Henning Schulzrinne, A Denial-of-Service-Resistant IP Traceback Approach, In Proceedings of the IEEE 9 th international symposium on Computers and Communication, (ISCC), Vol. 1, pp , June/July [28] A. Lazarevic, L. Ertoz, A. Ozgur, J. Srivastava, and V. Kumar, A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection. In Proceedings of the SIAM Conf. Data Mining, [29] Hash Algorithms, [30] I. Stoica and H. Zhang, "Providing Guaranteed Services without Per-Flow Management. In Proceedings of the ACM SIGCOMM, pp , Aug [31] Andrey Belenky and Nirwan Ansari, IP Traceback with Deterministic Packet Marking, IEEE Communication letters, Vol. 7, No. 4, pp , [32] Teo Peng, Christopher Lecki amd Kotairi Ramamohanroa, Adjusted Probabilistic Packet Marking. In Proceedings of the IFIP-TC6 Networking Conference 2002, Pisa, Italy, May [33] H. Aljifri, M. Smets, and A. Pons, IP Traceback Using Header Compression, Journal of IEEE Computers & Security, Vol. 22, No. 2, pp , [34] Effnet Holding, An Introduction to IP Header Compression, February [35] K. H. Choi and H. K. 
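The open research issue noted above for in-band host-based schemes, forged router markings and replayed stale messages, is what authenticated marking addresses. The following Python is an added example, not code from the paper or from any scheme it surveys: each router's mark carries its identifier, hop position and a timestamp under an HMAC keyed with a secret shared with the victim, so the victim can reject forged, stale or unknown marks before reconstructing the path. The router identifiers, keys, freshness window and the unconstrained mark size are constructed assumptions.

```python
"""Authenticated router marking for IP traceback (added example, not from the paper).

Assumptions (constructed for this example): each router shares a secret key with
the victim, marks carry a hop count and a timestamp, and marks are not squeezed into
the 16-bit IP identification field as real PPM schemes must do.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed trust set: router identifier -> secret shared with the victim.
ROUTER_KEYS: Dict[str, bytes] = {
    "R1": b"constructed-key-r1",
    "R2": b"constructed-key-r2",
    "R3": b"constructed-key-r3",
}
FRESHNESS_WINDOW = 60  # seconds; older marks are treated as replays


@dataclass(frozen=True)
class Mark:
    router_id: str
    hop: int    # hop distance from the victim (1 = router nearest the victim)
    ts: int     # router clock at marking time, in seconds
    tag: bytes  # HMAC-SHA256 over router_id | hop | ts | pkt_id


def _tag(router_id: str, hop: int, ts: int, pkt_id: int, key: bytes) -> bytes:
    msg = f"{router_id}|{hop}|{ts}|{pkt_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def router_mark(router_id: str, hop: int, ts: int, pkt_id: int, key: bytes) -> Mark:
    """The mark an honest router attaches to a packet it forwards."""
    return Mark(router_id, hop, ts, _tag(router_id, hop, ts, pkt_id, key))


def verify_mark(mark: Mark, pkt_id: int, now: int) -> str:
    """Return 'ok' or the reason the victim rejects the mark."""
    key = ROUTER_KEYS.get(mark.router_id)
    if key is None:
        return "unknown_router"
    expected = _tag(mark.router_id, mark.hop, mark.ts, pkt_id, key)
    if not hmac.compare_digest(expected, mark.tag):
        return "bad_tag"  # forged or tampered path information
    if abs(now - mark.ts) > FRESHNESS_WINDOW:
        return "stale"    # replay of an old mark (or a badly skewed clock)
    return "ok"


def reconstruct_path(marks: List[Mark], pkt_id: int, now: int
                     ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Victim-side reconstruction: router ids ordered from the victim outward,
    plus the marks that were rejected and why."""
    accepted: Dict[int, str] = {}
    rejected: List[Tuple[str, str]] = []
    seen: Set[Tuple[str, int]] = set()
    for m in marks:
        verdict = verify_mark(m, pkt_id, now)
        if verdict != "ok":
            rejected.append((m.router_id, verdict))
            continue
        if (m.router_id, m.ts) in seen:  # the same valid mark presented twice
            rejected.append((m.router_id, "duplicate"))
            continue
        seen.add((m.router_id, m.ts))
        if accepted.get(m.hop, m.router_id) != m.router_id:
            rejected.append((m.router_id, "hop_conflict"))  # two routers claim one hop
            continue
        accepted[m.hop] = m.router_id
    return [accepted[h] for h in sorted(accepted)], rejected


def demo() -> Tuple[List[str], List[Tuple[str, str]]]:
    """Constructed input: three honest marks plus three marks the victim must reject."""
    now, pkt = 1_000_000, 0xBEEF
    marks = [
        router_mark("R1", 1, now - 2, pkt, ROUTER_KEYS["R1"]),
        router_mark("R2", 2, now - 3, pkt, ROUTER_KEYS["R2"]),
        router_mark("R3", 3, now - 4, pkt, ROUTER_KEYS["R3"]),
        Mark("R2", 9, now, b"\x00" * 32),                         # tag made without R2's key
        router_mark("R1", 1, now - 600, pkt, ROUTER_KEYS["R1"]),  # genuine but ten minutes old
        router_mark("R9", 1, now, pkt, b"not-in-trust-set"),      # router the victim does not know
    ]
    return reconstruct_path(marks, pkt, now)


if __name__ == "__main__":
    path, rejected = demo()
    print("reconstructed path:", " -> ".join(path))
    for router, reason in rejected:
        print(f"rejected mark from {router}: {reason}")
```

Binding the hop count under the MAC is what prevents a forged mark from reordering the path; the freshness window is what defeats replay of a genuine but old mark.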
Author Biographies

Lakshmi Santhanam received her B.E. degree in Computer Science and Engineering from the University of Madras, India, in She is currently a doctoral student working as a research assistant in the Center for Distributed and Mobile Computing (CDMC) Lab at the University of Cincinnati. Her research interests include detection of selfish behavior in Wireless Mesh Networks, IP Traceback, Intrusion detection in Ad hoc Networks, and other security concerns in Wireless Ad hoc Networks and Wireless Mesh Networks.

Anup Kumar completed his Ph.D. at North Carolina State University and is currently a professor in the Computer Engineering and Computer Science Department at the University of Louisville. He is also the director of the Mobile Information Network and Distributed System Laboratory. His research interests include wireless networks, distributed system modeling and simulation, and multimedia systems. He is currently Chair of the IEEE Computer Society Technical Committee on Simulation (TCSIM). He was Vice Chair of IEEE TCSIM, He has published and presented over 150 papers. Some of his papers have appeared in ACM Multimedia Systems Journal, IEEE Transactions on Computers, Wireless Communication and Mobile Computing, Journal of Parallel and Distributed Computing, IEEE Transactions on Reliability, IEEE JSAC, Journal of Computer and Software Engineering, and others. He was Associate Editor of the International Journal of Engineering Design and Automation He has served on many conference program and organizing committees such as MASS 2004, CIT 2004, IEEE Symposium on Parallel and Distributed Systems, 7th International Conference on Parallel and Distributed Computer Systems, IEEE MASCOTS, and ADCOM 97 and 98. He has also edited Special Issues of the International Journal on Computers and Operations Research. He is listed in Who's Who Among America's Teachers.

Dharma P. Agrawal is the Ohio Board of Regents Distinguished Professor of Computer Science and Engineering and the founding director of the Center for Distributed and Mobile Computing in the Department of ECECS, University of Cincinnati, OH. He has been a faculty member at N.C. State University, Raleigh, NC ( ) and Wayne State University, Detroit ( ). His current research interests include energy efficient routing and information retrieval in ad hoc and sensor networks, QoS in integrated wireless networks, the use of smart multi-beam directional antennas for enhanced QoS, and various aspects of sensor networks including environmental monitoring and secured communication in ad hoc and sensor networks. His co-authored textbook, Introduction to Wireless and Mobile Systems, published by Thomson, has been adopted throughout the world and revolutionized the way the course is taught. His latest co-authored book, Ad hoc & Sensor Networks - Theory and Applications, will be published in Spring 2006 by World Scientific Publishing. Dr. Agrawal is an editor for the Journal of Parallel and Distributed Systems and the International Journal of High Speed Computing. He has served as an editor of the IEEE Computer magazine and the IEEE Transactions on Computers. Recently, he has been invited to serve as a founding member of the editorial board of three new journals, International Journal on Distributed Sensor Networks, International Journal of Ad Hoc and Ubiquitous Computing (IJAHUC), International Journal of Ad Hoc & Sensor Wireless Networks, and the Journal of Information Assurance and Security (JIAS), Dynamic Publishers Inc. He has been the Program Chair and General Chair for numerous international conferences and meetings. He has received numerous certificates and awards from the IEEE Computer Society. He was awarded a Third Millennium Medal by the IEEE for his outstanding contributions. He has also delivered keynote speeches at five international conferences. He also has 4 patents and 17 patent disclosures in the wireless networking area. He has been selected as a Fulbright Senior Specialist for a duration of five years. He is a Fellow of the IEEE, the ACM, the AAAS, and WIF.

More information

Firewalls Netasq. Security Management by NETASQ

Firewalls Netasq. Security Management by NETASQ Firewalls Netasq Security Management by NETASQ 1. 0 M a n a g e m e n t o f t h e s e c u r i t y b y N E T A S Q 1 pyright NETASQ 2002 Security Management is handled by the ASQ, a Technology developed

More information

Denial of Service Attacks

Denial of Service Attacks 2 Denial of Service Attacks : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013 its335y13s2l06, Steve/Courses/2013/s2/its335/lectures/malicious.tex,

More information

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

More information

An IP Trace back System to Find the Real Source of Attacks

An IP Trace back System to Find the Real Source of Attacks An IP Trace back System to Find the Real Source of Attacks A.Parvathi and G.L.N.JayaPradha M.Tech Student,Narasaraopeta Engg College, Narasaraopeta,Guntur(Dt),A.P. Asso.Prof & HOD,Dept of I.T,,Narasaraopeta

More information

Tracing the Origins of Distributed Denial of Service Attacks

Tracing the Origins of Distributed Denial of Service Attacks Tracing the Origins of Distributed Denial of Service Attacks A.Peart Senior Lecturer amanda.peart@port.ac.uk University of Portsmouth, UK R.Raynsford. Student robert.raynsford@myport.ac.uk University of

More information

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall. Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and

More information

Pi: A Path Identification Mechanism to Defend against DDoS Attacks

Pi: A Path Identification Mechanism to Defend against DDoS Attacks Pi: A Path Identification Mechanism to Defend against DDoS Attacks Abraham Yaar Adrian Perrig Dawn Song Carnegie Mellon University {ayaar, perrig, dawnsong}@cmu.edu Abstract Distributed Denial of Service

More information

Network Security in Practice

Network Security in Practice Network Security in Practice Practices of Network Security ccess control: firewalls ttacks and counter measures Security protocol case studies Kai Shen 12/8/2014 CSC 257/457 - Fall 2014 1 12/8/2014 CSC

More information

Detecting Service Violations and DoS Attacks

Detecting Service Violations and DoS Attacks Detecting Service Violations and DoS Attacks Ahsan Habib, Mohamed M. Hefeeda, and Bharat K. Bhargava CERIAS and Department of Computer Sciences Purdue University, West Lafayette, IN 47907 {habib, mhefeeda,

More information

Networks: IP and TCP. Internet Protocol

Networks: IP and TCP. Internet Protocol Networks: IP and TCP 11/1/2010 Networks: IP and TCP 1 Internet Protocol Connectionless Each packet is transported independently from other packets Unreliable Delivery on a best effort basis No acknowledgments

More information

Safeguards Against Denial of Service Attacks for IP Phones

Safeguards Against Denial of Service Attacks for IP Phones W H I T E P A P E R Denial of Service (DoS) attacks on computers and infrastructure communications systems have been reported for a number of years, but the accelerated deployment of Voice over IP (VoIP)

More information

Survey on DDoS Attack in Cloud Environment

Survey on DDoS Attack in Cloud Environment Available online at www.ijiere.com International Journal of Innovative and Emerging Research in Engineering e-issn: 2394-3343 p-issn: 2394-5494 Survey on DDoS in Cloud Environment Kirtesh Agrawal and Nikita

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

BlackRidge Technology Transport Access Control: Overview

BlackRidge Technology Transport Access Control: Overview 2011 BlackRidge Technology Transport Access Control: Overview 1 Introduction Enterprises and government agencies are under repeated cyber attack. Attacks range in scope from distributed denial of service

More information

Port Hopping for Resilient Networks

Port Hopping for Resilient Networks Port Hopping for Resilient Networks Henry C.J. Lee, Vrizlynn L.L. Thing Institute for Infocomm Research Singapore Email: {hlee, vriz}@i2r.a-star.edu.sg Abstract With the pervasiveness of the Internet,

More information

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research) International Journal of Engineering, Business and Enterprise

More information

How To Understand A Network Attack

How To Understand A Network Attack Network Security Attack and Defense Techniques Anna Sperotto (with material from Ramin Sadre) Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Attacks! Many different

More information

History. Attacks on Availability (1) Attacks on Availability (2) Securing Availability

History. Attacks on Availability (1) Attacks on Availability (2) Securing Availability History Securing Availability Distributed Denial of Service (DDoS) Attacks Mitigation Techniques Prevention Detection Response Case Study on TRAPS Summer 1999, new breed of attack on availability developed

More information

Tackling Congestion to Address Distributed Denial of Service: A Push-Forward Mechanism

Tackling Congestion to Address Distributed Denial of Service: A Push-Forward Mechanism Tackling Congestion to Address Distributed Denial of Service: A Push-Forward Mechanism Srinivasan Krishnamoorthy and Partha Dasgupta Computer Science and Engineering Department Arizona State University

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

How To Classify A Dnet Attack

How To Classify A Dnet Attack Analysis of Computer Network Attacks Nenad Stojanovski 1, Marjan Gusev 2 1 Bul. AVNOJ 88-1/6, 1000 Skopje, Macedonia Nenad.stojanovski@gmail.com 2 Faculty of Natural Sciences and Mathematics, Ss. Cyril

More information

1. Firewall Configuration

1. Firewall Configuration 1. Firewall Configuration A firewall is a method of implementing common as well as user defined security policies in an effort to keep intruders out. Firewalls work by analyzing and filtering out IP packets

More information

Acquia Cloud Edge Protect Powered by CloudFlare

Acquia Cloud Edge Protect Powered by CloudFlare Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....

More information

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Signature based IDS systems use these fingerprints to verify that an attack is taking place. The problem with this method

More information

Efficient Detection of Ddos Attacks by Entropy Variation

Efficient Detection of Ddos Attacks by Entropy Variation IOSR Journal of Computer Engineering (IOSRJCE) ISSN: 2278-0661, ISBN: 2278-8727 Volume 7, Issue 1 (Nov-Dec. 2012), PP 13-18 Efficient Detection of Ddos Attacks by Entropy Variation 1 V.Sus hma R eddy,

More information

Security in Ad Hoc Network

Security in Ad Hoc Network Security in Ad Hoc Network Bingwen He Joakim Hägglund Qing Gu Abstract Security in wireless network is becoming more and more important while the using of mobile equipments such as cellular phones or laptops

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

How To Protect A Dns Authority Server From A Flood Attack

How To Protect A Dns Authority Server From A Flood Attack the Availability Digest @availabilitydig Surviving DNS DDoS Attacks November 2013 DDoS attacks are on the rise. A DDoS attack launches a massive amount of traffic to a website to overwhelm it to the point

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Vulnerability Analysis 1 Roadmap Why vulnerability analysis? Example: TCP/IP related vulnerabilities

More information

The Internet provides a wealth of information,

The Internet provides a wealth of information, IP Traceback: A New Denial-of-Service Deterrent? The increasing frequency of malicious computer attacks on government agencies and Internet businesses has caused severe economic waste and unique social

More information

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Journal homepage: www.mjret.in DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Maharudra V. Phalke, Atul D. Khude,Ganesh T. Bodkhe, Sudam A. Chole Information Technology, PVPIT Bhavdhan Pune,India maharudra90@gmail.com,

More information