Traceback DRDoS Attacks


Journal of Information & Computational Science 8: 1 (2011)

Traceback DRDoS Attacks

Yonghui Li, Yulong Wang, Fangchun Yang, Sen Su
State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China

Abstract

At present, researchers have already proposed many methods for tracing DoS or DDoS attacks, but little attention has been paid to DRDoS (Distributed Reflector Denial of Service) traceback. In DRDoS, the slaves hide behind innocent reflectors, which makes the general DoS or DDoS traceback methods hard to apply to DRDoS traceback. In this paper, we propose a collaborative traceback method, ADPM (Authenticated Deterministic Packet Marking), to trace DRDoS attacks. In ADPM, routers mark request packets, log the mark information of request packets and add the corresponding logged information to response packets, so victims can locate slaves when suffering a DRDoS attack. Analysis and simulation results show that ADPM has the following advantages: it requires little memory to log the mark information; it is able to resist forged mark information; it can be deployed conveniently and incrementally; and both the false positive rate and the number of packets needed for path reconstruction are small.

Keywords: IP Traceback; Deterministic Packet Marking (DPM); Denial of Service (DoS); Distributed Denial of Service (DDoS); Distributed Reflector Denial of Service (DRDoS)

1 Introduction

Over the past decade, the Internet has penetrated most industries and people depend on it more and more. Once a large-scale failure happens in the Internet, social life may suffer serious disruption, so network security has received much attention. IP traceback plays an important role in network security, because if we can find and punish the intruder, we can eliminate the attack at its root. Among the various attack types, the DoS (Denial of Service) attack is one of the most threatening.
At present, DDoS (Distributed Denial of Service) and DRDoS (Distributed Reflector Denial of Service), both derived from DoS, play important roles in network attacks. In a DDoS attack, the attacker controls some master zombies and a large number of slave zombies; it sends attack commands to the master zombies, and the master zombies then order the slave zombies to flood the victim, as shown in Fig. 1. DRDoS is a more sophisticated type of attack. It uses legitimate hosts called reflectors to flood the victim by making the slaves spoof the victim's address. A reflector may be any IP host that responds to request messages, such as SYN, SYN/ACK, ICMP request, DNS queries and so on. Fig. 2 shows the procedure of a DRDoS attack. An attacker first controls some zombies and locates a large number of reflectors. Then it sends attack commands to the master zombies. On receiving the attack commands, the master zombies let the slaves send request packets carrying the victim's address to the reflectors. The reflectors then send response packets to the victim based on the forged source addresses in those request packets. Finally, the victim is flooded by the numerous unsolicited response packets.

Fig. 1: Structure of DDoS attack
Fig. 2: Structure of DRDoS attack

The main features of DRDoS are:
(1) The attacker is unable to make the reflectors forge IP addresses, so the source addresses in the response packets are the reflectors' addresses. The victim can locate the reflectors directly;

Corresponding author address: liyonghuibupt@gmail.com (Yonghui Li)
Copyright 2011 Binary Information Press, January 2011

(2) The source addresses in the request packets sent by the slaves are the victim's address. When the reflectors receive request packets, they discard the received packets and generate new response packets. Thus the victim cannot get any information about the slaves from the received response packets;
(3) The request packets generated by one slave are distributed to several reflectors, so each reflector produces only a small number of response packets.

At present, researchers have proposed many kinds of IP traceback methods for tracing (D)DoS attacks, such as CenterTrack [1], controlled flooding [2], ICMP traceback [3, 4, 5], router logging [6, 7], packet marking [8, 9, 10, 11, 12, 13, 14, 15] and so on. Because of features (2) and (3) of DRDoS, the (D)DoS traceback methods are not suitable for tracing DRDoS attacks. As far as we know, research on DRDoS traceback is still scarce. The method proposed by Belenky et al. [16] lets the reflectors save the mark information of packets, so when suffering a DRDoS attack, victims can get the mark information from the reflectors' logs and trace the slaves. But this method has some deficiencies: it is hard to deploy, and the mark information in packets may be overwritten by downstream routers (as analyzed in Section 4.3); and in DRDoS the reflectors can be any legitimate hosts, so it is hard for network managers to require private hosts to log mark information. In view of these problems, we improve Belenky's scheme and propose a new traceback method named ADPM (Authenticated Deterministic Packet Marking), which uses packet marking and router logging so that victims are able to locate slaves quickly when suffering a DRDoS attack.
ADPM possesses the following features: (1) it prevents mark information from being overwritten; (2) it can resist forged mark information; (3) it saves the mark information of request packets in routers, so the information about the slaves is not lost; (4) it can be deployed conveniently and incrementally; (5) it needs only a small number of marked packets to locate a slave; (6) it generates only a small false positive rate.

The rest of this paper is organized as follows: Section 2 introduces the existing (D)DoS and DRDoS traceback methods; Section 3 gives the detailed design of ADPM; in Section 4, we conduct a detailed theoretical analysis of ADPM; Section 5 shows the simulation environment and results; finally, conclusions are presented in Section 6.

2 Related Work

2.1 (D)DoS Traceback Methods

Stone [1] proposed the CenterTrack scheme for tracking DoS floods. This scheme can quickly identify the ingress edge routers of packets by observing the tunnel the packets pass through. But it requires that all suspicious traffic converge into one or more tracking routers, which causes these routers to become network bottlenecks.

Burch et al. [2] introduced controlled flooding. In this method, the victim tests links by flooding them with large amounts of traffic and observes the drop in packet rates to infer the attack path. Controlled flooding is itself a kind of DoS attack and can only be used while the DoS attack is ongoing; it is not suited for tracing DDoS and DRDoS attacks.

Bellovin et al. [3, 4] and Kuznetsov et al. [5] proposed using ICMP messages to trace back the packet path. In this scheme, each router samples packets with a certain probability and generates a trace packet called itrace for each chosen packet. The itrace contains the router's and the chosen packet's information and is forwarded to the same destination as the chosen packet. The victim can reconstruct the attack path after receiving enough itrace packets. The main problem of this scheme is that the receiver of an itrace is unable to determine whether the itrace was sent by a legitimate router or by the attacker. Moreover, firewalls in the network often block itrace packets, so they cannot reach their destination.

Sanchez et al. [6] and Snoeren et al. [7] proposed logging packets in the routers so as to find the path that a packet passes through. Theoretically, this method can trace almost any attack. But the ISPs in this scheme have to do much work, which makes the scheme hard to accept widely in practice.

Savage et al. [8] introduced a promising solution referred to as probabilistic packet marking (PPM). In this scheme, routers select packets with a certain probability and mark the chosen packets with partial edge information. Song et al. [9] and Qu et al. [10] made improvements to PPM. We argue that PPM is mainly suitable for tracing DoS attacks.
In DDoS and single-packet attacks, the slaves or the attacker send a small number of packets, which makes it difficult for the victim to reconstruct the attack path because there are not enough marked packets. Belenky and Ansari [11] proposed the deterministic packet marking (DPM) scheme, which lets the edge routers mark every packet that enters the protected network. Jin et al. [12] and Xiang et al. [13] also introduced similar schemes. However, all these methods [11, 12, 13] can only trace back to the entrance of the network in which the victim is located. Laufer et al. [14] introduced an enhancement of DPM. They suggested letting the packet carry all the path information in a Generalized Bloom Filter (GBF) [17]. This approach can trace single-packet attacks and locate the attackers, but it requires a large space for the GBF to store the path information, and the IP packet header cannot offer such a large space. Castelucio et al. [15] improved the scheme proposed by Laufer. They reduced the false positive probability by constructing an overlay network at the Autonomous System (AS) level and integrating the time-to-live (TTL) into the path information. Compared with Laufer's method, Castelucio's scheme cuts down the false positive probability while increasing the false negative probability. In a DRDoS attack, the mark information in request packets is lost when the innocent reflectors process the request packets and send response packets to the victim, so traceback methods like PPM and DPM cannot trace the slaves in DRDoS.

2.2 DRDoS Traceback Methods

Below we introduce the DRDoS traceback methods known to us.

Lee et al. [18, 19] suggested letting routers generate itrace packets and send them to the victim host when the routers find suspicious packets. Thus the victim can reconstruct the attack path between the slaves and the reflectors, and locate the slaves. Lee's scheme is very similar to the methods in [3, 4, 5] and has the same shortcomings as [3, 4, 5].

Kang et al. [20] proposed an intruder tracing algorithm based on connection traceback technology to detect the stepping-stones in detoured attacks. In this scheme, when the IDS (Intrusion Detection System) of a host reports a stepping-stone's IP address and port number, the traceback algorithm goes to that stepping-stone host and finds the process using the reported port. Then, if the process has an inbound connection and the connection's IP address and port number are not those of the origin attacker, the traceback algorithm continues to find the parent process of the current process, until the origin attacker is found. This scheme works while the attack is in progress. Once the attack has finished and the related processes on the stepping-stones have closed, this traceback algorithm cannot carry on the tracing work. Meanwhile, this scheme needs to query processes in the hosts hop by hop, which is complex and poor in usability.

Shokri et al. [21] proposed an approach named DDPM, which uses dynamic marking to locate slaves in a DRDoS attack. DDPM needs to be implemented only in the edge routers of a domain. The edge routers store some information about every incoming packet in their own lists. When an outgoing packet is received, the edge router queries its list for a corresponding record. If the desired record exists, the edge router adds the mark information of the record to that outgoing packet; otherwise it marks the packet with the address of the packet's incoming interface. Thus, after receiving a certain number of marked attack packets, the victim can find the domain in which the slaves are located.
But DDPM did not consider that a packet may pass through several domains before reaching its destination, and that the mark information may be overwritten by downstream edge routers. Thus, in practice, a victim using DDPM can only trace to its neighbouring domain.

Chen et al. [22] advanced a reflective algebraic marking scheme for tracing DRDoS. In this scheme, routers mark the forwarded packets with a certain probability. To resolve the information loss problem, Chen lets the hosts store the mark information of received request packets and copy it to the corresponding response packets, so the victim can locate the slaves according to the information in the response packets. This scheme requires the hosts to copy mark information to several corresponding response packets, which may fail in the one-to-one request-response relationship. It also requires the victim to know the precise network topology, which is often difficult for general victims. Zhang et al. [23] improved Chen's scheme; they suggested encoding and authenticating the mark information with a Hash Message Authentication Code (HMAC) so as to reduce the influence of forged mark information. The victim in Zhang's scheme can reconstruct the attack path without knowing the network topology. However, the common shortcoming of these two schemes [22, 23] is that both require the hosts to implement the reflection algorithm. We argue that it is too hard to make the hosts acting as reflectors implement the reflection algorithm, because there are no incentives for them to do so.

Belenky et al. [16] improved their own DPM [11]. They suggested that reflectors should have DPM logging enabled, so the victim can get mark information from the reflectors' logs and trace the slaves in a DRDoS attack. The disadvantages of this method have been discussed in Section 1, and we improve on it in this paper.
From the above introduction, we can see that researchers mainly focus on how to trace (D)DoS attacks; little attention has been paid to DRDoS traceback, and the existing DRDoS traceback methods still have some flaws. Thus, we propose a scheme, named ADPM, for tracing DRDoS attacks. Table 1 shows the notation used in this paper.

Table 1: Notation used in this paper
R: a general router without ADPM running
RR: a router with ADPM running
qw: request packet, such as SYN, ICMP request, DNS query and so on
pw: response packet, such as SYN/ACK, RST, DNS reply, SNMP response and so on
MTable: marking table, which stores the mark information of qw
src: the value of an IP packet's source address field
dst: the value of an IP packet's destination address field
RRF: the first RR that qw passes through (on how to determine whether an RR is qw's RRF, see Section 3.4)
RRL: the last RR that qw passes through (on how to determine whether an RR is qw's RRL, see Section 3.5)
RRP: the first RR that pw passes through (on how to determine whether an RR is pw's RRP, see Section 3.4)

In ADPM, qw's RRF inserts mark information into qw and qw's RRL saves qw's mark information in its MTable. Meanwhile, pw's RRP copies the corresponding mark information stored in its MTable into pw. So the victim can locate the slaves according to the mark information in pw (the reflector addresses can be obtained directly from pw's source field). Before giving a detailed introduction to ADPM, we want to point out a fact: it is difficult to deploy traceback schemes on the slave hosts in advance, so most proposed traceback methods [3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 19, 21, 22, 23] generally trace to the router nearest to the slaves rather than to the slaves themselves. Therefore, below "the slave" actually refers to the RR that is nearest to the slave host. For example, when we say "locate the slave", its true meaning is "locate the RR that is nearest to the slave host".

3 ADPM

3.1 Assumptions

ADPM is based on the following hypotheses:
(1) There are a huge number of hosts in the Internet, and it is hard for network managers to deploy a reflection scheme on private hosts because their rights are limited.
However, the number of routers is much smaller than that of hosts, and network managers generally have the rights to upgrade routers, so it is more practical to deploy traceback methods on the routers;
(2) A host generally connects to only one router. Thus when an RR is qw's RRL, this RR is with great probability also the RRP of pw, the response packet to qw;
(3) Routers' resources are limited [8];
(4) Attackers are able to generate any packets [8];
(5) Attackers may forge mark information [9].

The first two assumptions are based on the reality that network managers cannot modify private hosts and few hosts connect directly to two or more routers. The third assumption is easy to understand, since no router can provide infinite processing speed and storage space. An attacker may use any method to attack the victim, and assumptions 4 and 5 reflect this consideration.

3.2 Overloading the IP Header

ADPM uses three fields of the IP header to store mark information, like [24]: the Type of Service (TOS) field, the Identification field and the Reserved Flag (see the shaded area in Fig. 3). The TOS field is an 8-bit field which indicates the service type that the packet desires, and it is rarely used at present. Durresi et al. [24] argued that overloading the TOS field makes no measurable difference to packet delivery.

Fig. 3: The IP header fields (darkened) used in ADPM (Version 4 bit, IHL 4 bit, TOS 8 bit, Total length; Identification, reserved flag 0 / DF / MF 3 bit, Fragment offset 13 bit; Time to live, Protocol, Header checksum)

Savage et al. [8] pointed out that less than 0.25% of packets are fragmented in the actual network, so overloading the Identification field and the Reserved Flag field will not have a serious influence on the IP network. (To handle the rare fragment/reassembly problem, we use the method proposed in [16], that is, the RR adds the same mark information to all fragments in the same series. Below we do not discuss this rarely occurring issue.) Therefore ADPM uses a total of 25 bits of IP header space as the marking space to store mark information.

3.3 A Summary of ADPM

In ADPM, when an RR receives a request packet qw (the RR uses an IDS to decide whether a received packet is qw or pw; at present, most IDSs can identify request or response packets [25, 26]) and the RR is qw's RRF, the RR adds its information to qw.
Because the length of an IP address is 32 bits and the available marking space is only 25 bits, the RR needs to split its IP address. For example, it could divide its IP address into two segments, IP seg 0 and IP seg 1, each 16 bits long. In order to differentiate IP seg 0 from IP seg 1, it needs a 1-bit flag to indicate the segment number: the flag is set to 0 if IP seg 0 is sent and to 1 if IP seg 1 is sent. Therefore, the length of the mark information is 17 bits. Fig. 4 gives a brief introduction to the ADPM traceback process. From Fig. 4, we can see that ADPM can prevent mark information from being overwritten, because only qw's RRF or pw's RRP can add mark information to the packet. But ADPM still has some problems to be resolved:
1. How to determine whether RR_i is qw's RRF, RRL or pw's RRP;

Fig. 4: A brief introduction of ADPM

2. How to resist forged mark information;
3. How the victim knows which IP segments are from the same IP address, so as to reconstruct the slaves' addresses exactly;
4. How to store the mark information efficiently in MTable.
In the following we detail the solutions to these problems.

3.4 Determining Whether an RR is RRF or RRP, and Resisting Forged Mark Information

Assume w is a request/response packet received by RR_i, h is an HMAC function and k is the key shared by all RRs. ADPM uses h to generate the authentication information Au: Au = h(w.src, w.dst, k). When RR_i receives w, it computes Au for w: Au = h(w.src, w.dst, k). If this Au is not equal to the Au carried in w (w.au), we consider RR_i to be w's RRF or RRP, and it then adds mark information to w. Meanwhile, we can use Au to identify forged mark information. Because the attacker does not know the HMAC function h and the key k, the Au added by the attacker is unlikely to be the same as the Au computed by RR_i. If w.au is not equal to Au, we consider the mark information in w to be counterfeit and let RR_i add its own mark information to w.

3.5 Determining Whether an RR is RRL

We assign a destination address table named DTable to RR_i. DTable is mainly used to store the destination addresses that RR_i is responsible for: when RR_i receives a request packet qw and qw.dst is in RR_i's DTable, then qw will not pass through any other RR; it will be forwarded directly to its destination by RR_i or arrive at its destination after passing through some general routers R. The addresses in DTable can be derived from RR_i's routing table; for example, the destinations that are 1 hop away from RR_i should be added to DTable. Users can also add specified addresses to DTable. For example, assume the path from host A to host B is (A, Router 1, Router 2, Router 3, B), and Router 1 and Router 2 have ADPM deployed while Router 3 has not; then the user can add B's address to Router 2's DTable so that the mark information in the request packet qw sent from A to B can be saved in Router 2 (in this case, when A sends qw to B, Router 2 is qw's RRL).

3.6 Determining Which IP Segments are from the Same IP Address

The received unsolicited response packets should be classified before reconstructing the slaves' addresses, but it is hard for the victim to do that for lack of any indication. To solve this problem, ADPM introduces the IP address digest dg. Suppose f: IP → dg is a hash function which compresses a 32-bit IP address to a g-bit dg (in ADPM, we let g = 8, as shown in Fig. 5). When ADPM marks a packet qw, it adds dg to qw. So the victim can classify the marked response packets according to dg.

Fig. 5: ADPM encoding scheme: IPSeg (8 bits) | IPSeg_Num (2 bits) | Digest (8 bits) | HMAC (7 bits)

Maybe someone would say that the victim can also classify the response packets based on Au, so we do not need dg. But we argue that this would fail in some cases. For example, if several slaves send request packets carrying the victim Vm's address to the same reflector rf, then the Au in the corresponding response packets generated by rf will be the same, so Vm cannot know which mark information in those response packets is from the same slave. And without dg, Vm also cannot verify the reconstructed IP addresses (see the path reconstruction procedure in Fig. 7).

3.7 ADPM Encoding Scheme

Fig. 5 shows the ADPM encoding scheme (the marking space is 25 bits long, as described in Section 3.2).
IPSeg field: 8 bits. It stores the IP segment. Because the length of this field is 8 bits, the 32-bit IP address has to be divided into four segments: IPSeg 0, IPSeg 1, IPSeg 2 and IPSeg 3;
IPSeg_Num field: 2 bits. It indicates the number of the IP segment stored in the IPSeg field;
Digest field: 8 bits. It stores the hash value dg of the IP address;
HMAC field: 7 bits. It stores the authentication code Au.
For convenience, below we use seg, sn, dg and Au respectively to represent the values of the IPSeg field, the IPSeg_Num field, the Digest field and the HMAC field.

3.8 MTable's Format

MTable usually stays in memory, and Fig. 6 shows its format. When RR_i is the request packet qw's RRL, RR_i extracts src, dst, seg, sn and dg from qw, then inserts these values together with the current time into MTable. The function of Insert Time is to help transfer out-of-date records to disk so as to save memory space. Out-of-date records are the records that have not been added to corresponding response packets and have stayed in MTable longer than a certain time T (T is user-specified). For example, assume the current time is $t_1$ and let $t_2 = t_1 - T$; then the records whose Insert Time is earlier than $t_2$ are removed from MTable and archived on disk. Generally speaking, the number of transferred records will not be large, because most records will already have been inserted into response packets. To save disk space, we can also delete the records on disk periodically (the cycle can be determined by users based on the disk space).

Fig. 6: MTable's format: src (32 bits) | dst (32 bits) | IPSeg (8 bits) | SN (2 bits) | dg (8 bits) | Insert time (48 bits)

3.9 The Algorithm of ADPM

Based on the above analyses, we give the ADPM algorithm in this section. It can be divided into three major parts: the marking procedure at the RR, the reconstruction procedure at the victim and the transferring procedure at the RR (as shown in Fig. 7).

Fig. 7: ADPM's algorithm

4 Analysis

4.1 Memory Size Needed for MTable

When RR_i is qw's RRL, RR_i needs to insert qw.src, qw.dst, qw.seg, qw.sn, qw.dg and the current time into its MTable. Because the length of a packet is generally 576 bytes (RFC 879), an OC-192 link whose speed is 1.25 GB/s transmits about 2.2 M packets per second. In MTable, the length of each entry is 130 bits (as shown in Fig. 6), so the quantity of data that needs to be saved per second for an OC-192 link is $2.2\,\mathrm{M} \times 130\ \mathrm{bit} \times \alpha \times \beta \approx 35.8\,\alpha\beta$ MB (α represents the ratio of request packets, and β represents the ratio of packets for which RR_i is qw's RRL). Shakkottai et al. [27] analyzed the Round Trip Time (RTT) of TCP packets and pointed out that the RTT is generally 100 ms and its maximum value is about 100 s. To avoid transferring the entries in MTable prematurely, we set T to 100 s. So for an entry En, if no corresponding response packet arrives within 100 s, En is transferred from MTable to disk. Thus, the total quantity of data that needs to be saved in MTable for an OC-192 link is about $35.8\,\alpha\beta \times 100 = 3580\,\alpha\beta$ MB. The ratio of request packets to all packets is small; for example, a TCP SYN is sent only when a TCP connection is initiated. Without loss of generality, we set α to 10%. For RR_i, it is hard to know the probability that RR_i is qw's RRL, so we cannot obtain the exact value of β. Without loss of generality, we assume β to be 50%. So 179 MB ($3580 \times 10\% \times 50\% = 179$ MB) of memory is needed for an OC-192 link. Therefore, a core router with 32 OC-192 links would require about 5728 MB (approximately 5.7 GB) of memory to store the request packet information. The memory size of current ordinary servers has reached dozens of GB, so we think a core router is fully able to provide 5.7 GB for MTable.
4.2 Number of Packets Required for Path Reconstruction (N_rq)

The IP address of RR_i is divided into 4 segments, and RR_i randomly selects a segment to fill into the request packet, so the victim needs to receive N_rq marks from RR_i to reconstruct RR_i's IP address. This is similar to the famous Coupon Collector problem: in repeated random sampling from an n-element set $S = \{1, 2, \ldots, n\}$, the expected number of trials needed to collect all n different elements is $n\ln(n) + O(n)$. Therefore, the theoretical expected value of N_rq in ADPM is about $4\ln(4) + O(4)$.

4.3 Resisting Forged Mark Information and Preventing Marks from Being Overwritten

In DPM [16], forged mark information is overwritten when the packet passes through a DPM-enabled edge router, so DPM obviates the issue of mark spoofing. But DPM has the mark overwriting problem: the marks added by upstream routers may be overwritten by downstream routers, which means the victim can only trace back to the last routers that the packets traversed. To solve this problem, DPM deployment has to start with the tier-1 ISPs. When a tier-2 ISP deploys DPM on its edge routers, it must inform its upstream tier-1 ISP(s) to disable DPM on the interfaces that connect to the tier-2 ISP. That is, when DPM is enabled on an n-tier ISP, the upstream (n-1)-tier ISP must disable DPM on the corresponding interfaces. From this description, we can see that DPM needs collaboration and information sharing among ISPs, but even so, DPM still has not solved the mark overwriting problem completely: in this deployment scheme, if the packet has to pass through several ISPs in the same tier, the mark added by the upstream n-tier ISP may still be overwritten by the downstream n-tier ISPs.

In ADPM, we use the 7-bit HMAC Au to determine whether an RR is qw's RRF or pw's RRP and to check the mark information. For example, when RR_i receives qw, it computes Au for qw. If Au is equal to qw.au, then RR_i concludes that an upstream RR has already marked qw and it will not mark qw, so the legitimate mark information will not be overwritten. If Au is not equal to qw.au, RR_i considers itself qw's RRF and marks qw, so forged mark information is overwritten. When a slave host h_sl adds forged mark information to qw, if the added Au happens to be the same as the Au calculated by the RR, then the RR cannot identify the forged mark information and h_sl can protect itself from tracing; but the probability of this case occurring is $1/2^7$. And if a slave host forges RR_i's mark information in the hope that the innocent RR_i will be identified as a slave, then the forged mark information must meet two prerequisites: the forged Au must be the same as the Au calculated by the RRs on the packet's path, and the forged dg must be the same as the dg calculated by the victim when reconstructing RR_i's address. Thus, the success rate of making RR_i be wrongly identified as a slave is $(1/2^7) \times (1/2^8)$. Generally speaking, ADPM has good scalability; it guarantees that legitimate mark information will not be overwritten and can identify forged mark information based on Au.
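The marking, logging and copying steps of Sections 3.4 to 3.9, the N_rq estimate of Section 4.2 and the Au-based overwriting of forged marks in Section 4.3 can be exercised end to end in a small simulation. The following Python is an added example, not code from the paper or its authors; it assumes HMAC-SHA256 as h, the first SHA-256 byte as the digest function f, a constructed shared key, a per-(src, dst) FIFO for MTable lookups, and constructed addresses for the slave-side RR, victim and reflector.

```python
import hashlib
import hmac
import random

KEY = b"constructed-shared-RR-key"  # k: key shared by all RRs (constructed sample value)

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def digest(ip):
    """f: IP -> dg, a 32-bit address compressed to g = 8 bits (first SHA-256 byte, assumed f)."""
    return hashlib.sha256(ip_to_int(ip).to_bytes(4, "big")).digest()[0]

def auth(src, dst, key=KEY):
    """Au = h(src, dst, k), truncated to the 7-bit HMAC field (HMAC-SHA256 assumed as h)."""
    msg = ip_to_int(src).to_bytes(4, "big") + ip_to_int(dst).to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[0] & 0x7F

def encode_mark(seg, sn, dg, au):
    """25-bit mark per Fig. 5: IPSeg(8) | IPSeg_Num(2) | Digest(8) | HMAC(7)."""
    return (seg << 17) | (sn << 15) | (dg << 7) | au

def decode_mark(mark):
    return (mark >> 17) & 0xFF, (mark >> 15) & 0x3, (mark >> 7) & 0xFF, mark & 0x7F

class Packet:
    def __init__(self, src, dst, mark=None):  # mark=None models an unmarked header
        self.src, self.dst, self.mark = src, dst, mark

class RR:
    """ADPM router: marks as RRF, logs as RRL (dst in its DTable), copies as RRP."""
    def __init__(self, ip, dtable=()):
        self.ip, self.dtable, self.mtable = ip, set(dtable), {}

    def on_request(self, qw):
        au = auth(qw.src, qw.dst)
        if qw.mark is None or decode_mark(qw.mark)[3] != au:
            # Au mismatch: we are RRF, or the mark is forged; (over)write our own mark
            sn = random.randrange(4)                          # one of the 4 IP segments
            seg = (ip_to_int(self.ip) >> (8 * (3 - sn))) & 0xFF
            qw.mark = encode_mark(seg, sn, digest(self.ip), au)
        if qw.dst in self.dtable:                             # we are RRL: log to MTable
            seg, sn, dg, _ = decode_mark(qw.mark)
            self.mtable.setdefault((qw.src, qw.dst), []).append((seg, sn, dg))
        return qw

    def on_response(self, pw):
        au = auth(pw.src, pw.dst)
        if pw.mark is None or decode_mark(pw.mark)[3] != au:  # we are RRP: copy a record
            recs = self.mtable.get((pw.dst, pw.src), [])       # rd.src = pw.dst, rd.dst = pw.src
            if recs:
                seg, sn, dg = recs.pop(0)                     # consumed record leaves MTable
                pw.mark = encode_mark(seg, sn, dg, au)
        return pw

def reconstruct(pws):
    """Victim side: group marks by (dg, Au), join the 4 segments, accept only if f(addr) == dg."""
    groups = {}
    for pw in pws:
        if pw.mark is None:
            continue
        seg, sn, dg, au = decode_mark(pw.mark)
        groups.setdefault((dg, au), {})[sn] = seg
    slaves = set()
    for (dg, _), segs in groups.items():
        if len(segs) == 4:
            addr = int_to_ip(sum(segs[i] << (8 * (3 - i)) for i in range(4)))
            if digest(addr) == dg:                            # dg check rejects mixed-up groups
                slaves.add(addr)
    return slaves

def expected_nrq(n=4):
    """Exact coupon-collector expectation n*H_n (the paper quotes n ln n + O(n))."""
    return n * sum(1.0 / i for i in range(1, n + 1))

def simulate(slave_rr, victim, reflector, n_packets=40, seed=1):
    """A slave behind RR slave_rr floods the reflector with spoofed, forged-mark requests."""
    random.seed(seed)
    rr1 = RR(slave_rr)                        # RRF nearest to the slave
    rr2 = RR("10.0.2.1", dtable={reflector})  # RRL of qw and RRP of pw (Assumption 2)
    responses = []
    for _ in range(n_packets):
        qw = Packet(victim, reflector)        # src spoofed to the victim's address
        qw.mark = encode_mark(0xAA, 1, 0x55, random.randrange(128))  # forged mark
        rr2.on_request(rr1.on_request(qw))
        pw = Packet(reflector, victim)        # reflector discards qw; pw starts unmarked
        responses.append(rr2.on_response(pw))
    return reconstruct(responses)
```

With the defaults, `simulate` returns the address of the RR nearest to the slave even though every request carried a forged mark and the reflector dropped the request's header entirely.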
4.4 The Incremental Deployment Problem

ADPM does not need to be deployed on all routers; when only some of the routers have ADPM deployed, ADPM can still work properly. For example, as shown in Fig. 8, the route from slave S_1 to reflector rf is (S_1, Router 1, Router 2, Router 3, rf) and the path from rf to victim Vm is (rf, Router 3, Router 4, Vm). Suppose Router 3 has not deployed ADPM; then the mark information in qw, which is sent from S_1 to rf, will be lost.

Fig. 8: The attack path from slave S_1 to the victim Vm

To avoid this situation, we can inform Router 2 of rf's address; then, when Router 2 receives a qw that is sent to rf, it stores qw's mark information. Vm may be unable to obtain Router 1's information from the response packet pw received from rf, but it can learn rf from pw.src directly. Through rf, Vm can find Router 3, which connects to rf, and locate Router 2. Then Vm searches Router 2's MTable for the record rd corresponding to pw (rd.src = pw.dst, rd.dst = pw.src).

And at last, Vm locates Router 1 based on the mark information in rd.

5 Experiment Results

In order to assess the performance of ADPM in a network, we established a simulation environment based on the network simulation framework OMNET++ and the network simulation toolkit INET Framework. We modified some procedures in INET so that routers can fill mark information into packets, and implemented DPM [16] and ADPM. Our simulations were run on a server with an Intel(R) Xeon(R) CPU 2.27 GHz, 2.26 GHz and 23.9 GB RAM.

5.1 Number of Packets Required for Path Reconstruction (N_rq)

We let the slave S send request packets carrying the victim Vm's address to the reflector rf; rf then sends the corresponding response packets to Vm. Once Vm has received all the distinct IP segments of S, we let S stop sending packets, so that we obtain the number of packets required for path reconstruction. To ensure the credibility of the simulation results, we ran experiments for ADPM and for DPM [16] (in DPM, we let f=4, a=8, d=5) and took the mean values of N_rq as the simulation results of ADPM and DPM. Fig. 9 shows the simulated and theoretical expected values of N_rq in ADPM and DPM. From Fig. 9 we can see that the theoretical expected value of N_rq in ADPM is basically the same as its simulation result, and DPM shows a similar situation. We can also see that ADPM's N_rq is much smaller than DPM's, for both the theoretical expected value and the simulation value. So ADPM can locate the slaves more quickly than DPM.

Fig. 9: N_rq of ADPM and DPM (series: ADPM theoretical value, ADPM simulation value, DPM theoretical value, DPM simulation value)

5.2 False Positive (FP)

In the reconstruction procedure of ADPM, the victim first classifies the attack response packets into groups according to the dg, Au and sn in the packets; then the victim extracts the IP segments from the packets of a group and reconstructs the IP address slaaddr. If the hash value of slaaddr is equal to the specified packet's dg, we take slaaddr to be one slave's address. In this procedure, we may incorrectly identify a reconstructed slaaddr as a slave's address. For example, if the hash values of two RRs' (RR1 and RR2) IP addresses are the same, the victim will be unable to determine which IP segment belongs to RR1 and which to RR2. In this case, several IP addresses may be reconstructed. If one of those reconstructed IP addresses is wrongly identified as a slave's

address, we say a false positive (FP) has occurred. FP is used to describe the number of innocent IP addresses incorrectly identified as slaves' addresses. Below we analyze the FP of ADPM and DPM through experiments.

In the simulation, we found that the victim in DPM had to take a long time to reconstruct the IP addresses. For example, when m=2000 (in DPM, m represents the number of edge routers, and in ADPM, m represents the number of RRs whose regions have slaves), DPM spent about 7 minutes in path reconstruction while ADPM needed only about 0.38 seconds. So, in DPM, if we wanted to do 100 trials for each value of m (m= ), the simulation time could surpass 500 days. Thus we ran simulations for DPM when m=100, 500, 1000, 1500, 2000, 2500, 3000, and ran simulations when m= for ADPM. To ensure the credibility of the simulation results, we did 100 trials and calculated the mean FP for each value of m. In all these trials, the IP addresses assigned to each RR in ADPM or to the edge routers in DPM were randomly selected in [0, ] so as to make our simulation environment correspond with the real world.

Fig. 10 shows ADPM's FP in simulation and DPM's FP in theory (because it is difficult to obtain DPM's FP for each value of m (m= ) through simulation, we calculate DPM's FP based on the formula in A.2 of ref. [16]; in that formula, we let f=4, a=8, d=5, N=m). From Fig. 10, we can see that when m>2500, ADPM's FP still grows slowly, while DPM's FP grows swiftly; and when 0<m<2700, ADPM's FP is a little bigger than that of DPM, but when m>2700, ADPM's FP is much less than DPM's. Thus, ADPM is more stable than DPM.

Fig. 10: The FP of ADPM and DPM (series: ADPM's simulation results, DPM's theoretical value)

Table 2: The FP of ADPM and DPM (rows: DPM Theoretical Value, DPM Simulation Results, ADPM Simulation Results, for each value of m; the numeric entries were not recovered from the page)

Table 2 shows ADPM's FP and DPM's FP when m=100, 500, 1000, 1500, 2000, 2500, From Table 2, we can see that the change in DPM's FP in simulation follows the same trend as in theory; for example, when m>2500, FP grows swiftly both in simulation and in theory. But we can also see that DPM's FP in simulation is much larger than its theoretical values. We argue that the reason is that, when calculating DPM's FP, the formula in [16] assumes the number of ingress addresses having the same digest is N/E[H], but in fact the digests may

have different address numbers, which makes the theoretical values of DPM's FP smaller than those in simulation. Table 2 also shows that DPM's FP in simulation is much larger than ADPM's when m>2500; for example, when m=3000, DPM's FP in simulation is , while ADPM's is 7.73, so we think that ADPM has a higher accuracy in locating the slaves.

5.3 The Reconstruction Time (T_r) and the Number of Permutations (N_p)

When we did the experiments to obtain DPM's and ADPM's FP, we found that DPM's experiment time was long, which made it hard to obtain the mean FP of DPM. Faced with this situation, we were interested in the gap between DPM's T_r and ADPM's T_r, and tried to find the reasons for the difference (after many trials, we found that the number of permutations, N_p, generated in the reconstruction process has the greatest impact on the reconstruction time). We did 100 experiments for each value of m (m=100, 500, 1000, 1500, 2000, 3000) and calculated the average T_r and the average N_p of the IP address reconstruction. Fig. 11 shows the T_r of DPM and ADPM in simulation. From Fig. 11, we can see that DPM's T_r is much larger than ADPM's. For example, when m=3000, the T_r of DPM is about 1630 s, while in ADPM it is only about 0.46 s. Fig. 12 shows the N_p of ADPM and DPM. DPM's N_p is much larger than ADPM's; for example, when m=3000, DPM's N_p is about 1.07E+9, while ADPM's N_p is about 5027, which makes DPM's reconstruction time much longer than ADPM's. From this analysis, we can see that ADPM's reconstruction time and number of permutations are much smaller than DPM's, which lets ADPM locate the slaves more quickly.

Fig. 11: T_r of ADPM and DPM (in seconds; series: ADPM, DPM)

Fig. 12: N_p of ADPM and DPM (series: ADPM, DPM)

6 Conclusion

In this article, we have improved DPM [16] and presented ADPM, a novel DRDoS traceback method which is scalable and quick to locate the slaves. Furthermore, it can identify forged mark information and has a small FP. As the work on ADPM continues, we plan to investigate the traceback effects when only some of the routers have ADPM deployed. Generally speaking, in a large network, different deployment strategies may bring different traceback effects, so how to choose the routers that run ADPM is a crucial matter. We also plan to deploy ADPM in real routers to observe its traceback effects in the future.

Acknowledgement

This work is supported by the National Key Basic Research Program of China (973 Program) under Grant Nos. 2009CB320504, the Innovative Research Groups of the National Natural Science Foundation of China under Grant Nos , and the Research Fund for the Doctoral Program of Higher Education of China under Grant Nos .

References

[1] R. Stone, CenterTrack: an IP overlay network for tracking DoS floods, in: Proceedings of the 9th USENIX Security Symposium, USENIX Association, Berkeley, 2000, pp.
[2] H. Burch, B. Cheswick, Tracing anonymous packets to their approximate source, in: Proceedings of the 14th USENIX Conference on System Administration (LISA 2000), USENIX Association, Berkeley, 2000, pp.
[3] S. M. Bellovin, M. D. Leech, ICMP traceback messages, Internet Draft draft-bellovin-itrace-00.txt (2000).
[4] S. Bellovin, M. Leech, T. Taylor, ICMP traceback messages, Internet Draft draft-ietf-itrace-04.txt (2003).
[5] V. Kuznetsov, H. Sandstrom, A. Simkin, An evaluation of different IP traceback approaches, in: 4th International Conference on Information and Communications Security (ICICS 2002), Springer-Verlag, Berlin, Singapore, 2002, pp.
[6] L. Sanchez, W. Milliken, A. Snoeren, F. Tchakountio, C. Jones, S. Kent, C. Partridge, W. Strayer, Hardware support for a hash-based IP traceback, in: DARPA Information Survivability Conference & Exposition II, Vol. 2, 2001, pp.
[7] A. C. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio, B. Schwartz, S. T. Kent, W. T. Strayer, Single-packet IP traceback, in: ACM SIGCOMM 2001 Conference, San Diego, California, 2001, pp.

[8] S. Savage, D. Wetherall, A. Karlin, T. Anderson, Network support for IP traceback, IEEE/ACM Transactions on Networking 9(3) (2001).
[9] D. X. Song, A. Perrig, Advanced and authenticated marking schemes for IP traceback, in: Proceedings of IEEE INFOCOM, Vol. 2, IEEE, 2001, pp.
[10] H. P. Qu, D. G. Feng, P. R. Su, IP traceback scheme based on marking-in-order, Tien Tzu Hsueh Pao/Acta Electronica Sinica 34(1) (2006).
[11] A. Belenky, N. Ansari, IP traceback with deterministic packet marking, IEEE Communications Letters 7(4) (2003).
[12] G. Jin, J. Y. Zhao, Y. M. Zhao, X. H. Wang, Study on IP traceback of DDoS attack ingress within an autonomous system, Dianzi Yu Xinxi Xuebao/Journal of Electronics and Information Technology 27(3) (2005).
[13] Y. Xiang, W. L. Zhou, M. Y. Guo, Flexible deterministic packet marking: An IP traceback system to find the real source of attacks, IEEE Transactions on Parallel and Distributed Systems 20(4) (2009).
[14] R. P. Laufer, P. B. Velloso, D. d. O. Cunha, I. M. Moraes, M. D. D. Bicudo, M. D. D. Moreira, O. C. M. B. Duarte, Towards stateless single-packet IP traceback, in: 32nd IEEE Conference on Local Computer Networks, IEEE Computer Society, Washington, 2007, pp.
[15] A. Castelucio, A. Ziviani, R. M. Salles, An AS-level overlay network for IP traceback, IEEE Network 23(1) (2009).
[16] A. Belenky, N. Ansari, On deterministic packet marking, Computer Networks 51(10) (2007).
[17] R. P. Laufer, P. B. Velloso, O. C. M. B. Duarte, Generalized Bloom filters, Tech. rep. (2005).
[18] H. W. Lee, S. H. Yun, T. Kwon, J. S. Kim, H. U. Park, N. H. Oh, Reflector attack traceback system with pushback based iTrace mechanism, in: J. Lopez, S. Qing (Eds.), 6th International Conference on Information and Communications Security, Springer-Verlag, Berlin, Malaga, Spain, 2004, pp.
[19] H. W. Lee, T. Kwon, H. J. Kim, NS-2 based IP traceback simulation against reflector based DDoS attack, in: T. G. Kim (Ed.), 13th International Conference on Artificial Intelligence, Simulation and Planning in High Autonomy Systems (AIS 2004), Springer-Verlag, Berlin, Cheju Island, South Korea, 2004, pp.
[20] H. W. Kang, S. J. Hong, D. H. Lee, Matching connection pairs, in: 5th International Conference, PDCAT 2004, December 8-10, 2004, Vol. of Lecture Notes in Computer Science, Springer-Verlag, Singapore, 2004, pp.
[21] R. Shokri, A. Varshovi, H. Mohammadi, N. Yazdani, B. Sadeghian, DDPM: Dynamic deterministic packet marking for IP traceback, in: 2006 IEEE International Conference on Networks (ICON 2006), Networking: Challenges and Frontiers, Vol. 2, IEEE Computer Society, Singapore, 2006, pp.
[22] Z. Chen, M. Lee, An IP traceback technique against denial-of-service attacks, in: 19th Annual Computer Security Applications Conference (ACSAC 2003), 2003, pp.
[23] J. Zhang, S. Q. Chen, Research on authentication scheme for DDoS attack source traceback, Application Research of Computers 24(10) (2007).
[24] A. Durresi, V. Paruchuri, L. Barolli, Fast autonomous system traceback, Journal of Network and Computer Applications 32(2) (2009).

[25] H. Tsunoda, K. Ohta, A. Yamamoto, N. Ansari, Y. Waizumi, Y. Nemoto, Detecting DRDoS attacks by a simple response packet confirmation mechanism, Computer Communications 31(14) (2008).
[26] B. Al-Duwairi, G. Manimaran, Distributed packet pairing for reflector based DDoS attack mitigation, Computer Communications 29(12) (2006).
[27] S. Shakkottai, R. Srikant, N. Brownlee, A. Broido, K. Claffy, The RTT distribution of TCP flows in the Internet and its impact on TCP-based flow control, Technical report, Cooperative Association for Internet Data Analysis (CAIDA) (2004).
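The victim-side reconstruction and digest check of Section 5.2, together with the permutation count N_p of Section 5.3, as an added example (constructed for this page, not the authors' ADPM code). It assumes four 8-bit address segments, a 5-bit truncated SHA-256 as dg and a constant Au, and shows how two slave addresses sharing one dg force 2^4 permutations and can produce false positives.

```python
"""Victim-side address reconstruction with digest checking and false-positive
counting, after the procedure Section 5.2 describes. Constructed example for
this page, not the authors' ADPM code. Assumed parameters: a 32-bit IPv4
slave address is carried as four 8-bit segments, dg is a 5-bit truncated
SHA-256 of the whole address, and Au is an opaque value held constant."""
from collections import defaultdict
from dataclasses import dataclass
from itertools import product
import hashlib

SEGMENTS = 4      # assumption: address segments per slave address
SEG_BITS = 8      # assumption: bits carried per segment
DIGEST_BITS = 5   # assumption: width of the digest dg


def digest(addr: int) -> int:
    """dg for an address: SHA-256 of its 4 bytes, truncated to DIGEST_BITS (assumed)."""
    h = hashlib.sha256(addr.to_bytes(4, "big")).digest()
    return h[0] & ((1 << DIGEST_BITS) - 1)


def segments(addr: int) -> tuple:
    """Split an address into SEGMENTS values of SEG_BITS bits, most significant first."""
    mask = (1 << SEG_BITS) - 1
    return tuple((addr >> (SEG_BITS * (SEGMENTS - 1 - sn))) & mask
                 for sn in range(SEGMENTS))


@dataclass(frozen=True)
class Mark:
    """Mark information as the victim sees it in one response packet pw."""
    dg: int   # digest of the slave address
    au: int   # authentication value (opaque in this example)
    sn: int   # segment number, 0 .. SEGMENTS-1
    seg: int  # the SEG_BITS-bit address segment


def marks_for(addr: int, au: int) -> list:
    """The marks a victim eventually collects for one slave address (constructed)."""
    return [Mark(digest(addr), au, sn, seg) for sn, seg in enumerate(segments(addr))]


def reconstruct(marks):
    """Classify marks by (dg, au, sn); per (dg, au) group, combine one segment
    value per sn into a candidate slaaddr and keep it if digest(slaaddr) == dg.
    Returns (candidate addresses, number of permutations tried, i.e. N_p)."""
    groups = defaultdict(lambda: defaultdict(set))
    for m in marks:
        groups[(m.dg, m.au)][m.sn].add(m.seg)
    candidates, n_perm = set(), 0
    for (dg, _au), by_sn in groups.items():
        if len(by_sn) < SEGMENTS:
            continue  # some segment not received yet (cf. N_rq in Section 5.1)
        for segs in product(*(sorted(by_sn[sn]) for sn in range(SEGMENTS))):
            n_perm += 1
            slaaddr = 0
            for s in segs:
                slaaddr = (slaaddr << SEG_BITS) | s
            if digest(slaaddr) == dg:
                candidates.add(slaaddr)
    return candidates, n_perm


def false_positives(candidates, true_slaves):
    """FP: reconstructed addresses that are not real slave addresses."""
    return candidates - set(true_slaves)


def colliding_address(addr: int, start: int) -> int:
    """Search upward from `start` for an address with the same dg as `addr`
    and no segment in common at any position, so all cross-combinations differ."""
    target, ref = digest(addr), segments(addr)
    a = start
    while digest(a) != target or any(x == y for x, y in zip(segments(a), ref)):
        a += 1
    return a


def demo():
    """Two slaves whose addresses share one digest (constructed scenario):
    the victim cannot tell whose segment is whose, so it tries 2**SEGMENTS
    permutations and may accept a wrong one that also hashes to dg."""
    s1 = 0x0A010203                           # 10.1.2.3
    s2 = colliding_address(s1, 0xAC100001)    # searched upward from 172.16.0.1
    marks = marks_for(s1, au=0) + marks_for(s2, au=0)
    cands, n_perm = reconstruct(marks)
    return {"slaves": (s1, s2), "candidates": cands, "n_perm": n_perm,
            "fp": false_positives(cands, (s1, s2))}


if __name__ == "__main__":
    r = demo()
    print(f"N_p = {r['n_perm']}, candidates = {len(r['candidates'])}, FP = {len(r['fp'])}")
```

Each candidate that passes the digest check but is not a real slave is one FP, which is exactly the quantity the paper's Table 2 and Fig. 10 count; widening DIGEST_BITS lowers it, narrowing it raises it.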


More information

Online Identification of Multi-Attribute High-Volume Traffic Aggregates Through Sampling

Online Identification of Multi-Attribute High-Volume Traffic Aggregates Through Sampling Online Identification of Multi-Attribute High-Volume Traffic Aggregates Through Sampling Yong Tang Shigang Chen Department of Computer & Information Science & Engineering University of Florida, Gainesville,

More information

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS 2002 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor

More information

Port Hopping for Resilient Networks

Port Hopping for Resilient Networks Port Hopping for Resilient Networks Henry C.J. Lee, Vrizlynn L.L. Thing Institute for Infocomm Research Singapore Email: {hlee, vriz}@i2r.a-star.edu.sg Abstract With the pervasiveness of the Internet,

More information

An Improved IPv6 Trace-Back technique to uncover Denial of Service (DoS) attacks

An Improved IPv6 Trace-Back technique to uncover Denial of Service (DoS) attacks An Improved IPv6 Trace-Back technique to uncover Denial of Service (DoS) attacks Thesis submitted in partial fulfillment of the requirements for the award of degree of Master of Engineering in Computer

More information

Denial of Service Attacks

Denial of Service Attacks 2 Denial of Service Attacks : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013 its335y13s2l06, Steve/Courses/2013/s2/its335/lectures/malicious.tex,

More information

A novel approach to detecting DDoS attacks at an early stage

A novel approach to detecting DDoS attacks at an early stage J Supercomput (2006) 36:235 248 DOI 10.1007/s11227-006-8295-0 A novel approach to detecting DDoS attacks at an early stage Bin Xiao Wei Chen Yanxiang He C Science + Business Media, LLC 2006 Abstract Distributed

More information

packet retransmitting based on dynamic route table technology, as shown in fig. 2 and 3.

packet retransmitting based on dynamic route table technology, as shown in fig. 2 and 3. Implementation of an Emulation Environment for Large Scale Network Security Experiments Cui Yimin, Liu Li, Jin Qi, Kuang Xiaohui National Key Laboratory of Science and Technology on Information System

More information

DETECTION OF DDOS ATTACKS USING IP TRACEBACK AND NETWORK CODING TECHNIQUE

DETECTION OF DDOS ATTACKS USING IP TRACEBACK AND NETWORK CODING TECHNIQUE DETECTION OF DDOS ATTACKS USING IP TACEBACK AND NETWOK CODING TECHNIQUE J.SATHYA PIYA 1, M.AMAKISHNAN 2, S.P.AJAGOPALAN 3 1 esearch Scholar, Anna University, Chennai, India 2Professor,Velammal Engineering

More information

How To Understand A Network Attack

How To Understand A Network Attack Network Security Attack and Defense Techniques Anna Sperotto (with material from Ramin Sadre) Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Attacks! Many different

More information

Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by

More information

StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense

StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense 1 StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense Abraham Yaar Adrian Perrig Dawn Song Carnegie Mellon University {ayaar, perrig, dawnsong}@cmu.edu Abstract Today

More information

Distributed Denial of Service

Distributed Denial of Service Distributed Denial of Service Dr. Arjan Durresi Louisiana State University Baton Rouge, LA 70810 Durresi@Csc.LSU.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc7502_04/ Louisiana

More information

Distributed Denial of Service Attacks & Defenses

Distributed Denial of Service Attacks & Defenses Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall 2011 Distributed Denial of Service (DDoS) Exhaust resources of a target, or the resources it depends on Resources:

More information

IP Traceback-based Intelligent Packet Filtering: A Novel Technique for Defending Against Internet DDoS Attacks

IP Traceback-based Intelligent Packet Filtering: A Novel Technique for Defending Against Internet DDoS Attacks IP Traceback-based Intelligent Packet Filtering: A Novel Technique for Defending Against Internet DDoS Attacks Minho Sung and Jun Xu College of Computing Georgia Institute of Technology Atlanta, GA 30332-0280

More information

ECE 578 Term Paper Network Security through IP packet Filtering

ECE 578 Term Paper Network Security through IP packet Filtering ECE 578 Term Paper Network Security through IP packet Filtering Cheedu Venugopal Reddy Dept of Electrical Eng and Comp science Oregon State University Bin Cao Dept of electrical Eng and Comp science Oregon

More information

Acquia Cloud Edge Protect Powered by CloudFlare

Acquia Cloud Edge Protect Powered by CloudFlare Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....

More information

Malice Aforethought [D]DoS on Today's Internet

Malice Aforethought [D]DoS on Today's Internet Malice Aforethought [D]DoS on Today's Internet Henry Duwe and Sam Mussmann http://bit.ly/cs538-ddos What is DoS? "A denial of service (DoS) attack aims to deny access by legitimate users to shared services

More information

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks 2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks Reyhaneh

More information

CloudFlare advanced DDoS protection

CloudFlare advanced DDoS protection CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com

More information

co Characterizing and Tracing Packet Floods Using Cisco R

co Characterizing and Tracing Packet Floods Using Cisco R co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1

More information

Detecting and Preventing IP-spoofed Distributed DoS Attacks

Detecting and Preventing IP-spoofed Distributed DoS Attacks International Journal of Network Security, Vol.7, No.1, PP. 81, July 28 Detecting and Preventing IP-spoofed Distributed DoS Attacks Yao Chen 1, Shantanu Das 1, Pulak Dhar 2, Abdulmotaleb El Saddik 1, and

More information

A Source Identification Scheme against DDoS Attacks in Cluster Interconnects

A Source Identification Scheme against DDoS Attacks in Cluster Interconnects A Source Identification Scheme against DDoS Attacks in Cluster Interconnects Manhee Lee* Eun Jung Kim* Cheol Won Lee *Department of Computer Science Texas A&M University College Station, TX-77840 manheelee@tamu.edu,

More information

Depth-in-Defense Approach against DDoS

Depth-in-Defense Approach against DDoS 6th WSEAS International Conference on Information Security and Privacy, Tenerife, Spain, December 14-16, 2007 102 Depth-in-Defense Approach against DDoS Rabia Sirhindi, Asma Basharat and Ahmad Raza Cheema

More information

Adaptive Discriminating Detection for DDoS Attacks from Flash Crowds Using Flow. Feedback

Adaptive Discriminating Detection for DDoS Attacks from Flash Crowds Using Flow. Feedback Adaptive Discriminating Detection for DDoS Attacks from Flash Crowds Using Flow Correlation Coeff icient with Collective Feedback N.V.Poorrnima 1, K.ChandraPrabha 2, B.G.Geetha 3 Department of Computer

More information

A Little Background On Trace Back

A Little Background On Trace Back CSC 774 Network Security Spring 2003 A Little Background On Trace Back Two network tracing problems are currently being studied: IP traceback and traceback across stepping-stones (or a connection chain).

More information

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Network Security Chapter 3 Cornelius Diekmann Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Version: October 21, 2015 IN2101, WS 15/16, Network Security 1 Security Policies and

More information

Survey on DDoS Attack in Cloud Environment

Survey on DDoS Attack in Cloud Environment Available online at www.ijiere.com International Journal of Innovative and Emerging Research in Engineering e-issn: 2394-3343 p-issn: 2394-5494 Survey on DDoS in Cloud Environment Kirtesh Agrawal and Nikita

More information

Detecting Service Violations and DoS Attacks

Detecting Service Violations and DoS Attacks Detecting Service Violations and DoS Attacks Ahsan Habib, Mohamed M. Hefeeda, and Bharat K. Bhargava CERIAS and Department of Computer Sciences Purdue University, West Lafayette, IN 47907 {habib, mhefeeda,

More information

Protecting Mobile Devices From TCP Flooding Attacks

Protecting Mobile Devices From TCP Flooding Attacks Protecting Mobile Devices From TCP Flooding Attacks Yogesh Swami % and Hannes Tschofenig* % Nokia Research Center, Palo Alto, CA, USA. * Siemens Corporate Technology, Munich, DE. 1 Motivation Anatomy of

More information

Survey on DDoS Attack Detection and Prevention in Cloud

Survey on DDoS Attack Detection and Prevention in Cloud Survey on DDoS Detection and Prevention in Cloud Patel Ankita Fenil Khatiwala Computer Department, Uka Tarsadia University, Bardoli, Surat, Gujrat Abstract: Cloud is becoming a dominant computing platform

More information

How To Detect Denial Of Service Attack On A Network With A Network Traffic Characterization Scheme

How To Detect Denial Of Service Attack On A Network With A Network Traffic Characterization Scheme Efficient Detection for DOS Attacks by Multivariate Correlation Analysis and Trace Back Method for Prevention Thivya. T 1, Karthika.M 2 Student, Department of computer science and engineering, Dhanalakshmi

More information

Detection of Distributed Denial of Service Attack with Hadoop on Live Network

Detection of Distributed Denial of Service Attack with Hadoop on Live Network Detection of Distributed Denial of Service Attack with Hadoop on Live Network Suchita Korad 1, Shubhada Kadam 2, Prajakta Deore 3, Madhuri Jadhav 4, Prof.Rahul Patil 5 Students, Dept. of Computer, PCCOE,

More information

A Novel Protocol for IP Traceback to Detect DDoS Attack

A Novel Protocol for IP Traceback to Detect DDoS Attack www.ijcsi.org 284 A Novel Protocol for IP Traceback to Detect DDoS Attack Yogesh Kumar Meena 1, Aditya Trivedi 2 1 Hindustan Institute of Technology and Management, Agra, UP, India 2 ABV-Indian Institute

More information

A Flow-based Method for Abnormal Network Traffic Detection

A Flow-based Method for Abnormal Network Traffic Detection A Flow-based Method for Abnormal Network Traffic Detection Myung-Sup Kim, Hun-Jeong Kang, Seong-Cheol Hong, Seung-Hwa Chung, and James W. Hong Dept. of Computer Science and Engineering POSTECH {mount,

More information

DiDDeM: A System for Early Detection of TCP SYN Flood Attacks

DiDDeM: A System for Early Detection of TCP SYN Flood Attacks DiDDeM: A System for Early Detection of TCP SYN Flood Attacks J. Haggerty, T. Berry, Q. Shi and M. Merabti School of Computing and Mathematical Sciences, Liverpool John Moores University, Liverpool, UK,

More information

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT DDoS Protection How Cisco IT Protects Against Distributed Denial of Service Attacks A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge: Prevent low-bandwidth DDoS attacks coming from a broad

More information

Network Attacks Detection Based on Multi Clustering and Trace back Methods

Network Attacks Detection Based on Multi Clustering and Trace back Methods Network Attacks Detection Based on Multi Clustering and Trace back Methods C.Navamani MCA.,M.Phil.,ME., S.Naveen Assistant professor, Final MCA Dept of computer applications, Nandha engineering college,

More information