Traceback DRDoS Attacks
Journal of Information & Computational Science 8: 1 (2011)
Available at

Traceback DRDoS Attacks
Yonghui Li, Yulong Wang, Fangchun Yang, Sen Su
State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, China

Abstract
At present, researchers have already proposed many methods for tracing DoS or DDoS attacks, but little attention has been paid to DRDoS (Distributed Reflector Denial of Service) traceback. In DRDoS, the slaves hide behind innocent reflectors, which makes the general DoS or DDoS traceback methods hard to apply to DRDoS traceback. In this paper, we propose a collaborative traceback method, ADPM (Authenticated Deterministic Packet Marking), to trace DRDoS attacks. In ADPM, routers mark request packets, log the request packets' mark information and add the corresponding logged information to response packets, so victims can locate slaves when suffering a DRDoS attack. Analysis and simulation results show that ADPM has the following advantages: it requires small memory to log the mark information; it is able to resist forged mark information; it can be deployed conveniently and incrementally; both the false positive rate and the number of packets needed for path reconstruction are small.

Keywords: IP Traceback; Deterministic Packet Marking (DPM); Denial of Service (DoS); Distributed Denial of Service (DDoS); Distributed Reflector Denial of Service (DRDoS)

1 Introduction
Over the past decade, the Internet has penetrated most industries and people are more and more dependent on it. Once a large-scale failure happens in the Internet, social life may suffer serious confusion, so network security has received much attention. IP traceback plays an important role in network security because if we can find and punish the intruder, we could eliminate the attack fundamentally. Among the various attack types, the DoS (Denial of Service) attack is one of the most threatening.
At present, DDoS (Distributed Denial of Service) and DRDoS (Distributed Reflector Denial of Service), which derive from DoS, already play important roles in network attacks. In a DDoS attack, the attacker controls some master zombies and a large number of slave zombies; it sends attack commands to the master zombies, and the master zombies then order the slave zombies to flood the victim, as shown in Fig. 1. DRDoS is a more sophisticated type of attack. It uses legitimate hosts called reflectors to flood the victim by making slaves spoof the victim's address. A reflector may be any IP host that will respond to request messages, like SYN, SYN/ACK, ICMP request, DNS queries and so on. Fig. 2 shows the procedure of a DRDoS attack. An attacker first controls some zombies and locates a large number of reflectors. Then it sends attack commands to the master zombies. On receiving the attack commands, the master zombies let the slaves send request packets carrying the victim's address to the reflectors. The reflectors then send response packets to the victim based on the forged source addresses in those request packets. At last, the victim is flooded by the numerous unsolicited response packets.

Fig. 1: Structure of DDoS attack
Fig. 2: Structure of DRDoS attack

The main features of DRDoS are:
(1) The attacker is unable to make the reflectors forge IP addresses, so the source addresses in the response packets are the reflectors' addresses. The victim can locate the reflectors directly;

Corresponding author. Email address: liyonghuibupt@gmail.com (Yonghui Li)
Copyright 2011 Binary Information Press. January 2011
(2) The source addresses in the request packets sent by the slaves are the victim's address. When the reflectors receive request packets, they discard the received packets and generate new response packets. Thus the victim cannot get any information about the slaves from the received response packets;
(3) The request packets generated by one slave are distributed to several reflectors, so each reflector produces only a small number of response packets.

At present, researchers have already proposed many kinds of IP traceback methods for tracing (D)DoS attacks, such as CenterTrack [1], controlled flooding [2], ICMP traceback [3, 4, 5], router logging [6, 7], packet marking [8, 9, 10, 11, 12, 13, 14, 15] and so on. Due to characteristics (2) and (3) of DRDoS, the (D)DoS traceback methods are not suitable for tracing DRDoS attacks. And as far as we know, research on DRDoS traceback is still scarce. The method proposed by Belenky et al. [16] lets reflectors save the packets' mark information, so when suffering a DRDoS attack, victims can get the mark information from the reflectors' logs and trace the slaves. But this method has some deficiencies: it is hard to deploy, and the mark information in packets may be overwritten by downstream routers (as analyzed in section 4.3); moreover, in DRDoS the reflectors can be any legitimate hosts, and it is hard for network managers to require private hosts to log mark information. In view of these problems, we improve Belenky's scheme and propose a new traceback method named ADPM (Authenticated Deterministic Packet Marking), which uses packet marking and router logging to make victims able to locate slaves quickly when suffering a DRDoS attack.
ADPM possesses the following features: (1) it prevents mark information from being overwritten; (2) it can resist forged mark information; (3) it saves the request packets' mark information in routers, ensuring the information about slaves is not lost; (4) it can be deployed conveniently and incrementally; (5) it needs only a small number of marked packets to locate the slave; (6) it generates only a small number of false positives.

The rest of this paper is organized as follows: Section 2 introduces the existing (D)DoS and DRDoS traceback methods; Section 3 gives the detailed design of ADPM. In Section 4, we conduct a detailed theoretical analysis of ADPM. Section 5 shows the simulation environment and results. Finally, conclusions are presented in Section 6.

2 Related Work

2.1 (D)DoS Traceback Methods
Stone [1] proposed the CenterTrack scheme for tracking DoS floods. This scheme can quickly identify the ingress edge routers of packets by observing the tunnel the packets pass through. But it requires that all suspicious traffic converge on one or more tracking routers, which causes these routers to become network bottlenecks.

Burch et al. [2] introduced controlled flooding. In this method, the victim tests links by flooding them with large traffic, and observes the drop in packet rates to infer the attack path. Controlled flooding is itself a kind of DoS attack and can only be used during the ongoing phase of a DoS attack; it is not suited for tracing DDoS and DRDoS attacks.

Bellovin et al. [3, 4] and Kuznetsov et al. [5] proposed using ICMP messages to trace back the packet path. In this scheme, each router samples packets with a certain probability and generates a trace packet called itrace for each chosen packet. The itrace contains the router's and the chosen packet's information, and is forwarded to the same destination as the chosen packet. The victim can reconstruct the attack path after receiving enough itrace packets. The main problem of this scheme is that the receiver of an itrace is unable to determine whether it was sent by a legitimate router or by the attacker. Moreover, firewalls in the network often block itrace, so that it cannot reach its destination.

Sanchez et al. [6] and Snoeren et al. [7] proposed logging packets in routers so as to find the path a packet passes through. Theoretically, this method can trace almost any attack. But the ISPs in this scheme have to do much work, which keeps it from being accepted widely in practice.

Savage et al. [8] introduced a promising solution referred to as probabilistic packet marking (PPM). In this scheme, routers select packets with a certain probability and mark the chosen packets with partial edge information. Song et al. [9] and Qu et al. [10] made improvements to PPM. We argue that PPM is mainly suitable for tracing DoS attacks.
In DDoS and single-packet attacks, the slaves or the attacker send a small number of packets, which makes it difficult for the victim to reconstruct the attack path due to the lack of enough marked packets. Belenky and Ansari [11] proposed the deterministic packet marking (DPM) scheme, which lets the edge routers mark every packet that enters the protected network. Jin et al. [12] and Xiang et al. [13] also introduced similar schemes. However, all these methods [11, 12, 13] can only trace back to the entrance of the network where the victim is located. Laufer et al. [14] introduced an enhancement of DPM. They suggested letting the packet carry all the path information in a Generalized Bloom Filter (GBF) [17]. This approach could trace single-packet attacks and locate the attackers, but it requires a large space for the GBF to store the path information, and the IP packet header cannot offer such a large space. Castelucio et al. [15] improved the scheme proposed by Laufer. They reduced the false positive probability by constructing an overlay network at the Autonomous System (AS) level and integrating the time-to-live (TTL) into the path information. Compared with Laufer's method, Castelucio's scheme cuts down the false positive probability while increasing the false negative probability.

In a DRDoS attack, the mark information in request packets is lost when innocent reflectors process the request packets and send response packets to the victim, so traceback methods like PPM and DPM cannot trace slaves in DRDoS.

2.2 DRDoS Traceback Methods
Below we introduce the DRDoS traceback methods known to us.

Lee et al. [18, 19] suggested letting routers generate itrace packets and send them to the victim host when the routers find suspicious packets. Thus the victim can reconstruct the attack path between slaves and reflectors, and locate the slaves. Lee's scheme is very similar to the methods in [3, 4, 5] and has the same shortcomings as [3, 4, 5], too.

Kang et al. [20] proposed an intruder tracing algorithm based on connection traceback technology to detect the stepping-stones in detoured attacks. In this scheme, when the IDS (Intrusion Detection System) of a host reports a stepping-stone's IP address and port number, the traceback algorithm goes to that stepping-stone host and finds the process using the reported port. Then, if the process has an inbound connection and the connection's IP address and port number are not those of the origin attacker, the traceback algorithm continues to find the parent process of the current process, until finding the origin attacker. This scheme works while the attack is in progress. Once the attack has finished and the related processes on the stepping-stones have closed, this traceback algorithm cannot carry on the tracing work. Meanwhile, this scheme needs to query processes in the hosts hop by hop, which is complex and poor in usability.

Shokri et al. [21] proposed an approach named DDPM, which uses dynamic marking to locate slaves in a DRDoS attack. DDPM needs to be implemented only in the edge routers of a domain. The edge routers store some information about every incoming packet in their own lists. On receiving an outgoing packet, the edge router queries its list for a corresponding record. If the desired record exists, the edge router adds the mark information of the record to that outgoing packet; otherwise it marks that packet with the address of the packet's incoming interface. Thus, after receiving a certain number of marked attack packets, the victim can find the domain where the slaves are located.
But DDPM did not consider that a packet may pass through several domains before reaching its destination, and that the mark information may be overwritten by downstream edge routers. Thus, in fact, a victim using DDPM can only trace to its neighbor domain.

Chen et al. [22] advanced a reflective algebraic marking scheme for tracing DRDoS. In this scheme, routers mark the forwarded packets with a certain probability. To resolve the information-loss problem, Chen lets hosts store the received request packets' mark information and copy the mark information to the corresponding response packets, so the victim can locate slaves according to the information in the response packets. This scheme requires hosts to copy mark information to several corresponding response packets, which may fail in a one-to-one request-response relationship. It also requires the victim to know the precise network topology, which is often difficult for general victims. Zhang et al. [23] improved Chen's scheme; they suggested encoding and authenticating the mark information with a Hash Message Authentication Code (HMAC) so as to reduce the influence of forged mark information. The victim in Zhang's scheme can reconstruct the attack path without knowing the network topology. However, the common shortcoming of these two schemes [22, 23] is that both require the hosts to implement the reflection algorithm. We argue that it is too hard to get the hosts which act as reflectors to implement the reflection algorithm, because there are no incentives for them to do so.

Belenky et al. [16] improved the DPM [11] proposed by themselves. They suggested reflectors should have DPM logging enabled, so the victim can get mark information from the reflectors' logs and trace slaves in a DRDoS attack. The disadvantages of this method have been discussed in section 1 and we improve on it in this paper.
From the above introduction, we can see that researchers mainly focus on how to trace (D)DoS attacks; little attention is paid to DRDoS traceback, and the existing DRDoS traceback methods still have some flaws. Thus, we propose a scheme, named ADPM, for tracing DRDoS attacks. Table 1 shows the notation we use in this paper.
Table 1: Notation used in this paper
R: A general router without ADPM running
RR: A router with ADPM running
qw: Request packet, like SYN, ICMP request, DNS queries and so on
pw: Response packet, like SYN/ACK, RST, DNS reply, SNMP response and so on
MTable: Marking Table, which stores the mark information of qw
src: The value of an IP packet's source address field
dst: The value of an IP packet's destination address field
RRF: The first RR that qw passes through (on how to determine whether an RR is qw's RRF, see section 3.4)
RRL: The last RR that qw passes through (on how to determine whether an RR is qw's RRL, see section 3.5)
RRP: The first RR that pw passes through (on how to determine whether an RR is pw's RRP, see section 3.4)

In ADPM, qw's RRF inserts mark information into qw and qw's RRL saves qw's mark information in its MTable. Meanwhile, pw's RRP copies the corresponding mark information stored in its MTable into pw. So the victim can locate slaves according to the mark information in pw (the reflector addresses can be obtained directly from pw's source field).

Before giving a detailed introduction to ADPM, we want to point out a fact: it is difficult to deploy traceback schemes on the slave hosts in advance, so most proposed traceback methods [3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 19, 21, 22, 23] generally trace to the router nearest to the slaves rather than to the slaves themselves. Therefore, below "slave" actually refers to the RR that is nearest to the slave host. For example, when we say "locate the slave", its true meaning is "locate the RR that is nearest to the slave host".

3 ADPM

3.1 Assumptions
ADPM is based on the following hypotheses:
(1) There are a huge number of hosts in the Internet, and it is hard for network managers to deploy a reflection scheme on private hosts because of limited rights. However, the number of routers is much smaller than that of hosts, and network managers generally have the rights to upgrade the routers, so it is more practical to deploy traceback methods on the routers;
(2) A host generally connects to only one router. Thus when an RR is qw's RRL, this RR will with great probability be the RRP of pw, the response packet to qw;
(3) Routers' resources are limited [8];
(4) Attackers are able to generate any packets [8];
(5) Attackers may forge mark information [9].
The first two assumptions are based on the reality that network managers cannot modify private hosts and few hosts connect directly to two or more routers. The third assumption is easy to understand, since no router can provide infinite processing speed and storage space. An attacker may use any method to attack the victim, so assumptions 4 and 5 reflect this consideration.

3.2 Overloading the IP Header
ADPM uses three fields of the IP header to store mark information, as in [24]: the Type of Service (TOS) field, the Identification field, and the Reserved Flag (see the shaded area in Fig. 3). The TOS field is an 8-bit field which indicates the service type the packet desires, and it is rarely used at present. Durresi et al. [24] argued that overloading the TOS field makes no measurable difference in packet delivery.

Fig. 3: The IP header fields (darkened) used in ADPM. The figure shows the first words of the IPv4 header: Version (4 bit), IHL (4 bit), TOS (8 bit), Total length; Identification, Reserved flag (0), DF, MF (3 bit), Fragment offset (13 bit); Time to live, Protocol, Header checksum.

Savage et al. [8] pointed out that less than 0.25% of packets are fragmented in the actual network, so overloading the Identification field and the Reserved Flag field will not bring serious influence on the IP network. (To solve the rarely occurring fragmentation/reassembly problem, we use the method proposed in [16], that is, let the RR add the same mark information to all fragments of the same series. Below we will not discuss this rarely occurring issue.) Therefore ADPM uses a total of 25 bits of IP header space as marking space to store mark information.

3.3 A Summary Statement of ADPM
In ADPM, when an RR receives a request packet qw (the RR uses an IDS to decide whether a received packet is qw or pw; at present, most IDSs can identify request and response packets [25, 26]) and the RR is qw's RRF, the RR will add its information to qw. Because the length of an IP address is 32 bits and the available marking space is only 25 bits, the RR needs to split its IP address. For example, it could divide its IP address into two segments, IP_seg_0 and IP_seg_1, each 16 bits long. In order to differentiate IP_seg_0 and IP_seg_1, it needs a 1-bit flag to indicate the segment number: the flag is set to 0 if IP_seg_0 is sent, or to 1 if IP_seg_1 is sent. Therefore, in this example the mark information's length is 17 bits. Fig. 4 gives a brief introduction to the ADPM traceback process. From Fig. 4, we can see that ADPM can prevent mark information from being overwritten, because only qw's RRF or pw's RRP can add mark information to the packet. But ADPM still has some problems to be resolved:
1. How to determine whether RR_i is qw's RRF, RRL or pw's RRP;
Fig. 4: A brief introduction of ADPM

2. How to resist forged mark information;
3. How the victim knows which IP segments come from the same IP address, so as to reconstruct the slaves' addresses exactly;
4. How to store the mark information in MTable efficiently.
In the following we detail the solutions to these problems.

3.4 Determining whether an RR is RRF or RRP, and Resisting Forged Mark Information
Assume w is a request/response packet received by RR_i, h is an HMAC function and k is the key shared by all RRs. ADPM uses h to generate the authentication information Au: Au = h(w.src, w.dst, k). When RR_i receives w, it computes Au for w: Au = h(w.src, w.dst, k). If this Au is not equal to the Au carried in w, we consider RR_i to be w's RRF or RRP, and it then adds mark information to w. Meanwhile, we can use Au to identify forged mark information. Because the attacker does not know the HMAC function h and the key k, the Au added by the attacker will hardly ever be the same as the Au computed by RR_i. If w.au is not equal to Au, we consider the mark information in w to be counterfeit and let RR_i add its own mark information to w.

3.5 Determining whether an RR is RRL
We assign a destination address table named DTable to RR_i. DTable is mainly used to store the destination addresses that RR_i is responsible for; e.g. when RR_i receives a request packet qw and qw.dst is in RR_i's DTable, then qw will not pass through any other RR: it will be forwarded directly to its destination by RR_i, or arrive at its destination after passing through some general routers R. The addresses in DTable can be derived from RR_i's routing table; for instance, the destinations that are 1 hop away from RR_i should be added to DTable. Users can also add specified addresses to DTable. For example, assume the path from host A to host B is (A, Router 1, Router 2, Router 3, B), and Router 1 and Router 2 have ADPM deployed while Router 3 has not; then the user can add B's address to Router 2 so that the mark information in the request packet qw sent from A to B can be saved in Router 2 (in this case, when A sends qw to B, Router 2 is qw's RRL).

3.6 Determining Which IP Segments Come from the Same IP Address
The received unsolicited response packets should be classified before reconstructing the slaves' addresses, but it is hard for the victim to do that due to the lack of any indication. To solve this problem, ADPM introduces the IP address digest dg. Suppose f: IP → dg is a hash function which compresses a 32-bit IP address to a g-bit dg (in ADPM, we let g = 8, as shown in Fig. 5). When ADPM marks a packet qw, it adds dg to qw. So victims can classify the marked response packets according to dg.

Fig. 5: ADPM encoding scheme (IPSeg: 8 bits, IPSeg_Num: 2 bits, Digest: 8 bits, HMAC: 7 bits)

Maybe someone would say the victim could also classify the response packets based on Au, so we do not need dg. But we argue that this would fail in some cases. For example, if several slaves send request packets with the victim Vm's address to the same reflector rf, then the Au in the corresponding response packets generated by rf will all be the same, so Vm cannot know which mark information in those response packets comes from the same slave. And without dg, Vm also cannot verify the reconstructed IP addresses (as shown in Fig. 7: Path reconstruction procedure).

3.7 ADPM Encoding Scheme
Fig. 5 shows the ADPM encoding scheme (the marking space is 25 bits long, as described in section 3.2).
IPSeg field: 8 bits. It stores the IP segment. Because this field is 8 bits long, the 32-bit IP address has to be divided into four segments, IPSeg_0, IPSeg_1, IPSeg_2 and IPSeg_3;
IPSeg_Num field: 2 bits. It indicates the number of the IP segment stored in the IPSeg field;
Digest field: 8 bits. It preserves the hash value dg of the IP address;
HMAC field: 7 bits. It stores the authentication code Au.
For convenience, below we use seg, sn, dg and Au respectively to represent the values of the IPSeg, IPSeg_Num, Digest and HMAC fields.

3.8 MTable's Format
MTable usually resides in memory, and Fig. 6 shows its format. When RR_i is the request packet qw's RRL, RR_i extracts src, dst, seg, sn and dg from qw, then inserts these values together with the current time into MTable. The function of Insert Time is to help transfer out-of-date records to disk so as to save memory space. Out-of-date records are records that have not been added to corresponding response packets and have stayed in MTable longer than a certain time T (T is user-specified). For example, assume the current time is t_1 and let t_2 = t_1 - T; then the records whose Insert Time is earlier than t_2 are removed from MTable and archived on disk. Generally speaking, the number of transferred records will not be large, because most records will already have been inserted into response packets. To save disk space, we can also delete the records on disk periodically (the cycle can be determined by users based on the disk space).

Fig. 6: MTable's format (src: 32 bits, dst: 32 bits, IPSeg: 8 bits, SN: 2 bits, dg: 8 bits, Insert time: 48 bits)

3.9 The Algorithm of ADPM
Based on the above analyses, we give the ADPM algorithm in this section. It can be divided into three major parts: the marking procedure at the RR, the reconstruction procedure at the victim and the transferring procedure at the RR (as shown in Fig. 7).

Fig. 7: ADPM's algorithm
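Sections 3.4 to 3.9 describe four roles: the RRF marks a request, the RRL logs the mark in its MTable, the RRP copies the logged mark into the matching response, and the victim groups the marks by dg and verifies each reconstructed address against the digest. The following Python model of that flow is an added example, not code from the paper or its authors. Everything beyond what the sections state is an assumption of this example: the bit order inside the 25-bit mark, SHA-256 as both the digest function f and the HMAC hash h, the shared key, the addresses, and the use of None to represent a packet no RR has marked yet.

```python
"""ADPM marking, logging and reconstruction in miniature (added example, not the paper's code).
Mark layout per Fig. 5: IPSeg (8) | IPSeg_Num (2) | Digest (8) | HMAC (7) = 25 bits.
Assumed: bit order inside the mark, SHA-256 for f and h, the key and addresses below.
"""
import hashlib
import hmac
import ipaddress
import itertools
import random
import time
from dataclasses import dataclass, field
from typing import Optional

SHARED_KEY = b"constructed-shared-key-k"  # k, shared by every RR (constructed value)


def ip_digest(ip: str) -> int:
    """dg = f(IP): the 32-bit address compressed to g = 8 bits (assumed: first SHA-256 byte)."""
    return hashlib.sha256(ipaddress.ip_address(ip).packed).digest()[0]


def auth_code(src: str, dst: str) -> int:
    """Au = h(src, dst, k), truncated to the 7-bit HMAC field."""
    msg = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()[0] & 0x7F


def pack_mark(seg: int, sn: int, dg: int, au: int) -> int:
    return (seg << 17) | (sn << 15) | (dg << 7) | au


def unpack_mark(mark: int) -> tuple:
    return (mark >> 17) & 0xFF, (mark >> 15) & 0x3, (mark >> 7) & 0xFF, mark & 0x7F


@dataclass
class Packet:
    src: str
    dst: str
    kind: str                   # "qw" (request) or "pw" (response); the paper's IDS decides this
    mark: Optional[int] = None  # None models host-set header bits that no RR has marked yet


@dataclass
class Router:
    """A router with ADPM running (RR)."""
    ip: str
    dtable: set = field(default_factory=set)    # destinations for which this RR is the RRL
    mtable: list = field(default_factory=list)  # Fig. 6 records: (src, dst, seg, sn, dg, insert time)

    def handle(self, pkt: Packet, rng: random.Random) -> Packet:
        au = auth_code(pkt.src, pkt.dst)
        # A real RR compares Au only; treating never-marked packets as None sidesteps the
        # 1/2^7 accidental match analysed in section 4.3 so the example is deterministic.
        unauthenticated = pkt.mark is None or unpack_mark(pkt.mark)[3] != au
        if pkt.kind == "qw":
            if unauthenticated:            # RRF, or a forged mark: write our own mark
                sn = rng.randrange(4)
                seg = ipaddress.ip_address(self.ip).packed[sn]
                pkt.mark = pack_mark(seg, sn, ip_digest(self.ip), au)
            if pkt.dst in self.dtable:     # RRL: log the mark before the reflector discards it
                seg, sn, dg, _ = unpack_mark(pkt.mark)
                self.mtable.append((pkt.src, pkt.dst, seg, sn, dg, time.time()))
        elif unauthenticated:              # RRP: copy the logged request mark into the response
            for i, rd in enumerate(self.mtable):
                if rd[0] == pkt.dst and rd[1] == pkt.src:   # rd.src = pw.dst, rd.dst = pw.src
                    _, _, seg, sn, dg, _ = self.mtable.pop(i)
                    pkt.mark = pack_mark(seg, sn, dg, au)
                    break
        return pkt


def reconstruct(marks: list) -> list:
    """Victim side: group segments by dg, assemble every candidate, keep those whose digest matches."""
    groups: dict = {}
    for m in marks:
        seg, sn, dg, _ = unpack_mark(m)
        groups.setdefault(dg, {}).setdefault(sn, set()).add(seg)
    found = set()
    for dg, segs in groups.items():
        if len(segs) < 4:                  # some segment number not seen yet
            continue
        for combo in itertools.product(*(sorted(segs[i]) for i in range(4))):
            addr = str(ipaddress.ip_address(bytes(combo)))
            if ip_digest(addr) == dg:      # the digest check that filters wrong candidates
                found.add(addr)
    return sorted(found)


def run_attack(seed: int = 1) -> tuple:
    """One slave behind rr_s floods the victim via reflector rf behind rr_r; returns (slaves, N_rq)."""
    rng = random.Random(seed)
    rr_s = Router("10.1.2.3")                          # RR nearest the slave host (constructed)
    rr_r = Router("10.9.9.9", dtable={"192.0.2.10"})  # RR in front of the reflector (constructed)
    victim, rf = "198.51.100.5", "192.0.2.10"
    marks = []
    while not (slaves := reconstruct(marks)):
        qw = Packet(src=victim, dst=rf, kind="qw")     # spoofed source: the victim
        rr_r.handle(rr_s.handle(qw, rng), rng)         # RRF marks, RRL logs
        pw = Packet(src=rf, dst=victim, kind="pw")     # the reflector answers the victim
        marks.append(rr_r.handle(pw, rng).mark)        # RRP copies the logged mark
    return slaves, len(marks)


def forged_mark_is_overwritten() -> bool:
    """A mark whose Au does not verify is replaced by the RRF's own mark (section 3.4)."""
    rr_s = Router("10.1.2.3")
    victim, rf = "198.51.100.5", "192.0.2.10"
    forged = pack_mark(0x7F, 0, 0x55, (auth_code(victim, rf) + 1) & 0x7F)
    qw = rr_s.handle(Packet(src=victim, dst=rf, kind="qw", mark=forged), random.Random(0))
    _, _, dg, au = unpack_mark(qw.mark)
    return dg == ip_digest("10.1.2.3") and au == auth_code(victim, rf)
```

run_attack() returns the reconstructed slave RR together with the number of response packets the victim needed, which is the N_rq of section 4.2 for one run. The victim groups by dg alone and enumerates every segment combination, so when two RRs share a digest several candidate addresses are built and only those passing the digest check survive; a surviving wrong candidate is exactly the false positive of section 5.2.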
4 Analysis

4.1 Memory Size Needed for MTable
When RR_i is qw's RRL, RR_i needs to insert qw.src, qw.dst, qw.seg, qw.sn, qw.dg and the current time into its MTable. Because the length of a packet is generally 576 bytes (RFC 879), an OC-192 link, whose speed is 1.25 GB/s, transmits about 2.2 M packets per second. In MTable, the length of each entry is 130 bits (as shown in Fig. 6), so the quantity of data that needs to be saved per second for an OC-192 link is 2.2 × 10^6 × 130 bits × α × β ≈ 35.8αβ MB (α represents the ratio of request packets, β represents the probability that RR_i is qw's RRL). Shakkottai et al. [27] analyzed the Round Trip Time (RTT) of TCP packets, and pointed out that the RTT is generally 100 ms and the maximum value is about 100 s. To avoid transferring the entries in MTable prematurely, we set the value of T to 100 s. So for an entry En, if no corresponding response packet arrives within 100 s, En will be transferred from MTable to disk. Thus, the total quantity of data that needs to be saved in MTable for an OC-192 link is about 35.8αβ × 100 = 3580αβ MB. The ratio of request packets to all packets is small; for example, a TCP SYN is sent only when a TCP connection is initiated. Without loss of generality, we set the value of α to 10%. For RR_i, it is hard to know the probability that RR_i will be qw's RRL, so we cannot obtain the exact value of β. Without loss of generality, we assume the value of β to be 50%. So 179 MB (3580 × 10% × 50% = 179 MB) of memory space is needed for an OC-192 link. Therefore, a core router with 32 OC-192 links would require about 5728 MB (approximately 5.7 GB) of memory space to store request packet information. The memory size of current ordinary servers has reached dozens of GB, so we think a core router is fully able to provide 5.7 GB of space for MTable.
4.2 Number of Packets Required for Path Reconstruction (N_rq)
The IP address of RR_i is divided into 4 segments, and RR_i randomly selects a segment to fill into the request packet, so the victim needs to receive N_rq pieces of mark information from RR_i to reconstruct RR_i's IP address. This is similar to the famous Coupon Collector problem: when sampling repeatedly at random from an n-element set S = {1, 2, ..., n}, the expected number of trials needed to collect all n different elements is n ln(n) + O(n). Therefore, the theoretical expected value of N_rq in ADPM is about

4.3 Resisting Forged Mark Information and Preventing Marks from Being Overwritten
In DPM [16], forged mark information is overwritten when the packet passes through a DPM-enabled edge router, so DPM obviates the issue of mark spoofing. But DPM has the mark-overwriting problem: the marks added by upstream routers may be overwritten by downstream routers, which means the victim can only trace back to the last routers the packets traversed. In order to solve this problem, DPM deployment has to start with the tier-1 ISPs. When a tier-2 ISP deploys DPM on its edge routers, it must inform its upstream tier-1 ISP(s) to disable DPM on the interfaces that connect to the tier-2 ISP. That is, when DPM is enabled on an n-tier ISP, the upstream (n-1)-tier must disable DPM on the corresponding interfaces. From this description, we can see that DPM needs collaboration and information sharing among ISPs, but even so, DPM has still not solved the mark-overwriting problem completely: in this deployment scheme, if the packet has to pass through several ISPs in the same tier, the mark added by an upstream n-tier ISP may still be overwritten by downstream n-tier ISPs.

In ADPM, we use the 7-bit HMAC Au to determine whether an RR is qw's RRF or pw's RRP and to check the mark information. For example, when RR_i receives qw, it computes Au for qw. If Au is equal to qw.au, then RR_i concludes that an upstream RR has marked qw and it will not mark qw, so the legitimate mark information will not be overwritten. If Au is not equal to qw.au, RR_i considers itself qw's RRF and will mark qw, so that forged mark information will be overwritten. When a slave host h_sl adds forged mark information to qw, if the added Au happens to be the same as the Au calculated by the RR, then the RR cannot identify the forged mark information, so h_sl can protect itself from tracing; but the probability of this case occurring is 1/2^7. And if a slave host forges RR_i's mark information and hopes the innocent RR_i will be identified as a slave, then the forged mark information must meet two prerequisites: the forged Au must be the same as the Au calculated by the RRs on the packet's path, and the forged dg must be the same as the dg calculated by the victim when reconstructing RR_i's address. Thus, the success rate of making RR_i be wrongly identified as a slave is (1/2^7) × (1/2^8). Generally speaking, ADPM has good scalability; it can guarantee that legitimate mark information will not be overwritten and can identify forged mark information based on Au.
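Section 4.2 reduces N_rq to the Coupon Collector problem with n = 4 segments and quotes the asymptotic form n ln(n) + O(n). The following Python functions are an added example, not from the paper: expected_trials computes the exact coupon-collector expectation, the sum of n/(n-k) over the k already-collected segments (equivalently n times the n-th harmonic number), and simulate_trials estimates the same quantity by drawing uniformly random segment numbers with a seeded generator, mirroring the RR's random choice of which segment to send.

```python
"""Expected N_rq for collecting all n IP segments (added example, not from the paper).
expected_trials gives the exact coupon-collector expectation behind the n ln(n) + O(n)
of section 4.2; simulate_trials estimates it by repeated random segment draws.
ADPM splits the address into n = 4 segments.
"""
import random


def expected_trials(n: int) -> float:
    """Exact expectation: after k distinct segments, the next new one needs n/(n-k) draws on average."""
    return sum(n / (n - k) for k in range(n))


def simulate_trials(n: int, runs: int = 20000, seed: int = 7) -> float:
    """Mean number of uniformly random segment draws until all n segment numbers have been seen."""
    rng = random.Random(seed)   # seeded so the estimate is reproducible
    total = 0
    for _ in range(runs):
        seen, draws = set(), 0
        while len(seen) < n:
            seen.add(rng.randrange(n))   # the RR picks segment number sn uniformly
            draws += 1
        total += draws
    return total / runs
```

For n = 4 the exact value is 4 × (1 + 1/2 + 1/3 + 1/4), and the simulated mean over 20000 runs lands within a few hundredths of it; larger n shows the n ln(n) growth the paper cites.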
4.4 The Incremental Deployment Problem
ADPM does not need to be deployed on all routers; when only part of the routers have ADPM deployed, ADPM can still work properly. For example, as shown in Fig. 8, the route from slave S_1 to reflector rf is (S_1, Router 1, Router 2, Router 3, rf) and the path from rf to victim Vm is (rf, Router 3, Router 4, Vm). Suppose Router 3 has not deployed ADPM; then the mark information in qw, which is sent to rf from S_1, will be lost.

Fig. 8: The attack path from slave S_1 to the victim Vm

To avoid this situation, we could inform Router 2 of rf's address; then when Router 2 receives a qw sent to rf, it will store qw's mark information. Vm may be unable to obtain Router 1's information from the received response packet pw sent by rf, but it can learn rf from pw.src directly. Through rf, Vm can find Router 3, which connects to rf, and locate Router 2. Then, Vm searches Router 2's MTable for the record rd corresponding to pw (rd.src = pw.dst, rd.dst = pw.src).
And at last, Vm locates Router 1 based on the mark information in rd.

5 Experiments Results

To assess the performance of ADPM in a network, we built a simulation environment based on the network simulation framework OMNeT++ and the INET Framework toolkit. We modified some procedures in INET so that routers can write mark information into packets, and implemented both DPM [16] and ADPM. Our simulations ran on a server with an Intel(R) Xeon(R) CPU at 2.27 GHz (2.26 GHz) and 23.9 GB RAM.

5.1 Number of Packets Required for Path Reconstruction (Nrq)

We let the slave S send request packets carrying the victim Vm's address to the reflector rf, and rf then sends the corresponding response packets to Vm. Once Vm has received all the distinct IP segments of S, S stops sending, which gives us the number of packets required for path reconstruction. To ensure the credibility of the results, we ran the experiments for ADPM and for DPM [16] (in DPM we let f=4, a=8, d=5) and took the mean values of Nrq as the simulation results of ADPM and DPM. Fig. 9 shows the simulated and the theoretically expected Nrq of ADPM and DPM. From Fig. 9 we can see that ADPM's theoretically expected Nrq essentially matches its simulation result, and DPM behaves similarly. We can also see that ADPM's Nrq is much smaller than DPM's, for both the theoretical expected value and the simulated value, so ADPM can locate the slaves more quickly than DPM.

Fig. 9: Nrq of ADPM and DPM (curves: ADPM theoretical value, ADPM simulation value, DPM theoretical value, DPM simulation value)

5.2 False Positive (FP)

In the reconstruction procedure of ADPM, the victim first classifies the attack response packets into groups according to the dg, Au and sn in the packets; it then extracts the IP segments from the packets of each group and reconstructs the IP address slaaddr. If the hash value of slaaddr equals the dg of the corresponding packets, slaaddr is taken to be a slave's address. In this procedure, a reconstructed slaaddr may be incorrectly identified as a slave's address. For example, if the hash values of the IP addresses of two RRs (RR1 and RR2) are the same, the victim cannot determine which IP segment belongs to RR1 and which to RR2, so several IP addresses may be reconstructed. If one of those reconstructed IP addresses is wrongly identified as a slave's address, we say a false positive (FP) has occurred. FP denotes the number of innocent IP addresses incorrectly identified as slaves' addresses. Below we analyze the FP of ADPM and DPM experimentally.

In the simulation, we found that the victim in DPM needed a long time to reconstruct the IP addresses. For example, when m=2000 (in DPM, m is the number of edge routers; in ADPM, m is the number of RRs whose regions contain slaves), DPM spent about 7 minutes on path reconstruction while ADPM needed only about 0.38 seconds. So, in DPM, 100 trials for each value of m would take more than 500 days of simulation time. Thus we simulated DPM for m=100, 500, 1000, 1500, 2000, 2500, 3000 and ADPM for m= . To ensure the credibility of the results, we ran 100 trials and calculated the mean FP for each value of m. In all these trials, the IP addresses assigned to each RR in ADPM or to each edge router in DPM were randomly selected in [0, ] so that the simulation environment corresponds to the real world. Fig. 10 shows ADPM's simulated FP and DPM's theoretical FP (because it is difficult to obtain DPM's FP for each value of m through simulation, we calculated DPM's FP with the formula in A.2 of ref. [16], setting f=4, a=8, d=5, N=m). From Fig. 10 we can see that when m > 2500 ADPM's FP still grows slowly while DPM's FP grows swiftly; when 0 < m < 2700 ADPM's FP is a little larger than DPM's, but when m > 2700 ADPM's FP is much smaller than DPM's. Thus ADPM is more stable than DPM.

Fig. 10: The FP of ADPM and DPM (curves: ADPM's simulation results, DPM's theoretical value)

Table 2 shows ADPM's FP and DPM's FP when m=100, 500, 1000, 1500, 2000, 2500, 3000. From Table 2 we can see that the trend of DPM's FP in simulation is the same as in theory; for example, when m > 2500, FP grows swiftly both in simulation and in theory. But we can also see that DPM's simulated FP is much larger than its theoretical value. We argue that the reason is that, when calculating DPM's FP, the formula in [16] assumes the number of ingress addresses sharing the same digest is N/E[H], but in fact the digests may have different address counts, which makes the theoretical values of DPM's FP smaller than the simulated ones. Table 2 also shows that DPM's simulated FP is much larger than ADPM's when m > 2500; for example, when m=3000, DPM's simulated FP is , while ADPM's is 7.73, so we think ADPM has higher accuracy in locating the slaves.

Table 2: The FP of ADPM and DPM (rows: DPM theoretical value, DPM simulation results, ADPM simulation results, for each value of m; cell values not recoverable)

5.3 The Reconstruction Time (Tr) and the Number of Permutations (Np)

While running the experiments to obtain the FP of DPM and ADPM, we found DPM's experiment time to be long, which made it hard to obtain the mean FP of DPM. Faced with this, we wanted to know the gap between DPM's Tr and ADPM's Tr, and tried to find the reasons for the difference (after many trials, we found that the number of permutations, Np, generated in the reconstruction process has the greatest impact on the reconstruction time). We ran 100 experiments for each value of m (m=100, 500, 1000, 1500, 2000, 3000) and calculated the average Tr and the average Np of the IP address reconstruction. Fig. 11 shows the Tr of DPM and ADPM in simulation. From Fig. 11 we can see that DPM's Tr is much larger than ADPM's; for example, when m=3000, the Tr of DPM is about 1630 s, while in ADPM it is only about 0.46 s. Fig. 12 shows the Np of ADPM and DPM. DPM's Np is much larger than ADPM's; for example, when m=3000, DPM's Np is about 1.07E+9, while ADPM's Np is about 5027, which makes DPM's reconstruction time much longer than ADPM's. From this analysis, we can see that ADPM's reconstruction time and number of permutations are much smaller than DPM's, which lets ADPM locate the slaves more quickly.

Fig. 11: Tr of ADPM and DPM (in seconds; curves: ADPM, DPM)

Fig. 12: Np of ADPM and DPM (curves: ADPM, DPM)

6 Conclusion

In this article, we have improved DPM [16] and presented ADPM, a novel DRDoS traceback method that is scalable and quick to locate the slaves. Furthermore, it can identify forged mark information and has a small FP. As the work on ADPM continues, we plan to investigate the traceback effects when only some of the routers have ADPM deployed. Generally speaking, in a large network different deployment strategies may yield different traceback effects, so how to choose the routers that run ADPM is a crucial matter. We also plan to deploy ADPM in real routers to observe its traceback effects in the future.

Acknowledgement

This work is supported by the National Key Basic Research Program of China (973 Program) under Grant No. 2009CB320504, the Innovative Research Groups of the National Natural Science Foundation of China under Grant Nos. , and the Research Fund for the Doctoral Program of Higher Education of China under Grant Nos. .

References

[1] R. Stone, CenterTrack: an IP overlay network for tracking DoS floods, in: Proceedings of the 9th USENIX Security Symposium, USENIX Association, Berkeley, 2000.
[2] H. Burch, B. Cheswick, Tracing anonymous packets to their approximate source, in: Proceedings of the 14th USENIX Conference on System Administration (LISA 2000), USENIX Association, Berkeley, 2000.
[3] S. M. Bellovin, M. D. Leech, ICMP traceback messages, Internet Draft draft-bellovin-itrace-00.txt, 2000.
[4] S. Bellovin, M. Leech, T. Taylor, ICMP traceback messages, Internet Draft draft-ietf-itrace-04.txt, 2003.
[5] V. Kuznetsov, H. Sandstrom, A. Simkin, An evaluation of different IP traceback approaches, in: 4th International Conference on Information and Communications Security (ICICS 2002), Springer-Verlag, Berlin; Singapore, 2002.
[6] L. Sanchez, W. Milliken, A. Snoeren, F. Tchakountio, C. Jones, S. Kent, C. Partridge, W. Strayer, Hardware support for a hash-based IP traceback, in: DARPA Information Survivability Conference & Exposition II, Vol. 2, 2001.
[7] A. C. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio, B. Schwartz, S. T. Kent, W. T. Strayer, Single-packet IP traceback, in: ACM SIGCOMM 2001 Conference, IEEE, San Diego, California, 2001.
[8] S. Savage, D. Wetherall, A. Karlin, T. Anderson, Network support for IP traceback, IEEE/ACM Transactions on Networking 9(3) (2001).
[9] D. X. Song, A. Perrig, Advanced and authenticated marking schemes for IP traceback, in: Proceedings of IEEE INFOCOM, Vol. 2, IEEE, 2001.
[10] H. P. Qu, D. G. Feng, P. R. Su, IP traceback scheme based on marking-in-order, Tien Tzu Hsueh Pao/Acta Electronica Sinica 34(1) (2006).
[11] A. Belenky, N. Ansari, IP traceback with deterministic packet marking, IEEE Communications Letters 7(4) (2003).
[12] G. Jin, J. Y. Zhao, Y. M. Zhao, X. H. Wang, Study on IP traceback of DDoS attack ingress within an autonomous system, Dianzi Yu Xinxi Xuebao/Journal of Electronics and Information Technology 27(3) (2005).
[13] Y. Xiang, W. L. Zhou, M. Y. Guo, Flexible deterministic packet marking: an IP traceback system to find the real source of attacks, IEEE Transactions on Parallel and Distributed Systems 20(4) (2009).
[14] R. P. Laufer, P. B. Velloso, D. d. O. Cunha, I. M. Moraes, M. D. D. Bicudo, M. D. D. Moreira, O. C. M. B. Duarte, Towards stateless single-packet IP traceback, in: 32nd IEEE Conference on Local Computer Networks, IEEE Computer Society, Washington, 2007.
[15] A. Castelucio, A. Ziviani, R. M. Salles, An AS-level overlay network for IP traceback, IEEE Network 23(1) (2009).
[16] A. Belenky, N. Ansari, On deterministic packet marking, Computer Networks 51(10) (2007).
[17] R. P. Laufer, P. B. Velloso, O. C. M. B. Duarte, Generalized Bloom filters, Tech. rep., 2005.
[18] H. W. Lee, S. H. Yun, T. Kwon, J. S. Kim, H. U. Park, N. H. Oh, Reflector attack traceback system with pushback based iTrace mechanism, in: J. Lopez, S. Qing (Eds.), 6th International Conference on Information and Communications Security, Springer-Verlag, Berlin; Malaga, Spain, 2004.
[19] H. W. Lee, T. Kwon, H. J. Kim, NS-2 based IP traceback simulation against reflector based DDoS attack, in: T. G. Kim (Ed.), 13th International Conference on Artificial Intelligence, Simulation and Planning in High Autonomy Systems (AIS 2004), Springer-Verlag, Berlin; Cheju Island, South Korea, 2004.
[20] H. W. Kang, S. J. Hong, D. H. Lee, Matching connection pairs, in: 5th International Conference, PDCAT 2004, December 8-10, 2004, Lecture Notes in Computer Science, Springer-Verlag, Singapore, 2004.
[21] R. Shokri, A. Varshovi, H. Mohammadi, N. Yazdani, B. Sadeghian, DDPM: dynamic deterministic packet marking for IP traceback, in: 2006 IEEE International Conference on Networks (ICON 2006), Vol. 2, IEEE Computer Society, Singapore, 2006.
[22] Z. Chen, M. Lee, An IP traceback technique against denial-of-service attacks, in: 19th Annual Computer Security Applications Conference (ACSAC 2003), 2003.
[23] J. Zhang, S. Q. Chen, Research on authentication scheme for DDoS attack source traceback, Application Research of Computers 24(10) (2007).
[24] A. Durresi, V. Paruchuri, L. Barolli, Fast autonomous system traceback, Journal of Network and Computer Applications 32(2) (2009).
[25] H. Tsunoda, K. Ohta, A. Yamamoto, N. Ansari, Y. Waizumi, Y. Nemoto, Detecting DRDoS attacks by a simple response packet confirmation mechanism, Computer Communications 31(14) (2008).
[26] B. Al-Duwairi, G. Manimaran, Distributed packet pairing for reflector based DDoS attack mitigation, Computer Communications 29(12) (2006).
[27] S. Shakkottai, R. Srikant, N. Brownlee, A. Broido, K. Claffy, The RTT distribution of TCP flows in the Internet and its impact on TCP-based flow control, Tech. rep., Cooperative Association for Internet Data Analysis (CAIDA), 2004.
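The victim-side reconstruction of Section 5.2 and the permutation count Np of Section 5.3, as an added Python example that is not the paper's code: the mark layout (dg, Au, sn plus one 8-bit segment), the four-segment split, the 4-bit sum digest and every address below are constructed assumptions, not ADPM's real mark format or hash function.

```python
"""Victim-side address reconstruction in the style of Section 5.2 (constructed example).

Response-packet marks are grouped by (dg, Au, sn), the IP segments of each group
are combined into candidate addresses (the permutations counted as N_p in
Section 5.3), and a candidate is accepted only if its digest equals dg.  Two
marked addresses with the same digest make innocent candidates pass the check,
which is exactly how the paper's false positives (FP) arise.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import product
from typing import Dict, Iterable, List, Set, Tuple

SEGMENTS = 4      # assumption: a 32-bit address is marked as four 8-bit segments
DIGEST_BITS = 4   # assumption: a 4-bit digest, deliberately small so collisions show up


@dataclass(frozen=True)
class Mark:
    """Mark information the victim reads from one response packet (constructed layout)."""
    dg: int   # digest of the whole marked address
    au: int   # authentication tag; opaque here, part of the group key as in the paper
    sn: int   # segment index, 0 .. SEGMENTS-1
    seg: int  # the 8-bit address segment carried at position sn


def digest(octets: Tuple[int, ...]) -> int:
    """Toy digest: the octet sum folded to DIGEST_BITS bits (not the paper's hash)."""
    return sum(octets) % (1 << DIGEST_BITS)


def marks_for(addr: str, au: int) -> List[Mark]:
    """The marks a fully deployed ADPM path would deliver for one marked address."""
    octets = tuple(int(o) for o in addr.split("."))
    return [Mark(digest(octets), au, i, o) for i, o in enumerate(octets)]


def reconstruct(marks: Iterable[Mark]) -> Tuple[Set[str], int]:
    """Return (accepted addresses, N_p).  N_p counts every permutation tried."""
    # group key (dg, au) -> segment index -> distinct segment values seen
    groups: Dict[Tuple[int, int], Dict[int, Set[int]]] = defaultdict(lambda: defaultdict(set))
    for m in marks:
        groups[(m.dg, m.au)][m.sn].add(m.seg)

    accepted: Set[str] = set()
    n_perm = 0
    for (dg, _au), by_sn in groups.items():
        if any(i not in by_sn for i in range(SEGMENTS)):
            continue  # some segment has not arrived yet: nothing can be rebuilt
        # Every combination of one value per position is a candidate; with two
        # colliding addresses this is where the permutation count grows.
        for octets in product(*(sorted(by_sn[i]) for i in range(SEGMENTS))):
            n_perm += 1
            if digest(octets) == dg:
                accepted.add(".".join(str(o) for o in octets))
    return accepted, n_perm


def false_positives(accepted: Set[str], true_addrs: Iterable[str]) -> int:
    """FP as the paper defines it: accepted addresses that are not real marked sources."""
    return len(accepted - set(true_addrs))


def demo() -> Dict[str, int]:
    """Constructed scenario: 192.168.1.10 and 192.168.17.26 collide under the toy
    digest (both sum to 3 mod 16), 10.0.0.7 does not, and 172.16.5.9 is still
    missing its last segment."""
    true_addrs = ["192.168.1.10", "192.168.17.26", "10.0.0.7"]
    marks = [m for a in true_addrs for m in marks_for(a, au=1)]
    marks += marks_for("172.16.5.9", au=1)[:3]  # incomplete group, skipped
    accepted, n_perm = reconstruct(marks)
    return {"accepted": len(accepted), "n_perm": n_perm,
            "fp": false_positives(accepted, true_addrs)}


if __name__ == "__main__":
    print(demo())  # {'accepted': 5, 'n_perm': 5, 'fp': 2}
```

The two colliding addresses yield four permutations that all pass the digest check, so two innocent addresses (192.168.1.26 and 192.168.17.10) are accepted; this is the mechanism behind the FP growth the paper measures as m, and with it the chance of digest collisions, increases.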
More informationMalice Aforethought [D]DoS on Today's Internet
Malice Aforethought [D]DoS on Today's Internet Henry Duwe and Sam Mussmann http://bit.ly/cs538-ddos What is DoS? "A denial of service (DoS) attack aims to deny access by legitimate users to shared services
More informationAn Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks
2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks Reyhaneh
More informationCloudFlare advanced DDoS protection
CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com
More informationco Characterizing and Tracing Packet Floods Using Cisco R
co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1
More informationDetecting and Preventing IP-spoofed Distributed DoS Attacks
International Journal of Network Security, Vol.7, No.1, PP. 81, July 28 Detecting and Preventing IP-spoofed Distributed DoS Attacks Yao Chen 1, Shantanu Das 1, Pulak Dhar 2, Abdulmotaleb El Saddik 1, and
More informationA Source Identification Scheme against DDoS Attacks in Cluster Interconnects
A Source Identification Scheme against DDoS Attacks in Cluster Interconnects Manhee Lee* Eun Jung Kim* Cheol Won Lee *Department of Computer Science Texas A&M University College Station, TX-77840 manheelee@tamu.edu,
More informationDepth-in-Defense Approach against DDoS
6th WSEAS International Conference on Information Security and Privacy, Tenerife, Spain, December 14-16, 2007 102 Depth-in-Defense Approach against DDoS Rabia Sirhindi, Asma Basharat and Ahmad Raza Cheema
More informationAdaptive Discriminating Detection for DDoS Attacks from Flash Crowds Using Flow. Feedback
Adaptive Discriminating Detection for DDoS Attacks from Flash Crowds Using Flow Correlation Coeff icient with Collective Feedback N.V.Poorrnima 1, K.ChandraPrabha 2, B.G.Geetha 3 Department of Computer
More informationA Little Background On Trace Back
CSC 774 Network Security Spring 2003 A Little Background On Trace Back Two network tracing problems are currently being studied: IP traceback and traceback across stepping-stones (or a connection chain).
More informationNetwork Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik
Network Security Chapter 3 Cornelius Diekmann Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Version: October 21, 2015 IN2101, WS 15/16, Network Security 1 Security Policies and
More informationSurvey on DDoS Attack in Cloud Environment
Available online at www.ijiere.com International Journal of Innovative and Emerging Research in Engineering e-issn: 2394-3343 p-issn: 2394-5494 Survey on DDoS in Cloud Environment Kirtesh Agrawal and Nikita
More informationDetecting Service Violations and DoS Attacks
Detecting Service Violations and DoS Attacks Ahsan Habib, Mohamed M. Hefeeda, and Bharat K. Bhargava CERIAS and Department of Computer Sciences Purdue University, West Lafayette, IN 47907 {habib, mhefeeda,
More informationProtecting Mobile Devices From TCP Flooding Attacks
Protecting Mobile Devices From TCP Flooding Attacks Yogesh Swami % and Hannes Tschofenig* % Nokia Research Center, Palo Alto, CA, USA. * Siemens Corporate Technology, Munich, DE. 1 Motivation Anatomy of
More informationSurvey on DDoS Attack Detection and Prevention in Cloud
Survey on DDoS Detection and Prevention in Cloud Patel Ankita Fenil Khatiwala Computer Department, Uka Tarsadia University, Bardoli, Surat, Gujrat Abstract: Cloud is becoming a dominant computing platform
More informationHow To Detect Denial Of Service Attack On A Network With A Network Traffic Characterization Scheme
Efficient Detection for DOS Attacks by Multivariate Correlation Analysis and Trace Back Method for Prevention Thivya. T 1, Karthika.M 2 Student, Department of computer science and engineering, Dhanalakshmi
More informationDetection of Distributed Denial of Service Attack with Hadoop on Live Network
Detection of Distributed Denial of Service Attack with Hadoop on Live Network Suchita Korad 1, Shubhada Kadam 2, Prajakta Deore 3, Madhuri Jadhav 4, Prof.Rahul Patil 5 Students, Dept. of Computer, PCCOE,
More informationA Novel Protocol for IP Traceback to Detect DDoS Attack
www.ijcsi.org 284 A Novel Protocol for IP Traceback to Detect DDoS Attack Yogesh Kumar Meena 1, Aditya Trivedi 2 1 Hindustan Institute of Technology and Management, Agra, UP, India 2 ABV-Indian Institute
More informationA Flow-based Method for Abnormal Network Traffic Detection
A Flow-based Method for Abnormal Network Traffic Detection Myung-Sup Kim, Hun-Jeong Kang, Seong-Cheol Hong, Seung-Hwa Chung, and James W. Hong Dept. of Computer Science and Engineering POSTECH {mount,
More informationDiDDeM: A System for Early Detection of TCP SYN Flood Attacks
DiDDeM: A System for Early Detection of TCP SYN Flood Attacks J. Haggerty, T. Berry, Q. Shi and M. Merabti School of Computing and Mathematical Sciences, Liverpool John Moores University, Liverpool, UK,
More informationDDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT
DDoS Protection How Cisco IT Protects Against Distributed Denial of Service Attacks A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge: Prevent low-bandwidth DDoS attacks coming from a broad
More informationNetwork Attacks Detection Based on Multi Clustering and Trace back Methods
Network Attacks Detection Based on Multi Clustering and Trace back Methods C.Navamani MCA.,M.Phil.,ME., S.Naveen Assistant professor, Final MCA Dept of computer applications, Nandha engineering college,
More information