# 2-7 The Mathematics Models and an Actual Proof Experiment for IP Traceback System

Save this PDF as:

Size: px
Start display at page:

Download "2-7 The Mathematics Models and an Actual Proof Experiment for IP Traceback System"

## Transcription

1 2-7 The Mathematics Models and an Actual Proof Experiment for IP Traceback System SUZUKI Ayako, OHMORI Keisuke, MATSUSHIMA Ryu, KAWABATA Mariko, OHMURO Manabu, KAI Toshifumi, and NISHIYAMA Shigeru IP traceback is a technique that searches DDoS attackers. There are many kinds of IP traceback methods. The performance of IP traceback system can mainly evaluate using a race time and the error rate of the trace result. In this paper, we propose mathematical models of typical IP traceback methods, which are ICMP, IPPM, HASH, and an UDP and AS traceback method newly proposed. And, we estimate the time required to trace. And, we analyze reliability features of these. False positive rate are evaluation parameters of the reliability. And, we analyze mathematical models. Then we compare the predicted value with the measured values using the actual large network for verification. Keywords IP traceback, Inter AS(Autonomous System) traceback, An UDP method, Mathematical models, Analysis of FPR(False Positive Rate) 1 Introduction R&D is currently underway on the use of IP traceback to track down the sources of DDoS (distributed denial of service) attacks. Major intra-as IP traceback methods include the ICMP, IPPM, and HASH methods. More recently, hybrid methods have emerged consisting of combinations of these existing methods (e.g., HASH + newly developed UDP). A method is also available to perform traceback across ASs through coordination of intra-as traceback systems. Performance of an IP traceback system can be evaluated mainly by its traceback time and the false detection rate of its traceback results. In false detection, a traceback system cannot track down the source of attacks (attackers) perfectly, for a variety of reasons. In this context a false positive rate (FPR) is used as an index of false detection. In this paper, we will refer to this as a reliability index. To ensure efficient operation of IP traceback methods, it is necessary to understand traceback time and the reliability characteristics of the individual methods. In this paper we will present mathematical models that express the traceback times of the ICMP, IPPM, HASH, UDP and inter-as traceback methods. We will analyze the FPR characteristics of these methods in an anticipated environment of use. We will also conduct actual measurement on a large-scale verification network, and confirm the adequacy of these mathematical models through comparison with the measurement results. Section 2 will briefly describe the workings of intra-as and inter-as traceback and FPR. Section 3 will give definitions of mathematical models of individual methods. Section 4 will describe the verification environment used in actual measurement, comparison between predicted traceback time and actual measured values, and FPR analysis. Section 5 will summarize this research. SUZUKI Ayako et al. 65

2 2 IP traceback 2.1 Functions of IP traceback IP traceback methods are designed to track down the sources of attacks mainly within a single autonomous system (AS). In most cases, however, DDoS attack packets pass across several ASs to reach a victim. Therefore, in addition to performing traceback within each AS, it is necessary to execute traceback across ASs through coordination of the traceback systems used within these ASs. In this paper, we refer to the former as intra-as traceback and the latter as inter-as traceback Intra-AS IP traceback Major intra-as IP traceback methods include the ICMP, IPPM, and HASH methods. In the case of the ICMP and IPPM methods, routers generate traceback information on attack packets with a certain probability. Traceback paths to attackers are confirmed based on the generation of this information. One can therefore calculate the attacker-detection rate from the probability of generating traceback information on the edge of each attack route. In the case of the HASH method, the agent at each router saves a HASH value for every packet that passes through the router. The manager figures out traceback paths by making queries as to whether attack packets have passed through each router. Therefore, traceback time depends on the number of queries by the manager. In the case of the newly developed UDP method, the manager requests a nearby router to return information on the passage of attack packets, if any. The manager sends this request to one router after another Inter-AS traceback Border and internal traceback methods are used to perform traceback across ASs that employ different intra-as traceback methods. Border traceback only covers routers located on borders between ASs, while internal traceback covers all routers within each AS. An effective combination of these methods can enable high-speed traceback. Figure 1 shows an overview of border and internal traceback. Fig.1 Overview of border and internal traceback 2.2 Definition of reliability index, FPR Expression (1) defines FPR. Number of detected attackers is the total number of nodes detected as attackers at a given time. This includes some falsely identified nodes. To use FPR in prediction, both the denominator and numerator of Expression (2) are assigned expectation values. FPR = Number of falsely detected attackers / Number of detected attackers (1) FPR = Expectation value of number of falsely detected attackers / Expectation value of number of detected attackers (2) 2.3 Factors of FPR Table 1 shows anticipated factors of FPR during operation of the three traceback methods. There are four main factors of FPR. Other factors are related to errors in the IP traceback systems, but this paper does not address these. Table 1 Factors of FPR 66 Journal of the National Institute of Information and Communications Technology Vol.52 Nos.1/2 2005

3 3 Mathematical models 3.1 Intra-AS traceback systems ICMP method (1) Overview of evaluated system s processing procedure We evaluated an itrace system described in a different paper as an ICMP method. In this system, each router monitors in-transit packets passing through each router and generates itrace packets with a probability of 1/20,000. To prevent false detection, we set the threshold value to two; i.e., we stipulated that the collector must receive two itrace packets from the same router before a traceback path to an edge can be confirmed. (2) Detection rate of attackers Calculate the probability Pr(ei) that a router will generate two itrace packets for an edge ei. When the probability of generation of itrace packets is p, and N (number) packets pass through that router, Pr(ei) can be calculated by Expression (3). In this case (1-p) N is the probability of sending no itrace packet, and Np(1-p) N-1 is the probability of sending one itrace packet. Pr(ei) = 1 - (Np(1 - p) N-1 + (1 - p) N ) (3) (3) FPR In Table 1, a and b are possible factors of FPR within this system. In the case of a single attack route, the rate of false detection due to a can be calculated by subtracting the detection rate of the attacker from the detection rate of the victim s immediate router. In the case of multiple attackers, one can approximately calculate the false detection rate by subtracting the detection rate of the attackers from the detection rate of the router that is detected first. For the number of falsely detected attackers due to b, you can calculate an expectation value from the probability of generation of traceback information on normal packets to the edge IPPM method (1) Overview of evaluated system s processing procedure As an IPPM method, we evaluated an AMS- II system described in a different paper. In this system, each router samples in-transit packets with a probability of 1/20, and divides a 64- bit HASH value into eight fragments to be marked on eight packets. To prevent false detection, we set the threshold value at 16; i.e., the collector needs to receive 16 marked packets from the same router before a traceback path to an edge can be confirmed. (2) Detection rate of attackers Suppose that d (number) routers are located linearly between the victim and an attacker. Calculate the probability Fd that a router marks a value on a packet and that other routers do not replace this value. Fig.2 Route map used for calculation by mathematical models of IPPM method In Fig.2, the probability that a router R1 marks a value on a packet passing through an edge e1 and other routers do not mark a value (replace the above value) is p(1 - p) d-1. This value is randomly selected from eight fragments of a HASH value. Therefore, the probability of generation of marked packets is p/8, and the probability Fd can be calculated by Expression (4). Fd = p(1 - p) d-1 /8 (4) Expression (5) defines the probability Pr(ei) that the collector receives two or more marked packets passing through an edge ei. Expression (7) can be used to define Expression (5). Here, N is the number of attacker s packets, N * Fd(1 - Fd) N-1 is the probability of receiving one marked packet, and (1 - Fd) N is the probability of receiving no packet. The calculation result is raised to the eighth power because the packets must contain the whole HASH value in order for the traceback path to be identified. Pr(ei) = (1 -(N * Fd(1 - Fd) N-1 +(1 - Fd) N )) 8 (5) SUZUKI Ayako et al. 67

4 (3) FPR In Table 1, a and b are possible factors of FPR by this system. The rate of false detection due to a or b can be calculated in the same manner as in the ICMP method HASH method (1) Overview of evaluated system s processing procedure As a HASH method, we evaluated an SPIE system described in a different paper. In this system, the agent at each router saves a HASH value for every packet that passes through the router. The manager performs traceback by performing queries as to whether attack packets have passed through each router. We used a system that generates 14-bit HASH values. (2) Detection rate of attackers Expression (6) defines attacker detection time T, where n is the total number of queries from the manager to the agent at each router. We obtained an approximate expression by regression analysis. T = 0.004n (6) (3) FPR In Table 1, c is a possible factors of FPR by the system, but we did not include this item in our evaluation UDP method (1) Overview of evaluated system s processing procedure As a UDP method, we evaluated a utrace system described in a different paper. In this system, the manager provides the victim terminal s immediate router with information on intended packets (created in part from data on attacks detected by IDS). If traffic matches this information, the router will send a UDP packet to the manager. This packet includes, among other data, information on which router is to be monitored next. Based on UDP packets sent from the series of routers, the manager identifies the attack route and tracks down attackers. The information on intended packets includes protocol types, port numbers, and packet destinations. To prevent false detection, we set the threshold value to 2 in this test; i.e., the manager needs to receive two trace packets that include edge information on the end node before a traceback path can be confirmed. (2) Attacker detection time Expression (7) defines attacker detection time T, where d is the number of routers on the attack route and A is the attack speed [packets/sec]. hop T= + (7) i Ai Ae (3) FPR In Table 1, a, b, and e are possible factors of FPR by this system. We studied b using the configuration shown in Fig. 7. Before the victim s immediate router R1 is detected, FPR is 0. When R1 is detected, the FPR value will change to 1 and will remain at that value until the attacker s immediate router R10 sends two trace packets. When the attacker is detected, FPR will become 0. Then, after detection of R11, FPR will continue to hover around 0.5 and will not stabilize at a smaller value. In Figure 4, merging of traffic flows occurs, and detection time is shorter at confluences (R1 to R6). Expression (7) can be used to calculate attacker detection time at confluences. Table 2 shows mathematical models that express the traceback times of intra-as traceback methods. 3.2 Inter-AS traceback systems In most cases, DDoS attack packets pass across several ASs to reach a victim. Therefore, it is necessary to track down attackers through coordination among the ISPs that manage the individual ASs. Border and internal traceback methods are used to facilitate traceback across ASs. Border traceback only covers routers located on the border between ASs, while internal traceback covers all routers within each AS. High-speed traceback is enabled through the effective combination of these methods. It is possible to select and operate traceback methods independently on each AS. A 68 Journal of the National Institute of Information and Communications Technology Vol.52 Nos.1/2 2005

5 combined system performs border traceback first, and then executes internal traceback to track down the attackers (e.g., AS1 border AS2 border AS3 border AS3 internal). Border traceback time increases with an increase in the number of ASs involved while internal traceback time is determined by the number of ASs in which attackers are present. When there are multiple attackers, these are traced back in parallel. In this case, traceback time T depends on the time required to trace a route with the maximum hop count within the AS. If UDP method is used in internal traceback, traceback time T can be calculated by Expression (8). T = MAX (Time required to finish internal traceback on ASn) T = MAX (Border traceback time from start to ASn + internal traceback time on ASn) hop T = + k + (8) Aj i Ai Ae Here, Aj is the average volume of attack packets at each edge of the border router, Ai is the average volume of attack packets at SUZUKI Ayako et al. 69

6 each edge, hop is the number of routers on the attack route with the maximum hop count within that AS, and Ae is the average volume of attack packets at the attacker. If merging of attack routes occurs, this value is 2; if not, this value is 1. Table 4 Verification tools 4 Verification testing 4.1 Configuration of verification environment (1) Objective of verification network We established a verification network to assess the reliability characteristics of the above-mentioned traceback methods in a close approximation of an actual environment. We used only part of this verification environment in this test, but we also conducted verification testing on hop counts and the number of attackers using the entire environment. (2) Specifications of verification network Tables 3 and 4 show the specifications of the network and tools used for verification. We used virtual OS technology to create a large network with a small number of machines. Since all traceback systems under test supported Linux, we selected the Linux operating system and UML (User-Mode Linux) virtualization technique. 4.2 Verification results Traceback time (1) Intra-AS traceback A) Verification procedure Measure traceback time using different numbers of attackers. B) Verification conditions Vary the number of attackers: 1, 10, 20, 50, and 100. The speed of attacks is constant at the victim s location. Table 5 shows measurement conditions, and Fig.3 shows a configuration of the verification network. C) Results Figure 4 shows the measurement results. As can be seen from the figure, the actual Table 3 Specifications of verification network Fig.3 Configuration of verification network for intra-as traceback Table 5 Verification conditions for intra- AS traceback 70 Journal of the National Institute of Information and Communications Technology Vol.52 Nos.1/2 2005

7 measured values are almost the same as the predicted values, and the newly developed UDP method is faster than the other methods. When performing traceback against 100 terminals, the ICMP method exceeded the measurement time limit (10 minutes); the measured value is thus not shown in the figure. (2) Inter-AS traceback A) Verification procedure Measure traceback time using different numbers of ASs, attackers, and different topologies. B) Verification conditions The speed of attacks per attacker is constant at 10 pps. Figure 5 shows the measurement conditions and network configuration. C) Results Figure 6 shows the verification results. As can be seen from the figure, the actual measured values are almost the same as the predicted values, and traceback time is determined by the maximum hop count between the victim and attackers; it is not dependent on the topology or the number of attacks False detection rate A) Verification objective Suspects detected by IP traceback are not always attackers. This is because attack packets and normal packets may be of the same type; if this is the case it becomes impossible to distinguish between them after a certain period of time. We studied the possibility of identifying attackers according to volumes of attack and normal packets. B) Verification conditions To check FPR, change the proportion of attack packets and normal packets: from 50/50 to 10/90. Compare the IPPM and UDP methods. Measure FPR using the configuration shown in Fig.7. Table 6 shows the measurement conditions. C) Results Figure 8 shows the measurement results. As can be seen from the figure, while UDP can identify suspects quickly, it is difficult for UDP to distinguish between attackers and normal users based on the flow or ratio of attack packets. On the other hand, while IPPM is slower than UDP, it can effectively improve FPR based on the flow or ratio of attack packets. In order for UDP to reduce FPR and improve accuracy in the detection of attackers, it is necessary to set a threshold value greater than 2. It seems possible for IPPM to reduce FPR by gauging the attack time in the event of Fig.4 Traceback time of intra-as traceback methods SUZUKI Ayako et al. 71

8 Fig.5 Verification conditions and configuration of verification network for inter-as traceback Fig.7 Configuration of verification network for mixed (attack and normal) traffic Table 6 Verification conditions for mixed (attack and normal) traffic Fig.6 Traceback time of inter-as traceback fairly high-speed DDoS attacks. D) Proposals related to operation Based on the FPR verification results of traceback systems we suggest the following three approaches: Measure Synflood attacks in real time in order to distinguish between normal data and attack flows. When an attack is detected by the above procedure, use a traceback system to generate a suspect list. Generate a suspect list periodically (e.g., every second at the time of attacks) and judge frequently listed nodes as highly suspicious. 5 Conclusions In this study, we put forward mathematical models that express traceback time of intra- AS traceback methods such as ICMP, IPPM, HASH, and UDP, as well as inter-as traceback. Based on these models, we then predicted traceback time in the event of multiple attackers. We also conducted actual measurement of traceback time and compared the measurement results with our predictions. By testing intra-as traceback, we verified that the actual measured values are almost the same as the predicted values, and that the newly developed UDP method is faster than the other methods. By testing inter-as traceback, we verified that the actual measured values are almost the same as the predicted values, and that traceback time is determined by the maximum hop count between the victim and attackers and is not dependent on topology or number of attacks. Moreover, we analyzed FPR reliability characteristics in a mixed (attack and normal) traffic environment, comparing the UDP and IPPM methods. The results indicate that it is 72 Journal of the National Institute of Information and Communications Technology Vol.52 Nos.1/2 2005

9 the event of fairly high-speed DDoS attacks. We verified that it is possible to predict traceback time of traceback methods using the mathematical models we put forward in this paper, and we used reliability indexes, FPRs, to analyze the reliability characteristics of these methods. Acknowledgements Fig.8 Change in FPR necessary to set a threshold value greater than 2 in order for the UDP method to reduce FPR and improve accuracy in the detection of attackers, and that it seems possible for IPPM to reduce FPR by gauging the attack time in This research was carried out based on the Research and Development on Security of Large-Scale Networks project commissioned by the National Institute of Information and Communications Technology. We would like to express our gratitude to NICT for its guidance and support. References 01 StevenM. Bellovin, ICMPTracebackMessage, InternetDraft: draft-vellovin-itrace-00.txt, submitted Mar S. Savage et al., Practical Network Support for IP Traceback, Proc. of the ACM SIGCOMM conference, Aug. 2000, Stockholm, Sweden. 03 Alex C. Snoeren et al., Hash-Based IP Traceback, Proc. of the ACM SIGCOMM 2001 Conf., Sandi ego, CA, Oct Naohiro Fukuda et al., Research and Development for Traceback System in Large-Scale Networks, IEICE2004 General Conference, Mar Toshifumi Kai et al., Efficient Traceback Method for Detecting DDoS, Internet conference2004 collected papers, pp , Oct Toshifumi Kai et al., Inter AS Traceback Method for Detecting DDoS Attacks, IPSJ CSEC Group, Toshifumi Kai et al., Efficient Traceback Method for Detecting DDoS Attacks, IPSJ CSEC Group, D.Song et al., Advanced and Authenticated Marking Schemes for IP Trace back Proc. IEEE INFO- COM, Apr SUZUKI Ayako et al. 73

### Large-Scale IP Traceback in High-Speed Internet

2004 IEEE Symposium on Security and Privacy Large-Scale IP Traceback in High-Speed Internet Jun (Jim) Xu Networking & Telecommunications Group College of Computing Georgia Institute of Technology (Joint

### Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA 70803 durresi@csc.lsu.edu. DDoS and IP Traceback. Overview

DDoS and IP Traceback Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA 70803 durresi@csc.lsu.edu Louisiana State University DDoS and IP Traceback - 1 Overview Distributed Denial of Service

### A Novel Packet Marketing Method in DDoS Attack Detection

SCI-PUBLICATIONS Author Manuscript American Journal of Applied Sciences 4 (10): 741-745, 2007 ISSN 1546-9239 2007 Science Publications A Novel Packet Marketing Method in DDoS Attack Detection 1 Changhyun

### RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory.

: Real-time Inter-network Defense Against Denial of Service Attacks Kathleen M. Moriarty 22 October 2002 This work was sponsored by the Air Force Contract number F19628-00-C-002. Opinions, interpretations,

### A Survey of IP Traceback Mechanisms to overcome Denial-of-Service Attacks

A Survey of IP Traceback Mechanisms to overcome Denial-of-Service Attacks SHWETA VINCENT, J. IMMANUEL JOHN RAJA Department of Computer Science and Engineering, School of Computer Science and Technology

### Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks

Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks Prashil S. Waghmare PG student, Sinhgad College of Engineering, Vadgaon, Pune University, Maharashtra, India. prashil.waghmare14@gmail.com

### Forensics Tracking for IP Spoofers Using Path Backscatter Messages

Forensics Tracking for IP Spoofers Using Path Backscatter Messages Mithun Dev P D 1, Anju Augustine 2 1, 2 Department of Computer Science and Engineering, KMP College of Engineering, Asamannoor P.O Poomala,

### A Hybrid Approach for Detecting, Preventing, and Traceback DDoS Attacks

A Hybrid Approach for Detecting, Preventing, and Traceback DDoS Attacks ALI E. EL-DESOKY 1, MARWA F. AREAD 2, MAGDY M. FADEL 3 Department of Computer Engineering University of El-Mansoura El-Gomhoria St.,

### DDoS Attack Traceback and Beyond. Yongjin Kim

DDoS Attack Traceback and Beyond Yongjin Kim Outline Existing DDoS attack traceback (or commonly called IP traceback) schemes * Probabilistic packet marking Logging-based scheme ICMP-based scheme Tweaking

### Design and Experiments of small DDoS Defense System using Traffic Deflecting in Autonomous System

Design and Experiments of small DDoS Defense System using Traffic Deflecting in Autonomous System Ho-Seok Kang and Sung-Ryul Kim Konkuk University Seoul, Republic of Korea hsriver@gmail.com and kimsr@konkuk.ac.kr

### Proving Distributed Denial of Service Attacks in the Internet

Proving Distributed Denial of Service Attacks in the Internet Prashanth Radhakrishnan, Manu Awasthi, Chitra Aravamudhan {shanth, manua, caravamu}@cs.utah.edu Abstract In this course report, we present

### Packet-Marking Scheme for DDoS Attack Prevention

Abstract Packet-Marking Scheme for DDoS Attack Prevention K. Stefanidis and D. N. Serpanos {stefanid, serpanos}@ee.upatras.gr Electrical and Computer Engineering Department University of Patras Patras,

### Tracing Network Attacks to Their Sources

Tracing Network s to Their Sources Security An IP traceback architecture in which routers log data about packets and adjacent forwarding nodes lets us trace s to their sources, even when the source IP

### packet retransmitting based on dynamic route table technology, as shown in fig. 2 and 3.

Implementation of an Emulation Environment for Large Scale Network Security Experiments Cui Yimin, Liu Li, Jin Qi, Kuang Xiaohui National Key Laboratory of Science and Technology on Information System

### Inter-provider Coordination for Real-Time Tracebacks

Inter-provider Coordination for Real-Time Tracebacks Kathleen M. Moriarty 2 June 2003 This work was sponsored by the Air Force Contract number F19628-00-C-002. Opinions, interpretations, conclusions, and

### An IP Trace back System to Find the Real Source of Attacks

An IP Trace back System to Find the Real Source of Attacks A.Parvathi and G.L.N.JayaPradha M.Tech Student,Narasaraopeta Engg College, Narasaraopeta,Guntur(Dt),A.P. Asso.Prof & HOD,Dept of I.T,,Narasaraopeta

### A Stateless Traceback Technique for Identifying the Origin of Attacks from a Single Packet

A Stateless Traceback Technique for Identifying the Origin of Attacks from a Single Packet Marcelo D. D. Moreira, Rafael P. Laufer, Natalia C. Fernandes, and Otto Carlos M. B. Duarte Universidade Federal

### NEW TECHNIQUES FOR THE DETECTION AND TRACKING OF THE DDOS ATTACKS

NEW TECHNIQUES FOR THE DETECTION AND TRACKING OF THE DDOS ATTACKS Iustin PRIESCU, PhD Titu Maiorescu University, Bucharest Sebastian NICOLAESCU, PhD Verizon Business, New York, USA Rodica NEAGU, MBA Outpost24,

### Denial of Service. Tom Chen SMU tchen@engr.smu.edu

Denial of Service Tom Chen SMU tchen@engr.smu.edu Outline Introduction Basics of DoS Distributed DoS (DDoS) Defenses Tracing Attacks TC/BUPT/8704 SMU Engineering p. 2 Introduction What is DoS? 4 types

### Efficient Detection of Ddos Attacks by Entropy Variation

IOSR Journal of Computer Engineering (IOSRJCE) ISSN: 2278-0661, ISBN: 2278-8727 Volume 7, Issue 1 (Nov-Dec. 2012), PP 13-18 Efficient Detection of Ddos Attacks by Entropy Variation 1 V.Sus hma R eddy,

### Tackling Congestion to Address Distributed Denial of Service: A Push-Forward Mechanism

Tackling Congestion to Address Distributed Denial of Service: A Push-Forward Mechanism Srinivasan Krishnamoorthy and Partha Dasgupta Computer Science and Engineering Department Arizona State University

### Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering

Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls

### Defenses against Distributed Denial of Service Attacks. Internet Threat: DDoS Attacks

Defenses against Distributed Denial of Service Attacks Adrian Perrig, Dawn Song, Avi Yaar CMU Internet Threat: DDoS Attacks Denial of Service (DoS) attack: consumption (exhaustion) of resources to deny

### Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by

### 2-6 Log Management System Based on Distributed Database Using P2P Network

2-6 Log Management System Based on Distributed Database Using P2P Network KAMIO Masakazu, ISHIDA Tsunetake, and HAKODA Takahisa It is necessary to investigate the phenomena in order to perform the countermeasures

### Analysis of Automated Model against DDoS Attacks

Analysis of Automated Model against DDoS Attacks Udaya Kiran Tupakula Vijay Varadharajan Information and Networked Systems Security Research Division of Information and Communication Sciences Macquarie

### Analysis of IP Spoofed DDoS Attack by Cryptography

www..org 13 Analysis of IP Spoofed DDoS Attack by Cryptography Dalip Kumar Research Scholar, Deptt. of Computer Science Engineering, Institute of Engineering and Technology, Alwar, India. Abstract Today,

### EFFICIENT DETECTION IN DDOS ATTACK FOR TOPOLOGY GRAPH DEPENDENT PERFORMANCE IN PPM LARGE SCALE IPTRACEBACK

EFFICIENT DETECTION IN DDOS ATTACK FOR TOPOLOGY GRAPH DEPENDENT PERFORMANCE IN PPM LARGE SCALE IPTRACEBACK S.Abarna 1, R.Padmapriya 2 1 Mphil Scholar, 2 Assistant Professor, Department of Computer Science,

### Internet Protocol trace back System for Tracing Sources of DDoS Attacks and DDoS Detection in Neural Network Packet Marking

Internet Protocol trace back System for Tracing Sources of DDoS Attacks and DDoS Detection in Neural Network Packet Marking 1 T. Ravi Kumar, 2 T Padmaja, 3 P. Samba Siva Raju 1,3 Sri Venkateswara Institute

### Strategies to Protect Against Distributed Denial of Service (DD

Strategies to Protect Against Distributed Denial of Service (DD Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics

### 3-7 Reproduction and Emulation Technologies for Researches on Secure Networking

3-7 Reproduction and Emulation Technologies for Researches on Secure Networking Mechanisms of various attacks must be analyzed in detail for clarifying and defining targets of research and development

### Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Presented by Scott McLaren 1 Overview DDoS overview Types of attacks

### An apparatus for P2P classification in Netflow traces

An apparatus for P2P classification in Netflow traces Andrew M Gossett, Ioannis Papapanagiotou and Michael Devetsikiotis Electrical and Computer Engineering, North Carolina State University, Raleigh, USA

### Preventing Resource Exhaustion Attacks in Ad Hoc Networks

Preventing Resource Exhaustion Attacks in Ad Hoc Networks Masao Tanabe and Masaki Aida NTT Information Sharing Platform Laboratories, NTT Corporation, 3-9-11, Midori-cho, Musashino-shi, Tokyo 180-8585

### TTL based Packet Marking for IP Traceback

TTL based Packet Marking for IP Traceback Vamsi Paruchuri, Aran Durresi and Sriram Chellappan* Abstract Distributed Denial of Service Attacks continue to pose maor threats to the Internet. In order to

### Analysis of Internet Topologies

Analysis of Internet Topologies Ljiljana Trajković ljilja@cs.sfu.ca Communication Networks Laboratory http://www.ensc.sfu.ca/cnl School of Engineering Science Simon Fraser University, Vancouver, British

### An Efficient Filter for Denial-of-Service Bandwidth Attacks

An Efficient Filter for Denial-of-Service Bandwidth Attacks Samuel Abdelsayed, David Glimsholt, Christopher Leckie, Simon Ryan and Samer Shami Department of Electrical and Electronic Engineering ARC Special

### Port Hopping for Resilient Networks

Port Hopping for Resilient Networks Henry C.J. Lee, Vrizlynn L.L. Thing Institute for Infocomm Research Singapore Email: {hlee, vriz}@i2r.a-star.edu.sg Abstract With the pervasiveness of the Internet,

### Entropy-Based Collaborative Detection of DDoS Attacks on Community Networks

Entropy-Based Collaborative Detection of DDoS Attacks on Community Networks Krishnamoorthy.D 1, Dr.S.Thirunirai Senthil, Ph.D 2 1 PG student of M.Tech Computer Science and Engineering, PRIST University,

### Analysis of Methods Organization of the Modelling of Protection of Systems Client-Server

Available online at www.globalilluminators.org GlobalIlluminators Full Paper Proceeding MI-BEST-2015, Vol. 1, 63-67 FULL PAPER PROCEEDING Multidisciplinary Studies ISBN: 978-969-9948-10-7 MI-BEST 2015

### A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS

ICTACT JOURNAL ON COMMUNICATION TECHNOLOGY, JUNE 2010, ISSUE: 02 A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS S.Seetha 1 and P.Raviraj 2 Department of

### TRAFFIC REDIRECTION ATTACK PROTECTION SYSTEM (TRAPS)

TRAFFIC REDIRECTION ATTACK PROTECTION SYSTEM (TRAPS) Vrizlynn L. L. Thing 1,2, Henry C. J. Lee 2 and Morris Sloman 1 1 Department of Computing, Imperial College London, 180 Queen s Gate, London SW7 2AZ,

### Classification and State of Art of IP Traceback Techniques for DDoS Defense

Classification and State of Art of IP Traceback Techniques for DDoS Defense Karanpreet Singh a, Krishan Kumar b, Abhinav Bhandari c,* a Computer Science & Engg.,Punjab Institute of Technology,Kapurthala,

### Network Traceability Technologies for Identifying Performance Degradation and Fault Locations for Dependable Networks

Network Traceability Technologies for Identifying Performance Degradation and Fault Locations for SHIMONISHI Hideyuki, YAMASAKI Yasuhiro, MURASE Tsutomu, KIRIHA Yoshiaki Abstract This paper discusses the

### EINDHOVEN UNIVERSITY OF TECHNOLOGY Department of Mathematics and Computer Science

EINDHOVEN UNIVERSITY OF TECHNOLOGY Department of Mathematics and Computer Science Examination Computer Networks (2IC15) on Monday, June 22 nd 2009, 9.00h-12.00h. First read the entire examination. There

### A Passive Method for Estimating End-to-End TCP Packet Loss

A Passive Method for Estimating End-to-End TCP Packet Loss Peter Benko and Andras Veres Traffic Analysis and Network Performance Laboratory, Ericsson Research, Budapest, Hungary {Peter.Benko, Andras.Veres}@eth.ericsson.se

### Firewalls and Intrusion Detection

Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

### A Novel Distributed Denial of Service (DDoS) Attacks Discriminating Detection in Flash Crowds

International Journal of Research Studies in Science, Engineering and Technology Volume 1, Issue 9, December 2014, PP 139-143 ISSN 2349-4751 (Print) & ISSN 2349-476X (Online) A Novel Distributed Denial

### Analysis of Traceback Techniques

Analysis of Traceback Techniques Udaya Kiran Tupakula Vijay Varadharajan Information and Networked Systems Security Research Division of ICS, Macquarie University North Ryde, NSW-2109, Australia {udaya,

### Analysis of Internet Topologies: A Historical View

Analysis of Internet Topologies: A Historical View Mohamadreza Najiminaini, Laxmi Subedi, and Ljiljana Trajković Communication Networks Laboratory http://www.ensc.sfu.ca/cnl Simon Fraser University Vancouver,

### The Internet provides a wealth of information,

IP Traceback: A New Denial-of-Service Deterrent? The increasing frequency of malicious computer attacks on government agencies and Internet businesses has caused severe economic waste and unique social

### Prevention, Detection and Mitigation of DDoS Attacks. Randall Lewis MS Cybersecurity

Prevention, Detection and Mitigation of DDoS Attacks Randall Lewis MS Cybersecurity DDoS or Distributed Denial-of-Service Attacks happens when an attacker sends a number of packets to a target machine.

### Provider-Based Deterministic Packet Marking against Distributed DoS Attacks

Provider-Based Deterministic Packet Marking against Distributed DoS Attacks Vasilios A. Siris and Ilias Stavrakis Institute of Computer Science, Foundation for Research and Technology - Hellas (FORTH)

### A Real-Time Network Traffic Based Worm Detection System for Enterprise Networks

A Real-Time Network Traffic Based Worm Detection System for Enterprise Networks Long-Quan Zhao 1, Seong-Chul Hong 1, Hong-Taek Ju 2 and James Won-Ki Hong 1 1 Dept. of Computer Science and Engineering,

### Experimentation driven traffic monitoring and engineering research

Experimentation driven traffic monitoring and engineering research Amir KRIFA (Amir.Krifa@sophia.inria.fr) 11/20/09 ECODE FP7 Project 1 Outline i. Future directions of Internet traffic monitoring and engineering

### An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

2011 International Conference on Network and Electronics Engineering IPCSIT vol.11 (2011) (2011) IACSIT Press, Singapore An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks Reyhaneh

### SBSCET, Firozpur (Punjab), India

Volume 3, Issue 9, September 2013 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Layer Based

### Outline. Outline. Outline

Network Forensics: Network Prefix Scott Hand September 30 th, 2011 1 What is network forensics? 2 What areas will we focus on today? Basics Some Techniques What is it? OS fingerprinting aims to gather

### Multi-layer traffic engineering in photonic-gmpls-router networks

Multi-layer traffic engineering in photonic-gmpls-router networks Naoaki Yamanaka, Masaru Katayama, Kohei Shiomoto, Eiji Oki and Nobuaki Matsuura * NTT Network Innovation Laboratories * NTT Network Service

### Performance of networks containing both MaxNet and SumNet links

Performance of networks containing both MaxNet and SumNet links Lachlan L. H. Andrew and Bartek P. Wydrowski Abstract Both MaxNet and SumNet are distributed congestion control architectures suitable for

### Oblivious DDoS Mitigation with Locator/ID Separation Protocol

Oblivious DDoS Mitigation with Locator/ID Separation Protocol Kazuya Okada, Hiroaki Hazeyama, Youki Kadobayashi Nara Institute of Science and Technology, Japan {kazuya-o, hiroa-ha, youki-k}@is.naist.jp

### Tracers Placement for IP Traceback against DDoS Attacks

Tracers Placement for IP Traceback against DDoS Attacks Chun-Hsin Wang, Chang-Wu Yu, Chiu-Kuo Liang, Kun-Min Yu, Wen Ouyang, Ching-Hsien Hsu, and Yu-Guang Chen Department of Computer Science and Information

### Secure Attack Measure Selection and Intrusion Detection in Virtual Cloud Networks. Karnataka. www.ijreat.org

Secure Attack Measure Selection and Intrusion Detection in Virtual Cloud Networks Kruthika S G 1, VenkataRavana Nayak 2, Sunanda Allur 3 1, 2, 3 Department of Computer Science, Visvesvaraya Technological

### International Journal of Emerging Technologies in Computational and Applied Sciences (IJETCAS) www.iasir.net

International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research) International Journal of Emerging Technologies in Computational

### Securing Ad Hoc Wireless Networks Against Data Injection Attacks Using Firewalls

Securing Ad Hoc Wireless Networks Against Data Injection Attacks Using Firewalls Jun Cheol Park and Sneha Kumar Kasera School of Computing, University of Utah Email: {jcpark, kasera}@cs.utah.edu Abstract

### SWAT: Small World-based Attacker Traceback in Ad-hoc Networks

SWAT: Small World-based Attacker Traceback in Ad-hoc Networks Yongjin Kim, 2 Ahmed Helmy,2 Electrical Engineering Dept. Systems University of Southern California, California, U.S.A. yongjkim@usc.edu, 2

### Based on Computer Networking, 4 th Edition by Kurose and Ross

Computer Networks Internet Routing Based on Computer Networking, 4 th Edition by Kurose and Ross Intra-AS Routing Also known as Interior Gateway Protocols (IGP) Most common Intra-AS routing protocols:

### Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

Table of Content I. Note... 1 II. Login... 1 III. Real-time, Daily and Monthly Report... 3 Part A: Real-time Report... 3 Part 1: Traffic Details... 4 Part 2: Protocol Details... 5 Part B: Daily Report...

### A Practical Method to Counteract Denial of Service Attacks

A Practical Method to Counteract Denial of Service Attacks Udaya Kiran Tupakula Vijay Varadharajan Information and Networked System Security Research Division of Information and Communication Sciences

### Announcements. No question session this week

Announcements No question session this week Stretch break DoS attacks In Feb. 2000, Yahoo s router kept crashing - Engineers had problems with it before, but this was worse - Turned out they were being

### Quality of Service Routing Network and Performance Evaluation*

Quality of Service Routing Network and Performance Evaluation* Shen Lin, Cui Yong, Xu Ming-wei, and Xu Ke Department of Computer Science, Tsinghua University, Beijing, P.R.China, 100084 {shenlin, cy, xmw,

### EFFICIENT AND SECURE AUTONOMOUS SYSTEM BASED TRACEBACK

Journal of Interconnection Networks c World Scientific Publishing Company EFFICIENT AND SECURE AUTONOMOUS SYSTEM BASED TRACEBACK ARJAN DURRESI 1,VAMSI PARUCHURI 1, LEONARD BAROLLI 2, RAJGOPAL KANNAN 1,

### Testing Network Security Using OPNET

Testing Network Security Using OPNET Agustin Zaballos, Guiomar Corral, Isard Serra, Jaume Abella Enginyeria i Arquitectura La Salle, Universitat Ramon Llull, Spain Paseo Bonanova, 8, 08022 Barcelona Tlf:

### On Evaluating IP Traceback Schemes: A Practical Perspective

2013 IEEE Security and Privacy Workshops On Evaluating IP Traceback Schemes: A Practical Perspective Vahid Aghaei-Foroushani Faculty of Computer Science Dalhousie University Halifax, NS, Canada vahid@cs.dal.ca

### Tracking and Tracing Spoofed IP Packets to Their Sources

Tracking and Tracing Spoofed IP Packets to Their Sources Alaaeldin A. Aly, College of IT, aly@uaeu.ac.ae Ezedin Barka, College of IT, ebarka@uaeu.ac.ae U.A.E. University, Al-Ain, P.O. Box: 17555, U.A.E.

### Research on Errors of Utilized Bandwidth Measured by NetFlow

Research on s of Utilized Bandwidth Measured by NetFlow Haiting Zhu 1, Xiaoguo Zhang 1,2, Wei Ding 1 1 School of Computer Science and Engineering, Southeast University, Nanjing 211189, China 2 Electronic

### DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR

Journal homepage: www.mjret.in DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Maharudra V. Phalke, Atul D. Khude,Ganesh T. Bodkhe, Sudam A. Chole Information Technology, PVPIT Bhavdhan Pune,India maharudra90@gmail.com,

### Application of Netflow logs in Analysis and Detection of DDoS Attacks

International Journal of Computer and Internet Security. ISSN 0974-2247 Volume 8, Number 1 (2016), pp. 1-8 International Research Publication House http://www.irphouse.com Application of Netflow logs in

### A Brief Survey of IP Traceback Methodologies

Acta Polytechnica Hungarica Vol. 11, No. 9, 2014 A Brief Survey of IP Traceback Methodologies Vijayalakshmi Murugesan, Mercy Shalinie, Nithya Neethimani Department of Computer Science and Engineering,Thigarajar

### An Efficient Load Balancing Technology in CDN

Issue 2, Volume 1, 2007 92 An Efficient Load Balancing Technology in CDN YUN BAI 1, BO JIA 2, JIXIANG ZHANG 3, QIANGGUO PU 1, NIKOS MASTORAKIS 4 1 College of Information and Electronic Engineering, University

### CS 356 Lecture 16 Denial of Service. Spring 2013

CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter

### III. Our Proposal ASOP ROUTING ALGORITHM. A.Position Management

Secured On-Demand Position Based Private Routing Protocol for Ad-Hoc Networks Ramya.R, Shobana.K, Thangam.V.S ramya_88@yahoo.com, k shobsi@yahoo.co.in,thangam_85@yahoo.com Department of Computer Science,

### Active Internet Traffic Filtering to Denial of Service Attacks from Flash Crowds

Active Internet Traffic Filtering to Denial of Service Attacks from Flash Crowds S.Saranya Devi 1, K.Kanimozhi 2 1 Assistant professor, Department of Computer Science and Engineering, Vivekanandha Institute

### Towards Improving an Algebraic Marking Scheme for Tracing DDoS Attacks

International Journal of Network Security, Vol.9, No.3, PP.204 213, Nov. 2009 204 Towards Improving an Algebraic Marking Scheme for Tracing DDoS Attacks Moon-Chuen Lee, Yi-Jun He, and Zhaole Chen (Corresponding

### Datagram-based network layer: forwarding; routing. Additional function of VCbased network layer: call setup.

CEN 007C Computer Networks Fundamentals Instructor: Prof. A. Helmy Homework : Network Layer Assigned: Nov. 28 th, 2011. Due Date: Dec 8 th, 2011 (to the TA) 1. ( points) What are the 2 most important network-layer

### Security vulnerabilities in the Internet and possible solutions

Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

### A Novel Technique for Detecting DDoS Attacks at Its Early Stage

A Novel Technique for Detecting DDo Attacks at Its Early tage Bin Xiao 1, Wei Chen 1,2, and Yanxiang He 2 1 Department of Computing, The Hong Kong Polytechnic University, Hung Hom, Kowloon, Hong Kong {csbxiao,

### Source-domain DDoS Prevention

bhattacharjee, LTS S 05 Page: 0 Source-domain DDoS Prevention Bobby Bhattacharjee Christopher Kommareddy Mark Shayman Dave Levin Richard La Vahid Tabatabaee University of Maryland bhattacharjee, LTS S

### Assignment #3 Routing and Network Analysis. CIS3210 Computer Networks. University of Guelph

Assignment #3 Routing and Network Analysis CIS3210 Computer Networks University of Guelph Part I Written (50%): 1. Given the network graph diagram above where the nodes represent routers and the weights

### Filtering Based Techniques for DDOS Mitigation

Filtering Based Techniques for DDOS Mitigation Comp290: Network Intrusion Detection Manoj Ampalam DDOS Attacks: Target CPU / Bandwidth Attacker signals slaves to launch an attack on a specific target address

### Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks Document ID: 13634 Contents Introduction Understanding the Basics of DDoS Attacks Characteristics of Common Programs Used to Facilitate

### CS 5480/6480: Computer Networks Spring 2012 Homework 4 Solutions Due by 1:25 PM on April 11 th 2012

CS 5480/6480: Computer Networks Spring 2012 Homework 4 Solutions Due by 1:25 PM on April 11 th 2012 Important: The solutions to the homework problems from the course book have been provided by the authors.

### Extended UDP Multiple Hole Punching Method to Traverse Large Scale NATs

APAN Network Research Workshop 2010 at the 30th APAN Meeting August 9, 2010 Hanoi, Vietnam i-path Project Extended UDP Multiple Hole Punching Method to Traverse Large Scale NATs Kazuhiro Tobe, Akihiro

### Exterior Gateway Protocols (BGP)

Exterior Gateway Protocols (BGP) Internet Structure Large ISP Large ISP Stub Dial-Up ISP Small ISP Stub Stub Stub Autonomous Systems (AS) Internet is not a single network! The Internet is a collection

### Index Terms Denial-of-Service Attack, Intrusion Prevention System, Internet Service Provider. Fig.1.Single IPS System

Detection of DDoS Attack Using Virtual Security N.Hanusuyakrish, D.Kapil, P.Manimekala, M.Prakash Abstract Distributed Denial-of-Service attack (DDoS attack) is a machine which makes the network resource

### DETECTION OF DDOS ATTACKS USING IP TRACEBACK AND NETWORK CODING TECHNIQUE

DETECTION OF DDOS ATTACKS USING IP TACEBACK AND NETWOK CODING TECHNIQUE J.SATHYA PIYA 1, M.AMAKISHNAN 2, S.P.AJAGOPALAN 3 1 esearch Scholar, Anna University, Chennai, India 2Professor,Velammal Engineering

### WON (Wireless Overlay Network) for Traceback of Distributed Denial of Service

WON (Wireless Overlay Network) for Traceback of Distributed Denial of Service Yan Sun, Anup Kumar, S. Srinivasam * Mobile Information Network and Distributed Systems (MINDS) Lab Computer Engineering and