How To Mark A Packet For Ip Traceback

Transcription

1 DDPM: Dynamic Deterministic Packet Marking for IP Traceback Reza Shokri, Ali Varshovi, Hossein Mohammadi, Nasser Yazdani, Babak Sadeghian Router Laboratory, ECE Department, University of Tehran, Tehran, Iran Data Security Research Laboratory, CE Department, Amir Kabir University of Technology, Tehran, Iran Abstract This paper introduces the concepts of Dynamic Marking and Mark-based Detection to the field of IP Traceback. In Dynamic Marking it is possible to find the attack agents in a large scale DDoS network. Moreover, in the case of a DRDoS it enables the victim to trace the attack one step further back to the source, to find a master machine or the real attacker with only a few numbers of packets. The proposed marking procedure increases the possibility of DRDoS attack detection at the victim through Mark-based Detection. In Mark-based method, the detection engine takes into account the marks of the packets to identify varying sources of a single site involved in a DDoS attack. This significantly increases the probability of detection. In order to satisfy the end-to-end arguments approach, fate-sharing and also respect to the need for scalable and applicable schemes, only edge routers implement our simple marking procedure. The delay and bandwidth overhead added to the edge routers is fairly negligible. Keywords- DDoS, DRDoS, IP Traceback, Dynamic Marking, Mark-Based Detection. I. INTRODUCTION Denial of Service (DoS) is a serious threat to the availability of services in computer networks and infrastructures. CERT coordination center defines a DoS attack as the prevention of authorized access to a system resource or the delaying of system operations and functions [1]. Amoroso defines a DoS attack more precisely as follows: the DoS [Denial of Service] threat will be defined to occur when a service associated with a maximum waiting time (denoted MWT) is requested by a user at time t and is not provided to that user by the time (t + MWT). [2]. DoS attacks may use semantic strategies to exploit a specific feature or implementation bug of some protocol or application installed at the victim or may initiate a vast amount of legitimate network traffic to the victim in a brute-force or frequently called flooding attacks [3]. In a Distributed DoS (DDoS) attack, an attacker compromises a number of other network plugged machines and forms a DoS attack network to send the attack traffic simultaneously to the victim from various machines. In this way the power of attack is multiplied and also using IP Spoofing techniques makes it more difficult to trace the real attacker machine. An effective technique that allows for amplification of the attack from a single source is a Distributed Reflected DoS (DRDoS) attack. The attacker would simply craft packets with the return address of the intended victim, and send those packets to the broadcast address of the reflector network. These packets would effectively reach all available and responsive hosts on that particular network and elicit a response from them. Since the return address of the requests was forged by the victim address, the response would be sent to the victim in the form of large volume network flow. The early versions of DRDoS attack use ICMP Echo or UDP Echo services (smurf, fraggle, and papasmurf [4]) but recently every responding protocol like TCP SYN or DNS replies is exploited to initiate this kind of DoS attack. Unfortunately there is no perfect defense against all flavors of DDoS and DRDoS, but there are several countermeasures that focus on either making the attack more difficult or on making the attacker accountable. Attack origin detection mechanisms try to find the attacker to stop it near the source. The source of the attack is defined as a device from which the flow of packets, constituting the attack, was initiated. Identifying the device from which the attack was initiated as well as the person(s) behind the attack is an ultimate challenge. But such problem is limited to identify the source of the offending packets whose addresses can be spoofed. This is called the IP Traceback problem. In this paper we propose a new deterministic packet marking approach, called DDPM, to find the source of DoS and DRDoS attacks, by deploying only edge routers in the Internet. The proposed algorithm not only is able to find the attacking agents in a DoS attack network but also in the case of a DRDoS attack, makes it possible to trace the attack one step further to the real origin. The proposed method also commences a new approach called Dynamic Marking to solve the problem of attack origin detection as it makes the routers more involved compare to just statically marking the packets, but as the algorithm needs to be implemented only in the edge routers and leaves the Internet core unchanged, the overhead is not considerable. We also propose a new method of detecting DRDoS attacks at the victim side based on the marks generated by DDPM. We believe that this Mark-based Detection can be extended to other types of DoS attacks and it is a task to be investigated in the future. The rest of paper is organized as follows: Section II summarizes previous works in the field of IP traceback; Section III explains some basic definitions and assumptions; Section IV presents DDPM in detail; Section V introduces mark-based detection and relating benefits of DDPM; Evaluation of the scheme is the subject of Section VI, while Section VII concludes the paper.

2 II. RELATED WORK Previous works are twofold: the methods that try to trace the attacks one step back toward the attackers, and the others which take into account distributed attacks (mostly DRDoS attacks) in their traceback procedures or filtering schemes. Firstly, we take a look at such traceback methods which can identify only direct DoS attackers or one step behind the sources of attack traffic generators in more complicated DDoS scenarios. In this field we consider five major classes of IP traceback mechanisms, Messaging, Information Appending, Link Testing, Log-based, and Marking. Messaging mechanisms such as ICMP traceback [5], [6] use explicit messages generated by routers to assist the receiver in constructing the traversed path of packets. Every router has to sample one of the packets it is forwarding, with low probability, and copy its contents into a special message (i.e. ICMP) including information about the adjacent routers along the path to the destination. These mechanisms must be deployed in most of the Internet core routers to be able to effectively construct attack path in flooding-style DoS attacks. In Information Appending methods, each router s address is appended to the end of the packet as it travels through the network from the source to the destination. Router stamping proposed in [7] is an instance of these methods. Because of large overhead on the network, such Information Appending methods are not practical in the Internet. In addition, Link Testing is another class of methods that start from the router closest to the victim and interactively test its upstream links to determine which one is used to carry the attacker s traffic for constructing the attack path. Controlled flooding [9] and Input debugging [8] are in this category, which are impractical with respect to their high network and router overhead, as analyzed by Savage in [10]. Log-based is a class of proactive methods which help the victim to construct the path even after the attack has completed. Basic concepts of this approach suggested in [8] and [11]. The contribution is to log packets or hash value of packet information ([12] and [13]) at key routers and then use data mining techniques to determine the path that the packets traversed. A victim can then locate the path of a given packet by querying routers within a domain for the set of hashes corresponding to the packet. This query should be sent soon enough after the packet was transmitted to ensure that the record of its presence is still available in the router. These schemes need enormous resources to be applicable in the Internet routers. Also, because of limited memory in routers, some table overflow and entry injection attacks, especially in core network routers, are possible to disable these traceback mechanisms. In Marking methods, first proposed in [10], reconstruction of path is done by merging the marks of the router. These can be categorized to Probabilistic and Deterministic marking methods. In probabilistic packet marking schemes such as [10], [14], [15] and [16] every router puts its identity or its link identity as a mark on the forwarded packets, selectively. The victim by receiving enough number of packets can construct the attack path. In the other hand, deterministic packet marking schemes need routers to mark every outbound packet. Algebraic marking [17] and DPM proposed in [18] and [19] use deterministic packet marking for IP traceback. Also, Pi [20] marks all packets and uses TTL of packets to accommodate identity of the router in IP identification field. In deterministic marking approaches the victim needs only few marked packets to identify the source of attack traffic. Secondly, some methods try to find the attacker in a DDoS attack and specially DRDoS, as one of the distributed DoS attacks, in the Internet. Moreover, most of the efforts are to mitigate the effect of distributed attacks using filtering. A deterministic packet marking method (DERM) presented in [21] uses multiple hash functions to mark and further identify the DDoS attack traffic and trace back the attacker from the victim. This method needs two modules, an IDS and a DERM module, to be implemented in every host of the Internet. This makes the method hard to deploy. Modified ICMP traceback mechanism proposed in [22] in which routers send an ICMP message to the source of the justprocessed packet rather than its destination, in a random manner. The net effect is that in reflector attacks the victim receives messages that help to construct the path between the slave and the reflector. It is worth nothing that the reverse ITrace method does not depend on number of reflectors, but only on the number of slaves. An altered IP traceback approach proposed in [23], where the victim not only tries to reconstruct the attack path but also attempts to guess if a new coming packet lies on this identified attack path or not. A filtering technique (StackPi) proposed in [24] uses Pi [20] marking method to sieve the attack traffic. To filter the attack traffic they use a threshold strategy on the maximum allowable ratio of attack packets bearing a Pi mark to the total number of packets arriving with that particular Pi mark. Some methods such as the one presented in [25] make an effort to characterize distributed DoS attacks in order to filter them at the victim. These approaches are very dependent to attack scenarios and special characteristics of them and proposing a uniform method is not attainable. III. DEFINITIONS AND ASSUMPTIONS In this section, we simply express our definitions and assumptions. A. Definitions As mentioned before, the proposed method seeks to find the real origin or the master of a typical DRDoS while it is capable of tracing flooding DDoS attacks back toward the zombie or slave machines. We consider DDoS attacks to be semantic or brute-force. There is not a considerable difference between them because semantic attacks also overwhelm the victim resources by excess amount of traffic to be more effective. In some studies, DRDoS is also categorized as a flooding DDoS attack ([3], [25]) but the proposed method treats DDoS and DRDoS attacks

3 differently. We consider a three-tier attack network composed of the attacker machine(s), master and zombie machines. In the case of Denial of Service an Attacker is a malicious entity whose aim is to prevent the users of the network from achieving their goal of using services. In order to hide his identity the attacker may deploy several layers of indirection between his machine and the attack agents called Zombies. In a DRDoS attacks this agents are called Reflectors. A reflector is any IP host that will return a packet if sent a packet and because it is not compromised by an attacker it cannot spoof its IP address [25]. The zombies are controlled by Master machines that may communicate to the attacker directly or through another layer of indirection sometimes called a Stepping stone. According to the above definitions the proposed approach is able to find the zombies of a DDoS attack network and master machines involved in a DRDoS attack. B. Assumptions The basic assumptions for DDPM are listed below. Almost all of them are borrowed from previous studies, largely from [10], [18] and [21]: An attacker may generate any packet; Multiple attackers may conspire; Attackers may be aware they are being traced; Packets my be lost or reordered; Attackers send numerous packets; Edge routers are both processing power and memory limited; Edge routers are not compromised. We suppose that some kind of Intrusion Detection mechanism is available at the victim side. So after detecting the DDoS or a DRDoS attack the defense mechanism would retrieve the information of the attacking sources using the proposed algorithm. It is also a true assumption that routers are able to distinguish between packets that are coming from the Internet to the local network, named inbound, and packets that leaves Figure 1. A simple DRDoS attack path. the local network towards the Internet, called outbound traffic. IV. DYNAMIC DETERMINISTIC PACKET MARKING The main objective of DDPM is to make it possible to approach one step further to the real attacker compare to other deterministic approaches. In other words, with DDPM not also it is possible to find sources of the attack traffic (zombie machines) but to trace the attack one more level back if needed (e.g. in DRDoS attacks). DDPM does not introduce a major change in Internet core and only edge routers implement a simple marking procedure. In other words, another objective of the protocol is fate-sharing. A. Dynamic Marking Here, we introduce the concept of Dynamic Marking as a new approach to the field of IP traceback. According to this new concept we classify previous solutions as Static approaches. It is important to clear the difference between Dynamic and Static marking. A static marking approach enforces the router to mark every outbound packet without deciding how to mark a packet. Simply every packet passing through router R will be marked with a marking procedure mark_proc_r(_) which does not depend on the packet or the state of connection. As a good example, DPM tries to solve the problem of IP Traceback by statically marking outbound packets with ingress address of the edge router closest to the source [18]. In dynamic marking and especially in DDPM as the first and only method introduced with dynamic approach, the marks generated in a router for outbound packets are not always identical. In other words routers are engaged more than just statically marking the packets. They are powered with a decision making algorithm to decide whether to mark the packet with the IP address of the incoming interface or just use a previously stored mark. B. Marking Procedure In our algorithm main functions of a router are: filtering, store/retrieve, and marking. Firstly, edge routers must filter (drop) incoming broadcast packets. The router stores some information of every incoming packet and may retrieve and use them when marking a new packet. So, the router marks the outgoing packets based on a simple algorithm and decides to generate a new mark or use a stored one. In this section we describe this process in detail. After receiving every inbound packet, p, the router stores some parts of the packet header information which are packet source address (src), packet destination address (dst), packet identification filed (ID_field) and header flags. Before adding this information to the list, the router checks to see if it is a new record or just stored before. The duplication is not allowed in the list and the previous record is overwritten. Because of the low traffic on edge routers the required capacity to generate and store the list in the router is not considerable. Also, the information of any packet does not stay in the list longer than the round trip time between the router and a host in the LAN.

4 for each inbound packet P store the P header info into the start of the list. for each outbound packet P if P is not in any list I the incoming interface of P x random [0, 1) if x < ½ then P.ID_field I 0-15 P.flags[0] 0 P.flags[1] 0 else P.ID_field I P.flags[0] 1 P.flags[1] 0 else let r be the corresponding record for p in the list P.ID_field r.id_field P.flags[0] r.flags[0] P.flags[1] 1 Figure 2. Packet Marking Procedure. Every outbound packet is marked by the edge router. The mark is generated on the fly or retrieved from the stored information of inbound packets. First, the router seeks for a packet p which p.src = p.dst and p.dst=p.src and uses the mark of p for the received outbound packet p (p.id_field=p.id_field). If the there was no packet p in the list with the desired characteristics, the packet p is marked with the ingress address of the incoming interface. With this procedure and in the case of an attack the router provides the victim with the edge router address of the attacking agent. In a DDoS attack all the zombies directly flood the victim with attack traffic so the marks are generated in the edge router closest to the attacking agent and in a DRDoS attack since triggering packet is sent to the reflector network with the source address spoofed with the address of the victim machine, the router uses this mark for the whole attack traffic. In other words as shown in Figure 1 the attacker initiates the attack by sending packet p, the trigger packet, to the reflector network with source address p.src (victim address spoofed) and destination address p.dst. As illustrated by pseudo code in Figure 2 based on this trigger packet, all the generated attack packets have the source address p.dst and destination address p.src. So, respecting to defined procedure the marks on attack traffic packets will be identical to the mark of attacker s trigger packet. C. Packet Mark Encoding Since the scheme proposes a deterministic marking procedure, mark spoofing and mark validating problems are relaxed here. Here we propose a very simple marking procedure based on the DPM. Simply a 32-bit address of an interface is divided into two 16-bit parts and is transmitted in the ID_field of the IP packet. With a probability of 0.5, every incoming packet will be marked with part one of the IP address (bits 0 through 15) or the second part (bits 16 through 31). This randomness prevents the sophisticated attacker from creating a situation when only one part of the address is available to the victim. for each inbound packet p if P.dst == broadcast_addr then drop P else if P.src or P.ID_field is suspect to be part of attack traffic if detected_src[p.src] is not defined then create detected_src[p.src] if p.flags[0] equals to 0 then detected_src[p.src] 0-15 p.id_field else detected_src[p.src] p.id_field Figure 3. Reconstruction and filtering. Besides the 16 bits of the ID_field two bits of flag field are also deployed (p.flags[0] and p.flags[1]). The fist bit, p.flags[0] is set to 1 if the upper half of the IP address is sent or set to 0 for the lower half. The other flag bit, p.flags[1] is set to 1 if the mark on the packet is not generated by edge router and has just been copied form a previously stored record. It is obvious that using this procedure conflicts with the IP fragmentation and reassembly process because the ID_field and fragmentation flags are used. Accordingly, to address the fragmentation/reassembly problem we suggest the method presented in [19] in which the DDPM-enabled routers can suspend the random behavior in assigning the bits to the ID field. The ID field for all fragments of a given series has to be assigned the same address bits. By doing so, the destination would be able to successfully reassemble the original fragmented datagram. D. Reconstruction Here we explain two processes of Reconstruction of DDPM. As detailed in Figure 3, after detection of the attack the reconstruction procedure of our scheme will create a list, detected_src. The list is used to store the marks populated in ID_field of the inbound packets. The edge routers must also drop incoming broadcast packets to prevent the network behind from participating in a reflected attack. V. MARK-BASED DETECTION Design of intelligent Intrusion Detection Systems (IDS) with low false alarm and high detection rate is still an open problem in the field of network security. The sources of information to identify and detect network attacks are hostbased logs, traffic flow or combination of both. Because the IDS sensors are deployed at the victim side sub-network, some useful information about the network flow are lost before the packets enter the IDS sensors. DWARD [26], tries to detect the attacks and stop them at the source but as discussed before DDoS attacks may deploy several sub-networks to initiate an attack and this makes the source side detection more challenging. We believe that to solve the problem of network attack detection, like the IP traceback approaches, majority of network infrastructure nodes need to collaborate. As a practical example here we introduce and describe Mark-based Detection based on our marking approach which facilitates the detection of DRDoS attacks at the victim side.

5 Suppose the attacker deploys N reflection sites to orchestrate the attack. Here we analyze three possible cases: 1. There is no marking procedure implemented in the edge routers. In this case the detection of attack at the victim side is based on the traffic load of a specific protocol or traffic from a single host. Since the attacker locates a large number of reflectors to initiate the attack (say on the order of 1 million [25]), and a reflector does not send a large volume of traffic, detection based on the source IP will fail. It is also obvious that detection based on the traffic load of a specific protocol may fail because the attack traffic is not always discernible at the victim side. For example the victim may be a web server and the attack may use TCP SYN packets. 2. A static marking procedure like DPM has been implemented in the edge routers. In this case since all the packets are marked in the edge routers all the attack packets from a single reflector site have identical marks. So detection based on packet marks empowers the IDS to reduce the ambiguity we stated in the first case. To be optimistic it is also possible to completely detect the attack if the attacking rate of a single reflector site pass the threshold T of some statistical methods used in the IDS. Now consider R e as the effective attacking rate which states the rate that should be reached in order to affect the victim by the DRDoS attack. In other words, let R be the attack traffic rate generated by reflector site i then i N i= 1 if Ri Re, then the initiated attack would be effective at the victim. If N is large enough so that N ; R N << Re then the detection based on marks will also fail. To minimize this problem threshold T can be set to a lower value instead of R. 3. Implementing DDPM in the edge routers. As we stated before the attacker deploys as much of reflector sites to avoid passing the threshold of IDS at the victim side. By implementing DDPM, all the packets of a DRDoS attack have the same mark and this characteristic does not depend on the site the packet comes from. In the worst case all the packets from a reflector domain controlled by a slave machine have identical marks and if the threshold has been set to a lower value than R e the probability of detecting the attack increases significantly. VI. EVALUATION We have evaluated DDPM with respect to the most important metrics presented in previous works such as [21] and [24]. Processing and memory overhead on routers must be minimal for the practical deployment of the scheme. Since bandwidth is one of the bottlenecks during flooding attacks, the scheme must not introduce additional bandwidth overhead. Due to the principle of fate-sharing [27] as well as end-toend arguments the protocol should put as less overhead as possible on routers. Here we analyze the effect of our protocol on an edge router. Fortunately, edge routers are less sensitive to the overhead than cores. e From an abstract point of view, the work should be done within an IP router upon our protocol is to find the appropriate tuple (S,D) in the table constructed by the protocol. A straight implementation of Multi-dimensional B-Tree [28] can solve the problem with logarithmic time complexity. Using more sophisticated methods like HASIL [29] and multiway multicolumn search [30], we can introduce better results. HASIL reports a throughput of 40Gbps for prefix matching within a large routing table (e.g. 150K prefixes). Of course in the case of exact matching, it can support even faster lines (Theoretically two times faster). [30] reports supporting high line speeds (actually depends on the running processor) for prefix matching. Besides, our job is to perform exact tuple matching which is a subset of general prefix (pattern) matching problem. Therefore, the proposed methods could be applied to our problem directly. We have employed similar technique to find the time requirements and consequently supported bandwidth of our method. Table I shows the average bandwidth by assuming a 2000 bits length for mean packet. TABLE I. SUPPORTED BANDWIDTH IN GBPS FOR DIFFERENT TABLE SIZES (NO. OF ENTRIES 1000) Table Size Bandwidth According the table and the issue of packet-level pipelining in an IP router [31] the time overhead of our method will be fully covered by the time consumption of the forwarding engine. Therefore, our method will not put any considerable time (and consequently bandwidth) overhead on the edge routers. Of course as many entries we have in the flow table we achieve higher attack detection rate. Space overhead is unavoidable but nowadays routers are equipped with large amount of physical memories which makes the space overhead of our method ignorable. On the other hand, since our implementation relies on employing similar data structure like HASIL, its memory space utilization will be 54%~65% for tables of size 1K~100K. Considering a sample table size of 20K tuples of IP addresses, the worst case of memory requirement will be as shown in equation 1. Mem = Utilization Size TupleLength = = bits = 84 KB The estimated sample indicates that memory consumption will be negligible for rule tables with an order of magnitude larger size. Once the attack has been identified, the traceback scheme should require very few packets to identify the attacker. Because the proposed approach uses the DPM mark encoding principles it needs only ten marked packets to obtain the address of corresponding edge router with a probability higher than 99.9% [18]. An ideal traceback scheme also must be inserted with little infrastructure and operational changes and the actual traceback process must involve little or no burden on the ISP. As stated before DDPM only needs to be implemented in the (1)

6 edge router and obviously keeps this characteristic. An ideal scheme should be easily scalable. Our scheme is simply scalable by implementing DDPM in every edge router newly connected to the Internet. The proposed scheme marks every outbound packet, so mark spoofing is not possible and it is very difficult for an attacker who is aware of the scheme to orchestrate an attack that is untraceable. VII. CONCLUSION In this paper, we have introduced a new method to solve the problem of IP traceback named DDPM. It is based on Dynamic Marking, as a new approach to packet marking, to help us finding the real source of distributed reflector DoS attacks in addition to zombies of a DDoS in the Internet. Also, to facilitate the detection of DRDoS at the victim, we have proposed a novel detection approach based on marks of packets, named Mark-based Detection. With respect to end-toend argument we put only a negligible overhead on edge routers without any changes on the core of the Internet. We have employed the same manner of DRDoS attacks to detect the source of attack traffic one step further back to the real origin. The evaluation shows the benefits of DDPM and proves it is applicable. The main drawback of DDPM is that the reconstruction process relies on the source address of packets to merge two halves of a particular edge router address. It is not a problem in the case of a DRDoS attack, since reflectors are not compromised and can not spoof their IP addresses but the problem remains to address in the future for a DDoS attack. Using more sophisticated marking methods might leads to detection of more complicated DDoS attacks by means of DDPM and Dynamic Marking approach. REFERENCES [1] K. J. Houle and G. M. Weaver, Trends in Denial of Service Attack Technology, CERT Coordination Center, October [2] E. Amoroso, Fundamentals of Computer Security, Prentice Hall, New Jersey, l994. [3] J. Mirkovic and P. Reiher, A Taxonomy of DDoS Attacks and Defense Mechanisms, ACM SIGCOMM Computer Communications Review, Volume 34, pp , April [4] CERT Advisory CA Smurf IP Denial-of-Service Attacks, available at: [5] S. M. Bellovin. ICMP Traceback Messages. Internet Draft: draftbellovin-itrace-00.txt, Mar [6] A. Mankin, D. Massey, C.L. Wu, S.F. Wu, L. Zhang. On design and evaluation of intention-driven ICMP traceback in Proceedings of the IEEE International Conference on computer Communications and Networks, Oct [7] T. Doeppner, P. Klein, A. Koyfman. Using Router Stamping to Identify the Source of IP Packets, in Proceedings of ACM Computer and Communication Security Symposium, Nov [8] R. Stone, CenterTrack: An IP Overlay Network for Tracking DoS Floods, Proc. 9th Usenix Security Symp., Usenix Assoc., Berkeley, Calif. [9] H. Burch and B. Cheswick. Tracing Anonymous Packets to Their Approximate Source, In Usenix LISA, December [10] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, Practical Network Support for IP Traceback, in Proceedings of the 2000 ACM SIGCOMM Conference, Aug [11] G. Sager. Security Fun with OCxmon and cflowd, Presentation at the Internet 2 Wording Group, Nov [12] A.C. Snoeren, C. Partridge, L.A. Sanchez, C.E. Jones, F. Tchakountio, S.T. Kent, W.T. Strayer, Hash-Based IP Traceback, in Proceedings of the ACM SIGCOMM 2001, Conference on Applications, Technologies, 4 Architectures, and Protocols for Computer Communication, Aug [13] A.C. Snoeren, C. Partridge, L.A. Sanchez, C.E. Jones, F. Tchakountio, B. Schwartz, S.T. Kent, W.T. Strayer, Single-Packet IP Traceback, IEEE/ACM Transactions on Networking (ToN), Dec [14] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, Network support for IP traceback, IEEE/ACM Trans. Networking, vol. 9, pp , June [15] D.X. Song, A. Perrig, Advanced and Authenticated Marking Schemes for IP Traceback, in Proceedings of IEEE Infocomm 2001, Apr [16] T. Peng, C. Leckie, and R. Kotagiri, Adjusted Probabilistic Packet Marking for IP Traceback, Proc. Conf. Networking, May [17] D. Dean, M. Franklin, A. Stubblefield. An Algebraic Approach to IP Traceback, ACM Transaction on Information and System Security, May [18] A. Belenky and N. Ansari, IP Traceback With Deterministic Packet Marking, IEEE Commun. Lett., vol. 7, no. 4, pp , Apr [19] A. Belenky and N. Ansari, Accommodating Fragmentation in Deterministic Packet Marking for IP Traceback, GLOBECOM IEEE Global Telecommunications Conference, no. 1, Dec pp [20] A. Yaar, A. Perrig, D. Song. Pi: A path identification mechanism to defend against DDoS attacks in IEEE Symposium on Security and Privacy, May [21] S.K. Rayanchu, G. Barua, Defending Against Slave and Reflector Attacks With Deterministic Edge Router Marking (DERM), Invited Lecture, Proceedings of the National Conference on Communications, NCC-2005, Kharagpur, January [22] C. Barros, [LONG] A Proposal for ICMP Traceback Messages, Sep. 18, [23] M. Sung, J. Xu. IP Traceback-based Intelligent Packet Filtering: A Novel Technique for Defending Against Internet DDoS Attacks, in Proceedings of IEEE ICNP 2002, Nov [24] A. Yaar, A. Perrig, D. Song. StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense, Technical Report CMU-CS , Carnegie Mellon University, February [25] V. Paxson, "An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks", CCR vol. 31, no. 3, July [26] J. Mirkovic, G. Prier and P. Reiher, Attacking DDoS at the source, Proceedings of ICNP 2002, pp , Paris, France, November [27] J.H. Saltzer, D.P. Reed, D.D Clark. End-to-end arguments in system design, ACM Transactions on Computer Systems 2, 4. Nov. 1984, [28] T.H. Cormen, C.E. Leiserson, R.L. Rivest. Introduction to Algorithms. MIT Press, [29] H. Mohammadi, N. Yazdani, B. Robatmili, M. Nourani. "HASIL: Hardware Assisted Software-based IP Lookup for Large Routing Tables", in Proceedings of the 11th IEEE International conference on networks (ICON) 2003, Australia. [30] B.Lampson, V.Srinivasan, and G.Varghese, "IP Lookups Using Multiway and Multicolumn Search", Proceeding of IEEE Infocom`98 Conf., pp , San Francisco, CA. [31] S. Keshav and R. Sharma. "Issues and Trends in Router Design," IEEE Communications Magazines, May 1998.