Classification and State of Art of IP Traceback Techniques for DDoS Defense

Karanpreet Singh a, Krishan Kumar b, Abhinav Bhandari c,*

a Computer Science & Engg., Punjab Institute of Technology, Kapurthala, India
b CSE, SBSSTC, Ferozepur, India
c CSE, NIT, Jalandhar, India

Abstract

Distributed Denial of Service (DDoS) attacks are a major threat to the Internet today. A DDoS attack depletes the bandwidth, processing capacity, or memory of a targeted machine or network. Denial of Service has come to have an enormous impact on the Internet, and its intensity is growing rapidly year by year. The damage caused by DDoS attacks is progressively affecting Internet society. Because the IP protocol allows the source address of packets to be spoofed, it is a challenging job to trace back the true origin of a packet. IP Traceback is a strong method for finding the attack source even when the source address is spoofed, and is thus a significant step towards defense against these types of attacks. A number of IP Traceback schemes have been proposed to date. This review paper compares and contrasts existing IP Traceback schemes on some predefined metrics and helps researchers to explore gaps for further research in this area.

Keywords: IP Traceback, DDoS attacks, traceback schemes, packet marking, packet logging, DDoS defense

1. Introduction

Distributed Denial of Service (DDoS) attacks are a severe problem on the Internet. Their motive is to disrupt network services or machines on the Internet so that they are not able to serve legitimate users. A DDoS attack makes resources unusable for some time, or can even crash a resource or a machine [1]. These attacks do this by sending the victim a stream of packets that drowns its network bandwidth or processing power, thus blocking access for legitimate users. In recent years some large-scale attacks have been directed at a number of popular websites [2].
DoS attacks can be categorized into flooding attacks and software exploits [3]. Flooding attacks are accomplished by sending packets in large numbers to the victim, while software exploits may send as few as a single packet. A DDoS attack starts with the attacker exploiting vulnerabilities on various machines to install bots that work on the attacker's behalf. These machines are known as compromised hosts. Compromised hosts are of two types:

Stepping stones: These are machines which merely act as intermediate nodes between the attacker and the victim. They just forward the traffic sent by the attacker to the victim and make it more difficult to trace back to the attacker.

Zombies: The attacker communicates the attack characteristics, i.e. duration, victim, time of the attack, etc., to these machines. Zombies then launch independent attacks on the victim as communicated by the attacker.

DDoS uses common protocols like TCP, ICMP, UDP, etc., which makes it tough to distinguish between legitimate traffic and attack traffic. The attacker can start communication with a zombie directly or through one or more stepping stones. In DDoS the attacker attacks the victim directly or through reflectors. A reflector attack is conducted by the attacker sending a large number of attack packets whose source address is spoofed to be that of the victim, due to which the reflector machines send their replies back to a single victim. This large number of reply packets sent from the reflectors to the victim constitutes the DDoS attack. Fig 1 illustrates the architecture of a DDoS attack.

* Corresponding author. Tel: +91-9814529332 E-mail: bhandarinitj@gmail.com

Fig. 1. Architecture of DDoS Attack.

DDoS attacks are possible due to a vulnerability present in the architecture of the Internet. The source address in packets can be altered (IP spoofing), which makes it tough to trace the origin of packets. The stateless nature of IP makes it nearly impractical to identify the true origin of the attacks.

This paper is organized as follows. Section 2 describes the need of IP Traceback. Section 3 classifies IP Traceback schemes according to their functionalities. Section 4 discusses available methods for IP Traceback. Section 5 outlines metrics used to compare IP Traceback schemes and Section 6 provides this comparison according to those metrics. Finally, Section 7 presents our conclusions.

2. Need of IP Traceback

Currently, there is no single effective mechanism to defend against DDoS attacks. Fig 2 shows the most frequent victims of DDoS attacks as per data collected in the second half of year 2011 by Kaspersky Labs [2].

Fig. 2. Breakdown of attacked sites by areas of activity H2 2011.

The best possible defense against DDoS attacks lies not only in preventive measures but also in identifying the true origin of the attacker, to block further DDoS attacks and catch those attackers. This leads to the problem of IP Traceback. IP Traceback implies identifying the actual source of a packet [4]. It is a hard problem due to spoofing of packets on the Internet. IP Traceback makes it difficult for the attacker to hide its identity only by spoofing the source address, ultimately making executing an attack much tougher.

Fig. 3. DoS attack on victim.

IP Traceback is accountable for discovering the attack path, i.e. the path through which the attack packet travels from attacker to victim. The attack path consists of an ordered list of routers from attacker to victim. In Fig 3, the attack path would be P = { a, R1, R2, R3, R9, v }, where a is the attacker and v is the victim.
2. Classification of IP Traceback Techniques

IP Traceback methods can be categorized as preventive (proactive) and reactive approaches [1]. In a reactive scheme, traceback is performed when an attack is detected and only works on an ongoing attack. It needs to be completed before the attack ends. Reactive schemes can further be categorised as IDS assisted and Non-IDS assisted schemes, as shown in Fig 4, depending upon whether an Intrusion Detection System (IDS) is being used in the traceback mechanism or not. The IDS assisted schemes can be categorised into network and host based schemes. A reactive host based scheme carries out traceback from the victim node, and falls into either a logging or a link testing scheme. A reactive network based scheme uses some special infrastructure of the network, like routers/gateways or firmware installed on routers, and is based on network traffic monitoring.

Fig. 4. Reactive Approach.

A proactive approach proactively records and logs traffic packets as they flow through the network, which may be used for post-attack analysis. The traceback process may continue even after the attack is over. A proactive scheme can be divided into two categories, as shown in Fig 5, depending on whether the trace information is sent as a separate trace packet, referred to as out-of-band, or within the data packet header, known as in-band information. In an out-of-band scheme the path information is collected in a separate trace packet. While the out-of-band scheme incurs additional bandwidth overhead due to the deluge of packets sent in the network, the in-band scheme suffers from a severe space constraint as the trace payload is carried within the packet. The in-band scheme can again be classified into network or host based schemes. In a proactive host based scheme the path information is encoded within the packet by the routers through which the packet passes, and the victim conducts hop-by-hop IP Traceback. In a proactive network based approach, the router is actively involved in conducting IP Traceback, either by logging packets as in SPIE [5] or by proactively marking a few or all packets that traverse the network. PPM [6], Dynamic PPM [7], AAM [8], DPM [9] and SNITCH [10] are all marking schemes in which the router inscribes its initials on the packets flowing through the network.

Fig. 5. Proactive Approach.

2. Available Existing Methods for IP Traceback

The existing IP Traceback schemes fall into the following classes:

2.1 Link Testing

This scheme performs a recursive analysis of all upstream links to determine which of them carries attack packets, until the source is reached. It starts from the router closest to the victim and continues until the source router is identified. Two techniques fall under this scheme, input debugging and controlled flooding.

Input Debugging: When an attack is detected at the victim site, the victim creates a signature of the attack packet. Routers have the capability to find the ingress port through which an attack packet is coming, using the attack signature generated by the victim. This process is recursively conducted upstream till the source is identified. The difficulty with this is that there is no infrastructure provided for communicating and coordinating between multiple ISPs.

Controlled Flooding: Hal Burch et al. [11] proposed an IP Traceback scheme known as controlled flooding, which does not require any support from ISPs. The victim knows the topology of the Internet. It floods upstream links iteratively with large bursts of traffic and monitors the effect on attack packets. As routers share buffers, attack packets travelling across an overloaded link will start dropping.

2.2 Messaging

In the Internet Control Message Protocol (ICMP) based technique proposed by Bellovin et al. [12], each router probabilistically generates an ICMP packet, known as a trace packet, corresponding to a selected packet and directed to the same destination as the selected packet. A router generates this message for only one in every 20,000 packets passing through it. It contains next and previous hop information, timestamp, MAC address, etc. During a DoS attack, thousands of these itrace packets facilitate a successful traceback operation.

2.3 Marking

The key idea behind packet marking is to record in the packets the route information through which the packet travelled. Marked information could consist of a router identity or any other information which could distinguish that route on the Internet. This information is used by the victim to resolve the path the packet traversed. A packet may not be able to contain the whole route information, so a router probabilistically marks the packet with some partial path information. The victim collects the packets marked with partial route information to construct the full path back to the source of the packet. The probabilistic marking of partial information is also known as probabilistic packet marking (PPM) [6].

2.4. Logging

Packet logging aims to log packets at some crucial routers. The network path is then determined using the logged information at those routers. This approach is more powerful, as it could trace a path using a single packet.
This approach incurs enormous storage overhead at routers, therefore its deployment has been a challenging task. Snoeren et al. proposed a hash-based IP Traceback approach, called Source Path Isolation Engine (SPIE) [5], to implement log-based IP Traceback in practice. Their approach uses a space-efficient data structure known as a Bloom filter to considerably reduce the storage overhead at routers for storing digests of packets.
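The logging approach described above can be illustrated with the following added Python example (not code from the paper or from SPIE itself). Each router stores a 32-bit digest of every forwarded packet in a Bloom filter, and the victim side walks upstream from its edge router asking which routers saw the digest. The choice of masked header fields (ToS, TTL, checksum), the inclusion of the first 8 payload bytes, the Bloom filter parameters, the router topology and all addresses are assumptions constructed for the example.

```python
import hashlib
import socket
import struct


class BloomFilter:
    """Fixed-size bit array; k bit positions per item derived from SHA-256."""

    def __init__(self, m_bits=1 << 16, k=3):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, item):
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def ipv4_packet(src, dst, ident, ttl, payload):
    """Constructed 20-byte IPv4 header (protocol 17, checksum left at 0) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                         ttl, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def packet_digest(packet):
    """32-bit digest over header fields that do not change hop by hop (assumed set)."""
    header = bytearray(packet[:20])
    header[1] = 0                 # type of service may be rewritten in transit
    header[8] = 0                 # TTL is decremented at every hop
    header[10:12] = b"\x00\x00"   # checksum changes whenever the TTL does
    return hashlib.sha256(bytes(header) + packet[20:28]).digest()[:4]


class Router:
    def __init__(self, name, upstream=()):
        self.name = name
        self.upstream = list(upstream)   # neighbours that can hand packets to this router
        self.log = BloomFilter()

    def forward(self, packet):
        self.log.add(packet_digest(packet))   # only the digest is kept, never the packet
        hop = bytearray(packet)
        hop[8] -= 1                           # decrement TTL
        return bytes(hop)


def send(packet, route):
    for router in route:
        packet = router.forward(packet)
    return packet


def traceback(router, digest):
    """Return router names from the furthest upstream match down to `router`."""
    if digest not in router.log:
        return []
    for neighbour in router.upstream:
        path = traceback(neighbour, digest)
        if path:
            return path + [router.name]
    return [router.name]


def demo():
    # Constructed topology reusing the router names of the attack path in Fig 3.
    r1, r4, r5 = Router("R1"), Router("R4"), Router("R5")
    r2 = Router("R2", [r1])
    r3 = Router("R3", [r2, r4])
    r9 = Router("R9", [r3, r5])
    for i in range(50):   # constructed background traffic on the other branches
        send(ipv4_packet("198.51.100.7", "203.0.113.10", i, 64, b"legit-a-%d" % i), [r4, r3, r9])
        send(ipv4_packet("198.51.100.9", "203.0.113.10", i, 64, b"legit-b-%d" % i), [r5, r9])
    attack = ipv4_packet("192.0.2.99", "203.0.113.10", 0xBEEF, 64, b"flood-payload")  # spoofed source
    return r9, send(attack, [r1, r2, r3, r9])


if __name__ == "__main__":
    edge, delivered = demo()
    print(traceback(edge, packet_digest(delivered)))
```

The spoofed source address plays no part in the lookup: the path comes from which routers logged the digest. A Bloom filter can report a packet it never stored, so a sparsely filled filter is what keeps false branches rare.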
3. Metrics for Evaluating IP Traceback Schemes

A. Belenky and N. Ansari proposed metrics essential in comparing IP traceback approaches in [4], which are described below:

a) ISP Involvement: An ideal IP Traceback scheme does not require ISP involvement. But most existing IP Traceback techniques involve some intervention by ISPs, small or large. This may include additional hardware/software installation.

b) Number of Attacking Packets Needed for IP Traceback: IP Traceback involves analysing trace packets to perform the traceback operation. IP Traceback techniques demand a few or a large number of trace packets. An ideal IP traceback scheme should trace back to the attacker with a single packet only.

c) The Effect of Partial Deployment: Any new scheme introduced cannot be deployed on the whole Internet in one go. The IP Traceback process should work even when not installed on all ISPs. Deployment gradually extends to more ISPs with time.

d) Processing Overhead: Every traceback scheme incurs additional processing overhead at the ISP level and/or the subscriber level.

e) Bandwidth Overhead: Additional traffic that the network has to carry incurs bandwidth consumption. The scheme should not consume bandwidth beyond a limit, as it could affect the whole Internet.

f) Memory Requirements: IP Traceback schemes may demand some additional storage at the ISP network and/or the client site. This should be as small as possible for both ISPs and victim.

g) Ease of Evasion: A scheme is said to be easy to evade if an attacker aware of the scheme can devise an attack which denies traceback to it. The scheme should not be easy to evade.

h) Protection: It may be possible for an attacker to subvert some of the network elements involved in an IP Traceback scheme. Protection refers to the ability of the traceback scheme to produce meaningful traces even if the attacker does that.
i) Scalability: Scalability refers to the ease with which the scheme can be configured as the network size increases. The IP Traceback process should be easily extended to more devices.

j) Ability to Trace Transformed Packets: An attacker could transform attack packets to obstruct schemes. It is essential that a scheme be able to handle these transformations to produce suitable traceback results.

4. Comparison of Existing IP Traceback Schemes

This section provides a comparison of the various IP Traceback techniques and evaluates them against the above metrics. An overview of the various IP Traceback techniques is given below:

4.1. Probabilistic Packet Marking

Savage et al. [6] proposed the probabilistic packet marking (PPM) algorithm to solve the IP Traceback problem. The idea is for a router to mark packets passing through it with its identity (IP address) with some fixed probability. A packet could be marked with complete or partial path information of the route. The victim uses these marked packets to construct the full attack path. Due to the limited marking space present in the IP header, partial path information is generally used to mark the packets. The packet marking field in this algorithm consists of the 16-bit IP identification field in the IP header. It is divided into 3 fields, the start field, end field and distance field, as shown in Fig 6.

Fig. 6. Structure of PPM field.

Instead of recording the whole path information through which the packet traversed, the router records only the edge information selected for marking. The start and end fields store the IP addresses of the routers at the end points of the marked edge. The distance field records the number of hops between the marked edge and the victim. The victim collects marked packets and examines the packet headers to construct the complete traversed path of the packet. The scheme suffers from the problem of leftover packets, in which unmarked packets travel to the victim.
An attacker can transform attack packets such that the unmarked packets which reach the victim lead to unpredictable traceback results.

4.2. Deterministic Packet Marking (DPM)

DPM [9] is based on marking all packets at ingress interfaces with the router's IP address. Marking is done when a packet enters the network, by the router closest to the source. This mark remains unchanged and is not overwritten by any other router. This eliminates the issue of mark spoofing. The router only marks incoming packets, not outgoing packets.

Fig. 7. Structure of DPM field.

The marking field is divided into an ID field (16 bits) and a Reserve Flag field (1 bit), as shown in Fig 7. The IP address is split into two halves of 16 bits each, and one of them, randomly chosen, is marked into the ID field. The Reserve Flag field specifies which part of the IP address is marked into the ID field: 0 means the first half and 1 means the second half. The victim gets the complete IP address of the ingress router of that packet by simply re-assembling the two halves of the IP address.
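The following added Python example (not code from the paper or from the DPM authors) implements the marking and re-assembly just described on a raw IPv4 header: the 16-bit identification field carries one half of the ingress address and the reserved flag bit says which half. It also shows what re-assembly yields when marks from several ingress routers arrive and the source address cannot be used to pair the halves. The ingress addresses, packet counts and RNG seed are constructed for the example.

```python
import ipaddress
import itertools
import random

# Constructed 20-byte IPv4 header with every field except version/IHL zeroed.
BLANK_HEADER = bytes([0x45]) + bytes(19)


def dpm_mark(header, ingress_ip, rng):
    """Ingress router: write a randomly chosen half of its address into the header."""
    addr = int(ipaddress.IPv4Address(ingress_ip))
    flag = rng.randrange(2)                       # 0 = first half, 1 = second half
    half = addr >> 16 if flag == 0 else addr & 0xFFFF
    out = bytearray(header)
    out[4:6] = half.to_bytes(2, "big")            # 16-bit identification field
    out[6] = (out[6] & 0x7F) | (flag << 7)        # reserved flag bit of the flags field
    return bytes(out)


def read_mark(header):
    """Victim: extract (flag, half) from a received header."""
    return header[6] >> 7, int.from_bytes(header[4:6], "big")


def reconstruct(headers):
    """Victim: every address that can be assembled from the halves received.

    Assumption of this example: the halves cannot be grouped by source address
    (for instance because sources are spoofed), so any first half may pair
    with any second half.
    """
    halves = {0: set(), 1: set()}
    for header in headers:
        flag, half = read_mark(header)
        halves[flag].add(half)
    return {str(ipaddress.IPv4Address((hi << 16) | lo))
            for hi, lo in itertools.product(halves[0], halves[1])}


def collect(ingress_ips, packets_each=64, seed=7):
    """Constructed traffic: packets_each marked packets per ingress router."""
    rng = random.Random(seed)
    return [dpm_mark(BLANK_HEADER, ip, rng)
            for ip in ingress_ips for _ in range(packets_each)]


def false_candidates(ingress_ips):
    """Addresses the victim would assemble that are not real ingress routers."""
    return reconstruct(collect(ingress_ips)) - set(ingress_ips)


if __name__ == "__main__":
    one = ["192.0.2.1"]
    three = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]
    print(sorted(reconstruct(collect(one))))      # the single ingress address
    print(sorted(false_candidates(three)))        # cross-paired halves
```

With one ingress router the two halves combine into exactly its address; with three, the victim holds three first halves and three second halves, so nine candidates appear and six of them are routers that never carried the traffic.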
4.3. Dynamic Probabilistic Packet Marking (DPPM)

PPM uses a fixed probability in marking packets, due to which there is some probability of leftover packets. Dynamic probabilistic packet marking (DPPM) [7] is a packet marking scheme in which a dynamic probability replaces the fixed marking probability of Savage et al. [6]. This dynamic probability is a function of the travelling distance of the packet, as shown in Fig 8. It removes the problem of leftover packets, as the probability is adjusted such that no packet is left unmarked. It enables the victim to correctly identify the attacker's origin even under spoofed marking DoS. The probability of marking is highest as the packet enters the network and lowest close to the destination. For a given attack path, let i (1 ≤ i ≤ D) be the travelling distance of a packet w from its source. Router r_i chooses its marking probability p_i = 1/i to mark the packet.

Fig. 8. DPPM mechanism.

The victim has an equal probability of obtaining each router's information along the path, regardless of the router's distance from the victim. This is a subtle feature of DPPM, which is referred to as constant leftover probability. Formal analysis indicates that DPPM outperforms PPM in most aspects.

4.4. itrace

Fig. 9. itrace mechanism.

This approach was introduced by Bellovin [12]. The key idea behind this scheme is that every router generates an ICMP traceback message, as shown in Fig 9, known as an itrace message, corresponding to a selected packet, with probability as low as 1/20000, destined to the same destination as the packet. The itrace message consists of the next and previous hop information and a time stamp. Thousands of these messages help the victim to construct the attack path.

4.5. Advanced and Authenticated Packet Marking (AAM)

D.X. Song and A. Perrig [8] introduced two new packet marking techniques for IP Traceback, the Advanced and the Authenticated Marking Scheme. The Advanced Marking Scheme makes path reconstruction more accurate and efficient. The Authenticated Marking Scheme supports authentication of markings by routers. This allows the victim to avoid the issue of spurious markings. It assumes that each router and the victim share a secret key K_i, and uses a message authentication code applied to the router's IP address to authenticate the marking by the router.

Fig. 10. Structure of AAM field.

Instead of marking the packet with the router's IP address, the hash of its address is marked, using some authentication code, in the fields shown in Fig 10. This allows authenticated attack path reconstruction. The network map backs an accurate and efficient reassembly phase.

4.6. Simple, Novel IP Traceback using Compressed Header (SNITCH)

SNITCH, proposed by Aljifri et al. [10], uses the same principle as header compression to make more space available for traceback information. To differentiate between header compression and the SNITCH scheme, 1's are inserted in the IP identification field. It aims at increasing the number of bits available for marking traceback data. The initial packet is sent with a full header; subsequent packets can be sent without the static content in the header. In Fig 11 the shaded portion of the IP header remains constant and could be utilised to store the traceback information.

Fig. 11. Fields of IPv4 header logged.
A context identifier is inserted into full and compressed headers to associate subsequent packets of the same session. If the session changes, i.e. the content of the IP header changes, then a new context identifier is transmitted with a full header. SNITCH is able to determine 100% of the attackers with an extremely low percentage of false positive paths (maximum of 0.43% for 5067 simultaneous attackers) using significantly fewer packets than present techniques.

4.7. Source Path Isolation Engine (SPIE)

Snoeren et al. [5] proposed a system for traceback of a single attack packet. It is a hash-based scheme, as a hash of the invariant fields present in the IP header is stored in each router as a 32-bit digest. This hash digest is stored in a space-efficient data structure called a Bloom filter. An iterative lookup of an attack packet signature reveals the attack path. The SPIE infrastructure consists of a Data Generation Agent (DGA), SPIE Collection and Reduction Agent (SCAR), IDS, and SPIE Traceback Manager (STM), as shown in Fig 12.

Fig. 12. SPIE Architecture.

The STM centrally manages all other parts and is responsible for initiating the traceback process. The packet digest is created by the DGA at each router. The IDS communicates with the STM in case of any attack and provides it with attack signatures. The attack path is then constructed by the STM when a match with the signature is found. SPIE provides single packet IP Traceback and can even handle complex transformations and fragmentation of packets.

4.8. Marking Scheme using Huffman Code

K. H. Choi and H. K. Dai [13] proposed a scheme which is an amalgamation of logging and marking schemes. It marks every packet deterministically with the interface of the router through which the packet has arrived. As the length of the attack path increases, the space available in the packet becomes insufficient to record all the markings for traceback.
It gets around this problem of overflow by storing the markings in the local memory of the intermediate routers, where they are accessed by the message digest of the packet. Huffman codes efficiently represent the link numbers of the interfaces of the router. The Huffman code of the link gets appended to the 31-bit link sequence field (ls), which is accompanied by a 1-bit saved flag (sf). sf indicates if the marking has been saved in the local router's memory. The marking scheme format is shown in Figure 13. A 1 bit is used as a delimiter, with leading zeros, to indicate the start of the valid bits in ls, and the space available for marking is determined by counting the number of leading zeros before the delimiter in ls.

Fig. 13. Structure of Huffman coding field.

The victim reconstructs the path by examining the ls field and decoding it with the help of the link table to find the next hop upstream router. ls is right shifted according to the length of the decoded word. If sf is 1, the marking has to be retrieved from the router via the message digest of the packet. The traceback is repeated iteratively at each router until ls becomes 1 and sf is 0. The advantage of this scheme over other schemes is that it can efficiently handle any packet transformation. A pair of message digests of the packet, before and after it undergoes transformation, is stored in the router's local memory along with the marking fields.

4.9. RIHT: A Novel Hybrid IP Traceback Scheme

Ming-Hour Yang and Ming-Chien Yang [14] proposed an IP Traceback scheme that integrates packet logging and marking. RIHT is a hybrid IP Traceback scheme and provides a fixed storage requirement, zero false positive and negative rates, and higher efficiency in path construction. The interface numbers of routers are used for marking. The degree of a router is used as a parameter in their marking scheme, where the degree is the number of interfaces of the router excluding ports connected to local networks. An interface table is maintained on each router in advance. This table maps a unique number to each interface of a router along which the router is connected to another router. The interface numbers of a router are between 0 and Degree-1. The upstream interface number of a router is marked. This scheme has a fixed storage requirement in packet logging, without the need to refresh the logged tracking information.

4.10. PPM for IPv6

In PPM for IPv6 [15], each router en route probabilistically marks the incoming packets with the global unicast IPv6 address of that router. The Hop-by-Hop Header is used to store a mark.

Fig. 14. Marking field proposed in IPv6 PPM.
The reasons were twofold: first, the Hop-by-Hop option is processed by every router en route; second, it provides a larger space to store a mark. The proposed option in the Hop-by-Hop option header is shown in Figure 14. The use of extension headers gives great flexibility to pass the information to the victim. As it marks the packet with the complete address, this scheme is not vulnerable to the state explosion problem. On the victim side, a data structure called the Reverse Lookup Table (RLT) is used to trace back to the source of the attack packets from the markings received.

4.11. IPv6 Traceback Using Policy Based Management System

Syed Obaid Amin et al. [16] proposed PBIT, using policy-based management. This is an administrative approach that is used to simplify the management of a given endeavour by establishing policies to deal with situations that are likely to occur. It consists of the two basic building blocks of the Policy Based Management architecture, i.e. the Policy Decision Point (PDP) and the Policy Enforcement Point (PEP). The PDP is a resource manager or policy server that is accountable for handling events and making decisions based on those events (for instance: at time t do x), and for updating the PEP configuration appropriately. Most IDSs detect an attack after observing a huge traffic volume and only start probabilistic packet marking after this point, therefore not having a large number of marked packets from which to construct the complete path. So, this scheme deterministically marks the packets, so that one packet would be enough to get the entire path. It does not provide the complete path of the attack packets but provides only the injection point of an attack; finding the address of an ingress point, however, is as good as full path traceback.

Table 1 compares the above traceback techniques against the metrics defined in section 3.
Table 1 Comparison of existing IP Traceback schemes

| Metrics | PPM [6] | DPM [9] | Dynamic PPM [7] | itrace [12] | AAM [8] | SNITCH [10] | SPIE [5] | Huffman Coding [13] | RIHT [14] | PPM for IPv6 [15] | IPv6 Traceback Using Policy Based Management System [16] |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ISP Involvement | Low | Low | Low | Low | Low | Medium | Medium | Medium | Low | Low | Low |
| Number of Attacking Packets required for IP Traceback | Many | Many | Many | Many | Many | Not Many | Single | Single | Single | Many | Few |
| Vendor involvement | High | Low | Low | Low | High | High | Low | Low | Low | Low | Low |
| Bandwidth Overhead | Low | Low | Low | Low | Low | Low | Low | Low | Low | Fair | Low |
| Memory Requirement | Low | Low | Low | High for vendor | High for vendor | High for vendor | High | Low | Low | Low | Low |
| The Effect of Partial Deployment | | | | | | | | | | | |
| Ease of Evasion | Medium | Low | Low | High | Low | Low | Low | High | Low | Low | High |
| Processing Overhead | Low | Low | Low | High | Medium | High | High | Low | Low | Medium | Medium |
| Protection | Low | Low | High | Low | High | Medium | High | Low | Low | Low | High |
| Scalability | Good | Good | Good | Good | Good | Good | Poor | Good | Good | Fair | Fair |
| Ability to Trace Transformed Packets | Poor | Yes | Yes | Poor | Yes | Yes | Yes | Poor | Poor | Poor | Poor |

Routing in IP depends only on the destination address, and there is no authority in the Internet that validates the source address inscribed in a packet [17]. A number of traceback schemes exist in the literature, each with its own merits and demerits. An ideal scheme which eliminates all the gaps is not possible. Packets could be marked with some information as in [6-10] [13-15] or logged on routers [5] [14], according to the traceback mechanism. The proposed packet logging schemes [5] [14] incur storage overhead due to the limited memory on routers. A long marking field as in [10] provides fast and efficient traceback but increases the router marking complexity, whereas short marking fields as in [6-9] [14] decrease the marking overhead of the router but prolong the traceback process. A higher false positive rate in a number of schemes could degrade the overall performance of the traceback process. itrace [12] produces additional messages which create network/bandwidth overhead on the Internet. Marking validity can be ensured using security protocols as in [8], but this causes computational overhead on routers. Some techniques require a fair amount of ISP involvement [5] [10] [13]. Protection is another big issue: whether the traceback scheme is still able to work when a router is compromised. The schemes in [6] [7] [9] [12] [13] [15] do not have the capability to deal with this problem. Table 2 summarizes the pros and cons of various existing IP Traceback schemes.

Table 2 Pros/Cons of existing IP Traceback schemes

| S.No. | IP Traceback Scheme | Advantage | Disadvantage |
|---|---|---|---|
| 1. | PPM [6] | Less overhead; Scalable; Easy to implement | High probability of leftover packets; Not protected against transformed packets; Not effective for distributed DoS attack |
| 2. | DPM [9] | Scalable; Simple to implement; No bandwidth; No mark spoofing | Produces high false positive rate; Reconstruction procedure fails in some cases of DDoS; An attacker who gets control of a trusted router can forge any path up to that router |
| 3. | Dynamic PPM [7] | No unmarked packets; Fewer attack packets required for IP Traceback as compared to PPM; Efficient for DDoS attacks | A marking generated by DPPM costs more than one generated by PPM; High overhead on routers close to the source |
| 4. | itrace [12] | Easy deployment; Scalable; Compatible with existing networking infrastructure | Additional traffic leads to bandwidth overhead; ICMP message filters present on firewalls |
| 5. | AAM [8] | Provides authentication; Efficient against spurious marking; More accurate attack path reconstruction | Requires router and victim to have a shared secret key; Routers slow down as they have to perform additional functionality |
| 6. | SNITCH [10] | Provides more space to store traceback information; Negligible false positives in attack path building for DDoS attacks; Fewer packets required for traceback | Increases complexity as routers have to perform additional tasks; Certain combinations of numbers can XOR to the same value, thus leading to false packet matches during path reconstruction |
| 7. | SPIE [5] | Can perform single packet traceback; Can handle even complex transformations like NAT; Can handle fragmentation | Can only trace packets in the recent past, as the packet digest expires after a certain period of time; Requires high ISP involvement |
| 8. | Huffman codes based scheme [13] | Handles any packet transformation; Fewer packets required for traceback | Suffers from false positives when routers refresh logged data; Exhaustive search required for traceback |
| 9. | RIHT [14] | Fixed storage requirement on the router; Zero false positives and false negatives in path reconstruction | Gives a false result if the marking router is subverted |
| 10. | PPM for IPv6 using Hop by Hop extension header [15] | Provides complete path from victim to source; No packet fragmentation problem | Overhead of marking long fields by the routers |
| 11. | IPv6 Traceback Using Policy Based Management System [16] | Works on IPv6 network; Removes drawbacks of PPM for IPv6 | Compromised edge host degrades performance |
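Table 2 sets "high probability of leftover packets" for PPM against "no unmarked packets" for Dynamic PPM. The following added Python example (not from the paper or the surveyed schemes) computes, for the fixed probability of Section 4.1 and the p_i = 1/i rule of Section 4.3, the exact chance that the victim reads each router's mark and the chance that no router marks the packet at all. It assumes that a router which marks overwrites any earlier mark; the path length D = 15 and the fixed probability 1/25 are values chosen for illustration.

```python
import random
from fractions import Fraction


def ppm_probs(path_len, p):
    """PPM: every router on the path marks with the same fixed probability p."""
    return [Fraction(p)] * path_len


def dppm_probs(path_len):
    """DPPM: the router at travelling distance i from the source uses p_i = 1/i."""
    return [Fraction(1, i) for i in range(1, path_len + 1)]


def arrival_distribution(probs):
    """Exact distribution of the mark the victim reads.

    probs[i-1] is the marking probability of router r_i (r_1 is nearest the source).
    Model assumption: a router that marks overwrites any earlier mark.
    dist[0] = P(no router marked), so whatever the sender preloaded survives.
    dist[i] = P(victim reads r_i's mark) = p_i * prod over j > i of (1 - p_j).
    """
    dist = [Fraction(0)] * (len(probs) + 1)
    untouched_downstream = Fraction(1)
    for i in range(len(probs), 0, -1):        # walk from the victim back to the source
        dist[i] = probs[i - 1] * untouched_downstream
        untouched_downstream *= 1 - probs[i - 1]
    dist[0] = untouched_downstream
    return dist


def simulate(probs, packets, rng):
    """Monte Carlo check: count which router's mark each delivered packet carries."""
    counts = [0] * (len(probs) + 1)
    for _ in range(packets):
        mark = 0                              # 0 = sender-supplied, possibly forged, value
        for i, p in enumerate(probs, start=1):
            if rng.random() < p:
                mark = i                      # later routers overwrite earlier marks
        counts[mark] += 1
    return counts


if __name__ == "__main__":
    D = 15                                    # illustrative path length
    ppm = arrival_distribution(ppm_probs(D, Fraction(1, 25)))
    dppm = arrival_distribution(dppm_probs(D))
    print("PPM  leftover: %.3f  farthest router: %.4f  nearest router: %.4f"
          % (ppm[0], ppm[1], ppm[D]))
    print("DPPM leftover: %.3f  every router: %.4f" % (dppm[0], dppm[1]))
    print("DPPM simulated unmarked packets:",
          simulate(dppm_probs(D), 10000, random.Random(1))[0])
```

Under PPM more than half of the packets on this path arrive carrying whatever the sender placed in the marking field, and marks from routers near the source are the rarest; under DPPM the first router always marks, so nothing sender-supplied survives and every router is seen with probability 1/D.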
5. Conclusion

This review paper surveys a number of existing IP Traceback schemes in the literature and describes their merits and demerits. PPM is the simplest of all the techniques but has a number of drawbacks, which are reduced by more advanced techniques like DPPM, AAM, SNITCH, SPIE, etc. But all those advanced IP Traceback techniques bring with them more storage or computational overhead. So far none of them has qualified as an ideal IP Traceback scheme. A scheme that satisfies all the evaluation metrics can never be envisioned. Emphasis should be on identifying areas of improvement in existing schemes and ways of tackling the new stealthy attacks that are constantly rising on the Internet, along with automation of the traceback process.

References

[1] S.M. Specht, in: Proceedings of the International Workshop on Security in Parallel and Distributed Systems, 2004, pp. 543-550.
[2] Kaspersky. DDoS attacks in H2 2011. [serial online] 2012 Feb [cited 2013 Jun 21]. Available from: URL: http://www.securelist.com/en/analysis/204792221/ddos_attacks_in_H2_2011#p22.
[3] A. Hussain, J. Heidemann, C. Papadopoulos, in: Proceedings of the 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, ACM, New York, NY, USA (2003) 99.
[4] A. Belenky, N. Ansari, IEEE Communications Magazine 41 (2003) 142.
[5] A.C. Snoeren, C. Partridge, L.A. Sanchez, C.E. Jones, F. Tchakountio, S.T. Kent, W.T. Strayer, SIGCOMM Comput. Commun. Rev. 31 (2001) 3.
[6] K. Park, H. Lee, in: IEEE INFOCOM 2001. Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings (2001) 338.
[7] K.P. Chaudhari, A.V. Turukmane, in: V.V. Das, Y. Chaba (Eds.), Mobile Communication and Power Engineering, Springer Berlin Heidelberg (2013) 381.
[8] D.X. Song, A. Perrig, in: IEEE INFOCOM 2001. Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings (2001) 878.
[9] A. Belenky, N. Ansari, IEEE Communications Letters 7 (2003) 162.
[10] H. Aljifri, M. Smets, A. Pons, Computers & Security 22 (2003) 136.
[11] H. Burch, in: Proceedings of the 14th USENIX Conference on System Administration, USENIX Association, Berkeley, CA, USA (2000) 319.
[12] M. Leech, S. Bellovin, (n.d.). [cited 2013 Jun 25]. Available from: URL: http://tools.ietf.org/html/draft-bellovin-itrace-00.
[13] K.H. Choi, H.K. Dai, in: 7th International Symposium on Parallel Architectures, Algorithms and Networks, 2004. Proceedings (2004) 421.
[14] M.-H. Yang, M.-C. Yang, IEEE Transactions on Information Forensics and Security 7 (2012) 789.
[15] X.-H. Dang, E. Albright, A.A. Abonamah, Computer Communications 30 (2007) 3193.
[16] S.O. Amin, C.S. Hong, K.Y. Kim, in: Y.-T. Kim, M. Takano (Eds.), Management of Convergence Networks and Services, Springer Berlin Heidelberg (2006) 263.
[17] L. Santhanam, A. Kumar, D.P. Agrawal, in: J. Info. Assurance and Security 1 (2006) 79.