Efficient Traceback of DoS Attacks using Small Worlds in MANET

Yong Kim, Vishal Sankhla, Ahmed Helmy
Department of Electrical Engineering, University of Southern California, U.S.A.
{yongkim, sankhla, helmy}@ceng.usc.edu

Abstract

Mobile Ad hoc NETwork (MANET) is an increasingly promising area of research with many practical applications. However, MANET is vulnerable to a number of attacks, including Denial-of-Service (DoS) attacks, due to its autonomous nature. DoS attacker traceback is a challenging issue in MANET since each node works as an autonomous terminal, acting as both host and router. Mobility of nodes in MANET makes the problem even worse, since it is hard to trace back an attacker when nodes are moving around and frequently changing the network topology. We propose to use an efficient on-the-fly search technique to trace back DoS attackers. Our scheme is based on the small world concept and effectively extends Contacts [3] for MANET by utilizing location information. In addition, to deal with the address spoofing problem in DoS attacks, we use Traffic Pattern Matching (TPM) [5] and propose Traffic Volume Matching (TVM) as matching-in-depth to identify an attacker. We also use in-network processing and directional expanded ring search to reduce the communication overhead of attacker traceback. We show that our scheme successfully traces back the attacker using both TPM and TVM, and that it incurs very low communication overhead.

1 INTRODUCTION

Denial-of-service (DoS) attacks consume the resources of a remote host or network, thereby denying or degrading service to legitimate users. Such attacks are among the most intricate security problems to address because they are easy to implement, difficult to prevent, and very difficult to trace. The most common DoS attacks include SYN flood, Smurf and UDP flood. Determining the source generating attack traffic is especially difficult when stateless routing protocols are used (as in the Internet or in geographic routing): attackers routinely disguise their location using incorrect, or spoofed, source addresses.
(Ahmed Helmy was supported by NSF CAREER, Intel and the Pratt & Whitney PWICE Institute.)

There are many IP traceback schemes proposed for the Internet, such as link testing, packet marking, logging and ICMP traceback [1],[5],[6],[7]. Such traceback schemes are not directly applicable to Mobile Ad Hoc NETworks (MANET) for the following reasons. In MANET there is no fixed infrastructure. Each node works as an autonomous terminal, acting as both host and router. Nodes move in and out, frequently changing the network topology. Network bandwidth and battery power are limited.

To perform efficient DoS attacker traceback in such a harsh environment, we propose to use an efficient on-the-fly search technique based on the small world concept. Establishing a small world reduces the degrees of separation between the attacked node (victim) and the attacker and provides an efficient traceback mechanism. Helmy et al. [3] established the applicability of small world graphs to wireless networks. In this paper, we effectively extend Contacts [3] for MANET by utilizing location information. Using location information, we can select Contacts so as to reduce coverage overlap and construct a small world to identify and trace attackers with reduced communication overhead. In addition, to deal with address spoofing, we use traffic patterns [5] to identify an attacker, and we propose traffic volume matching to complement the traffic pattern matching; we call this combination matching-in-depth. A traffic pattern is defined by the sequence of packet counts per time slot at each node. We also use in-network processing and directional expanded ring search to reduce communication overhead.

Our paper is organized as follows. In section 2, we provide related work on DoS attack traceback in the Internet. In section 3, we introduce our Contact-based DoS traceback architecture. We show simulation results in section 4. In section 5, we conclude our paper and present future work.

0-7803-8521-7/04/$20.00 © 2004 IEEE, p. 3979
2 RELATED WORK

There are two existing approaches to the problem of determining the route of a packet flow in the Internet: one can audit [5],[6],[7] the flow as it traverses the network, or one can attempt to infer the route based upon its impact on the state of the network [1]. Route inference was pioneered by Burch and Cheswick, who considered the restricted problem of large packet flows and proposed a novel technique that systematically floods candidate network links. By watching for variations in the received packet flow due to the restricted link bandwidth, they are able to infer the flow's route. This requires considerable knowledge of the network topology and the ability to generate large packet floods on arbitrary network links.

One can categorize auditing techniques into two classes according to the way in which they balance resource requirements across the network components. Some techniques require resources at both the end hosts and the routing infrastructure; others require resources only within the network itself. Of those that require only infrastructure support, some add packet processing to the forwarding engine of the routers, while others offload the computation to the control path of the routers. Neither approach is feasible and efficient in MANET, since both consume significant bandwidth/power and each node moves around, frequently changing the network topology.

3 CONTACT-BASED TRACEBACK ARCHITECTURE

3.1 Design Requirements

The design requirements for efficient traceback in MANET include:

(I) Robustness to mobility: The mechanism should be robust enough to handle frequent mobility. That is, we should be able to trace an attacker despite frequent mobility of intermediate nodes.
(II) Robustness to address spoofing: Spoofing addresses is a common attacking technique. We should be able to trace an attacker in spite of address spoofing.
(III) Scalability: Applications of large-scale ad hoc networks involve military and sensor network environments that may include thousands of nodes. Hence the traceback mechanism should be scalable in terms of communication overhead as the network size increases.
(IV) Efficiency: Ad hoc networks include portable devices with limited battery power. The traceback mechanism should be power-efficient.
(V) Decentralized operation: For the network to be rapidly deployable, it should not require any centralized control.

3.2 Architecture and Definitions

Each node maintains information only about its Vicinity, using very limited broadcasts within a square region around the node. Unlike [3], a node does not need to maintain information about a set of nodes beyond the vicinity, called Contacts. In our scheme, Contacts are selected using location information, which further reduces communication overhead. The ideal locations of the Contacts are chosen first; then the nodes closest to the ideal Contact locations are selected as Contacts. For instance, in fig. 1 there are 8 ideal Contact locations, and in each rectangle the node closest to the ideal Contact location is selected as the actual Contact. Contacts of a node are called level-1 Contacts, Contacts of the Contacts are called level-2 Contacts, and so on. During a search for the attack traffic pattern in the wireless network, a node queries its Contacts, and their Contacts, and so on, up to level-D Contacts. D is called the depth-of-search. When a Contact performs a limited broadcast, it sends the query to its neighbor nodes, specifying its rectangular region. When neighbor nodes receive the query, they check whether they are inside the region and whether they have already received the same query from another node. If they are outside the region or have already received the same query, they discard the query; otherwise, they rebroadcast the query to their neighbors.

The attack traffic pattern is defined by the variation of the packet count over time. For instance, when the number of data points in a time window is m, the traffic pattern is expressed as A = (A_1, A_2, A_3, ..., A_m). In a DoS attack, a large number of packets is generated towards the victim: a SYN flood, for instance, generates a sustained stream of SYN packets per second [1], whereas in the normal case only one SYN packet is generated per connection. Accordingly, a large number of SYN packets can be suspected as an attack. The queried nodes are asked to perform TPM, i.e., to determine the correlation coefficient between two traffic patterns (A, B). If the correlation coefficient of (A, B) is high (greater than 0.7), traffic A is said to match traffic B (fig. 2).
For instance, when the traffic pattern observed at node 1 is given as L1 = (n_1, n_2, ..., n_N) and the traffic pattern observed at node 2 is L2 = (m_1, m_2, ..., m_N), the correlation coefficient is obtained as follows:

$$ r(A, B) = \frac{S_{AB}}{\sqrt{S_{AA}\, S_{BB}}} \quad \text{(Eq. 1)} $$

where

$$ S_{AB} = \sum_{k=1}^{N} \left(L_1(k) - \bar{A}\right)\left(L_2(k) - \bar{B}\right) \quad \text{(Eq. 2)} $$

$$ S_{AA} = \sum_{k=1}^{N} \left(L_1(k) - \bar{A}\right)^2, \qquad S_{BB} = \sum_{k=1}^{N} \left(L_2(k) - \bar{B}\right)^2 \quad \text{(Eq. 3)} $$

and $\bar{A}$ and $\bar{B}$ are the averages of the data L1 and L2.

[Figure 1] Location-based Contact selection (eight ideal Contact locations, Contact1(X1,Y1) ... Contact8(X8,Y8), around the querying node)

We propose to use TVM to complement the traffic pattern matching. We define the traffic volume to be matching between two points when L1 and L2 show similar traffic volume. Mathematically, we use the least-squares fit of L2 against L1 (through the origin) to measure the matching level:

$$ a = \frac{\sum_{k=1}^{N} L_1(k)\, L_2(k)}{\sum_{k=1}^{N} L_1(k)^2} \quad \text{(Eq. 4)} $$

When a is close to 1, the traffic volume is matching. Traffic volume matching is necessary for correct traceback in MANET, since other nodes can show a high correlation coefficient under heavy background traffic. By checking the TVM level as well as the TPM level (we call this matching-in-depth), we can reduce false positives in our traceback. Note that traffic volume matching alone is also not enough, since the traffic volume can fluctuate, showing a different traffic volume at each node depending on the background traffic.

3.3 Mechanism Description

Each node monitors the traffic pattern/volume for a certain time window. The window length varies based on the attack type. A node keeps only the variation of the packet count over time, which reduces the processing load.

[Figure 2] Traffic pattern based traceback (attacker, intermediate nodes, victim)

We describe the traceback scheme as follows:

(1) When a victim node detects an attack, such as SYN flooding at the application level, it sends a query to the nodes within its vicinity and to its level-1 Contacts, specifying a depth of search (D) large enough to detect an attacker. We use greedy forwarding to send a query to a Contact; in case of a local maximum, perimeter mode [4] is used to take a detour.
(2) When a traffic pattern/volume matching report is observed by the victim and other nodes, the first step of the trace is completed. For instance, we send the query to 3 level-1 Contacts around the victim (fig. 3). Then one level-1 Contact reports that some of its vicinity nodes observed a matching traffic pattern/volume.
[Figure 3] Queries to level-1 Contacts (level-1 and level-2 Contacts, the attack route, and the route of query X)

(3) Next, only the Contacts that observe matching traffic patterns in their vicinity send the next-level query to their own Contacts (the victim's level-2 Contacts), together with the path from the victim, after reducing D by 1. The other Contacts stop forwarding the query (in-network processing). In doing so, we perform a directional expanded ring search.
(4) When there are no more Contact reports, the last Contact reports the complete attack route to the victim (fig. 4). Our scheme is based on majority node reports. That is, even if some nodes move out of the attack route, we can still find the attack route. Response
after tracing back the attacker may include filtering, rate limiting, reorganizing the network to preclude the compromised node, or blacklisting.

[Figure 4] Attack route

[Figure 5] Sample traffic pattern comparison between attacker and victim (number of packets vs. time (s); attacker traffic and victim traffic)

4 SIMULATION RESULTS

We performed simulations to investigate the design space parameters and evaluate the performance of our protocol. Nodes were placed in a square area with a fixed transmission range; the geographic locations of all nodes are randomly chosen inside the region. We used greedy forwarding as the routing protocol; note that our scheme is generally applicable to other ad hoc routing protocols (e.g., DSR, AODV). As attack traffic, we used a constant-rate stream of SYN packets generated from the attacker to the victim. Background traffic is generated at a random rate. Since background traffic can impact the correct traceback of the attacker, we varied the number of senders that generate SYN packets in a given time window and evaluated the impact of background traffic on correct traceback.

Figure 5 shows the traffic patterns taken at the attacker and the victim node. A random amount of background SYN traffic is generated by a randomly chosen fraction of the nodes every second. Traffic samples are taken every second. At the onset of the attack we observe a sudden increase in SYN packets. We sample the traffic pattern once the rate goes above a threshold of Th_up packets per second, and stop sampling when the traffic goes down below Th_up/2. In figure 5, we observe a very similar traffic pattern between the victim node and the attacker node.

Figure 6 shows the successful traceback rate with small background traffic (only a small fraction of the nodes generate background traffic). It shows a 100% traceback success rate with the TPM method alone. The correlation coefficient of the intermediate nodes located between the attacker and the victim node shows a high value, over 0.9 (fig. 7). In this case the background traffic volume is very low, so we could obtain high correlation between the victim node and the intermediate nodes. In addition, no other node vicinities showed a high correlation coefficient (greater than 0.7) except the nodes which the attacker's packets have traversed.

[Figure 6] Success rate with low background traffic
[Figure 7] Correlation coefficient with low background traffic
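The sampling rule and the two matching levels used above can be exercised end to end. The following Python is an added example, not code from the paper or the authors' simulator: it extracts the sampled window with the Th_up / Th_up/2 rule, computes the correlation coefficient of Eq. 1-3 (TPM) and the least-squares volume ratio of Eq. 4 (TVM), and applies matching-in-depth to three constructed per-second SYN traces. The threshold TH_UP = 20 and the acceptance band 0.5 < a < 1.5 are assumed values, and the traces are constructed, not measured. The off-route node carrying a scaled copy of the victim's pattern (heavy background) shows why TPM alone is not enough: its correlation is 1.0, and only the volume ratio rejects it.

```python
"""Matching-in-depth: Traffic Pattern Matching (TPM) followed by Traffic Volume
Matching (TVM) on per-slot packet counts.

Added example, not code from the paper. The traces below are constructed;
TH_UP and the TVM acceptance band are assumed values.
"""
from math import sqrt

TH_UP = 20               # assumed sampling threshold (packets per slot); not from the paper
R_MIN = 0.7              # TPM: correlation coefficient above which patterns match
A_LO, A_HI = 0.5, 1.5    # TVM: assumed acceptance band around a = 1


def sample_window(counts, th_up=TH_UP):
    """Sampled pattern: sampling starts when a slot exceeds th_up packets
    and stops when a slot drops below th_up / 2."""
    window = []
    sampling = False
    for c in counts:
        if not sampling:
            if c > th_up:
                sampling = True
                window.append(c)
            continue
        if c < th_up / 2:
            break
        window.append(c)
    return window


def correlation(l1, l2):
    """Pearson correlation coefficient r(A, B) of two equal-length patterns (Eq. 1-3)."""
    n = len(l1)
    a_bar, b_bar = sum(l1) / n, sum(l2) / n
    s_ab = sum((x - a_bar) * (y - b_bar) for x, y in zip(l1, l2))
    s_aa = sum((x - a_bar) ** 2 for x in l1)
    s_bb = sum((y - b_bar) ** 2 for y in l2)
    if s_aa == 0 or s_bb == 0:
        return 0.0           # a flat pattern has no shape to compare against
    return s_ab / sqrt(s_aa * s_bb)


def volume_ratio(l1, l2):
    """Least-squares slope a of L2 ~ a * L1 through the origin (Eq. 4);
    a close to 1 means the two nodes saw similar traffic volume."""
    den = sum(x * x for x in l1)
    return sum(x * y for x, y in zip(l1, l2)) / den if den else 0.0


def matches(victim, node, r_min=R_MIN, a_lo=A_LO, a_hi=A_HI):
    """Matching-in-depth: both the pattern (TPM) and the volume (TVM) must agree.
    Returns (matched, r, a)."""
    n = min(len(victim), len(node))
    v, m = victim[:n], node[:n]
    r = correlation(v, m)
    a = volume_ratio(v, m)
    return (r > r_min and a_lo < a < a_hi), r, a


# Constructed per-second SYN counts (not measured data).
VICTIM_RAW = [3, 2, 100, 120, 140, 130, 150, 110, 6, 1]
VICTIM = sample_window(VICTIM_RAW)            # -> [100, 120, 140, 130, 150, 110]
ON_PATH = [98, 121, 138, 132, 149, 112]       # intermediate node on the attack route
HEAVY_BG = [350, 410, 470, 440, 500, 380]     # off-route node: same shape, 3x the volume + offset
UNRELATED = [40, 20, 60, 10, 30, 50]          # off-route node with unrelated background traffic


def classify():
    """Run matching-in-depth for each candidate; returns {name: (matched, r, a)}."""
    candidates = (("on_path", ON_PATH), ("heavy_bg", HEAVY_BG), ("unrelated", UNRELATED))
    return {name: matches(VICTIM, trace) for name, trace in candidates}


if __name__ == "__main__":
    for name, (ok, r, a) in classify().items():
        print(f"{name:10s} r={r:.3f} a={a:.3f} -> {'MATCH' if ok else 'no match'}")
```

The on-route node passes both levels (r about 0.995, a about 1.0); the heavy-background node passes TPM with r = 1.0 but fails TVM with a above 3; the unrelated node already fails TPM. A real deployment would run `matches` at each queried node against the victim's pattern carried in the query, and tune the band on `a` to the observed background volume, as the paper notes.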
Figure 8 shows the traceback success rate under rather high background traffic. In this case, traffic volume matching becomes necessary, since other nodes show high correlation due to the heavy background traffic. When only the TPM method is used, the traceback success rate goes down as the background traffic increases.

[Figure 8] Success rate with high background traffic (traceback success rate vs. number of senders)

This is because of the clustering effect shown in figure 9: both clusters show a high correlation coefficient.

[Figure 9] Traffic volume correlation (traffic pattern at intermediate nodes vs. traffic pattern at victim)

We can separate the clusters by traffic volume matching using equation (4), accepting only values of a within a band around 1 (we used 0.5 < a < 1.5; the proper lower and upper bounds depend on the background traffic volume). Note that this is computationally much lighter than clustering algorithms such as the K-means method [2]. Our simulation showed that by using both TPM and TVM, the traceback success rate becomes 100%.

We compared our proposed scheme to flooding in terms of query overhead. Figure 10 shows the query traffic generated; a different area, node count and transmission range were used for this experiment. The overhead includes the number of transmitted as well as received packets. As we can expect, our query scheme incurs much less overhead, since it performs a directional expanded ring search. As the network size becomes bigger, the difference becomes significant.

[Figure 10] Overhead comparison (overhead in Tx+Rx packets vs. network size in nodes; flooding vs. directional expanded ring)

5 CONCLUSIONS AND FUTURE WORK

Our Contact-based DoS attacker traceback mechanism in MANET has the following advantages:
(I) By using Contacts, directional expanded ring search and in-network processing, we effectively reduce the communication overhead needed to trace an attacker.
(II) Using the traffic pattern enables us to find attack routes efficiently with reduced processing load, even if the node address is spoofed.
(III) Even under mobility of intermediate nodes, we can trace back by utilizing the less mobile nodes along the attack route.
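The search of section 3.3 and the overhead comparison of figure 10, as an added example that is not part of the paper and not the authors' simulator. Assumptions: a 10x10 grid of nodes at 100 m spacing standing in for random placement, a 150 m one-hop range, ideal Contact locations 300 m from the querying node in eight directions, depth-of-search 5, attack traffic relayed along the diagonal from the attacker at (900,900) to the victim at (0,0), and the set of nodes whose traffic passes TPM and TVM against the victim's given directly as ATTACK_ROUTE rather than computed from traces. A Contact query is unicast (counted as one transmit plus one receive per hop, approximating greedy forwarding), each queried Contact performs one limited broadcast to its vicinity, nodes that already received the query discard it, and a Contact that finds no match in its vicinity stops forwarding (in-network processing). Flooding is counted as every node rebroadcasting once.

```python
"""Contact-based DoS traceback: directional expanded ring search with
in-network processing, compared against flooding on query overhead.

Added example, not code from the paper. Grid layout, contact distance,
one-hop radius, depth-of-search and the diagonal attack route are assumed;
the nodes that "observe matching traffic" are given as a set.
"""
import itertools
import math


def build_grid(n_per_side, spacing):
    """Node id -> (x, y); a regular grid stands in for random placement."""
    return {x * n_per_side + y: (x * spacing, y * spacing)
            for x, y in itertools.product(range(n_per_side), repeat=2)}


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def flooding_overhead(nodes, radius):
    """Every node rebroadcasts once: one transmission plus one reception per neighbour."""
    return sum(1 + sum(1 for m, q in nodes.items() if m != n and dist(p, q) <= radius)
               for n, p in nodes.items())


class ContactTracer:
    def __init__(self, nodes, radius, contact_dist, matching):
        self.nodes = nodes                # id -> position
        self.radius = radius              # transmission range = vicinity (one-hop) radius
        self.contact_dist = contact_dist  # distance of the 8 ideal Contact locations
        self.matching = matching          # ids whose traffic passes TPM+TVM against the victim
        self.received, self.matched, self.overhead = set(), set(), 0

    def vicinity(self, nid):
        here = self.nodes[nid]
        return [m for m, p in self.nodes.items() if m != nid and dist(p, here) <= self.radius]

    def contacts(self, nid):
        """Location-based selection: the node nearest to each of 8 ideal points becomes a
        Contact, unless the ideal point lies beyond one hop of any node (off the field)."""
        x, y = self.nodes[nid]
        chosen = set()
        for k in range(8):
            ideal = (x + self.contact_dist * math.cos(k * math.pi / 4),
                     y + self.contact_dist * math.sin(k * math.pi / 4))
            nearest = min((m for m in self.nodes if m != nid),
                          key=lambda m: dist(self.nodes[m], ideal))
            if dist(self.nodes[nearest], ideal) <= self.radius:
                chosen.add(nearest)
        return sorted(chosen)

    def limited_broadcast(self, nid):
        """Contact queries its vicinity; nodes that already received the query discard it.
        Returns the newly reached nodes whose traffic matches."""
        vic = self.vicinity(nid)
        self.overhead += 1 + len(vic)
        fresh = [m for m in [nid] + vic if m not in self.received]
        self.received.update(fresh)
        hits = [m for m in fresh if m in self.matching]
        self.matched.update(hits)
        return hits

    def _search(self, nid, depth, path):
        if not self.limited_broadcast(nid):
            return None                   # in-network processing: no match, stop forwarding
        if depth == 0:
            return path
        best = None
        for c in self.contacts(nid):
            if c in self.received:
                continue                  # already queried (e.g. a Contact pointing back at the victim)
            hops = max(1, math.ceil(dist(self.nodes[nid], self.nodes[c]) / self.radius))
            self.overhead += 2 * hops     # greedy-forwarded unicast query: tx + rx per hop
            route = self._search(c, depth - 1, path + [c])
            if route is not None and (best is None or len(route) > len(best)):
                best = route
        return best if best is not None else path   # last matching Contact reports the route

    def trace(self, victim, depth):
        """Returns (Contact route from victim toward attacker, matched nodes, overhead)."""
        self.received, self.matched, self.overhead = set(), set(), 0
        route = self._search(victim, depth, [victim])
        return route, sorted(self.matched), self.overhead


# Constructed scenario: 10x10 grid, 100 m spacing, victim at (0,0), attacker at (900,900),
# attack traffic relayed along the diagonal (assumed, not from the paper).
NODES = build_grid(10, 100)
RADIUS, CONTACT_DIST, DEPTH = 150, 300, 5
VICTIM, ATTACKER = 0, 99
ATTACK_ROUTE = {k * 11 for k in range(10)}   # (0,0), (1,1), ..., (9,9)


def run():
    return ContactTracer(NODES, RADIUS, CONTACT_DIST, ATTACK_ROUTE).trace(VICTIM, DEPTH)


if __name__ == "__main__":
    route, matched, overhead = run()
    print("Contact route:", route)
    print("matching nodes:", matched, "attacker found:", ATTACKER in matched)
    print("query overhead:", overhead, "vs flooding:", flooding_overhead(NODES, RADIUS))
```

Running it reports the Contact route 0 -> 22 -> 44 -> 66 -> 88 (the attacker, node 99, lies in the vicinity of the last Contact), all ten diagonal nodes as matching, and a query overhead of a few hundred packets against 784 for flooding the same 100-node field; Contacts whose vicinity sees no match (and, through the `received` set, Contacts pointing back toward the victim) never expand, which is what makes the ring search directional. The per-hop accounting and the rule that drops ideal locations off the field are simplifications for the example.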
In the future, we will perform simulations with different mobility models to verify the efficiency of our scheme under dynamic topology changes.

REFERENCES

[1] H. Burch et al., "Tracing Anonymous Packets to Their Approximate Source," Proc. USENIX LISA Conf., pp. 319-327, Dec. 2000.
[2] V. Guralnik and G. Karypis, Workshop on Data Mining in Bioinformatics (BIOKDD), pp. 73-80, 2001.
[3] A. Helmy et al., "A Contact-based Architecture for Resource Discovery in Ad Hoc Networks," ACM Baltzer MONET Journal, 2004.
[4] B. Karp and H. T. Kung, "GPSR: Greedy Perimeter Stateless Routing for Wireless Networks," ACM MobiCom, Aug. 2000.
[5] G. Mansfield et al., "Towards trapping wily intruders in the large," Computer Networks, Vol. 34, 2000.
[6] A. C. Snoeren et al., "Hash-Based IP Traceback," ACM SIGCOMM, 2001.
[7] S. Savage et al., "Practical Network Support for IP Traceback," ACM SIGCOMM, 2000.