Trace IP Packets by Flexible Deterministic Packet Marking (FDPM)

Yang Xiang and Wanlei Zhou
School of Information Technology, Deakin University, Melbourne, Australia
{yxi, wanlei}@deakin.edu.au

Abstract - Currently a large number of the notorious Distributed Denial of Service (DDoS) attack incidents make people aware of the importance of the IP traceback technique. IP traceback is the ability to trace the IP packets to their origins. It provides a security system with the capability of identifying the true sources of the attacking IP packets. IP traceback mechanisms have been researched for years, aiming at finding the sources of IP packets quickly and precisely. In this paper, an IP traceback scheme, Flexible Deterministic Packet Marking (FDPM), is proposed. It provides more flexible features to trace the IP packets and can obtain better tracing capability than other IP traceback mechanisms, such as link testing, messaging, logging, Probabilistic Packet Marking (PPM), and Deterministic Packet Marking (DPM). The implementation and evaluation demonstrate that FDPM needs a moderately small number of packets to complete the traceback process and requires little computation work; therefore this scheme is powerful to trace the IP packets. It can be applied in many security systems, such as DDoS defense systems, Intrusion Detection Systems (IDS), forensic systems, and so on.

Keywords - IP traceback; security; Flexible Deterministic Packet Marking; DDoS; hash function.

I. INTRODUCTION

IP traceback is to trace the IP packets to their origins [1]; it provides a system with the ability to identify the true sources of the IP packets. In recent years, the notorious Distributed Denial of Service (DDoS) attacks [] make people aware of the importance of providing available data and services securely to the users.
And it also makes the IP traceback technique more and more important, because IP traceback is to construct the path traversed by the attack packets on their journey from the source to the victim [9], which is beneficial to control and punish the attacks. A DDoS attack is an availability attack, for it is characterized by an explicit attempt from an attacker to prevent legitimate users from using the desired resource [7] [5]. With IP address spoofing techniques, the source address in an IP header can be manipulated and falsified by the attackers. Then the source IP addresses in the attack packets are usually counterfeited and look like having nothing to do with the attackers themselves. Therefore, these IP addresses are of no use to identify the attackers. We must rely on some specific IP traceback mechanisms to find the source of the attacker. IP traceback mechanisms have been researched for years, aiming at quickly and precisely finding the sources of IP packets.

In this paper, an IP traceback scheme based on Deterministic Packet Marking (DPM) [4] is proposed. This scheme, named Flexible Deterministic Packet Marking (FDPM), provides more flexible features to trace the IP packets than DPM, and can obtain better tracing capability. Compared with other IP traceback mechanisms, such as link testing, messaging, logging, and Probabilistic Packet Marking (PPM), FDPM needs a moderately small number of packets to complete the traceback process and requires a low computation load.

The rest of this paper is organized as follows. In section II, the related work is introduced. Then the basic idea of DPM and hash-based DPM are presented. The shortcomings of DPM are also analyzed. In section IV, the details of FDPM are introduced. Theoretical analysis is given later, and the implementation and evaluation show that FDPM improves the ability of traceback greatly. The comparison between FDPM and other mechanisms is also analyzed. Finally, challenges and conclusions are discussed.

II. RELATED WORK

Current IP traceback mechanisms can be classified into four main categories as follows: link testing, messaging, logging, and packet marking. FDPM falls into the packet marking category.

Link testing methods include input debugging [3] and controlled flooding methods [6]. The main idea is to start from the victim to find the attack from upstream links by testing possible routes, and then determine which one carries the attack traffic. Although link testing has some advantages such as compatibility with existing protocols, routers and network infrastructure, it also has many significant limitations. First, it consumes a great deal of time to establish the attack path, which may include multiple branch points. However, the attack often does not last long enough for traceback. Second, if the attack comes from within the backbone itself, or a backbone router is a victim, this method is not suitable to reconstruct the attack path. Moreover, if some attacks are only composed of a few packets, this method becomes less effective.

Another traceback technique is messaging. Bellovin proposed an ICMP message to find the source of forged IP packets [3]. Allison Mankin modified this method by proposing an intention-driven ICMP traceback [11]. However, if the attacking packets contribute only a small amount of the total attack traffic, it is difficult for this method to rebuild the real path. Moreover, ICMP packets are often treated or filtered by routers with a low priority, which also makes this method less effective. ICMP traceback is vulnerable to attackers with falsified ICMP messages. In general, the messaging traceback introduces additional network traffic, and cannot handle highly distributed attacks.

Logging is to store the traffic data for analysis. Although storing all the data in the network is impossible, probabilistic sampling or storing transformed information is still feasible. For example, trajectory sampling is used to measure the network traffic [9], Alex C. Snoeren [19] proposed a hash-based logging traceback method, and T. Baba and S. Matsuda [2] proposed a scheme in which tracing agents (tracers) are deployed in the network to log the attack packets, and are coordinated by managing agents. The main advantage of this method is that it can even find the source of a single packet in some situations [19]; however, it needs excessive processing and storage, which makes it difficult to be widely deployed.

The idea of packet marking is to insert traceback data into the IP packet on its way through the various routers from the attack source to the destination. Then the marks in the IP packets can be used to deduce the path of the malicious traffic. Probabilistic Packet Marking (PPM) [18] is one of the packet marking methods. The assumption of PPM is that the attacking packets are much more frequent than the normal packets. It lets routers mark the packets with path information probabilistically and lets the victim reconstruct the attack path by using the marked packets. PPM encodes the information in a rarely used field within the IP header. In order to save storage in the IP header field, the compressed edge fragment sampling method is used. It requires less traffic volume than ICMP traceback, but it encounters computational difficulties as the number of attack sources increases, because the number of packets needed to reconstruct the attack path depends on the number of packets which are marked by the furthest router in the attack path. In order to reduce the number of packets needed to reconstruct the attack path, [13] proposed an adjusted PPM. To some degree it solved the problem of the vulnerabilities of PPM [12], which is easily affected by a spoofed marking field.

Another stream of packet marking methods, which does not use the probabilistic assumption above, is Deterministic Packet Marking (DPM) [4]. This scheme has many advantages over others, such as simple implementation, no bandwidth requirement, less computation overhead, freedom from falsified marking, etc. However, to perform a successful traceback, enough packets must also be collected to reconstruct the attack path. FDPM, an optimized version of DPM, is discussed in a later section. Other practical issues, for example, the maximum number of sources that can be traced, the implementation, the effectiveness of the hash function, and the reduction of the IP packets required, are analyzed in detail as well. Other packet marking schemes include the Advanced and Authenticated Marking Scheme [20], Path Identifier (Pi) [6], and the polynomial path reconstruction [8].

III. HASH-BASED DETERMINISTIC PACKET MARKING (DPM)

Deterministic Packet Marking [4] utilizes a fixed length mark that consists of the 16-bit ID field and the 1-bit Reserved Flag (RF) in the IP header. When the packet enters the protected network, it will be marked by the interface closest to the source of the packet on an edge ingress router. The mark will not be changed when the packet traverses the network. The source IP addresses are stored in the marks.
At any point within the network, the source IP addresses can be assembled when they are necessary. Because all the packets will be marked by the very first router the packet passes, mark spoofing by the attackers is not effective. So this scheme is naturally free of mark spoofing. At least 2 packets are needed to carry the 32-bit source IP address information, because in total 17 bits in the IP header are used for marking. Each data packet holding the mark will be used to reconstruct the source IP address at any victim end within the network. A segment number is also assigned to the mark, because when reconstructing the address, the segment order of the source IP address should be known. After all the segments corresponding to the same ingress address have arrived at the destination, the source IP address of the packets can be recovered by the reconstruction process.

In order to keep track of a set of IP packets that are used for reconstruction, identities showing that the packets come from the same source must be given. The source IP address field in the IP header is completely unreliable, because it can be easily forged by the attackers. The reconstruction process could mismatch packets using different spoofed source IP addresses if only the source IP and the segment number are stored in the mark information. Therefore, the scheme could produce a high false positive rate. The hash of the IP address is kept in the mark to identify that the packets come from the same source. The hash-based scheme is proposed to be more efficient and accurate for path reconstruction under attacks than other schemes. Then the mark in DPM needs another field to store the hash of the IP address, the digest. This digest will always remain the same for an interface from which the packets enter the network. It provides the victim end the ability to recognize that the packets being analyzed are from the same source, although the digest itself cannot tell the real address. Mark Recording and Ingress Address Recovery are two separate processes at the victim end to reconstruct IP addresses. The source IP address can be recovered from the marks, which include three parts: address information, ingress address digest and segment number. This is the basic idea of the hash-based DPM scheme for tracing IP packets. In the following section, the modified version of DPM, Flexible Deterministic Packet Marking (FDPM), is discussed in detail.

IV. FLEXIBLE DETERMINISTIC PACKET MARKING (FDPM)

A. IP Header

DPM utilizes a fixed 17 bits in the IP header to store the marking information. However, the length of the available fields in the IP header can still be expanded. Our thinking is to maximize the number of bits and at the same time to obtain good backwards compatibility. The Type of Service (TOS) field is an 8-bit field that provides an indication of the abstract parameters of the quality of service desired [14]. The details of handling and specification of TOS values can be found in [15]. The TOS parameters are to be used to guide the selection of the actual service parameters when transmitting a datagram through a particular network. However, this field has been rarely supported by most routers in the past. Some proposed standards such as Differentiated Services in TOS [17] are still under development to indicate particular Quality of Service needs from the network. Therefore, in the FDPM scheme, the TOS field will be used to store the mark under some circumstances. The other two fields in the IP header are also exploited: one is the Fragment ID, and the other is the Reserved Flag. An identifying value is assigned to the ID field by the sender to aid in assembling the fragments of a datagram. Because less than 0.25% of all Internet traffic is fragments [22], this field could be safely overloaded without causing serious compatibility problems. And the packet could be successfully transferred without regard to the value in the Reserved Flag field. As shown in figure 1, in total 25 bits are chosen to store the mark information in the maximum case. Considering that the TOS field may be partly or totally unavailable, the minimum number of bits in the IP header is 16. The FDPM scheme can adjust the length according to the protocols of the network in which FDPM is deployed. Since in IPv6 [16] some of the fields do not exist compared with IPv4, this selection may not be suitable in an IPv6 network. However, FDPM can still be deployed under IPv6, only with some changes of the marking fields in the IP header.
[Figure 1. The IP header fields (shaded) utilized in FDPM: Version, IHL, TOS, Total length, ID, Flags, Fragment offset, TTL, Protocol, Header checksum, Source IP address, Destination IP address, Options field (if any), IP data.]

B. Encoding

The main idea of the FDPM encoding of the mark is similar to the encoding of DPM [4], as shown in figure 2. However, before the FDPM mark can be generated, the length of the mark should be decided according to the different network protocols deployed within the protected network. According to the different situations, the length of the mark could be 24 bits at most, 19 bits, or 16 bits at least (the 1-bit Reserved Flag is not included because this bit is used for control purposes, which is introduced in a later part). After the mark is generated, it will be written to the different fields in the header of the IP packet. The ingress IP address is divided into k segments, which means these k parts are stored into the marks to reconstruct one source IP address. The segment number keeps the order of the address bits. And the address digest enables the reconstruction process to recognize that the packets being analyzed are from the same source. Without this part, the reconstruction process cannot trace multiple IP packets, because it cannot identify that the packets come from different sources.

[Figure 2. FDPM encoding: the 32-bit ingress IP address is padded to adapt the length and split into k a-bit address parts; a d-bit digest is computed by a hash function H(x); each mark carries the digest, the address bits and a segment number from 0 to k-1, the mark length being decided by the protocols deployed in the network; a random selector picks one of the k marks for each packet; the resulting FDPM mark has a flexible length.]

The pseudo code of encoding is shown below. In the FDPM scheme, before the encoding process begins, the length of the mark should be calculated. If the network does not utilize the TOS field in the IP packet, the 1-bit Reserved Flag in the header is set to 0, and the length of the mark is set to 24. Under other situations the length of the mark will be 19 or 16, with the relevant bits in TOS marked. If the network supports TOS Precedence but not TOS Priority, the 4th to 6th bits of TOS are utilized for marking; and if the network supports TOS Priority but not TOS Precedence, the 1st to 3rd bits of TOS are utilized for marking.

Marking process at router R, edge interface A, in network N
  if N does not utilize TOS
    Reserved Flag := 0
    7th and 8th bit of TOS := 0
    Length of Mark := 24
  else
    Reserved Flag := 1
    if N utilizes Differentiated Services Field or N supports Precedence and Priority
      7th and 8th bit of TOS := 1
      Length of Mark := 16
    else if N supports Precedence but not Priority
      7th bit of TOS := 1
      8th bit of TOS := 0
      Length of Mark := 19
    else if N supports Priority but not Precedence
      7th bit of TOS := 0
      8th bit of TOS := 1
      Length of Mark := 19
    end if
  end if
  Decide the lengths of each part in the mark
  Digest := H(A)
  loop i = 0 to k-1
    Mark[i].Digest := Digest
    Mark[i].Segment number := i
    Mark[i].Address bits := A[i]
  end loop
  for each incoming packet p
    j := random integer from 0 to k-1
    write Mark[j] into p.Mark

C. Reconstruction

The reconstruction process includes two steps: one is mark recognition, and the other is address recovery. Compared to DPM, the reconstruction process is simpler and more flexible. When each packet that is used to reconstruct the source IP address arrives at the victim, it is put into a cache, because in some cases the processing speed is lower than the arrival speed of the incoming packets. The cache can also output the packet information to another processing unit; by this design different reconstruction methods can be applied and compared with each other. By differentiating the fields in the IP header, the length of the mark and which fields in the IP header are used can be recognized. The second step, the address recovery, will analyze the mark and store the mark into a recovery table. The number of columns of the table is k, which means how many segments are used to carry the source address in the packets. Each column in the same row stores the bits of the same IP address carried by different incoming packets. The rows of the table are the entries; usually each digest owns one entry. However, the same digest may have several entries. Because the digest is the hashed source IP address but is shorter than the IP address, different source IP addresses may have the same digest. When this collision occurs, more than one entry may be created in order to keep as much information as possible, although many of the source IP addresses reconstructed are invalid. A reconstruction using a fixed size recovery table is unable to handle the situation of digest collision. Figure 3 shows the reconstruction scheme. When all fields in one entry are filled according to the segment number, this source IP address is then recovered and the entry is deleted. If more fields still need to be filled, the next packet is processed. To simplify the problem, the serial process is shown in the figure; actually parallel processing is also achievable, and thus it saves computation time. The pseudo code is shown below.

[Figure 3. FDPM reconstruction: each incoming packet fills its address bits into the recovery table according to the segment number; when all fields of an entry are filled, the reconstructed IP address is output.]

Reconstruction at victim V, in network N
  for each attacking packet p
    mark recognition (length and fields)
    if all fields in one entry are filled
      output the source IP
      delete the entry
    else
      if same digest and segment number exist
        create new entry
        fill the address bits into it
      else
        fill the address bits into entry
      end if
    end if
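The following Python carries the encoding and reconstruction pseudo code above through end to end; it is an added illustration, not code from the paper or from the authors' SSFNet packages. It assumes the widths of the mark parts are derived as s = ceil(log2 k) segment-number bits, a = ceil(32/k) address bits and d = mark length - s - a digest bits, and it uses a truncated SHA-256 in place of the PJW and BKDR hashes the paper tested. The collision demonstration at the end goes beyond the pseudo code by forcing two sources onto one digest value, which shows the false positives the paper attributes to digest collisions.

```python
"""FDPM marking and reconstruction, written as an illustration of the scheme."""
import hashlib
import ipaddress
import random

ADDR_BITS = 32
# Mark lengths the paper derives from the IPv4 header: 16-bit ID field plus 8,
# 3 or 0 bits of TOS, selected by the Reserved Flag and two TOS bits.
MARK_LENGTHS = {"tos_unused": 24, "precedence_only": 19,
                "priority_only": 19, "ds_or_both": 16}

def mark_layout(mark_len, k):
    """Widths of segment number (s), address part (a) and digest (d) in one mark.
    Assumption: s = ceil(log2 k), a = ceil(32 / k), the digest takes the rest."""
    s = max(1, (k - 1).bit_length())
    a = -(-ADDR_BITS // k)
    d = mark_len - s - a
    if d < 0:
        raise ValueError(f"k={k} does not fit in a {mark_len}-bit mark")
    return s, a, d

def digest_of(addr, d):
    """H(A) truncated to d bits; truncated SHA-256 stands in for PJW/BKDR (assumption)."""
    h = hashlib.sha256(int(addr).to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big") & ((1 << d) - 1)

def build_marks(addr, mark_len, k, digest):
    """The k marks (digest | segment number | address bits) for ingress address addr."""
    s, a, _ = mark_layout(mark_len, k)
    padded = int(addr) << (a * k - ADDR_BITS)  # zero-pad so it splits into k parts
    marks = []
    for i in range(k):
        addr_bits = (padded >> (a * (k - 1 - i))) & ((1 << a) - 1)
        marks.append((digest << (s + a)) | (i << a) | addr_bits)
    return marks

def encode_marks(addr_str, mark_len, k):
    """Encoding at the edge router: the k marks for interface address A."""
    addr = ipaddress.IPv4Address(addr_str)
    _, _, d = mark_layout(mark_len, k)
    return build_marks(addr, mark_len, k, digest_of(addr, d))

class Reconstructor:
    """Victim-side recovery table: digest -> list of partially filled entries."""

    def __init__(self, mark_len, k):
        self.k = k
        self.s, self.a, self.d = mark_layout(mark_len, k)
        self.table = {}
        self.recovered = []

    def process(self, mark):
        """Mark recognition, then recovery as in the paper's pseudo code: fill the first
        entry of this digest lacking the segment, else open a new one; output when full."""
        addr_bits = mark & ((1 << self.a) - 1)
        seg = (mark >> self.a) & ((1 << self.s) - 1)
        digest = mark >> (self.s + self.a)
        entries = self.table.setdefault(digest, [])
        for entry in entries:
            if seg not in entry:
                entry[seg] = addr_bits
                break
        else:
            entry = {seg: addr_bits}
            entries.append(entry)
        if len(entry) < self.k:
            return None
        entries.remove(entry)  # complete: output the address and delete the entry
        value = 0
        for i in range(self.k):
            value = (value << self.a) | entry[i]
        value >>= self.a * self.k - ADDR_BITS  # drop the padding
        addr = str(ipaddress.IPv4Address(value))
        self.recovered.append(addr)
        return addr

def simulate(addr_strs, mark_len, k, packets_per_source, seed=1):
    """Each source sends packets carrying a randomly selected one of its k marks."""
    rng = random.Random(seed)
    victim = Reconstructor(mark_len, k)
    streams = [encode_marks(a, mark_len, k) for a in addr_strs]
    for _ in range(packets_per_source):
        for marks in streams:
            victim.process(marks[rng.randrange(k)])
    return victim.recovered

def collision_demo():
    """Two sources forced onto one 7-bit digest with interleaved arrivals: the table
    mixes their segments and outputs addresses that belong to neither (false positives)."""
    mark_len, k = MARK_LENGTHS["tos_unused"], 2
    a_marks = build_marks(ipaddress.IPv4Address("10.0.0.1"), mark_len, k, 0x55)
    b_marks = build_marks(ipaddress.IPv4Address("192.168.1.2"), mark_len, k, 0x55)
    victim = Reconstructor(mark_len, k)
    for mark in (a_marks[0], b_marks[1], b_marks[0], a_marks[1]):
        victim.process(mark)
    return victim.recovered
```

With a 24-bit mark and k = 4 the layout is 2 segment bits, 8 address bits and a 14-bit digest; `collision_demo()` returns 10.0.1.2 and 192.168.0.1, neither of which is a real source.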

V. ANALYSIS AND EVALUATION

A. Theoretical Analysis

One limitation of DPM is that the maximum number of attacker sources is only 2048. This means that in the network only 2048 edge routers are permitted in order to trace the IP addresses; otherwise the system cannot precisely reconstruct the source IP addresses. Moreover, this number is obtained without considering other factors such as digest collision, network traffic condition, IP packet fragmentation, and so on. Because of the increased mark length, the FDPM scheme offers a defense system much stronger capability to trace multiple attacker sources. The relationship between the number of packets that carry one IP address k, the fragment bits s, the address bits a, the digest bits d, and the maximum number of attacker sources N under the different situations of FDPM, which could be affected by the digest bits, and the same relationship of the parameters in DPM, are shown in table I.

[Table I. Relationship between the parameters in FDPM and DPM: k, s, a, d and the maximum number of sources N for DPM, FDPM-16, FDPM-19 and FDPM-24.]

[Figure 4. Comparison of the maximum number of sources that can be traced under different situations: number of segments k against Ln(N), for DPM, FDPM-16, FDPM-19 and FDPM-24.]

From this table we can see that under the optimal situation, the maximum number of sources which can be traced by FDPM is 262144. Theoretically, it is 128 times that of DPM, although in the worst case the maximum number by FDPM is 1/2 of that of DPM. Figure 4 shows the comparison of the maximum number of sources that can be traced under different situations by FDPM and DPM. The vertical axis is Ln(N) instead of N, for better illustration.

B. Implementation and Evaluation

To build a real traceback testing network environment is expensive, since thousands of hosts cost much. So we did the simulation work with a network simulator, SSFNet, and gathered the experimental data for analysis. The test results show FDPM can efficiently trace IP packets with better reliability than others.

SSFNet (Scalable Simulation Framework) is a collection of Java components for modeling and simulation of Internet protocols and networks at and above the IP packet level of detail [21]. The SSFNet models are self-configuring, which means that by querying a configuration database, each SSFNet class instance can configure itself autonomously. The network configuration can be written in the Domain Modeling Language (DML) format. We can describe a network environment by using a simple, standardized syntax for all configuration files. The DML syntax specifies a hierarchy of lists of attributes (key-value pairs) that can be stored as ASCII files, which are easy to read and interpret. With this capability to build large scale network environments, many experiments are done to test FDPM. Two Java packages embedded into SSFNet are developed: one is the Encoding sub-system and the other is the Reconstruction sub-system. The Encoding sub-systems are deployed at the edge of the protected network, and the Reconstruction sub-system is deployed at the victim end that will analyze the sources of IP packets.

In the Encoding sub-system, the hash function should be carefully selected, because we find hash collision is one of the main factors affecting the traceback performance. Hashing is useful to store a wide range of possible values in a small amount of space and retrieve them with simple, near-random access. Because all accesses in FDPM must be done through the hash function, the function must fulfill two requirements: it must be fast and it must have a good ability to distribute keys throughout the hash table. The latter requirement minimizes collisions and prevents data items with similar values from hashing to just one part of the hash table. Two general-purpose hash functions are selected to test the effectiveness of hashing in FDPM. The PJW Hash function [5] is based on work by Peter J. Weinberger of AT&T Bell Labs, and is widely in use. Another hash function, the BKDR Hash Function [10], is also chosen. These algorithms are very popular because they can be implemented in any programming language and are quite fast. Figure 5 shows the average non-collision rate of the hashed digest in the traceback experiments. When the number of segments used increases, the non-collision rates remain stable below a fixed level. Under most circumstances tuning hash functions is difficult, because hash tuning requires considerable empirical testing, and it largely depends on what data set is used. Unless the hash table is set up in a pre-set manner, the non-collision rate could hardly be improved. That means the possible hash values are subjectively chosen beforehand and cannot fit the general network environments.

[Figure 5. Non-collision rate against the number of segments used (k), for FDPM-24, FDPM-19 and FDPM-16.]

The average maximum numbers of sources that can be traced under different situations are shown in Figure 6. Although in the reconstruction process all possible source addresses are recorded by creating new digest entries, it also brings false positives. If the amendment for the collision of the digest is ignored, it brings a high missing probability. Compared with the theoretical analysis in the section before, although in the practical experiments the maximum source number is not as large as the theoretical value, FDPM with … bits of digest can still trace more than … different sources.

[Figure 6. Maximum number of sources traced (N) in experiments against the number of segments used (k), for FDPM-24, FDPM-19 and FDPM-16.]

C. Comparison with other traceback mechanisms

The analysis above shows FDPM offers more flexibility and capability to trace the different IP sources than DPM, from the points of view of both theoretical and practical issues. In this section, FDPM is compared with other categories of traceback schemes such as controlled flooding, ICMP traceback, logging, and Probabilistic Packet Marking, as in the following table. The major advantages of FDPM are that it can trace the IP sources with low computation load, while it needs a small number of packets to accomplish the traceback process, without knowing the topology of the protected network. Moreover, it can trace many more sources in a single traceback process than other schemes.

[Table II. Comparison with other traceback mechanisms. Criteria: Compatibility, Implementation, Scalability, Computation load, Number of packets needed for traceback, Bandwidth, Application; mechanisms compared: Controlled flooding, ICMP traceback, Logging, PPM, FDPM.]

D. Challenges

Although FDPM provides many advantages to trace the sources of IP packets, there are still many challenges. For example, the digest collision makes the practical maximum number of sources that can be traced lower than the theoretical value. And this scheme is unable to handle the fragmentation of the IP packet, because it utilizes the 16-bit ID field in the IP header. In particular, on the DDoS defense issue, current research proves traceback is an effective countermeasure against the attacks. However, the prevalent traceback methods can only probabilistically trace every attack host, but not the real attacker. And if thousands of zombies launch a single attack, the traceback will become less effective. Therefore, at present further research is needed to provide a solution to trace back to the real attacker.

VI. CONCLUSION

In this paper, an IP packet traceback scheme, Flexible Deterministic Packet Marking (FDPM), is presented. It provides more flexible features to trace the sources of IP packets and can obtain better tracing capability than other IP traceback mechanisms. The implementation and evaluation demonstrate that FDPM needs a moderately small number of packets to complete the traceback process and requires little computation work; therefore this scheme is powerful to trace the IP packets. It can be applied in many security systems, such as DDoS defense systems, Intrusion Detection Systems (IDS), forensic systems, etc.

ACKNOWLEDGMENT

The authors would like to thank the anonymous reviewers for their constructive suggestions that helped improve the quality of this paper.

REFERENCES

[1] H. Aljifri, "IP Traceback: A New Denial-of-Service Deterrent?", IEEE Security & Privacy, Vol.1, No.3, 2003, pp.24-31.
[2] T. Baba and S. Matsuda, "Tracing Network Attacks to Their Sources", IEEE Internet Computing, Vol.6, No.3, 2002, pp.20-26.
[3] S. M. Bellovin, "ICMP Traceback Messages", Internet Draft, Network Working Group, 2000.
[4] A. Belenky and N. Ansari, "Tracing Multiple Attackers with Deterministic Packet Marking (DPM)", Proc. of IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, 2003.
[5] A. Binstock and J. Rex, Practical Algorithms for Programmers, Pearson Education, 1995.
[6] H. Burch and B. Cheswick, "Tracing Anonymous Packets to Their Approximate Source", Proc. of the 14th Systems Administration Conference (LISA 2000).
[7] Computer Emergency Response Team, CERT, http://www.cert.org.
[8] D. Dean, M. Franklin, and A. Stubblefield, "An Algebraic Approach to IP Traceback", Proc. of Network and Distributed System Security Symposium (NDSS 2001), pp.3-12.
[9] N. G. Duffield and M. Grossglauser, "Trajectory sampling for direct traffic observation", ACM SIGCOMM 2000, pp.271-282.
[10] B. W. Kernighan and Dennis M. Ritchie, The C Programming Language, Second Edition, Prentice Hall, 1988.
[11] A. Mankin, D. Massey, C.-L. Wu, S. F. Wu and L. Zhang, "On Design and Evaluation of Intention-Driven ICMP Traceback", Proc. of Computer Communications and Networks, 2001.
[12] K. Park and H. Lee, "On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack", IEEE INFOCOM 2001, pp.338-347.
[13] T. Peng, C. Leckie, and R. Kotagiri, "Adjusted Probabilistic Packet Marking for IP Traceback", Networking 2002.
[14] RFC 791, Internet Protocol, DARPA, 1981.
[15] RFC 1349, Type of Service in the Internet Protocol Suite, Network Working Group, 1992.
[16] RFC 2460, Internet Protocol, Version 6 (IPv6) Specification, Network Working Group, 1998.
[17] RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers, Network Working Group, 1998.
[18] S. Savage, D. Wetherall, A. Karlin and T. Anderson, "Network Support for IP Traceback", ACM/IEEE Transactions on Networking, Vol.9, No.3, 2001, pp.226-237.
[19] A. C. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio, B. Schwartz, S. T. Kent, and W. T. Strayer, "Single-Packet IP Traceback", IEEE/ACM Transactions on Networking, December 2002, pp.721-734.
[20] D. Song and A. Perrig, "Advanced and Authenticated Marking Schemes for IP Traceback", IEEE INFOCOM 2001, pp.878-886.
[21] Scalable Simulation Framework, http://www.ssfnet.org.
[22] I. Stoica and H. Zhang, "Providing Guaranteed Services Without Per Flow Management", ACM SIGCOMM 99, 1999, pp.81-94.
[23] R.
Stone, "CenterTrack: An P Overlay Network for Tracking DoS Floos", 9th Usenix Security Symposium,, pp.99-. [] Y. Xiang, W. Zhou, an M. Chowhury, "A Survey of Active an Passive Defence Mechanisms against DDoS Attacks", Technical Report, TR C/, School of nformation Technology, Deakin University, Australia, March,. [5] Y. Xiang, an W. Zhou, "An Active Distribute Defense System to Protect Web Applications from DDoS Attacks", Proc. of the 6th nternational Conference on nformation ntegration an Web Base Application & Services (iiwas). [6] A. Yaar, A. Perrig, an D. Song, "Pi: A Path entification Mechanism to Defen against DDoS Attacks", 3 EEE Symposium on Security an Privacy. 5
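The trade-off described in the experiments and challenges sections above (recording every candidate address on a digest collision yields false positives, discarding colliding digests yields misses) can be reproduced with a small simulation. The following is example code added for this page, not the paper's implementation. It assumes a mark layout (ceil(log2 k) index bits, one address segment of ceil(32/k) bits, and the remaining bits of the mark as digest), a truncated SHA-256 as the digest function, and random constructed source addresses; none of these are specified in the text above, and the resulting numbers will not match the paper's curves exactly.

```python
# Added example (not the paper's code): digest collisions in FDPM-style
# marking and reconstruction. Assumed mark layout for a 32-bit address split
# into k segments: ceil(log2 k) index bits, ceil(32/k) segment bits and the
# rest of the L-bit mark as digest; the digest is a truncated SHA-256.
import hashlib
import itertools
import math
import random
from collections import Counter


def layout(mark_bits, k):
    """Split an L-bit mark into (index_bits, segment_bits, digest_bits)."""
    idx_bits = math.ceil(math.log2(k)) if k > 1 else 0
    seg_bits = math.ceil(32 / k)
    dig_bits = mark_bits - idx_bits - seg_bits
    if dig_bits < 1:
        raise ValueError("no digest bits left for k=%d in %d bits" % (k, mark_bits))
    return idx_bits, seg_bits, dig_bits


def digest(addr, dig_bits):
    """dig_bits-bit digest of a 32-bit address (assumed hash function)."""
    h = hashlib.sha256(addr.to_bytes(4, "big")).digest()
    return int.from_bytes(h[:4], "big") & ((1 << dig_bits) - 1)


def segments(addr, k, seg_bits):
    """k segments of seg_bits each, most significant first (zero-padded)."""
    total = seg_bits * k
    padded = addr << (total - 32)
    mask = (1 << seg_bits) - 1
    return [(padded >> (total - seg_bits * (i + 1))) & mask for i in range(k)]


def join(segs, k, seg_bits):
    """Inverse of segments(): rebuild the 32-bit address."""
    value = 0
    for s in segs:
        value = (value << seg_bits) | s
    return value >> (seg_bits * k - 32)


def reconstruct(marks, k, seg_bits, keep_collisions):
    """Victim side: group (digest, index, segment) marks by digest. A digest
    whose slot i holds several distinct segments is a collision. With
    keep_collisions=True every combination of the stored segments is emitted
    (true addresses recovered, false positives added); with False the
    colliding digest is discarded (no false positives, sources missed).
    Returns (set of addresses, number of colliding digests)."""
    table = {}
    for dig, i, seg in marks:
        table.setdefault(dig, {}).setdefault(i, set()).add(seg)
    found, collided = set(), 0
    for slots in table.values():
        if len(slots) < k:
            continue  # not every segment index has arrived yet
        options = [sorted(slots[i]) for i in range(k)]
        if any(len(o) > 1 for o in options):
            collided += 1
            if not keep_collisions:
                continue
        for combo in itertools.product(*options):
            found.add(join(combo, k, seg_bits))
    return found, collided


def experiment(n_sources, mark_bits, k, seed=1):
    """Trace n_sources random (constructed) sources, one packet per segment."""
    _, seg_bits, dig_bits = layout(mark_bits, k)
    rng = random.Random(seed)
    sources = set()
    while len(sources) < n_sources:
        sources.add(rng.getrandbits(32))
    marks = [(digest(a, dig_bits), i, s)
             for a in sources for i, s in enumerate(segments(a, k, seg_bits))]
    rng.shuffle(marks)  # packets reach the victim in arbitrary order
    kept, colliding = reconstruct(marks, k, seg_bits, keep_collisions=True)
    dropped, _ = reconstruct(marks, k, seg_bits, keep_collisions=False)
    counts = Counter(digest(a, dig_bits) for a in sources)
    unique = sum(1 for a in sources if counts[digest(a, dig_bits)] == 1)
    return {
        "digest_bits": dig_bits,
        "colliding_digests": colliding,
        "noncollision_rate": unique / n_sources,  # digest shared with nobody
        "theoretical_rate": (1 - 2.0 ** -dig_bits) ** (n_sources - 1),
        "false_positives": len(kept - sources),
        "missed": len(sources - dropped),
        "recovered_all_when_kept": sources <= kept,
        "no_false_positive_when_dropped": dropped <= sources,
    }


if __name__ == "__main__":
    for k in (2, 4, 8):  # 24-bit mark, as in FDPM-24
        r = experiment(500, 24, k)
        print(k, r["digest_bits"], round(r["noncollision_rate"], 3),
              r["false_positives"], r["missed"])
```

With a 24-bit mark and 500 sources the run shows the effect Figure 5 reports: k=2 leaves only 7 digest bits, so nearly every digest is shared and the victim either floods the result with false positives or, if colliding digests are dropped, misses almost every source; k=8 leaves 17 digest bits and the non-collision rate approaches 1. The keep/drop choice is exactly the amendment the experiments section discusses: keeping all combinations never loses a real source but adds false positives, dropping never invents one but loses sources.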