Improved Technique of IP Address Fragmentation Strategies for DoS Attack Traceback
Defending against denial-of-service (DoS) attacks is one of the hardest security problems on the Internet today. One difficulty in thwarting these attacks is tracing their source, because they often use incorrect or spoofed IP source addresses to disguise the true origin. Traceback mechanisms are a critical part of the defense against IP spoofing and DoS attacks, as well as being of forensic value to law enforcement. Currently proposed IP traceback mechanisms are inadequate to address the traceback problem for the following reasons: they require DoS victims to gather thousands of packets to reconstruct a single attack path; they do not scale to large-scale distributed DoS attacks; and they do not support incremental deployment. This study proposes finding the attack origin through MAC address marking of the attack origin. It is based on an IP trace algorithm called the Marking Algorithm. It modifies the Marking Algorithm so that it can convey the MAC addresses of the intervening routers, and as a result it can trace the exact IP address of the original attacker. To improve the detection time, our algorithm also contains a technique to improve the packet arrival rate. By adjusting the marking probability according to the distance from the packet origin, we were able to decrease the number of packets needed to trace back the IP address.
Keywords: Arrival Rate Distance Data Packet Arrival Rate Attack Path Router Data
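
The abstract's last sentence describes adjusting the marking probability by distance from the packet origin. The following is an added example, not code from the paper: it assumes the adjustment is a marking probability of 1/i at the router i hops from the origin (the abstract does not give the formula) and that each router knows its hop distance, and it compares that rule with a fixed probability by computing the expected number of packets the victim needs before it has seen a mark from every router on a d-hop path. The function names, d = 10 and p = 0.04 are assumptions chosen for illustration.

```python
"""Expected packets to reconstruct a d-hop attack path under packet marking."""
from itertools import combinations


def survival_probs_fixed(d, p):
    """Every router marks with the same probability p.

    Router i (1 = next to the packet origin, d = next to the victim) is seen
    by the victim only if it marks and the d - i routers after it do not.
    """
    return [p * (1 - p) ** (d - i) for i in range(1, d + 1)]


def survival_probs_distance(d):
    """Assumed distance-adjusted rule: router i marks with probability 1/i."""
    probs = []
    for i in range(1, d + 1):
        q = 1.0 / i
        for j in range(i + 1, d + 1):
            q *= 1.0 - 1.0 / j      # router j leaves the earlier mark in place
        probs.append(q)
    return probs


def expected_packets(q):
    """Expected packets until every router's mark has been seen at least once.

    Coupon-collector expectation with unequal probabilities, computed by
    inclusion-exclusion over non-empty subsets of routers (2^d terms).
    """
    total = 0.0
    for k in range(1, len(q) + 1):
        sign = 1.0 if k % 2 else -1.0
        for subset in combinations(q, k):
            total += sign / sum(subset)
    return total


if __name__ == "__main__":
    d, p = 10, 0.04                 # constructed path length and fixed p
    fixed = survival_probs_fixed(d, p)
    dist = survival_probs_distance(d)
    print("fixed p: farthest router seen with prob %.4f, ~%.0f packets"
          % (fixed[0], expected_packets(fixed)))
    print("p = 1/i: every router seen with prob %.4f, ~%.0f packets"
          % (dist[0], expected_packets(dist)))
```

Under the 1/i rule every router's mark reaches the victim with the same probability 1/d, so the farthest router is no longer the bottleneck that it is under a fixed p.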