Identifying DOS and DDOS Attack Origin: IP Traceback Methods Comparison and Evaluation for IoT

  • Brian CusackEmail author
  • Zhuang Tian
  • Ar Kar Kyaw
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 190)


Society is faced with the ever more prominent concerns of vulnerabilities including hacking and DoS or DDoS attacks when migrating to new paradigms such as Internet of Things (IoT). These attacks against computer systems result in economic losses for businesses, public organizations and privacy disclosures. The IoT presents a new soft surface for attack. Vulnerability is now found in a multitude of personal and private devices that previously lacked connectivity. The ability to trace back to an attack origin is an important step in locating evidence that may be used to identify and prosecute those responsible. In this theoretical research, IP traceback methods are compared and evaluated for application, and then consolidated into a set of metrics for potential use against attackers.


Attack origins DoS DDoS TTL Traceback IoT security 


  1. 1.
    Specht, S., Lee, R.: Distributed denial of service: taxonomies of attacks, tools and countermeasures. In: International Conference on Parallel and Distributed Computing Systems, pp. 543–550. San Francisco, CA, USA: CiteSeerX (2004)Google Scholar
  2. 2.
    Kumar, K., Sngal, A., Bhandari, A.: Traceback techniques against DDoS attacks: a comprehensive review. In: 2011 2nd International Conference on Computer and Communication Technology (ICCCT), pp. 491–498. IEEE, Allahabad, India (2011)Google Scholar
  3. 3.
    CERT Coordination Center.: Cert Advisories: CA-2000-01 denial of service developments. CERT Software Engineering Institute. (2015)
  4. 4.
    Chen, T., Tsai, J., Gerla, M.: QoS routing performance in multihop, multimedia, wireless networks. In: IEEE 96th International Conference on Universal Personal Communications Record, vol. 2, pp. 557–561. IEEE, San Diego (1997)Google Scholar
  5. 5.
    Eddy, W.: TCP SYN flooding attacks and common mitigations, RFC4987. IETF: (2007)
  6. 6.
    Lemon, J.: Resisting SYN flood DoS attacks with a SYN cache. In: 2nd European BSD Conference, pp. 89–98. Amsterdam, The Netherlands: USENIX (2002)Google Scholar
  7. 7.
    Paxson, V.: An analysis of using reflectors for distributed denial-of-service attacks. ACM SIGCOMM Comput. Commun. Rev. 31(3), 38–47 (2001)CrossRefGoogle Scholar
  8. 8.
    Gilad, Y., Herzberg, A.: LOT: a defense against IP spoofing and flooding attacks. ACM Trans. Inf. Syst. Secur. 15(2), 6 (2012)CrossRefGoogle Scholar
  9. 9.
    Kashyap, H., Bhattacharyya, D.: A DDos attack detection mechanism based on protocol specific traffic features. In: Proceedings of the Second International Conference on Computational Science, Engineering and Information Technology, CCSEIT 2012, pp. 194–200. ACM, New York (2012)Google Scholar
  10. 10.
    Yao, G., Bi, J., Vasilakos, A.: Passive IP traceback: disclosing the locations of IP spoofers from path backscatter. IEEE Trans. Inf. Forensics Secur. 10(3), 471–484 (2015)CrossRefGoogle Scholar
  11. 11.
    Ho, C.: Email forensics: tracing and mapping digital evidence from my address. Unpublished Master’s Thesis (2010)Google Scholar
  12. 12.
    Savage, S., Wetherall, D., Karlin, A., Anderson, T.: Network support for IP tracback. IEEE/ACM Trans. Netw. 9(3), 226–237 (2001)CrossRefGoogle Scholar
  13. 13.
    Burch, H., Cheswick, B.: Tracing anonymous packets to their approximate source. In: Proceedings of the 14th USENIX conference on System Administration, LISA 2000, pp. 319–328. Berkeley, CA, USA: USENIX Association Berkeley (2002)Google Scholar
  14. 14.
    Bellovin, S.: ICMP Traceback Messages. Internet Draft: draft-bellovin-itrace-00.txt (2002)Google Scholar
  15. 15.
    Lee, H.C.J., Thing, V.L.L., Xu, Y., Ma, M.: ICMP traceback with cumulative path, an efficient solution for IP traceback. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 124–135. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-39927-8_12 CrossRefGoogle Scholar
  16. 16.
    Izaddoost, A., Othman, M, Rasid, M.: Accurate ICMP traceback model under DoS/DDoS attack. In: Proceedings of the 15th International Conference on Advanced Computing and Communications, ADCOM 2007, pp. 441–446. IEEE Computer Society, Washington, DC, USA (2007)Google Scholar
  17. 17.
    Sager, G.: Security fun with OCxmon and cflowd. Presentation at the Internet 2 Working Group (1998)Google Scholar
  18. 18.
    Song, D., Perrig, A.: Advanced and authenticated marking schemes for IP traceback. In: Proceedings of Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies, INFOCOM 2001, vol. 2, pp. 878–886. IEEE, Anchorage, AK, USA (2001)Google Scholar
  19. 19.
    Snoeren, A., Partridge, C., Sanchez, L., Jones, S., Tchakountio, F., Schwartz, B., Kent, S., Strayer, W.: Single-packet IP traceback. IEEE/ACM Trans. Netw. 10(6), 721–734 (2002)CrossRefGoogle Scholar
  20. 20.
    Ponec, M., Giura,P., Brönnimann, H., Wein, J.: Highly efficient techniques for network forensics. In: Proceedings of the 14th ACM Conference on Computer and Communication Security, CCS 2007, pp. 150–160. ACM, New York (2007)Google Scholar
  21. 21.
    Sung, M., Xu, J.J., Li, J., Li, L.E.: Large-scale IP traceback in high-speed internet: practical techniques and information-theoretic foundation. (2008)
  22. 22.
    Devasundaram, S.: Performance evaluation of a TTL-based dynamic marking scheme in IP traceback. University of Akron, Akron (2006)Google Scholar
  23. 23.
    Wang, H., Jin, C., Shin, K.: Defense against spoofed IP traffic using hop-count filtering. IEEE/ACM Trans. Netw. 15(1), 40–53 (2007)CrossRefGoogle Scholar
  24. 24.
    KrishnaKumar, B., Kumar, P., Sukanesh.: Hop count based packet processing approach to counter DDoS attacks. In: International Conference on Recent Trends in Information, Telecommunication and Computing (ITC), pp. 271–273. IEEE, Kochi (2010)Google Scholar
  25. 25.
    Yang, M., Luo, J.: High accuracy and low storage hybrid IP traceback. In: 2014 International Conference on Computer, Information and Telecommunication Systems (CITS), pp. 1–5. IEEE, Jeju (2014)Google Scholar
  26. 26.
    Park, P., Yi. H., Hong, S., Ryu, J.: An effective defense mechanism against DoS/DDoS attacks in flow-based routers. In: The 8th International Conference on Advances in Mobile Computing and Multimedia, pp. 442–446. ACM, Paris (2010)Google Scholar
  27. 27.
    Dang, X., Albright, E., Abonamah, A.: Performance analysis of probabilistic packet marking in IPv6. Comput. Commun. 30(16), 3193–3202 (2007)CrossRefGoogle Scholar
  28. 28.
    Michiko, H., Naoyuki, K., Daisaku, T.: Implementation of probabilistic packet marking for IPv6 traceback. IPSI BgD Trans. Internet Res. 1(1), 54–58 (2005)Google Scholar
  29. 29.
    Amin, S., Hong, C., Kwak, D., Lee, J.: IPv6 traceback using policy based management system. Korean Netw. Oper. Manag. 9(2), 1–7 (2006)Google Scholar
  30. 30.
    Yan, Q., He, X., Ning, T.: An improved dynamic probabilistic packet marking for IP traceback. Int. J. Comput. Netw. Inf. Secur. 2(2), 47–53 (2010)Google Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2017

Authors and Affiliations

  1. 1.Digital Forensic Research Laboratory, School of Engineering Computer and Mathematical ScienceAuckland University of TechnologyAucklandNew Zealand
  2. 2.Facuty of Business and Information TechnologyWhitireia Community Polytechnic – Auckland CampusAucklandNew Zealand

Personalised recommendations