Abstract
A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack may result in rapid resource depletion along the attack path. Because such attacks typically use stepping-stone and masquerading techniques, such as Internet Protocol (IP) or Media Access Control (MAC) address spoofing, tracing the intrusion back to the true attacker is a challenging task for network security engineers. Although the Internet Engineering Task Force (IETF) has proposed an Internet Control Message Protocol (ICMP) based Traceback solution, it faces severe difficulties in practice with regard to justifying the interoperability of deployed routers as well as the correctness of Traceback with multiple attack paths. This research proposes a novel approach, named MIB-ITrace-CP, that embeds the essence of a management information base (MIB) into iTrace messages in order to improve the accuracy and efficiency of the original ICMP-based Traceback. Through our implementations on a Testbed@TWISC platform, we validated our approach and demonstrated the feasibility of practical network forensics.
Keywords
- DoS
- Spoofing
- Forensics
- Traceback
- ITrace-CP
Copyright information
© 2012 IFIP International Federation for Information Processing
About this paper
Cite this paper
Cheng, BC., Liao, GT., Lin, CK., Hsu, SC., Hsu, PH., Park, J.H. (2012). MIB-ITrace-CP: An Improvement of ICMP-Based Traceback Efficiency in Network Forensic Analysis. In: Park, J.J., Zomaya, A., Yeo, SS., Sahni, S. (eds) Network and Parallel Computing. NPC 2012. Lecture Notes in Computer Science, vol 7513. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35606-3_12
DOI: https://doi.org/10.1007/978-3-642-35606-3_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35605-6
Online ISBN: 978-3-642-35606-3
eBook Packages: Computer Science, Computer Science (R0)
