A Logless Fast IP Traceback Scheme Against DDoS Attacks in Wireless Ad-hoc Network
Yinan Jing, Xueping Wang, Xiaochun Xiao, Gendu Zhang
School of Information Science & Engineering, Fudan University, Shanghai, 200433, P.R. China
Wireless, Mobile and Multimedia Networks, 2006 IET International Conference
Advisor : I-Long Lin, Han-Chieh Chao
Student : Shih-Hao Peng
Date : 2011/04/26

Outline
• Abstract
• Introduction
• Logless Fast IP traceback scheme
• Simulation Result
• Discussion
• Conclusions

Abstract
• Distributed denial-of-service (DDoS) attacks have become the major threat to wireless ad-hoc networks
• There are some problems with the nodes of wireless ad-hoc networks
– Limited bandwidth
– Computational resource
– Unpredictable routing behaviors
• The authors propose a Logless Fast IP Traceback (LFIT) scheme, based on Probabilistic Packet Marking (PPM), which is applicable to source traceback in wireless ad-hoc networks
• The scheme has faster traceback speed than previous work

Introduction
• IP traceback allows the victim to identify the attack sources even in the presence of IP spoofing
• Several traceback schemes have been proposed for the Internet:
– Link Testing
– Log-based schemes
– ICMP-based iTrace
– Probabilistic Packet Marking (PPM)
• PPM might be the most promising for attack source traceback in wireless ad-hoc networks, because it has more advantages in network and node overhead than the other schemes

Logless Fast IP traceback scheme
• The main reason for the slow traceback speed of PPM is that the old marking information might be easily overwritten by the downstream routing nodes due to the limited marking information space in packets.
• The authors propose a distributed-log-based scheme which uses logs in routing nodes to conserve the old marking information before the downstream node overwrites it
• The log-based scheme is not applicable to the wireless ad-hoc environment, because it requires log storage space at traceback-enabled nodes and infrastructure support for log collection

Logless Fast IP traceback scheme(Cont.)
[Figure: Marking Information Hash Table structure]
• Each traceback-enabled node has a hash table called the Marking Information Hash Table (MIHashTable)
• This table is used to manage Marking Information Queues (MIQueue) for different destinations
• TimeStamp: records the latest access time of the MIQueue

Logless Fast IP traceback scheme(Cont.)
• The LFIT scheme uses a MIQueue to reserve the old marking information in the packet momentarily before remarking
• The traceback-enabled nodes convey the marking information in the MIQueue towards the victim preferentially
• The marking information reserved in the MIQueue can be conveyed to the victim by producing new packets
• The authors still follow the idea of PPM schemes and use the free space in the packets to transmit the marking information

Logless Fast IP traceback scheme(Cont.)
• The authors assume the marking information space in one packet is enough to store a piece of marking information <oldTTL, nodeid, FlowMark, flag>
– oldTTL: used to obtain the distance (Hops) between the original marking node and the current node
– nodeid: the node identity of the marking node
– FlowMark: hash value of one packet's flow information, which is usually denoted by <source IP, source port, destination IP, destination port, protocol type> of one packet
– The 1-bit flag is used to denote whether one packet has been marked
  · 1: the packet has been marked
  · 0: the packet hasn't been marked

Logless Fast IP traceback scheme(Cont.)
• The MIQueue has two functions, enqueue() and dequeue(), to implement writing and reading marking information
• A piece of marking information reserved in the MIQueue can be represented as <Hops, nodeid, FlowMark>
• The marking information in the MIQueue will be conveyed forward as quickly as possible at a higher priority
• After the victim has received a modest number of marking packets, it can reconstruct the attack paths from the marking information

Logless Fast IP traceback scheme(Cont.)
• First, the victim can identify the attack packets with the intrusion detection system
• Second, the victim uses a hash table called FlowMarkHashTable (FMhtbl_ is a pointer to this table)
[Figure: Data structure for attack paths reconstruction]
In terms of the Hops of the marking information, the authors can sort the different nodeid values in order and yield a NodeList
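
The marking, MIQueue and path-reconstruction steps from the slides above, as an added Python example (not code from the paper or the presenter; the algorithm slides did not survive extraction). It goes slightly beyond a single path by letting two flows share downstream nodes. The names Node, forward, reconstruct and simulate, the initial TTL of 64, the flow label standing in for the FlowMark hash and the topology are assumptions made for illustration.

```python
import random
from collections import defaultdict, deque

# Assumptions (not from the page): initial TTL 64; a flow label stands in
# for the FlowMark hash; a reserved mark is carried only by an unmarked packet.
class Node:
    """Traceback-enabled node; MIHashTable maps destination -> MIQueue."""
    def __init__(self, nodeid, p, rng):
        self.nodeid, self.p, self.rng = nodeid, p, rng
        self.mihashtable = defaultdict(deque)

    def forward(self, pkt):
        pkt["ttl"] -= 1
        miqueue = self.mihashtable[pkt["dst"]]
        if self.rng.random() < self.p:      # mark with probability p
            if pkt["flag"]:                 # enqueue(): reserve old mark as <Hops, nodeid, FlowMark>
                miqueue.append((pkt["oldTTL"] - pkt["ttl"], pkt["nodeid"], pkt["FlowMark"]))
            pkt.update(flag=1, oldTTL=pkt["ttl"], nodeid=self.nodeid, FlowMark=pkt["flow"])
        elif not pkt["flag"] and miqueue:   # dequeue(): free marking space carries a reserved mark
            hops, nodeid, flowmark = miqueue.popleft()
            pkt.update(flag=1, oldTTL=pkt["ttl"] + hops, nodeid=nodeid, FlowMark=flowmark)
        return pkt

def reconstruct(received):
    """Victim side: FlowMarkHashTable maps FlowMark -> {nodeid: Hops}; sort by Hops."""
    fm_table = defaultdict(dict)
    for pkt in received:
        if pkt["flag"]:
            fm_table[pkt["FlowMark"]][pkt["nodeid"]] = pkt["oldTTL"] - pkt["ttl"]
    return {fm: sorted(nodes, key=nodes.get) for fm, nodes in fm_table.items()}

def simulate(paths, packets_per_flow=2000, p=0.2, seed=1):
    """paths: {flow: [nodeid, ...]} ordered attacker -> victim; nodes may be shared."""
    rng = random.Random(seed)
    nodes = {n: Node(n, p, rng) for path in paths.values() for n in path}
    received = []
    for _ in range(packets_per_flow):
        for flow, path in paths.items():
            pkt = {"dst": "victim", "flow": flow, "ttl": 64, "flag": 0}
            for n in path:
                nodes[n].forward(pkt)
            received.append(pkt)
    return reconstruct(received)

if __name__ == "__main__":
    # Constructed topology: two attack flows merging at r1 on the way to the victim.
    print(simulate({"flowA": ["a1", "a2", "r1", "r2"], "flowB": ["b1", "r1", "r2"]}))
```

Each NodeList is ordered from the node nearest the victim to the node nearest the attacker. Writing `oldTTL = ttl + Hops` when a reserved mark is placed into a carrier packet keeps the distance correct even when the carrier belongs to a different flow.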
Simulation Result
• The authors have implemented the LFIT and Advanced Marking Scheme (AMS) schemes on NS-2
• The number of packets required to reconstruct all paths is a linear function of the number of attackers
• There are 14 traceback-enabled nodes between the attacker and the victim
• The authors used the following two performance metrics to evaluate the performance of LFIT:
– Convergence time of the traceback algorithm
– Average queue length under various parameters

Simulation Result(Cont.)
[Table: Average convergence time of AMS and LFIT]
• The table shows the average convergence time of the LFIT and AMS schemes
• X: the number of packets required to reconstruct an attack path
• p: the marking probability

Simulation Result(Cont.)
• In order to evaluate the utilization of the MIQueue at different positions under different p, the authors let 200 packets pass through this path towards the same destination
[Figure: Utilization of MIQueue under various d]

Simulation Result(Cont.)
• The picture shows the utilization of the MIQueue at the same position (same d) when we let p take different values
[Figure: Utilization of MIQueue under various p]

Simulation Result(Cont.)
• AQL is defined as the average queue length per packet, 0<=AQL<=1
[Figure or table: Average Queue Length under various parameters]

Discussion
• Although traceback-enabled nodes in the LFIT scheme need neither to store nor to transmit logs, they have some computational and storage overhead
– When one packet arrives at a node, there is a table query operation
– MIQueues at one node need storage space
• The LFIT scheme can periodically clean up overdue entries from the MIHashTable by TimeStamp

Conclusions
• The authors proposed a logless fast IP traceback scheme, which not only has faster traceback speed than previous traditional PPM schemes, but also has little network and node overhead
• LFIT is a fast and lightweight traceback scheme that is applicable to the wireless ad-hoc environment