A Logless Fast IP Traceback Scheme Against DDoS Attacks in Wireless Ad-hoc Network

Yinan Jing, Xueping Wang, Xiaochun Xiao, Gendu Zhang
School of Information Science & Engineering, Fudan University, Shanghai, 200433, P.R. China
Wireless, Mobile and Multimedia Networks, 2006 IET International Conference

Advisor: I-Long Lin, Han-Chieh Chao
Student: Shih-Hao Peng
Date: 2011/04/26

Outline
• Abstract
• Introduction
• Logless Fast IP traceback scheme
• Simulation Result
• Discussion
• Conclusions

Abstract
• Distributed denial-of-service (DDoS) attacks have become the major threat to wireless ad-hoc networks
• There are some problems with the nodes of wireless ad-hoc networks
  – Limited bandwidth
  – Computational resource
  – Unpredictable routing behaviors
• The authors propose a Logless Fast IP Traceback (LFIT) scheme, based on Probabilistic Packet Marking (PPM), which is applicable to source traceback in wireless ad-hoc networks
• The scheme has faster traceback speed than previous work

Introduction
• IP traceback allows the victim to identify the attack sources even in the presence of IP spoofing
• Several traceback schemes have been proposed for the Internet:
  – Link Testing
  – Log-based schemes
  – ICMP-based iTrace
  – Probabilistic Packet Marking (PPM)
• PPM might be the most promising for attack source traceback in wireless ad-hoc networks, because it has more advantages in network and node overhead than other schemes

Logless Fast IP traceback scheme
• The main reason for slow traceback speed (PPM) is that the old marking information might be easily overwritten by the downstream routing nodes due to the limited marking information space in packets.
• The authors propose a distributed-log-based scheme which uses logs in routing nodes to conserve the old marking information before the downstream node overwrites it
• The log-based scheme is not applicable to the wireless ad-hoc environment, because it requires log storage space at traceback-enabled nodes and infrastructure support for log collection

[Figure: Marking Information Hash Table structure]
• Each traceback-enabled node has a hash table called the Marking Information Hash Table (MIHashTable)
• This table is used to manage Marking Information Queues (MIQueue) for different destinations
• TimeStamp: records the latest access time of the MIQueue

• The LFIT scheme uses an MIQueue to reserve the old marking information in the packet momentarily before remarking
• The traceback-enabled nodes convey the marking information in the MIQueue towards the victim preferentially
• The marking information reserved in the MIQueue can be conveyed to the victim by producing new packets
• The authors still follow the idea of PPM schemes and use the free space in the packets to transmit the marking information

• The authors assume the marking information space in one packet is enough to store a piece of marking information <oldTTL, nodeid, FlowMark, flag>
  – oldTTL: used to obtain the distance (Hops) between the original marking node and the current node
  – nodeid: the node identity of the marking node
  – FlowMark: hash value of one packet's flow information, which is usually denoted by <source IP, source port, destination IP, destination port, protocol type> of one packet
  – flag: the 1-bit flag is used to denote whether one packet has been marked (1: the packet has been marked; 0: the packet hasn't been marked)
• The MIQueue has two functions, enqueue() and dequeue(), which implement writing and reading marking information
• A piece of marking information reserved in the MIQueue can be represented as <Hops, nodeid, FlowMark>
• The marking information in the MIQueue will be conveyed forward as quickly as possible, with a higher priority
• After the victim has received a modest number of marking packets, it can reconstruct the attack paths from the marking information

• First, the victim can identify the attack packets with the intrusion detection system
• Second, the victim uses a hash table called FlowMarkHashTable (FMhtbl_ is a pointer to this table)
[Figure: Data structure for attack paths reconstruction]
• In terms of the Hops of the marking information, the authors can sort the different nodeid values in order and yield a NodeList

Simulation Result
• The authors have implemented the LFIT and Advanced Marking Scheme (AMS) schemes on NS-2
• The number of packets required to reconstruct all paths is a linear function of the number of attackers
• There are 14 traceback-enabled nodes between the attacker and the victim
• The authors used the following two performance metrics to evaluate the performance of LFIT:
  – Convergence time of the traceback algorithm
  – Average queue length under various parameters

[Table: Average convergence time of AMS and LFIT]
• The table shows the average convergence time of the LFIT and AMS schemes
• X: the number of packets required to reconstruct an attack path
• p: the marking probability

• In order to evaluate the utilization of the MIQueue at different positions under different p, the authors let 200 packets pass through this path towards the same destination
[Figure: Utilization of MIQueue under various d]
• The picture shows the utilization of the MIQueue at the same position (same d) when p takes different values
[Figure: Utilization of MIQueue under various p]

• AQL is defined as the average queue length per packet, 0 <= AQL <= 1
[Table: Average Queue Length under various parameters. Surviving values: 0.4, 0.3, 0.2, 0.1, 0.07, 0.05]

Discussion
• Although traceback-enabled nodes in the LFIT scheme need neither store nor transmit logs, they have some computational and storage overhead
  – When one packet arrives at a node, there is a table query operation
  – MIQueues at one node need storage space
• The LFIT scheme can periodically clean up overdue entries from the MIHashTable by TimeStamp

Conclusions
• The authors proposed a logless fast IP traceback scheme, which not only has faster traceback speed than previous traditional PPM schemes, but also has little network and node overhead
• LFIT is a fast and lightweight traceback scheme that is applicable to the wireless ad-hoc environment
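
The following simulation is an added example, not code from the paper or the slides: it runs the MIHashTable/MIQueue bookkeeping on a 14-node path and rebuilds the NodeList at the victim from the Hops values. The per-node marking procedure sat on slides that did not survive here, so the forwarding rules are assumptions consistent with the bullets above (queued information rides in the next unmarked packet to the same destination, and its oldTTL is rewritten so the victim still recovers the original distance). The CRC32 FlowMark, the names `Node`, `forward`, `purge` and `reconstruct`, and the constructed flow are likewise assumptions.

```python
import random
import zlib
from collections import deque

def flow_mark(flow):
    # FlowMark: hash of <src IP, src port, dst IP, dst port, protocol>; CRC32 is an assumption
    return zlib.crc32(repr(flow).encode()) & 0xFFFF

class Node:
    def __init__(self, nodeid, p, rng):
        self.nodeid, self.p, self.rng = nodeid, p, rng
        self.mi_hash_table = {}                  # destination -> [MIQueue, TimeStamp]

    def forward(self, pkt, now):
        pkt["ttl"] -= 1
        entry = self.mi_hash_table.setdefault(pkt["flow"][2], [deque(), now])
        queue, entry[1] = entry[0], now          # TimeStamp = latest access time
        own = (pkt["ttl"], self.nodeid, flow_mark(pkt["flow"]), 1)
        if pkt["mark"][3] == 0:                  # flag 0: marking space is free
            if queue:                            # queued information goes out first
                hops, nid, fm = queue.popleft()  # dequeue()
                pkt["mark"] = (pkt["ttl"] + hops, nid, fm, 1)
            elif self.rng.random() < self.p:
                pkt["mark"] = own
        elif self.rng.random() < self.p:         # re-mark: keep the old mark in the MIQueue
            old_ttl, nid, fm, _ = pkt["mark"]
            queue.append((old_ttl - pkt["ttl"], nid, fm))  # enqueue() <Hops, nodeid, FlowMark>
            pkt["mark"] = own

    def purge(self, now, max_age):
        # periodic clean-up of overdue MIHashTable entries by TimeStamp
        stale = [d for d, e in self.mi_hash_table.items() if now - e[1] > max_age]
        for dst in stale:
            del self.mi_hash_table[dst]

def reconstruct(path_len=14, p=0.2, max_packets=5000, seed=1):
    rng = random.Random(seed)
    nodes = [Node(f"n{i}", p, rng) for i in range(1, path_len + 1)]
    flow = ("10.0.0.66", 4444, "10.0.0.1", 80, "udp")  # constructed attack flow
    fm_htbl = {}                                 # FlowMarkHashTable: FlowMark -> {Hops: nodeid}
    for sent in range(1, max_packets + 1):       # every packet counts as IDS-flagged here
        pkt = {"ttl": 64, "flow": flow, "mark": (0, None, 0, 0)}
        for node in nodes:
            node.forward(pkt, now=sent)
        old_ttl, nid, fm, flag = pkt["mark"]
        if flag:                                 # Hops = oldTTL - TTL on arrival
            fm_htbl.setdefault(fm, {})[old_ttl - pkt["ttl"]] = nid
        if len(fm_htbl.get(flow_mark(flow), {})) == path_len:
            break
    by_hops = fm_htbl.get(flow_mark(flow), {})
    return [by_hops[h] for h in sorted(by_hops, reverse=True)], sent  # NodeList, packets used
```

`reconstruct()` returns the NodeList ordered from the node nearest the attacker to the node nearest the victim, together with the number of packets the victim needed to see.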