Journal of Information Assurance and Security 1 (2006) 79-94
Taxonomy of IP Traceback
Lakshmi Santhanam1, Anup Kumar2 and Dharma P. Agrawal1
OBR Center for Distributed and Mobile Computing1
Department of ECECS, Univ. of Cincinnati
{santhal,dpa}@ececs.uc.edu
Mobile Information Network and Distributed Systems (MINDS) Lab2
Department of ECECS, University of Louisville,
Louisville, KY, 40292
[email protected]
Abstract: The internet is constantly plagued with various kinds of security threats, amongst which Denial of Service (DoS) constitutes a huge umbrella of potent attacks. It is very important to understand the intricacies of these attacks and the counter-mechanisms that exist in the literature. The best antidote to these attacks would be to fix the problem at its root by identifying the source of the attacks. The technique of traceback performs such a forensic analysis of internet traffic. In this paper, we classify and analyze various existing traceback schemes in detail. We provide a comprehensive comparison of these schemes in terms of various performance metrics. A thorough study of these schemes is very useful in exploring potential areas of future research.
Keywords: Traceback, DoS attacks, Reactive, Pro-active, Spoofing, Out-of-band and In-band.
1. Introduction
As the use of e-commerce and dot-coms continues to expand in various spheres of life, security breaches in these systems are expanding correspondingly. The DoS attack poses a potent threat to internet security, primarily because it can be launched easily and can go untraced. A malicious intruder can deplete system resources by overwhelming a system with excess unwanted traffic, which could result in a dysfunctional network or a disabled web server. The distributed DoS (DDoS) attack is more deviant, as the attack is launched synchronously from multiple locations and is so massive that it is harder to detect and stop. DoS attacks entail huge financial losses for companies which depend solely on the internet for their business. Some popular websites like Yahoo and Amazon were crippled in a major DoS attack in February 2000. Similarly, a more serious attack in October 2002 targeted the DNS root servers [1].
There are multitudes of DoS attacks varying in their degree of sophistication and level of impact [2]. Some of the common forms of DoS attack discussed here are buffer overflow attacks, the SYN attack, the Teardrop attack and Smurf attacks. The SYN attacker misuses TCP's 3-way handshake mechanism by opening many bogus connections with the server and then refusing to send the TCP ACK, which exhausts the resources of the server. In the Teardrop attack, the attacker exploits the fragmentation process at a router: when a router receives a large packet it cannot handle, the attacker inserts an incorrect offset in the subsequent fragment, causing improper reassembly. Smurf, a more sophisticated kind of attack, involves an attacker spoofing the victim node and sending ping echo requests to a large number of innocent hosts. These hosts would in turn unknowingly flood the network by responding back to the victim node. The baseline of many DoS defense mechanisms includes route-based packet filtering and distributed attack detection. The defense mechanisms collaboratively identify any deviant behavior in the traffic measurements and take immediate remedial steps to curb the attack. Ingress filtering is a popular preventive scheme followed by ISP managers to squelch DoS attacks [3]. But it is not pragmatic to implement on all internet interfaces, as it requires a large degree of cooperation between ISPs. A complete taxonomy of DoS attacks and existing defense mechanisms is discussed in [4].
Received December 27, 2005.
The best possible defense against DoS attacks lies not only in taking preventive measures but also in identifying the true origin of the attacker and in blocking further occurrences of such incidents. This boils down to the problem of IP traceback. The IP traceback problem involves identifying the actual source of a packet across the Internet. It is, however, a tough and challenging problem due to the rampant spoofing of the packets' source address by the attacker. Attackers, who in general enjoy their anonymity, can now be implicated by traceback and penalized for their malicious acts. As the identity of an attacker could be exposed by traceback, the attacker would think twice before performing a DoS attack. Traceback also helps in a better implementation of filtering rules, as the counter-measures can be taken near the originating point of the attacks.
As per the yearly survey conducted by the Computer Security Institute (CSI) [1], cyber crime is on a downward trend, indicating better adoption and implementation of security tools. In the year 2001, 90% of the companies experienced DoS attacks; in 2005 the number tumbled down to a meager 50%. This is a good indicator of the development of security schemes. With the wide deployment of traceback schemes and intrusion detection systems, a comprehensive security architecture can be envisioned that would bring down this number even further. The plethora of traceback schemes in the literature [5-14] would make us wonder if the solution to traceback is already complete. But every scheme has its merits and limitations. In this paper, we contrast these schemes. In order to provide a detailed comparison, we have given a characteristic table for each class of traceback approach. While the literature [15-18] gives a broad overview of the popular traceback schemes evaluated against a standard set of parameters, we present various new variants of traceback schemes along with the standard methodologies. In addition, the paper provides a list of comprehensive research issues on the IP traceback problem.
1554-1010 $03.50 © Dynamic Publishers, Inc.
The rest of the paper is structured as follows. Section 2
discusses the challenges and design issues in traceback
scheme. Section 3 gives the topography of our classification
scheme at various levels of details. Section 4 gives a brief
discussion of each scheme and analyses its pros and cons as
well as its application. Finally, section 5 concludes the paper.
2. Challenges and Design Issues of Traceback Schemes
Traceback, universally known as IP traceback, facilitates forensic analysis of packets by tracing the source of a packet. The IP header in all packets contains the source IP address. A simple traceback would be to look at the source IP address of each packet to obtain the packet's origin. Unfortunately, due to the limited security features in TCP/IP, it is very easy for any attacker to spoof a source address [8][11][17][18][19]. Routing in IP depends only on the destination address, and there is no authority in the internet that validates the source address inscribed in a packet. Due to this stateless nature of the internet's routing mechanism, it becomes incumbent on researchers to design traceback schemes using other guidelines. As a traceback involves tracing the route taken by the packet backwards from the victim node, it might pass through several ISP domains and necessitate inter-domain cooperation.
An attacker at one end of the network, responsible for initiating an attack against a distant victim node, could be buried behind several other entities. It depends upon the intelligence of a traceback scheme whether the true source of the attack is identified. A generalized attack model [20] is shown in Figure 1. It includes all possible disguises an attacker might use, such as a stepping stone, zombie or reflector.
A simple attacker could issue packets stamped with a spoofed address. Apart from forging the source address, a more potent attacker might be masked behind stepping stones, which are compromised hosts that act as laundering agents. A stepping stone is engineered in such a way that it overwrites its own source address on the outgoing packet headers and also applies some packet transformation to conceal the true origin. Most traceback schemes are capable of tracing only till the stepping stone. Stepping stones can be identified only using specialized techniques that look for a causality relationship between packets entering and leaving a host [21]. An attacker can also conduct an attack through a zombie node, by indirectly communicating via stepping stones or by directly installing trojan programs triggered to execute after a certain delay to hide its association. Like a detonating time bomb, a single command from the attacker is later sufficient to start the attack. Last in the chain of disguises used by an attacker is the reflector node. Reflectors are innocent nodes that readily send response packets. A large number of zombie nodes, with their packet source spoofed as the victim's IP address, target a set of reflectors. The innocent reflectors send their responses and cumulatively flood the victim's network. The malicious zombies may, for instance, initiate TCP SYN flooding: the SYN packets issued by the zombies to a set of reflector nodes carry the spoofed IP address of the victim as their source address. The reflectors would then send the TCP ACK, the second step in the 3-way handshake mechanism, and create a deluge of packets in the victim's network. The use of reflectors in DDoS attacks greatly complicates conducting any traceback [22].
Figure 1: Generalized Attack model
3. Classification of Traceback Schemes
There are umpteen schemes proposed for traceback in the literature, and they can be classified primarily along two dimensions, as reactive and pro-active schemes. Figures 2 and 3 provide a detailed classification of the various schemes according to their functionality.
The taxonomy of reactive schemes is given in Figure 2. A reactive approach is one that carries out the IP traceback on the fly once an attack is detected. In a reactive scheme, traceback is executed in response to an ongoing attack, like a stimulus-response mechanism. It is further classified into IDS assisted and Non-IDS assisted schemes depending upon whether they use an Intrusion Detection System (IDS) in their traceback mechanism. Controlled flooding [8] and Input debugging fall under the category of Non-IDS assisted schemes and need the manual intervention of an operator to conduct the traceback.
Figure 2: Reactive Schemes Classification
Figure 3: Pro-Active Schemes Classification
The IDS assisted schemes can be partitioned into network based and host based schemes. A reactive host based scheme executes the traceback from the victim node, which is entrusted with this duty. Host based schemes fall into either logging or link testing schemes. A logging scheme like Blackhole [23] maintains a log of the suspicious packets in its database for scrutiny. A link testing scheme like [19] performs traceback hop-by-hop at each upstream router, starting from the victim node and going to the source. A reactive network based scheme is one that is performed using some special infrastructure of the network, like special routers/gateways or firmware installed on routers, and is based on network traffic monitoring [24]. Some network based schemes like IPSec [5], IDIP [25] and CenterTrack [11] use specialized routing mechanisms to conduct traceback, while other schemes like D-WARD [4] and SWT [24] use normal routing.
Figure 3 gives the topology of the pro-active scheme classification. A proactive approach takes a different orientation in pinpointing the source: it proactively records and logs the traffic packets as they flow through the network. These records are useful indicators for the victim in reconstructing the path to the actual source and provide a timely response on the occurrence of an attack.
A pro-active scheme can be divided into two categories depending on whether the trace information is sent as a separate trace packet, referred to as out-of-band, or within the data packet header, known as in-band information. The out-of-band schemes like iTrace [7], Intension-driven ICMP [26] and iCaddie [27] are all network based schemes where the path information is collected in a separate trace packet. While an out-of-band scheme incurs additional bandwidth overhead due to the deluge of packets sent in the network, an in-band scheme suffers from a severe space constraint, as the trace payload is carried within the packet.
The in-band schemes can again be classified into network or host based schemes. In a proactive host based scheme, the path information is encoded within the packet by the routers through which the packet passes, and the victim conducts hop-by-hop traceback. The Algebraic approach [10] is one such host based scheme. In a proactive network based approach, the router is actively involved in conducting traceback, either by logging packets as in SPIE [13] or by proactively marking a few or all of the packets that traverse the network. PPM, DPM, AAM, Adjusted PPM, SNITCH, Huffman code, DDoS SCOUNTER, Randomize and link, and Fast Internet Traceback are all marking schemes in which a router inscribes its initials on the packets flowing through the network.
4. Analysis of Traceback Schemes Based on Evaluation Metrics
This section gives a brief overview of various schemes under
different classes. For each class, we have given a comparison
of underlying features of various traceback approaches.
4.1 Reactive schemes
4.1.1 Non-IDS assisted Reactive Schemes
These schemes are capable of carrying out a traceback
without the use of an Intrusion Detecting System (IDS).
a. Controlled Flooding
In the traceback proposed by Hal Burch et al. [8], traceback is conducted by a network administrator by judiciously applying a burst of traffic systematically to each link, from the victim to its upstream segment. The manual induction of load is essential for reducing the chances of error. A conclusion on the attack path is drawn based upon the disturbance created in the attack stream. If the attack packets are dropped, this segment lies along the attack path and its upstream paths are again probed, working backward hop by hop. This sword-like defense works successfully by inducing another DoS in the reverse path but should be used prudently.
b. Input Debugging
It works by using the signature of the attack packets as a distinguishing factor to trace their path backward from the victim to the source [19] [17] [11] [16]. It is a feature available on many routers that helps in determining the incoming link along which an attack packet must have traversed, given its signature. This is repeated hop by hop at every upstream router in the network till the source or another ISP is reached. In the latter case, the subsequent ISP is requested to carry out the task, which necessitates considerable inter-ISP cooperation that might be quite demanding due to political and societal reasons.
Table 1 compares these two approaches based on some important performance metrics. The metrics under consideration are: the number of packets generated during traceback, how much cooperation between ISPs is essential, whether prior knowledge about the network topology is needed to conduct traceback, whether the scheme can be deployed slowly in the network (known as incremental deployment), the capability to trace transformed packets, the number of false positive alarms reported, and misuse of the technique by an attacker.
Table 1: Non-IDS Reactive approaches
Evaluation Metric | Controlled Flooding | Input Debugging
# of packets generated for traceback | Large | Large
ISP cooperation | High degree needed at upstream routers | High
Map of network needed | Yes | No
Support incremental deployment | Yes | Yes
Duration of attack for traceback | Should be long | Should be long
Handling packet transformation | Good | Good
Misuse by attacker | Yes, when the attacker is aware of the technique he can thwart it | Yes, attacker alerted by queries
DDoS handling | No, performs poorly | No
Operation of traceback | Done manually by an administrator | Manually by operator at each ISP
False positives | Large numbers generated during attack reconstruction | Large
Limitations of Non-IDS assisted Reactive Traceback scheme
- In both the schemes, the traceback needs to be conducted manually by the administrator.
- The attack must be in progress for a long interval of time before a traceback can be performed.
Open Research Issues in Non-IDS assisted Reactive Traceback scheme
- A non-IDS scheme necessitates the supervision of a network administrator to conduct the traceback. This supervision should incorporate a certain amount of automation, especially in examining the traffic logs to determine the attack-prone areas.
- As the community of attackers grows and as the internet expands, the need to mitigate DDoS is on the rise. So the traceback schemes should be more adaptable to DDoS attacks.
4.1.2 IDS Assisted Reactive Schemes
These schemes work with the assistance of IDS which alerts
the system based on certain anomaly detection techniques
[28]. As a result, the system responds by conducting a
traceback with the help of host/network based schemes.
4.1.2.1. IDS assisted Reactive Network Based
Approaches
The first three schemes employ specialized routing protocols
for conducting tracing and the other two approaches use
normal routing.
a. CenterTrack
The scheme proposed by R. Stone et al. [11] is a centralized scheme in which a specialized trace router (TR) monitors all the traffic in the network. In this scheme, all the traffic from every edge router is rerouted through a generic route encapsulation (GRE) tunnel terminating at the TR. Thus all the traffic from the ingress to the egress router has to pass through the TR. This star-like topology formed by the TR and the edge routers is an overlay network. When an attack is detected, the traffic under consideration is routed from the edge router through the TR. The TR uses a signature based intrusion detection scheme to identify the source, which would be at most 2 or 3 hops away from it. It is capable of tracking flows of spurious traffic as in DoS.
b. IPSec Traceback
IP traceback using IPSec tunnels is a part of the framework
called DecIdUous (Decentralized source identification for
network based intrusion) [5]. The analysis is carried out by
establishing IPSec tunnels between an arbitrary router and
the victim. If the attack packets get authenticated by the
security association (SA), the attack originates at a point
further behind this router. Else the attacker lies in the path
between this router and the victim. Thus iteratively SA
tunnels are established between the intermediate router and
the victim. Here, the ISP involvement is essential as
knowledge of the topology is required for examining each
router. The system provides highest level of security, even in
the event of a router being compromised.
c. IDIP (Intrusion Detection and Identification Protocol)
The protocol CITRA [25] has been developed to
collaboratively exchange intrusion information like attack
signatures and provide real time tracking across several
network boundaries. Local IDS agents located within the
network perform neighborhood watch and send its local
reports to a boundary controller as an IDIP message.
Boundary controllers are located at strategic points in the
network to exchange intrusion reports and audits and provide
alert in advance to enforce filtering rules. On attack
detection, the IDIP node decides upon the counter measure to
stop the proliferation of the attack. It sends the attack description and its action to its next hop neighbor node, which looks for similar malicious activity in its neighborhood and iteratively repeats the same hop by hop. This way the complete attack path is detected. The spread of the attack is also stopped simultaneously by implementing filter rules at other parts of the network. The main benefit of this scheme is the minimal dependency on the system infrastructure.
d. SWT (Sleepy Watermark Tracing)
It is so called because the system wakes up only when an intrusion is detected and incurs some overhead only when active. Tracing is conducted by injecting a watermark (a piece of information uniquely identifying a connection) backward in the connection chain from the victim [24]. All hosts in the network are connected directly or indirectly to their nearest Guardian gateway that is SWT capable, and such protected hosts are called SWT guarded hosts. A guarded host consists of a Watermarking component, an Active Tracing (AT) unit and a Sleepy Intrusion Response (SIR) unit that work together to conduct traceback. On detecting an attack, the IDS initiates SWT tracing by triggering the watermarking component. The SIR unit performs the duty of keeping a log of tracing information, and the AT unit collaboratively works with other entities in the network to trace packets. The SWT host further contacts all its SWT guardian gateways, and the Watermark correlation unit in the gateways identifies the next gateway to be contacted based on the traffic correlation. This continues iteratively at the next gateway, and trace information is reported back to the originator. If the correlation were done without a watermark, we would have to compare m incoming and n outgoing connections at each guardian gateway, a total of m x n possible matches to be scanned. But with a watermark, the job is simplified to a mere lookup for the matching watermark in the connections. SWT has excellent tracking capabilities and can track the attacker precisely.
e. D-WARD
It is a distributed defense against DDoS attacks. The D-WARD program, running on strategically located routers, continuously monitors flows between a set of policed nodes and the internet [4]. It detects attacks based on traffic flow measurements that are compared against normal flow models, and regulates transgressing flows by throttling their rate. It is deployed at the ISP level near the source end. Flow statistics that are monitored over a certain observation period are dumped into a flow hash table in the router and compared against a flow model (TCP/UDP/ICMP). It is a kind of dynamically controlled ingress filtering that polices flows instead of packets.
Table 2 provides a comparison between these schemes, using important performance metrics like the overhead involved in implementing the scheme, the required ISP cooperation, scalability to large networks, the type of control in exercising the method, the security of communication in the routing of trace messages, the ability of each method to track till the true origin, the visibility of the traceback scheme to the attackers, and how much the attackers can misuse the scheme.
Table 2: IDS Assisted Reactive Network Based Approaches
Evaluation Metric | CenterTrack | IPSec | IDIP | SWT | DWARD
ISP Cooperation | High at trace routers | Less within a single ISP; to trace beyond the ISP, high cooperation needed | High at boundary controllers | High at guardian gateways | High
Overhead | High, admin task of encapsulating packets at TR | High routing overhead due to use of IPSec | Minimal dependency on n/w infrastructure | Inactive state: none; active state: high | High, as each router needs to maintain connection and routing hash tables
DDoS Handling | Not so good | Yes, very good | Yes | Yes | Yes, very good
Incremental Deployment | No | No | Yes | Yes | Yes
Scalability | Poor | Less | High | High | Less
Type of control | Partially centralized | Decentralized | Centralized, discovery controller gathers info | Autonomous | Distributed & decentralized
Security in communication | Less, tunnels between TR and edge router need to be authenticated | Highly safe | High, IDIP Auth header provides integrity mechanism | High, watermarks are authenticated | Not needed because of autonomous operation
Can security of the router be compromised | Edge router: no; others: yes | Yes, can create IPSec tunnels if compromised | Yes, boundary controllers can be compromised | Yes, guardian gateways can be compromised | Yes, compromised routers would apply their own rate limit
Misuse by attacker | Yes, by overloading TR | No | No | No | Yes, attacker can disguise attack traffic
Tracking till | Ingress edge router | True source | Stepping stone | Farthest trustworthy gateway | Deployed at source end of network to stop attacks from network
Visibility to attackers | High because of specialized routing | Not visible because of SA | Less | High because watermarks are difficult to hide | Less
Limitations of IDS assisted Reactive Network based approaches
- All these schemes require a significant amount of cooperation between ISPs in performing the traceback.
- CenterTrack is unsuitable for DDoS attacks due to the overhead of encapsulating packets at several edge routers, and scales poorly.
- CenterTrack is also not capable of identifying attacks originating from within the backbone network.
- IPSec is not scalable because of the authentication schemes involved, which use digital certificates or shared secrets.
- IPSec incurs considerable processing overhead as the SA tunnels are iteratively built to investigate links.
- D-WARD necessitates the implementation of filter rules across several network boundaries. It is difficult to deploy across multiple domains.
- SWT necessitates modification of the network application at the host to implement the watermark functionality, which might incur some cost overhead.
Open Research Issues in IDS assisted Reactive Network based approaches
The main security threat that looms over these kinds of approaches is the robustness of router security. The reliability of the traceback scheme extends only as far as a router is secure against an attacker. A traceback scheme should also be able to handle the case of a compromised router: it should identify and adaptively quarantine such a compromised router.
4.1.2.2 IDS assisted Reactive Host Based Approaches
The traceback is initiated by the victim node when it receives an alarm from the IDS about the occurrence of an attack.
a. Black Hole Back Scatter of UUNET ISP
When an attack is detected by the IDS, all packets flowing towards the victim are rejected, as a result of which ICMP destination unreachable messages are generated [23]. These error messages may not be routed correctly to their destination, because the source address in most attack packets would be spoofed. Hence, they reach only till the border routers. Once a DoS attack is detected, the routing is dynamically changed such that all the attack packets with invalid source IP addresses, including the error messages, are redirected to a sink called the black hole server, preconfigured in the network. These messages (backscatter) are inspected to determine their origin, which would be the same interface from where the attack packets would have arrived. After identifying the ingress points, the filter on the victim is removed and the upstream ISPs are requested to carry out the traceback.
b. Hop-by-Hop data link identification
In the hop-by-hop tracing proposed by Tatsuya Baba et al. [19], a datalink identifier like the MAC address is used to trace a packet, as opposed to the conventional use of the source address. Routing is done such that a packet's datalink identifier is stamped with the router's interface identifier when the packet traverses the router. The router also maintains some critical information about forwarded packets and their datalink identifiers in its buffer. This table is consulted during traceback by comparing the attack packet to the table entries of datalink identifiers. The scheme is implemented as a distributed protocol, with an autonomous management network (AMN) in every area that aggregates all trace information. An IDS detects an attack and triggers a trace process within the AMN for a given attack feature. Tracing proceeds until the true source is detected or another AMN is reached, from where it is continued hop by hop. In this approach, an attacker cannot forge the datalink identifier, unlike the source address, and hence the scheme is secure.
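The following is an added toy model of the hop-by-hop data-link-identifier trace just described; it is not code from the paper or from Baba et al. Routers keep a bounded buffer of (packet feature, incoming interface) entries and re-stamp the datalink identifier with their own interface id, and the victim's AMN walks upstream one router at a time. The topology, interface names, packet layout and the attack-feature fingerprint are all constructed assumptions for this illustration.

```python
import hashlib
from collections import deque


def fingerprint(packet):
    """Attack feature used to match a packet at each router.
    The (possibly spoofed) source address and the datalink id are excluded
    on purpose: the first cannot be trusted and the second changes per hop."""
    key = f"{packet['dst']}|{packet['proto']}|{packet['payload']}"
    return hashlib.sha256(key.encode()).hexdigest()


class Router:
    """A router that records forwarded packets against the incoming interface."""

    def __init__(self, name, links, buffer_size=1000):
        self.name = name
        # interface id -> upstream neighbour reachable over that interface;
        # this mapping belongs to the router, so an attacker cannot forge it
        self.links = links
        self.seen = deque(maxlen=buffer_size)  # (fingerprint, in_iface)

    def forward(self, packet, in_iface):
        """Record the packet, then overwrite its datalink identifier with
        this router's own interface id before passing it on."""
        self.seen.append((fingerprint(packet), in_iface))
        return dict(packet, dl_id=f"{self.name}:{in_iface}")

    def lookup(self, packet):
        """Interface the packet arrived on, or None if no record survives."""
        fp = fingerprint(packet)
        for seen_fp, iface in self.seen:
            if seen_fp == fp:
                return iface
        return None


def traceback(routers, first_hop, packet, max_hops=32):
    """Hop-by-hop query starting at the victim's first upstream router.
    Returns (routers on the path, victim side first; the node the last
    router received the packet from, or None if the trail ran out)."""
    path, current = [], first_hop
    for _ in range(max_hops):
        router = routers[current]
        iface = router.lookup(packet)
        if iface is None:
            return path, None  # record expired, or router not on the path
        path.append(router.name)
        upstream = router.links[iface]
        if upstream not in routers:
            return path, upstream  # a host, or the edge of this AMN's area
        current = upstream
    return path, None


def demo():
    # constructed topology: host A -> R1 -> R2 -> R3 -> victim
    routers = {
        "R1": Router("R1", {"eth0": "A", "eth1": "B"}),
        "R2": Router("R2", {"eth0": "R1"}),
        "R3": Router("R3", {"eth0": "R2"}),
    }
    # the attack packet carries a spoofed source but is injected on R1's eth0
    pkt = {"src": "10.0.0.99", "dst": "victim", "proto": "tcp", "payload": "SYN"}
    pkt = routers["R1"].forward(pkt, "eth0")
    pkt = routers["R2"].forward(pkt, "eth0")
    pkt = routers["R3"].forward(pkt, "eth0")
    # the source IP is never consulted; only the per-router interface records are
    return traceback(routers, "R3", pkt)


if __name__ == "__main__":
    print(demo())  # (['R3', 'R2', 'R1'], 'A')
```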
Table 3 shows a comparison of the two reactive host based approaches. The metrics forming the basis for comparison are: the extent of ISP cooperation needed, whether incremental deployment is allowed, whether the scheme supports traceback of a single IP packet, the overhead incurred in routing through the network, the minimum time for which the attack should be in progress for successful traceback, and the scalability of the scheme to large networks.
Table 3: IDS Assisted Reactive Host Based Approaches
Evaluation Metric | Black Hole Back Scatter | Hop-by-Hop data link identification
ISP cooperation | High, as each ISP needs to configure its router to reject all packets destined to the victim | High across ISPs but fair within a single ISP
Incremental Deployment | Yes | Yes
DDoS Attack Handling | No, just DoS | Less suitable
Duration of attack for traceback | Considerable amount of time | Should last for some time
Type of control | Centralized | Distributed
Single Packet Tracing | No | Yes
Handle Packet Transformation | No, difficult to trace through firewall | No
Modification to trace packet | None, ICMP packet generated | Forwarding node changes data link identifier to match its interface identifier
Scalability | High | High
Overhead | Routing overhead in rerouting to black hole server | High resource overhead along attack path
Tracking till | Boundary of any domain administration | Attack source, which can be a stepping stone
Limitations of IDS assisted Reactive Host Based scheme
- In both the approaches, the attack should be in progress for a considerable amount of time for a successful traceback to be conducted.
- The BlackHole back scatter approach is not suitable for DDoS, as multiple entry points are present.
Open Research issues in IDS assisted Reactive Host Based scheme
Many DDoS attacks are cleverly designed to be very effective in bringing the system down in a short duration of time. The IDS used in these systems should be efficient in raising an early alert, so that the victim node can quickly initiate a multihop query for traceback at the upstream routers.
4.2 Proactive schemes
A proactive approach monitors the records and logs of the current traffic packets as they flow through the network. In subsequent sections we discuss in-band and out-of-band techniques, which differ depending on whether the trace information is embedded in the packet or is emitted separately.
4.2.1 Proactive approaches with out-of-band technique
In out-of-band proactive schemes, tracing is conducted with the help of a separate trace packet generated at the routers as the packet traverses through them on its way to its destination.
a. iTrace
In the scheme proposed by Bellovin et al. [7], each router that a packet traverses probabilistically generates a separate trace packet, an ICMP (Internet Control Message Protocol) traceback message. To keep the overhead and the number of ICMP packets under control, a router generates a trace message for only one in 20,000 packets that pass through it. As most DoS attacks are flooding attacks, this sampling probability is sufficient to ensure that the victim receives a considerable number of trace messages. Apart from (part of) the content of the chosen data packet, the ICMP message carries information about the generating router and its adjacent links: the generating router's identity, a timestamp, the back and forward link elements along which the packet arrived and departed, the MAC address pair of the link traversed, a link identifier that associates all ICMP messages originating from a given neighbourhood, and authentication data such as an HMAC [29]. Each message therefore describes one hop of the path. The destination gleans path information from the messages emitted by the chain of routers along a given path, links them together through their link elements, and can thereby infer the true source.
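The sampling and chaining described above, as an added simulation that is not part of the iTrace draft or of this paper: the path, the flood size and the message fields are constructed, the message carries only the fields needed to link hops (router identity, back link, forward link and the sampled packet number), and the HMAC authentication of the message is omitted. Instead of testing each of the million packets individually, the simulation draws the gap to each router's next sampled packet from the geometric distribution with parameter 1/20,000, which yields the same sample stream as a per-packet coin flip.

```python
"""iTrace (ICMP traceback) sampling and path chaining.

Added simulation, not the iTrace draft's code.  The path, flood size and
message fields are constructed for illustration."""
import math
import random

SAMPLE_PROB = 1 / 20000   # one ICMP traceback message per 20,000 packets
VICTIM = "192.0.2.10"
ATTACKER = "203.0.113.7"
# Constructed attack path: attacker -> R1 -> ... -> R8 -> victim.
PATH = ["10.0.%d.1" % i for i in range(1, 9)]


def sampled_packets(n_packets, p, rng):
    """Indices of the packets a router samples.  Equivalent to a Bernoulli
    trial per packet, but drawn as geometric gaps so a 10^6-packet flood
    costs only about n_packets*p random draws."""
    idx = -1
    while True:
        idx += int(math.log(1.0 - rng.random()) / math.log(1.0 - p)) + 1
        if idx >= n_packets:
            return
        yield idx


def emit_itrace(path, n_packets, p, seed=7):
    """Messages the victim receives during a flood of n_packets packets.
    Each router reports itself plus the link elements on either side."""
    rng = random.Random(seed)
    hops = [ATTACKER] + list(path) + [VICTIM]
    messages = []
    for i, router in enumerate(path, start=1):
        for pkt in sampled_packets(n_packets, p, rng):
            messages.append({"router": router, "back_link": hops[i - 1],
                             "forward_link": hops[i + 1], "packet": pkt})
    return messages


def chain_path(messages, victim):
    """Link messages by their link elements: start from the router whose
    forward link is the victim and walk the back links upstream."""
    by_router = {}
    for m in messages:
        by_router.setdefault(m["router"], m)   # one message per router suffices
    last_hop = [m for m in by_router.values() if m["forward_link"] == victim]
    if not last_hop:
        return []
    path, current = [], last_hop[0]
    while current is not None:
        path.append(current["router"])
        current = by_router.get(current["back_link"])  # None once we reach the attacker
    path.reverse()
    return path


def messages_per_router(messages):
    """How many trace messages each router contributed (about n_packets*p)."""
    counts = {}
    for m in messages:
        counts[m["router"]] = counts.get(m["router"], 0) + 1
    return counts


if __name__ == "__main__":
    msgs = emit_itrace(PATH, 1_000_000, SAMPLE_PROB, seed=7)
    print("messages per router:", messages_per_router(msgs))
    print("reconstructed path :", chain_path(msgs, VICTIM))
```

With a million-packet flood each router contributes roughly fifty messages, which is why the 1/20,000 rate is adequate for flooding attacks but not for short or low-rate ones; a router far from the victim that is not on the attack path contributes nothing, and a missing message from any one router breaks the chain at that hop.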
b. Intention-driven iTrace
As the name implies, a receiver that intends to receive iTrace packets expresses its interest to the upstream routers in the network [26]. The usefulness of a trace packet is determined by the type of the packet (high if it is an attack packet) and by the interest of the destination node in receiving it (the intention bit). The scheme divides the traceback task by functionality into two modules, a decision module and an iTrace generation module. Once an upstream router receives a trace request, the decision module decides for which type of packets iTrace messages are to be generated and sets a bit in the corresponding packet forwarding table entry. The iTrace module then generates an iTrace message for the next packet matching that entry. The benefit of this scheme is that it deduces the attack path more quickly, because the intention bit directs the trace messages to where they are wanted. The authors report that the number of useful iTrace packets generated increases by about 90%, so traceback completes much faster.
c. iCaddie ICMP
Wang et al. [27] propose, as an interim solution, a way of deciding after how many packets a trace message should be generated. Each router is equipped with a timer that records how long it has been since it last emitted a traceback message. If this exceeds a threshold, the router randomly chooses a "ball" packet and prepares for it an iCaddie packet, which collects path information from all routers from this point to the destination. As the iCaddie packet passes through a router, the router's IP address is appended to its router list (RL) along with the incoming interface and next-hop information. Finally, the router authenticates the iCaddie message with a cryptographic primitive (HMAC) [29]. The victim can easily reconstruct the attack path simply by reading the markings inside a Caddie message. The benefit of this approach is that it handles packet transformations well, since the content of the Caddie packet can be changed whenever the ball packet undergoes a transformation. The number of trace packets produced is small; it is independent of the attack path length and depends solely on the number of attack sources. The scheme also produces fewer false positives, as the chance of two packets with the same digest being forwarded within a short interval is much smaller.
Table 4 compares the out-of-band proactive schemes. The metrics considered are: the extent of ISP cooperation needed, support for incremental deployment, the number of packets generated as a result of traceback, the time required to conduct traceback, the number of false positives, whether an attacker can manipulate and misuse the scheme, how well DDoS attacks are handled, and finally how the three schemes use the ICMP fields to generate the trace packet.
Table 4: Proactive Approaches with Out-of-Band Technique

Evaluation metric | iTrace | Intention-driven iTrace | iCaddie ICMP
ISP cooperation | No, not required | No | Yes*
Incremental deployment | Yes | Yes | No*
Number of packets generated | Large, as extra packets are generated | Less, as useless iTrace messages are reduced | Less; depends only on the number of attack sources
Time required for traceback | Considerable; suffers from combinatorial explosion during attack path reconstruction | Quick, soon after the attack starts | Quick, by reading the Caddie paths inscribed in the Caddie message
Number of false positives | Large | Few; locates the attacker very precisely | Very few
Misuse by attacker | Yes, an attacker can inject false ICMP messages to hide the true origin | No, the intention information obtained from BGP cannot be modified | No, Caddie packets are authenticated by cryptographic functions
DDoS attack handling | Poor, as few ICMP messages arrive from distant routers | Good | Good
Content of ICMP message | Type, checksum and message body | Identity of the generating router (iTr.rtr-ID), destination address of the packet (iTr.dst-ID), packet picked (iTr.pkt) | Caddie ID computed from the invariant portions of the IP header of the chosen ball packet
Scalability | High | High | High
* For iCaddie the extracted table gives one "Yes" and one "No" for the ISP cooperation and incremental deployment rows; which value belongs to which row is not recoverable from the extracted text.
Limitations of proactive approaches with out-of-band technique
 iTrace is incapable of handling DDoS attacks that span a large area of the network; it is crippled because useful trace packets may not be obtained from far-off nodes.
 These out-of-band schemes require additional network bandwidth to deliver the trace information.
Open research issues in proactive approaches with out-of-band technique
It is very important to keep a tab on the number of trace packets generated, because of bandwidth constraints. An attacker must not be able to generate spurious trace packets and flood the network, so the generation of trace messages should be authenticated by the router. A symmetric message authentication code such as HMAC [29] is much faster than a public-key signature but needs an efficient way to distribute keys; a good key distribution scheme is required to establish the shared keys among the routers and the victims that verify the markings.
4.2.2 Proactive approaches with in-band technique
In in-band approaches, routers proactively mark the packets that pass through them, either probabilistically or deterministically, so that the trace information for a packet is inscribed in the packet itself. The victim uses this information for attack path reconstruction. We shall also look into the structure of the marking fields of each scheme, which gives a better insight into how each scheme inscribes the router's marking and how the various bits and flags are organized. Predominantly, the Identification field of the IP header is used for marking. It was originally included in the IP header to support reassembly of fragmented packets; as less than 0.25% of Internet traffic is fragmented, it remains mostly unused and can therefore be used for traceback [30].
4.2.2.1 Proactive network based approaches with in-band technique
The routers in the network proactively mark the packets that pass through them. PPM, DPM, AAM, Adjusted PPM, FIT, DDoS SCOUNTER and Randomize and link all belong to the family of marking schemes; SPIE is a logging scheme; the Huffman-code scheme combines marking with router-side logging, and SNITCH is a marking scheme that exploits header compression.
a. PPM (Probabilistic Packet Marking)
One of the pioneering works in the series of marking schemes was proposed by Savage et al. [9]. It uses the 16-bit Identification field of the IP header to store the router markings shown in Figure 4.
Algorithm for PPM
A simplified version of the edge sampling algorithm is described below:
Each router probabilistically marks a packet that passes through it with its IP address.
If a router chooses to mark the packet,
 It writes its IP address in the Start field and sets the Distance field to 0.
Else, if the router does not choose to mark the packet,
 It checks whether the packet was marked by the immediately upstream router (Distance field equal to 0),
o If yes, it writes its IP address in the End field and increments the Distance field.
o If no, it just increments the Distance field.
The victim node reconstructs the attack graph back to the source from the edges sampled in the packets. The Distance field indicates the number of hops traversed since the marking was inscribed. The victim therefore pairs the received edges in increasing order of distance: starting from the edge with distance 0 (whose Start field is the last-hop router), it looks for the edge at distance 1 whose End field matches that Start field, and so on, pairing edges with consecutive distance values at each hop. The number of packets required for reconstruction depends on the marking probability (ideally p <= 1/d, so that the mark of a distant router is not overwritten before it reaches the victim) and on the attack path length. PPM, though a novel approach, is handicapped by the lack of authentication of the router markings: a compromised router, or the attacker itself, can forge incorrect markings in the packet.
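The edge sampling and reconstruction described above, as an added example that is not code from Savage et al. or from this paper: the attack path, addresses and packet counts are constructed, the marking probability p = 1/25 is the value Savage et al. discuss, and the simulation also shows the consequence of the missing authentication, since a sender who pre-fills the marking fields makes a fictitious router appear upstream of the true first hop.

```python
"""Probabilistic packet marking (edge sampling) simulation.

Added illustration, not the paper's code.  The attack path, addresses,
packet counts and the spoofed address are constructed for this example."""
import math
import random
from collections import defaultdict

# Constructed attack path: attacker -> R1 -> R2 -> ... -> R8 -> victim.
PATH = ["10.0.%d.1" % i for i in range(1, 9)]
MARK_PROB = 1 / 25  # the value Savage et al. discuss


def mark_packet(path, p, rng, initial_mark=None):
    """Push one packet through every router on `path`.

    The packet's marking state is (start, end, distance).  A router that
    decides to mark overwrites the state; a router that does not mark
    completes the edge if the immediately upstream router marked it
    (distance 0) and then counts itself as one more hop.  `initial_mark`
    lets a sender pre-fill the fields, which PPM cannot detect."""
    start, end, dist = initial_mark or (None, None, 0)
    for router in path:
        if rng.random() < p:
            start, end, dist = router, None, 0
        elif start is not None:
            if dist == 0:
                end = router
            dist += 1
    return None if start is None else (start, end, dist)


def collect_edges(path, p, n_packets, seed=1, initial_mark=None):
    """Return the set of distinct (start, end, distance) samples received."""
    rng = random.Random(seed)
    edges = set()
    for _ in range(n_packets):
        sample = mark_packet(path, p, rng, initial_mark)
        if sample is not None:
            edges.add(sample)
    return edges


def reconstruct(edges):
    """Chain edge samples by increasing distance, attacker side first.

    The distance-0 sample names the last-hop router (its End field is
    empty because the victim, not a router, comes next).  The sample at
    distance d+1 whose End field equals the Start field at distance d is
    the next hop upstream."""
    if not edges:
        return []
    by_dist = defaultdict(list)
    for start, end, dist in edges:
        by_dist[dist].append((start, end))
    path, current = [], None
    for dist in range(max(by_dist) + 1):
        candidates = [s for s, e in by_dist.get(dist, []) if e == current]
        if not candidates:
            break  # not enough samples yet, or the chain is broken
        current = candidates[0]  # a single attack path has one candidate
        path.append(current)
    path.reverse()
    return path


def expected_packets_bound(path_len, p):
    """Savage et al.'s bound on the expected number of packets the victim
    needs to see every edge at least once: ln(d) / (p (1-p)^(d-1))."""
    return math.log(path_len) / (p * (1 - p) ** (path_len - 1))


if __name__ == "__main__":
    print("honest packets :", reconstruct(collect_edges(PATH, MARK_PROB, 3000, seed=1)))
    # The sender pre-marks every packet with a fictitious router at distance 0:
    # R1 "completes" that edge, so the victim sees a router upstream of R1.
    spoofed = ("203.0.113.99", None, 0)
    print("spoofed packets:", reconstruct(collect_edges(PATH, MARK_PROB, 3000, seed=2,
                                                         initial_mark=spoofed)))
    print("expected packets bound:", round(expected_packets_bound(len(PATH), MARK_PROB)))
```

The bound evaluates to about 69 packets for an eight-hop path at p = 1/25, yet the first router's mark survives in only about 2.8% of packets, which is the distance bias the adjusted schemes below set out to remove; the spoofed run reconstructs nine hops from eight routers, and nothing in the marking lets the victim tell the fictitious edge from a genuine one.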
Start field (32 bits) | End field (32 bits) | Distance field (8 bits)
Start field: IP address of the marking router
End field: IP address of the next (non-marking) router
Distance field: distance in hops from the marking router
Figure 4: Structure of the PPM marking field
b. DPM (Deterministic Packet Marking)
As the name suggests, the (ingress) router deterministically marks every packet passing through it with its IP address [31]. The form of the router marking inscribed in the 16-bit Identification field of the IP header is shown in Figure 5.
Algorithm for DPM
The 32-bit IP address is split into two 16-bit halves, and one randomly chosen half is inscribed in the Identification field of the IP header of each passing packet. The 1-bit Reserved flag indicates which half is carried in the ID field, 0 for the first half and 1 for the second. The victim reassembles the address easily once it has received attack packets carrying both halves from the same router.
In the compressed edge fragment sampling algorithm of PPM, the number of packets needed to infer the attack path grows with the path length, and the reconstruction phase faces a combinatorial explosion in grouping the fragments of the encoded edges. DPM avoids this: it is scalable and can tackle large-scale DDoS attacks. DPM requires only the ingress edge routers to mark, since not all routers may be capable of marking.
Reserved flag field (1 bit) | ID field (16 bits)
Reserved flag field: indicates which half of the IP address is present: 0 (first half), 1 (second half)
ID field: contains one half of the IP address of the ingress marking router
Figure 5: Structure of the DPM marking field
c. AAM (Advanced and Authenticated Packet Marking)
This is an enhancement of the PPM scheme proposed by Song et al. [6]. AAM was designed to avoid the spurious markings that PPM admits when a router is compromised. We look into the two schemes presented in the paper, the advanced marking scheme and the authenticated marking scheme.
Algorithm for Advanced Marking Scheme
As in PPM, each router marks packets probabilistically.
If a router chooses to mark,
 Instead of its address it inscribes the hash of its IP address in the 11-bit Edge field and sets the 5-bit Distance field to zero (both fields live in the 16-bit Identification field of the IP header).
Else, a non-marking router checks whether the packet has already been marked by an upstream router:
 If yes, it overwrites the Edge field with the XOR of the hash of its own IP address and the old content, and increments the Distance field.
 If no, it just increments the Distance field.
Algorithm for Advanced and Authenticated Marking Scheme
The authenticated marking scheme assumes that each router i shares a secret key Ki with the victim and uses a message authentication code such as HMAC [29] to authenticate the router's markings: each router applies the HMAC function (rather than a plain hash function) to its IP address, so that the validity of a marking can be verified by the victim. AAM thus provides strong authentication of router markings and prevents a compromised router from generating spoofed markings that the victim would accept.
AAM overcomes the main disadvantage of PPM in reconstructing the attack path by using knowledge of the upstream routers: a map of the upstream network serves as a road map during reassembly. After the edge fragments at each hop have been assembled, they are grouped by the Distance field and AAM matches their hashes against the hashes of the routers in the upstream map to build the attack path.
Distance field (5 bits) | Edge field (11 bits)
Distance field: distance in hops from the marking router
Edge field: contains the hash of the IP address of the marking router XOR-ed with the hash of the IP address of the downstream router
Figure 6: Structure of the AAM marking field
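The authenticated marking and the map-guided reconstruction just described, as an added example that is not code from Song et al. or from this paper: the routers, their keys, the upstream map and the marking decisions are all constructed; the victim is assumed to hold each router's key Ki directly (the shared-key assumption stated above; how the keys are distributed is outside the example); and the downstream XOR is applied only by the router immediately after the marking router (Distance field 0), as in PPM edge sampling. Replacing the HMAC by a plain hash of the address gives the unauthenticated advanced marking scheme.

```python
"""Advanced and authenticated marking (AAM) simulation: HMAC-based edge
marks in an 11-bit Edge / 5-bit Distance layout, verified by the victim
against an upstream router map.  Added illustration, not the paper's code;
routers, keys, the map and the marking decisions are all constructed."""
import hashlib
import hmac

EDGE_BITS, DIST_BITS = 11, 5
EDGE_MASK, DIST_MAX = (1 << EDGE_BITS) - 1, (1 << DIST_BITS) - 1

# Constructed attack path attacker -> R1 -> ... -> R5 -> victim, and the
# victim's map of upstream neighbours (R3 also has an off-path neighbour).
PATH = ["10.0.1.1", "10.0.2.1", "10.0.3.1", "10.0.4.1", "10.0.5.1"]
UPSTREAM = {
    "10.0.5.1": ["10.0.4.1"],
    "10.0.4.1": ["10.0.3.1"],
    "10.0.3.1": ["10.0.2.1", "10.0.9.1"],
    "10.0.2.1": ["10.0.1.1"],
    "10.0.1.1": [],
    "10.0.9.1": [],
}
# Per-router secret Ki shared with the victim (constructed; key
# distribution is out of scope for this example).
KEYS = {r: hashlib.sha256(b"demo-key-" + r.encode()).digest()
        for r in list(PATH) + ["10.0.9.1"]}


def edge_mac(router):
    """11-bit authenticated hash of a router's address: HMAC-SHA256 keyed
    with the router's secret, truncated to the Edge field width."""
    tag = hmac.new(KEYS[router], router.encode(), hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "big") & EDGE_MASK


def mark_packet(path, marking_router):
    """Run one packet through `path` with exactly one router marking it.
    Returns the (edge, distance) pair carried in the Identification field."""
    edge, dist, marked = 0, 0, False
    for router in path:
        if router == marking_router:
            edge, dist, marked = edge_mac(router), 0, True
        elif marked:
            if dist == 0:               # immediately downstream: close the edge
                edge ^= edge_mac(router)
            dist = min(dist + 1, DIST_MAX)
    return edge, dist


def collect_marks(path):
    """Marks the victim holds once every router on the path has marked once."""
    return {mark_packet(path, r) for r in path}


def reconstruct(marks, last_hop, upstream):
    """Walk the upstream map from the last-hop router, accepting at each
    distance only a neighbour whose authenticated edge value was received."""
    by_dist = {}
    for edge, dist in marks:
        by_dist.setdefault(dist, set()).add(edge)
    if edge_mac(last_hop) not in by_dist.get(0, set()):
        return []                       # the last hop cannot be authenticated
    path, current, dist = [last_hop], last_hop, 1
    while dist in by_dist:
        nxt = next((u for u in upstream.get(current, [])
                    if edge_mac(u) ^ edge_mac(current) in by_dist[dist]), None)
        if nxt is None:
            break
        path.append(nxt)
        current, dist = nxt, dist + 1
    path.reverse()
    return path


def forge(marks):
    """An attacker without the keys can only guess at edge values; flipping
    one Edge bit in every received mark models such forged markings."""
    return {(edge ^ 1, dist) for edge, dist in marks}


if __name__ == "__main__":
    marks = collect_marks(PATH)
    print("genuine marks:", reconstruct(marks, PATH[-1], UPSTREAM))
    print("forged marks :", reconstruct(forge(marks), PATH[-1], UPSTREAM))
```

At the branch point 10.0.3.1 the map offers two upstream candidates and only the one whose keyed edge value was actually received is accepted; with an 11-bit field a forged value still matches a given candidate with probability 1/2048, which is why the scheme relies on many samples rather than on a single packet.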
d. Adjusted PPM (Adjusted Probabilistic Packet Marking)
As the name suggests, this scheme [32] marks packets with a probability that is adjusted according to the position of the router on the attack path. It overcomes the major shortcoming of the basic PPM scheme of Savage et al. [9], in which the marks of distant routers rarely survive to the victim because downstream routers overwrite them. It also resolves the issue of spurious marks by marking all packets as soon as they enter the network.
Algorithm for APPM
An IP Option field is used to record the number of hops traversed by the packet, and a packet is marked with a probability proportional to the inverse of this distance [32]. The adjusted marking probability can be tuned as a function of the number of hops traversed by the packet from the source, of the distance since the packet was last marked, or of the distance from the present router to the destination obtained from routing protocol information. Figure 7 shows how the probabilities are set for each distance measure. The scheme significantly reduces the reconstruction time compared with basic PPM by making sure that the markings of far-away routers reach the victim.
The trace information is recorded in the 16-bit Identification field of the IP header; the IP Option field records the distance d1, the number of hops traversed by the packet.
The probability of marking a packet is adjusted according to one of three distance measures:
Number of hops traversed by the packet from the source to the current router: p(d1) = 1/d1
Number of hops traversed since the packet was last marked: p(d2) = 1/(2(d2 + 1))
Number of hops from the current router to the destination: p(d3) = 1/(c + 1 - d3), where c is a constant chosen such that c + 1 - d3 > 0, safely taken as 30
Figure 7: The various probabilities used in the Adjusted PPM scheme
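Why marking with p(d1) = 1/d1 lets distant marks reach the victim, as an added calculation that is not part of the paper: the code below computes, for each router on a constructed path of n hops, the probability that its mark is the one the victim finally sees, for a constant PPM probability and for the d1 and d3 rules of Figure 7 (it goes slightly beyond the text in treating the d3 rule as well; the d2 rule depends on the packet's marking history and has no closed form of this kind, so it is left out). A router at d1 = k is selected with probability p(k), and its mark survives only if none of the n - k routers downstream marks afterwards; the path length, the constant c = 30 and the PPM probability 1/25 are the assumptions used.

```python
"""Mark-survival probabilities for basic PPM versus adjusted PPM.

Added calculation, not code from the paper.  The path length, the constant
c and the basic marking probability are constructed for illustration."""
import math
from functools import reduce

C = 30  # constant of the p(d3) rule in Figure 7 (assumption: c = 30)


def p_basic(p):
    """Basic PPM: the same probability at every router."""
    return lambda d1, n: p


def p_adjusted_d1(d1, n):
    """Figure 7, first rule: p(d1) = 1/d1, d1 = hops from the source."""
    return 1.0 / d1


def p_adjusted_d3(d1, n):
    """Figure 7, third rule: p(d3) = 1/(c+1-d3), d3 = hops to the destination.
    The router at d1 = k on an n-hop path is d3 = n - k + 1 hops away."""
    d3 = n - d1 + 1
    return 1.0 / (C + 1 - d3)


def survival_probabilities(n, prob):
    """For each router k = 1..n (k = 1 nearest the source) return the
    probability that the victim receives k's mark in a given packet:
    prob(k) * product over j > k of (1 - prob(j))."""
    result = []
    for k in range(1, n + 1):
        survive = reduce(lambda acc, j: acc * (1 - prob(j, n)),
                         range(k + 1, n + 1), 1.0)
        result.append(prob(k, n) * survive)
    return result


def packets_to_see_farthest(n, prob, confidence=0.99):
    """Packets needed before the most distant router's mark has been seen
    with the given confidence: smallest N with 1 - (1 - s)^N >= confidence,
    where s is that router's survival probability."""
    s = survival_probabilities(n, prob)[0]
    return math.ceil(math.log(1 - confidence) / math.log(1 - s))


if __name__ == "__main__":
    n = 10
    for name, rule in [("basic PPM, p = 1/25", p_basic(1 / 25)),
                       ("adjusted, p = 1/d1", p_adjusted_d1),
                       ("adjusted, p = 1/(c+1-d3)", p_adjusted_d3)]:
        probs = survival_probabilities(n, rule)
        print(f"{name:26s} farthest={probs[0]:.4f} nearest={probs[-1]:.4f} "
              f"packets(99%)={packets_to_see_farthest(n, rule)}")
```

The products telescope: with p(d1) = 1/d1 every router's mark survives with probability exactly 1/n, and with p(d3) = 1/(c+1-d3) with probability exactly 1/c, independent of the router's position, whereas under basic PPM the survival probability of the farthest router decays as p(1-p)^(n-1). The farthest mark is therefore the bottleneck for reconstruction time, and equalizing it is what shortens traceback.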
e. SNITCH (Simple, Novel IP Traceback using Compressed Header)
SNITCH [33] aims to increase the number of bits available for recording traceback data by using compression techniques as in an IP header compression scheme [34]. It evades the tight space constraint that prevents the other marking schemes from recording full path information within a packet. As a result, both the total number of packets required for traceback and the time needed are cut down drastically. Figure 8 shows the structure of the IP header marking made by a router implementing SNITCH. Marking at each router proceeds as in the PPM edge sampling algorithm; the only difference is the extra room available for marking. Initially a frame is sent with a full header and a context identifier. Subsequent frames are sent without the invariant fields, so that the room made available (144 bits) can be used for sending traceback data.
Algorithm for SNITCH
Each router marks the packet probabilistically.
If a router chooses to mark the packet,
 It stores its IP address in the Left field and sets the Distance field to 0.
Else, a non-marking router checks whether the packet is already marked:
 If yes, it writes its IP address in the Right field and increments the Distance field.
 If no, it increments the Distance field alone.
When the context changes, a new context identifier (CID) and a full header are sent. To differentiate SNITCH from plain IP header compression, the Identification field of the IP header is set to all 1s in SNITCH. The CID found in the full header is later used to decompress the packets carrying the matching CID.
SNITCH has negligible false positives when building attack paths for DDoS attacks. A DDoS attack has multiple overlapping attack paths owing to the multiple attack sources, which can cause ambiguities and make reconstruction more challenging; SNITCH resolves such ambiguities by encoding information about several edges into the packet, which helps to separate the attack sources. The system can, however, trace only as far as a stepping stone or zombie.
Left field (32 bits) | Right field (32 bits) | Distance field (8 bits) | CID
Left field: stores the IP address of the router that initiated the marking
Right field: stores the IP address of the non-marking router
Distance field: distance in hops from the marking router
CID: context identifier of the packet
Figure 8: Structure of the SNITCH marking
f. Marking Scheme using Huffman Code
This scheme [35] is an amalgamation of logging and marking. It marks every packet deterministically with the interface of the router through which the packet arrived. As the attack path grows, the space available in the packet becomes insufficient to record all the markings; the scheme gets around this overflow by storing the markings in the local memory of the intermediate routers, where they are indexed by the message digest of the packet.
Algorithm for Huffman Code
Huffman codes efficiently represent the link numbers of the router's interfaces. The Huffman code of the incoming link is appended to the 31-bit link sequence field (ls), which is accompanied by a 1-bit saved flag (sf) indicating whether the marking has been saved in the local router's memory. The marking format is shown in Figure 9. A 1 bit preceded by leading zeros serves as the delimiter that marks the start of the valid bits in ls, and the space still available for marking is determined by counting the leading zeros before the delimiter. The victim reconstructs the path by examining the ls field and decoding it with the help of the link table to find the next upstream router; ls is then shifted right by the length of the decoded codeword. If sf is 1, the marking has to be retrieved from the router using the message digest of the packet. The traceback is repeated iteratively at each router until ls becomes 1 and sf is 0.
The advantage of this scheme over the others is that it can handle any packet transformation efficiently: a pair of message digests of the packet, before and after the transformation, is stored in the router's local memory along with the marking fields. The system can trace either reactively or proactively, which is quite unique.
Saved flag (sf) (1 bit) | Link sequence field (ls) (31 bits)
Saved flag: indicates whether the marking has been saved in the local memory of a router on the path
Link sequence field: contains the appended list of Huffman codes of the links through which the packet passed since the marking router
Figure 9: Structure of the Huffman code marking
g. DDoS SCOUNTER (Defense against Distributed DoS)
This is an on-demand probabilistic multi-edge marking scheme proposed by Kai et al. [36], whose sole motivation is high tracking precision with few false positives. It is a comprehensive defence suite consisting of a detection unit, a traceback system and packet filtering. Marking is initiated at the request of the administrator in order to reduce overhead. Unlike the other schemes, it uses the Record Route option of the IP header, which is hardly used in today's Internet. The Record Route option was originally designed to trace the route of an IP datagram, and it has enough space to register several (up to 9) IP addresses during the journey of the packet. The scheme does not necessitate any change to the IP protocol. The data format of the Record Route IP option is shown in Figure 10.
Algorithm for DDoS SCOUNTER
There are two schemes for marking the trace information, the uncovered and the covered scheme. In the uncovered scheme each router probabilistically appends its IP address to the Record Route data; once a router has marked a packet, all subsequent routers append their addresses until the option overflows, so at most 9 IP addresses can be appended. To prevent the infiltration of spurious markings from a compromised router, the markings are authenticated with HMAC computations [29]. In the covered scheme, if a later router chooses to mark and finds the option full, the first stored IP address is shifted out to make room for the new one.
Type (00000111) | Length | Pointer | Route data
Type: 1-bit copied flag (0: not copied into all fragments), 2-bit option class (0: control), 5-bit option number (7: Record Route)
Length: total length of the option in bytes
Pointer: offset of the next byte in which a route address is to be stored
Route data: series of 32-bit Internet addresses
Figure 10: Data format of the Record Route IP option
h. Randomize and link
This is a very good scheme for performing large-scale IP traceback involving thousands of routers, and path regeneration is made much simpler than in PPM.
Algorithm for Randomize and link
Each router fragments its message Mx (the router's IP address and topology information) into several non-overlapping word fragments and computes a large checksum cord over the whole message [12]. The cord is a very useful entity: it is an associative address for the message and links all the fragments together in the path reconstruction phase. The checksum cord also makes it hard for an intruder to insert a false message that collides with the correct ones. The word fragments form a set of blocks, and a block is chosen at random to be marked into each packet passing through the router. The scheme uses special authentication dictionaries to provide strong authentication of the messages inscribed by routers: the dictionary provides the secret keys for HMAC authentication [29] and makes the routers' job easier, as they are not required to sign set-up messages individually. The scheme is highly robust even in the presence of an attacker injecting spurious packets, and it is highly scalable.
i. FIT (Fast Internet Traceback)
As the name suggests, this scheme [14] conducts traceback in a relatively short time with just a few packets. As in AAM, it uses knowledge of the network topology, together with the packet markings, to piece together the attack path quickly.
Algorithm for FIT
Routers mark packets by a node-sampling algorithm, storing the following information in the 16-bit Identification field of the IP header. Each router precomputes the hash of its IP address and splits it into n fragments of bfrag bits each; one of these is chosen at random and stored in the 13-bit hash fragment field, with the fragment number in the 2-bit fragment field. The 1-bit distance field b is set by the marking router and, together with the packet's TTL, lets the victim determine the distance to the marking router. The structure of the packet marking is shown in Figure 11.
FIT can scale to large DDoS attacks. The salient features of the method are its ability to function in the presence of legacy routers and its ability to identify precisely the distance from the victim.
b (1 bit) | Frag# (2 bits) | Hash fragment field (13 bits)
b: distance field
Frag#: number of the fragment selected for marking by the marking router
Hash fragment: a randomly chosen fragment of the precomputed hash of the IP address of the marking router
Figure 11: Structure of the FIT marking
j. SPIE (Source Path Isolation Engine, or hash-based IP traceback)
The system proposed by Snoeren et al. [13] performs traceback using Data Generation Agents (DGAs) present in the routers, which deterministically log a small amount of information about every packet traversing them. It is called the hash-based scheme because a hash of the invariant fields of the IP header (and the first few bytes of payload) is stored at each router as a 32-bit digest, in a space-efficient data structure called a Bloom filter. Because of the limited space, the digests are stored only for a certain period of time.
Algorithm for SPIE
The framework consists of the DGA (Data Generation Agent), an IDS, the SCAR (SPIE Collection And Reduction Agent) and the STM (SPIE Traceback Manager). The DGA produces the packet digests at each router. On detecting an attack, the IDS alerts the STM and provides the attack signature (the packet to be traced). The STM is the central authority that handles all trace requests and conducts the tracing: it dispatches the signature information to the appropriate SCARs, which analyse the logs of the routers in their region. Wherever a match is found, the SCAR constructs a sub-path of the attack from the routers that forwarded the packet, and the STM assembles the attack path from the sub-paths reported by the SCARs.
The salient feature of SPIE is its ability to trace a single packet. It can handle even complex transformations such as NAT (Network Address Translation), and it can handle fragmentation, in which case only the first fragment can be traced.
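The packet digesting and Bloom-filter logging described above, as an added example that is not code from Snoeren et al. or from this paper: it builds constructed IPv4 packets, masks the mutable header fields (ToS, TTL and checksum; IP options are assumed absent) before hashing the first 28 bytes into a 32-bit digest, logs the digest at each router of a constructed path in a per-router Bloom filter, and answers a single-packet query. The digest function (truncated SHA-256), the filter size and the number of hash positions are assumptions chosen for the example, not SPIE's exact parameters.

```python
"""SPIE-style packet digesting and Bloom-filter logging.

Added example, not SPIE's code.  The packets, path, digest function
(SHA-256 truncated to 32 bits) and filter parameters are constructed."""
import hashlib
import ipaddress
import struct

DIGEST_PREFIX = 28          # 20-byte header + first 8 payload bytes
# Offsets in the 20-byte IPv4 header zeroed before digesting: ToS (1),
# TTL (8) and the header checksum (10, 11); everything else is invariant
# end to end when no options are present.
MUTABLE = {1, 8, 10, 11}


def ip_checksum(header):
    """Standard one's-complement checksum over the header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, ident, ttl, payload, tos=0, proto=17):
    """Constructed IPv4 packet without options (IHL = 5)."""
    fields = [0x45, tos, 20 + len(payload), ident, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ip_checksum(header)
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def forward(packet):
    """What a router does to the header: decrement TTL, refresh the checksum."""
    header = bytearray(packet[:20])
    header[8] -= 1
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ip_checksum(bytes(header)))
    return bytes(header) + packet[20:]


def packet_digest(packet):
    """32-bit digest of the invariant part of the packet prefix."""
    prefix = bytes(0 if i in MUTABLE else b
                   for i, b in enumerate(packet[:DIGEST_PREFIX]))
    return int.from_bytes(hashlib.sha256(prefix).digest()[:4], "big")


class BloomFilter:
    """Bit array with k positions per digest (positions from salted SHA-256)."""

    def __init__(self, m_bits=1 << 20, k=3):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, digest):
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + digest.to_bytes(4, "big")).digest()
            yield int.from_bytes(h[:4], "big") % self.m

    def add(self, digest):
        for pos in self._positions(digest):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, digest):
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(digest))


def log_along_path(path, packet):
    """Each router's DGA digests the packet as it arrives, then forwards it."""
    filters = {router: BloomFilter() for router in path}
    for router in path:
        filters[router].add(packet_digest(packet))
        packet = forward(packet)
    return filters, packet


def trace(filters, packet):
    """Single-packet query: the routers whose filter reports the digest."""
    d = packet_digest(packet)
    return [router for router, bf in filters.items() if d in bf]


if __name__ == "__main__":
    pkt = build_packet("203.0.113.7", "192.0.2.10", ident=0x1234, ttl=64,
                       payload=b"SYN-flood-sample")
    on_path = ["10.0.1.1", "10.0.2.1", "10.0.3.1"]
    filters, arrived = log_along_path(on_path, pkt)
    filters["10.0.9.1"] = BloomFilter()          # a router that never saw it
    print("digest survives hops:", packet_digest(pkt) == packet_digest(arrived))
    print("routers reporting the packet:", trace(filters, arrived))
```

The digest is identical at every hop because only the fields a router rewrites are masked, which is what makes a single packet traceable; a Bloom filter never loses a logged digest but can report a false positive, so a SCAR treats a "yes" from a router off the true path as a candidate to be pruned by the topology rather than as proof, and the filters are paged out after a time, which is the limitation noted below.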
Limitations of proactive network based approaches with in-band technique
 The traceback data is carried in-band within the packet, so the number of bits available to store it is constrained.
 In PPM, the markings of a router far from the victim have little chance of surviving, as they are likely to be overwritten by a downstream router closer to the victim.
 Most of the schemes, such as PPM, AAM and DPM, do not support traceback for fragmented traffic.
 FIT and AAM require a map of the upstream routers for traceback, which may not always be obtainable.
 Adjusted PPM adapts poorly to a DDoS attack.
 The Huffman code marking scheme is fragile against a 1-bit error in the marking; in such cases the Huffman code cannot be decoded correctly.
 Because of the size of the packet header it produces, DDoS SCOUNTER faces serious problems of repeated fragmentation of the trace packet. It also treats distant routers unfairly, as ICMP traceback does: the markings of distant routers get overwritten.
 PPM and Randomize and link both face combinatorial explosion during attack path reconstruction.
 A logging scheme such as SPIE can only trace packets delivered in the recent past, as the packet digests are made to expire after a certain time because of the limited storage.
Open research issues in proactive network based approaches with in-band technique
 Most of the proactive marking schemes suffer from path reconstruction overhead. An efficient traceback should retrace the path of a packet quickly. When routers inscribe a hash of their IP address in the packet, a strong collision-resistant hash function such as SHA-2 [29] should be used; MD5 and SHA-1 are no longer collision resistant and should not be relied upon for this purpose.
 The markings of a router also need to be authenticated to prevent misbehaving routers from forging them, so it is very important to incorporate authentication mechanisms.
 In a proactive logging scheme like SPIE, efficient data structures are required to store the packet digests. A blend of logging and marking, as in the marking scheme using Huffman codes [35], needs to be developed to overcome the disadvantages of both approaches.
Table 5 gives an extensive comparison of the various proactive network based marking schemes. The parameters under consideration are the number of packets needed for traceback, the extent of ISP involvement, fragment handling ability, scalability of the system, the overhead incurred in path reconstruction, DDoS handling, the number of false positives generated, whether an attacker can misuse the scheme, the bits used for marking and how packets are marked.
Table 5: Proactive Network Based Approaches with In-Band Technique

Evaluation metric | PPM | DPM | AAM | Adjusted PPM | SNITCH | Huffman code | DDoS SCOUNTER | Randomize and link | FIT | SPIE
Incremental deployment | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Number of packets for tracing | 1000s | 1000s | 1000s | Fewer than PPM | Fewer, owing to the space available in each packet | Only 1; tracing does not depend on the number of packets | Fewer | 1000s | Only a few (tens) | Fewer
ISP involvement | Low | Low | Low | Low | Fair | Fair | Fair; administrator initiates marking | Low | Low | Fair; correlated queries
Fragmentation handling | No | No | No | No | No | Yes; good | Yes | Yes | Yes | Yes; very good
Scalability | High | High | High | Low | Fair | High | Very high | Very low | Very high | Bad
Path construction overhead | Very high | High | Less | Less | Very less | Less | Less | Very less | Less | High, to build the attack graph
Knowledge of topology | No | No | Yes, upstream routers | No | No | No | No | No | Yes, upstream routers | No
Misuse by attacker | Yes; can generate false markings | Yes; can use different source IP addresses | No; uses authenticated MAC | No | No | Yes; traceback fails for even a 1-bit error in the marking | No; router markings authenticated | No; all messages authenticated with HMAC | Yes; if the attacker changes the initial contents of the ID field | No
Bits used for marking | 16-bit ID field | 16-bit ID field and 1-bit reserved flag | 16-bit ID field | 16-bit ID field | Compressed invariant fields of the IP header | IP option field | Record Route IP option | 16-bit ID field | 16-bit ID field | 32-bit packet digest stored at each forwarding node
Marking of packets | Probabilistic | Deterministic | Probabilistic | Adjusted probabilistic | Probabilistic | Deterministic | Probabilistic | Probabilistic | Deterministic, with a marking predicate | Deterministic; packet digest stored at each forwarding node
DDoS handling; number of false positives | The column assignment of these two rows is not recoverable from the extracted text. The cell values present are: small-scale DDoS; large; good, especially for reflector attacks; less than PPM; fair; bad; fair; good; very good; very good; good; very low; fair; fair, owing to the XOR of IP addresses; less; less; very few; less.
The cell order within the scalability and path construction overhead rows follows the extracted text.
4.2.2.2 Proactive host based approaches with in-band technique
In a host based scheme the traceback function is entrusted to the victim node, which performs it proactively. The only scheme in this category is explained below.
Algebraic Approach
This is a modification of the PPM method proposed by Dean et al. [10]. It uses concepts from coding theory and learning theory to encode the path information as points on polynomials; the encoded information is stored in the Fragment ID field, and the victim reconstructs the path using polynomial and algebraic methods. The authors give several encoding schemes: deterministic path encoding, randomized path encoding and edge encoding. In deterministic path encoding, each packet carries a random value x; each router multiplies the running value by x and adds its IP address, so that the packet accumulates the evaluation of the full-path polynomial at x. Decoding at the victim amounts to solving a Vandermonde system [37]. The randomized path encoding algorithm functions like its deterministic counterpart but adds an element of randomness: each router flips a coin to decide whether it is the initiator of the marking process. The edge encoding algorithm presets a maximum distance value l that is decremented by each marking router; the addition of IP addresses stops when it reaches zero. The algebraic approach is robust to stray noise in the received points, which can be filtered out efficiently. It can track multiple attack paths originating from several attackers, is therefore suitable for tracking DDoS attacks, and can be incrementally deployed. However, all the overhead of the mathematical calculations in decoding the points of the polynomial falls on the victim node.
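The deterministic path encoding and its Vandermonde decoding, as an added worked example that is not code from Dean et al. or from this paper: the routers, the attack path and the per-packet values x are constructed, and arithmetic is done modulo a prime chosen here (4294967311, the smallest prime above 2^32, so that a full 32-bit address fits in one coefficient); Dean et al.'s exact field, packet layout and noise filtering are outside the example. The victim collects as many points as there are routers and solves the resulting linear system by Gauss-Jordan elimination modulo the prime.

```python
"""Algebraic traceback: deterministic path encoding and Vandermonde decoding.

Added example, not Dean et al.'s code.  The path, the per-packet x values
and the prime field are constructed for illustration."""
import ipaddress

P = 4294967311  # assumption: smallest prime above 2**32, so an IPv4 address fits

# Constructed attack path: attacker -> R1 -> R2 -> R3 -> R4 -> victim.
PATH = ["10.0.1.1", "10.0.2.1", "10.0.3.1", "10.0.4.1"]


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(value):
    return str(ipaddress.IPv4Address(value))


def encode_packet(path, x):
    """Each router folds its address into the packet's running value with a
    Horner step acc = acc*x + a_i (mod P).  The victim therefore receives
    f(x) = a_1 x^(n-1) + a_2 x^(n-2) + ... + a_n, a_i = address of router i."""
    acc = 0
    for router in path:
        acc = (acc * x + ip_to_int(router)) % P
    return {"x": x, "y": acc}


def solve_mod(matrix, rhs, p):
    """Gauss-Jordan elimination over GF(p); returns the solution vector."""
    n = len(matrix)
    a = [list(row) + [b] for row, b in zip(matrix, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col] % p), None)
        if pivot is None:
            raise ValueError("singular system: x values must be distinct")
        a[col], a[pivot] = a[pivot], a[col]
        inv = pow(a[col][col], -1, p)          # modular inverse, Python 3.8+
        a[col] = [v * inv % p for v in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(vr - f * vc) % p for vr, vc in zip(a[r], a[col])]
    return [row[n] for row in a]


def decode_path(packets, n_routers):
    """Recover the n router addresses from n packets with distinct x values:
    the rows of the Vandermonde matrix are [x^(n-1), ..., x, 1]."""
    pts = packets[:n_routers]
    matrix = [[pow(pt["x"], n_routers - 1 - k, P) for k in range(n_routers)]
              for pt in pts]
    coeffs = solve_mod(matrix, [pt["y"] for pt in pts], P)
    return [int_to_ip(c) for c in coeffs]


if __name__ == "__main__":
    # Constructed per-packet random values; any distinct values in [1, P) work.
    received = [encode_packet(PATH, x) for x in (3, 17, 101, 999)]
    print(decode_path(received, len(PATH)))
```

The decoding cost is the victim's alone, as the text notes, and it grows with the cube of the path length for this elimination; the example also makes the authentication weakness concrete, since any sender can choose the initial accumulator value and thereby prepend a fictitious router to the recovered path.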
Disadvantages of the Algebraic Approach
 It is difficult to store the path information, represented as polynomial points, in the packet header.
 Because of the lack of authentication and the lack of information about the order of the routers along an attack path, an attacker can forge and encode incorrect path information in the packet.
Open research issues in proactive host based schemes with in-band technique
A host based scheme has the fundamental problem of trusting each monitored host involved in the connection chain, and is hence very difficult to deploy in a public network where any node could be compromised. It is important to introduce authentication mechanisms that prevent forged router markings and the replay of stale messages.
5 Conclusion and Future Work
After examining the various IP traceback schemes, we conclude that traceback combined with IDS and filtering schemes can form a collaborative defence suite against security threats in the Internet: attack detection, prevention and traceback together present a reinforced platform for security. We have not presented all the traceback schemes in the literature, but have summarized the major techniques and their evolution from the basic schemes. Controlled flooding, PPM, ICMP traceback, overlay networks and logging are the main research thrusts in the literature, and they fall under the headings of logging, marking and link testing. All the other schemes have evolved from these fundamentals, differing a little in execution and overcoming the particular shortcomings that their authors focused on. Some are more prone to security vulnerabilities than others, some require additional infrastructure, some scale better, and some are better able to tackle DDoS attacks. A scheme that satisfies every evaluation metric cannot be envisioned. The focus should therefore not be on designing a scheme that overcomes all of these shortcomings but on identifying the potential areas of improvement in the existing schemes: finding ways to reduce the network, bandwidth and router overhead, improving the time taken to identify the attacker, automating the trace process, and finding new ways of tackling the stealthy attacks that are constantly on the rise in the Internet. Precision, accuracy and timeliness are the three most important characteristics by which the ingenuity of a traceback technique is measured. As our analysis shows, the methods capable of tracking all the way to the true source even in the presence of stepping stones, zombies or reflectors are very few. A clever attacker may hide behind several layers; an intelligent traceback should tear down this masquerade and catch the intruder red-handed. Traceback, however, also involves political, economic and legal issues that pose a serious challenge to its deployment in the real world.
References
[1] "Good/Bad News in DoS Struggle," IT Architect, 2002; http://www.itarchitect.com/article/NMG20020701S0003.
[2] CERT Advisory CA-2000-01, "Denial-of-Service Developments," CERT, 2000; www.cert.org/advisories/CA-2000-01.html.
[3] P. Ferguson and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing," Internet Eng. Task Force, RFC 2827, May 2000; www.ietf.org/rfc/rfc2827.txt.
[4] J. Mirkovic, G. Prier, and P. Reiher, "Attacking DDoS at the Source," in Proceedings of the 10th IEEE International Conference on Network Protocols, pp. 312-321, 2002.
[5] H. Y. Chang, R. Narayanan, S. F. Wu, B. M. Vetter, X. Wang, M. Brown, J. J. Yuill, C. Sargor, F. Jou, and F. Gong, "Deciduous: Decentralized Source Identification for Network-Based Intrusions," in Proceedings of the 6th IFIP/IEEE Int'l Symp. Integrated Net. Mgmt., pp. 701-714, 1999.
[6] Dawn Xiaodong Song and Adrian Perrig, "Advanced and Authenticated Marking Schemes for IP Traceback," in Proceedings of IEEE INFOCOM, IEEE CS Press, pp. 878-886, 2001.
[7] S. M. Bellovin, "ICMP Traceback Messages," Network Working Group Internet Draft, March 2000.
[8] H. Burch and B. Cheswick, "Tracing Anonymous Packets to Their Approximate Source," in Proceedings of the 14th Conf. Systems Administration, Usenix Assoc., pp. 313-322, Dec. 2000.
[9] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, "Practical Network Support for IP Traceback," in Proceedings of ACM SIGCOMM 2000; IEEE/ACM Trans. Networking, Vol. 9, No. 3, pp. 226-237, 2001.
[10] D. Dean, M. Franklin, and A. Stubblefield, "An Algebraic Approach to IP Traceback," ACM Trans. Information and System Security, Vol. 5, No. 2, pp. 119-137, 2002.
[11] R. Stone, "CenterTrack: An IP Overlay Network for Tracking DoS Floods," in Proceedings of the 9th Usenix Security Symp., Usenix Assoc., pp. 199-212, 2000.
[12] M. Goodrich, "Efficient Packet Marking for Large-Scale IP Traceback," in Proceedings of the 9th ACM Conf. Computer and Communication Security, ACM Press, pp. 117-126, 2002.
[13] Alex C. Snoeren, Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, and W. Timothy Strayer, "Hash-Based IP Traceback," IEEE/ACM Trans. Networking, Vol. 10, No. 6, pp. 721-734, 2002.
[14] Abraham Yaar, Adrian Perrig, and Dawn Song, "FIT: Fast Internet Traceback," in Proceedings of the 24th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2005), Vol. 2, pp. 1395-1406, March 2005.
[15] Vadim Kuznetsov, Helena Sandstrom, and Andrei Simkin, "An Evaluation of Different IP Traceback Approaches," in Proceedings of the 4th International Conference on Information and Communications Security (ICICS), Springer LNCS, Vol. 2513, pp. 37-48, 2002.
[16] Hassan Aljifri, "IP Traceback: A New Denial-of-Service Deterrent?", IEEE Security & Privacy, Vol. 1, No. 3, pp. 24-31, May/June 2003.
[17] Andrey Belenky and Nirwan Ansari, "On IP Traceback," IEEE Communications Magazine, Vol. 41, No. 7, pp. 142-153, July 2003.
[18] Zhiqiang Gao and Nirwan Ansari, "Tracing Cyber Attacks from the Practical Perspective," IEEE Communications Magazine, Vol. 43, No. 5, pp. 123-131, May 2005.
[19] Tatsuya Baba and Shigeyuki Matsuda, "Tracing Network Attacks to their Sources," IEEE Internet Computing, Vol. 6, No. 3, pp. 20-26, March/April 2002.
[20] S. C. Lee and C. Shields, "Tracing the Source of Network Attack: A Technical, Legal and Societal Problem," in Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, IEEE Press, pp. 239-246, 2001.
[21] Y. Zhang and V. Paxson, "Detecting Stepping Stones," in Proceedings of the 9th USENIX Security Symposium, pp. 171-184, 2000.
[22] Vern Paxson, "An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks," ACM Computer Communication Review, Vol. 31, No. 3, pp. 3-14, July 2001.
[23] Howard F. Lipson, "Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues," CERT Coordination Center, Special Report CMU/SEI-2002-SR-009.
[24] X. Wang, Douglas S. Reeves, Shyhtsun Felix Wu, and Jim Yuill, "Sleepy Watermark Tracing: An Active Network-based Intrusion Response Framework," in Proceedings of the IFIP Conf. on Security, Paris, pp. 369-384, June 11-13, 2001.
[25] J. Rowe, "Intrusion Detection and Isolation Protocol: Automated Response to Attacks," in Proceedings of Recent Advances in Intrusion Detection (RAID), University of California Davis, USA, 1999.
[26] Allison Mankin, Dan Massey, Chien-Long Wu, S. Felix Wu, and Lixia Zhang, "On Design and Evaluation of 'Intention-Driven' ICMP Traceback," in Proceedings of the IEEE Int'l Conf. Computer Comm. and Networks, IEEE CS Press, pp. 159-165, 2001.
[27] Bao-Tung Wang and Henning Schulzrinne, "A Denial-of-Service-Resistant IP Traceback Approach," in Proceedings of the 9th IEEE International Symposium on Computers and Communications (ISCC), Vol. 1, pp. 351-356, June/July 2004.
[28] A. Lazarevic, L. Ertoz, A. Ozgur, J. Srivastava, and V. Kumar, "A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection," in Proceedings of the SIAM Conf. Data Mining, 2003.
[29] Hash Algorithms, http://www.securitytechnet.com/crypto/algorithm/hash.html.
[30] I. Stoica and H. Zhang, "Providing Guaranteed Services without Per-Flow Management," in Proceedings of ACM SIGCOMM, pp. 81-94, Aug. 1999.
[31] Andrey Belenky and Nirwan Ansari, "IP Traceback with Deterministic Packet Marking," IEEE Communications Letters, Vol. 7, No. 4, pp. 162-164, 2003.
[32] Tao Peng, Christopher Leckie, and Kotagiri Ramamohanarao, "Adjusted Probabilistic Packet Marking," in Proceedings of the IFIP-TC6 Networking Conference 2002, Pisa, Italy, May 2002.
[33] H. Aljifri, M. Smets, and A. Pons, "IP Traceback Using Header Compression," Computers & Security, Vol. 22, No. 2, pp. 136-151, 2003.
[34] Effnet Holding, "An Introduction to IP Header Compression," February 2004.
[35] K. H. Choi and H. K. Dai, "A Marking Scheme Using Huffman Codes for IP Traceback," in Proceedings of the 7th International Symposium on Parallel Architectures, Algorithms and Networks, pp. 421-428, 2004.
[36] Chen Kai, Hu Xiaoxin, and Hao Ruibing, "DDoS Scounter: A Simple IP Traceback Scheme," in Progress on Cryptography: 25 Years of Cryptography in China, Kluwer Academic Publishers, 2004.
[37] Vandermonde Matrix, MathWorld, http://mathworld.wolfram.com/VandermondeMatrix.html.
Author Biographies
Lakshmi Santhanam received her B.E. degree in Computer
Science and Engineering from University of Madras, India,
in 2003. She is currently a doctoral student working as a
research assistant in the Center for Distributed and Mobile
Computing (CDMC) Lab at the University of Cincinnati.
Her research interests include detection of selfish
behavior in Wireless Mesh Networks, IP Traceback,
Intrusion detection in Ad hoc Networks, and other security
concerns in Wireless Ad hoc Networks and Wireless Mesh
Networks.
Anup Kumar completed his Ph.D. from North Carolina
State University and is currently a professor in the Computer
Engineering and Computer Science Department at the
University of Louisville. He is also the director of the Mobile
Information Network and Distributed System Laboratory.
His research interests include wireless networks, distributed
system modeling and simulation, and multimedia systems.
He is currently Chair of the IEEE Computer Society
Technical Committee on Simulation (TCSIM). He was Vice
Chair of IEEE TCSIM, 1995-1998. He has published and
presented over 150 papers. Some of his papers have appeared
in ACM Multimedia Systems Journal, IEEE Transactions on
Computers, Wireless Communication and Mobile
Computing, Journal of Parallel and Distributed Computing,
IEEE Transactions on Reliability, IEEE JSAC, Journal of
Computer and Software Engineering, and others. He was
Associate Editor of International Journal of Engineering
Design and Automation 1995-1998. He has served on many
conference program and organizing committees such as
MASS 2004, CIT 2004, IEEE Symposium on Parallel and
Distributed Systems, 7th International Conference on
Parallel and Distributed Computer Systems, IEEE
MASCOTS, and ADCOM ’97 and ’98. He has also edited
Special Issues of International Journal on Computers and
Operations Research. He is listed in Who’s Who Among
America’s Teachers, 1994.
Dharma P. Agrawal is the Ohio Board of Regents
Distinguished Professor of Computer Science and
Engineering and the founding director for the Center for
Distributed and Mobile Computing in the Department of
ECECS, University of Cincinnati, OH. He has been a
faculty member at N.C. State University, Raleigh, NC
(1982-1998) and Wayne State University, Detroit (1977-1982).
His current research interests include energy-efficient routing
and information retrieval in ad hoc and sensor networks, QoS
in integrated wireless networks, use of smart multi-beam
directional antennas for enhanced QoS, and various aspects of
sensor networks including environmental monitoring and
secured communication in ad hoc and sensor networks. His
co-authored textbook, Introduction to Wireless and Mobile
Systems, published by Thomson, has been adopted throughout
the world and revolutionized the way the course is taught.
His latest co-authored book, Ad hoc & Sensor Networks: Theory
and Applications, will be published in Spring 2006 by
World Scientific Publishing. Dr. Agrawal is an editor for
the Journal of Parallel and Distributed Systems and the
International Journal of High Speed Computing. He has
served as an editor of the IEEE Computer magazine and the
IEEE Transactions on Computers. Recently, he has been
invited to serve as a founding member of the editorial board
of three new journals: the International Journal on Distributed
Sensor Networks, the International Journal of Ad Hoc and
Ubiquitous Computing (IJAHUC), the International Journal of
Ad Hoc & Sensor Wireless Networks, and the Journal of
Information Assurance and Security (JIAS), Dynamic
Publishers Inc. He has been the Program Chair and General
Chair for numerous international conferences and meetings.
He has received numerous certificates and awards from the
IEEE Computer Society. He was awarded a "Third Millennium
Medal" by the IEEE for his outstanding contributions. He has
also delivered keynote speeches at five international
conferences. He also has 4 patents and 17 patent disclosures
in the wireless networking area. He has been selected as a
Fulbright Senior Specialist for a duration of five years. He
is a Fellow of the IEEE, the ACM, the AAAS, and WIF.