Reflective Probabilistic Packet Marking Scheme for IP Traceback (Special Issue: Computer Security Technologies Confronting New Threats)

Reflective Probabilistic Packet Marking Scheme for IP Traceback

2003

This paper describes the design and implementation of the Reflective Probabilistic Packet Marking (RPPM) scheme, a traceback scheme against distributed denial-of-service (DDoS) attacks. Such attacks include traffic laundered through reflectors, which are sent false requests by attackers posing as the victim. Reflectors are among the hardest security problems on today's Internet. One promising solution for tracing the origin of attacks, the probabilistic packet marking (PPM) scheme, has been proposed. However, conventional PPM cannot work against reflector attacks (the reflector problem). Also, it encodes a mark into the IP Identification field, which disables the use of ICMP (the encoding problem). RPPM is a solution to both the reflector and the encoding problem. We have extended PPM to render reflectors ineffectual by reflecting the marking statistics of incoming packets at reflectors in order to trace the origin of the attacks. Furthermore, we have encoded a mark into the IP option field without reducing necessary...

AN EFFICIENT IP TRACEBACK THROUGH PACKET MARKING ALGORITHM

2010

Denial-of-service (DoS) attacks pose an increasing threat to today's Internet. One major difficulty in defending against distributed denial-of-service attacks is that attackers often use fake, or spoofed, IP addresses as the IP source address to disguise the true origin. The probabilistic packet marking (PPM) algorithm allows the victim to trace back to the true origin of packets carrying a spoofed IP source address. In this paper we propose a technique that encodes the packets more efficiently than the Savage probabilistic packet marking algorithm and reconstructs the attack graph. This enhances the reliability of the probabilistic packet marking algorithm.

Adaptive probabilistic packet marking scheme for IP traceback

2014 World Congress on Computer Applications and Information Systems (WCCAIS), 2014

IP traceback is a fundamental mechanism in defending against cyber-attacks, in particular denial of service (DoS) attacks. Many schemes have been proposed in the literature; in particular, Probabilistic Packet Marking (PPM) schemes have been at the center of researchers' attention given their scalability and thus their ability to trace distributed attacks such as distributed denial of service (DDoS) attacks. A major issue in PPM-based schemes is the fixed marking probability, which reduces the probability of receiving marked packets from routers far away from the victim, given that their marked packets have a higher probability of being re-marked by routers near the victim. This increases the number of packets required to reconstruct the attack path. In this paper, we propose a simple yet efficient solution to this issue by letting the routers adapt their marking probability based on the number of packets they have previously re-marked. We compare our scheme to the original PPM through extensive simulations. The results clearly show the improvement brought by our proposed marking scheme.

On the (in)effectiveness of Probabilistic Marking for IP Traceback under DDoS Attacks

2007

Distributed denial-of-service (DDoS) attacks pose an immense threat to the Internet. The most studied solution is to let routers probabilistically mark packets with partial path information during packet forwarding, which is referred to as Probabilistic Packet Marking (PPM). In this paper, we study the effect of simple attacker strategies that spoof the markings to impede the victim's capacity to trace back. We show that random marking is sufficient to impede the victim from tracing the attackers.

Survey on Packet Marking Algorithms for IP Traceback

Oriental Scientific Publishing Company, 2017

Distributed Denial of Service (DDoS) attack is an unavoidable attack. Among the various attacks on the network, DDoS attacks are difficult to detect because of IP spoofing. IP traceback is the only technique to identify DDoS attacks. The path affected by a DDoS attack is identified by IP traceback approaches such as the Probabilistic Packet Marking algorithm (PPM) and the Deterministic Packet Marking algorithm (DPM). The PPM approach finds the complete attack path from the victim to the source, whereas DPM finds only the source of the attacker. Using the DPM algorithm, finding the source of the attacker is difficult if a router gets compromised. Using the PPM algorithm we construct the complete attack path, so the compromised router can be identified. In this paper, we review PPM and DPM techniques and compare the strengths and weaknesses of each proposal.

IP Traceback through Modified Probabilistic Packet Marking Algorithm

Denial of service (DoS) attack is one of the most common attacks on the Internet. The most difficult part of defending against this attack is finding the source of the denial of service (DoS) attack. Savage et al. proposed the PPM algorithm to trace back the route to the attacker. We found two disadvantages of the Savage traceback technique. The first disadvantage is that the probability of identifying far-away routers is very low, which results in losing the identity of some routers. This affects the attack graph construction. The second disadvantage is that, because of the remarking of edges, the constructed graph contains new edges which do not exist in the attack graph. In this paper, we propose a modified probabilistic packet marking (MPPM) IP traceback methodology, and we found that the results are quite interesting when compared with the approach proposed by Savage.

Keywords: DoS attack, IP traceback, indicator, far away routers, Modified Probabilistic Packet Marking.

A proposal for new marking scheme with its performance evaluation for IP traceback

WSEAS Transactions on Computers archive, 2008

Detecting and defeating Denial of Service (DoS) attacks is one of the hardest security problems on IP networks. Furthermore, spoofing of IP packets makes it difficult to combat and fix such attacks. Packet marking is one of the methods to mitigate DoS attacks, as it helps trace back to the true origin of the packets. A hybrid packet marking algorithm, along with a traceback mechanism to find the true origin of the attack traffic, is presented in this study. The router marks the packets with the inbound interface identifier of the router, but the novelty lies in the way it marks the packets. The stamping is based on a modulo technique, and a reverse modulo technique is proposed for the purpose of reconstructing the attack path to trace back to the real source of the packets. The experimental measurements on the presented algorithm show that it requires less time to mark and reconstruct the attack graph. It is also able to trace back a single packet; nevertheless, it requires logging at very few routers and thus incurs insignificant storage overhead on the routers. The simulation study and the qualitative comparison with different traceback schemes are also presented to show the performance of the proposed system.

A prediction based approach to IP traceback

37th Annual IEEE Conference on Local Computer Networks -- Workshops, 2012

Sources of a Distributed Denial of Service (DDoS) attack can be identified from the traffic they generate using the IP traceback technique. Because of its relevance, Probabilistic Packet Marking (PPM) schemes for IP traceback are an intensively researched field. In these schemes, routers are given the extra function of randomly selecting packets from those that pass through them and embedding their address information in those selected packets. During or after the attack, the paths traversed by the attack traffic can be identified based on the router information in the marked packets. Since these schemes require a large number of received packets to trace an attacker successfully, they usually demand high time and space complexity to trace many attackers, as is the case in DDoS attacks. This is partly because the marking scheme allows remarking, where routers can overwrite previous marking information in a selected packet, which leads to data loss.

A Resolved IP Traceback through Probabilistic Packet Marking Algorithm

2011

The major problem of network security in recent years is DoS (Denial of Service) attacks. In order to protect the network from these attacks, research is carried out in the key streams of network security. Packet marking is always required to track a few details of a packet, such as its source and its status on the way to the destination. In many cases, packets transmitted by a source are lost or the data in them is corrupted, and the packets may be lost permanently. A good packet marking algorithm is always required to mark the packet with the IP address of the source and the routers it has traversed. We suggest not marking each and every packet with equal probability; instead, the marking probability is computed for every packet by all the routers depending on the value of the TTL (Time to Live) field.

DDPM: Dynamic Deterministic Packet Marking for IP Traceback

2006 14th IEEE International Conference on Networks, 2006

Marking and Mark-based Detection to the field of IP Traceback. In Dynamic Marking it is possible to find the attack agents in a large-scale DDoS network. Moreover, in the case of a DRDoS attack it enables the victim to trace the attack one step further back towards the source, to find a master machine or the real attacker with only a small number of packets. The proposed marking procedure increases the possibility of DRDoS attack detection at the victim through Mark-based Detection. In the Mark-based method, the detection engine takes into account the marks of the packets to identify the varying sources of a single site involved in a DDoS attack. This significantly increases the probability of detection. In order to satisfy the end-to-end arguments approach and fate-sharing, and out of respect for the need for scalable and applicable schemes, only edge routers implement our simple marking procedure. The delay and bandwidth overhead added to the edge routers is fairly negligible.