IPv6 IP traceback Research Papers
DoS / DDoS (Distributed Denial of Service) attacks deny regular internet services to legitimate users, either by blocking the services completely or by disturbing them completely, so as to cause customer baulking. Several traceback schemes are available to mitigate these attacks. The simulation approach can also be used to test the performance of different marking schemes in large-scale DDoS attacks. Based on the simulation and evaluation results, more efficient and effective algorithms, techniques and procedures to combat these attacks may be developed. DGT8, a directional geographical traceback scheme with 8 directions, is one of them. Having a limited set of 8 directions, DGT8 may not work for routers with more than 8 interfaces. In this paper, we propose M-DGT, i.e. DGT16, a 16-directional geographical traceback scheme having all the advantages of DGT. The 16 directions, though not having exactly equal interfaces, have nearly equal measures, and are identified using a novel scheme of Segment Direction Ratios (SDR). The SDR concept and the associated marking scheme allow the victim to defend against DDoS attacks independently of its ISP, and also allow the generalization to DGT2^n, having 2^n directions (n > 4).
Attacks deny regular internet services from being accessed by legitimate users, either by blocking the services completely or by disturbing them completely, so as to cause customer baulking. Approach: Several traceback schemes were available to mitigate these attacks. Directional geographical traceback 8 (DGT8), a directional geographical traceback scheme with 8 directions, was one of them. Having a limited set of 8 directions, DGT8 may not work for routers with more than 8 interfaces. In this study, we proposed Multi-DGT (DGT-16), a 16-directional geographical traceback scheme having all the advantages of DGT. The 16 directions, though not having exactly equal interfaces, had nearly equal measures and were identified using a novel scheme of Segment Direction Ratios (SDR). Results: The scheme of DGT16 SDR in directions D1-D16 in quadrants I-IV and DGT32 SDR in directions D1-D9 in quadrant I were examined. Conclusion: In the implementation of DGT16, when a packet arrives at the victim, the geographical location of the attack router can be obtained from the data in the SDR subfields, regardless of the source IP address, which may be incorrect or compromised.
In the modern technological world, with the increasing dependency on the Internet, security threats are on the rise. The Distributed Denial of Service (DDoS) attack is one of the biggest threats. Attackers tend to exhaust network resources while ingeniously hiding their identity, making the defence process extremely difficult. Many researchers have proposed various solutions to trace back the true origin of an attack. Among them, Internet Control Message Protocol (ICMP) traceback was considered an industry standard by the Internet Engineering Task Force (IETF). ICMP Traceback (ITrace) does not require any change in the existing infrastructure. However, it consumes considerable bandwidth and requires a large number of packets to trace back an attacker. This work proposes a Single Packet ICMP Traceback technique using Router Interface (SPITRI). It traces the origin of a flooding attack with a single ICMP packet. The bandwidth overhead incurred by SPITRI is several times lower than that of ITrace. SPITRI was simulated over the CAIDA Ark dataset. It can trace back the attackers with high accuracy, with zero false positive and zero false negative results. The efficacy of the proposed scheme is demonstrated by simulating and comparing it with ITrace and with the latest router-interface-based single packet traceback scheme.
Although cybercrime and cyber threats are increasing significantly, prevention and security of the critical infrastructure are still far from perfect. The internet has no protection against malicious packet modifications. Attackers exploit such vulnerabilities to forge the source IP addresses while instigating an attack. Consequently, investigating cybercrime is becoming extremely difficult. The best antidote would be to weed out the problem at its root by identifying the source of the attack. The objective of this study is to propose an IP traceback scheme that can identify the origin of an attack from a single packet with minimum computational and storage overhead while ensuring a high degree of accuracy. Compared to the state-of-the-art single packet IP traceback technique, the proposed scheme entails less computation overhead. According to the CAIDA topology dataset, it requires only 320 kB of storage on each router. The storage requirement is several thousand times lower than the pioneer single packet traceback scheme and 6.25 times lower than the state-of-the-art traceback scheme. It is more robust to changes in topology compared with the state-of-the-art schemes. It identifies the attack node with high accuracy and minimal false positives. The obtained result has been validated to demonstrate its statistical significance.
- A quadratic function based IP traceback (QIT) scheme using router interface is proposed which
  - traces back the attacker with a single attack packet;
Denial of service (DoS) attacks figure highly among the dangers that face the Internet. Many research studies deal with DoS, proposing models and/or architectures to stop this threat. The proposed solutions vary between prevention, detection, filtering and traceback of the attack. The latter (attack traceback) constitutes an important part of the DoS defense. The most complex issue it has to face is that attackers often use spoofed or incorrect IP addresses, thus disguising the true origin. In this work, we propose a signaling architecture and a security-oriented signaling protocol named 3SP (Simple Security Signaling Protocol). This solution makes it easier to trace both DoS and other types of attack back to their sources; it is simple, robust and efficient against IP spoofing, and thus constitutes a novel and efficient approach to the attack traceback problem.
Since adversaries may spoof their source IPs in attacks, traceback schemes have been proposed to identify the attack source. However, the storage requirements of some of these schemes increase with the number of packets. Some even have false positives because they use the IP header's fragment offset for marking. Thus, we propose a 16-bit single packet hybrid IP traceback scheme that combines packet marking and packet logging with high accuracy and a low storage requirement. The size of our log tables is bounded by the number of routes. We also set a threshold to determine whether an upstream interface number is stored in a log table or in a marking field, so as to balance the logging frequency and our computational load. Because we store user interface information on small-degree routers, ours can have the lowest storage requirements compared with current single packet traceback schemes. Moreover, our traceback achieves zero false positive/negative rates and guarantees reassembly of fragm...
Nowadays the Internet is exposed to a wide span of web threats. In the modern era, many types of attacks are discovered on the Internet, among them the most disastrous one, the Distributed Denial of Service (DDoS) attack. In such attacks, an immense number of compromised systems act together to make services unavailable to honest users. These compromised systems frequently mask their identity by spoofing. IP traceback is a way to recover the real path of packets in such a scenario. This paper provides a systematic investigation of various IP traceback approaches, their useful domains and openings for forthcoming research in this thrust area of IP traceback.
Distributed Denial-of-Service (DDoS) attacks are one of the more difficult security issues on the Internet today. They can easily exhaust the resources of potential victims. The issue is even more severe since the attackers regularly spoof their IP addresses to hide their identity. In the current defense mechanism against DDoS attacks, the attack traffic is filtered at the victim's side. In this situation, even if the attacking traffic is filtered by the victim, the attacker may still achieve the objective of blocking access to the victim's bandwidth. IP traceback approaches enable the victim to trace back to the source of an attack, but they are not able to minimize the attack while it is in progress. Hence, in this work we propose a hybrid method to minimize the quantity of malicious packets entering the network. We introduce a quantum annealing technique at the server side to identify and mitigate the DDoS attack. The attack messages are minimized by using a client puzzle at the ingress router; a path fingerprint is used at the egress side. Simulation studies show that the proposed mechanism is optimally successful in recognizing and mitigating DDoS attacks.
We propose a novel traceback approach that marks IP traffic by applying selective marking and load-reducing mechanisms. Our technique is adaptive and exploits any specific properties that help characterize an activity in communication traffic. It helps reduce ...
Defending against distributed denial-of-service attacks is one of the hardest security problems on the Internet today. One difficulty with these attacks is tracing their source, as attackers intentionally use spoofed IP source addresses to disguise the true origin. IP traceback in a cloud environment resembles the Advanced Marking Scheme and the Authenticated Marking Scheme that evolved from the probabilistic packet marking scheme (PPM), which allow the victim to trace back the approximate origin of spoofed IP packets. The techniques feature low network and router overhead and support incremental deployment. In contrast to previous work, our techniques have significantly higher precision (lower false positive rate) and lower computation overhead for the victim to reconstruct the attack paths under large-scale virtual and distributed denial-of-service attacks. Furthermore, the Authenticated Marking Scheme provides efficient authentication of routers' markings such that even a compromised router cannot forge or tamper with markings from other uncompromised routers. The aim is to protect the network from attackers by reconstructing the attack path.
- by Swapan Debbarma
The Internet is a worldwide network used in almost every field of work, such as industrial, educational, military, etc. Based on the use, its security needs differ. Some applications may need less security and some may need high security. Today various internet attacks are being developed every day, such as viruses, DoS (Denial of Service), spoofing, etc. Spoofing is a kind of attack in which the attacker masks itself under some other user's IP address. Thus, it is difficult to find the original attacker. The IP traceback technique is used to detect the DoS attack. This paper is based on IP traceback, which will help to detect the spoofing attacker by using packet marking and packet logging techniques. In the packet marking technique, a router marks its own identification information into the forwarded packets. In packet logging, routers keep digest information about the forwarded packets. The proposed scheme is termed E-RIHT (Enhanced Routers Interface Hybrid Traceback); in this scheme, memory requi...
- by srinivas koppu
The development of cyber society has fostered the emergence of e-commerce, which is active with business and private transactions. Nevertheless, it has also emboldened malicious activities that damage users' profit in the society. Among these activities, Distributed Denial of Service (DDoS), which imposes an excessive workload on network entities such as hosts, is one of the most devastating forms of attack and can cause complete malfunctioning of cyber society's infrastructure. In order to counter DDoS and facilitate secure and reliable functioning of cyber societies, various types of traceback mechanisms have been proposed that trace the entire attack path or a partial attack path. In the future, networks will need to accommodate such traceback functionalities. This paper proposes a taxonomy of traceback mechanisms and describes their characteristics. It also discusses issues toward the deployment of the mechanisms over the Internet.
A denial of service attack denies the services offered by resources to legitimate clients. DoS attackers use IP spoofing to hide their own identity, so the first step in defending against a DoS attack is to find out the IP address of the attacker in order to take further action. This paper presents a novel and practical IP traceback system, Flexible Deterministic Packet Marking (ADFM), to get the IP address of the attacker when IP spoofing is used by the attacker. ADFM belongs to the packet marking family of IP traceback systems. The novel characteristics of ADFM lie in its flexibility: first, it can adjust the length of the marking field according to the network protocols deployed (flexible mark length strategy); second, it can also adaptively change its marking rate according to the load of the participating router by a flexible flow-based marking scheme. This paper focuses on the implementation of ADFM on a network processor.
- by gayatri mali
- by kusum yadav
The technique of IP traceback is used to overcome Denial-of-Service attacks. This paper explains the two types of IP traceback techniques proposed earlier, namely Packet Marking and Packet Logging. The paper further describes a hybrid IP traceback technique which uses both packet marking and logging. The hybrid technique claims a better performance level in terms of reducing the storage overhead at the routers by half and the access time overhead by the number of neighboring routers. Future enhancements have been proposed in the domain of security for the entire system.
- by Immanuel Raja
As the Internet has been widely applied in various fields, more and more network security issues emerge and catch people's attention. Adversaries often hide themselves by spoofing their own IP addresses and then launch attacks. For this reason, researchers have proposed many traceback schemes to trace the source of these attacks. Some use only one packet in their packet logging schemes to achieve IP tracking. Others combine packet marking with packet logging and therefore create hybrid IP traceback schemes demanding less storage but requiring a longer search. In this paper, we propose a new hybrid IP traceback scheme with efficient packet logging, aiming to have a fixed storage requirement for each router (under 320 KB) in packet logging without the need to refresh the logged tracking information, and to achieve zero false positive and false negative rates in attack-path reconstruction. In addition, we use a packet's marking field to censor attack traffic on its upstream rou...
- by usha nag
The mechanism that decides which types of IP datagrams will be processed normally and which will be discarded is called IP filtering. Discarding a datagram means that the datagram is completely ignored and deleted, as if it had never been received. There are many criteria to determine which datagrams are to be filtered. IP filtering is a network layer facility which doesn't understand anything about the application using the network connection; it only knows about the connections themselves. If we want to deny users access to the internal network on the default telnet port but rely on IP filtering alone, it is not possible to stop them from using the telnet program with a port that is allowed to pass through the firewall. By using proxy servers for each service, it is possible to solve this problem. The proxy servers can prevent such abuses. If the firewall supports a World Wide Web proxy, a telnet connection will always be answered by the proxy, which will allow only HTTP requests to pass. Many proxy-server programs exist; some are free software and many others are commercial products. Here we present a survey on IP filtering mechanisms.
- by Alpha Vijayan
Attacks on the internet keep on increasing and cause harm to our security systems. In order to minimize this threat, it is necessary to have a security system that has the ability to detect zero-day attacks. "A honeypot is a proactive defense technology, in which resources are placed in a network with the aim of observing and capturing new attacks." This paper proposes a honeypot-based model for an intrusion detection system (IDS) to obtain the most useful data about the attacker. Honeypots are a modern approach to network security. A honeypot is used in the area of internet security and cryptography. It is a resource which is intended to be attacked and compromised in order to gain more information about the attacker and the implementations used. It can be deployed to attract and divert an attacker from their real targets. Honeypots have the big advantage that they do not generate false alerts, as all observed traffic is suspect because no productive components are running on the system. This fact...
- by Manoj Dhande
Distributed denial of service (DDoS) is a real-time, challenging problem for internet users. Due to the unknown nature of the attack, any defense mechanism should perform these two tasks: immediately detect the attack and take measures to stop the upcoming flood. Currently deployed defense mechanisms can easily be defeated by attackers because they know the weaknesses in the systems. Yaar [1] proposed the Pi marking scheme using the 16-bit IP header identification field. The performance of Pi marking is not effective because of its static 1-bit or 2-bit marking criteria. Our technique decides the packet marking dynamically on the basis of the hop count. The performance is promising compared to other existing schemes.
Abstract: In recent years, Denial-of-service attacks have emerged as a pressing problem. A lot of attention has been placed on Denial-of-service defense research and a number of approaches have been proposed. One suggested solution is "IP traceback", which refers to tracing malicious packets back to their origin. It is categorized into several methodologies. Packet Marking, from this category, is the subject of our study. In this paper, we focus on "Probabilistic Packet Marking (PPM)", which is inefficient in the case of Distributed Denial of Service (DDoS) attacks due to the high false positive rate in reconstructing the attack graph and also the high convergence time. We adopt a dynamic probability along with a Time to Live clustering method in order to reduce the false positive rate and the convergence time. We envision that a DDoS attack starts when network traffic is more than our default ...
- by Souzan Asadollahi
Distributed denial-of-service (DDoS) is a rapidly growing problem. The multitude and variety of both the attacks and the defense approaches is overwhelming. This paper presents taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and the current solution space. The attack classification criteria were selected to highlight commonalities and important features of attack strategies that define challenges and dictate the design of countermeasures. We propose a novel traceback method for DDoS attacks that is based on entropy variations between normal and DDoS attack traffic, which is fundamentally different from commonly used packet marking techniques. Results are graphically represented; the proposed model outperforms the existing models in a significant way.
Network forensics is an extension of network security design, which typically emphasizes prevention and detection of network attacks. It covers the need for dedicated investigative capabilities. Within that design, it allows investigating malicious behavior in networks and helps organizations examine network activity, both external and internal. It is also important for law enforcement investigations. Network forensic techniques can be used to identify the source of an intrusion and the intruder's location. Forensics can resolve many cybercrime cases using the methods of network forensics. These methods can extract the intruder's information, the nature of the intrusion, and how it can be prevented in the future. These techniques can also be used to avoid attacks in the near future. Modern network forensic techniques face several challenges that must be resolved to improve the forensic methods. Some of the key challenges include hig...
Anonymity is important to perpetrators of network-based attacks. One of the simplest ways to remain anonymous is to hide the source of an attack by chaining together multiple connections into an extended connection. This is typically done by logging into a remote host, then from there logging into a third and fourth and so on until, at the final host, an attack is launched. These intermediate hosts are called stepping stones. Tracing such an attack back to the original source is difficult. Some techniques exist to trace individual connections, but tracing an extended connection requires identifying related connection pairs at each stepping stone. This paper examines the problems and approaches to connection tracing, focusing on tracing extended connections across stepping stones. We survey the literature and discuss the several techniques that have been offered so far for discovering related connection pairs, and offer a taxonomy of these techniques. We then discuss a set of experiments performed on four selected algorithms to compare them and gain a better understanding of their relative strengths and weaknesses. An architecture for an integrated attack attribution system, including both stepping stone detection and IP traceback, is offered, followed by concluding remarks and observations. Our future work will include constructing the master function and installing stepping stone detection extensions into SPIE to provide a more complete traceback solution.
- by Tim Strayer
Digital evidence is commonly considered the backbone of the forensic body, since a reliable investigation of a breach is fundamentally based on it. However, there are challenges that harm the integrity and reliability of this digital evidence, such as removing or tampering with it, since most equipment in a production environment is reachable by intruders because it is normally assigned an Internet Protocol (IP) address. Therefore, a hidden mechanism, namely a Honeynet, ...
The utilization of the internet within organizations has surged over the past decade. Though it has numerous benefits, the internet also comes with its own challenges, such as intrusions and threats. Bring Your Own Device (BYOD), a growing trend among organizations, allows employees to connect their portable devices, such as smart phones, tablets and laptops, to the organization's network to perform organizational duties. It has gained popularity over the years because of its flexibility and cost effectiveness. This adoption of BYOD has exposed organizations to security risks and demands proactive measures to mitigate such incidents. In this study, we propose a Digital Forensic Readiness (DFR) framework for BYOD using honeypot technology. The framework consists of the following components: BYOD devices, Management, People, Technology and DFR. It is designed to comply with ISO/IEC 27043, detect security incidents/threats and collect potential digital evidence using low- and high-level interaction honeypots. Besides, the framework proffers adequate security support to the organization through space isolation, device management, crypto operations, and a policies database. This framework would ensure and improve information security as well as securely preserve digital evidence. Embedding DFR into BYOD will improve security and enable an organization to stay abreast when handling a security incident.
- by Vincent Amankona and +1
Network forensics can be seen as an extension of network security design, which typically emphasizes the prevention and detection of network attacks. It covers the need for dedicated investigative abilities. Within that design, it allows investigating harmful behavior in networks. It helps organizations to examine external and internal network activity. It is also important for law enforcement investigations. Network forensic techniques can be used to identify the source of the intrusion and the intruder's location. Forensics can resolve many cybercrime cases using the methods of network forensics. These methods can extract the intruder's information, the nature of the intrusion, and how it can be prevented in the future. These techniques can also be used to avoid attacks in the near future. Modern network forensic techniques face several challenges that must be resolved to improve the forensic methods. Some of the key challenges include hig...
IP source address spoofing exploits a fundamental weakness in the Internet Protocol. It is exploited in many types of network-based attacks, such as session hijacking and Denial of Service (DoS). Ingress and egress filtering is aimed at preventing IP spoofing. Techniques such as history-based filtering are being used during DoS attacks to filter out attack packets. Packet marking techniques are being used to trace IP packets to a point that is as close as possible to their actual source. Present IP spoofing countermeasures are hindered by compatibility issues between IPv4 and IPv6, implementation issues, and their effectiveness under different types of attacks. We propose a topology-based packet marking method that builds on the flexibility of packet marking as an IP traceback method while overcoming most of the shortcomings of present packet marking techniques.
In this work we present a hybrid model of packet marking and logging for IP traceback of a node that wants to attack any node in the network. The main idea is to detect DoS attacks in the network by employing the IP of the attacker node. We implement packet marking and logging for homogeneous and heterogeneous networks. We also integrate the concept of pre-shared key exchange on the routers to make marking of the packets easy and to increase the efficiency of detecting attacks in the network.
Network forensics is a type of digital forensics whose goal is to monitor, correlate, examine and analyze computer network traffic for various purposes, like information gathering, legal evidence, or intrusion detection. Nowadays, various services like email, web, and online transactions are used as network communication schemes. The purpose of this paper is to give an overview of different real-time security mechanisms for forensic investigation of network communication schemes.
It is common for attackers over the network to use a fake source IP address to conceal their actual locations. This paper proposes a framework that bypasses the deployment challenges of IP Traceback techniques [1]. This system examines Internet Control Message Protocol error messages (named path backscatter) triggered by spoofing traffic, and tracks the spoofers based on publicly available information (e.g., topology). Along these lines, the proposed framework can discover the spoofers with no deployment prerequisite. Despite the fact that the proposed framework cannot work for all spoofing attacks, it might be the most helpful mechanism to trace spoofers before an Internet-level traceback framework has been deployed for real. The results are obtained by implementing the system as a simulation on the Java platform for understanding the system over the networks.
- by IJERT Journal
The identification of the exact path that packets are routed along in the network is quite a challenge. This paper presents a novel, efficient traceback strategy named Tracemax in the context of a defense system against distributed denial of service (DDoS) attacks. A single packet can be directly traced over many more hops than the currently existing techniques allow. In combination with a defense system it differentiates between multiple connections. It aims to let good connections pass while bad ones are thwarted. The novel concept allows detailed analyses of the traffic and the transmission path through the network. The strategy can effectively reduce the effect of common bandwidth and resource consumption attacks, foster early warning and prevention, as well as raise the availability of the network services for the wanted customers.
- by ignacio gonzalez
Because the Internet has been widely applied in various fields, more and more network security issues emerge and catch people's attention. However, adversaries often hide themselves by spoofing their own IP addresses and then launch attacks. For this reason, researchers have proposed a lot of traceback schemes to trace the source of these attacks. Some use only one packet in their packet logging schemes to achieve IP tracking. Others combine packet marking with packet logging and therefore create hybrid IP traceback schemes demanding less storage but requiring a longer search. In this paper, we propose a new hybrid IP traceback scheme with efficient packet logging aiming to have a fixed storage requirement for each router (under 320 KB, according to CAIDA's skitter data set) in packet logging without the need to refresh the logged tracking information and to achieve zero false positive and false negative rates in attack-path reconstruction. In addition, we use a packet's marking field to censor attack traffic on its upstream routers. Lastly, we simulate and analyze our scheme, in comparison with other related research, in the following aspects: storage requirement, computation, and accuracy. EXISTING SYSTEM: Most current single packet traceback schemes tend to log packets' information on routers. Most current tracing schemes that are designed for software exploits can be categorized into three groups: single packet, packet logging and hybrid IP traceback. The basic idea of packet logging is to log a packet's information on routers. The methods used in the existing systems
DDoS attacks have become one of the most dangerous issues in the Internet today. Because of these attacks, legitimate users cannot access the resources they need. In [1] the authors proposed a combined method for tracing and blocking the sources of DDoS attacks. The essence of the method is that each router marks the network packet that passes through it using a random hash function from the set. At the receiving side this information is stored and used to filter unwanted traffic and trace back the source of the distributed attack. This article describes the simulation of the combined method and its results.
A Distributed Denial of Service (DDoS) attack is an unavoidable attack. Among various attacks on the network, DDoS attacks are difficult to detect because of IP spoofing. IP traceback is the only technique to identify DDoS attacks. The path affected by a DDoS attack is identified by IP traceback approaches like the Probabilistic Packet Marking algorithm (PPM) and the Deterministic Packet Marking algorithm (DPM). The PPM approach finds the complete attack path from victim to source, whereas DPM finds only the source of the attacker. Using the DPM algorithm, finding the source of the attacker is difficult if the router gets compromised. Using the PPM algorithm we construct the complete attack path, so the compromised router can be identified. In this paper, we review PPM and DPM techniques and compare the strengths and weaknesses of each proposal.
IP traceback plays an important role in cyber investigation processes, where the sources and the traversed paths of packets need to be identified. It has a wide range of applications, including network forensics, security auditing, network fault diagnosis, and performance testing. Despite a plethora of research on IP traceback, the Internet is yet to see a large-scale practical deployment of traceback. Some of the major challenges that still impede an Internet-scale traceback solution are concern about disclosing ISPs' internal network topologies (in other words, concern about privacy leaks), poor incremental deployment, and lack of incentives for ISPs to provide traceback services. In this work, we argue that cloud services offer better options for practical deployment of an IP traceback system. We first present a novel cloud-based traceback architecture, which possesses several favorable properties encouraging ISPs to deploy traceback services on their networks. While this makes the traceback service more accessible, regulating access to the traceback service in a cloud-based architecture becomes an important issue. Consequently, we address the access control problem in cloud-based traceback. Our design objective is to prevent illegitimate users from requesting traceback information for malicious intentions (such as ISP topology discovery). To this end, we propose a temporal token-based authentication framework, called FACT, for authenticating traceback service queries. FACT embeds temporal access tokens in traffic flows, and then delivers them to end-hosts in an efficient manner. The proposed solution ensures that the entity requesting traceback service is an actual recipient of the packets to be traced. Finally, we analyze and validate the proposed design using real-world Internet datasets.
- by sreesh vee
Honeynets originated as a security tool designed to be tracked, attacked and compromised by hypothetical intruders. They consist of network environments and sets of applications, and after being installed and configured with all of these components, the Honeynet is ready to be attacked with the purpose of maintaining a controlled environment for the study of the events that occurred. Through the analysis of these events, it is possible to understand the objectives, tactics and interests that the attackers have for the proposed environment. This paper describes the state of the art of Honeynets, referring to architectures, Honeynet types, tools used in Honeynets, Honeynet models and applications in the real world that are focused on capturing information.
Digital Forensics is a field that deals with the safe and unaltered collection of vital data from the scene of a crime incident for the purpose of investigation and prosecution. Different tools have been developed to help in analysing or estimating the degree or extent of the criminality. However, the exponential growth and expansion being experienced in the field of computing and networking is making these estimations or forensic analyses more or less accurate. Some of the reasons militating against effective analysis are attributed to various inhibiting policies across different platforms, routers, and domains of networking. In this paper, some tools used for forensic analysis or estimating the probative values of digital evidence are referred to as estimators. Three of these estimators are selected and tested in a simulated environment. An analysis of three digital forensics estimators (EnCase, Safeback and ToolKit) is carried out in this paper. This is experimentally aided by simulation of a heterogeneous domain-based network, and a packet analyzer is used to collect probability readings in the packet option field at each hop along the communication path between an attacker and the victim. The graphical analysis with varied initial values shows that the estimation accuracies of the estimators reduce irrespective of initial values. With the developed model, the router could be configured for packet boosting at the point of dwindling probabilities using the Maximum Network Flow Algorithm.
The mechanism that decides which types of IP datagrams will be processed normally and which will be discarded is called IP filtering. Discarding a datagram means that the datagram is completely ignored and deleted, as if it had never been received. There are many criteria to determine which datagrams are to be filtered. IP filtering is a network layer facility which doesn't understand anything about the application using the network connection. It only knows about the connections themselves. If we want to deny users access to the internal network on the default telnet port, but rely on IP filtering alone, it is not possible to stop them from using the telnet program with a port that is allowed to pass through the firewall. By using proxy servers for each service, it is possible to solve this problem. The proxy servers can prevent abuses. If the firewall supports a World Wide Web proxy, a telnet connection will always be answered by the proxy and only HTTP requests will be allowed to pass. A large number of proxy-server programs exist. Some are free software and many others are commercial products. Here we present a survey on IP filtering mechanisms.
- by IJAR Indexing
Denial-of-service (DoS) attacks pose an increasing threat to today's Internet. One major difficulty in defending against Distributed Denial-of-Service attacks is that attackers often use fake, or spoofed, IP addresses as the IP source address. The Probabilistic Packet Marking algorithm (PPM) allows the victim to trace back the origin of a spoofed IP source address used to disguise the true origin. In this paper we propose a technique that encodes the packets more efficiently than the Savage probabilistic packet marking algorithm and reconstructs the attack graph. This enhances the reliability of the probabilistic packet marking algorithm.
A Denial of Service (DoS) attack is one of the most common attacks on the Internet. The most difficult part of this attack is to find the source of the denial of service (DoS) attack. Savage et al. proposed the PPM algorithm to trace back the route to the attacker. We found two disadvantages of the Savage traceback technique. The first disadvantage is that the probability of finding far-away routers is very low, which results in losing some of the routers' identities. This affects the attack graph construction. The second disadvantage is that, because of remarking of the edges, the constructed graph contains new edges which do not exist in the attack graph. In this paper, we propose a modified probabilistic packet marking (MPPM) IP traceback methodology, and we found that the results are quite interesting when compared with the approach proposed by Savage. Keywords: DoS attack, IP traceback, indicator, far-away routers, Modified Probabilistic Packet Marking.
The Probabilistic Packet Marking algorithm suggests a methodology to identify all the participating routers of the attack path by probabilistically marking the packets. In this approach, these marked packets contain partial information regarding the routers of the attack path. At the receiver, to get the complete information on every router, more marked packets are required, and hence more combinations and more false positives. To overcome this drawback we have presented a novel idea for finding the exact IP address of the routers in the attack path by applying the Chinese Remainder Theorem. The result of our implementation reveals that our idea requires fewer marked packets and takes no time in constructing the attack path. The same idea holds even in the case of multiple attackers.
IP traceback is a solution for attributing cyber attacks, and it is also useful for accounting user traffic and network diagnosis. Marking-based traceback (MBT) has been considered a promising traceback approach, and has received considerable attention. However, the traceback message delivery problem in MBT, which is important to the successful completion of a traceback, has not been adequately studied in the literature. To address this issue, we present the design, analysis, and evaluation of opportunistic piggyback marking (OPM) for IP traceback in this paper. The OPM distinguishes itself from the existing works by decoupling the traceback message content encoding and delivery functions in MBT, and efficiently achieves expedited and robust traceback message delivery by exploiting piggyback marking opportunities. Based on the proposed OPM scheme, we then present the flexible marking-based traceback framework, which is a novel design paradigm offering features for practical deployment of IP traceback. Through the numerical analysis and the comprehensive simulation evaluations, we demonstrate that our design effectively reduces the traceback completion delay and router processing overhead, and increases the message delivery ratio compared with other baseline approaches.
Since the World Wide Web has been used broadly in numerous fields for so many decades, network safety problems have become the main matter. IP traceback is the method to identify the actual source: it reconstructs the path IP packets traversed inside the World Wide Web to determine their origins. IP traceback may be an important ability for identifying sources of attacks and starting protection measures for the Internet. This paper explores different IP traceback approaches. This comparative paper presents as well as extends many technologies to protect secured information from network issues by using different IP traceback techniques.
The common cases that often occur on a computer network are weak points of computer security on computer networks. Network forensics is a process of analyzing activity, recording, or even identifying the network to find digital evidence of a computer crime. Since the existence of the Internet as a global communication tool, it is a gap where crime often occurs. Network forensics and lawful interception of Internet traffic are important tasks for many organizations, including small and medium businesses, enterprises, and the banking and finance industry. This archiving and restoration of Internet data can be used as legal evidence in case of disagreement. Government and intelligence agencies use the technology to protect and defend national security. In general, computer forensics is simply the application of computer investigation and analysis techniques to determine the legal evidence that may exist. There are several ways to find a crime on a computer network. The use of several supported applications is meant to improve the success of network forensic processes in the common cases.
The Distributed Denial-of-Service attack is a serious threat on the Internet, and an effective method is needed for distinguishing the attack traffic from the legitimate traffic. We propose the concept of bit marking to identify and drop the attack packets. Bit marking is a variation of the packet marking technique that modifies the packet header at each router. However, bit marking differs from packet marking in its process and purpose. Instead of storing the router information in the packets, bit marking alters one or more bits in the marking field at each router. The bit positions for each ingress line card are selected randomly only once at initialization. Such bit marking is performed on all the packets, resulting in a common path signature in the marking field upon arrival at a destination for all the packets originating from the same location. Since the packets traversing different paths are likely to have different path signatures, the bit marking process generates a quite unique path signature for different sources, roughly emulating the source IP. Such a path signature allows easy identification and blocking of the DDoS attack.