However, so far, no Internet-level IP trace back system has ever been deployed because of deployment difficulties. In this paper, we present a flow-based trace. A Flow-Based Traceback Scheme on an AS-Level Overlay Network | IP trace back Overlay Network, Scheme and Routing Protocols | ResearchGate, the. proach allows a victim to identify the network path(s) traversed by attack traffic without While our IP-level traceback algorithm could be an important part of the . [43] R. Stone, “CenterTrack: An IP overlay network for tracking DoS floods,” in.

Author: Digul Mikakasa
Country: Serbia
Language: English (Spanish)
Genre: Career
Published (Last): 8 August 2014
Pages: 27
PDF File Size: 5.20 Mb
ePub File Size: 17.21 Mb
ISBN: 691-4-60009-435-7
Downloads: 86828
Price: Free* [*Free Regsitration Required]
Uploader: Nikoramar

Since adversaries may spoof their source IPs in the attacks, traceback schemes have been proposed to identify the attack source. However, some of these schemes’ storage requirements increase with packet numbers. Some even have false positives because they use an IP header’s fragment offset for marking. Thus, we propose a bit single packet hybrid IP traceback scheme that combines packet marking and packet logging with high accuracy and low storage requirement.

An AS-level overlay network for IP traceback – Semantic Scholar

The size of our log tables can be bounded by route numbers. We also set a threshold to determine whether an upstream interface number is stored in ipp log table or in a marking field, so as to balance the logging frequency and our computational loads. Because we store user interface information on small-degree routers, compared with current single oevel traceback schemes, ours can have the lowest storage requirements. Recent years have seen the rapid growth of the Internet, and the widespread Internet services have become a part of our daily life.

These services, however, are vulnerable to many potential threats. In a flooding-based attack, the victim’s resources can be exhausted by a huge amount of forged source packets. But in a software exploit attack, a villain needs to find the host’s vulnerabilities and then uses only a few packets to launch attacks, for example, Teardrop attacks and LAND attacks [ 2 ]. Normally the source and destination IP addresses are stored in a packet’s IP header to indicate its source and destination.

In practice, however, most routers do not verify a packet’s source IP. This is why attackers usually take this advantage and spoof their real address to evade tracking. This security issue has come to our attention and we find it urgent to propose an efficient traceback scheme tracking the real source of impersonation attacks.

Therefore, packet-marking schemes are proposed to trace the real source of flooding-based packets. They use the free fields of each packet’s IP header to kevel the packet’s route and the routers along the route. As these packets are usually in a huge amount, these marking schemes are categorized as probabilistic packet marking PPM [ 3 — 9 ] and deterministic packet marking DPM [ 10 — 14 ].

The two methods are proposed to lower the routers’ marking loads. However, both PPM and DPM require at least eight packets for path reconstruction [ 12 ], so they may not be able to trace the source of software exploit attacks, which can tracwback only one packet to paralyze the system.

If we want to achieve single packet traceback, we have to use packet logging schemes [ 15 — 17 ] to log the packet’s unchanged data on the routers.

And the path reconstruction requires hop-by-hop queries of previous routers. For example, in Snoeren et al. But if the filter logs too many packets, there might be collision in their log tables and therefore they will have false positives during path reconstruction. Likewise, TOPO [ 16 ] uses each upstream router’s identifier to decrease the chance of collision and false positives.

If the log tables are refreshed, the traceback scheme is unable to reconstruct the attack route. For these reasons, hybrid single packet traceback schemes have been proposed to combine packet marking and packet logging.


These methods can achieve single packet tracking and have lower storage requirements and false positive rates. There are two types of these hybrid single packet traceback schemes: But the storage requirement on each router grows when the packet number increases.

When it exceeds the router’s quota, the logged data will be refreshed and the path reconstruction fails. The other type encodes a packet’s route as a mark and stores it in the packet’s header. If the mark is larger than the size of a marking field, the packet’s route is logged onto a router [ 24 — 26 ] to decrease each router’s storage loads. These schemes decrease the false negative rate because the logged data in a router does not need to be refreshed. When a router receives the packet, it uses the packet’s destination IP as an index to choose a log table to log this mark.


Then the router writes its ID and the packet’s upstream routes into the mark, so that the downstream routers can use the mark to trace the origin of the attack. However, in Lu et al. Besides, the scheme does not have indexes for their log tables. It needs to do an exhaustive search during path reconstruction, so as to find the corresponding upstream interface number of the attack packet. Since the exhaustive search consumes lots of computation power of a router, it makes their traceback scheme not practical.

Storage-Efficient 16-Bit Hybrid IP Traceback with Single Packet

Yang propose RIHT [ 24 ] to encode all the upstream routers’ interface numbers as their log table’s indexes. The routers do not need to search their log tables during path reconstruction. But in the two schemes, if a packet’s size exceeds the maximum transmission unit MTUthe packet will be fragmented and cannot be assembled at the destination.

If a router receives a packet whose mark is larger thanthe router hashes the packet’s destination IP and uses the hash value to assign a log table; it also hashes the packet’s mark to compute an index value.

According to the table number and the index value, the packet’s route is logged on the router. Besides, because a router that supports IPsec may need to add ESP’s header to each packet, it can tracebacl a packet’s length and fog chance of fragmentation.

Hence, IPsec may not work because of the high chance of packet fragmentation and because of the difficulty in packet reassembly. Also, the values of Fragment Flag and Fragment Offset are used to show whether a packet is fragmented or not. If they are used as a marking field instead, the downstream router cannot tell if the received packet has been fragmented.

However, in Yang’s bit hybrid single IP a scheme [ 26 ], he uses the quadratic probing algorithm to search an available levdl for his log tables and to minimize the impact of collision. In quadratic probing, the load factor suggests the usage rate of each log table. RIHT defines its load factor according to the chance of their successful and unsuccessful searches, and it finds its unsuccessful search rate soars when each log table has used over half its slots. In order to balance the collision times and each table’s usage rate, Yang sets his load factor as 0.

However, the use of quadratic probing has caused half of his log tables to be unused and this results in a waste of space to the routers. To reduce the storage requirements for logging, we propose two schemes in our bit hybrid traceback protocol to encode the upstream routers’ interface numbers as an index of the log table’s entry.

An AS-level overlay network for IP traceback

A router will compare its degrees with aw threshold to choose a coding scheme to calculate the mark. Therefore, we can decrease the storage requirements by reducing the logging frequency. Also, we propose a logging scheme to further reduce the storage requirements for logging. To write the packet’s route into a log table, we search the first empty slot in the log table from the top to the bottom sequentially. The main contributions of our scheme are leveel below and we aim to satisfy the first three so as to achieve the last two:.

Our traceback scheme will be elaborated in the following sections. The simulation, analysis, and comparison of our scheme and other related hybrid traceback approaches are provided in Section 3. And a conclusion is drawn ax Section 4. In overay to prevent packet drop caused by fragmentation and high entwork requirements, we propose a new marking scheme to further decrease the storage requirements for a router.

As shown in Table 1we use the bit ID field as our marking field in our traceback scheme. While we keep low storage requirements, our storage can still be bounded by path numbers and the fragmented packets can be reassembled.


Figure 1 illustrates an example setup of our traceback scheme. A router can be connected to a local network or other levell. A border router receives packets from its local network and sends the packets to the destination through a core router. Because packets come from different sources, a border router may also be a core router. For example, R 9 serves as a border router when it receives packets from Host. However, it becomes a core router when receiving packets from R 8.

In the following discussion, we use D R i to indicate the degree of router R ithat tracebaxk, the number of routers adjacent to R i. But the degree does not include the interface of a LAN. In our protocol, any router R i and its network topology has to follow the following assumptions:. Our traceback scheme consists of two stages: The levfl of how we trace the origin of an attack will be elaborated in the following subsections.

Tracsback our marking scheme, we mark a router’ interface numbers and store the mark in a packet’s IP header. But an IP header has only limited space, so we combine logging with marking to log marks on the leevl.

During path reconstruction, each router can only track its upstream router’s adjacent interface number. When a packet enters a network from its host, every router that complies with our protocol has to mark its own route info on the passing packets and store the mark in each packet’s marking field.

Each router’s route info ovelray of the interface number where the packet enters; its log table’s information; and its degrees. The packets that a router receives can be categorized into two types.

In the first type, when a border router receives a packet from its local network, it sets the packet’s marking field as zero and forwards the packet to the next core router. Therefore, when adversaries send attack packets with a forged path in the marking field trying to confuse our tracking, we can still locate their origin correctly. Hence we can verify whether a router is the source router of an attack by checking if the marking field is zero.

However, such a marking and logging method may require more log tables on a router. According to CAIDA’s skitter data [ 29 ], this method would exceed a log table’s maximum entries [ 26 ]. As shown sa Table 2 aa router’s log table HT k consists of three parts: The marks include the routers’ interface numbers and are passed to the next router with the packets.

But a large metwork D R i makes a large logged mark, which can cause high overla frequency and increase the storage requirements for its downstream routers. To lower the logging frequency caused by a large interface number UI irouter R i logs the packet mark and its interface number UI i to reduce the mark size; see Table 2 b. However, if we insert the interface number into a logging table, it requires more storage for router R i to store the table.

To balance the storage requirements for router R overkay and its downstream routers and to have lower average global storage requirements, we set a threshold for a router’s degree so as to decide whether to write levsl interface number UI i into a packet’s header or into a log table. We suggest the value of threshold in Section 3. Algorithm 1 shows the detailed steps of our marking and logging scheme.

When a router receives a packet P j and needs to log its mark, the router checks its degree D R i to decide whether or not to log the interface number UI i ; compare lines 29—33 in Algorithm 1. Next the router sends the new mark to the downstream router.

Since which table will be used to log a packet is determined by the hash value of the packet’s source, packets that have the same source IP but come from different routes will be logged in the same table [ 26 ].