attacks.
This approach provides an
Speedy IP trace
back (SIPT)for
identifying DOS
attacks
ABSTRACT:
Denial-of-service (DoS) is a type of
attack in networks in which an attacker
may be able to prevent legitimate users
from accessing email, web sites, online
accounts(banking, etc.), or other services
that rely on the affected computer.
Unfortunately, mechanisms for dealing
with DoS attacks haven’t advanced at
the same pace as the attacks themselves.
This paper presents a new method
for identifying denial-of-service attacks
that uses the attacker’s media access
control address for identification and
trace back. Our approach to thwarting
DoS attacks, also called Speedy IP
Trace back (SIPT), uses the boundary
router the attacker is connected to,
allows identification after the attack, and
imposes minimal extra load on the
network. Most research in this area has
focused on mitigating the effects of the
effective stopgap measure, but doesn’t
eliminate the problem or discourage
attackers.
INTRODUCTION:
In a denial-of-service (DoS) attack,
an attacker attempts to prevent
legitimate user from accessing
information or services by targeting his
computer and its network connection, or
the computers and network of the sites
that he is trying to use. Eg: flooding the
network with information.
In a distributed denial-of-service
(DDoS) attack, an attacker may use
other user’s computer to attack another
computer. By taking advantage of
security vulnerabilities or weaknesses,
an attacker could take control of other
computers, thereby sending huge
amounts of data to a web site or send
spam to particular email addresses. The
attack is "distributed", because the
attacker is using multiple computers, to
launch the denial-of-service attack. They
can explicitly conceal their origin by
directly compromising individual slave,
or zom-bie, host computers without the
computer owner’s knowledge.
For example, a remote master machine
can send packets from many different
slave computers under its control.
Attackers can also implicitly conceal the
attack’s origin with a reflector that
responds to false requests the slaves send
on the victim’s behalf.
This traceback problem is driven by
the operational need to control and
contain attacks. Even though packets
have a source and destination IP address,
the source is frequently falsified,
allowing DoS attacks to occur.
SIPT FOR IDENTIFYING THE
BOUNDARY ROUTER :
Existing techniques to combat
DoS attacks focus on finding the entire
set of routers that the attack packet has
traversed. However, knowing the
packet’s actual path doesn’t really help
to find the attacker. Statistically, packets
don’t usually follow many different
paths while moving between the source
and destination.
Speedy IP Traceback (SIPT)
method finds boundary router (the router
connected directly to the client) or a
particular client’s Linux embedded
appliance firewall router. Once we know
the boundary router and the attacker’s
media access control (MAC) address, we
can identify the attacker and find the
attack path.
With SIPT, each router determines if
an incoming packet originated from a
directly connected client or another
router. If the packet came from a client,
the router inserts a data link connection
identifier for the source (client) and the
IP address of its own incoming interface.
The packet is then forwarded as usual. If
the packet came from a router, it is
simply forwarded without any addition.
With this additional source link address
information in the packet, the destination
can identify the attacker’s boundary
router.
EXISTING MECHANISMS:
A variety of IP trace back techniques
exist. However, all have their own
drawbacks. Some of the existing
mechanisms are:
INGRESS FILTERING :
The ingress filtering
approach configures routers to block
packets that arrive with illegitimate
source addresses. This requires a router
with enough power to examine the
source address of every packet, and
sufficient knowledge to distinguish
between legitimate and illegitimate
addresses.
LINK TESTING :
Administrators use two different types of
link tests: input debugging and
controlled flooding.
Input Debugging: With this test,
administrators capture and record
specific details on IP packets that
traverse networks. Once administrators
know that an attack is in progress, they
must find a unique characteristic
common across attack packets. This is
called the attack signature, which is
used to differentiate attack traffic and
determine the inbound interface.
Controlled Flooding:
This involves sending large bursts
of traffic link by link upstream and
monitoring the impact on the rate of
received attacking packets. While an
attack is in progress, an administrator
can run extended pings across each
upstream link to see which has an effect
on attacking traffic. Once the
administrator finds this link on the router
closest to the victim, the process is
repeated with the next router upstream.
LOGGING:
Some assume that administrators
can store, or log, all packets that traverse
a router or network to investigate attacks
even after they have stopped.
Administrators could handle this by
using a fixed amount of storage capacity
and logging recent data while purging
old data as needed. They could also use
packet slicing, which only records each
packet’s IP header information. This
technique could potentially affect system
and network performance through
increased traffic from logged data and
higher router CPU and memory
utilization.
ICMP Traceback:
Internet Control Message Protocol
(ICMP) traceback forwards packets so
that routers can, with a low probability,
generate a traceback message that’s sent
along to the destination. With enough
traceback messages from enough routers
along the path, the traceback can
determine the traffic source and path.
 Some have proposed using reserved
and unused fields in the IP header to
support this feature. Although adding
more information to IP headers might
increase fragmentation, an administrator
could create a coding scheme to ensure
that traceback information doesn’t cause
packets to exceed the maximum
transmission unit.
Attackers could also forge the
information in this field, similar to
spoofing the source address. However,
an administrator could put a security or
authentication measure in place to
prevent this. One other drawback: Packet
marking would need to be implemented
globally within the Internet to be of real
value.
Table 1 shows the relative advantages
and disadvantages of the new approach
(SIPT) and each traceback technique.
Packet Marking:
One inventive idea is to insert traceback
information directly into IP headers as
they traverse routers. As Figure 2 shows,
this would let a DoS attack victim glean
the attack traffic’s true path from the
original packet. This technique would
also eliminate attacker’s ability to
conceal the true source.

HOW SIPT WORKS :
The router plays a vital role in
SIPT. For packets originating from a
directly connected client, the router
inserts the client’s data link identifier
(available in the source MAC field of the
MAC header) and its own IP address
(the address of the incoming interface)
into the packet’s IP header using one of
the several available packet-marking
techniques.
This marking process inserts the
attacker identification information
(AII). After marking, the system
forwards the packet as usual. If the
packet didn’t arrive from a directly
connected client, but instead from
another upstream router, it is forwarded
as usual without any marking.
Every packet that the server receives is
hence marked with the MAC address of
the machine that sent it and the IP
address of the router the machine is
connected to. The server is thus armed
with enough information to establish the
origin of every packet it receives. The
marking must be done at the first router
because it alone knows the client’s MAC
address. Subsequently, the attacker’s
source MAC address will be lost when
the MAC header is replaced in the next
hop. Several available intrusion
detection systems will detect a DoS
attack and trigger our system into
action.The server then captures the
attack packets either by pattern analysis,
or by a hash-table counting method.
As Figure 3 shows, we used the hash-
table counting method in our all-Linux
implementation. This new approach
extracts the AII from the packet and
stores it in the hash table after
classifying or hashing it on the basis of
the MAC address. This approach also
maintains a record of the number of
packets arriving from the same machine
and containing the same AII.
On building the hash table, we could
clearly identify the machine(s) that sent
traffic in anomalously large proportions.
These were then blacklisted as attack
machines. We could also identify when
more than one machine sent
anomalously large proportions of traffic,
a capability that makes our system useful
for fighting DDoS attacks.
After this, an administrator can
quickly and easily perform the
traceback. The server refers to the AII
and retrieves the IP address of the router
the attacker is directly connected to and
the ttacker’s MAC address. The system
can identify the attacker with just these
two pieces of information.
CONCLUSION :
Since our method has
backward compatibility and supports
incremental deployment, the probability
of finding an attacker will increase with
the percentage of routers capable of
running our trace back algorithm. For
our implementation, we trust the
authenticity of the MAC addresses.
Although IP address spoofing is
common, statistics show that MAC
address spoofing is less prevalent.
However, future MAC address
spoofing can’t be ruled out. In any case,
even if the MAC address is spoofed,
this method manages to pinpoint the
boundary router, which in itself amounts
to solving a major portion of the IP
traceback problem.
The SIPT approach doesn’t
constitute a hop-by-hop traceback.
Instead, it directly finds the boundary
router connected to the attacker. Besides
being a faster method for finding the IEEE/ACM Trans. Networking, June
attacker, SIPT results in a lower network 2001, pp. 226-237.
overload than other methods. Although 4. C. Gong and K. Sarac, “IP Traceback
tuned for defense of DoS, SIPT can be with Packet Marking
used to single out other kinds of attacks and Logging,” Proc. South Central
once the trace has identified an attack Information Security
packet. Symp. (SCISS 04), Univ. of North
Considering the vast scope of Texas, 2004, p. 1.
networking issues and problems, many 5. S. Bellovin, M. Leech, and T. Taylor,
more layers of implementation might be “ICMP Traceback Messages,”
needed as we proceed with deployment. Network Working Group Internet draft,
Mar. 2000;
REFERENCES: www.cs.columbia.edu/~smb/papers/draft
1. S. Specht and R. Lee, “Distributed
-bellovin-itrace-00.txt.
Denial of Service: Taxonomies of
Attacks, Tools, and Countermeasures,”
Proc. 17th Int’l Conf. Parallel and
Distributed Computing Systems
http://palms.ee.princeton.edu/PALMSop
en/DDoS%20Final%20PDCS%20
Paper.pdf.
2. P. Ferguson and D. Senie, Network
Ingress Filtering: Defeating
Denial of Service Attacks which Employ
IP Source Address
Spoofing, IETF RFC 2827, May 2000;
www.rfceditor.
org/rfc/rfc2827.txt.
3. S. Savage et al., “Network Support for
IP Traceback,”