(IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 5, 2011

Establishing an Effective Combat Strategy for Prevalent Cyber-Attacks

Vivian Ogochukwu Nwaocha, Computer Science Department, University of Nigeria, Nsukka, ogochukwuvee@gmail.com
Inyiama H.C., Computer Science Department, University of Nigeria, Nsukka, drhcinyiama@gmail.com


Abstract—As organisations continue to incorporate the Internet as a key component of their operations, the global cyber-threat level is increasing. One of the most common types of cyber-threats is known as the Distributed Denial of Service (DDoS) attack – an attack preventing users from accessing a system for a period of time. Recent DDoS attacks have left large corporate and government networks inaccessible to customers, partners and users for hours or days, resulting in significant financial, reputational, and other losses. The attack power of a Distributed DoS (DDoS) attack is based on the massive number of attack sources instead of the vulnerabilities of one particular protocol. DDoS attacks, which aim at overwhelming a target server with an immense volume of useless traffic from distributed and coordinated attack sources, are a major threat to the stability of the Internet. The number and assortment of both the attacks as well as the defense mechanisms is outrageous. Though an array of schemes has been proposed for the detection of the presence of these attacks, classification of the TCP flows as a normal flow or a malicious one, identifying the sources of the attacks and mitigating the effects of the attacks once they have been detected, there is still a dearth of complete frameworks that encompass multiple stages of the process of defense against DDoS attacks. The growing use of cloud computing services and shared infrastructure is further increasing the importance of having a considered plan for managing such attacks. For a proactive mitigation against DDoS attacks, we propose an integrated framework which would handle the classification, mitigation and traceback of these attacks. Thus, developing an effective mitigation strategy is an important measure to minimize the risk posed to an organisation by the threat of DDoS attacks.

Keywords-attacks; classification; cyber; detection; distributed denial of service (DDoS); intrusion; mitigation; traceback

I. INTRODUCTION

The growing population using public networks has brought about an increase in the incidence of network intrusion. Hence the need for an equivalent increase in business owners' duty to guarantee due diligence and fiduciary responsibility with respect to protecting users against all causes of loss or damage. The potential costs of failing to do so can in fact be quite enormous. Amongst the security threats, the most severe to the steady functioning of any network are Distributed Denial-of-Service (DDoS) attacks. Distributed Denial of Service (DDoS) is one of the major threats for the Internet because of its ability to create a huge volume of unwanted traffic [1]. The primary goal of these attacks is to prevent access to a particular resource such as a Web site [2].

The first reported large-scale DDoS attack occurred in August, 1999, against the University of Minnesota [3]. This attack shut down the victim's network for more than two days. In the year 2000, a DDoS attack stopped several major commercial Web sites, including Yahoo and CNN, from performing their normal activities [3]. In [4], D. Moore et al. used backscatter analysis on three week-long datasets to assess the number, duration and focus of DDoS attacks, and to characterize their behaviour. They found that more than 12,000 attacks had occurred against more than 5,000 distinct victims in February, 2001. In October, 2002, the Domain Name Systems (DNS) in the Cooperative Association for Internet Data Analysis (CAIDA) network became the victim of a heavy DDoS attack. Many legitimate users could not access web sites because their DNS requests were not able to reach root DNS servers. The congestion caused by the DDoS attack forced routers to drop these requests [5]. A more serious DNS-based DDoS attack was reported in March, 2006 [6]. Instead of attacking DNS servers directly, this new type of DDoS attack just used DNS servers as reflectors to create a stronger attack. This kind of DDoS is harder to stop than normal DDoS attacks due to complicated DNS protocols and interaction among multiple DNS servers. During two months, 1,500 individual Internet protocol addresses were attacked using this approach.

As organisations continue to incorporate the Internet as a key component of their operations, the global cyber-threat level is increasing. One of the most common types of cyber-threats is known as the Distributed Denial of Service (DDoS) attack – an attack preventing users from accessing a system for a period of time. Recent DDoS attacks have left large corporate and government networks inaccessible to customers, partners and users for hours or days, resulting in significant financial, reputational, and other losses. The attack power of a Distributed DoS (DDoS) attack is based on the massive number of attack sources instead of the vulnerabilities of one

142    http://sites.google.com/site/ijcsis/    ISSN 1947-5500
particular protocol. DDoS attacks, which aim at overwhelming a target server with an immense volume of useless traffic from distributed and coordinated attack sources, are a major threat to the stability of the Internet. The number and assortment of both the attacks as well as the defense mechanisms is outrageous. Though an array of schemes has been proposed for the detection of the presence of these attacks, classification of the TCP flows as a normal flow or a malicious one, identifying the sources of the attacks and mitigating the effects of the attacks once they have been detected, there is still a dearth of complete frameworks that encompass multiple stages of the process of defense against DDoS attacks. The growing use of cloud computing services and shared infrastructure is further increasing the importance of having a considered plan for managing such attacks. For a proactive mitigation against DDoS attacks, we propose an integrated framework which would handle the classification, mitigation and traceback of these attacks. Thus, developing an effective mitigation strategy is an important measure to minimize the risk posed to an organisation by the threat of DDoS attacks.

II. DISTRIBUTED DENIAL OF SERVICE ATTACKS

A Denial of Service (DoS) attack is commonly characterized as an event in which a legitimate user or organisation is deprived of certain services such as e-mail or network connectivity, that they would normally expect to have. DoS attacks [7, 8] inject maliciously-designed packets into the network to deplete some or all of these resources. The attack power of a Distributed DoS (DDoS) attack [9] is based on the massive number of attack sources instead of the vulnerabilities of one particular protocol. DDoS attacks, which aim at overwhelming a target server with an immense volume of useless traffic from distributed and coordinated attack sources, are a major threat to the stability of the Internet. The number and assortment of both the attacks as well as the defense mechanisms is outrageous. Though an array of schemes has been proposed for the detection of the presence of these attacks, characterizing of the flows as a normal flow or a malicious one, identifying the sources of the attacks and mitigating the effects of the attacks once they have been detected, there is still a dearth of complete frameworks that encompass multiple stages of the process of defense against DoS attacks.

For a proactive mitigation against flooding-based DDoS attacks, we propose an integrated framework which would handle the classification. As one of the major security problems in the Internet, a denial-of-service (DoS) attack always attempts to stop the victim from serving legitimate users. A distributed denial-of-service (DDoS) attack is a DoS attack which relies on multiple compromised hosts in the network to attack the victim. There are two types of DDoS attacks. The first type of DDoS attack has the aim of attacking the victim to force it out of service for legitimate users by exploiting software and protocol vulnerabilities of the system [10]. The second type of DDoS attack is based on a huge volume of attack traffic, which is known as a flooding-based DDoS attack. A flooding-based DDoS attack attempts to congest the victim's network bandwidth with real-looking but unwanted IP data. As a result, legitimate IP packets cannot reach the victim due to a lack of bandwidth resource. To amplify the effects and hide real attackers, DDoS attacks can be run in two different distributed coordinated fashions. In the first one, the attacker compromises a number of agents and manipulates the agents to send attack traffic to the victim. The second method makes it even harder to determine the attack sources because it uses reflectors. A reflector is any host that will return a packet if it receives a request packet [11]. For example, a Web server can be a reflector because it will return an HTTP response packet after receiving an HTTP request packet. The attacker sends request packets to servers and fakes the victim's address as the source address. Therefore, the servers will send back the response packets to the real victim. If the number of reflectors is large enough, the victim network will suffer exceptional traffic congestion. Before we introduce the DDoS attack architectures and mechanisms, we give two basic definitions. First, the DDoS attack traffic is the traffic which is produced or triggered by the compromised agents. Second, the legitimate traffic is the traffic which is produced by the normal hosts. In order to analyze DDoS attacks, two basic distributed architectures of flooding-based DDoS attacks and common IP spoofing techniques were employed. Furthermore, we specify the basic mechanism of spoofing-based DDoS attacks and list three typical flooding-based DDoS attacks.

A. Distributed Cooperative Architecture of DDoS

Before real attack traffic reaches the victim, the attacker must cooperate with all its DDoS agents. Consequently, there must be control channels between the agents and the attacker. This collaboration requires that all agents send traffic based on commands received from the attacker. The network which consists of the attacker, agents, and control channels is called the attack network. In [12], attack networks are divided into three types: the agent-handler model, the Internet Relay Chat (IRC)-based model, and the reflector model.




Figure 1. Classic Architecture of a DDoS Attack

The agent-handler model consists of three components: attacker, handlers, and agents. Figure 1 illustrates the typical architecture of the model. One attacker sends control messages to the previously compromised agents through a number of handlers, instructing them to produce unwanted traffic and send it to the victim. The architecture of the IRC-based model is not that much different from that of the agent-handler model except that instead of communication between an attacker and agents based on handlers, an IRC communication channel is used to connect the attacker to agents [12]. Fig. 2 illustrates the architecture of an attack network in the reflector model. The reflector layer makes a major difference from the typical DDoS attack architecture. In the request messages, the agents modify the source address field in the IP header using the victim's address to replace the real agents' addresses. Then, the reflectors will in turn generate response messages to the victim. As a result, the flooding traffic which reaches the victim is not from a few hundred agents, but from a million reflectors [11]. An exceedingly diffused reflector-based DDoS attack raises the bar for tracing out the real attacker by hiding the attacker behind a large number of reflectors. Unlike some types of DDoS attacks, "the reflector does not need to serve as an amplifier" [11]. This means that reflectors still can serve other legitimate requests properly even when they are generating attack traffic. The attacker does not need to compromise reflectors to control their behaviours in the way that agents need to be compromised. Therefore, any host which will return a response if it receives a request can be a reflector. These features facilitate the attacker's task of launching an attack because it just needs to compromise a small number of agents and find a sufficient number of reflectors.

Figure 2. Architecture of a DDoS attack using reflectors

B. IP Spoofing

IP spoofing is used in all DDoS attacks as a basic mechanism to hide the real address of agents or the attacker. In a classical DDoS attack, the agents randomly spoof the source addresses in the IP header. In a reflector-based DDoS attack, agents must put the victim's address in the source address field. The spoofed addresses can be addresses of either existing or non-existing hosts. To avoid ingress filtering, the attacker can use addresses that are valid in the internal network because non-existing addresses have a high possibility of being filtered out. In the real world, it is possible to launch an attack without IP spoofing if the attacker can compromise enough hosts. In this situation, the attacker would consider how to avoid being traced. Usually, the attacker will use a chain of compromised hosts. Tracing a chain which extends across multiple countries is very hard to achieve. Furthermore, compromising poorly monitored hosts in a network will make tracing more difficult due to a lack of information. In these situations, IP spoofing is not a necessary step for hiding the attacker.

C. Flooding DDoS Attack Mechanisms

Flooding-based DDoS attacks involve agents or reflectors sending a large volume of unwanted traffic to the victim. The victim will be out of service for legitimate traffic because its connection resources are used up. Common connection resources include bandwidth and connection control in the victim system. Generally, flooding-based DDoS attacks consist of two types: direct and reflector attacks [65]. Figure 3 is another view of the process of a direct flooding-based DDoS attack. The architecture of the direct attack is the same as the typical DDoS attack reflected in Fig. 1.

Figure 3. A Direct-Flooding Based DDoS Attack

The agents send the Transmission Control Protocol/Internet Protocol (TCP), the Internet Control Message Protocol



(ICMP), the User Datagram Protocol (UDP), and other packets to the victim directly. The response packets from the victim will reach the spoofed receivers due to IP spoofing. In a reflector attack, presented in Fig. 2.4, the response packets from reflectors truly attack the victim. No response packets need be sent back to the reflector from the victim. The key factors to accomplishing a reflector attack include: setting the victim address in the source field of the IP header and finding enough reflectors. Basically, an attacker can utilize any protocol as the network layer platform for a flooding-based attack [10]. Direct attacks usually choose three mechanisms: TCP SYN flooding, ICMP echo flooding, and UDP data flooding [14]. The TCP SYN flooding mechanism is different from the other two mechanisms. It causes the victim to run out of all available TCP connection control resources by sending a large number of TCP SYN packets.

In a typical DDoS attack network, an attacker sends commands to compromised agents and requests that they send a large volume of traffic to overwhelm the bottleneck link in the victim network. To hide the attacker itself more deeply, a DDoS attack can construct an attack network with a reflector-based architecture. In the network, an attacker sends a packet whose source address has been set as the victim's address to reflectors.

III. RELATED WORK

We now review the existing combat strategies in this field, in order to compare our work with some associated work. Research in this area can be divided based on the following three issues: Classification, Mitigation and Traceback DDoS detection, DDoS response, and DDoS defense framework. The earliest work on DDoS defense led to the concept of network traceback [15] by Burch and Cheswick. Bellovin et al. proposed ICMP-based out-of-band messaging in iTrace [16], while Snoeren et al. proposed SPIE [17] employing packet logging, which was subsequently improved by Li et al. in [18]. Belenky and Ansari proposed a deterministic packet marking scheme in [19], while Savage et al. proposed a probabilistic packet marking (PPM) technique in [20], with subsequent enhancements made by others in [21] [22] [23] [24]. IP address fragmentation for efficient packet marking and their vulnerability to attacker induced noise have been studied in [25] and [26] respectively.

Recently, various encoding techniques have been used to progressively improve the performance of PPM schemes, as in Tabu marking [27], Local Topology marking [28], Space-Time encoding [29], Color Coding [30], and the use of Huffman Codes [31], Algebraic Geometric Codes [32] etc. Additionally, various architectures for traceback have been explored, such as inter-domain traceback [33] and hybrid traceback [34] [35], in addition to some other radical approaches like in [36]. Research on mitigating DDoS attacks has proceeded in parallel, focusing on network ingress filtering [37], routing table enhancements as in SAVE [38], CenterTrack [39] and intelligent filtering [40]. The concept of path fingerprints was exploited by Yaar et al. in [41], and subsequently improved in [42]. Various other techniques involving path filtering [43] [44], statistical filtering [45] [46], and rate limiting [47] [48] have also been explored in the literature. IP Marking [49] is traditionally used for IP Traceback.

The basic idea of the IP marking approach is that routers probabilistically write some encoding of partial path information into the packets during forwarding, so that based on this information the destination server can reconstruct the path that was taken by the packets. In [50], Song and Perrig have suggested Advanced and Authenticated Marking Schemes that encode the edge information in 16 bits of the packet to be marked. For this purpose, the 16-bit IP Identification field used for fragmentation in the IP header is overloaded, i.e. this field carries the encoding information instead of the regular packet fragmentation information. The obvious drawback in the methods discussed for IP Traceback is that they do not work for packets that are fragmented as the IP Identification field is overloaded for edge information.

Several methods have been proposed to characterize attack flows. In [51], a simple statistics-based mechanism to detect TCP SYN flood attacks was proposed. The idea is to detect deviation from an expected balanced SYN/FIN packet ratio using a nonparametric, cumulative sum method. However, such a simple technique is not foolproof as the attackers can mix their SYN and FIN packets. Subsequently, in [52] a spectral analysis method to distinguish attack flows from the normal ones by determining the periodicity in the packet process was proposed. But the method does so by using the Welch's modified periodogram, which has several disadvantages as compared to the EPSD technique used in this paper.

Bohacek [53] suggested a mitigating approach that relies on routers filtering enough packets so that the server is not overwhelmed while ensuring that as little filtering as possible is performed. He has proposed a solution wherein packets should be filtered at routers through which the attack packets are passing. But, it is a reactive mitigation technique that also has the drawback that legitimate traffic packets may also be dropped en route to the destination. In [54], Kalantari et al. have proposed a proactive method for mitigation of the effects of DDoS attacks wherein each router maintains a partition of active TCP flows into aggregates. Each aggregate is probed to estimate the proportion of attack traffic that it contains. Packets belonging to aggregates that contain significant amounts of attack traffic may be subject to aggressive drop policies to prevent attack at the intended victim. Again, in this case too, legitimate packets face the risk of being dropped. For the purpose of our work, we define aggregates as a vital element of the approach. Additionally, aggregates are defined in advance of the attack so that their response measurements are taken on normal (non-attack) traffic in order to be compared later on with measurements under an attack, if any.




                                                                     145                                http://sites.google.com/site/ijcsis/
                                                                                                        ISSN 1947-5500
                                                             (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                Vol. 9, No. 5, 2011
On the whole, studies have indicated that part of the mitigation
techniques in practice today, suffer from the following
drawbacks:
1. They are reactive in nature.
2. They deploy packet dropping policies at the routers wherein
even legitimate packets face the risk of being dropped.                                                   L-Diatance
3. The topology of the network needs to be known in advance.
The mitigation technique employed in the framework
proposed in this paper seeks to do away with all these
drawbacks as we shall see in next section.                                                                                     V- Server


                                                                                                           C-Bottleneck Link
                IV.   PROPOSED SOLUTION                                                    R-Set
   In this section, we shall outline the various facets of our
                                                                                Clients
proposed framework for defense against DDoS attacks. The
proposed framework provides for proactive mitigation against
the effect of DDoS attacks as described next. Whenever a                  Figure 4 Proposed Framework
packet arrives at a router to be forwarded to the server to be
protected from a DDoS attack, instead of sending that packet              The clients (attack and legitimate) send their requests to the
on the outbound link, a copy of its header [55] is sent toward            server V (indicated by thick arrows). The routers (set R) en
the server for characterization. This provides a proactive                route from the clients to the server will proactively generate
approach to mitigation against the attack as the bandwidth of             copies of these packets and save the original packets with
the links involved will not be exhausted by the voluminous                them. These routers will also stamp their identity in the
attack traffic as only the headers (that are small in size) will          Identification field of the copy of the IP header thus generated
traverse on the links to the server.                                      and send them to V (indicated by thin arrows). The other
   The technique to be used in this framework for mitigation provides the dual functionality of IP Traceback as well. The 16-bit IP Identification field in the header of the original packet, which has traditionally been used for traceback, need not be used for that purpose any more. In the proposed technique, the IP Identification field of the original packet will not be used for traceback. Instead, the IP Identification field in the generated copy of the header will be used to store the edge information. The copies of headers generated represent the actual dynamics of the traffic flow to which they belong. These headers will be subject to the characterization test described next.

   For classification, instead of the Welch's periodogram method used in [52], the Exactly Periodic Subspace Decomposition (EPSD) [56] technique will be used as part of this framework. The EPSD technique does away with the disadvantages of Welch's method by differing in the selection of the time-domain input elements that constitute the frequency-domain output elements. To get a better understanding of the proposed model, consider the sample topology shown in Figure 5. The topology considered is similar to the one traditionally used to depict a typical client-server scenario in the Internet for simulation purposes [6].

   routers through which these header copies traverse before reaching V will also append their edge information in the same Identification field. Once these header copies reach the bottleneck link C, they will undergo the EPSD test for periodicity, and thus the flows will be characterized as attack or legitimate. Only if a flow is characterized as legitimate will the routers belonging to set R be instructed to forward the stored packets to the server. If a flow is characterized as an attack flow, then the encoding information in the generated copies of the headers will be used to construct the attack graph for IP Traceback [57], and the routers (set R) will be asked to drop the corresponding original attack packets. A flowchart depicting the solution is illustrated below.
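The edge-marking and attack-graph step described above, as an added example written for this page and not code from the paper (the paper does not fix a concrete encoding, and Figure 5 is not reproduced here). The example assumes: a constructed four-router topology with administratively assigned 8-bit router ids (ROUTER_IDS); a field layout in which the upper byte is the XOR of the ids of the two routers forming an edge and the lower byte is the edge's distance from the router next to V, i.e. the compressed edge-sampling layout of [57] fitted into one 16-bit field without fragmentation; a per-router marking probability MARK_PROB; and that the EPSD verdict (attack or legitimate) is supplied as an input rather than computed.

```python
"""
Edge marking in a header copy's 16-bit Identification field and path
reconstruction at the victim V.  Added example; not the paper's code.

Assumptions of this example:
  * each router has an administratively assigned 8-bit id (ROUTER_IDS);
  * field bits 15..8 = XOR of the ids of the two routers that form an edge,
    bits  7..0 = distance of that edge from the router adjacent to V
    (the compressed edge-sampling layout of Savage et al. [57], here without
    fragmentation so that one mark fits in one 16-bit field);
  * a fresh header copy carries distance 0xFF ("unmarked"); each router starts
    a new edge with probability MARK_PROB, otherwise it completes an edge
    started one hop upstream and increments the distance.
"""
import random
from collections import defaultdict

UNMARKED = 0xFF
MARK_PROB = 0.25

# Constructed topology (not the paper's Figure 5): attacker -> R4 -> R3 -> R2 -> R1 -> V
ROUTER_IDS = {"10.0.4.1": 0x4A, "10.0.3.1": 0x3B, "10.0.2.1": 0x2C, "10.0.1.1": 0x1D}
ATTACK_PATH = ["10.0.4.1", "10.0.3.1", "10.0.2.1", "10.0.1.1"]  # farthest router first


def pack(edge: int, dist: int) -> int:
    """Build the 16-bit Identification field value from an edge byte and a distance byte."""
    return ((edge & 0xFF) << 8) | (dist & 0xFF)


def unpack(field: int):
    """Split a 16-bit field value into (edge, distance)."""
    return field >> 8, field & 0xFF


def mark_at_router(field: int, addr: str, start_edge: bool) -> int:
    """One router's update of the Identification field of a passing header copy."""
    edge, dist = unpack(field)
    rid = ROUTER_IDS[addr]
    if start_edge:
        return pack(rid, 0)            # begin a new edge at this router
    if dist == UNMARKED:
        return field                   # nobody upstream marked: leave untouched
    if dist == 0:
        edge ^= rid                    # close the edge the previous hop started
    return pack(edge, min(dist + 1, UNMARKED - 1))


def forward_copies(path, n_copies, prob=MARK_PROB, seed=1):
    """Carry n_copies header copies along `path` to V; return the fields V receives."""
    rng = random.Random(seed)          # seeded so the example is reproducible
    received = []
    for _ in range(n_copies):
        field = pack(0, UNMARKED)
        for addr in path:
            field = mark_at_router(field, addr, rng.random() < prob)
        received.append(field)
    return received


def reconstruct_path(fields):
    """Rebuild the router path from V outward from the edges seen at each distance."""
    edges_at = defaultdict(set)
    for f in fields:
        edge, dist = unpack(f)
        if dist != UNMARKED:
            edges_at[dist].add(edge)
    id_to_addr = {rid: addr for addr, rid in ROUTER_IDS.items()}
    path, prev_id, d = [], 0, 0        # at distance 0 the field holds R1's id alone
    while d in edges_at:
        cands = {e ^ prev_id for e in edges_at[d]} & set(id_to_addr)
        if len(cands) != 1:            # unknown or ambiguous upstream router: stop here
            break
        prev_id = cands.pop()
        path.append(id_to_addr[prev_id])
        d += 1
    return path


def handle_flow(is_attack: bool, fields):
    """Mirror the framework's decision: a legitimate flow has its stored packets
    released; an attack flow is traced back and those routers are told to drop it."""
    if not is_attack:
        return {"action": "forward", "routers": []}
    return {"action": "drop", "routers": reconstruct_path(fields)}


if __name__ == "__main__":
    marks = forward_copies(ATTACK_PATH, 400)
    print(handle_flow(True, marks))
```

With a single attack path every distance value carries exactly one edge mark, so the loop in reconstruct_path walks from R1 outward by XOR-ing each mark with the id just recovered. With several converging paths a distance may yield more than one plausible upstream router; this example stops rather than guessing, which is where the per-branch bookkeeping of a full attack-graph builder would take over.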
Figure 5. Flowchart of the Proposed Framework

V. CONCLUSION AND FUTURE WORK

   As malicious entities unleash an increasing number of DDoS attacks on the Internet, it has become imperative not only to track them so as to hold them liable (traceback), but also to limit their capabilities and render them ineffective (mitigation). In this paper, we propose a novel framework that provides both traceback and mitigation capabilities. On the whole, studies have indicated that some of the mitigation techniques in practice today suffer from the following drawbacks: they are reactive in nature; they deploy packet-dropping policies at the routers wherein even legitimate packets face the risk of being dropped; and the topology of the network needs to be known in advance. The mitigation technique employed in the framework proposed in this study seeks to do away with all these drawbacks. We hope to evaluate the proposed framework and techniques on an NS2 network simulation platform in our subsequent work.

REFERENCES

[1] K. Xu, Z.-L. Zhang, and S. Bhattacharyya, “Reducing unwanted traffic in a backbone network,” in Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI), 2005, pp. 9-15.
[2] CERT Coordination Center, “Denial of service attacks.” Available at http://www.cert.org/tech_tips/denial_of_service.html, March 2007.
[3] L. Garber, “Denial-of-service attacks rip the Internet,” IEEE Computer, vol. 33, no. 4, April 2000, pp. 12-17.
[4] D. Moore, G. M. Voelker, and S. Savage, “Inferring Internet denial-of-service activity,” in Proceedings of the 10th USENIX Security Symposium, August 2001.
[5] CAIDA, “Nameserver DoS attack October 2002.” Available at http://www.caida.org/funding/dns-analysis/oct02dos.xml, March 2007.
[6] ZDNet, “New denial-of-service threat emerges.” Available at http://news.zdnet.com/2100-1009_22-6050688.html, March 2007.
[7] CERT, “Denial of Service Attacks.” http://www.cert.org/tech_tips/denial_of_service.html, 1997.
[8] K. J. Houle, G. M. Weaver, N. Long, and R. Thomas, “Trends in denial of service attack technology,” Technical Report Version 1.0, CERT Coordination Center, Carnegie Mellon University, 2001. http://www.cert.org/archive/pdf/DoS_trends.pdf.
[9] F. Lau, S. H. Rubin, M. H. Smith, and L. Trajković, “Distributed denial of service attacks,” in Proceedings of the IEEE International Conference on Systems and Cybernetics, vol. 3, pp. 2275-2280, 2000.
[10] J. Mölsä, “Mitigating denial of service attacks in computer networks,” PhD thesis, Helsinki University of Technology, Espoo, Finland, June 2006.
[11] V. Paxson, “An analysis of using reflectors for distributed denial-of-service attacks,” ACM SIGCOMM Computer Communication Review, vol. 31, no. 3, July 2001.
[12] S. M. Specht and R. B. Lee, “Distributed denial of service: taxonomies of attacks, tools and countermeasures,” in Proceedings of the 17th International Conference on Parallel and Distributed Computing Systems, September 2004, pp. 543-550.
[13] R. K. Chang, “Defending against flooding-based distributed denial-of-service attacks: A tutorial,” IEEE Commun. Mag., vol. 40, no. 10, October 2002, pp. 42-51.
[14] Cisco Systems, Inc., “Characterizing and tracing packet floods using Cisco routers,” May 2005.
[15] H. Burch, B. Cheswick, “Tracing Anonymous Packets to their approximate source,” in Proc. USENIX LISA, Dec. 2000.
[16] S. M. Bellovin, “ICMP traceback messages,” Internet Draft, Mar. 2000.
[17] A. C. Snoeren et al., “Hash-Based IP Traceback,” in SIGCOMM, 2001.
[18] Li et al., “Large-Scale IP Traceback in High-Speed Internet: Practical Techniques & Theoretical Foundation,” in IEEE Symp. on Security & Privacy, 2004.
[19] A. Belenky, N. Ansari, “IP Traceback with Deterministic Packet Marking,” in IEEE Communication Letters, Apr. 2003.
[20] Savage et al., “Practical Network Support for Traceback,” in SIGCOMM, 2000.
[21] D. Song, A. Perrig, “Advanced and Authenticated Marking Schemes for IP traceback,” in Proc. IEEE INFOCOM, 2001.
[22] M. Adler, “Tradeoffs in Probabilistic packet marking for IP traceback,” in Proc. STOC, pp. 407-418, 2002.
[23] T. Peng, C. Leckie, K. Ramamohanarao, “Adjusted Probabilistic Packet Marking for IP Trace-back,” in Proc. Networking, 2002.
[24] A. Yaar, A. Perrig, D. Song, “FIT: Fast Internet Traceback,” in INFOCOM 2005.
[25] I. Hamadeh, G. Kesidis, “Performance of IP Address Fragmentation Strategies for DDoS trace-back,” in Proc. IEEE IPOM, 2003.
[26] M. Waldvogel, “GOSSIB vs Traceback Rumors,” in ACSAC, 2002.
[27] M. Ma, “Tabu Marking Scheme for Traceback,” in IPDPS, 2005.
[28] B. Al-Duwairi, T. Daniels, “Topology Based Packet Marking,” in ICCCN 2004.
[29] M. Muthuprasanna, G. Manimaran, “Space-Time Encoding for DDoS Attack Traceback,” in Proc. IEEE GLOBECOM, 2005.
[30] M. Muthuprasanna, G. Manimaran, Mansoor Alicherry, Vijay Kumar, “Coloring the Internet: IP Traceback,” in Proc. ICPADS, 2006.
[31] K. Choi, H. Dai, “A Marking Scheme using Huffman Codes for IP Traceback,” in Proc. ISPAN, 2004.
[32] C. Bai et al., “Algebraic Geometric Code Based IP Traceback,” in IPCCC 2004.
[33] Y. Sawai, M. Oe, K. Iida, Y. Kadobayashi, “Performance Evaluation of Inter-Domain IP Traceback,” in Proc. IEEE ICT, 2003.
[34] B. Al-Duwairi, G. Manimaran, “Novel Hybrid Schemes employing Packet Marking & Logging for Traceback,” in IEEE TPDS, 2005.
[35] Gong et al., “IP Traceback based on Packet Marking & Logging,” in ICC 2005.
[36] M. Walfish, M. Vutukuru, Hari Balakrishnan, D. Karger, Scott Shenker, “DDoS Defense by Offense,” in Proc. SIGCOMM, 2006.
[37] P. Ferguson, D. Senie, “Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing,” RFC 2267, 1998.
[38] J. Li, J. Mirkovic, M. Wang, M. Reiher, L. Zhang, “SAVE: Source address validity enforcement protocol,” in Proc. of INFOCOM, 2001.
[39] R. Stone, “CenterTrack: An IP overlay network for tracking DoS floods,” in Proc. USENIX Security Symposium, 2000.
[40] M. Sung, J. Xu, “Intelligent Packet Filtering: A Novel Technique for defending against DDoS Attacks,” in IEEE TPDS, 2003.
[41] A. Yaar, A. Perrig, D. Song, “Pi: A Path Identification Mechanism to defend against DDoS Attacks,” in Proc. IEEE Symposium on Security and Privacy, 2003.
[42] A. Yaar, A. Perrig, D. Song, “StackPi: New Packet Marking Filtering Mechanisms for DDoS & IP Spoofing Defense,” in JSAC, pp. 1853-1863, Oct. 2006.
[43] C. Jin, H. Wang, K. G. Shin, “Hop-Count Filtering: An effective defense against spoofed DDoS traffic,” in ACM CCS, 2003.
[44] A. Keromytis, V. Misra, D. Rubenstein, “SOS: An architecture for mitigating DDoS attacks,” in IEEE JSAC, pp. 176-188, Jan. 2004.
[45] Y. Kim, W. Lau, M. Chuah, J. Chao, “PacketScore: A statistical-based overload control against DDoS attacks,” in Proc. IEEE INFOCOM, 2004.
[46] T. Peng, C. Leckie, K. Ramamohanarao, “Protection from DDoS attacks using history-based IP filtering,” in Proc. IEEE ICC, 2003.
[47] J. Ioannidis, S. M. Bellovin, “Implementing Pushback: Router-based defense against DDoS attacks,” in Proc. NDSS, 2002.
[48] D. Yau, J. Lui, F. Liang, “Defending against DDoS attacks with max-min fair server-centric router throttles,” in Proc. IWQoS, 2002.
[49] Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson, “Practical network support for IP traceback,” in Proceedings of the 2000 ACM SIGCOMM Conference, Aug. 2000.
[50] Dawn Xiaodong Song and A. Perrig, “Advanced and authenticated marking schemes for IP traceback,” in Proceedings of IEEE INFOCOM 2001, Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies, vol. 2, pp. 878-886, Apr. 2001.
[51] H. Wang, D. Zhang, and K. G. Shin, “Detecting SYN flooding attacks,” in Proceedings of IEEE INFOCOM 2002, pp. 1530-1539, June 2002.
[52] Chen-Mou Cheng, H. T. Kung, and Koan-Sin Tan, “Use of Spectral Analysis in Defense Against DoS Attacks,” in Proceedings of the Global Telecommunications Conference, 2002 (GLOBECOM '02), IEEE, vol. 3, pp. 2143-2148, Nov. 2002.
[53] B. Stephan, “Optimal filtering for denial of service mitigation,” in Proceedings of the 41st IEEE Conference on Decision and Control, 2002, vol. 2, pp. 1428-1433, Dec. 2002.
[54] M. Kalantari, K. Gallicchio and M. A. Shayman, “Using transient behavior of TCP in mitigation of distributed denial of service attacks,” in Proceedings of the 41st IEEE Conference on Decision and Control, 2002, vol. 2, pp. 1422-1427, Dec. 2002.
[55] S. Bellovin, “ICMP traceback messages,” Internet Draft, March 2000. http://www.cs.columbia.edu/~smb/papers/draft-bellovinitrace-00.txt
[56] D. Darian Muresan and Thomas W. Parks, “Orthogonal, Exactly Periodic Subspace Decomposition,” IEEE Trans. on Signal Processing, vol. 51, no. 9, pp. 2270-2279, Sep. 2003.
[57] Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson, “Practical network support for IP traceback,” in Proceedings of the 2000 ACM SIGCOMM Conference, Aug. 2000.