Ant-based IP traceback

https://doi.org/10.1016/j.eswa.2007.06.034

Abstract

Denial-of-service (DoS) attacks that spoof the source IP address have become a major threat to the Internet. An intrusion detection system is often used to detect DoS attacks and to coordinate with the firewall to block them. However, DoS attack packets consume and may exhaust all the resources, degrading network performance or, even worse, causing network breakdown. A proactive approach to DoS attacks is to locate the original attack host(s) issuing the attacks and to stop the malicious traffic there, instead of wasting resources on the attack traffic.

In this paper, an ant-based traceback approach is proposed to identify the origin of a DoS attack. Instead of creating a new type or function, or processing the high volume of fine-grained data used by previous research, the proposed traceback approach uses flow-level information to identify the origin of a DoS attack.

Two characteristics of the ant algorithm, quick convergence and heuristic search, are adopted in the proposed approach to finding the DoS attack path. Quick convergence efficiently locates the origin of a DoS attack; the heuristic gives a solution even when the network provides only partial flow information.

The proposed method is evaluated through simulation on various network environments and on two simulated real networks, NSFNET and DFN. The simulation results show that the proposed method can successfully and efficiently find the DoS attack path in the various simulated network environments, with both full and partial flow information provided by the networks.

Introduction

The rapid growth of the Internet has fuelled the demand for universal connectivity. However, the open environment of the Internet is a double-edged sword. While the migration from private to public networks has made it possible for any organization to extend the global reach of its business, it also exposes the enterprise to a larger variety of security threats. The tools for disruption are readily available to these Internet attackers, ranging from published operating-system weaknesses to executable software ready to exploit such vulnerabilities. The recent number of high-profile security breaches experienced by prominent industry players reveals the inherent vulnerabilities in operating business-critical applications over public IP-based networks.

According to a study conducted by the Computer Security Institute (2003), 90% of the 530 surveyed companies had detected computer security breaches in 2003. The same study found that 74% acknowledged financial losses due to these breaches. Although only 47% were able to quantify their losses, the losses reported by 251 respondents totaled more than 202 million US dollars. This, however, is just the proverbial tip of the iceberg. Furthermore, according to the statistics of dollar losses by type (Computer Security Institute, 2003), the denial-of-service (DoS) attack was the second most expensive computer crime among survey respondents, costing more than 65 million US dollars.

Nowadays, many organizations use a firewall and an intrusion detection system (IDS) to secure their network. If the attacker conducts a DoS attack with a large volume of traffic, the network is still tied up even though the IDS detects the attack and coordinates with the firewall to block the malicious traffic. Most work in this area has focused on tolerating attacks by mitigating their effects on the victim. Such a passive approach can provide an effective stopgap measure, but it neither eliminates the problem nor discourages the attackers.

The proactive approach is to find the source of the DoS attack and to cooperate with the Internet service provider (ISP) or the network administrators to stop the traffic at its origin. This restores normal network functionality, prevents recurrences and, ultimately, holds the attackers accountable. However, many network-based DoS attacks exploit a flaw of TCP/IP to manipulate and falsify the source address in the IP header. Conventional trace methods might not be able to identify the origin, since the source address could be spoofed.

The core concept of current IP traceback methods, such as packet marking (Aljifri et al., 2003, Dean et al., 2002, Savage et al., 2001, Song and Perrig, 2001), hash-based approaches (Snoeren et al., 2002, Strayer et al., 2003), and hop-by-hop approaches (Baba & Matsuda, 2002), is to use information from the routers along the DoS path. The drawback of packet marking is that it needs the routers to encode extra path information in rarely used fields of the IP header that were not designed for IP traceback. Both the hash-based and the hop-by-hop approaches have to install additional functions on the routers to carry out IP traceback.

Most previous approaches require modifying the network infrastructure: either encoding the router's information into specific fields of the IP header or storing a representative amount of the packet content at the routers for IP traceback purposes. Furthermore, they require all the routers along the DoS attack path to support the IP traceback mechanism in order to accomplish the traceback. Altering an existing network infrastructure or the functionality of all the routers can be both time-consuming and costly.

The goal of this work is to propose an IP traceback approach that finds the origin of a DoS attack from existing traffic flow information, without extra support from the routers. Furthermore, some previous work needs to process a large number of packets, which may be too costly for detecting DoS attacks. An ant-based traceback algorithm is proposed, using the traffic flow information as the trail that the ants follow to find the attack path.

Section snippets

Related work

Savage et al. (2001) described and implemented probabilistic packet marking (PPM). When a packet passes through a router, the router decides whether to mark the packet according to a predefined probability. The IP fragment identification field is used to store the IP traceback information.

Song and Perrig (2001) proposed modifications to Savage's method that further reduce storage requirements by storing a hash of each IP address instead of the address itself. It assumes that the victim

Ant algorithm

The ant algorithm (Dorigo et al., 1991) was inspired by the behavior of natural ants and has since been applied to many different discrete optimization problems, such as vehicle routing and resource scheduling. In an ant algorithm, multiple agents, represented by ants, cooperate with each other through indirect communication mediated by pheromone. The ant colony algorithm was first introduced to solve the traveling salesman problem (TSP) (Upton, 2002).

A moving ant lays some pheromone (in varying quantities) on the

Ant-based DoS traceback

While an isolated ant moves essentially at random, an ant encountering a previously laid pheromone trail can detect it and decide with high probability to follow it, thus reinforcing the trail with its own pheromone. The collective behavior that emerges is a form of autocatalytic behavior in which the more ants follow a trail, the more attractive that trail becomes to other ants. In the proposed IP traceback scheme, we use the average amount of octets belonging to the DoS attack as

Extension to partial flow information

The above IP traceback solution requires all the routers on the DoS attack path to provide flow information in order to perform the traceback. In reality, some routers might not provide such flow information. Therefore, we extend the ant-based traceback method by removing this restriction.

In the ant algorithm, the interaction of many autocatalytic processes can lead to rapid convergence to a subspace of the solution space that contains many good solutions, not converging very
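A compact simulation of the idea behind the two preceding sections, written for this page as an added example rather than the authors' own code: per-link pheromone is seeded from the average attack octets in each router's flow records, ants walk upstream from the victim choosing links in proportion to pheromone, and evaporation plus evidence-weighted deposit reinforce the trail. The topology and flow records are constructed (reusing the router numbers of the first NSFNET subscenario), and the treatment of routers without flow records, a neutral weight equal to the mean known value, is an assumption made here, not the paper's stated rule.

```python
import random

# Constructed topology: router -> upstream neighbours. The victim sits behind
# router 0 and the constructed attack origin behind router 19, so the true
# path (victim side first) is 0 -> 2 -> 7 -> 8 -> 19.
UPSTREAM = {0: [1, 2], 1: [3, 4], 2: [5, 7], 3: [], 4: [], 5: [6], 6: [],
            7: [8, 9], 8: [10, 19], 9: [], 10: [], 19: []}
# Constructed flow records: (router, upstream) -> average octets of the attack
# flow seen entering `router` from `upstream`. Off-path links carry a little
# matching traffic so the walk stays genuinely probabilistic.
FLOWS_FULL = {(0, 1): 120, (0, 2): 9800, (1, 3): 50, (1, 4): 70, (2, 5): 150,
              (2, 7): 9700, (5, 6): 40, (7, 8): 9650, (7, 9): 200,
              (8, 10): 90, (8, 19): 9600}
# Partial information: router 7 exports no flow records at all.
FLOWS_PARTIAL = {k: v for k, v in FLOWS_FULL.items() if k[0] != 7}


def trace_back(upstream, flows, victim=0, ants=30, rounds=40, rho=0.3, seed=7):
    rng = random.Random(seed)
    # Assumption: a link with no flow record starts at the mean known value, so
    # ants neither avoid nor prefer it until reinforcement decides.
    neutral = max(1.0, sum(flows.values()) / max(len(flows), 1))
    tau = {(r, u): flows.get((r, u), neutral) + 1.0    # +1 keeps every link reachable
           for r, ups in upstream.items() for u in ups}
    for _ in range(rounds):
        walks = []
        for _ in range(ants):
            path = [victim]
            while upstream[path[-1]]:                  # walk upstream to an edge router
                here, choices = path[-1], upstream[path[-1]]
                weights = [tau[(here, u)] for u in choices]
                path.append(rng.choices(choices, weights)[0])
            walks.append(path)
        for k in tau:                                  # pheromone evaporation
            tau[k] *= 1.0 - rho
        for path in walks:                             # deposit scaled by evidence collected
            evidence = sum(flows.get(hop, 0) for hop in zip(path, path[1:]))
            for hop in zip(path, path[1:]):
                tau[hop] += evidence / ants
    # Read the trail out by following the strongest pheromone upstream.
    path = [victim]
    while upstream[path[-1]]:
        here = path[-1]
        path.append(max(upstream[here], key=lambda u: tau[(here, u)]))
    return path


if __name__ == "__main__":
    print("full flow information:   ", trace_back(UPSTREAM, FLOWS_FULL))
    print("router 7 without NetFlow:", trace_back(UPSTREAM, FLOWS_PARTIAL))
```

With router 7 silent, ants at that hop start out indifferent between 8 and 9, but walks continuing through 8 collect more attack octets from router 8's records, so reinforcement still pulls the colony onto the true path.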

Performance evaluation

We simulate real-world topologies to evaluate the correctness and effectiveness of the proposed solution using the network simulator NS-2 (NS-2). We assume that the routers are equipped with NetFlow, providing flow-level information.

Two network topologies, NSFNET and DFN, are simulated. Their network characteristics are shown below. The default routing of NS-2 (static routing using Dijkstra's all-pairs SPF algorithm) is used as the routing strategy in our simulation.

  • NSFNET

Simulation scenario

In this simulation, we design two simulation subscenarios. The first subscenario of NSFNET is illustrated in Fig. 4. It simulates eleven legitimate normal flows in the simulation network and one DoS attack flow through routers 19, 8, 7, 2, and 0. The traceback result under the full flow information condition is illustrated in Fig. 5, while the results under the partial flow information condition are shown in Figs. 6, 7 and 8.

The second simulation subscenario of NSFNET is shown

Conclusions

DoS attacks have become one of the major threats on the Internet and cause massive revenue losses for many companies. However, DoS attacks are often associated with spoofed source addresses, making it hard to identify the attacker. A proactive approach to DoS attacks is to find the original machine that issues the attack and to stop the malicious traffic.

Most current IP traceback methods require modifying the network infrastructure, such as encoding the router's information into specific fields

Acknowledgement

This work was supported in part by TWISC@NCKU, National Science Council under the Grants NSC 96-2219-E-006-009 and NSC 95-2221-E-110-083.

References (14)

  • H. Aljifri et al. IP traceback using header compression. Computers & Security (2003).
  • T. Baba et al. Tracing network attacks to their sources. IEEE Internet Computing (2002).
  • Computer Security Institute (2003). CSI/FBI Computer crime and security survey....
  • D. Dean et al. An algebraic approach to IP traceback. ACM Transactions on Information and System Security (2002).
  • Dorigo M., Maniezzo V., & Colorni A. (1991). The ant system: An autocatalytic optimizing process, Technical Report No....
  • M. Dorigo et al. The ant system: Optimization by a colony of cooperating agents. IEEE/ACM Transactions on System, Man and Cybernetics-Part B (1996).
  • GT-ITM....

There are more references available in the full text version of this article.
