ABSTRACT
In this paper, we model Probabilistic Packet Marking (PPM) schemes for IP traceback as the problem of identifying a large number of markers. Each potential marker is associated with a distribution on tags, which are short binary strings. To mark a packet, a marker follows its associated distribution in choosing the tag to write in the IP header. Since there are a large number of markers (for example, over 4,000), what the victim receives are samples from a mixture of distributions. Essentially, traceback aims to identify the individual distributions contributing to the mixture. Guided by this model, we propose Random Packet Marking (RPM), a scheme that uses a simple but effective approach. RPM does not require sophisticated structure or relationships among the tags, and employs a hop-by-hop reconstruction similar to AMS [16]. Simulations show improved scalability and traceback accuracy over prior work. For example, in a large network with over 100K nodes, 4,650 markers induce 63% false positives in edge identification under the AMS marking scheme, while RPM lowers this to 2%. The effectiveness of RPM demonstrates that, with prior knowledge of neighboring nodes, a simple and properly designed marking scheme suffices to identify a large number of markers with high accuracy.
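The identification model in the abstract can be made concrete with a toy simulation. This is an added example, not code from the paper and not RPM's actual tag construction: the ternary-tree topology, the 12-bit tag width, the four hash-derived tags per router and all function names are assumptions chosen for illustration. It compares testing every router against the observed tags with a hop-by-hop search that only tests upstream neighbours of routers already identified.

```python
import hashlib
import random

TAG_BITS = 12          # assumed tag width (a short binary string in the IP header)
TAGS_PER_MARKER = 4    # assumed support size of each marker's tag distribution
N_NODES = 30000        # routers, numbered as a ternary tree rooted at the victim (node 0)

def tags_of(node):
    # Support of a node's tag distribution: pseudorandom tags with no structure.
    return {int.from_bytes(hashlib.sha256(f"{node}:{i}".encode()).digest()[:4], "big")
            % (1 << TAG_BITS) for i in range(TAGS_PER_MARKER)}

def attack_markers(n_sources, rng):
    # Every router on the path from a randomly chosen source to the victim marks.
    markers = set()
    for src in rng.sample(range(1, N_NODES), n_sources):
        while src != 0:
            markers.add(src)
            src = (src - 1) // 3   # parent in the ternary tree
    return markers

def observe(markers, n_packets, rng):
    # Victim's view: tags sampled from the mixture, with no marker identity attached.
    pool = sorted(markers)
    return {rng.choice(sorted(tags_of(rng.choice(pool)))) for _ in range(n_packets)}

def flat_identify(seen):
    # No topology knowledge: accept any router whose tags were all observed.
    return {n for n in range(1, N_NODES) if tags_of(n) <= seen}

def hop_by_hop_identify(seen):
    # Prior knowledge of neighbours: only test children of routers already found.
    found, frontier = set(), [0]
    while frontier:
        node = frontier.pop()
        for c in range(3 * node + 1, min(3 * node + 4, N_NODES)):
            if tags_of(c) <= seen:
                found.add(c)
                frontier.append(c)
    return found

def experiment(n_sources=60, n_packets=60000, seed=1):
    rng = random.Random(seed)
    markers = attack_markers(n_sources, rng)
    seen = observe(markers, n_packets, rng)
    flat, hop = flat_identify(seen), hop_by_hop_identify(seen)
    return markers, len(flat - markers), len(hop - markers), hop
```

`experiment()` returns the true marker set, the false-positive count of the flat search, the false-positive count of the hop-by-hop search, and the routers the hop-by-hop search identified.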
REFERENCES
- Internet mapping project. Research, Lumeta, Jan. 2006.
- Anomalous DNS activity. Current activity archive, US-CERT, Feb. 6, 2007.
- M. Adler. Tradeoffs in probabilistic packet marking for IP traceback. In Proceedings of ACM Symposium on Theory of Computing (STOC), Nov. 2001.
- B. Bloom. Space/time trade-offs in hash coding with allowable errors. Communications of the Association for Computing Machinery, 13(7):422–426, 1970.
- S. Bellovin, M. Leech, and T. Taylor. ICMP traceback messages. Internet draft, IETF, draft-ietf-itrace-01.txt, Oct. 2001.
- B. Chor, A. Fiat, and M. Naor. Tracing traitors. In Proceedings of CRYPTO, pages 257–270, Aug. 1994.
- D. Dean, M. Franklin, and A. Stubblefield. An algebraic approach to IP traceback. ACM Transactions on Information and System Security, 5(2):119–137, May 2002.
- L. Garber. Denial-of-service attacks rip the Internet. IEEE Computer, 33(4):12–17, Apr. 2000.
- M. Goodrich. Efficient packet marking for large-scale IP traceback. In Proceedings of ACM CCS, pages 117–126, Nov. 2002.
- J. Li, M. Sung, J. Xu, and L. Li. Large-scale IP traceback in high-speed Internet: Practical techniques and theoretical foundation. In Proceedings of IEEE S&P, May 2004.
- A. Mankin, D. Massey, C.-L. Wu, S. Wu, and L. Zhang. On design and evaluation of intention-driven ICMP traceback. In Proceedings of IEEE Computer Communications and Networks, Oct. 2001.
- D. McGuire and B. Krebs. Attack on Internet called largest ever. Oct. 2002.
- K. Park and H. Lee. On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets. In Proceedings of SIGCOMM, pages 15–26, Aug. 2001.
- S. Savage, D. Wetherall, A. Karlin, and T. Anderson. Practical network support for IP traceback. In Proceedings of SIGCOMM, Aug. 2000.
- A. Snoeren, C. Partridge, L. Sanchez, C. Jones, F. Tchakountio, S. Kent, and W. Strayer. Hash-based IP traceback. In Proceedings of ACM SIGCOMM, Aug. 2001.
- D. X. Song and A. Perrig. Advanced and authenticated marking schemes for IP traceback. In Proceedings of IEEE INFOCOM, pages 878–886, Apr. 2001.
- I. Stoica and H. Zhang. Providing guaranteed services without per flow management. In Proceedings of ACM SIGCOMM, Aug. 1999.
- W. Trappe, M. Wu, Z. J. Wang, and K. J. R. Liu. Anti-collusion fingerprinting for multimedia. IEEE Transactions on Signal Processing, 51(4):1069–1087, Apr. 2003.
- M. Waldvogel. GOSSIB vs. IP traceback rumors. In Proceedings of Annual Computer Security Applications Conference (ACSAC), Dec. 2002.
- A. Yaar, A. Perrig, and D. Song. Fit: Fast Internet traceback. In Proceedings of IEEE INFOCOM, pages 1395–1406, Mar. 2005.