LOGGING:

Some have proposed using reserved and unused fields in the IP header to support this feature. Although adding more information to IP headers might increase fragmentation, an administrator could create a coding scheme to ensure that traceback information doesn't cause packets to exceed the maximum transmission unit.

Attackers could also forge the information in this field, similar to spoofing the source address. However, an administrator could put a security or authentication measure in place to prevent this. One other drawback: packet marking would need to be implemented globally within the Internet to be of real value.

Table 1 shows the relative advantages and disadvantages of the new approach (SIPT) and each traceback technique.
Packet Marking:

One inventive idea is to insert traceback information directly into IP headers as they traverse routers. As Figure 2 shows, this would let a DoS attack victim glean the attack traffic's true path from the original packet. This technique would also eliminate the attacker's ability to conceal the true source.
HOW SIPT WORKS:

The router plays a vital role in SIPT. For packets originating from a directly connected client, the router inserts the client's data link identifier (available in the source MAC field of the MAC header) and its own IP address (the address of the incoming interface) into the packet's IP header using one of the several available packet-marking techniques. This marking process inserts the attacker identification information (AII). After marking, the system forwards the packet as usual. If the packet didn't arrive from a directly connected client, but instead from another upstream router, it is forwarded as usual without any marking.

Every packet that the server receives is hence marked with the MAC address of the machine that sent it and the IP address of the router the machine is connected to. The server is thus armed with enough information to establish the origin of every packet it receives. The marking must be done at the first router because it alone knows the client's MAC address. Subsequently, the attacker's source MAC address will be lost when the MAC header is replaced in the next hop.

Several available intrusion detection systems will detect a DoS attack and trigger our system into action. The server then captures the attack packets either by pattern analysis or by a hash-table counting method. As Figure 3 shows, we used the hash-table counting method in our all-Linux implementation. This new approach extracts the AII from the packet and stores it in the hash table after classifying or hashing it on the basis of the MAC address. This approach also maintains a record of the number of packets arriving from the same machine and containing the same AII.
On building the hash table, we could clearly identify the machine(s) that sent traffic in anomalously large proportions. These were then blacklisted as attack machines. We could also identify when more than one machine sent anomalously large proportions of traffic, a capability that makes our system useful for fighting DDoS attacks.

After this, an administrator can quickly and easily perform the traceback. The server refers to the AII and retrieves the IP address of the router the attacker is directly connected to and the attacker's MAC address. The system can identify the attacker with just these two pieces of information.

The SIPT approach doesn't constitute a hop-by-hop traceback. Instead, it directly finds the boundary router connected to the attacker. Besides being a faster method for finding the attacker, SIPT results in a lower network overload than other methods. Although tuned for defense of DoS, SIPT can be used to single out other kinds of attacks once the trace has identified an attack packet.

Considering the vast scope of networking issues and problems, many more layers of implementation might be needed as we proceed with deployment.

CONCLUSION:

Since our method has backward compatibility and supports incremental deployment, the probability of finding an attacker will increase with the percentage of routers capable of running our traceback algorithm. For our implementation, we trust the authenticity of the MAC addresses. Although IP address spoofing is common, statistics show that MAC address spoofing is less prevalent. However, future MAC address spoofing can't be ruled out. In any case, even if the MAC address is spoofed, this method manages to pinpoint the boundary router, which in itself amounts to solving a major portion of the IP traceback problem.
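The marking, hash-table counting, blacklisting and traceback steps described above, as an added in-memory model in Python (this is illustration code, not the paper's all-Linux implementation). The Packet structure, the carrier field for the AII, the 50% traffic-share threshold and all addresses are assumptions; the paper does not fix any of them.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class AII:
    """Attacker identification information: first-hop router's incoming-interface IP + client MAC."""
    router_ip: str
    client_mac: str

@dataclass
class Packet:
    src_ip: str             # IP-layer source address, easily spoofed
    src_mac: str            # data-link source, visible only to the first-hop router
    aii: AII | None = None  # assumed carrier for the mark (the paper leaves the header field open)

def router_forward(pkt: Packet, router_ip: str, from_direct_client: bool) -> Packet:
    """Mark only packets from a directly connected client; upstream packets pass unchanged."""
    if from_direct_client and pkt.aii is None:
        pkt.aii = AII(router_ip, pkt.src_mac)
    return pkt

def build_hash_table(packets: list[Packet]) -> Counter:
    """Server side: extract each AII and count packets per AII (hash keyed on the MAC)."""
    return Counter(p.aii for p in packets if p.aii is not None)

def blacklist(table: Counter, max_share: float) -> list[AII]:
    """Flag AIIs whose share of marked traffic exceeds max_share (an assumed knob;
    the paper only says 'anomalously large proportions')."""
    total = sum(table.values())
    return [aii for aii, n in table.items() if total and n / total > max_share]

def count_by_router(table: Counter) -> Counter:
    """Per-boundary-router totals: still meaningful if the client MAC was spoofed."""
    return Counter({r: sum(n for a, n in table.items() if a.router_ip == r)
                    for r in {a.router_ip for a in table}})

def trace_back(aii: AII) -> tuple[str, str]:  # the two facts the administrator retrieves
    return aii.router_ip, aii.client_mac

def demo() -> list[tuple[str, str]]:
    # Constructed traffic (documentation addresses): two ordinary clients and one flooder
    # rotating spoofed source IPs, all directly connected to the router at 192.0.2.1.
    pkts = [router_forward(Packet(f"10.0.1.{c}", f"02:00:00:00:00:0{c}"), "192.0.2.1", True)
            for c in (5, 6) for _ in range(3)]
    pkts += [router_forward(Packet(f"203.0.113.{i}", "02:00:00:00:00:99"), "192.0.2.1", True)
             for i in range(40)]
    # A packet that arrived already marked from an upstream router is forwarded untouched.
    pkts.append(router_forward(Packet("10.0.1.7", "02:aa:bb:cc:dd:ee",
                                      AII("198.51.100.1", "02:11:11:11:11:11")), "192.0.2.1", False))
    return [trace_back(a) for a in blacklist(build_hash_table(pkts), 0.5)]
```

Spoofed source IPs never enter the hash table, so they cannot hide the flooder; if the attacker instead rotates MAC addresses, per-AII counts spread thin but count_by_router still names the boundary router, which is the fallback the conclusion describes.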