A note on denial-of-service in operating systems
IEEE Transactions on Software Engineering
Routing of multipoint connections
Broadband switching
Practical network support for IP traceback
Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Space/time trade-offs in hash coding with allowable errors
Communications of the ACM
Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Tracing Anonymous Packets to Their Approximate Source
LISA '00 Proceedings of the 14th USENIX conference on System administration
ISMS '10 Proceedings of the 2010 International Conference on Intelligent Systems, Modelling and Simulation
Hi-index | 0.00 |
We describe a general-purpose distributed system capable of traceback of malicious flow trajectories in the wide area despite possible source IP spoofing. Our system requires the placement of agents on a subset of the inter-autonomous system (AS) links of the Internet. Agents are instrumented with a uniform notion of attack criterion. Deployed, these agents implement a self-organizing, decentralized mechanism that is capable of reconstructing topological and temporal information about malicious flows. For example, when the attack criterion is taken to be based on excessive TCP connection establishment traffic to a destination, the system becomes a traceback service for distributed denial of service (DDoS) attacks. As another special case, when the attack criterion is taken to be based on malicious payload signature match as defined by an intrusion detection system (IDS), the agents provide a service for tracing malware propagation pathways. The main contribution of this paper, is to demonstrate that the proposed system is effective at recovering malicious flow structure even at moderate levels of deployment in large networks, including within the present Internet topology.