IP traceback is known to be one of the most effective measures to deter Internet attacks. Various techniques for IP traceback have been suggested; among them, we focus on the Probabilistic Packet Marking (PPM) scheme with tagging. We believe PPM is more advantageous than the others because it generates no additional network traffic and requires minimal protocol change. However, three parameters need to be optimized to make PPM practical under massively multiple attack paths: the number of packets the victim must collect, the number of fragment combinations that must be tried to recover the router IP addresses, and the false positive rate. Tagging is an effective way to reduce the number of combinations, but it increases the false positive rate as the number of routers in the attack paths grows. Other PPM-related techniques suggested in the past have similar problems: they improve one or two of the parameters at the expense of the others, or they require additional data structures such as an upstream router map. In this paper, we propose a method that optimizes the three parameters at the same time and recovers the original IPs quickly and correctly even in the presence of massive multiple attack paths. Our method needs neither a combinatorial process to recover IPs nor additional information such as an upstream router map. Our results show that our method recovers 95% of the original IPs correctly with no fragment combinations and with zero false positives, and that it needs to collect only 8N packets per router, where N is the number of routers involved in the attack paths.
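As an added illustration (example code written for this page, not code from the paper, whose own method the abstract only summarizes), the Python simulation below implements a classic fragment-marking PPM scheme with a short per-router tag and measures the quantities the abstract names: how many packets the victim collects, how many fragment combinations it must try to rebuild router addresses, and whether any rebuilt address is a false positive. Everything concrete in it is an assumption: the three-path topology, the marking probability p = 0.2, the split of a 32-bit address into four one-octet fragments, the SHA-256-derived verification hash and tag, and the per-packet mark format. Routers are given addresses whose octets are distinct at every position so that fragments never coincide between routers.

```python
"""Simulation of probabilistic packet marking (PPM) with fragment marking
and a per-router tag.  Added example, not the paper's code; the marking
format, topology, probabilities and hash choices are assumptions."""
import hashlib
import random
from dataclasses import dataclass, replace
from itertools import product

K = 4  # address split into 4 one-octet fragments (assumed fragment size)

# Constructed topology (assumption): router j has address j.(j+10).(j+20).(j+30),
# so every octet position is unique per router; paths run attacker -> victim.
ROUTER = {j: f"{j}.{j + 10}.{j + 20}.{j + 30}" for j in range(1, 10)}
ATTACK_PATHS = [
    [ROUTER[9], ROUTER[7], ROUTER[5], ROUTER[3], ROUTER[1]],
    [ROUTER[8], ROUTER[6], ROUTER[4], ROUTER[3], ROUTER[1]],
    [ROUTER[2], ROUTER[4], ROUTER[3], ROUTER[1]],
]


def addr_hashes(addr: str) -> tuple[int, int]:
    """32-bit verification hash and 32-bit tag source for one router address."""
    d = hashlib.sha256(addr.encode()).digest()
    return int.from_bytes(d[:4], "big"), int.from_bytes(d[4:8], "big")


@dataclass(frozen=True)
class Mark:
    offset: int     # which fragment (0..K-1) this packet carries
    dist: int       # hops from the marking router to the victim
    addr_frag: int  # one octet of the router address
    chk_frag: int   # matching octet of the verification hash
    tag: int        # short hash of the whole address, groups its fragments


def mark_packet(path, p, tag_bits, rng):
    """Forward one packet along `path`.  Each router overwrites the mark with
    probability p; otherwise it bumps the distance of an existing mark."""
    mark = None
    for addr in path:
        if rng.random() < p:
            chk, tag_src = addr_hashes(addr)
            i = rng.randrange(K)
            octet = int(addr.split(".")[i])
            tag = tag_src >> (32 - tag_bits) if tag_bits else 0
            mark = Mark(i, 0, octet, (chk >> (8 * (K - 1 - i))) & 0xFF, tag)
        elif mark is not None:
            mark = replace(mark, dist=mark.dist + 1)
    return mark


def reconstruct(marks):
    """Victim side: group fragments by (distance, tag), try every combination
    in a complete group, keep those whose verification hash matches."""
    groups = {}  # (dist, tag) -> list of per-offset candidate sets
    for m in marks:
        cands = groups.setdefault((m.dist, m.tag), [set() for _ in range(K)])
        cands[m.offset].add((m.addr_frag, m.chk_frag))
    combos, found = 0, set()
    for cands in groups.values():
        if any(not c for c in cands):
            continue  # some fragment not seen yet: more packets needed
        for combo in product(*cands):
            combos += 1
            addr = ".".join(str(a) for a, _ in combo)
            chk = int.from_bytes(bytes(c for _, c in combo), "big")
            if addr_hashes(addr)[0] == chk:
                found.add(addr)
    return combos, found


@dataclass
class Result:
    packets: int
    marked: int
    combinations: int
    recovered: set
    false_positives: set


def simulate(paths, packets_per_path, p, tag_bits, seed=1):
    """Send packets down every attack path, then reconstruct at the victim.
    The random draws do not depend on tag_bits, so runs with the same seed
    differ only in tag width."""
    rng = random.Random(seed)
    marks = []
    for path in paths:
        for _ in range(packets_per_path):
            m = mark_packet(path, p, tag_bits, rng)
            if m is not None:
                marks.append(m)
    combos, found = reconstruct(marks)
    truth = {r for path in paths for r in path}
    return Result(packets_per_path * len(paths), len(marks), combos, found, found - truth)


if __name__ == "__main__":
    for bits in (8, 4, 0):
        r = simulate(ATTACK_PATHS, 2000, 0.2, tag_bits=bits)
        print(f"tag_bits={bits}: {r.marked} marked of {r.packets} packets, "
              f"{r.combinations} combinations, {len(r.recovered)} routers, "
              f"{len(r.false_positives)} false positives")
```

Running it with 8-bit, 4-bit and no tags shows the effect the abstract describes: with no tag every router at the same distance shares one group and the victim tries the full product of candidate fragments, while a wide tag separates routers and the combination count drops toward one per router. One caveat a practitioner should keep in mind: this simulation gives each mark a full 8-bit check octet and a separate tag field, which is far more than the 16-bit IP identification field real PPM schemes squeeze their marks into. Narrowing the check to the few bits that actually fit is what turns extra combinations into the false positives the abstract warns about, so the zero false positives seen here are a property of the generous mark format, not of the technique.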