Record Route IP Traceback: Combating DoS Attacks and the Variants

Transcription

1 Record Route IP Traceback: Combating DoS Attacks and the Variants Abdullah Yasin Nur, Mehmet Engin Tozal University of Louisiana at Lafayette, Lafayette, LA, US Abstract The Internet introduces a variety of vulnerabilities that ut the security and rivacy of comuter based systems under risk. One of the most erilous threats in the Internet is the Denial of Service (DoS) attack and its variants such as Distributed DoS (DDoS). In this work we roose a novel robabilistic acket marking scheme to infer forward aths from attacker sites to a victim site and enable the victim to delegate the defense to the ustream Internet Service Providers (ISPs). We exloit the record route feature of the IP rotocol to imlement our robabilistic acket marking scheme. Comared to the other techniques, our aroach requires less many ackets to construct the aths from attacker sites toward a victim site. Our results show that a victim site can construct the forward ath from an attacker site after receiving 2.23 ackets on the average under DoS attacks. Moreover, we construct the forward-aths grah from 5 attacker sites toward the victim site by receiving.5 ackets er attacker site, on the average. Keywords: IP traceback, Probabilistic acket marking, Record route, Denial of service attack, Distributed denial of service attack. Introduction The increasing number of cyber-attacks, acts of exloitation of comuter deendent systems, is considered to be one of the most serious threats today. The economical, social and olitical imacts of cyber-attacks have increased tremendously along with our deendency on comuter systems in the last decade. Moreover, the recent advances in Internet of Things (IoT) and Cyber-Physical Systems (CPSs) rove that this trend will only increase in the future because such systems utilize the ublic Internet as the main communication medium. One of the most erilous threats in the Internet is the Denial of Service (DoS) attack and its variations. The objective of a DoS attack is to exhaust the resources of a system until the system fails to rovide its usual services in a timely fashion. Tyically, a DoS attack involves flooding a system by legitimatelooking traffic and making the system break down comletely, work in less caacity, or fail to serve on time. However once the source of the attack is determined, it is easy to defend the system by blocking the traffic coming from the attacking site. A more severe tye of the DoS attack is the Distributed Denial of Service (DDoS) attack where a large number of hosts simultaneously attack a victim site. DDoS attackers lan their attack in advance by comromising multile hosts, scattered in the Internet, through a common vulnerability. Then, they use all comromised hosts to flood the victim site. The most recent large scale DDoS attack took lace on October 2, 26. The atack targeted the DNS infrastructure of Dyn and took some of the most oular sites offline including Netflix, Twitter, CNN, PayPal and New York Times [34]. Tyically defense against DoS attacks and the variants is carried out in four hases. The first hase involves detecting any anomaly in the incoming traffic. Once a victim site detects the anomaly, the second hase is to distinguish between the rogue traffic and the legitimate traffic. The third hase involves locating the source of the rogue traffic and/or inferring the ath from the source toward the victim site. In the last hase, the victim site mitigates the imact of the attack by alying its defense mechanism. Mitigating the imact of DDoS attacks by filtering the rogue traffic is difficult because it will induce too much overhead on the traffic filtering mechanism of the target system. Moreover, the attacker may forge the attack sites by using IP address soofing. A better aroach to defend a system against DDoS attacks is to delegate the defense to the Internet Service Providers on the ath between the attacker and the victim sites. Therefore, it is necessary to be able to infer the forward aths from attack sites to the victim site. The content of this work falls in the third hase of DoS defense: locating the source of the rogue traffic and/or inferring the ath from the source toward the victim site. Inferring the ath between two hosts from the destination site in the Internet is called IP traceback. The IP traceback roblem is a challenging one because it is not directly suorted by the IP rotocol. Reverse traceroute [24] takes the advantage of routers that coy the IP header in their ICMP resonse messages to reveal a forward ath. It requires densely distributed vantage oints as well as IP soofing suort to reveal longer forward aths in the Internet. Although the technique does not require any modification in acket forwarding, it suffers from rate limiting ractices, restricted scalability and limited router suort [25] [26] [27]. Other solutions that require modifications in acket forwarding scheme are based on acket marking. Packet marking Prerint submitted to Comuters and Security, Elsevier August 2, 27

2 is blemishing the ackets with routers IP address information while the ackets traverse the routers from the source toward the destination. There are two different acket marking schemes; Probabilistic Packet Marking (PPM) [4] and Deterministic Packet Marking (DPM) [2]. In PPM the routers on a ath robabilistically infuse their IP address information into the acket. On the other hand, in DPM only the ingress routers on a ath mark the ackets assing through them with their IP address information. In this work we roose a novel acket marking scheme based on robabilistic acket marking. We modify the record route feature of the IPv4 rotocol [3], yet our scheme can be extended to IPv6 as well [4]. Tyically, each router forwarding a acket in the Internet checks the record route otion of the acket. If the record route otion is enabled, the router inserts one of its IP addresses (referably IP address belonging to the outgoing interface) into the otions field of the acket header. Due to the restrictions regarding the size of the IP acket header [3], at most nine IP addresses can be stored in the otions field. Hence, if the otions field of the IP acket header is full, the router skis inserting its IP address. In our robabilistic scheme, a router always inserts its IP address as long as there is room in the IP otions field. On the other hand, if the IP otions field is full, a router robabilistically restarts record routing by clearing the otions field of the IP acket header. The destination site on the other hand, gradually joins the recorded IP addresses in the otions field to construct a forward-aths grah from all sources toward the destination. Basically, the destination site starts with an emty forward-aths grah and fills the grah with subaths that are reorted via record route. After receiving a acket, the destination site aligns the sequence of the IP addresses in the record route with resect to the current snashot of the grah and imlants the new route in the grah. The final grah can be used to reduce the imact of DoS/DDoS attacks in real time by delegating the defense to ISPs. Our aroach focuses on building a forward-aths toology to fortify DoS/DDoS defense systems rather than discriminating rogue traffic from legitimate traffic. We conducted several exeriments using a real world dataset to demonstrate the efficiency of our aroach under DoS and DDoS attacks. Our results show that a victim site can construct the forward ath from an attacker site after receiving 2.23 ackets on the average under DoS attacks. In DDoS attacks, the average number of ackets needed to construct a forwardaths grah decreases as the number of the attacker sites increases due to the overlaing aths toward the victim site. To illustrate, it is enough to receive.5 ackets er attack site to construct a forward-aths grah for 5 attackers. In addition, we comared our results to other robabilistic acket marking schemes: Fast Internet Traceback (FIT) [7], Authenticated Marking Scheme (AMS) [5] and Fragment Marking Scheme (FMS) [4]. Our results show that FIT needs between 244 and 5 ackets, AMS needs between 4 and 4 ackets and FMS needs between and 4 ackets on the average to construct forward aths of varying ho distances. On the other hand, our aroach requires to 229 ackets on the average for the same ath traces. The overall averages are 2.23, 457., 39.3 and for our aroach, FIT, AMS and 2 FMS resectively, regardless of the ho distance. Comared to the other robabilistic acket marking schemes our aroach (i) requires less many ackets to construct a forward ath from an attack site toward the victim site; (ii) related to the revious item, it takes less time to construct the forward ath; (iii) it does not introduce any false ositive or negative aths; (iv) it is resistant to IP soofing, i.e., we detect the true forward ath even if the attacker soofs its IP address; finally, (v) it needs even less many ackets to construct forward aths as the number of attackers increases. Reducing the required number of ackets to construct forward aths is esecially imortant as adversaries have already started to comromise IoT devices to conduct large scale DDoS attacks [32]. Larger ools of comromised devices allow the adversaries to fabricate rogue ackets soradically at random to reduce the number of ackets er attack site and make attack detection and defense more difficult. Our aroach comlies with the current IP rotocol and does not require any changes in the rotocol itself. Similar to other acket marking schemes, the roosed aroach in this study requires suort from router vendors and Internet Service Providers. The exerimental results show that our aroach can be very effective against DoS and DDoS attacks with a small overhead on the routers. A reliminary work of this study aeared in IEEE Smart- Com as a work-in-rogress aer []. In this study, we resent a theoretical model for our scheme; introduce an alternative rewrite-ski algorithm; develo an efficient forwardaths grah construction algorithm; extend our exeriments to DDoS attacks; and comare our aroach with FIT [7], AMS [5] and FMS [4]. The rest of the aer is organized as follows. In Section II, we resent the related work. We exlain the details of our aroach in Section III. In Section IV, we resent our forwardaths grah construction algorithm. Section V demonstrates our exerimental results. We discuss the advantages and limitations of our aroach in Section VI. Finally, in Section VII we conclude the aer. 2. Related Work Many aroaches have been suggested to defend systems against DoS attacks and the variants [2], [2], [22], [23]. Mirkovic and Reiher classified these attacks and their defense mechanism [6]. One of the suggested solutions named IP traceback is about finding the aths between the attackers and the victim site. The IP traceback roblem has been extensively studied in the last two decades [4], [5], [7], [], [5], [9]. The earliest work can be credited to Burch and Cheswick [3]. Their aroach is based on maing the aths from the victim site towards the attacker sites and flooding the routers on the ath to detect the source(s) of an attack. This technique assumes the aths in the internet are symmetric and introduces extra load to determine attacking site(s). Savage et al. roosed fragment marking scheme (FMS) in one of the earliest works [4]. They used 6-bit IP identification field to robabilistically mark the router information. The victim site uses the router information to construct forward aths.

3 Song et al. [5] roved that FMS aroach requires many ackets to construct the forward aths and introduces many false ositives for DDoS attack. They imroved the FMS aroach to reduce the number of required ackets for constructing the forward aths as well as to decrease the false ositive rate. Dean et al. [6] roosed an algebraic aroach to solve the IP traceback roblem. Their algorithm encodes router s IP address as a olynomial in 6 bit IP Identification field. In a later study, Yaar et al. [7] roved that this aroach is not efficient for large number of attackers. Although their aroach is similar to the latter, they use more sace for encoding to decrease the number of false ositives and reduce the number of the required ackets. Belenky and Ansari roosed a deterministic acket marking scheme [2] and they imroved their work in a later study []. In their method, the ingress routers on a ath mark every acket assing through them with their IP address information. Yaar et al. [] roosed a ath identification mechanism based on deterministic acket marking idea. They mark each acket with an identifier along a ath. Packets traveling along the same ath have the same identifier. They use the identifiers to filter ackets taking different aths. Foroushani et al. [7] divided the roblem into three main comonents: detection, traceback, and traffic control. The detection comonent involves identifying unusual, susicious activities in the incoming traffic. Then, they use deterministic flow marking techniques to find attackers. Lastly, they send messages asking for traffic adjustment to the edge routers of the attacking networks. Katz-Bassett et al. roosed reverse traceroute [24] to infer a forward ath from a destination to a source at the source host. Their aroach relies on PlanetLab [33] vantage oints and IP soofing suort to reveal longer forward aths in the Internet. Although the technique does not require any modification in acket forwarding, it suffers from rate limiting ractices, restricted scalability and limited router suort [25] [26] [27]. More imortantly, reverse traceroute fails to traceback the source of an attack when IP soofing is used to hide the location of the attack. In this aer, we roose a novel robabilistic acket marking scheme to infer forward aths from attacker sites to a victim site. We modify the record route feature of the IP rotocol. Our results show that the victim site can construct a single forward ath by 2.23 ackets on the average. 3. Methodology In this study, we exloited the record route feature of the IP rotocol and the robabilistic acket marking (PPM) technique. IP address rotocol rovides record route otion to record the route of an internet acket. An IP acket with enabled record route otion solicits each router that handles the acket to aend its IP address into the otions field. Hereby, the destination host can get the list of the routers aeared on the forward ath. Note that the maximum number of IP addresses that could be stored in the IP otions field is nine [3]. Therefore, the destination host receives the IP addresses of the first nine hos even if the ath between the two hosts is longer than nine. 3 Probabilistic acket marking schemes involve the routers that handle an IP acket to embed information into the acket. Tyically the embedded information reflects the identity of the router or the link that the acket asses through. Our scheme requires a router to robabilistically modify the otions field of an IP acket. Similar to the IP record route, a router aends its IP address (referably IP address belonging to the outgoing interface) into the otions field of a acket when there is room. Different from the IP record route, a router rewrites the otions field of a acket with robability when the otions field is full. Equivalently, the router skis rewriting the otions field of a full acket with robability. A router rewriting a full acket, swas the first IP address in the otions field by the last IP address and erases the rest of the otions field. Then, It aends its own IP address in the otions field. Figure shows an examle ath consisting of 7 routers between an attacker and a victim host. In accordance with our rewriting scheme, the first nine routers aend their IP addresses in the record route otions field of the acket, [R, R 2,..., R, R 9 ]. The tenth router on the ath rewrites the acket with robability or skis rewriting with robability. In case it rewrites the acket, the eleventh router receives [R 9, R ] in the record route otions field and aends its IP address with robability since there is room in the field. As a result, the next router receives [R 9, R, R ] in the otions field. On the other hand, if the tenth router does not rewrite the acket the eleventh router receives [R, R 2,..., R, R 9 ] in the record route otions field. Again, the eleventh router rewrites the acket with robability or skis rewriting with robability. If it rewrites then the next router receives [R 9, R ] in the record route otions field. Otherwise, the next router receives [R, R 2,..., R, R 9 ]. This rocedure reeats itself until the acket reaches to the victim site. The tree structure in Figure demonstrates all ossible record route otions field for a ath between the attacker and the victim sites. Each level in the tree reresents ackets that might be received by the corresonding router. The arrow(s) between the levels of the tree reresent the robabilistic decisions that might be made by a router before forwarding the acket to the next router. Note that each arrow is labeled by its decision robability excet the for sure cases where the robability is one. Finally, the leaves of the tree reresent all ossible record route otions fields that the victim site may receive. The leaves marked by thick lines in the tree reresent the essential record route (essentialrr) IP lists that the victim needs to receive to rebuild the forward ath correctly. The record route IP lists other than the essentialrrs (non-essentialrrs) miss one or more intermediate routers on the forward ath. On the other hand, essentialrrs hold a comlete sequence of routers on the forward ath with no missing intermediate router. Therefore, it is necessary for the victim site to receive all essentialrrs and concatenate them in the right order to build the forward ath. It is imortant to note that the last IP address in an essentialrr is the first IP address in the next essentialrr. Additionally, we use two control bits in the IP acket otions field to stam ackets with a acket tye. Control bits, and denote essentialrr ackets while reresents non-

4 Attacker R Emty Packet R2 [R] R3 [R,R2] R9 [R:R] R [R:R9] - R R2 R6 R7 Victim [R9:R] [R:R9] - [R9:R] - [R9,R] [R:R9] [R9:R5] [R9,R:R5] [R9,R2:R5] [R9,R3:R5] [R9,R4:R5] [R9,R5] [R:R9] - [R9:R6] [R9,R:R6] [R9,R2:R6] [R9,R3:R6] [R9,R4:R6] [R9,R5:R6] [R:R9] [R9,R6] - [R9:R7] [R9,R:R7] [R9,R2:R7] [R9,R3:R7] [R9,R4:R7] [R9,R5:R7] [R9,R6:R7] [R9,R7] [R:R9] Figure : All ossible record route otions field for an examle ath between the attacker and the victim sites essentialrr ackets. The control bits are initially set to when a acket is created and they are subject to change by the routers handling the full ackets. denotes the initial control bits. Note that in case the ho distance between the attacker and the victim site is less than or equal to nine, the victim site only gets an essentialrr acket with control bits because there is no rewrite or ski-rewrite oeration. stands for the last essentialrr acket where the ho distance is greater than nine. denotes any essentialrr acket excet the last one where the ho distance is greater than nine. stands for any non-essentialrr acket. Algorithm resents the rewrite and ski-rewrite seudocode. The algorithm exects the record route otions field (RROtions) of an IP acket consisting of an RRIPAddr subfield accommodating a vector of IP addresses and a ControlBits sub-field holding two control bits that reresent the acket tye. Also it exects the IP address of the current router handling the acket as inut. Finally, it returns an udated record route otions field (RROtions). If the router robabilistically decides to rewrite, the algorithm executes lines to 2. In case the router skis rewriting, the algorithm executes lines 3 to 2. At line 2, the algorithm stores the last IP address in the record route otions vector into a temorary variable. It erases the elements of the vector at line 3. At line 4 and 5, it aends the IP address stored in the temorary variable and the IP address of the current router. Finally, it udates the control bits between the lines 6 and 2. If the ho distance between the attacker and the victim sites is less than or equal to nine, any received acket from the attacker is considered to be an essentialrr. In case not, a acket is an 4 Algorithm Rewrite / Ski-Rewrite Algorithm Inut: RROtions IP record route otions field Inut: IP Current router IP address Outut: RROtions udated record route otions field : if Router decides to rewrite then 2: tem = RRIPAddr.get(9) 3: RRIPAddr.erase() erase all IP addresses 4: RRIPAddr.aend(tem) 5: RRIPAddr.aend(IP) 6: if ControlBits equal to then 7: udate to : else if ControlBits equal to then 9: udate to : else and case : do not udate bits 2: end if 3: else router decides to ski rewriting 4: if ControlBits equal to then 5: udate to 6: else if ControlBits equal to then 7: udate to : else and case 9: do not udate bits 2: end if 2: end if essentialrr acket only if all routers ski rewriting when the first router receiving a full acket skis rewriting. Otherwise, the acket is considered to be a non-essentialrr acket. Line 7 is executed when the th router decides to rewrite to denote that the ho distance is larger than nine. Line 9 is executed by a rewriting router which is not the very first one receiving a full acket to denote that it is a non-essentialrr acket. Lastly, line is executed by a rewriting router to denote that the acket is either non-essentialrr or the last essentialrr. Similarly, line 5 is executed when the th router decides to ski-rewrite to denote that the ho distance is larger than nine. Line 7 is executed by a ski-rewrite router to denote

5 that the acket is an intermediate essentialrr. Lastly, line 9 is executed by a ski-rewrite router to denote that the acket is either a non-essentialrr or the last essentialrr. Note that, once the ControlBits is set to, it remains as to denote that the acket is not an essentialrr, i.e., the RRIPAddr sub-field misses one or more routers on the ath ( ) 3.. Probabilistic Model Let essentialrrv be an ordered list of essentialrr ackets that are needed to build a forward ath from the attacker toward the destination. Given that the ho distance from the attacker to the victim site is h, where h >, the total number of the required essentialrrs is h. By definition the total number of the required essentialrrs is one when h =. Let k, k h, be the osition of an essentialrr in the list such that essentialrrv[k] refers to the k th essentialrr acket. Note that all essentialrrs excet the last one hold nine IP addresses. Assuming that the ho distance from the attacker host to the victim site is h, the last essentialrr always contains h (k ) IP addresses. Moreover, let i, i 9, be the index of an IP address located in an essentialrr. That is, essentialrrv[k][i] denotes the IP address located in the k th essentialrr at osition i. The ho distance of the IP address at the essentialrrv[k][i] can be calculated by (k ) + i. To illustrate, let the ho distance between two hosts be 2. The required number of essentialrrs is 2 = 3. The first two essentialrrs contain the IP addresses located at hos [ : 9] and [9 : 7], resectively. The third essentialrr contains four IP addresses, 2 (3 ) = 4, located at hos [7 : 2]. In order to calculate the average number of the ackets to build a forward ath, we need to comute the robability to receive each essentialrr. In the following we detail the robability of receiving essentialrrs. Remember that as long as the record route otions (RROtions) field of an IP acket is not full, each router aends its IP address in the RROtions. In case the RROtions field is full, a router rewrites it with robability and skis rewriting with robability (Algorithm ). Note that all essential- RRs strictly hold nine IP addresses excet the last one. The last essentialrr contains nine IP addresses if the number of the hos between the two hosts is equivalent to h x + where x Z +. Otherwise, the last essentialrr contains h (k ) IP addresses. In order for the destination to receive the k th essentialrr, there must be k rewrites immediately after the RROtions field of a acket gets full. Since the last rewrite reserves two IP addresses in the RROtions, the following routers aend their IP addresses until the RROtions is full, once again. Once the RROtions of the k th essentialrr acket is full, the remaining routers (if any) must ski rewriting. Hence, the robability of receiving the k th essentialrr, P{k}, is X:.4 Y: Figure 2: Best value for k 7k+2 ( ) h (k+) ; if k < h P{k} = k h k+ ; otherwise where h denotes the rank of the last essentialrr. In Equation, the first k routers receiving a full RROtions rewrite with robability and the following routers receiving a full RROtions ski rewriting with robability. Moreover, the terms 7k+2 and h k+ are syntactic sugars reresenting the routers that aend their IP addresses with robability when there is room in the RROtions. Note that in case k refers to the last essentialrr the second iece of the function in Equation comutes the relevant robability because there is not any routers skiing the rewrite oeration after the last rewrite. P{essentialRR} = () h P{k} (2) Equation 2 denotes the robability of receiving an essentialrr. Maximizing Equation 2 in terms of allows us to increase the robability of receiving an essentialrr. On the other hand, the resulting robability scheme may favor some of the essentialrrs comared to the others which may cause disfavored essentialrrs aear rarely. A better aroach would be assigning a uniform-like robability to each essentialrr as shown in Equation 3 k= P{k} = P{k + } k ( ) h (k+) = k ( ) h ((k+)+) ( ) = =.4 (3) where k < h. Figure 2 shows the otimal value of with resect to Equation 3. Our exerimental results show that the otimal =.4 works well for all essentialrrs including the last essentialrr.

6 3.2. Exected In this section we study the exected number of ackets needed to construct a single forward ath at the victim site. Our aroach can be considered as a modification of the classical Couon Collector s Problem [9]. The Couon Collector s Problem involves the usual setu for a collect all couons to win contest. Assume that there are k different couons that one has to collect to win a rize. Each couon has the same robability of being drawn and a erson draws a new couon each time with relacement. The Couon Collector s Problem examines the average number of the required draws to collect each tye of couon at least once. In our roblem each essentialrr corresonds to a couon. The destination site needs at least one instance of each essentialrr to construct a single forward ath. Unlike the classical roblem, the destination site receives non-essentialrrs as well. Moreover, the robability of receiving a non-essentialrr is not equal to the robability of receiving an essentialrr. Similar to the revious section, let h be the number of hos between a source and a destination. Then, the total number of distinct essentialrrs is m = h. Let P{k} given in Equation be the robability of receiving the k th essentialrr. Re- gardless of the order of essentialrrs, assume that i essentialrrs have already been collected at least once. Then, the robability of receiving a new essentialrr that was not collected before is i = [m (i )] P{k}. To ut in other words, i is the robability of receiving the i th unobserved essentialrr after observing i essentialrrs regardless of the order. Let T i be a random variable denoting the number of the ackets to be received in order to get the i th new essentialrr, given that i essentialrrs have already been collected. The.m.f of T i is P{T i = t} = i ( i ) t. The exected value of E[T i ] (Equation 4) gives us the average number of ackets to observe a new essentialrr, given that i essentialrrs have already been collected. E[T i ] = t i ( i ) t t= = i t ( i ) t t= = i ( i ) [ ( i ) t ] = i = i 2 i t= ( i ) [ i i ] = i (4) where the final ste is calculated by differentiating and integrating the right hand side of Equation 4 with resect to i. Finally, T = m i= T i is the total number of received ackets to collect all essentialrrs at least once. That is, E[T] (Equation 5) 6 is the total number of ackets required to construct a comlete forward ath using all essentialrrs. E[T] = = k E[T i ] i= k i= i (5) Note that E[T] in Equation 5 gives the exected value for h x + which also serves as an uer bound for the cases that do not satisfy the equivalence. To illustrate, it requires., 7.96 and 5.6 ackets on the average for ho distances 9, 7 and 25, resectively. At most 7.96 ackets are needed to construct a forward ath between two hosts if they are 9 to 7 hos aart. 4. Forward-Paths Grah Construction The victim site gradually joins the recorded IP addresses in the otions fields of the received ackets to construct a forwardaths grah from all sources including the attacker sites. The forward-aths grahs is a directed grah reresenting multile aths from sources toward the victim site. The victim site starts with an emty forward-aths grah and fills the grah with subaths that are reorted via record route otions field. After receiving a acket, the victim site aligns the sequence of the recorded IP addresses with resect to the current snashot of the grah and imlants the new route in the grah. In order to form a comlete forward ath from a single source, the victim site needs to get at least one instance of each essentialrr on the ath. Remember that, the victim site uses the ControlBits sub-field to determine the tye of a received acket (Section 3). Moreover, essentialrrs hold a comlete sequence of routers on the forward ath with no missing intermediate routers. On the other hand, non-essentialrrs miss one or more intermediate routers on the forward ath. The missing routers can only aear between the first and the second reorted IP addresses in a non-essentialrr acket because a rewrite oeration after one or more skiing routers allow room for the following routers to aend their IP addresses. To ut in other words, all IP addresses after the first IP address in a non-essentialrr acket belong to consecutive routers in our scheme. Our forward-aths grah construction algorithm utilizes those IP addresses in nonessentialrrs in addition to the ones in essentialrrs to minimize the required number of the ackets to build a forward-aths grah. Algorithm 2 resents the forward-aths grah construction seudocode. The algorithm exects the record route otions (RROtions) field of a received acket, as well as the current snashot of the forward-aths grah. It udates the inut grah by inserting the links of the ath in the RROtions field. At lines -5, the algorithm checks if the received acket holds an essentialrr or not and sets the alignment index that marks the beginning of the consecutive IP addresses. The for loo at line 6 rocesses each air of consecutive IP addresses in the RROtions field. Secifically, lines 7 and define the variables holding two consecutive IP addresses. Lines 9 and 2 check if the

7 Algorithm 2 Forward-Paths Grah Construction Inut: G(V, E) current grah Inut: RROtions IP record route otions field of received acket Outut: G(V, E) udated grah : if ControlBits is then 2: startindex = non-essentialrr 3: else essentialrr 4: startindex = 5: end if 6: for i = startindex to RRIPAddr.length do 7: IP i = RRIPAddr.get(i) : IP i+ = RRIPAddr.get(i + ) 9: if IP i not in the grah then : create new IP i node : end if 2: if IP i+ not in the grah then 3: create new IP i+ node 4: end if 5: if no link between IP i and IP i+ in the grah then 6: insert link f rom IP i to IP i+ 7: end if : end for Number of Path Traces 6 x Ho Distance 25 Figure 3: iplane Ho distance distribution related IP addresses are already in the grah and adds them in case not. Finally, line 5 adds the link between those IP addresses if it is not already in the grah. The victim site kees the forward-aths as a grah in its memory and udates it as the ackets arrive. In general, grahs are either reresented as adjacency matrices or adjacency lists. In our imlementation, we reresented the forward-aths grah as an adjacency list because the the IP-level grah reresentation of the Internet is sarse. Therefore, our memory comlexity is O( V + E ) where V reresents the IP addresses and E corresonds to the links between the routers of the two consecutive IP addresses aearing on a ath trace. Obviously, the ractical memory comlexity deends on the imlementation as well as the imlementation language. The time comlexity of the algorithm is O( V + E ) because for each IP address the algorithm locates the successor among the neighbours of the IP address. 5. Exerimental results In this section we emirically demonstrate the efficiency of our algorithm using a real world dataset. We used the iplane interface-level atlas dataset [] consisting of more than 5 million (5,65,26) ath traces collected from more than 5 vantage oints. The dataset consists of 46, 79 different IP addresses and 2, 67, 25 links between them. iplane collects this dataset by sending traceroute robes to all routable IP refix clusters [29]. Note that we only included the loo-free ath traces that reach to their secified destinations. The minimum and maximum ho lengths in our dataset are and 3, resectively. The average ho length is 6.23 and the ho length distribution is symmetric-like as shown in Figure 3. Moreover, we assume that the routers on a ath between an attacker and a victim site are not comromised. In case the routers along the 7 Average Ho Distance Figure 4: Average number of ackets needed to construct a ath from an attacker toward a victim site with resect to the ho distance. The red line shows the overall average at 2.23 ackets attacking aths are comromised our technique will fail like any other robabilistic acket marking scheme. We first conducted two exeriments for DoS and DDoS. In the DoS case, we randomly icked a single attacker and a victim IP addresses. Next, we ran our Matlab rocedure which emulates the aroach resented in Section 3. We gradually constructed the forward-aths grah from the attacker IP address toward the victim IP address. Our results show that a victim site can construct the forward ath from a single attacker site after receiving 2.23 ackets on the average. However, the number of ackets needed to build a forward ath deends on the ho distance between the attacker and the victim site. Figure 4 shows the average number of ackets needed to construct a forward ath with resect to the ho distances between the attacker and victim sites. Obviously, the number of ackets needed to build a forward ath increases (non-linearly) as the distance increases. Particularly, it reaches to 229 ackets at ho distance 3. Moreover, the figure

8 Ho Distance Figure 5: Emirical distribution of the number of the required ackets er ho distance to construct a forward ath demonstrates jums at ho distances 9, 7 and 25 according to h x+ where x Z + (Section 3). Because the number of the required essentialrrs increases after the boundaries 9, 7 and 25, meaning that more ackets needed to construct a forward ath. In theory, the required number of ackets to construct a ath grows non-linearly as the ho distance increases. However, this theoretical disadvantage does not affect our scheme in ractice because the diameter of the Internet is reorted to be around 3 [2]. This figure comlies with our extensive iplane dataset which reveals maximum ho distance as 3 out of more than 5 million ath traces. Considering that the diameter of the Internet is 3 in our iplane snashot, the non-linear increase in the average required number of ackets is bounded by 229 in ractice. To rovide the reader with more insight, Figure 5 shows box lots of the required number of ackets er ho distance. In this exeriment, we randomly chose 5 ath traces er each ho distance. Next, we comuted the distribution of the number of the required ackets with resect to the ho distances. In the figure, the box lots show the first, second (median) and the third quartiles. For each ho distance, the average number of ackets is shown by a + sign. The outlying cases are shown by dots. In comliance with Figure 4, the average number of ackets increases as the ho distance increases. Figure 5 shows that the variance also increases as the ho distance increases beyond 26. Obviously, this introduces outlying cases where the required number of ackets changes from 275 to 4 for ho distances 26 thru 3. However, the ECDF lots in Figure 6 show that in 95% of the cases the number of the required ackets change between 35 and 494. Moreover, reading Figure 5 along with Figure 3 shows that not only the robabilities of having the outliers are low but also the number of long ho distances are small in the Internet. That is, in Figure 3 the aths of length 26 or more only corresonds to the 2.2% cases. As a result the joint robability of having a long ath and an outlier case becomes very small. ECDF ECDF ECDF Ho distance 26 X: 35 Y:.95 5 Ho distance 2 X: 39 Y: Ho distance 3 X: 456 Y: ECDF ECDF ECDF Ho distance 27 X: 362 Y:.95 5 Ho distance 29 X: 42 Y: Ho distance 3 X: 494 Y: Figure 6: ECDF for ho distances 26 to 3 out of 5 samles Table shows theoretical (Section 3.2) and exerimental average number of ackets needed to build a forward ath between an attacker and a victim site. The table shows average number of the required ackets for boundary ho distances 9, 7, 25 and 33. For any other ho distance between any of the two boundaries the larger boundary gives the uer limit of the average number of the required ackets. The theoretical results are slightly different from the exerimental results due to the randomness factor in our exeriments. Lastly, there is no exerimental figure for ho distance 33 in the table because the maximum ho distance in our real world dataset is 3. Probabilistic acket marking aroaches in the literature use the IP ID field of IP ackets which is two bytes. Because those aroaches either fragment IP addresses or their hashes or encode consecutive IP addresses, they may introduce false ositive or negative aths. On the other hand, our aroach

9 Table : Comaring theoretical and exerimental average number of ackets w.r.t. boundary ho distances Attacker4 Attacker3 Attacker2 Ho Distance Average number of ackets (Theoretical) Average number of ackets (Exerimental) Attacker 6 x 5 95th ercentile comlete ath construction 5 Attacker Victim Attacker Attacker Number of Path Traces Attacker2 Attacker3 Attacker 3.2 Attacker4 Attacker5 Attacker6 Attacker Ho Distance Figure : An examle DDoS attack showing ath merges Figure 7: Comlete ath construction at 95th ercentile stitches artial aths together such that each artial ath is correct. Moreover, the forward ath construction rocedure given in Algorithm 2 stitches the artial aths according to their beginning and ending IP addresses. Therefore, our aroach does not roduce any false ositives or negatives. However, at any time the forward-aths grah may have incomlete aths due to the lack of the required ackets. As a result, we analyse our aroach in terms of artial/comlete aths rather than false ositives/negatives. Figure 7 shows the number of the ackets required to fully construct a forward ath from an attacker toward a victim at 95% of the time. Since the number of the required ackets deends on the ho distance, we suerimose the ho distance frequency along with 95 ercentile line. In the figure, the required number of ackets to construct 95 ercentile forward aths increases as the ho distance increases. Particularly, it jums from 4 to 35 at ho distance 26. However, as shown in the same figure the number of ath traces having ho distance 26 or more corresonds to only 2.2% of all ath traces. In our next exeriment, we emulated DDoS attack for,, 2, 3, 4 and 5 randomly chosen attackers. Instead of assuming that each attacker conducts an indeendent DoS attack, we gradually augmented the forward-aths grah after receiving a acket regardless of its source. In this way, we built the DDoS forward-aths grah by using less many ackets on the average because the forward aths from attacker sites 9 tend to merge towards the victim site. Figure illustrates a DDoS attack conducted from 4 attacker sites toward a victim site. In the figure, the aths taken by the DDoS ackets merge at various routers. The link colors between the routers reflect the merging traffic toward the victim site using a color gradient from light gray to black. Table 2 resents the required average number of ackets er attacker site to build a comlete forward-aths grah for DDoS attacks of,, 2, 3, 4 and 5 attacker sites. Remember that the victim site needs 2.23 ackets on the average to construct the forward-aths grah in a DoS attack. In Table 2, the average number of ackets decreases as the number of the attackers increases. The reason behind this is the fact that aths from multile sources to a single destination merge toward the destination in the Internet. Hence, our technique requires less many ackets to build a comlete forward-aths grah for a DDoS attack. Table 2: Average number of ackets w.r.t. number of attacker sites in DDoS Number of attacker Average number of sites ackets

10 Our Method FIT AMS FMS 6 5 Our Method FIT AMS Average Reconstruction Time (millisecond) Ho Distance Number of Attackers Figure 9: Our aroach comared to FIT, AMS and FMS under DoS attacks Figure : Our aroach comared to FIT and AMS under DDoS attacks In the following, we comare our results to other acket marking schemes: Fast Internet Traceback (FIT) [7], Authenticated Marking Scheme (AMS) [5] and Fragment Marking Scheme (FMS) [4]. We imlemented FIT s 4/3 (n/n ma ) scheme with 95% robability of reconstruction, AMS s m > 5 scheme with the marking robability.4 and FMS with the marking robability.4 as used in the corresonding aers. To achieve a fair comarison, we started the emulation at time zero for all methods where the victim site does not have any information about the toology. For each ho distance in iplane dataset, we selected 5 random ath traces where the source of the trace is an attacker and the destination is the victim site. Then, we comuted average number of required ackets to build forward aths by reeating the exeriment times. Figure 9 shows that FIT needs between 244 and 5 ackets, AMS needs between 4 and 4 ackets and FMS needs between and 4 ackets on the average to construct forward aths for varying ho distances. On the other hand, our aroach needs to 229 ackets on the average for the same ath traces. The overall averages are 2.23, 457., 39.3 and for our aroach, FIT, AMS and FMS resectively, regardless of the ho distance. On the other hand, these methods use two bytes (IP identification field) er acket and we use 4 bytes (record route field). As a result, our aroach consumes more bandwidth comared to them (Section 6). In our imlementation we reresented ath grahs by adjacency lists for all aroaches because the IP-level Internet toology is sarse. Therefore, all aroaches have comlexity O( V + E ). Next, we emirically comare the methods with resect to forward-aths grah construction time where the number of attackers vary from to 5 samled at every 5 attackers. We assume that all routers, links and traffic loads in the network are identical and the attackers generate ackets with the same rate, i.e., one acket er millisecond. Note that this exeriment is to show the relative time differences among different aroaches. In our exeriment, we randomly chose the attackers regardless their ho distances to the victim. To imrove our confidence, we reeated the exeriment times and comuted the average time. Figure shows the results of our exeriment. In the figure, x-axis resents the number of attackers and y-axis resents the grah reconstruction time (ms) in log scale. Note that, we omitted FMS because the aroach did not scale after attackers. That is, FMS took several hours to construct the ma even for attackers. In the figure, the rate of the forward-ath grah construction time decreases as the number of attackers increase due to the overlaing aths from the attackers toward the victim in our aroach. The figure shows that our aroach takes 2.42 milliseconds to.5 seconds to construct the grah for to 5 attackers. On the other hand, FIT and AMS require milliseconds to seconds and 56. millisecond to seconds for the same to 5 attackers, resectively. 6. Discussions Different from the revious robabilistic acket marking schemes, we exloited the IP record route field rather than the IP ID field of the IP rotocol. The IP ID field is only two bytes whereas the record route field allows us to utilize 4 bytes. Therefore, our technique consumes more bandwidth comared to others. Assuming that T is the IP traffic volume in bytes er second and l is the average IP acket length in bytes, T = n denotes l the number of ackets er second. Holding n fixed, let T be the traffic volume when we use an additional 4 bytes to construct forward aths. T = (l + 4) n will be the new traffic volume under our scheme. Then, T T = 4 denotes our traffic overhead. It is reorted that the IP acket length changes between T l 4 to 5 bytes deending on the communication rotocols and alications with a strong mode around 3 bytes [3]. Using the mode as the reference acket length, our aroach 4 introduces 3.7% additional traffic. 3

11 Minimum number of ackets (Exerimental) Ho Distance Figure : Minimum number of ackets to construct a forward ath (Exerimental) According to the Verizon s Data Breach Investigations Reort in 26 DoS attacks are either large in magnitude or they are long in duration, but tyically not both [3]. The reort confirms that the majority of the DDoS attacks last from a few hours to 4 days or more. The reort also states that a DDoS attack camaign generates.9 Ms (million ackets er second) on the average. Obviously, rogue acket rate er attack site deends on the total number of the attackers which can easily scale u to hundreds of thousands of comromised machines. As a result each attack site can generate a dozen ackets er second on the average. Recently, hackers comromise IoT devices to conduct large scale DDoS attacks [32]. This new trend will increase the average size of botnets which in turn may reduce the number of ackets er attack site. In theory (Section 3.), the minimum number of required essentialrr ackets to construct a forward ath is one for -9 hos, two for -7 hos, three for -25 hos and four for 26-3 hos. However, receiving only essentialrrs is very unlikely, e.g., for ho distance 2 the robability of immediately receiving all essentialrrs is ( 3 ( ) 4 from Equation ). To estimate the emirical minimum number of required ackets, we selected 5 random ath traces where the source of the trace is an attacker and the destination is the victim site. Then, we comuted minimum number of required ackets to build forward aths by reeating the exeriment times. Figure shows the exerimental minimum number of ackets to construct forward aths. The figure follows the theoretical minimum number of ackets u to ho length 25. Since the variance increases after 25 hos (Figure 5) the minimum number of ackets changes between 7.53 to 4. for hos 26 to 3, on the average. Note that, Figure catures the minimum even if it aears once out of 5 ath traces. Therefore, while Figure gives us the minimum boundary, Figure 4 resents the realistic case in the long run. Obviously in case an attack site generates less many ackets, constructing the forward aths becomes highly unlikely in our aroach. Finally, similar to other acket marking schemes, the roosed technique in this study requires suort from router vendors and Internet Service Providers. In case the suort is artial, the forward-aths grah that our algorithm generates would be artial. Nevertheless, a artial grah can still be beneficially to reduce the imact of DoS attacks and the variants in the Internet. 7. Conclusions The Internet introduces a variety of vulnerabilities that uts the security and rivacy of comuter based systems under risk. One of the most erilous threats in the Internet is the Denial of Service (DoS) attack and the variants such as Distributed DoS (DDoS). In this work, we roosed a novel robabilistic acket marking scheme to infer forward aths from attacker sites to a victim site to delegate the defense to the ustream Internet Service Providers (ISPs). We exloit the record route feature of the IP rotocol to imlement our robabilistic acket marking scheme. In our method, a router inserts its IP address in the record route otions field of a acket with robability as long as there is room. On the other hand, if there is no room in the otions field, the router rewrites the otions field with robability or skis rewriting with robability. We also resented an algorithm to construct a forward-aths grah from multile attacker sites to a victim site. The algorithm starts from an emty forward-aths grah and gradually builds u the grah by incororating the sub-aths reorted in the record route otions field of the received ackets. Our results show that a victim site can construct the forward ath from an attacker site after receiving 2.23 ackets on the average for DoS attacks. In DDoS attacks the average number of ackets needed to construct a forward-aths grah decreases as the number of the attacker sites increases due to the overlaing aths toward the victim site. To illustrate, it is enough to receive.5 ackets er attacker site on average to construct a forward-aths grah from 5 attacker sites toward the victim site. Comared to the other techniques, our aroach requires less many ackets to construct the aths from attacker sites to a victim site. However, our technique consumes more bandwidth because it utilizes the 4 bytes record route otions field of the IP header. Finally, source code of our technique is ublicly available at our roject website [2]. [] A. Y. Nur, M. E. Tozal, Defending Cyber-Physical Systems against DoS Attacks, IEEE International Conference on Smart Comuting, Smart- Com, May 26 [2] Network Science Research Grou, University of Louisiana at Lafayette - htt://nsrg.louisiana.edu/ [3] H. Burch, B. Cheswick, Tracing anonymous ackets to their aroximate source, in Proc. of 4th Systems Administration Conference, USENIX, December 2 [4] S. Savage, D. Wetherall, A. Karlin, T. Anderson, Network suort for IP traceback, IEEE/ACM Transactions on Networking, vol. 9, no. 3, , 2 [5] D. Song, A. Perrig, Advanced and Authenticated Marking Schemes for IP traceback, in Proc. IEEE INFOCOM, Aril 2.