Packet track and traceback mechanism against denial of service attacks

Transcription

1 September 2008, 15(3): The Journal of China Universities of Posts and Telecommunications Packet track and traceback mechanism against denial of service attacks LI Li, SHEN Su-bin Institute of Information Network Technology, Nanjing University of Posts and Telecommunications, Nanjing , China Abstract The denial of service attack is a main type of threat on the Internet today. On the basis of path identification (Pi) and Internet control message protocol (ICMP) traceback (itrace) methods, a packet track and traceback mechanism is proposed, which features rapid response and high accuracy. In this scheme, routers apply packet marking scheme and send traceback messages, which enables the victim to design the path tree in peace time. During attack times the victim can trace attackers back within the path tree and perform rapid packet filtering using the marking in each packet. Traceback messages overcome Pi s limitation, wherein too much path information is lost in path identifiers; whereas path identifiers can be used to expedite the design of the path-tree, which reduces the high overhead in itrace. Therefore, our scheme not only synthesizes the advantages but also compromises the disadvantages of the above two methods. Simulation results with NS-2 show the validity of our scheme. Keywords denial of service (DoS) attack, traceback, packet marking, Pi 1 Introduction The DoS attack is a main threat to the Internet. In flooding-style DoS attacks, the attacker sends large amount of packets to a single victim, exhausting the victim s communication or computing resources in a short time. Even worse, the attacker often hides his true identity with various means such as spoofing, which complicates the attack. As a variation of DoS attack, the distributed denial of service (DDoS) attack is more destructive, in which multiple compromised machines send large numbers of packets to the victim. For example, in February 2000, several high-profit sites including Yahoo, ebay, and Amazon were brought down for hours by DDoS attacks, wherein they were flooded by tens of thousands of legal connections which made servers inaccessible [1]. Many researchers have studied countermeasures. A common solution is the IP traceback technique, whose principle is to redesign the path that the packets take from the attacker through the Internet to the victim. With knowledge of attack paths, defenders can take measures upstream from the victim, e.g., filter attack packets before they reach the victim. Some nice analysis of IP traceback technique can be found in Refs. [2, 3]. In DDoS attacks, the number of attack paths is far beyond that in DoS attacks, where redesigning thousands Received date: Corresponding author: LI Li, lli@njupt.edu.cn of paths would cripple the performance of this technique. For example, the experiment results in Ref. [4] show that fragment marking scheme (FMS) proposed by Savage et al. has a very high computation overhead for the victim to redesign the attack paths and gives a large number of false positives when the attack originates from multiple attackers. Therefore, IP traceback is not that practical in DDoS attacks. Yaar et al. [5] argued that redesigning the exact path is not that necessary in defending against a DDoS attack. They proposed Pi mechanism, in which each packet takes an identifier as an indication of the particular path that the packet takes, making it possible to isolate and discard packets from different paths. This scheme has many benefits compared with IP traceback. IP traceback technique can maintain high accuracy at the price of complexity, time or large-scale deployment. For example, probabilistic packet marking (PPM) scheme [6] needs to collect large numbers of packets before it is able to redesign the path; the device logging method [7] demands close cooperation among routers. In contrast, Pi is light-weight because it imposes slight computation and storage overhead on routers and the victim, it is simple and feasible in deployment because it does not require any cooperation between routers, and it is rapid in responsiveness because the decision can be made on a single-packet basis. However, there are still several disadvantages in the current design that limit its use. One is that the path identifier can not be guaranteed to be globally unique; there are collisions among identifiers of

2 52 The Journal of China Universities of Posts and Telecommunications 2008 different paths which could reduce the accuracy. The other one is that path identifiers provide little information besides the indication to distinguish different paths, which confines its application range. We observe that there is no single approach that can defend against (D) DoS attacks effectively by itself; there should be a combination among various schemes with different merits. Pi is a tracking technique in nature, which is powerful in mitigating the impact of DoS attacks but unable to locate the origin of the attack, which is the motivation of IP traceback technique. In this article, we explore how to incorporate Pi with the IP traceback technique itrace [8], with the objective to integrate their merits and compromise their weaknesses. We propose a packet track and traceback (PTT) mechanism. The process is that: routers apply Pi s marking scheme to mark passing packets, and they also send ICMP traceback messages, which is designed in itrace method. In peace time, the destination host collects path identifiers carried in packets and traceback messages sent by routers to design a path-tree that reflects the network topology with itself as the center. In the times when there is an attack, besides filtering attack packets at home, the victim can traceback to their origins within the path-tree and take measures to filter packets upstream. In our scheme, ICMP traceback messages provide detailed path information, allowing destinations to map path identifiers into full paths, which enables traceback operations. Designing the path-tree to store path information is effective and allows traceback operations to be carried out locally instead of going through the network. Furthermore, unlike the schemes, such as itrace, which are only invoked during times under attack, the path-tree in our scheme is designed in peace time, which is insensitive to convergence time. Performing traceback locally is more efficient than performing it all over the network. Moreover, stresses that holding topology information is helpful in defending against DDoS attack [4]. The path-tree could be regarded as a pre-generated map of network topology and also reflects the communication pattern of the host to some extent. In a DDoS attack, in order to develop rapidly responsive packet filters to protect it, the victim can drop packets that are not originated within the path-tree. In this way, some normal traffic could be retained before attackers are located or upstream nodes take measures for it. Some concepts used in packet track and traceback mechanism such as marking-bit-pattern and path-tree are defined as follows: Definition 1 Marking-bit-pattern. Divide the marking field in the packet into some number, n, of smaller nonoverlapping fragments, where each fragment is a marking-bit-pattern as shown in Fig. 1. If the total length of the marking field is m b, then the length of a marking-bit-pattern is m/n b. Upon forwarding a packet, the router creates a marking and inserts it into one marking-bit-pattern. At the destination, the value of the marking field is taken as the path identifier. Fig. 1 Relation of path identifier and marking-bit-pattern Definition 2 Path-tree. It is a tree structure as seen in Fig. 2, with D as the root, S x s as leaves, and R y s as internal nodes. D could either be a single host or a device representing many hosts. Nodes R y s represent the routers and leaves S x s represent the origins of packets destined to the root. A leaf S x could either be a single host or a bunch of hosts under the same router. A path from S x is the ordered list of routers between S x and D that the packets have traversed, for example, the path from S 1 to D is <R 6, R 3, R 1 >. Fig. 2 An example of the path tree The rest of this article is structured in the following way. In the next section we analyze Pi s packet marking scheme. Section 3 outlines our scheme and characterizes the algorithms for implementing it. In Sect. 4 we present the simulation experiments showing the scheme s validity under a DoS attack and conclude the article in Sect Analysis of Pi s packet marking algorithm In Pi s marking scheme, the 16-bit IP identification field is used to hold the marking, which is the same as in our scheme. In Pi, for each passing packet, the router uses the TTL value as the index to insert the marking into the IP identification field. The marking is computed by the router using a Hash function whose input is the IP address of the last-hop router in the path and its own IP address. Clearly, the packet marking is deterministic all packets traversing the same path carry the same marking. But it can not guarantee that the path identifier is globally unique, that is to say, different paths may have the same identifier, because each router only has local knowledge of a particular path and the space of the marking field is limited. The collision problem of path identifiers may lead to some problems in defending against (D) DoS attacks. Among

3 Issue 3 LI Li, et al. / Packet track and traceback mechanism against denial of service attacks 53 these, packets outside the attack paths may be filtered and the probability would rise because the number of attack paths increases. To have an indepth view of Pi s marking scheme, particularly the collision problem, we design two marking schemes and perform two sets of experiments. In the experiments, the Internet is modeled as a complete-binary tree referred to Ref. [5], rooted at the destination host. We assign a value to each node in the tree that can be used as the marking. The path identifier is 16 b and the marking-bit-pattern is one bit, so the identifier could hold markings of 16 routers at most. The ith node in a path inserts its marking into the jth marking-bit-pattern, where j equals i mod 16. The two marking schemes are depicted as follows: Marking scheme 1 Set the value of node i as i mod 2, then it is uniformly distributed. Each node takes its own value as the marking. In this scheme, collisions might be induced in two cases. One of the paths is that with different length, which might be contained by one another, for instance, <R 3, R 2, R 1 > and <R 2, R 1 > is such a case; the other one is that nodes close to the victim might overwrite the markings of nodes farther away because of the limited space in the marking field. Marking scheme 2 Set a random value to each node, then it is randomly distributed. Each node takes the value of its child from which the packet comes as the marking. We take it as an idealization of Pi s edge marking scheme. In each set of the experiments, we randomly select a given number of unrepeating nodes to send packets to the root, then compute their path identifiers and calculate the collision rate. We count collisions in two ways. One is the same with Pi: if two identifiers are the same, we count it as one collision. In the other way we take path lengths into account, where path length is the number of nodes that the packet has traversed. If two identifiers as well as their path lengths are the same, we count it as one collision. The collision rate equals the number of collisions divided by the total number of paths. We conduct each set of the experiments in two sizes of networks and take the hops of the longest path in the network as the measurement of the size of the network. One is within 16 hops and the other is within 20 hops. The upper boundary of the number of the selected paths is and for each size of networks. Figures 3 and 4 show the results of the experiments. For most of the data points in the figure, we perform approximately 10 to 50 independent tests and compute the average of the results. In Figs. 3 and 4, c1 denotes same identifier counts as a collision, c2 denotes same identifier and same path length counts as a collision. (a) Number of path (hops<16) in Marking scheme 1 case (b) Number of path (hops<20) in Marking scheme 1 case (c) Number of path (hops<16) in Marking scheme 2 case (d) Number of path (hops<20) in Marking scheme 2 case Fig. 3 Distribution of collision rates

4 54 The Journal of China Universities of Posts and Telecommunications 2008 (a) Number of path (hops<16) (b) Number of path (hops<20) Fig. 4 Traverse comparison of the two marking schemes From the distribution of the collision rate shown in Figs. 3 and 4, we come to the conclusions as follows: 1) As shown in Figs. 3(a) and 3(b), the collision rate reduces effectively if path lengths are considered, but it is not the case in Marking scheme 2 (Figs. 3(c) and (d)). If no overwriting happens in Marking scheme 1(Fig. 3(a)), the collision rate falls to zero, a perfect result. 2) In both marking schemes, the collision rate keeps going up as the number of the selected paths increases. In Pi scheme, the authors selected no more than paths for testing and obtained fine results. We can also learn that in Fig. 3(c), the collision rate is less than 20% when paths are less than When paths increase to , the collision rate jumps to 50%, making it difficult to distinguish different paths. In a DDoS attack, it is not impossible to have tens of thousands of attack paths. 3) As shown in Fig. 4, the collision rate in Marking scheme 1 is always lower than that in Marking scheme 2. 4) Considering the two marking schemes, the first one is an idealization because all the links to a node are distinguishable on their own; the second one is similar to Pi s marking scheme and idealizes it in some aspects, for example, randomly distributed markings is the ideal result of hash function in Pi. In brief, Pi s marking scheme behaves well with moderate paths but not in large scale DDoS attacks. If the node could assign distinguishable markings to the links connected to it, then the collision rate will be cut down effectively. Assume that a node has l links, it needs log 2 l b to distinguish each link, which is not practical because of the limited space in the marking field. We can come to the conclusion that it is not easy to get low collision rate through improving the marking scheme. 3 Packet track and traceback mechanism 3.1 The framework The framework of packet track and traceback mechanism is comprised of three components: packet marking component, path-tree designing component and antidos component. As shown in Fig. 5, packet marking components deployed at routers mark passing packets and send traceback messages. Path-tree designing components deployed at hosts design path-trees using received path identifiers and traceback messages. AntiDoS components deployed at hosts and routers perform traceback and packet filtering operations. In the remainder of this section we describe the marking algorithm and path-tree design algorithm and the method of defending against DoS attacks in more detail. Fig. 5 Framework of packet track and traceback mechanism 3.2 Packet marking algorithm It is obvious that the measures taken in Pi s marking scheme such as hashing and edge marking is to increase the marking s entropy and self distinguishability. We also can learn from experiments in Sect. 2 that if the links connected to a node can be distinguished on the marking, the collision rate is the lowest among all the cases. In our scheme, instead of computing markings using Hash functions, the router tries the best to assign a different marking for each link connected to it. It can not be guaranteed that each link could get a different value. For an n b marking, there are at most 2 n values to assign, and the number of links may be more than it. Forwarding a packet, the router takes the value assigned to the link, where the packet is coming as the marking and inserts it into the marking field. Following is the pseudo C code for the marking algorithm: /* ptmark = marking carried in the packet

5 Issue 3 LI Li, et al. / Packet track and traceback mechanism against denial of service attacks 55 M_BIT = number of bits each router marks mark_bit[l] = marking assigned to link l */ mark(ptmark) { /* select the link from which the packet came */ prehop = Get_prehop(); /* insert the marking*/ ptmark = mark_bit[prehop] (ptmark<<m_bit); } We can learn that the shift operation << makes sure that the current marking is always on the first marking-bit-pattern from right, and the first marking-bit-pattern from left is always the one to be dropped. Unlike the Pi scheme that uses the TTL value in the packet as an index, in our scheme, the markings are arranged in order from right to left. Therefore, we are able to compute sub-path identifiers because it is easy to locate each router s marking. Same to the Pi scheme, there is collision problem in our scheme, but we do not depend on path identifiers wholly to defend against DoS attacks. With the path-tree discussed in next subsection, the victim can map the path identifier into several possible paths and make further distinction with detailed path information. 3.3 Path-tree designing algorithm Collisions happen among path identifiers mainly because the path information is overly compressed. For the destination to get more path information, we introduce ICMP traceback message designed in itrace method into our scheme. ICMP traceback message is a router-generated message containing an authenticated copy of a packet and router s own IP address as well as the IP of the previous and next hop routers. In itrace scheme, the router probabilistically generates an ICMP traceback message for the passing packet and forwards it either to the source or destination address. The destination or source collects traceback messages and redesigns the packet s traversing path. We observe that there may have relations among different paths such as inclusion and convergence. For example, one path may be completely contained by another path; two paths may convergence at one node. In our scheme, we consider using path-tree to store path information. The structure of path-tree is defined in Sect. 1, which is an intuitive way of representing relations among different paths. At the very beginning, the path-tree only has the root, then the destination redesigns a new path and inserts it into the current path-tree. There are three cases as follows: Case 1 If the new path is contained by an existing path, then no change should be made in the current path-tree. Case 2 If the new path joins an existing path at one node, then we add a sub-path to this node. The sub-path is from the source of the new path to the joint node. Case 3 If it is not the above two cases, we add the new path directly to the root. Following shows the path-tree design algorithm provided in pseudo C code. /* root = a pointer pointed to path-tree s root path[n] = new path, an array of nodes, path[0] is the router closest to the destination */ struct path-tree { struct path-tree *prev, *next; NODE node; }; path-tree_formation (path[k], root) { for(int k = 0; k < K; k++) { if (width_first_search (path[k], k)==null) { if (k==0) append path to root; else { subpath = get_subpath (path, k); append subpath to node path[k]; }// if(k==0) break; }//if (width }//for } The width_first_search function performs a breadth-first search at the appointed layer in the tree. The get_subpath function returns the sub-path from the source to the pointed node. The path-tree could be seen as a pre-generated map of Internet topology with the destination as the center. Similar to itrace method, traceback messages might incur significant overhead on network routers and cripple network performance sharply, so it must be generated with low probability, with the suggested value in itrace as [8]. Presumably, reducing the probability requires more packets to redesign the path, which amounts to more convergence time. In our scheme, the path-tree is designed in peace time, insensitive to convergence time. In next subsection, we discuss how to use path identifier and path-tree to defend against DoS attacks. 3.4 Defending against DoS attacks There are generally three lines to defend against the DoS attack [9]: attack prevention and pre-emption, attack detection and filtering, and attack source traceback and identification. Our scheme mainly focuses on the third line of defense and is helpful to attack detection and filtering. When a DoS attack is detected, the victim extracts the path identifier from the attack packet. The traceback process is as follows: 1) Search the path identifier within the path-tree. If a matching node is found, the process is ended. If there s no

6 56 The Journal of China Universities of Posts and Telecommunications 2008 matching node, go to the next step. 2) Drop the first marking-bit-pattern in the path identifier from left, so we get a shorter path identifier, which indicates a sub-path. If the length of the new identifier is not zero, go to step one. This process will be ended either because a matching node is found or because the length of the path identifier decreases to zero. If a matching node is found, the path from the node to the root is the attack path within the path-tree. If this is not the case, it shows that the attack path is not in the current path-tree. The victim can collect traceback packets and redesign the path in real time, in the same process as that described in itrace method. In brief, the traceback operation is firstly carried out locally and then goes through the network if it is necessary. In this way, the efficiency improves. Following shows the traceback algorithm provided in pseudo C code. The traceback process is opposite to the path-tree designing process. It extracts a path from the path-tree using a path identifier. /*attack_pi = the path identifier extracted from attack packet; Path = the attack path found in path-tree */ path traceback(attack_pi) { Pi = attack_pi; node = null; /* search for possible attacking node inside the path-tree*/ while((node == null) && (Pi.length!= 0) ) { node = search_path-tree(pi); //search for matching node Pi_trim(Pi); //get a sub-path identifier } if(node!= null) //extract the attacking path return(extract_path(node)); else /*collect traceback messages and redesign the path in real time.*/ return(itrace()); } Attack source traceback is usually regarded as an after-the-fact response to a DoS attack, which is not a feasible one to stop an on-going attack [9]. In a DoS attack, when an attack packet is detected, the victim can do rapid packet filtering relying on the attack path identifier. Even if the attack packets use spoofed IP addresses, their path identifiers are still the same. Packet filtering enables rapid response to the attack, and traceback can discourage the attacker. In a DDoS attack, it is hard to distinguish attack packets from normal packets, and their paths are mixed together. We argue that it is important for the victim to protect itself from the attack before more effective measures could be taken. Considering that the path-tree reflects the victim s communication pattern to some extent, we can give packets sourced inside the path-tree high priority. As a result, part of the normal traffic could be preserved. It can be regarded as an auxiliary measure in eliminating the DDoS attack. 4 Simulation and results In this section, we present a simulation of the proposed scheme. All of the algorithms in the scheme have been implemented in NS-2. We first present the DoS attack model and then depict the design of the experiments. Finally, we present the results of our experiments. 4.1 DoS attack model In order for a victim to protect it against attack packets, it must have a way to detect and identify the attack packet. Once the attack packet is identified, we can filter packets with the same path identifier and perform traceback within the path-tree. Attack packet identification is outside the scope of this article. However, to incorporate the use of our scheme, we model our DoS attack in two phases, similar to the attack model used in Pi s experiments [5]. In the first phase, the learning phase, the victim analyzes all the packets sent to it, and use path identifiers and ICMP traceback messages to redesign the path-tree. In the second phase, the attack phase, the victim is assumed to have the power to determine whether a packet is an attack packet or a legitimate packet. In this phase, the victim stops redesigning the path-tree, and is forced to use path identifiers and the path-tree to perform packet filtering and traceback. 4.2 Experiment design We designed two sets of experiments. The first set of experiments is a simple demo of our scheme, showing how it works. The network topology is shown in Fig. 6. In learning phase, nodes 10, 13, and 15 are selected as legitimate users to send packets to the victim. In attack phase, nodes 6, 10, and 16 are selected as attackers to send packets to the victim. Then we show the path-tree designed by the victim and the traceback results. (a) Learning phase (b) Attack phase Fig. 6 Path-tree and attackers

7 Issue 3 LI Li, et al. / Packet track and traceback mechanism against denial of service attacks 57 In the second set of experiments, the network topology is structured as a 20-layer binary tree. In each phase, a certain number of different paths are chosen at random, and each end node at a path sends packets to the victim. We change the number of the selected paths in each phase, and calculate the rate of the number of attack packets traced back successfully within the path tree. A successful traceback over here means the victim can trace the packet back to its source. For all the experiments, the ICMP traceback message generating probability is set to be 1. With a lower probability, the victim requires more packets to redesign the path. The probability only influence the convergence time in path redesigning, which is not the focus of this set of experiments. This setting can largely reduce the time and space needed for the simulation. For example, each end node at a path could only send one packet to the victim. (a) The number of attack paths is fixed 4.3 Results Figures 6 and 7 shows the results of the first set of experiments. Figure 6(a) shows the path tree designed in learning phase. Nodes with double circles and links with labels form the path-tree. In Fig. 6(b), nodes with squares are attackers. We can see that two of them are within the path-tree. Figure 7 is the outcome of the traceback operation. For attacker 6 and 10, the victim traced them back to the source; for attacker 16, it only traced to node 7, which is the closest to the source within the path-tree. Fig. 7 Traceback results Figure 8 shows the results of the second set of experiments. It does not mark on the exact range of rate. Because in the second set of experiments we did not simulate with real Internet data such as the topology, and paths are selected at random each time. Each rate has no meaning by itself, but they together show a kind of tendency. In Fig. 8(a), the number of attack paths is fixed. When the number of learning paths increases, the rate of successful traceback goes up. This result coincides with our intuition. In Fig. 8(b), the number of attack paths increases as well as the learning paths. The rate of successful traceback goes up when the number of paths increases. With a fixed ICMP traceback message generating probability, having more learning paths means a longer learning phase. And we can conclude that a longer learning phase may improve the probability of successful traceback. (b) The number of attack paths increases with the learning paths Fig. 8 Rate of successful traceback 5 Conclusions Defending against (D) DoS attacks is one of the hardest security problems on the Internet today. We propose an approach to deal with this problem in a combined way. In our approach, we apply Pi s packet marking scheme in conjunction with ICMP traceback message in itrace method, which allows the victim to design the path-tree in peace time, and quickly find the attacker during times of attack. The simple simulation carried out shows that our scheme is effective in defending against DoS attacks. Furthermore, work is needed at a larger scale and in real network environment to validate our approach. Acknowledgements This work is supported by the National Natural Science Foundation of China ( ), Blue Project in Nanjing University of Posts and Telecommunications (NY207118). References 1. Computer Emergency Response Team. Cert advisory ca : denial-of-service developments. [ ]. CA html 2. Belenky A, Ansari N. On IP traceback. IEEE Communications Magazine, 2003, 41(7): Savage S, Wetherall D, Karlin A, et al. Practical network support for IP

8 58 The Journal of China Universities of Posts and Telecommunications 2008 traceback. Computer Communication Review, 2000, 30(4): Dawn X S, Perrig A. Advanced and authenticated marking schemes for IP traceback. Proceedings of the 20th Annual Joint Conference of the IEEE Computer and Communications Societies, Apr , Anchorage, AK, USA. Piscataway, NJ, USA: IEEE, 2001: Yaar A, Perriq A, Sonq D. Pi: a path identification mechanism to defend against DDoS attacks. Proceedings of Symposium on Security and Privacy, May 11 14, 2003, Berkeley, CA, USA. Piscataway, NJ, USA: IEEE. 2003: Park K, Lee H. On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack. Proceedings of the 20th Annual Joint Conference of the IEEE Computer and Communications Societies, Apr 22 26, 2001, Anchorage, AK, USA. Piscataway, NJ, USA: IEEE, 2001: Tchakountio F, Kent S T, Strayer W T. Hash-based IP traceback. Proceedings of Conference on Applications, Technologies, Architectures, and Protocol for Computer Communication (SIGCOMM 01), Aug 27 31, San Diego, CA, USA. New York, NY, USA: ACM, 2001: Bellovin S, Leech M, Taylor T. Internet draft. ICMP traceback messages. [ ] Chang R K C. Defending against flooding-based distributed denial-of-service attacks: a tutorial. IEEE Communications Magazine, 2002, 40(10): From p. 50 remaining curves in them either drop or stay along with the increase of nodes, since more nodes indicates more choices. Figure 7 compares the power offset that each transmission suffers for SN and RN from the average power of surrounding nodes. The definition of offset is Pcurrent + Pto_be_used φoffset = (15) P average transmission performance. Three different partner selection strategies are proposed, and as the simulation results show, all are supposed to be good tradeoffs between power consumption and transmission performance with different goals. Acknowledgements This work is supported by the Hi-Tech Research and Development Program of China (2006AA01Z257). References Fig. 7 The power offset for SN and RN under different partner selection strategies with the increasing nodes The total offset equals φ, offset_s + φ offset_r which is the summation of the source and the relay offsets. We can see that for all four strategies, the power offset increases when the nodes increase, while the MSNR strategy remains the highest, and the MAPU strategy has more plane trends than the others, which adequately fulfill its original intention. 5 Conclusions In this study, we consider partner selection strategies for cooperative wireless communications. Our solitary goal is to determine the best way to balance the power distribution and 1. Mischa D. Virtual antenna arrays. London, UK: King s College London, Wang Q H, Zhao B H. Protocol for the application of cooperative MIMO based on clustering in sparse wireless sensor networks. Journal of China Universities of Posts and Telecommunications, 2007, 14(2): Aria N, Todd E H. Grouping and partner selection in cooperative wireless networks. IEEE Journal on Selected Areas in Communications, 2007, 25(2): Ramesh A, Pamela C C, Laurence B M. Statistical channel knowledge-based optimum power allocation for Relaying protocols in the high SNR regime. IEEE Journal on Selected Areas in Communications, 2007, 25(2): Goodman D J, Mandayam N B. Power control for wireless data. IEEE Personal Communications, 2000, 7(2): Chen Y, Cheng P, Qiu P L, et al. Optimal partner selection strategies in wireless cooperative networks with fixed and variable transmit power. Proceedings of Wireless Communications and Networking Conference, (WCNC 2007): Mar 11 15, 2007, Kowloon, China. New York, NY, USA: IEEE, 2007: Laneman J N, Tse D N C, Wornell G W. Cooperative diversity in wireless networks: efficient protocols and outage behavior. IEEE Transactions on Information Theory, 2004, 50(12): Todd E H, Aria N. Diversity through coded cooperation. IEEE Transactions on Wireless Communications, 2006, 5(2):