Increasing the effectiveness of packet marking schemes using wrap-around counting Bloom filter


SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks 2016; 9: Published online 7 July 2016 in Wiley Online Library (wileyonlinelibrary.com)..554

RESEARCH ARTICLE

Samant Saurabh 1,* and Ashok Singh Sairam 2
1 Department of Computer Science, Birla Institute of Technology, Patna, Bihar 80004, India
2 Department of Computer Science, Indian Institute of Technology, Patna, Bihar 80003, India

ABSTRACT

Latest variants of denial-of-service attack like low-rate denial-of-service attack require very few packets for launching an attack. As a result, reducing the number of packets required for IP traceback has gained considerable importance. In packet marking schemes, routers probabilistically mark the packets. Therefore, a large number of packets is required by the victim to reconstruct the complete attack path. In this paper, we introduce an efficient data structure known as wrap-around counting Bloom filter (WCBF) to minimize the required number of packets. WCBF maintains a set of cyclic counters to decide which particular mark needs to be sent to the victim for faster IP traceback. We prove the efficacy of our technique by performing detailed theoretical analysis and confirm it using extensive experimental results. In case of probabilistic packet marking, the proposed scheme reduces the number of packets by 5 0 times. Likewise, in case of deterministic packet marking, the number of packets required is reduced by 2 4 times. We also show that WCBF can be incorporated with different variants of probabilistic packet marking and deterministic packet marking to obtain effective results. Finally, we highlight the benefits of WCBF over the other traceback schemes like logging and hybrid traceback.

Copyright 2016 John Wiley & Sons, Ltd.
KEYWORDS
Bloom filter; distributed denial of service attack; IP traceback; deterministic packet marking; probabilistic packet marking; network security

*Correspondence
Samant Saurabh, Department of Computer Science, Birla Institute of Technology, Patna, Bihar 80004, India. ssauravh@bitmesra.ac.in

1. INTRODUCTION

Denial-of-service (DoS) and distributed DoS (DDoS) attacks have become a major security concern for the Internet. They are explicit attempts to degrade and disrupt legitimate users' access to Internet services and resources by exhausting them. DDoS attacks are possible because of IP spoofing and destination-based routing. IP traceback is a mechanism to trace and identify the attackers involved in DoS attacks, even in case of source address spoofing. IP traceback brings the attackers under the ambit of law and deters them from launching further attacks.

The latest variants of DoS attack like low-rate DoS (LRDoS) attack and highly distributed DoS attack require very few packets for launching a DoS attack [,2]. In a highly distributed DDoS attack, individual attackers send only a few packets each, but the resultant sum of packets from these distributed sources is sufficient to overwhelm the victim. Similarly, LRDoS [3,4] can throttle the victim with very few attack packets by exploiting the feedback mechanism involved in the Transmission Control Protocol (TCP)/IP. Hence, reducing the number of packets required for traceback has become a more crucial problem than ever before, because conventional traceback schemes require a high number of packets for traceback.

Packet marking [5,6] is one of the most prominent and practical techniques for performing IP traceback. It requires routers to inject marks into packets. These schemes neither burden the routers with a huge storage requirement like that created by packet-logging techniques [7], nor do they generate any traffic overhead as created in itrace [8]. Moreover, they can perform post-mortem analysis. They require little Internet service provider (ISP) involvement and need negligible processing overhead at the routers.

However, packet marking schemes become inefficient in handling DDoS attacks [9] that involve fewer packets from the individual attackers, as mentioned earlier.

1.1. Contribution

In this work, we propose a novel data structure known as wrap-around counting Bloom filter (WCBF). Employing WCBF in packet marking schemes significantly reduces the number of packets required for traceback. It improves the performance of packet marking schemes in handling DoS/DDoS attacks that require fewer packets. WCBF is deployed at the edge router that is nearest to the source of the packet. The mark that is to be inserted into the packet is decided by the value of the cell corresponding to the destination address in WCBF. In case of probabilistic packet marking (PPM) [2], this value is used by routers in the path to decide which router can mark the packet. We can obtain marks from all the routers in the path using a maximum of just 31 packets if no collision is present in WCBF. In deterministic packet marking (DPM) [6], the value stored in WCBF is used to decide which IP address fragment needs to be put in the mark. As WCBF maintains a cyclic counter, 16 packets are sufficient for performing traceback in case of DPM (if no collision is present). We also propose a method to configure the number of cells in WCBF such that collision probability can be bounded to obtain the optimal performance.

The main contributions of this paper are summarized in the following:

- WCBF significantly reduces the number of packets required for IP traceback, which enables packet marking algorithms to handle DoS/DDoS variants that require very few packets for launching an attack. The memory overhead caused by WCBF is insignificant compared with the reduction in the required number of packets.
- WCBF can be incorporated into all the modified forms and extensions of PPM and DPM.
- We provide a method to configure the number of cells in WCBF, which can ensure optimal performance of WCBF by bounding the rate of collision in WCBF.
- We have evaluated our work through detailed experiments using the UMass Gateway Trace Files. The results confirm the effectiveness of WCBF on packet marking algorithms.
- We compare the WCBF-based packet marking scheme with other IP traceback mechanisms like packet logging, stateless single packet IP traceback, and Internet Control Message Protocol (ICMP) traceback.

Wrap-around counting Bloom filter involves a space-time trade-off in order to achieve this performance. By using WCBF, collection of packet marks becomes a deterministic sequential process instead of being a coupon collector problem as in the present marking techniques, which improves its performance.

1.2. Overall methodology for research

We identified that the latest variants of DoS attack like LRDoS and highly distributed DoS attack require very few packets for launching an attack. Conventional traceback schemes like PPM and itrace might fail to perform traceback in such cases because an insufficient number of packets is collected from the attackers. We propose a novel data structure known as WCBF, which when incorporated with packet marking schemes like PPM and DPM drastically reduces the number of packets required for IP traceback. We provide a detailed algorithm for incorporating WCBF in PPM and DPM. We also propose a method to configure the amount of memory allocated to WCBF such that the effect of collision becomes bounded. The configuration is based on the network traffic characteristics.

Encouraged by the obtained results, we then analyzed the effect of incorporating WCBF on the other variants of PPM and DPM like FIT [0], AMS [], Goodrich [2], and Algebraic traceback [3]. We found that WCBF could easily be incorporated with all the different variants of packet marking schemes with effective results. Finally, we carry out a comparative study of WCBF-based packet marking schemes with other IP traceback schemes like packet-logging, stateless single packet IP traceback, hybrid traceback, and itrace. The WCBF-based packet marking scheme performed better when analyzed with standard metrics like number of packets, memory requirement, cooperation from the network core, and the accuracy of path reconstruction. In the end, we also perform the worst case analysis of our algorithm and analyze the effect of packet loss and retransmission on WCBF. We also provide rigorous proofs regarding the average and the maximum number of packets required for traceback for PPM and DPM.

1.3. Outline

The rest of this paper is organized as follows. In the next section, we provide the related work. In Section 3, we describe WCBF and explain its working with the help of a toy example. In Section 4, we discuss the role of WCBF in improving the performance of PPM. In Section 5, we describe the role of WCBF in DPM to improve its performance. In Section 6, we discuss the problem of collision in WCBF and propose a method to alleviate it. In Section 8, we present the experimental set up, programs used and the results for WCBF. Conclusion and future work is given in Section

2. RELATED WORK

Bloom filter has been used in the literature as an aid in IP traceback. It has been used in logging-based schemes like Source Path Isolation Engine (SPIE) [7], where en-route routers record information about the traversing packets. They create packet digests and store them in Bloom filters, which reduce the storage requirement. This information is later used to identify the source of a malicious packet by recursively querying the connected routers. These schemes can perform IP traceback using just a single packet. However, they create extraordinary storage overhead in the network core and demand high ISP involvement for traceback, which make them unfit for today's high speed networks.

Laufer et al. [4] improved the logging scheme by proposing a technique that could perform traceback using a single packet and required no storage overhead at the core routers. They proposed to add a new field in the IP header in the form of a generalized Bloom filter, which stored the hash value of routers traversed by the packet. This stored information was later used to trace the attackers by recursively querying the neighboring routers. However, introduction of a new header field creates serious deployment issues as it requires a change in the IP protocol stack itself. Moreover, the size of this Bloom filter is also not fixed, which makes processing of these packet headers quite difficult.

Xiao et al. [5] proposed a system that made use of a counting Bloom filter [8] to detect TCP SYN flooding attack. The counting Bloom filter was used to track the number of SYN and corresponding SYN/ACK packets that were exchanged during the TCP connection set-up phase. When the deviation in the count of these packets exceeded a given threshold, the authors inferred a SYN flooding attack. Dimitris et al. [6] proposed a mechanism to detect flooding attacks against SIP-based servers, which also utilized counting Bloom filters. Bloom filters were used to record the number of INVITE, OK, and ACK messages. An anomaly in the count of these messages indicated a SIP-based flooding attack. However, both counting Bloom filter-based approaches [5,6] are protocol-specific and act only as an aid in attack detection. They offer no assistance in performing IP traceback as provided by our system incorporating WCBF.

To the best of our knowledge, Bloom filters have not been used either in PPM or DPM to reduce the number of packets required for IP traceback, and we are the first to propose the use of a Bloom filter in the packet marking process for faster IP traceback.

3. WRAP-AROUND COUNTING BLOOM FILTER

Wrap-around counting Bloom filter belongs to a class of probabilistic data structures known as Bloom filters [7,8]. It is an array of m cells numbered 0, 1, …, (m − 1) as shown in Figure 1. It is represented as WCBF[0..(m − 1)]. Each cell consists of d bits and can represent values from 0 to $M - 1 = 2^d - 1$. The cells of WCBF follow modulo M addition. WCBF is deployed at the edge router ($R_{edge}$) that is nearest to the source of the packet. When a packet w arrives at $R_{edge}$, it is hashed to one of the m cells using a uniform and independent hash function H(x). Hashing is performed based on the destination (dst) address of the packet w. The value of the cell WCBF[H(w.dst)] is used to decide the mark that needs to be inserted into the packet w. After marking the packet, the value of WCBF[H(w.dst)] is incremented by 1 modulo M.

Figure 1. Wrap-around counting Bloom filter (WCBF) is an array of m cells where each cell has d bits. Value in WCBF[H(packet.dst)] is used to decide the mark that needs to be inserted into the packet during the marking process.

Now, we present some of the important properties and results for WCBF.

(1) Property 1. Any M consecutive packets hashing to WCBF[i] would make it assume all the values from 0..(M − 1) once and exactly once.

(2) Property 2. For any M consecutive packets $w_1, w_2, w_3, \ldots, w_M$ destined to d, the destination is able to collect all the marks numbered from 0 to (M − 1) if and only if packets from no other flow get hashed to the same cell H(d) during this flow duration.

(3) Property 3. If flows $f_1, f_2, \ldots, f_n$ with destinations $d_1, d_2, \ldots, d_n$ hash to the same cell as flow f with destination d, i.e. $H(d_1) = H(d_2) = \cdots = H(d_n) = H(d)$, then the problem of destination d collecting all the packet marks from 0..(M − 1) becomes a coupon collector problem.

(4) Property 4. Based on the traffic characteristic and the number of destinations, we can configure the number of cells m such that the probability of collision is bounded below a given threshold δ to achieve the desired performance.

(5) Property 5. Let there be N distinct destinations to which packets are being sent, and let m be the number of cells; then the probability of collision is $P_{coll} = 1 - \left(1 - \frac{1}{m}\right)^{N}$. The derivation of the formula is given in Section 6.2.

3.1. Toy example explaining wrap-around counting Bloom filter

We explain the working of WCBF with the help of an example. In Figure 2, WCBF has m = 4 cells ($C_0, C_1, C_2, C_3$) and d = 2 bits allocated to each cell. We represent cell $C_i$ with the array representation WCBF[i]. Initial values stored in WCBF are WCBF[0] = 0, WCBF[1] = 2, WCBF[2] = 3, WCBF[3] = 1. Packets are being sent from router R to destinations $d_1, d_2, d_3, d_4$ respectively, with $H(d_1) = 2$, $H(d_2) = 0$, $H(d_3) = 0$, $H(d_4) = 1$. Let us evaluate the value of the cells of WCBF for each outgoing packet.

Packets $w_1, w_2, \ldots, w_{10}$ with destinations $d_4, d_4, d_4, d_4, d_2, d_2, d_3, d_2, d_3, d_2$, respectively, arrive at the router $R_{edge}$ in the given sequence. When $w_1$ arrives at router $R_{edge}$, the value of WCBF[1] gets incremented by modulo 4 and its value becomes 3. The next three packets are also destined to $d_4$; hence, they keep incrementing the value of WCBF[1] and its value changes from 3 to 0, 0 to 1, and 1 to 2. We should note that after 3, the value of WCBF[1] wraps around and becomes 0 due to modulo 3 addition. We should also note that in four consecutive packets destined to $d_4$, WCBF[1] attains all the values from 0 to 3. This demonstrates property 1. In four consecutive packets without any collision, destination $d_4$ is able to collect all the marks from 0 to 3. Hence, this example also demonstrates property 2.

The next two packets are destined to $d_2$, which hashes to cell 0. For these two packets, the value of WCBF[0] changes from 0 to 1, and from 1 to 2, respectively. $d_2$ collects marks 1 and 2. It still needs marks 0 and 3 to collect all the four marks. The next packet has destination $d_3$, which also hashes to cell 0 and causes a collision. It increments the value of WCBF[0] to 3. Another packet destined to $d_2$ arrives and WCBF[0] becomes 0. Now, $d_2$ collects packet mark 0. Next, a packet destined to $d_3$ arrives and WCBF[0] becomes 1. Finally, the fourth packet destined to $d_2$ arrives and WCBF[0] becomes 2. $d_2$ collects mark 2 again. $d_2$ receives four consecutive packets $w_5, w_6, w_8, w_{10}$. It could collect marks 0, 1, and 2 but could not collect mark 3. This example illustrates that in the presence of collision, M consecutive packets do not guarantee the collection of all the M packet marks. Hence, for optimal performance, we should configure m such that collision is negligible.

By using some extra space, we can optimize the number of packets required for traceback. If the victim needs to collect N different marks, it can collect them using any N consecutive packets coming from the edge router nearest to the source of the attack. Collection of all the N marks is necessary because during the packet marking process, there is not enough space in a single packet to encode all the information about the attacking source.

Figure 2. Toy example explaining the working of wrap-around counting Bloom filter (WCBF): $C_0, C_1, C_2, C_3$ are the cells of WCBF; $d_1, d_2, d_3$ and $d_4$ are the four destinations to which packets are being sent. $H(d_1) = C_2$, $H(d_2) = C_0$, $H(d_3) = C_0$, $H(d_4) = C_1$. $PM_i$ represents the value of mark being sent to destination $d_i$.

4. PROBABILISTIC PACKET MARKING WITH WRAP-AROUND COUNTING BLOOM FILTER

Probabilistic packet marking is one of the most used packet marking techniques for performing full path IP traceback. In PPM, each router in the path marks a packet traversing through it with probability p. Marks can be overwritten by routers downstream. Hence, the probability that the mark from a router at hop distance d from the victim reaches it without being overwritten is given by the formula $p(1-p)^{d-1}$. From this formula, we can observe that the router closest to the source of the attack has the lowest probability of reaching the victim. Because of the probabilistic nature of the marking process in PPM, the number of packets required to collect marks from all the routers in the path becomes quite high. The expected number of packets required for path length d is expressed by the following formula [2]:

$$E[X] < \frac{\ln(d)}{p(1-p)^{d-1}}$$

Because of the requirement of a high number of packets for traceback, PPM becomes inefficient in handling the DoS attacks involving fewer packets. LRDoS attack and highly distributed DoS attacks fall in this category.

Wrap-around counting Bloom filter can be used to reduce the number of packets required for traceback in PPM. WCBF helps the victim to collect marks from all the routers in the path using a maximum of just 31 consecutive packets that originate from the attacker. This number is independent of the path length from the attacker to the victim. The packet marking procedure for WCBF-PPM is given in Algorithm 1.

In Algorithm 1, when a packet w passes out through the edge router $R_{edge}$ of its network, the router resets the packet's time-to-live (TTL) value to 255 and sets the IP ID value to WCBF[H(w.dst)] by querying the WCBF, as given in lines 2 to 6. w.dst is the destination address of packet w. After the assignment of the IP ID field, the value of WCBF[H(w.dst)] is incremented by 1 modulo 31, to be assigned to the next packet destined to w.dst. The number of hops traversed by a packet is calculated in line 7 by subtracting the present value of TTL from its initial value of 255. For example, if a packet has traversed 15 hops, then its TTL becomes 240 because TTL is decremented at each hop in the path in the IP protocol. Hence, if we subtract 240 from 255, we get 15, which is the number of hops that has been traversed by the packet. The value stored in WCBF decides the router that is going to mark the packet. For 98% of the cases, the maximum hop-distance between any two hosts in the Internet is not more than 30 [9]. Hence, we allocate d = 5 bits for each cell in WCBF.
This value is sufficient to encode all possible path lengths between any two hosts in the Internet. In lines 8 to 11, each router in the path compares the number of hops traversed by the packet with its IP ID value (packet mark). If these values match, then that particular router is allowed to mark the packet. The packet marking procedure is shown in Figure 3. By allowing $R_{edge}$ to reset the TTL value to 255, we remove the problem of TTL spoofing attack. Besides, the TTL value still gets decremented by one at each hop, which removes the problem of routing loops. This way, it does not interfere with the normal working of TTL.

Algorithm 1 WCBF-PPM Marking Algorithm
Input: Packet w and Router R
Output: w.mark, w.distance
 1: for each packet w do
 2:   if R = edge router that is nearest to w.source then
 3:     w.ttl ← 255
 4:     w.id ← WCBF[H(w.dst)]
 5:     WCBF[H(w.dst)] = (WCBF[H(w.dst)] + 1) % 31
 6:   end if
 7:   hopscovered = 255 − w.ttl
 8:   if w.id == hopscovered then
 9:     w.id ← Mark(R)
10:     w.distance ← 0
11:   end if
12:   w.distance ← w.distance + 1
13: end for

Figure 3. Packet Marking Algorithm (WCBF-PPM): If the IP ID field of a packet and a router's hop distance from $R_{edge}$ are equal, then the router is allowed to mark the packet. The value in the IP ID field is decided by the WCBF and in particular by WCBF[H(w.dst)].

4.1. Properties of probabilistic packet marking with wrap-around counting Bloom filter

Some of the properties of WCBF-PPM are as follows:

(1) Lemma: Maximum number of packets. The victim can collect marks from all the routers in the path using any 31 consecutive packets from the attacker. Thirty-one is the upper bound of the number of packets required to collect these marks.

(2) Proof: Let the first of the 31 consecutive packets have an IP ID value of i. The IP ID values assigned to these 31 consecutive packets would be i, (i+1)%31, …, (i+30)%31, respectively. Now, modulo 31 addition is periodic with period 31. Hence, for any value of i, any 31 consecutive packets would be able to cover all the values from 0 to 30. Based on the marking algorithm, all routers in the path would get a chance to mark the packet. For example, if the hop distance between the attacker and the victim is 15, and the initial ID value is 18, then the ID values for the 31 consecutive packets would be 18, 19, 20, …, 30, 0, 1, 2, …, 17. For ID values from 18 to 30, no routers would mark the packet because the IP ID value will not match the hop distance of any of these routers. When the ID field takes values from 0 to 15, routers starting from $R_{edge}$ would be allowed to mark the packets because routers at hop distance 0 to 15 would match these values.
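The following Python example is added here and is not code from the paper. It runs Algorithm 1 along one path and counts the consecutive packets the victim needs for each starting counter value, which can be compared with the 31-packet bound above and with N(i) in the average-case lemma that follows. Assumptions: truncated SHA-256 stands in for H(x), a path of length d is modelled as d routers at hop counts 0 to d − 1, a marked packet is not re-marked downstream, and the router names and addresses are constructed.

```python
"""WCBF-PPM marking (Algorithm 1) simulated along one constructed path."""
import hashlib
import ipaddress

MOD = 31           # period of the cyclic counter in WCBF-PPM
INITIAL_TTL = 255  # TTL value written by the edge router


class WCBF:
    """Array of m cyclic counters indexed by a hash of the destination."""

    def __init__(self, m, modulus=MOD):
        self.cells = [0] * m
        self.modulus = modulus

    def index(self, dst):
        # Assumption: truncated SHA-256 stands in for the uniform hash H(x).
        digest = hashlib.sha256(ipaddress.ip_address(dst).packed).digest()
        return int.from_bytes(digest[:8], "big") % len(self.cells)

    def next_value(self, dst):
        """Return the cell value for this packet, then advance it cyclically."""
        i = self.index(dst)
        value = self.cells[i]
        self.cells[i] = (value + 1) % self.modulus
        return value


def forward(dst, wcbf, path):
    """Carry one packet along path (edge router first); return (mark, distance).

    mark is None when no router's hop count matched the IP ID value.
    """
    ttl = INITIAL_TTL                      # line 3
    ip_id = wcbf.next_value(dst)           # lines 4-5
    mark, distance = None, 0
    for router in path:
        hops_covered = INITIAL_TTL - ttl   # line 7
        # Assumption: a packet that already carries a mark is not re-marked.
        if mark is None and ip_id == hops_covered:   # line 8
            mark, distance = router, 0     # lines 9-10
        distance += 1                      # line 12
        ttl -= 1                           # ordinary per-hop TTL decrement
    return mark, distance


def packets_needed(path_len, initial_value, m=64, dst="203.0.113.10"):
    """Consecutive packets the victim needs to see every router's mark."""
    if not 1 <= path_len <= MOD:
        raise ValueError("path length must be between 1 and 31")
    path = [f"R{h}" for h in range(path_len)]    # constructed router names
    wcbf = WCBF(m)
    wcbf.cells[wcbf.index(dst)] = initial_value % MOD
    seen, sent = set(), 0
    while len(seen) < path_len:
        mark, _ = forward(dst, wcbf, path)
        sent += 1
        if mark is not None:
            seen.add(mark)
    return sent


def closed_form(path_len, i):
    """N(i) from the average-case lemma, for a path of length d = path_len."""
    if i == 0:
        return path_len
    if i <= path_len:
        return MOD
    return (MOD - i) + path_len


def mean_packets(path_len):
    """Average over the 31 equiprobable initial counter values."""
    return sum(packets_needed(path_len, i) for i in range(MOD)) / MOD
```

With these assumptions the simulated counts agree with N(i) for every starting value, and no starting value needs more than 31 packets.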

(3) Lemma: Average number of packets. In this section, we find the average number of packets required to collect marks from all the routers in a path of length d assuming no collision. Let N(i) represent the number of packets required to collect marks from all the routers in the path and let i be the initial ID value. Then, N(i) is given by

$$N(i) = \begin{cases} d & \text{if } i = 0 \\ 31 & \text{if } 1 \le i \le d \\ (31 - i) + d & \text{if } d + 1 \le i \le 30 \end{cases}$$

As i takes each of the values 0 to 30 with equal probability, P(i = K) where 0 ≤ K ≤ 30 is 1/31. Hence,

$N(i) = \sum_{i=0}^{30} N(i)\,P(i) =$ d d

As the previous equation is monotonically increasing in [1, 31], the minimum number of packets required is 16 for d = 1 and is 31 for d = 31. The important thing to note is that WCBF-PPM would never require more than 31 packets for collecting marks from all the routers in the path.

5. DETERMINISTIC PACKET MARKING WITH WRAP-AROUND COUNTING BLOOM FILTER

Deterministic packet marking is another important packet marking scheme that is used for IP traceback [6]. In a datagram network, a full path IP traceback is as good as finding the address of the edge router that is nearest to the source in terms of identifying the attacker. Hence, in DPM, only the edge router nearest to the source of the packet ($R_{edge}$) takes part in the marking procedure. WCBF can significantly reduce the number of packets required for traceback in DPM as well.

Deterministic packet marking uses 16 bits of the IP ID field and 1 bit of the RF field for packet marking. In DPM, the edge router's IP address is divided into k segments numbered from 0 to k − 1. Its mark consists of three fields: an address segment field of a = 32/k bits, a segment identifier field of s = log2(k) bits and an address digest field of l = 17 − a − s bits. The address digest is a hash of the IP address of $R_{edge}$. The address digest enables the victim to associate different address segments of the attacking edge router with each other to reconstruct the complete IP address of $R_{edge}$ during a DDoS attack. For optimal performance, we should have k = 16 [6]. Each time a packet goes out of the network, a random address segment, the corresponding address segment ID and the address digest are added as the mark. By collecting all the address segments of the attacking edge router during a DDoS attack, we can perform IP traceback. This becomes a coupon collector problem. As a result, a high number of packets is required to reconstruct the IP address of the edge router.

By using WCBF, we can significantly reduce this required number of packets. It can be made equal to the number of address segments k instead of the O(k ln k) required by normal DPM. The packet marking algorithm for WCBF-DPM is explained in Algorithm 2. In WCBF-DPM, for a packet w destined to w.dst, the segment number and the address segment added to the mark are not chosen randomly but are decided by the value of WCBF[H(w.dst)], as shown in line 3 of Algorithm 2. After this assignment, the value of WCBF[H(w.dst)] is incremented to (WCBF[H(w.dst)] + 1) mod k, to be assigned to the next packet destined to w.dst.

Algorithm 2 WCBF-DPM Marking Algorithm
Input: Packet w and Number of Address Segments k
Output: w.mark
 1: for each packet w do
 2:   if R = R_edge then
 3:     idx ← WCBF[H(w.dst)]
 4:     WCBF[H(w.dst)] = (WCBF[H(w.dst)] + 1) % k
 5:     w.mark.addrseg = IPaddSeg(R_edge, idx)
 6:     w.mark.segno = idx
 7:     w.mark.digest = H(IP(R_edge))
 8:   end if
 9: end for

Example: If k = 16 and initially i = 9, then in 16 consecutive packets, we will receive segments 9, 10, …, 15, 0, 1, …, 8, which covers all the segments from 0 to 15. It shows that reconstruction can be performed using any k consecutive packets.

Lemma. Number of packets. Because of modulo k addition in WCBF-DPM, the victim can perform traceback by collecting any k consecutive packets originating from the attacker and destined to the victim.

Proof. Let us assume that the victim receives the first packet from $R_{edge}$ with segment ID i. Now, based on Algorithm 2, in k consecutive packets, it will receive segments with ID i, (i+1)%k, (i+2)%k, …, (i+(k − 1))%k. By the remainder property of natural numbers, these numbers would cover all the segments from 0 to k − 1.

6. COLLISIONS IN WRAP-AROUND COUNTING BLOOM FILTER

In this section, we study the effect of collision on our packet marking schemes 1 and 2. Thereafter, we propose a method to configure the number of cells in WCBF that bounds the rate of collision and alleviates this problem.

6.1. Collisions in wrap-around counting Bloom filter

Wrap-around counting Bloom filter is a probabilistic data structure, which is prone to collision. A high number of collisions in WCBF will lead to an increase in the number of packets required for IP traceback and hence degrade its performance. Collisions occur in WCBF if destinations of the concurrent flows hash to the same cell as that of the victim. In Figure 4, $d_2$, $d_3$, and $d_6$ all hash to the same cell WCBF[3] as the victim V. Let each cell of WCBF consist of 2 bits. This implies that the victim needs to collect marks 0, 1, 2, and 3. Let us assume that the initial value of WCBF[3] = 0. The sequence of packets arriving at the edge router during collection of packets by the victim and the value of WCBF[3] during that period is given in Table I. From the table, it is clear that even after collecting seven packets from the attacker, the victim could not collect mark 2. It was only able to collect marks 0, 1, and 3. Without collision, it was expected that four packets would be sufficient for collecting all the four marks. The flows destined to $d_2$, $d_3$, and $d_6$ collide with the flow towards the victim and hence the performance of our packet marking procedure degrades.

Figure 4. Collisions in WCBF: $H(d_2)$, $H(d_3)$, $H(d_6)$ and $H(V)$ all hash to the cell number 3.

Table I. The sequence of packets arriving at the edge router during the collection of packets by the victim V and the value of WCBF[3] during this period.
Rows: Pkt Seq Num, Pkt Mark Val, Pkt Dst
Pkt Dst, in arrival order: P_V, P_d2, P_d3, P_V, P_d2, P_d3, P_d6, P_V, P_V, P_d2, P_d3, P_V, P_V, P_V

For victim V, if there exist one or more concurrent flows with destinations $d_1, d_2, \ldots, d_n$ for which $H(d_1) = H(d_2) = \cdots = H(d_n) = H(V)$, then all of them will hash to WCBF[H(V)]. This would result in interleaving of the ID values destined towards the victim V, because all these flows would be incrementing WCBF[H(V)] intermittently and randomly based on their arrival at the edge router. However, when the size of n is large and the arrival of packets is random, we can assume that P(WCBF[H(V)] = i) = 1/N, where N is the total number of different packet marks. In such cases, for WCBF-PPM, the probability of collision P(WCBF[H(V)] = i) = 1/31 where 0 ≤ i ≤ 30. Hence, the problem of collecting marks from all the routers in the path becomes a coupon collector problem with equal probabilities p = 1/31. If the distance is d hops, then the number of packets required to collect marks from all routers in the path (d out of n coupons) would be given by N(i) =n d + d + d ln(d)

In case of WCBF-DPM in the presence of collision, the probability that the i-th address segment is put as a mark in the packet is given by the formula P(WCBF[H(V)] = i) = 1/k, where 0 ≤ i ≤ k − 1 and k is the total number of address segments. Hence, the problem of collecting all the address segments for $R_{edge}$ becomes a coupon collector problem, which requires k ln(k) packets, the same as normal DPM, and does not produce any gain. However, we propose a mechanism to configure the number of cells m of WCBF, which can bound the collision rate and assist in achieving optimal performance for both Algorithms 1 and 2.

6.1.1. Worst case of wrap-around counting Bloom filter

In this section, we consider the worst case performance of WCBF. Let the probabilities of receiving marks be different. These probabilities are based on the arrival pattern of the packets of the colliding flows. The number of packets required to collect all the different marks would depend upon the probability distribution of getting each mark. Let P(WCBF[H(V)] = i) = $p_i$ for the attack flow to the victim, where 0 ≤ i ≤ $N_{diff}$. Here, $N_{diff}$ is the total number of marks that needs to be collected. The expected number of packets E[X] required to receive all the marks at the victim would be E[X] = p + 0 p + p p Ndiff [9]. The value of E[X] would primarily depend upon the smaller values of the $p_i$. In the worst case, some of the $p_i$ could become 0. Then it would take an infinite number of packets to perform traceback. For example, in case of PPM, let there be two colliding flows. Let both of them have a scheduling pattern such that flow 1 (attacker) gets to send 6 packets (WCBF value ranges from 0 to 5) and flow 2 with 6 packets (WCBF value ranging from 7 to 3). If the distance d between the attacker and the victim is more than 6 hops, then the victim would never be able to collect the marks for routers at distance 7 to d, respectively.
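The following Python example is added here and is not code from the paper. It implements Algorithm 2 with victim-side reassembly and replays three arrival patterns: no collision (any k = 16 consecutive packets suffice), a colliding flow that alternates with the attack flow (the worst case above, where some segments are never delivered), and the arrival order of Table I. Assumptions: CRC-32 stands in for H(x) and for the address digest, all addresses come from documentation ranges, m = 8 is a constructed value, and the Table I marks are derived from the stated starting value WCBF[3] = 0 with the mark taken before the increment, as in line 3 of Algorithm 2.

```python
"""WCBF-DPM (Algorithm 2) with victim-side reassembly, with and without collisions."""
import ipaddress
import zlib

K = 16                              # number of address segments k
SEG_BITS = 32 // K                  # a = 32/k bits per segment
DIGEST_BITS = 17 - SEG_BITS - 4     # l = 17 - a - s, with s = log2(k) = 4
VICTIM, EDGE, M = "203.0.113.10", "192.0.2.1", 8   # constructed values


def cell_index(dst, m):
    # Assumption: CRC-32 stands in for the uniform hash H(x).
    return zlib.crc32(ipaddress.ip_address(dst).packed) % m


class EdgeRouter:
    def __init__(self, address, m):
        self.addr = int(ipaddress.ip_address(address))
        self.cells = [0] * m        # the WCBF: m counters that wrap at K
        # Assumption: CRC-32 of the address, truncated to l bits, as the digest.
        self.digest = zlib.crc32(self.addr.to_bytes(4, "big")) % (1 << DIGEST_BITS)

    def mark(self, dst):
        """Lines 3-7 of Algorithm 2: returns (addrseg, segno, digest)."""
        h = cell_index(dst, len(self.cells))
        idx = self.cells[h]
        self.cells[h] = (idx + 1) % K
        shift = 32 - SEG_BITS * (idx + 1)          # segment 0 = top bits
        return (self.addr >> shift) & ((1 << SEG_BITS) - 1), idx, self.digest


def reassemble(marks):
    """Group marks by digest; return addresses whose K segments are all present."""
    by_digest = {}
    for seg, segno, digest in marks:
        by_digest.setdefault(digest, {})[segno] = seg
    found = []
    for segs in by_digest.values():
        if len(segs) == K:
            value = 0
            for n in range(K):
                value = (value << SEG_BITS) | segs[n]
            found.append(str(ipaddress.ip_address(value)))
    return found


def victim_packets_until_traceback(edge, victim, schedule):
    """Replay schedule (destinations in arrival order) through the edge router.

    Returns (victim packets used, edge address), or (None, None) if the
    victim never holds all K segments.
    """
    marks = []
    for dst in schedule:
        mark = edge.mark(dst)
        if dst == victim:
            marks.append(mark)
            found = reassemble(marks)
            if found:
                return len(marks), found[0]
    return None, None


def colliding_destination(victim, m):
    """Find a constructed address that hashes to the victim's cell."""
    target = cell_index(victim, m)
    for host in ipaddress.ip_network("198.51.100.0/24").hosts():
        if cell_index(str(host), m) == target:
            return str(host)
    raise LookupError("no colliding address in the sample range")


def no_collision(start=9):
    """Only the attack flow uses the cell; the counter starts at `start`."""
    edge = EdgeRouter(EDGE, M)
    edge.cells[cell_index(VICTIM, M)] = start
    return victim_packets_until_traceback(edge, VICTIM, [VICTIM] * 64)


def lockstep_collision():
    """A colliding flow alternates with the attack flow, packet for packet."""
    other = colliding_destination(VICTIM, M)
    return victim_packets_until_traceback(
        EdgeRouter(EDGE, M), VICTIM, [VICTIM, other] * 500)


def table1_marks():
    """Marks the victim sees for Table I's arrival order (2-bit cell, start 0)."""
    arrivals = "V d2 d3 V d2 d3 d6 V V d2 d3 V V V".split()
    return [seq % 4 for seq, dst in enumerate(arrivals) if dst == "V"]
```

In the alternating pattern the victim only ever receives the even-numbered segments, so reassembly never completes however many packets arrive.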

However, we can always configure m such that we can bound the number of collisions, as discussed in Section 6.2. We configure m such that the probability of collision can be bounded below a given threshold δ chosen by the user. In our experiment, we choose this value as

Configuring the number of cells in wrap-around counting Bloom filter

In this section, we outline the steps involved in calculating the minimum number of cells m required by WCBF in order to achieve the desired level of performance. Let there be n other flows during the time flow f to victim V is active. Let there be m cells in the WCBF. The probability that a flow collides with that of the victim is given by $P_{\text{collision}} = \frac{1}{m}$. The probability that it does not collide with flow f is given by $P_{\text{no\_collision\_for\_one\_flow}} = 1 - \frac{1}{m}$. The probability that none of the n flows collide with flow f is given by $P_{\text{no\_collision\_n\_flows}} = \left(1 - \frac{1}{m}\right)^{n}$. Hence, the probability that at least one flow collides with flow f is given by $\delta = 1 - \left(1 - \frac{1}{m}\right)^{n}$. Hence, the minimum value of m for which we can achieve this collision probability is given by

$$m \ge \frac{1}{1 - (1 - \delta)^{1/n}} \qquad (1)$$

6.3. Computation of n

We define n to be equal to the average number of unique destinations to which packets are being sent from R_edge in time interval 2. Here, is the average duration of flow length in the Internet. For 90% of flows in the Internet, time-duration <s [20]; hence, we choose =s for our experiment. A flow f, active during the time interval (t, t+) would experience zero collision if and only if no other flow starting in time duration (t, t +) hashes to the same cell as flow f, as can be seen from Figure 5. Hence, this collision window has a size of 2. Thus, to bound our collision rate below δ, we must choose m such that it satisfies Equation (1).

Figure 5. Collision window: If a flow starts in time interval (t ) to (t + ), then a collision would occur with the flow towards the victim.

Overheads, false positive and false negative

In our system, memory overhead is incurred only at R_edge. If each cell of WCBF consists of d bits, then the memory overhead incurred by WCBF is d × m bits, where d = 5 bits for WCBF-PPM and 4 bits for WCBF-DPM. For each outgoing packet, R_edge needs to query WCBF and perform a modulo addition, both of which are constant-time operations. Hence, the processing overhead is reasonably low. The false positive or collision rate is given by the formula $\delta = 1 - \left(1 - \frac{1}{m}\right)^{n}$. It can be observed that as m increases, the collision rate approaches zero, and hence, the false positive rate is bounded. Our system does not incur any false negative.

7. OTHER CONSIDERATIONS

In this section, we outline the reasons for the choice of WCBF as the data structure for our scheme. We highlight the effect of packet loss and retransmission on WCBF-based schemes. We also provide assumptions and limitations of our work.

7.1. Other data-structures in comparison to wrap-around counting Bloom filter

In this section, we analyze some other data structures that can be used besides WCBF. The data that needs to be stored is a key-value pair, the key being the IP address and the value being the N bit counter. We can store this key-value pair in many different data structures, such as: (i) linked list (queue); (ii) search trees; and (iii) hash table. If we store N elements in a linked list, then the search operation is O(N) while insertion and deletion are O(N). The storage requirement is O(N). In a binary search tree, search, insertion, and deletion are all O(log(N)), and the storage requirement is O(N). If we compare this with a Bloom filter, then insertion and search are both O(1), and it does not require any deletion. Moreover, a Bloom filter is a space-efficient data structure, which needs much less memory as compared with linked lists and trees. However, this efficiency is gained by incurring some false positives, which can always be bounded by making a suitable choice of the number of cells in the Bloom filter. A Bloom filter is better than a hash table because it allows us to maintain a common shared counter for each of the destination IP addresses using less space. We do not need to store all those IP addresses in the Bloom filter, as is done in a hash table using separate linked lists. We choose a counting Bloom filter because we need to maintain a counter to decide which router in the path would mark a packet in PPM and which fragment needs to be sent in the case of DPM. The wrap-around functionality added to CBF helps in collecting L different marks by collecting any L packets.

Effect of packet loss and retransmission on wrap-around counting Bloom filter

The Transmission Control Protocol of the Internet provides reliable packet transfer. The receiver sends an acknowledgement to confirm the receipt of a packet. When a packet is lost, it would ultimately be retransmitted by the sender. A packet can also be retransmitted if the ACK is lost or delayed. In this case, WCBF would work correctly, as marks from none of the routers are lost. However, if a packet is lost, then two cases arise in the case of PPM. Let the distance between the attacker and the victim (V) be d hops. Let a packet or a set of packets be lost for mark value (WCBF[H(V)]) between d 3. In this case, traceback would be completed in 3 packets itself. However, if a packet or a set of packets is lost for WCBF[H(V)] in the range [0, d − 1], then we need to collect the lost packet marks in future iterations, which would happen after the WCBF value wraps around from 3 to 0. If p_loss is the packet loss probability in the Internet, then the probability of successful traceback in 3 packets is $P_{success} = (1 - p_{loss})^{d}$, because there should be no packet loss only for packets whose mark value is in the range [0, d − 1]. The mean value of getting success in n trials is $nP_{success}$, and the expected number of iterations required would be $N_{avg} = \frac{1}{P_{success}}$. The average packet loss rate in the Internet is less than p_loss = 0.3% [2]. Hence, the average number of attempts for successful retransmission would be $\frac{1}{(1 - 0.003)^{d_{avg}}} = \frac{1}{(1 - 0.003)^{20}} = 1.06$ attempts. This is in fact an upper bound for the number of iterations needed because in successive iterations, we just need to collect marks that were not received in the previous iteration. Similarly, in the case of DPM with k = 6 fragments, the upper bound on the expected number of iterations required would be ( 0.003) 6 =.04.

We do not tackle the problem of retransmission because it would require synchronization with the TCP retransmission protocol and would require extra state (memory) to handle this problem. Moreover, the expected increase in the number of packets is less than 5%. We recommend performing IP traceback at the beginning of a DoS attack, when the packet loss rate is low. In the case of packet loss, the performance of WCBF would be the same for both UDP and TCP, because WCBF considers a packet and a retransmitted packet as unique and different packets.

Transmission Control Protocol and User Datagram Protocol attacks

Packet marking-based IP traceback schemes work at the network layer of the IP stack. The packet mark is added in the IP identifier field, which resides in the IP header. Hence, packet marking schemes can be used for performing traceback for any of the transport layer protocols like TCP and User Datagram Protocol (UDP). It would work in tracing both TCP and UDP-based DoS attacks.

Denial-of-service attack inside a network

Many times a DoS attack might be launched inside a network. The network might be a group of local area networks connected together by the gateway routers. In this case, we need to enable packet marking at the routers so that they can identify the source sub-network of a DoS attack. If we want to locate the actual host generating the DoS attack, then we also need to look at other hints like (i) the input port the packet arrives on, (ii) the MAC address of the source, (iii) the cell number, (iv) the channel number, etc. The mechanism to identify the host inside the network would also depend upon the network type. It would be different for local area network, metropolitan area network, wireless sensor network, and mobile ad hoc network.

Other applications of wrap-around counting Bloom filter

Wrap-around counting Bloom filter can find applications in fields like file sharing in peer-to-peer networks, where peers can keep track of the chunks of files that are being transferred to different peers using WCBF. Nodes in a sensor network can also use WCBF for data dissemination in their networks [22-25].

Limitations of wrap-around counting Bloom filter

In this section, we list the limitations of our work.

Packet loss: Our algorithm performs optimally if the packet loss rate is negligible or low (below 0.5%). If the packet loss rate becomes high, then traceback would need a higher number of packets. Hence, we assume that traceback should be performed as soon as the attack is started. At this time instant, the number of packets required would be low and traceback can be performed faster.

Low collision: If there is collision in WCBF, then the performance of IP traceback would degrade. As discussed in Section, the number of packets required would then depend upon the probability distribution of getting different marks. Based on different packet arrival patterns, it might happen that some of the marks never get encoded in the packet. In that case, it might take a very high (even infinite) number of packets to perform traceback. But we provide a way to configure the number of cells in WCBF that can bound the rate of collision in WCBF.

However, in the presence of a high packet-loss rate or a high number of collisions, collection of marks would turn into a coupon collector problem like that in the case of PPM and DPM. We can assume the packet loss and collision distribution to be uniform. Then in the worst case too, the performance of WCBF would not degrade below that of conventional PPM and DPM, as explained in Section 6.1.
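The collision behaviour analysed above (one counter per cell, the sizing bound of Equation (1), and the worst case in which some marks are never sent) can be reproduced with a short simulation. This is an added example, not the authors' Java implementation: the CRC32 hash, the constructed addresses, the interleaving patterns and the convention that counter value i selects the router at distance i are assumptions.

```python
import math
import random
import zlib


class WCBF:
    """m cells, each a cyclic counter of `bits` bits (5 for WCBF-PPM on the page)."""

    def __init__(self, m, bits=5):
        self.m = m
        self.modulus = 1 << bits
        self.cells = [0] * m

    def cell_index(self, dst):
        # Assumption: CRC32 stands in for the hash H() of the destination.
        return zlib.crc32(dst.encode()) % self.m

    def next_mark(self, dst):
        """Return the cell's current value as the mark, then add 1 modulo 2^bits."""
        i = self.cell_index(dst)
        mark = self.cells[i]
        self.cells[i] = (mark + 1) % self.modulus
        return mark


def collision_probability(m, n):
    """delta = 1 - (1 - 1/m)^n: at least one of n flows shares the victim's cell."""
    return -math.expm1(n * math.log1p(-1.0 / m))


def min_cells(n, delta):
    """Smallest m that keeps the collision probability for n flows at or below delta."""
    m = max(2, math.ceil(1.0 / (1.0 - (1.0 - delta) ** (1.0 / n))))
    while collision_probability(m, n) > delta:  # correct any float rounding
        m += 1
    while m > 2 and collision_probability(m - 1, n) <= delta:
        m -= 1
    return m


def packets_needed(wcbf, victim, path_len, others_before_each, limit=5000):
    """Victim packets sent until marks 0..path_len-1 are all seen (None if never)."""
    seen = set()
    for sent in range(1, limit + 1):
        for dst in others_before_each():  # other traffic leaving the edge router
            wcbf.next_mark(dst)
        mark = wcbf.next_mark(victim)
        if mark < path_len:  # marks >= path_len name no router on this path
            seen.add(mark)
            if len(seen) == path_len:
                return sent
    return None


def find_destinations(wcbf, victim, colliding, count):
    """Constructed 10.0.x.y addresses that do (or do not) hash to the victim's cell."""
    target = wcbf.cell_index(victim)
    found = []
    for i in range(1, 1 << 16):
        dst = f"10.0.{i >> 8}.{i & 255}"
        if (wcbf.cell_index(dst) == target) == colliding:
            found.append(dst)
            if len(found) == count:
                return found
    raise RuntimeError("not enough destinations found")


def run_scenarios(path_len=20, m=64, seed=1):
    victim = "192.0.2.10"  # constructed address
    rng = random.Random(seed)

    # 1. No collision: background flows use other cells, counter starts mid-cycle.
    wcbf = WCBF(m)
    background = find_destinations(wcbf, victim, colliding=False, count=50)
    for _ in range(7):
        wcbf.next_mark(victim)
    no_collision = packets_needed(wcbf, victim, path_len,
                                  lambda: rng.sample(background, 3))

    # 2. Random collisions: 0-3 packets of a colliding flow between victim packets.
    wcbf = WCBF(m)
    rival = find_destinations(wcbf, victim, colliding=True, count=1)[0]
    random_collision = packets_needed(wcbf, victim, path_len,
                                      lambda: [rival] * rng.randint(0, 3))

    # 3. Lockstep collision: exactly one rival packet before every victim packet,
    #    so the victim only ever receives odd counter values.
    wcbf = WCBF(m)
    lockstep = packets_needed(wcbf, victim, path_len, lambda: [rival])
    return no_collision, random_collision, lockstep


if __name__ == "__main__":
    print("packets needed (no collision, random collision, lockstep):", run_scenarios())
    print("cells for n=5672 flows, delta=0.05:", min_cells(5672, 0.05))
```

Without a collision, one full counter cycle always suffices; the lockstep case returns `None` because half of the marks are never placed in a victim packet, which is the situation that sizing m from the collision bound is meant to make rare.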

8. RESULTS

In this section, we experimentally validate the efficacy of our proposed Bloom filter and the packet marking algorithms using the traffic trace files obtained from the gateway router of the UMass Campus Network [26]. The UMass Amherst Campus is connected to the Internet through a commercial ISP over a Gigabit Ethernet link. A passive monitoring infrastructure is installed that sniffs the packets on the commercial Gigabit Ethernet link, strips off the packet headers, and, after anonymization of the address fields, archives the header records on disk. An accurate time stamp is affixed to each header record. We have written a C program named parse.c, which parses these header records and writes the destination and time stamp of each record into a file named dstrec.txt. A total of packets are analyzed. We implement WCBF using Java. This program takes the dstrec.txt file as input. Using the time stamp values for each packet, it divides the records into 2-s time intervals. For each of these time windows, it finds the number of unique destinations to which packets are sent from the gateway router. Its average value is 5672 and the 90th percentile value is 745 in each time period. Its maximum value is around packets. The procedure to extract this value is shown in Figure 6.

Figure 6. Finding the average number of unique destinations to which packets are sent in 2-s time interval.

8.1. Rate of collision

We experimentally evaluate the collision rate for the UMass traffic traces for different values of m. The corresponding results are shown in Figure 7. We observe that for m 7000, the collision rate is high (approximately 30%). As m increases, the collision rate decreases exponentially. It reaches below 5% for m > 50 K cells and becomes almost negligible for m > 100 K cells. We observe that the experimental value of the rate of collision is much less than the theoretical value because we are taking the 90th percentile value of the flow length, and most of the flows would have a smaller size than this value. Based on Equation (1), we choose m = for no collision (δ < 5%) and m = 3000 cells for the high collision case. As a result, memory overhead is 355 = 675 KB for WCBF-PPM and 354 = 540 KB for WCBF-DPM. We observe that the memory overhead is quite small (in KB), which would not be a large requirement for modern routers.

Number of packets as a function of the number of cells

In our next experiment, we evaluate the number of packets required for IP traceback for both PPM and DPM. For this purpose, we create a pool of 0 5 victim IP addresses. For each of these victims, we sprinkle attack flows consisting of 1000 packets destined to the victim. We interleave these attack packets with packets from the trace file. The number of interleaving packets follows a uniform distribution with numbers chosen between [0, 100]. We inject 100 such attacks in the trace file by dividing the trace file into 100 different parts. Our UMass trace file contains packets. The attacks are well separated from each other in the trace file to avoid any overlapping. The packets from these trace files are passed through the WCBF implemented by us in Java. WCBF can be configured to have different values for the number of cells and the number of bits in each cell.

Figure 7. Number of cells, m, in wrap-around counting Bloom filter (WCBF) versus collision rate: as the number of cells increases in WCBF, collision rate decreases exponentially.

Figure 8. Number of packets required to get marks from all routers in path for probabilistic packet marking with wrap-around counting Bloom filter (WCBF-PPM) with no collision, WCBF-PPM with collision and PPM.

Figure 9. Number of packets required to collect all the address segments of R_edge for attacker address reconstruction in deterministic packet marking (DPM).

In Figure 8, we study the number of packets required to collect marks from all routers in the path for WCBF-PPM with no collision (WCBF-PPM-NC, m = 35 K), WCBF-PPM with collision (WCBF-PPM-C, m = 3 K) and the normal PPM algorithm. We find that WCBF-PPM-NC requires the minimum number of packets. In the case of WCBF-PPM-NC, the maximum number of packets required to collect marks from all the routers in the path never exceeds 3. On average, the number of packets required is 5-10 times less than that of normal PPM. The efficiency increases as the path length increases. Even in the case of collision (WCBF-PPM-C), the number of packets required by WCBF-PPM is 2-3 times less because collection of marks at the victim side becomes a coupon collector problem with equal probabilities rather than a coupon collector problem with unequal probabilities, which requires far more packets for performing traceback.

In Figure 9, we observe similar trends for DPM. WCBF-DPM with no collision (m = 35 K) requires the minimum number of packets for reconstructing the IP address of the attacker. This number is the same as the number of address segments in DPM. In WCBF-DPM with collision (m = 3000), the number of packets required is the same as that in DPM because, in the case of collision, collecting different marks becomes a coupon collector problem similar to the normal DPM procedure. However, we can always achieve the optimal performance by configuring the number of cells in WCBF using Equation (1) and minimizing the effect of collision.

Comparison of probabilistic packet marking with wrap-around counting Bloom filter with variants of probabilistic packet marking

In this section, we compare WCBF-PPM with other modified versions of PPM. They improve the original PPM in terms of one or more of the following parameters: (i) false positive rate; (ii) number of attackers traceback can handle; (iii) number of packets required for traceback; and (iv) information encoded in the mark. We compare WCBF-PPM with Fast Internet Traceback (FIT) [0], Advanced and Authenticated Marking Scheme (AMS) [], Goodrich's Large Scale IP traceback [2], and Algebraic Approach to IP traceback [3]. They are all derived from PPM. FIT [0] and AMS [] use an upstream router map to reconstruct the attack path. The algebraic approach [3] uses a polynomial to record the attack path. Goodrich [2] uses large checksum cords to link message fragments in a way that is highly scalable.

Figure 10. Comparison of the number of packets required for complete IP traceback for variants of probabilistic packet marking (PPM) and PPM with wrap-around counting Bloom filter (WCBF-PPM).

Figure 11. Reduction in the number of packets required for complete IP traceback for variants of probabilistic packet marking (PPM) after incorporating WCBF.

In Figure 10, we first demonstrate that WCBF-PPM requires far fewer packets than all of these variants of PPM. Next, in Figure 11, we show that WCBF can be incorporated with these schemes to drastically reduce the number of packets required for traceback. To reconstruct the complete attack path, the victim needs to collect multiple fragments from each router because 6 bits are not sufficient for encoding the complete information. AMS [] requires four fragments to encode an edge. PPM by Savage requires eight fragments to encode an edge. FIT requires eight fragments to represent each node. The algebraic approach needs 64 fragments to encode the attack path polynomial, and Goodrich's scheme needs eight fragments to represent a link. These fragments are chosen randomly and filled in the packet mark. From Figure 10, we can observe that WCBF-PPM requires the minimum number of packets when compared with the other variants of PPM. In terms of the number of packets required for IP traceback, the schemes follow this order: Algebraic > AMS > Goodrich > PPM > FIT > WCBF-PPM. FIT is one of the most promising variants of PPM because it is scalable (it can trace a large number of attackers with higher accuracy) and it requires fewer packets for IP traceback. Hence, we recommend using WCBF with FIT to achieve the best performance. In Figure 11, we provide the results regarding the number of packets required for different PPM variants by incorporating WCBF for complete IP traceback. We find that there is almost an order of magnitude decrease in the number of packets required for traceback for different PPM-based traceback schemes.


More information

interface Question 1. a) Applications nslookup/dig Web Application DNS SMTP HTTP layer SIP Transport layer OSPF ICMP IP Network layer

interface Question 1. a) Applications  nslookup/dig Web Application DNS SMTP HTTP layer SIP Transport layer OSPF ICMP IP Network layer TDTS06 Computer networks, August 23, 2008 Sketched answers to the written examination, provided by Juha Takkinen, IDA, juhta@ida.liu.se. ( Sketched means that you, in addition to the below answers, need

More information

ABSTRACT. A network is an architecture with a lot of scope for attacks. The rise in attacks has been

ABSTRACT. A network is an architecture with a lot of scope for attacks. The rise in attacks has been ABSTRACT A network is an architecture with a lot of scope for attacks. The rise in attacks has been growing rapidly. Denial of Service (DoS) attack and Distributed Denial of Service (DDoS) attack are among

More information

A Network Coding Approach to IP Traceback

A Network Coding Approach to IP Traceback A Network Coding Approach to IP Traceback Pegah Sattari, Minas Gjoka, Athina Markopoulou University of California, Irvine {psattari, mgjoka, athina}@uci.edu Abstract Traceback schemes aim at identifying

More information

Internet Control Message Protocol

Internet Control Message Protocol Internet Control Message Protocol The Internet Control Message Protocol is used by routers and hosts to exchange control information, and to inquire about the state and configuration of routers and hosts.

More information

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100 You should worry if you are below this point Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /0 * 100 o Optimistic: (Your

More information

ENEE 457: Computer Systems Security 11/07/16. Lecture 18 Computer Networking Basics

ENEE 457: Computer Systems Security 11/07/16. Lecture 18 Computer Networking Basics ENEE 457: Computer Systems Security 11/07/16 Lecture 18 Computer Networking Basics Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland, College Park

More information

ECSE 414 Fall 2014 Final Exam Solutions

ECSE 414 Fall 2014 Final Exam Solutions ECSE 414 Fall 2014 Final Exam Solutions Question 1 a. The five main layers of the internet protocol stack, along with the service provided by each, and the place where each is implemented are as follows:

More information

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY Gayatri Chavan,, 2013; Volume 1(8): 832-841 T INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY A PATH FOR HORIZING YOUR INNOVATIVE WORK RECTIFIED PROBABILISTIC PACKET MARKING

More information

Bloom Filter for Network Security Alex X. Liu & Haipeng Dai

Bloom Filter for Network Security Alex X. Liu & Haipeng Dai Bloom Filter for Network Security Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University Bloom Filters Given a set S = {x 1,x 2,x

More information

CHAPTER-2 IP CONCEPTS

CHAPTER-2 IP CONCEPTS CHAPTER-2 IP CONCEPTS Page: 1 IP Concepts IP is a very important protocol in modern internetworking; you can't really comprehend modern networking without a good understanding of IP. Unfortunately, IP

More information

Simulation of TCP Layer

Simulation of TCP Layer 39 Simulation of TCP Layer Preeti Grover, M.Tech, Computer Science, Uttrakhand Technical University, Dehradun ABSTRACT The Transmission Control Protocol (TCP) represents the most deployed transport protocol

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN

More information

Dynamic Deferred Acknowledgment Mechanism for Improving the Performance of TCP in Multi-Hop Wireless Networks

Dynamic Deferred Acknowledgment Mechanism for Improving the Performance of TCP in Multi-Hop Wireless Networks Dynamic Deferred Acknowledgment Mechanism for Improving the Performance of TCP in Multi-Hop Wireless Networks Dodda Sunitha Dr.A.Nagaraju Dr. G.Narsimha Assistant Professor of IT Dept. Central University

More information

Problem Set 7 Due: Start of Class, November 2

Problem Set 7 Due: Start of Class, November 2 CS242 Computer Networks Handout # 14 Randy Shull October 26, 2017 Wellesley College Problem Set 7 Due: Start of Class, November 2 Reading: Kurose & Ross, Sections 3.6, 3.7, 3.8 Wireshark Lab [26] In these

More information

Denial of Service, Traceback and Anonymity

Denial of Service, Traceback and Anonymity Purdue University Center for Education and Research in Information Assurance and Security Denial of Service, Traceback and Anonymity Clay Shields Assistant Professor of Computer Sciences CERIAS Network

More information

Internet Protocol and Transmission Control Protocol

Internet Protocol and Transmission Control Protocol Internet Protocol and Transmission Control Protocol CMSC 414 November 13, 2017 Internet Protcol Recall: 4-bit version 4-bit hdr len 8-bit type of service 16-bit total length (bytes) 8-bit TTL 16-bit identification

More information

Networking: Network layer

Networking: Network layer control Networking: Network layer Comp Sci 3600 Security Outline control 1 2 control 3 4 5 Network layer control Outline control 1 2 control 3 4 5 Network layer purpose: control Role of the network layer

More information

Configuring Flood Protection

Configuring Flood Protection Configuring Flood Protection NOTE: Control Plane flood protection is located on the Firewall Settings > Advanced Settings page. TIP: You must click Accept to activate any settings you select. The Firewall

More information

CSCI-1680 Link Layer Reliability Rodrigo Fonseca

CSCI-1680 Link Layer Reliability Rodrigo Fonseca CSCI-1680 Link Layer Reliability Rodrigo Fonseca Based partly on lecture notes by David Mazières, Phil Levis, John Janno< Last time Physical layer: encoding, modulation Link layer framing Today Getting

More information

UNIT IV -- TRANSPORT LAYER

UNIT IV -- TRANSPORT LAYER UNIT IV -- TRANSPORT LAYER TABLE OF CONTENTS 4.1. Transport layer. 02 4.2. Reliable delivery service. 03 4.3. Congestion control. 05 4.4. Connection establishment.. 07 4.5. Flow control 09 4.6. Transmission

More information

Chapter III. congestion situation in Highspeed Networks

Chapter III. congestion situation in Highspeed Networks Chapter III Proposed model for improving the congestion situation in Highspeed Networks TCP has been the most used transport protocol for the Internet for over two decades. The scale of the Internet and

More information

Distributed Denial-of-Service Attack Prevention using Route-Based Distributed Packet Filtering. Heejo Lee

Distributed Denial-of-Service Attack Prevention using Route-Based Distributed Packet Filtering. Heejo Lee CERIAS Security Seminar Jan. 17, 2001 Distributed Denial-of-Service Attack Prevention using Route-Based Distributed Packet Filtering Heejo Lee heejo@cerias.purdue.edu Network Systems Lab and CERIAS This

More information

Single Packet IP Traceback in AS-level Partial Deployment Scenario

Single Packet IP Traceback in AS-level Partial Deployment Scenario Single Packet IP Traceback in AS-level Partial Deployment Scenario Chao Gong, Trinh Le, Turgay Korkmaz, Kamil Sarac Department of Computer Science, University of Texas at San Antonio 69 North Loop 64 West,

More information

Security Scheme for Malicious Node Detection in Mobile Ad Hoc Networks

Security Scheme for Malicious Node Detection in Mobile Ad Hoc Networks Security Scheme for Malicious Node Detection in Mobile Ad Hoc Networks Punit Rathod 1, Nirali Mody 1, Dhaval Gada 1, Rajat Gogri 1, Zalak Dedhia 1, Sugata Sanyal 2 and Ajith Abraham 3 1 Mumbai University,

More information

ELEC5616 COMPUTER & NETWORK SECURITY

ELEC5616 COMPUTER & NETWORK SECURITY ELEC5616 COMPUTER & NETWORK SECURITY Lecture 17: Network Protocols I IP The Internet Protocol (IP) is a stateless protocol that is used to send packets from one machine to another using 32- bit addresses

More information

II. Principles of Computer Communications Network and Transport Layer

II. Principles of Computer Communications Network and Transport Layer II. Principles of Computer Communications Network and Transport Layer A. Internet Protocol (IP) IPv4 Header An IP datagram consists of a header part and a text part. The header has a 20-byte fixed part

More information

DETECTING, DETERMINING AND LOCALIZING MULTIPLE ATTACKS IN WIRELESS SENSOR NETWORK - MALICIOUS NODE DETECTION AND FAULT NODE RECOVERY SYSTEM

DETECTING, DETERMINING AND LOCALIZING MULTIPLE ATTACKS IN WIRELESS SENSOR NETWORK - MALICIOUS NODE DETECTION AND FAULT NODE RECOVERY SYSTEM DETECTING, DETERMINING AND LOCALIZING MULTIPLE ATTACKS IN WIRELESS SENSOR NETWORK - MALICIOUS NODE DETECTION AND FAULT NODE RECOVERY SYSTEM Rajalakshmi 1, Umamaheswari 2 and A.Vijayaraj 3 1 Department

More information

CCNA 1 Chapter 7 v5.0 Exam Answers 2013

CCNA 1 Chapter 7 v5.0 Exam Answers 2013 CCNA 1 Chapter 7 v5.0 Exam Answers 2013 1 A PC is downloading a large file from a server. The TCP window is 1000 bytes. The server is sending the file using 100-byte segments. How many segments will the

More information

CCNA R&S: Introduction to Networks. Chapter 7: The Transport Layer

CCNA R&S: Introduction to Networks. Chapter 7: The Transport Layer CCNA R&S: Introduction to Networks Chapter 7: The Transport Layer Frank Schneemann 7.0.1.1 Introduction 7.0.1.2 Class Activity - We Need to Talk Game 7.1.1.1 Role of the Transport Layer The primary responsibilities

More information

A New Path for Reconstruction Based on Packet Logging & Marking Scheme

A New Path for Reconstruction Based on Packet Logging & Marking Scheme A New Path for Reconstruction Based on Packet Logging & Marking Scheme K.Praveen Kumar. Asst Professor, Department of CSE, Mallineni Lakshmaiah Womens Engineering College Abstract Computer network attacks

More information

Introduction to Protocols

Introduction to Protocols Chapter 6 Introduction to Protocols 1 Chapter 6 Introduction to Protocols What is a Network Protocol? A protocol is a set of rules that governs the communications between computers on a network. These

More information

THE TRANSPORT LAYER UNIT IV

THE TRANSPORT LAYER UNIT IV THE TRANSPORT LAYER UNIT IV The Transport Layer: The Transport Service, Elements of Transport Protocols, Congestion Control,The internet transport protocols: UDP, TCP, Performance problems in computer

More information

ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS

ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS Saulius Grusnys, Ingrida Lagzdinyte Kaunas University of Technology, Department of Computer Networks, Studentu 50,

More information

A Secure Method to Deliver Access Tokens to End Hosts

A Secure Method to Deliver Access Tokens to End Hosts A Secure Method to Deliver Access Tokens to End Hosts Dr.V Asha 1, Ashwini M 2, Divyansh 3 1,2,3 Department of Master of Computer Applications, New Horizon College of Engineering, Abstract--IP traceback

More information

Scalable Hash-based IP Traceback using Rate-limited Probabilistic Packet Marking

Scalable Hash-based IP Traceback using Rate-limited Probabilistic Packet Marking TECHNICAL REPORT, COLLEGE OF COMPUTING, GEORGIA INSTITUTE OF TECHNOLOGY Scalable Hash-based IP Traceback using Rate-limited Probabilistic Packet Marking Minho Sung, Jason Chiang, and Jun (Jim) Xu Abstract

More information

A Lightweight IP Traceback Mechanism on IPv6

A Lightweight IP Traceback Mechanism on IPv6 A Lightweight IP Traceback Mechanism on IPv6 Syed Obaid Amin, Myung Soo Kang, and Choong Seon Hong School of Electronics and Information, Kyung Hee University, 1 Seocheon, Giheung, Yongin, Gyeonggi, 449-701

More information

Your favorite blog :www.vijay-jotani.weebly.com (popularly known as VIJAY JOTANI S BLOG..now in facebook.join ON FB VIJAY

Your favorite blog :www.vijay-jotani.weebly.com (popularly known as VIJAY JOTANI S BLOG..now in facebook.join ON FB VIJAY VISIT: Course Code : MCS-042 Course Title : Data Communication and Computer Network Assignment Number : MCA (4)/042/Assign/2014-15 Maximum Marks : 100 Weightage : 25% Last Dates for Submission : 15 th

More information

Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies

Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies In order to establish a TCP connection, the TCP three-way handshake must be completed. You can use different accept policies

More information

A Survey on DDoS Attack and Defense Strategies: From Traditional Schemes to Current Techniques

A Survey on DDoS Attack and Defense Strategies: From Traditional Schemes to Current Techniques Interdisciplinary Information Sciences Vol. 19, No. 2 (2013) 173 200 #Graduate School of Information Sciences, Tohoku University ISSN 1340-9050 print/1347-6157 online DOI 10.4036/iis.2013.173 A Survey

More information

Identifying Spoofed Packets Origin using Hop Count Filtering and Defence Mechanisms against Spoofing Attacks

Identifying Spoofed Packets Origin using Hop Count Filtering and Defence Mechanisms against Spoofing Attacks Identifying Spoofed Packets Origin using Hop Count Filtering and Defence Mechanisms against Spoofing Attacks Israel Umana 1, Sornalakshmi Krishnan 2 1 M.Tech Student, Information Security and Cyber Forensic,

More information

PLEASE READ CAREFULLY BEFORE YOU START

PLEASE READ CAREFULLY BEFORE YOU START MIDTERM EXAMINATION #2 NETWORKING CONCEPTS 03-60-367-01 U N I V E R S I T Y O F W I N D S O R - S c h o o l o f C o m p u t e r S c i e n c e Fall 2011 Question Paper NOTE: Students may take this question

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based

More information

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 8

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 8 CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 8 Announcements Reminder: Project 1 is due on tonight by midnight. Midterm 1 will be held next Thursday, Feb. 8th. Example midterms

More information

Transmission Control Protocol. ITS 413 Internet Technologies and Applications

Transmission Control Protocol. ITS 413 Internet Technologies and Applications Transmission Control Protocol ITS 413 Internet Technologies and Applications Contents Overview of TCP (Review) TCP and Congestion Control The Causes of Congestion Approaches to Congestion Control TCP Congestion

More information

ICS 451: Today's plan

ICS 451: Today's plan ICS 451: Today's plan ICMP ping traceroute ARP DHCP summary of IP processing ICMP Internet Control Message Protocol, 2 functions: error reporting (never sent in response to ICMP error packets) network

More information

Master s Thesis. Detection and Defense Method against Distributed SYN Flood Attacks

Master s Thesis. Detection and Defense Method against Distributed SYN Flood Attacks Master s Thesis Title Detection and Defense Method against Distributed SYN Flood Attacks Supervisor Professor Masayuki Murata Author Yuichi Ohsita February 15th, 2005 Department of Information Networking

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

IP Traceback Based on Chinese Remainder Theorem

IP Traceback Based on Chinese Remainder Theorem IP Traceback Based on Chinese Remainder Theorem LIH-CHYAU WUU a, CHI-HSIANG HUNG b AND JYUN-YAN YANG a a Department of Computer Science and Information Engineering National Yunlin University of Science

More information

An Efficient and Practical Defense Method Against DDoS Attack at the Source-End

An Efficient and Practical Defense Method Against DDoS Attack at the Source-End An Efficient and Practical Defense Method Against DDoS Attack at the Source-End Yanxiang He Wei Chen Bin Xiao Wenling Peng Computer School, The State Key Lab of Software Engineering Wuhan University, Wuhan

More information

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting

More information

Da t e: August 2 0 th a t 9: :00 SOLUTIONS

Da t e: August 2 0 th a t 9: :00 SOLUTIONS Interne t working, Examina tion 2G1 3 0 5 Da t e: August 2 0 th 2 0 0 3 a t 9: 0 0 1 3:00 SOLUTIONS 1. General (5p) a) Place each of the following protocols in the correct TCP/IP layer (Application, Transport,

More information

Toward a Reliable Data Transport Architecture for Optical Burst-Switched Networks

Toward a Reliable Data Transport Architecture for Optical Burst-Switched Networks Toward a Reliable Data Transport Architecture for Optical Burst-Switched Networks Dr. Vinod Vokkarane Assistant Professor, Computer and Information Science Co-Director, Advanced Computer Networks Lab University

More information

Denial of Service (DoS)

Denial of Service (DoS) Flood Denial of Service (DoS) Comp Sci 3600 Security Outline Flood 1 2 3 4 5 Flood 6 7 8 Denial-of-Service (DoS) Attack Flood The NIST Computer Security Incident Handling Guide defines a DoS attack as:

More information

OSI Layer OSI Name Units Implementation Description 7 Application Data PCs Network services such as file, print,

OSI Layer OSI Name Units Implementation Description 7 Application Data PCs Network services such as file, print, ANNEX B - Communications Protocol Overheads The OSI Model is a conceptual model that standardizes the functions of a telecommunication or computing system without regard of their underlying internal structure

More information

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004 Denial of Service Serguei A. Mokhov SOEN321 - Fall 2004 Contents DOS overview Distributed DOS Defending against DDOS egress filtering References Goal of an Attacker Reduce of an availability of a system

More information

IP TRACEBACK Scenarios. By Tenali. Naga Mani & Jyosyula. Bala Savitha CSE Gudlavalleru Engineering College. GJCST-E Classification : C.2.

IP TRACEBACK Scenarios. By Tenali. Naga Mani & Jyosyula. Bala Savitha CSE Gudlavalleru Engineering College. GJCST-E Classification : C.2. Global Journal of Computer Science and Technology Network, Web & Security Volume 13 Issue 3 Version 1.0 Year 2013 Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals

More information

Chapter 5 (Week 9) The Network Layer ANDREW S. TANENBAUM COMPUTER NETWORKS FOURTH EDITION PP BLM431 Computer Networks Dr.

Chapter 5 (Week 9) The Network Layer ANDREW S. TANENBAUM COMPUTER NETWORKS FOURTH EDITION PP BLM431 Computer Networks Dr. Chapter 5 (Week 9) The Network Layer ANDREW S. TANENBAUM COMPUTER NETWORKS FOURTH EDITION PP. 343-396 1 5.1. NETWORK LAYER DESIGN ISSUES 5.2. ROUTING ALGORITHMS 5.3. CONGESTION CONTROL ALGORITHMS 5.4.

More information

TVA: A DoS-limiting Network Architecture L

TVA: A DoS-limiting Network Architecture L DoS is not even close to be solved : A DoS-limiting Network Architecture L Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington) 1 n Address validation is

More information