A hybrid IP Trace Back Scheme Using Integrate Packet logging with hash Table under Fixed Storage

Similar documents
An IP Traceback using Packet Logging & Marking Schemes for Path Reconstruction

A NEW IP TRACEBACK SCHEME TO AVOID LAUNCH ATTACKS

A New Path for Reconstruction Based on Packet Logging & Marking Scheme

A Survey on Different IP Traceback Techniques for finding The Location of Spoofers Amruta Kokate, Prof.Pramod Patil

Prof. N. P. Karlekar Project Guide Dept. computer Sinhgad Institute of Technology

Comparative Study of IP Trace back Techniques

A Novel Hybrid Technique for Internet Protocol Traceback

Aparna Rani Dept. of Computer Network Engineering Poojya Doddappa Appa College of Engineering Kalaburagi, Karnataka, India

Research Article Hybrid Single-Packet IP Traceback with Low Storage and High Accuracy

Survey of Several IP Traceback Mechanisms and Path Reconstruction

Single Packet IP Traceback in AS-level Partial Deployment Scenario

SIMULATION OF THE COMBINED METHOD

Multivariate Correlation Analysis based detection of DOS with Tracebacking

Single Packet ICMP Traceback Technique using Router Interface

A Probabilistic Packet Marking scheme with LT Code for IP Traceback

International Journal of Scientific & Engineering Research, Volume 7, Issue 12, December ISSN

Identifying Spoofed Packets Origin using Hop Count Filtering and Defence Mechanisms against Spoofing Attacks

Scalable Hash-based IP Traceback using Rate-limited Probabilistic Packet Marking

RETRIEVAL OF DATA IN DDoS ATTACKS BY TRACKING ATTACKERS USING NODE OPTIMIZATION TECHNIQUE

Discriminating DDoS Attacks from Flash Crowds in IPv6 networks using Entropy Variations and Sibson distance metric

Spoofer Location Detection Using Passive Ip Trace back

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

Enhancing the Reliability and Accuracy of Passive IP Traceback using Completion Condition

IP Traceback Based on Chinese Remainder Theorem

Enhancing Probabilistic Packet Marking by Integrating Dynamic Probability and Time to Live (TTL) Clustering

TO DETECT AND RECOVER THE AUTHORIZED CLI- ENT BY USING ADAPTIVE ALGORITHM

STF-DM: A Sparsely Tagged Fragmentation with Dynamic Marking an IP Traceback Approach. Online Publication

Distributed Denial-of-Service Attack Prevention using Route-Based Distributed Packet Filtering. Heejo Lee

IP traceback through (authenticated) deterministic flow marking: an empirical evaluation

TRACEBACK OF DOS OVER AUTONOMOUS SYSTEMS

DoS Attacks. Network Traceback. The Ultimate Goal. The Ultimate Goal. Overview of Traceback Ideas. Easy to launch. Hard to trace.

A proposal for new marking scheme with its performance evaluation for IP Traceback

An Authentication Based Source Address Spoofing Prevention Method Deployed in IPv6 Edge Network

A Precise and Practical IP Traceback Technique Based on Packet Marking and Logging *

Geographical Division Traceback for Distributed Denial of Service

AN UNIQUE SCHEME FOR DETECTING IP SPOOFERS USING PASSIVE IP TRACEBACK

IP Traceback Using DNS Logs against Bots

IP TRACEBACK Scenarios. By Tenali. Naga Mani & Jyosyula. Bala Savitha CSE Gudlavalleru Engineering College. GJCST-E Classification : C.2.

TOPO: A Topology-aware Single Packet Attack Traceback Scheme

Internet level Traceback System for Identifying the Locations of IP Spoofers from Path Backscatter

On IPv6 Traceback. obaidgnetworking.khu.ac.kr,cshonggkhu.ac.kr. highlights the related works; Section 3 will give an overview

Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback. Basheer Al-Duwairi, Member, IEEE, and G. Manimaran, Member, IEEE

A Lightweight IP Traceback Mechanism on IPv6

A New Mechanism For Approach of IP Spoofers: Passive IP Traceback Using Backscatter Messages

Flow Based DetectingDDoS Attack in Large Scale Network by Using Entropy Variation Technique

IP TRACEBACK (PIT): A NOVEL PARADIGM TO CATCH THE IP SPOOFERS

A Novel Approach to Denial-of-Service Attack Detection with Tracebacking

Denial of Service, Traceback and Anonymity

(Submit to Bright Internet Global Summit - BIGS)

Detection of Spoofing Attacks Using Intrusive Filters For DDoS

MITIGATION OF DENIAL OF SERVICE ATTACK USING ICMP BASED IP TRACKBACK. J. Gautam, M. Kasi Nivetha, S. Anitha Sri and P. Madasamy

ABSTRACT. A network is an architecture with a lot of scope for attacks. The rise in attacks has been

A Novel Packet Marking Scheme for IP Traceback

A Stateless Traceback Technique for Identifying the Origin of Attacks from a Single Packet

Increasing the effectiveness of packet marking schemes using wrap-around counting Bloom filter

Packet track and traceback mechanism against denial of service attacks

An Investigation about the Simulation of IP Traceback and Various IP Traceback Strategies

DENIAL OF SERVICE ATTACKS: PATH RECONSTRUCTION FOR IP TRACEBACK USING ADJUSTED PROBABILISTIC PACKET MARKING. A Thesis RAGHAV DUBE

Multi Directional Geographical Traceback with n Directions Generalization

Design and Simulation Implementation of an Improved PPM Approach

EFFECTIVE INTRUSION DETECTION AND REDUCING SECURITY RISKS IN VIRTUAL NETWORKS (EDSV)

A Flow-Based Traceback Scheme on an AS-Level Overlay Network

Keywords MANET, DDoS, Floodingattack, Pdr.

A SECURITY FRAMEWORK BASED ON FLOW MARKING IP-TRACEBACK TECHNIQUES

A New Logging-based IP Traceback Approach using Data Mining Techniques

An Enhanced Deterministic Flow Marking Technique to Efficiently Support Detection of Network Spoofing Attacks

A Model for Determining the Origin OFA Packet to Find Real Attacks

IP Spoof Prevented Technique to Prevent IP Spoofed Attack

A General Model of Probabilistic Packet Marking for IP Traceback

A METHOD TO DETECT PACKET DROP ATTACK IN MANET

DISTRIBUTED HASH TABLE PROTOCOL DETECTION IN WIRELESS SENSOR NETWORKS

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

A Network Coding Approach to IP Traceback

StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense

Xiang, Yang and Zhou, Wanlei 2005, Mark-aided distributed filtering by using neural network for DDoS defense, in GLOBECOM '05 : IEEE Global

Configuring attack detection and prevention 1

Artificial Neural Network To Detect Know And Unknown DDOS Attack

INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET)

DDoS and Traceback 1

MIB-ITrace-CP: An Improvement of ICMP-Based Traceback Efficiency in Network Forensic Analysis

Correlation Based Approach with a Sliding Window Model to Detect and Mitigate Ddos Attacks

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

A Thesis. Presented to. The Graduate Faculty of The University of Akron. In Partial Fulfillment. Master of Science. Shanmuga Sundaram Devasundaram

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Provider-based deterministic packet marking against distributed DoS attacks

An Efficient Probabilistic Packet Marking Scheme for IP Traceback

Defending Against Slave And Reflector Attacks With Deterministic Edge Router Marking (DERM)

DDOS Attack Prevention Technique in Cloud

A Study on Intrusion Detection Techniques in a TCP/IP Environment

ABSTRACT. in defeating Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks.

@IJMTER-2016, All rights Reserved ,2 Department of Computer Science, G.H. Raisoni College of Engineering Nagpur, India

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

Configuring attack detection and prevention 1

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

NOWADAYS, more and more critical infrastructures are

Defenses against Large Scale Online Password Guessing by Using Persuasive Cued Click Points

CSC 6575: Internet Security Fall Attacks on Different OSI Layer Protocols OSI Layer Basic Attacks at Lower Layers

Denial of Service and Distributed Denial of Service Attacks

Chapter 7. Denial of Service Attacks

Transcription:

Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 2, Issue. 12, December 2013, pg.145 152 RESEARCH ARTICLE ISSN 2320 088X A hybrid IP Trace Back Scheme Using Integrate Packet logging with hash Table under Fixed Storage SSVR Kumar Addagarla 1, Usha Nag S 2 1 Dept of Comp Science, Prasiddha College of Engineering & Technology, Amalapuram, India 2 Dept of Comp Science, Prasiddha College of Engineering & Technology, Amalapuram, India 1 ssvrkumar.research@gmail.com; 2 ushanag1686@gmail.com Abstract - The Internet has been widely applied in various fields, more and more network security issues emerge and catch people s attention. However, adversaries often hide themselves by spoofing their own IP addresses and then launch attacks. For this reason, researchers have proposed a lot of traceback schemes to trace the source of these attacks. Some use only one packet in their packet logging schemes to achieve IP tracking. Others combine packet marking with packet logging and therefore create hybrid IP traceback schemes demanding less storage but requiring a longer search. In this paper, we propose a new hybrid IP traceback scheme with efficient packet logging aiming to have a fixed storage requirement for each router (under 320 KB) in packet logging without the need to refresh the logged tracking information and to achieve zero false positive and false negative rates in attack-path reconstruction. In addition, we use a packet s marking field to censor attack traffic on its upstream routers. Lastly, we simulate and analyze our scheme, in comparison with other related research, in the following aspects: storage requirement, computation, and accuracy. Keywords: Spoofing; DDos; hybrid IP traceback; packet logging; packet marking I. INTRODUCTION With the rapid growth of the Internet, various internet applications are developed for different kinds of users. Due to the decreasing cost of Internet access and its increasing availability from a plethora of devices and applications, the impact of attacks becomes more significant. To disrupt the service of a server, the sophisticated attackers may launch a distributed denial of service (DDoS) attack. Based on the number of packets to deny the service of a server, we can categorize DDoS attacks into flooding-based 2013, IJCSMC All Rights Reserved 145

attacks and software exploit attacks [8]. The major signature of flooding-based attacks is a huge amount of forged source packets to exhaust a victim s limited resources. Another type of DoS attack, software exploit attacks, attacks a host using the host s vulnerabilities with few packets (e.g., Teardrop attack and LAND attack). Since most edge routers do not check the origin s address of a packet, core routers have difficulties in recognizing the source of packets. The source IP address in a packet can be spoofed when an attacker wants to hide himself from tracing. Therefore, IP spoofing makes hosts hard to defend against a DDoS attack. For these reasons, developing a mechanism to locate the real source of impersonation attacks has become an important issue nowadays. For tracing the real source of flooding-based attack packets, we propose a traceback scheme that marks routers interface numbers and integrates packet logging with a hash table to deal with these logging and marking issues in IP traceback. Packet marking can be put into two categories, deterministic packet marking (DPM) and probabilistic packet marking (PPM). Belenky and Ansari [3], [4] propose DPM traceback schemes to mark a border routers IP address on the passing packets. However, IP header s identification field is not enough to store the full IP address. For this reason, the border router divides its IP into several segments and computes the digest of its IP. Then it randomly chooses a segment and the digest to mark on its passing packets.when the destination host receives enough packets, it can use the digest to assemble the different segments. On the other hand, Savage et al. [8] propose a PPM scheme with edge sampling which is called FMS. Song and Perrig [20] propose the AMS scheme. Yaar et al. [2] propose the FIT scheme. Al-Duwari and Govindarasu [1] propose the probabilistic pipelined packet marking (PPPM) scheme. Gong and Sarac [6] propose a practical packet marking scheme. These probability-based schemes require routers to mark partial path information on the packets which pass through them with a probability. That is to say, if a victim collects enough marked packets, it can reconstruct the full attack path. Since flooding-based traceback schemes need to collect a large amount of attack packets to find the origin of attacks, these schemes are not suitable for tracing the origins of software exploit attacks. Most current tracing schemes that are designed for software exploits can be categorized into three groups: single packet, packet logging [7], [8], and hybrid IP traceback [1], [8], [6], [5]. The basic idea of packet logging is to log a packet s information on routers. Huffman codes [8], Modulo/ Reverse modulo Technique (MRT) [5] and Modulo/Reverse modulo (MORE) [6] use interface numbers of routers, instead of partial IP or link information, to mark a packet s route information. Each of these methods marks routers interface numbers on a packet s IP header along a route. However, a packet s IP header has rather limited space for marking and therefore cannot always afford to record the full route information. So, they integrate packet logging into their marking schemes by allowing a packet s 2013, IJCSMC All Rights Reserved 146

marking field temporarily logged on routers. We find these tracing methods still require high storage on logged routers. Also, their schemes cannot avoid a false positive problem because their packet digests in each log table may have collision, and their schemes even have false negative problem when routers refresh logged data.apart from these,we find their exhaustive searching quite inefficient in path reconstruction. For these reasons, we propose a traceback scheme that marks routers interface numbers and integrates packet logging with a hash table to deal with these logging and marking issues in IP traceback. Our hybrid IP traceback scheme designed to achieve the following properties: Our storage requirement for an arbitrary router is bounded above by the number of paths to the router, and thus every router does not need to refresh logged tracking information. Our scheme achieves zero false positive and false negative rates in attack-path reconstruction. We have higher efficiency in path reconstruction. Our scheme can censor attack traffic. Our propose packet sending scheme can be shown below Figure 1. Packet sending Construction Scheme 2013, IJCSMC All Rights Reserved 147

Routers interface numbers and integrates packet logging with a hash table marks interface numbers of routers on packets so as to trace the path of packets. Since the marking field on each packet is limited, our packet-marking scheme may need to log the marking field into a hash table and store the table index on the packet. We repeat this marking/logging process until the packet reaches its destination. After that, we can reverse such process to trace back to the origin of attack packets[6]. The entire work of this paper is divided into five different modules. They are: Network topology Construction Path Selection Packet Sending Packet Marking and Logging Path Reconstruction II. Network topology Construction A Network Topology may consist of the number of routers that are connected with local area networks. Thus, a router can either receive data from the nearer router or from the local area network. A border router receives packets from its local network [5]. A core router receives packets from other routers. The number of routers connected to a single router is called as the degree of a router. This is calculated and stored in a table. The Upstream interfaces of each router also have to be found and stored in the interface table. As the network topology shows in Fig. 2, a router can be connected to a local network or other routers, or even both. A border router receives packets from its local network. A core router receives packets from other routers [4]. For example, serves as a border router when it receives packets from Host. However, it becomes a core router when receiving packets from the assumptions of our scheme are as follows. 1) A router creates an interface table and numbers the up-stream interfaces in advance. 2) A router knows whether a packet comes from a router or a local network. 3) Such a traceback scheme is viable on every router. 4) The traffic route and network topology may be changed, but not often. If we use the identification field to mark a packet, it can lead to identification number collision in the reassembling process. III. Path Selection The path is said to be the way in which the selected packet or file has to be sent from the source to the destination [3][2]. The Upstream interfaces of each router have to be found and it is stored in the interface table. With the help of that interface table, the desired path between the selected source and destination can be defined. 2013, IJCSMC All Rights Reserved 148

IV. Packet Sending One of the Packet or file is to be selected for the transformation process. The packet is sent along the defined path from the source LAN to destination LAN[1][5]. The destination LAN receives the packet and checks whether that it has been sent along the defined path or not. V. Packet Marking and Logging Packet marking is the phase, where the efficient Packet Marking algorithm is applied at each router along the defined path. It calculates the Pmark value and stores in the hash table. If the Pmark is not overflow than the capacity of the router, then it is sent to the next router. Otherwise it refers the hash table and again applies the algorithm. The packet marking and logging scheme and Notations are shown below. Notations: Figure 2. Network Topology for path construction R i D(R i ) UI i P H() M C1,c2 HT HT[index] {R1,R2,R3 Ri,..Rx} Routers in the internet The degree of R i The upstream interface number of the router R i in the route r The received packet A hash function The size of a hash table (i.e the number of slots in a hash table) Constant An m entries hash table HT[index]: the entry of the hash table HT with the address index 2013, IJCSMC All Rights Reserved 149

(HT[0] is reserved) HT[index].mark:HT[index] s mark field % HT[index].UI:HT[index] s UI field The modulo operations Packet Marking and Logging Scheme Input: P, UI i begin 1. mark new =P.mark X (D(R i )+1) + UI i +1 2. if mark new is overflow then 3. index=h=h(p.mark) 4. probe=0 5. while not(ht[index] is empty or HT[index] is equal to (P.mark, UI i )) 6. probe++ 7. index=(h+c1 x probe + c2 x probe 2 )%m 8. end while 9. if HT[index] is empty then 10. HT[index].mark=P.mark 11. HT[index].UI=UIi 12. Endif 13. mark new =index x (D(R i )+1) 14. endif 15. P.mark=mark new 16. Forward the packet to the next router End VI. Path Reconstruction Once the Packet has reached the destination after applying the Algorithm, there it checks whether it has sent from the correct upstream interfaces. If any of the attack is found, it request for the Path Reconstruction. Path Reconstruction is the Process of finding the new path for the same source and the destination in which no attack can be made. The below shows the path reconstruction scheme. 2013, IJCSMC All Rights Reserved 150

Path Reconstruction Scheme Begin 1. UI i =mark req %(D(R i )+1)-1 2. If UI i = -1 then 3. Index = mark reg /(D(R i )+1) 4. If not index = 0 then 5. UI i =HT[index].UI 6. mark old = HT[index].mark 7. send reconstruction request with mark old to upstream router by UI i 8. else 9. this router is the nearest border router to the attacker 10. endif 11. else 12. mark old =mark req /(D(R i )+1) 13. send reconstruction request with mark old to upstream router by UI i 14. endif End VII. CONCLUSION In this paper, we propose a new hybrid IP traceback scheme for efficient packet logging aiming to have a fixed storage requirement in packet logging without the need to refresh the logged tracking information. Also, the proposed scheme has zero false positive and false negative rates in an attack-path reconstruction. Apart from these properties, our scheme can also deploy a marking field as a packet identity to filter malicious traffic and secure against DoS/DDoS attacks. Consequently, with high accuracy, a low storage requirement, and fast computation, our scheme can serve as an efficient and secure for hybrid IP traceback. As for our future work, we would like to come up with another version of the scheme which uses a 16-bit marking field to avoid the problem caused by packet fragmentation. REFERENCES [1] B.Al-Duwari andm. Govindarasu, Novel hybrid schemes employing packet marking and logging for IP traceback, IEEE Trans. Parallel Distributed Syst., vol. 17, no. 5, pp. 403 418, May 2006. [2] A. Appleby, Murmurhash 2010 [Online]. Available: http://sites.google. com/site/murmurhash/ [3] A. Belenky and N. Ansari, IP traceback with deterministic packet marking, IEEE Commun. Lett., vol. 7, no. 4, pp. 162 164, Apr. 2003. [4] A. Belenky and N. Ansari, Tracing multiple attackers with deterministic packetmarking (DPM), in Proc. IEEE PACRIM 03, Victoria, BC, Canada, Aug. 2003, pp. 49 52. 2013, IJCSMC All Rights Reserved 151

[5] S. M. Bellovin, M. D. Leech, and T. Taylor, ICMP traceback messages, Internet Draft: Draft-Ietf- Itrace-04.Txt, Feb. 2003. [6] H. Burch and B. Cheswick, Tracing anonymous packets to their approximate source, in Proc. USENIX LISA 2000, New Orleans, LA, Dec. 2000, pp. 319 327. [7] CAIDA s Skitter Project CAIDA, 2010 [Online]. Available: http://www.caida.org/tools/skitter/ [8] K. H. Choi and H. K. Dai, A marking scheme using Huffman codes for IP traceback, in Proc. 7th Int. Symp. Parallel Architectures, Algorithms Networks (SPAN 04), Hong Kong, China, May 2004, pp. 421 428. 2013, IJCSMC All Rights Reserved 152

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback