Conference Paper

Improved marking model ERPPM tracing back to DDoS attacker

Network Res. Center, Tsinghua Univ., Beijing, China
DOI: 10.1109/ICITA.2005.158 Conference: Information Technology and Applications, 2005. ICITA 2005. Third International Conference on, Volume: 2
Source: IEEE Xplore


In this paper we present a new model ERPPM for providing traceback information in IP packets, which marking the packet with a dynamic optimal marking probability to ensure that the victim receives all the marked packets with equal probability, which can greatly reduce the number of packets needed to reconstruct the attacking path.

5 Reads
  • [Show abstract] [Hide abstract]
    ABSTRACT: The enhanced routers which can provide tracing service are referred to as tracers. In this paper, we propose a new hierarchical tracers deployment which can guarantee that the distance between any attack origin and its first met tracer be within an assigned hop distance. Networks are partitioned into hierarchical areas which are surrounded by tracers. Based on hierarchical tracers deployment, we design a multi-layer traceback method which can guarantee to find all of attack origins. Packets are marked only by their first met tracer in low probability. A single marked packet can be used to locate where the area attack origin is from. If the number of nodes in the found area is more than a threshold, the proposed multi-layer traceback will be recursively executed till attack origins are found. Extended simulation shows that the searching cost of finding attack origins can be bounded.
    Advanced Information Networking and Applications - Workshops, 2008. AINAW 2008. 22nd International Conference on; 04/2008
  • [Show abstract] [Hide abstract]
    ABSTRACT: This paper describes a novel DDoS traceback scheme. It aims at the disadvantages of the current schemes, which can not traceback the large-scale DDoS attack with the increasing false positive rate, or which can not traceback the DDoS attack fast from the large number of packets required for reconstruction, or which can not apply in the high-speed Internet because of the high overhead of network and router etc. The proposed scheme maps k hash digests of the router's IP into an m-bit Bloom Filter array. Then the m-bit Bloom Filter array is probabilistically written into the IP header of the passing packet or deterministically accumulated with the marking information in the IP header of the marked packet. If the Bloom Filter array in the marking information is full, the marking information is probabilistically written into another packet with the same source address and same destination address. This scheme has several advantages low false positive rate; fewer packets to reconstruct the attack path; and low computation overhead and storage overhead at the router. It implements the local traceback fast under large-scale DDOS attack in high-speed Internet.
  • [Show abstract] [Hide abstract]
    ABSTRACT: To solve the DoS/DDoS problems efficiently, the first things is to locate the attack origins and then cooperate the filter(s) nearby for dropping abnormal packets in time. The original routers can't provide these functions such as tracking, filtering, and etc. They have to be enhanced with additional functions to defend DoS/DDoS attacks. We refer the enhanced routers as tracers. According to the characteristic, cost and necessity of tracers, three kinds of heterogeneous tracers are selected, namely tunneling-enabled tracers, marking-enabled tracers and filtering-enabled tracers. The tunneling-enabled tracers with the lowest cost can alter the path of the passing packets to destination easily. In this paper, we study how to use tunneling-enabled tracers efficiently to forward packets to the best marking-enabled or filtering-enabled tracer for locating attack origins and filtering abnormal packets in time. Four methods are proposed and compared with the optimal solution. The fourth method with the assistance of marking-enabled tracers has the best performance of protecting network bandwidth by simulation result.