IP traceback through (authenticated) deterministic flow marking: an empirical evaluation



RESEARCH

Open Access

Vahid Aghaei-Foroushani* and A Nur Zincir-Heywood

Abstract

In this paper, we present a novel approach to IP traceback: deterministic flow marking (DFM). We evaluate this approach against two well-known IP traceback schemes, the probabilistic packet marking (PPM) and the deterministic packet marking (DPM) techniques. To do so, we analyzed these techniques in detail in terms of their performance and feasibility on five Internet traces. These traces consist of Darpa 1999 traffic traces, CAIDA October 2012 traffic traces, MAWI December 2012 traffic traces, and Dal2010 traffic traces. We employed 16 performance metrics to evaluate their performance. The empirical results show that the novel DFM technique can reduce the number of marked packets by 91% compared to DPM, while achieving the same or better performance in terms of its ability to trace back the attack. Additionally, DFM provides an optional authentication so that a compromised router cannot forge the markings of other, uncompromised routers. Unlike PPM and DPM, which trace the attack only up to the ingress interface of the edge router closest to the attacker, DFM allows the victim to trace the origin of incorrect or spoofed source addresses up to the attacker node, even if the attack originated from a network behind a network address translation (NAT) server. Our results show that DFM can reach up to approximately 99% traceback rate with no false positives.

Keywords: Flow-based IP traceback; DDoS attacks; Deterministic flow marking; Authenticated flow marking; Security

1 Introduction

In recent years, much attention has been paid to securing the Internet infrastructure, which has become a universal medium for a broad range of communications. Several security approaches have been proposed for securing this infrastructure. The specific security issue that is the main focus of this study is anonymous attacks. Due to the trusting nature of the IP protocol, which originally did not include security as a design principle, the source IP address of a packet is not authenticated. Attackers are usually interested in hiding their identity behind fake addresses. (Distributed) Denial of Service ((D)DoS) attacks are an example of anonymous attacks for which there is currently no obvious way to prevent or trace them. While preventing all attacks on the Internet is far from reality, at least a mechanism for identifying the source(s) of an attack is needed in situations where prevention fails. This is the reason for designing IP traceback techniques. Traceback is the name given to any method for reliably determining the origin of traffic on the network. To the best of our knowledge, the state-of-the-art traceback methods in the literature are able to detect only up to the autonomous system (AS) level or, at best, the

*Correspondence: [email protected] Faculty of Computer Science, Dalhousie University, Halifax, Nova Scotia B3H IW5, Canada