A marking scheme using Huffman codes for IP traceback

In a (distributed) denial-of-service ((D)DoS) attack, attackers send a huge number of packets toward a target host or network, using spoofed source addresses to disguise themselves. Various IP traceback techniques, such as link testing, marking, and logging, have been proposed to find the real source of attack packets. We present a marking scheme (with marking and traceback algorithms) in which a router marks each packet with the link that the packet came through. The links of a router are represented by Huffman codes assigned according to the traffic distribution among the links. If the packet runs out of space allotted for the marking field in the packet header, the router stores the marking field in its local memory along with a message digest of the packet. We analyze the memory routers need to store marking fields, compare the scheme with other existing techniques, and address practical issues in deploying the scheme in the Internet. Because the scheme marks every packet, IP traceback can be accomplished with only a single packet, unlike in probabilistic marking; it also requires far less memory than logging methods and is robust in the case of DDoS.
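The marking, overflow storage, and traceback steps described above, as an added Python illustration that is not the paper's own algorithm or code. Assumptions: each router prepends its link code so the field decodes from the front, SHA-256 stands in for the message digest, the marking field holds 3 bits, and the topology, traffic counts, and all names are constructed.

```python
import hashlib, heapq, itertools

def huffman(traffic):
    """Prefix-free code per upstream link; busier links get shorter codes (needs >= 2 links)."""
    tie = itertools.count()                       # tie-breaker so dicts are never compared
    heap = [(w, next(tie), {link: ""}) for link, w in traffic.items()]
    heapq.heapify(heap)
    while len(heap) > 1:
        w0, _, a = heapq.heappop(heap)
        w1, _, b = heapq.heappop(heap)
        merged = {k: "0" + v for k, v in a.items()}
        merged.update({k: "1" + v for k, v in b.items()})
        heapq.heappush(heap, (w0 + w1, next(tie), merged))
    return heap[0][2]

class Router:
    def __init__(self, traffic):
        self.codes, self.store = huffman(traffic), {}
    def mark(self, field, payload, came_from, capacity):
        code = self.codes[came_from]
        if len(code) + len(field) > capacity:     # no room: keep old field in router memory
            self.store[hashlib.sha256(payload).digest()] = field
            field = ""
        return code + field                       # newest code in front (assumed layout)
    def unmark(self, field, payload):
        # Prefix-freeness guarantees exactly one of this router's codes starts the field.
        link, code = next((l, c) for l, c in self.codes.items() if field.startswith(c))
        rest = field[len(code):]
        if not rest:                              # empty: restore a stored field, if any
            rest = self.store.get(hashlib.sha256(payload).digest(), "")
        return link, rest

# Constructed topology: per-router traffic counts on each upstream link.
ROUTERS = {name: Router(t) for name, t in {
    "R1": {"hostA": 5, "hostB": 60, "hostC": 35},
    "R2": {"R1": 50, "R4": 30, "R7": 15, "R8": 5},
    "R3": {"R2": 70, "R5": 20, "R6": 10}}.items()}

def send(payload, path, capacity=3):
    field = ""
    for prev, hop in zip(path, path[1:]):         # each router marks the incoming link
        field = ROUTERS[hop].mark(field, payload, prev, capacity)
    return field

def traceback(field, payload, last_router):
    path, current = [], last_router
    while field:                                  # walk upstream until nothing is left
        current, field = ROUTERS[current].unmark(field, payload)
        path.append(current)
    return path
```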
