Hash-based IP traceback

The design of the IP protocol makes it difficult to reliably identify the originator of an IP packet. Even in the absence of any deliberate attempt to disguise a packet's origin, widespread packet forwarding techniques such as NAT and encapsulation may obscure the packet's true source. Techniques have been developed to determine the source of large packet flows, but, to date, no system has been presented to track individual packets in an efficient, scalable fashion. We present a hash-based technique for IP traceback that generates audit trails for traffic within the network, and can trace the origin of a single IP packet delivered by the network in the recent past. We demonstrate that the system is effective, space-efficient (requiring approximately 0.5% of the link capacity per unit time in storage), and implementable in current or next-generation routing hardware. We present both analytic and simulation results showing the system's effectiveness.
