A general model of probabilistic packet marking for IP traceback

In this paper, we model Probabilistic Packet Marking (PPM) schemes for IP traceback as an identification problem of a large number of markers. Each potential marker is associated with a distribution on tags, which are short binary strings. To mark a packet, a marker follows its associated distribution in choosing the tag to write in the IP header. Since there are a large number of (for example, over 4,000) markers, what the victim receives are samples from a mixture of distributions. Essentially, traceback aims to identify individual distribution contributing to the mixture. Guided by this model, we propose Random Packet Marking (RPM), a scheme that uses a simple but effective approach. RPM does not require sophisticated structure/relationship among the tags, and employs a hop-by-hop reconstruction similar to AMS [16]. Simulations show improved scalability and traceback accuracy over prior works. For example, in a large network with over 100K nodes, 4,650 markers induce 63% of false positives in terms of edges identification using the AMS marking scheme; while RPM lowers it to 2%. The effectiveness of RPM demonstrates that with prior knowledge of neighboring nodes, a simple and properly designed marking scheme suffices in identifying large number of markers with high accuracy.

[1]  Ion Stoica,et al.  Providing guaranteed services without per flow management , 1999, SIGCOMM '99.

[2]  Alex C. Snoeren,et al.  Hash-based IP traceback , 2001, SIGCOMM '01.

[3]  Marcel Waldvogel,et al.  GOSSIB vs. IP traceback rumors , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[4]  Jerry R. Hobbs,et al.  An algebraic approach to IP traceback , 2002, TSEC.

[5]  Jun Li,et al.  Large-scale IP traceback in high-speed Internet: practical techniques and theoretical foundation , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[6]  Daniel Massey,et al.  On design and evaluation of "intention-driven" ICMP traceback , 2001, Proceedings Tenth International Conference on Computer Communications and Networks (Cat. No.01EX495).

[7]  Heejo Lee,et al.  On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets , 2001, SIGCOMM '01.

[8]  Brian Krebs,et al.  Attack On Internet Called Largest Ever , 2002 .

[9]  Michael T. Goodrich,et al.  Efficient packet marking for large-scale IP traceback , 2002, CCS '02.

[10]  Steven M. Bellovin,et al.  ICMP Traceback Messages , 2003 .

[11]  Dawn Xiaodong Song,et al.  Advanced and authenticated marking schemes for IP traceback , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[12]  Burton H. Bloom,et al.  Space/time trade-offs in hash coding with allowable errors , 1970, CACM.

[13]  Anna R. Karlin,et al.  Practical network support for IP traceback , 2000, SIGCOMM.

[14]  Dawn Xiaodong Song,et al.  FIT: fast Internet traceback , 2005, Proceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies..

[15]  Min Wu,et al.  Anti-collusion fingerprinting for multimedia , 2003, IEEE Trans. Signal Process..

[16]  Amos Fiat,et al.  Tracing traitors , 2000, IEEE Trans. Inf. Theory.

[17]  Micah Adler Tradeoffs in probabilistic packet marking for IP traceback , 2002, STOC '02.

[18]  Lee Garber,et al.  Denial-of-Service Attacks Rip the Internet , 2000, Computer.