Vulnerabilities in distance-indexed IP traceback schemes

To counter Denial-of-Service (DoS) attacks that use spoofed source addresses, many IP traceback schemes have been proposed in recent years. Among them, distance-indexed probabilistic packet marking (PPM) schemes appear to be very attractive. In this paper, we first identify two intrinsic vulnerabilities in these schemes. We then design several exploits that take advantage of these vulnerabilities and substantiate them with an efficacy analysis and numerical results, showing that the attacker's effort is small when compared with the traceback effort the victim must expend. Consequently, the design goal of these schemes can be compromised in practice. Finally, we discuss these vulnerabilities in a more general context relevant to network protocols and examine a few possible alternatives.
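To make the mechanism under attack concrete, the following is an added simulation (not code from the paper) of the basic distance-indexed PPM scheme in the node-sampling style of Savage et al.: each router on the path overwrites the packet's mark with its own identifier and distance 0 with probability p, and otherwise increments the distance of any mark already present; the victim sorts the marks it collects by distance to rebuild the path. The five-router path, the marking probability and the packet counts are constructed inputs, and the simulation does not reproduce the two vulnerabilities the paper reports; it only shows the baseline behaviour, including the standard observation that a mark forged by the sender always arrives with a distance at least equal to the true path length.

```python
"""Added simulation of distance-indexed probabilistic packet marking (PPM),
node-sampling style. Constructed example; not the paper's code."""
import math
import random
from collections import defaultdict


def mark_packet(path, p, rng, initial_mark=None):
    """Forward one packet along `path` (attacker-side router first, victim-side
    router last) and return the (router_id, distance) mark the victim sees.
    `initial_mark` models a mark the sender writes before the first router."""
    mark = initial_mark
    for router in path:
        if rng.random() < p:
            mark = (router, 0)             # router samples itself: overwrite
        elif mark is not None:
            mark = (mark[0], mark[1] + 1)  # pass-through: one hop further away
    return mark


def collect_marks(path, p, n_packets, rng, initial_mark=None):
    """Victim side: gather the marks carried by n_packets attack packets."""
    marks = []
    for _ in range(n_packets):
        m = mark_packet(path, p, rng, initial_mark)
        if m is not None:
            marks.append(m)
    return marks


def reconstruct(marks):
    """Group marked routers by their reported distance from the victim.
    Entry d of the returned list is the set of routers claimed at d hops;
    distance 0 is the router adjacent to the victim."""
    by_dist = defaultdict(set)
    for router, dist in marks:
        by_dist[dist].add(router)
    if not by_dist:
        return []
    return [by_dist[d] for d in range(max(by_dist) + 1)]


def expected_packets(p, d):
    """Savage et al. bound on the expected number of packets the victim needs
    to see every router on a path of length d when each marks with prob. p."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


def simulate(path, p, n_packets, seed=0):
    """Run an attack of n_packets packets over `path` and return the
    victim's per-distance reconstruction."""
    rng = random.Random(seed)
    return reconstruct(collect_marks(path, p, n_packets, rng))


def forged_mark_distance(path, initial_distance=0):
    """Distance the victim sees on a sender-forged mark in the sender's best
    case: no router on the path overwrites it (p = 0 for this packet). Each
    genuine router still increments the distance, so the result is always
    len(path) + initial_distance, i.e. beyond every real router."""
    mark = mark_packet(path, 0.0, random.Random(0), ("FAKE", initial_distance))
    return mark[1]


if __name__ == "__main__":
    # Constructed 5-hop path: R1 is the attacker's first hop, R5 the victim's.
    PATH = ["R1", "R2", "R3", "R4", "R5"]
    for dist, routers in enumerate(simulate(PATH, p=0.04, n_packets=2000)):
        print(f"distance {dist}: {sorted(routers)}")
    print(f"expected packets for p=0.04, d=5: {expected_packets(0.04, 5):.1f}")
    print("best-case forged mark distance:", forged_mark_distance(PATH))
```

With p = 0.04 the bound gives roughly 47 packets for a 5-hop path, which is why these schemes look attractive: the victim learns the full path from a few dozen packets it was going to receive anyway. The forged-mark check is the property the distance field is meant to buy; it says nothing about the paper's two vulnerabilities, which concern how the scheme behaves once an attacker targets the indexing itself.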
