Practical network support for IP traceback

This paper describes a technique for tracing anonymous packet flooding attacks in the Internet back towards their source. This work is motivated by the increased frequency and sophistication of denial-of-service attacks and by the difficulty in tracing packets with incorrect, or "spoofed", source addresses. In this paper we describe a general purpose traceback mechanism based on probabilistic packet marking in the network. Our approach allows a victim to identify the network path(s) traversed by attack traffic without requiring interactive operational support from Internet Service Providers (ISPs). Moreover, this traceback can be performed "post-mortem", that is, after an attack has completed. We present an implementation of this technology that is incrementally deployable, (mostly) backwards compatible and can be efficiently implemented using conventional technology.
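The following simulation is an added illustration of the probabilistic marking idea the abstract refers to; it is not code from the paper. It models the simplest variant, node sampling: every router on the path overwrites a single marking field with its own address with probability p, so the victim, after collecting many packets, sees the last-hop router most often and routers further away progressively less often (the router at distance d from the victim wins the field with probability p(1-p)^(d-1)). The victim can therefore order the routers by mark frequency, post-mortem, using only the packets it received. The router names, marking probability and packet count below are constructed for the example; the paper's deployable scheme encodes edges rather than single nodes and fragments the marks into existing IP header space, which this toy does not attempt.

```python
import random
from collections import Counter

# Constructed path from the attacker's first-hop router (index 0) to the
# router adjacent to the victim (last index).  Not real addresses.
ATTACK_PATH = ["R1-near-attacker", "R2", "R3", "R4", "R5-near-victim"]
MARK_PROBABILITY = 0.5   # constructed value for the simulation


def mark_packet(path, p, rng):
    """Node sampling on one packet: each router on `path`, in forwarding
    order, overwrites the single mark field with its address with
    probability p.  Returns the mark the victim finally sees (None if no
    router marked the packet)."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router
    return mark


def expected_fraction(distance, p):
    """Probability that the surviving mark came from the router `distance`
    hops from the victim (1 = last hop): that router must mark the packet
    and every router closer to the victim must leave the field alone."""
    return p * (1 - p) ** (distance - 1)


def simulate_attack(path, p, n_packets, seed=0):
    """Victim-side view: the list of marks carried by n_packets flood
    packets.  A fixed seed keeps the example reproducible."""
    rng = random.Random(seed)
    return [mark_packet(path, p, rng) for _ in range(n_packets)]


def reconstruct_path(marks):
    """Order routers by how often their mark survived; the nearest router
    dominates and frequency falls geometrically with distance, so the
    ranking lists the path from the victim back towards the source."""
    counts = Counter(m for m in marks if m is not None)
    return [router for router, _ in counts.most_common()]


def mark_rates(marks):
    """Observed fraction of packets carrying each router's mark, for
    comparison against expected_fraction()."""
    counts = Counter(m for m in marks if m is not None)
    total = len(marks)
    return {router: n / total for router, n in counts.items()}


if __name__ == "__main__":
    observed = simulate_attack(ATTACK_PATH, MARK_PROBABILITY, 20000)
    print("reconstructed (victim -> attacker):", reconstruct_path(observed))
    for router, rate in sorted(mark_rates(observed).items()):
        distance = len(ATTACK_PATH) - ATTACK_PATH.index(router)
        print(f"{router:18s} observed {rate:.3f} "
              f"expected {expected_fraction(distance, MARK_PROBABILITY):.3f}")
```

Running the block reconstructs the path in victim-to-source order because the expected mark rates (0.5, 0.25, 0.125, ... for p = 0.5) are separated far more widely than their sampling noise over a few thousand packets. The same geometric fall-off is also the scheme's practical limit: a router many hops away contributes very few marks, so the number of packets a victim must collect grows with path length, which is one reason the paper moves from node sampling to edge sampling.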
