DoS/DDoS attacks constitute one of the major classes of security threats in the Internet today. The attackers usually use IP spoofing to conceal their real location. The current Internet protocols and infrastructure do not provide intrinsic support to traceback the real attack sources. The objective of IP Traceback is to determine the real attack sources, as well as the full path taken by the attack packets. Different traceback methods have been proposed, such as IP logging, IP marking and IETF ICMP Traceback (ITrace). In this paper, we propose an enhancement to the ICMP Traceback approach, called ICMP Traceback with Cumulative Path (ITrace-CP). The enhancement consists in encoding the entire attack path information in the ICMP Traceback message. Analytical and simulation studies have been performed to evaluate the performance improvements. We demonstrated that our enhanced solution provides faster construction of the attack graph, with only marginal increase in computation, storage and bandwidth.
[1]
Craig Partridge,et al.
Hash-based IP traceback
,
2001,
SIGCOMM.
[2]
Jon Postel,et al.
Internet Protocol
,
1981,
RFC.
[3]
Steven M. Bellovin,et al.
ICMP Traceback Messages
,
2003
.
[4]
Anna R. Karlin,et al.
Practical network support for IP traceback
,
2000,
SIGCOMM.
[5]
Kevin J. Houle,et al.
Trends in Denial of Service Attack Technology
,
2001
.
[6]
Paul Ferguson,et al.
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
,
1998,
RFC.
[7]
George M. Weaver,et al.
Trends in Denial of Service Attack Technology CERT ® Coordination Center
,
2001
.