TOPO: A Topology-aware Single Packet Attack Traceback Scheme

With the phenomenal growth of the Internet, more and more people enjoy and depend on its provided services. Unfortunately, the number of network-based attacks is also increasing quickly. Network attackers can very easily hide their identities, and thereby reduce the chance of being captured and punished. Some attacks can even succeed by using only one or a few well-targeted packets. Therefore, it is desirable to design effective and efficient single packet IP traceback systems to attribute attackers. Several single packet IP traceback systems have been designed using Bloom filters. However, the inherent false positives of Bloom filters caused by unavoidable collisions restrain the effectiveness of these systems. To reduce the impact of unavoidable collisions in Bloom filters, we propose a topology-aware single packet IP traceback system, namely TOPO. We utilize the router's local topology information, i.e., its immediate predecessor information. Our performance analysis shows that TOPO can reduce the number and scope of unnecessary queries, and significantly decrease false attributions. Furthermore, to improve the practicability of Bloom filter-based IP traceback systems, we design TOPO to allow partial deployment while maintaining its traceback capability. When Bloom filters are used, it is difficult to decide their optimal control parameters a priori. We design a k-adaptive mechanism which can dynamically adjust parameters of Bloom filters to reduce the false positive rate

[1]  Eugene H. Spafford,et al.  OPUS: Preventing weak password choices , 1992, Comput. Secur..

[2]  Nasir D. Memon,et al.  Payload attribution via hierarchical bloom filters , 2004, CCS '04.

[3]  Ramesh Govindan,et al.  Heuristics for Internet map discovery , 2000, Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[4]  R. Power CSI/FBI computer crime and security survey , 2001 .

[5]  Shigeyuki Matsuda,et al.  Design and implementation of unauthorized access tracing system , 2002, Proceedings 2002 Symposium on Applications and the Internet (SAINT 2002).

[6]  Dan Massey,et al.  Intention-Driven ICMP Trace-Back , 2001 .

[7]  Andrei Broder,et al.  Network Applications of Bloom Filters: A Survey , 2004, Internet Math..

[8]  Anna R. Karlin,et al.  Network support for IP traceback , 2001, TNET.

[9]  Nirwan Ansari,et al.  IP traceback with deterministic packet marking , 2003, IEEE Communications Letters.

[10]  Michael Mitzenmacher,et al.  Compressed bloom filters , 2002, TNET.

[11]  K. Claffy,et al.  Topology discovery by active probing , 2002, Proceedings 2002 Symposium on Applications and the Internet (SAINT) Workshops.

[12]  Craig Partridge,et al.  Single-packet IP traceback , 2002, TNET.

[13]  Burton H. Bloom,et al.  Space/time trade-offs in hash coding with allowable errors , 1970, CACM.

[14]  Martin P. Loeb,et al.  CSI/FBI Computer Crime and Security Survey , 2004 .

[15]  Steven M. Bellovin,et al.  ICMP Traceback Messages , 2003 .

[16]  Dawn Xiaodong Song,et al.  Advanced and authenticated marking schemes for IP traceback , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[17]  Bill Cheswick,et al.  Mapping and Visualizing the Internet , 2000, USENIX Annual Technical Conference, General Track.

[18]  Heejo Lee,et al.  On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[19]  DeanDrew,et al.  An algebraic approach to IP traceback , 2002 .

[20]  Daniel Massey,et al.  On design and evaluation of "intention-driven" ICMP traceback , 2001, Proceedings Tenth International Conference on Computer Communications and Networks (Cat. No.01EX495).

[21]  Jerry R. Hobbs,et al.  An algebraic approach to IP traceback , 2002, TSEC.

[22]  Li Fan,et al.  Summary cache: a scalable wide-area web cache sharing protocol , 2000, TNET.

[23]  W.T. Strayer,et al.  SPIE-IPv6: single IPv6 packet traceback , 2004, 29th Annual IEEE International Conference on Local Computer Networks.

[24]  Robert Stone,et al.  CenterTrack: An IP Overlay Network for Tracking DoS Floods , 2000, USENIX Security Symposium.

[25]  Bill Cheswick,et al.  Tracing Anonymous Packets to Their Approximate Source , 2000, LISA.

[26]  Jun Li,et al.  Large-scale IP traceback in high-speed Internet: practical techniques and theoretical foundation , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.