A deterministic packet marking scheme for tracing multiple Internet attackers

Deterministic packet marking (DPM) has recently been proposed as an alternative approach for IP traceback. It requires no extra bandwidth and is backward compatible with Internet equipment that does not implement it. Moreover, service providers can implement it without revealing their internal network topology. Unfortunately, the false positive rate could be very high if multiple hosts use the same source address to attack the victim simultaneously. Even worse, no source is identified if attackers change their source addresses for every packet they send. These two problems can be solved with a modified DPM scheme which we called DPM with address digest (DPM-AD). We found that the false positive rate of the DPM-AD scheme could be much higher than was claimed when the number of ingress router interfaces is larger than the number of attackers. In this paper, we propose a novel DPM scheme that is much more scalable than the DPM-AD scheme, and we evaluate its false positive rate. Our analysis and simulation results show that the proposed DPM scheme can trace 1K simultaneous attackers at a false positive rate of less than 0.5% with acceptable reconstruction complexity.
