Reflective Probabilistic Packet Marking Scheme for IP Traceback

This paper describes the design and implementation of Reflective Probabilistic Packet Marking (RPPM) scheme, which is a traceback scheme against distributed denial-of-service (DDoS) attacks. Attacks include traffic laundered by reflectors which are sent false requests by attackers posing as a victim. Reflectors are among the hardest security problems on today’s Internet. One promising solution to tracing the origin of attacks, the probabilistic packet marking (PPM) scheme, has proposed. However, conventional PPM cannot work against reflector attacks — reflector problem. Also, it encodes a mark into IP Identification field, this disables the use of ICMP — encoding problem. RPPM is a solution to both the reflector and encoding problem. We have extended PPM to render reflectors ineffectual by reflecting marking statistics of incoming packets at reflectors in order to trace the origin of the attacks. Furthermore, we have encoded a mark into the IP option field without reducing necessary information. Thus, RPPM can traceback beyond reflectors, ensures ICMP-compatibility, and eliminates possibility of failure in attack path reconstruction. Simulation results and our implementation based on Linux demonstrated that RPPM retains the semantics of conventional PPM on a path between an attacker and a reflector, and its performance is feasible for practice.

[1]  B. Cheswick,et al.  The Internet mapping project , 1998 .

[2]  Ion Stoica,et al.  Providing guaranteed services without per flow management , 1999, SIGCOMM '99.

[3]  Roger Faulkner,et al.  The Process File System and Process Model in UNIX System V , 1991, USENIX Winter.

[4]  Everette S. Gardner,et al.  Exponential smoothing: The state of the art , 1985 .

[5]  Steven M. Bellovin,et al.  ICMP Traceback Messages , 2003 .

[6]  Stefan Savage,et al.  Inferring Internet denial-of-service activity , 2001, TOCS.

[7]  Paul Ferguson,et al.  Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing , 1998, RFC.

[8]  Bill Cheswick,et al.  Tracing Anonymous Packets to Their Approximate Source , 2000, LISA.

[9]  Kevin J. Houle,et al.  Trends in Denial of Service Attack Technology , 2001 .

[10]  Dan Schnackenberg,et al.  Infrastructure for intrusion detection and response , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[11]  Anna R. Karlin,et al.  Practical network support for IP traceback , 2000, SIGCOMM.

[12]  Robert Stone,et al.  CenterTrack: An IP Overlay Network for Tracking DoS Floods , 2000, USENIX Security Symposium.

[13]  Dawn Xiaodong Song,et al.  Advanced and authenticated marking schemes for IP traceback , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[14]  Ramesh Govindan,et al.  Heuristics for Internet map discovery , 2000, Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[15]  Tal Rabin,et al.  Simplified VSS and fast-track multiparty computations with applications to threshold cryptography , 1998, PODC '98.

[16]  Craig Partridge,et al.  Hash-based IP traceback , 2001, SIGCOMM.

[17]  Bruce Bowerman Time series and forecasting , 1979 .

[18]  Vern Paxson,et al.  An analysis of using reflectors for distributed denial-of-service attacks , 2001, CCRV.