Scalable packet digesting schemes for IP traceback

Identifying the sources of an attack is an important task in Internet security. An attack could consist of a large number of packet streams, generated by many compromised slaves, that consume resources associated with various network elements to deny normal services, or of a few offending packets that disable a system. Several techniques based on probabilistic sampling of transit packets have been developed to determine the sources of large packet flows. Tracing back an individual packet, however, seems to require logging of packet digests. A clever technique based on Bloom filters has recently been proposed to generate audit trails for each individual packet within the network. The scheme is effective, but its storage requirement is approximately 0.5% of the link capacity, which becomes a problem as link capacity increases. In this paper, we propose packet digesting schemes for flows and for sets of packets sharing the same source and destination addresses. Compared with the individual packet digesting scheme, these schemes can achieve similar goals and are much more scalable. Simulations with real Internet traffic show that the storage requirements of our proposed schemes are one to two orders of magnitude lower.
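The storage argument above can be illustrated with a short sketch. This is an added example, not code from the paper: the key formats, the constructed traffic, the 1% false-positive target and `k = 7` are assumptions, and the pair-level filter here is a generic Bloom filter rather than the authors' actual scheme.

```python
import hashlib
import math

class BloomFilter:
    """Plain Bloom filter; k positions come from double hashing one SHA-256 digest."""
    def __init__(self, m_bits, k):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item):
        d = hashlib.sha256(item).digest()
        h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big")
        return [(h1 + i * (h2 | 1)) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(item))

def bits_needed(n, fp_rate):
    """Standard Bloom sizing: m = -n * ln(p) / (ln 2)^2."""
    return math.ceil(-n * math.log(fp_rate) / math.log(2) ** 2)

def packet_key(src, dst, ident, payload):
    # Assumed per-packet digest input: addresses, IP ident, payload prefix.
    return b"|".join([src.encode(), dst.encode(), str(ident).encode(), payload[:8]])

def pair_key(src, dst):
    # Assumed coarse key: one entry per (source, destination) address pair.
    return f"{src}>{dst}".encode()

def constructed_traffic():
    # Constructed sample: 20 address pairs, 500 packets each (documentation prefixes).
    for pair in range(20):
        src, dst = f"192.0.2.{pair}", f"198.51.100.{pair % 4}"
        for ident in range(500):
            yield src, dst, ident, f"payload-{pair}-{ident}".encode()

def compare(fp_rate=0.01, k=7):
    """Return (#packet entries, #pair entries, bits per scheme, pair-level filter)."""
    pkts = list(constructed_traffic())
    per_packet = {packet_key(*p) for p in pkts}
    per_pair = {pair_key(p[0], p[1]) for p in pkts}
    m_pkt, m_pair = bits_needed(len(per_packet), fp_rate), bits_needed(len(per_pair), fp_rate)
    bf = BloomFilter(m_pair, k)
    for key in per_pair:
        bf.add(key)
    return len(per_packet), len(per_pair), m_pkt, m_pair, bf
```

The pair-level filter answers a coarser question (did traffic between these two addresses cross this router in the window) than the per-packet filter, which is the trade the smaller table buys.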
