Analysis of the false-positive error rate of tagged fragment marking scheme

IP traceback is an effective measure to deter internet attacks. A number of techniques have been suggested to realize IP traceback. The Fragment Marking Scheme (FMS) is one of the most promising techniques. However, it suffers a combinatorial explosion when computing the attacker's location in the presence of multiple attack paths. The Tagged Fragment Marking Scheme (TFMS) has been suggested to suppress the combinatorial explosion by attaching a tag to each IP fragment. Tagging is effective because it allows the victim to differentiate IP fragments belonging to different routers, thereby greatly reducing the search space and finding the correct IP fragments. TFMS, however, increases the number of false positives when the number of routers on the attack path grows beyond some threshold. In this paper, we rigorously analyze the performance of TFMS to determine the correlation between the number of routers and the false positive error rate. Using a probabilistic argument, we determine the formulas for combination counts and error probabilities in terms of the number of routers. Under TFMS, our results show that we can reduce the required time to find an attacker's location at the cost of a low error rate for a moderate number of routers.
