Practical network support for IP traceback

Packets marked under each of these techniques are analyzed in a different manner to determine the router or node closest to the attacker. In a first packet-marking embodiment, referred to as "node sampling," a relatively simple marking scheme is used.


Each time a packet is marked, any previous marking from a prior node is overwritten and therefore lost. This marking scheme requires a relatively large number of packets to be available for analysis because, as will be described in detail below, the farther the router closest to the attacker is from the destination (or victim), the fewer packets will arrive marked with that router's identifying data. In a second packet-marking embodiment, referred to as "edge sampling," the marking technique is more intricate: instead of erasing the data included by a prior router, a portion of that data is retained in the marking, enabling a trace-back to be performed on a smaller set of packets received by the victim from the attacker.

Regardless of the embodiment, the marking data must be small enough to fit in a header section of the packet, so that the marking imposes minimal overhead and preserves packet integrity.

Details of the Node-Sampling Embodiment.

The present invention minimizes the amount of path data included in each packet by not adding the address of every router transited by the packet. In a first embodiment of the present invention, referred to as node sampling, when a packet is marked, any marking data included by a previous router or node is erased, thus ensuring that only the data required to identify a single node or router is carried by any packet.

If every router marked every packet transiting it in this fashion, then packets arriving at the victim would carry only the address of the router closest to the victim, all other router data having been erased. For example, referring to FIGURE 1, regardless of which attacker 14 is the source of a packet, router R1 is the router closest to victim 12, so if all packets were marked with the identifying data of each successive router, every packet received by victim 12 would be marked with the identifying data of router R1 only.

To ensure that at least some packets retain data identifying each of the other routers between an attacker (or origin) and a victim (or destination), only a few packets are marked by each router. Each time a packet enters a node, that node decides whether or not to mark the packet.


Conceptually, a single static "node" field is reserved in the packet header for marking purposes. In this embodiment, the static node field is preferably large enough to hold a single router address (i.e., 32 bits for an IPv4 address). Upon receiving a packet, each router applies some probability P when deciding whether to write its address into the node field.

After enough packets have been received from an attacker, the victim should have received at least one packet identifying each router in the attack path.


Because most attacks include a large number of packets, and because Internet routes are stable over at least the short duration of a DOS attack, this sampling should converge so that the router closest to the attacker can be identified. Realistically, reserving a field of that size in a packet header is difficult. Preferably, the router address will be compressed and encoded to use fewer than 16 bits, as will be described in more detail below.

It should be noted, however, that compression and encoding strategies other than those described below can be employed. Any such strategy should: (1) reduce the router address to a size that will readily fit in the packet header, and (2) not be computationally demanding on the routers or other packet-handling equipment employed.

As indicated in a block 42, the logic provides for generating a pseudo-random variable X. The specific method employed for generating X is not critical, and many suitable methods for generating random numbers are known in the art. If X is not less than P, the packet is forwarded without being marked. If, however, X is less than P, the logic proceeds to a block 46, in which the address of the current node is compressed. Next, the logic proceeds to a block 48, which provides that the compressed address is encoded into the packet header. The preferred compression technique will be described in more detail below, in reference to the edge-sampling embodiment.


It should be understood that the compression step is not needed if it is known that sufficient space in the packet header will be available, or if a system wide router identification scheme is established that uniquely identifies individual routers with 16 bits or less.

Given current router address lengths and widely accepted IP packet standards, it is anticipated that router address compression will be necessary. Although it might seem challenging to reconstruct an ordered path given only an unordered collection of node samples, it turns out that with a sufficient number of trials the order can be deduced from the relative number of samples per node. Since routers are arranged serially, the probability that a packet is marked by a given router and then left unchanged by all downstream routers is a strictly decreasing function of that router's distance from the victim.

Since this function is monotonic in the distance from the victim, ranking each router by the number of samples it contributes will tend to produce an accurate attack path. The node-sampling embodiment is efficient to implement, because it only requires the addition of a write and checksum update to the forwarding path.

Current high-speed routers already must perform these operations efficiently to update the time-to-live field on each hop. An attacker also cannot reorder valid routers in the path by contributing more samples than the difference between any two downstream routers. The embodiment has two limitations, however. First, inferring the total router order from the distribution of samples is a relatively slow process. Routers far away from the victim contribute relatively few samples (especially since P must be large), and random variability can easily lead to misordering unless a very large number of samples are observed.


Still, since many DOS attacks include a very large number of packets, this limitation does not preclude the trace-back method from succeeding against such attacks. The next limitation of the node-sampling embodiment is more serious: if there are multiple attackers, multiple routers may lie at the same distance from the victim and hence be sampled with the same probability, so their relative order cannot be resolved from the sample counts.


Therefore, this technique is not robust against multiple attackers. The full node-sampling algorithm is as follows. Marking procedure at router R: for each packet w, generate the pseudo-random variable X, and if X is less than P, write the address of R into the node field of w. Reconstruction procedure at the victim: for each packet received from the attacker, count the packets carrying each distinct node-field value in a NodeTable, sort the NodeTable by count, and extract the path R1 ... Rj from the ordered node fields in NodeTable. As noted above, node sampling can require a larger-than-preferred number of packets to be received from the attacker to ensure success, and it is not effective against multiple attackers. A straightforward solution to these problems is to explicitly encode edges in the attack path, rather than simply encoding the addresses of individual nodes.
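The node-sampling marking and reconstruction procedures just described, as an added Python example (this is not code from the patent or from this page). The five-router path, the marking probability P and the packet counts are constructed for illustration. It also exercises the robustness point made earlier about P having to be large: an address the attacker pre-loads into the node field survives only when no router overwrites it, with probability (1-P)^5 on this path, which is smaller than the farthest genuine router's P(1-P)^4 whenever P exceeds 0.5, so the forgery ranks last.

```python
"""Node-sampling simulation: marking at each router and rank-based path reconstruction at the victim.

Added example; the path, probability and packet counts are constructed, not taken from the page.
"""
import random
from collections import Counter
from typing import List, Optional

# Constructed attack path, listed from the attacker's side toward the victim:
# R5 is the router nearest the attacker, R1 is adjacent to the victim.
PATH = ["R5", "R4", "R3", "R2", "R1"]


def node_sample(path: List[str], p: float, n_packets: int, seed: int,
                spoofed_node: Optional[str] = None) -> Counter:
    """Marking procedure at each router R, applied to every packet w:
    draw X uniformly from [0, 1); if X < P, write R into w.node, overwriting
    whatever an upstream router (or the attacker) put there.
    Returns the victim's NodeTable: how many packets arrived carrying each address.
    """
    rng = random.Random(seed)
    table: Counter = Counter()
    for _ in range(n_packets):
        node = spoofed_node            # the attacker controls the field's initial value
        for router in path:
            if rng.random() < p:
                node = router          # single static field: a new mark erases the old one
        if node is not None:
            table[node] += 1
    return table


def rank_path(table: Counter) -> List[str]:
    """Reconstruction at the victim: sort NodeTable by sample count.
    The router adjacent to the victim contributes the most samples and the most
    distant one the fewest, so the sorted order is the path from the victim outward.
    """
    return [node for node, _ in table.most_common()]


def survival_probability(p: float, d: int) -> float:
    """Probability that a packet reaches the victim still carrying the mark of the
    router d hops away: marked there (P), then left untouched by the d-1 downstream
    routers ((1-P) each)."""
    return p * (1.0 - p) ** (d - 1)


if __name__ == "__main__":
    P, N = 0.6, 50_000
    print("expected fraction per hop:", [round(survival_probability(P, d), 4) for d in range(1, 6)])
    print("ranked path:", rank_path(node_sample(PATH, P, N, seed=7)))
    # A forged address survives only when no router marks, probability (1-P)^5,
    # which is below the farthest genuine router's P(1-P)^4 for P > 0.5: it ranks last.
    print("with forged node:", rank_path(node_sample(PATH, P, N, seed=7, spoofed_node="X")))
```

With P = 0.6 and 50,000 packets the expected counts are roughly 30,000, 12,000, 4,800, 1,920 and 768 for R1 through R5, against about 512 for the forged address; the gaps are many standard deviations wide, which is why the ranking is stable here, and also why a far router needs so many packets before its count separates from its neighbours'.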


This embodiment is referred to as edge sampling, and requires reserving two static address-sized fields, start and end. These start and end fields represent the routers at each end of a link. The edge-sampling embodiment also requires an additional small field to represent the distance of an edge sample from the victim. The use of two address fields and a distance field necessarily increases the number of bits that must be incorporated into each packet header. Increasing the number of bits added to each packet can lead to packet fragmentation and decreased router performance.


Thus, compressing the data added to packets is required to ensure that the edge-sampling embodiment is compatible with the majority of today's Internet traffic, unless changes in Internet architecture obviate the need for compression. Furthermore, the compression steps may not be required in networks whose data packets are not required to conform to Internet standard protocols.

The preferred compression scheme is described in detail below. In FIGURE 4, a flow chart 50 illustrates the logical steps implemented by the present invention in the edge-sampling embodiment when a router determines whether to mark a packet. The logical process begins in a start block, after which the pseudo-random variable X is generated and compared with P. If in decision block 54 X is not less than P, the logic advances to decision block 55, which determines whether the distance field counter is empty (containing not even a zero value); if it is not empty, the logic proceeds to a block 56, in which the distance field counter is incremented.

Once the distance field counter is incremented in block 56, the logic proceeds to a block 64, which indicates that the distance field counter data are compressed. The logic then advances to a block 68, and the distance field data are encoded into the packet. As will be described in detail below, the marking data is preferably encoded into the packet header.

It should be noted that if compression is not required to ensure compatibility with network traffic (either due to changes in Internet protocols or because a different type of network allows more data to be added to packets without fragmentation), then the compression step indicated in block 64 is not required. If in decision block 54, however, X is less than P, the logic proceeds to a decision block 58, which determines whether the distance field counter is empty (i.e., contains no value at all, not even zero). If the distance field counter is empty, the address of the router is written into the start field in a block 66; this step occurs only the first time a packet is marked.

At the same time the address of the current node is written into the start field, a zero is entered into the distance field counter. Writing a zero in the distance field counter enables a later router to determine that the start field already contains data. From block 66, the logic advances to block 64, and the start field is compressed.

Then the logic proceeds to block 68, where the edge data are encoded into the packet header. Referring once again to decision block 58, if the distance field counter is not empty, the logic proceeds to a block 60 and the router's address is written into the end field. Note that by writing its address into the end field, the current router is representing the edge between itself and the previous router described in the start field. After block 60, the logic advances to a block 62, and the distance field counter is incremented. The logic then proceeds to blocks 64 and 68 to implement the compression and encoding steps described above and returns to decision block 32 in FIGURE 2.

Preferably, the compression in block 64 reduces the size of the distance field, start field and end fields to less than 16 bits. Details of the preferred compression strategy are provided below. It should also be noted that as described above with respect to block 56, even if the router doesn't mark the packet, the distance field counter is incremented. This step provides a somewhat baroque signaling mechanism that enables edge-sampling to be incrementally deployed, so that edges are constructed only between participating routers.

This mandatory incrementing is necessary to avoid spoofing by an attacker. When the packet arrives at the victim, its distance field counter represents the number of hops traversed since the edge it contains was marked.

It is important that the distance field counter be updated using a saturating addition scheme. If the counter were allowed to wrap, an attacker could spoof edges close to the victim by sending packets with a distance value close to the maximum, so that the increments applied along the path wrap it back to a small value. With saturating addition, any packet whose marking was written by the attacker will necessarily arrive with a distance greater than or equal to the length of the true attack path (measured as the number of hops counted by the distance field), because every participating router on the path increments the counter and nothing can decrease it.

Note that because the edge-sampling embodiment does not rely on the sampling-rank approach employed in the node-sampling embodiment described above, arbitrary values can be used for the marking probability P. To reconstruct a path encoded by the edge-sampling embodiment, the victim uses the edges sampled in these packets to create a graph or tree (see FIGURE 1) leading back to the source, or sources, of the DOS attack.

Because the probability of receiving a sample decreases geometrically with the edge's distance in hops from the victim, the time for the edge-sampling algorithm to converge is dominated by the time to receive a sample from the most distant router (as measured in hops): for a router d hops away, a sample is written there with probability P and survives the d-1 downstream routers with probability (1-P)^(d-1), so 1/(P(1-P)^(d-1)) packets are needed in expectation. However, there is a small probability that the victim will receive a sample from the most distant router but not from some nearer router.
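The edge-sampling marking, the saturating distance counter, the victim-side reconstruction and the convergence estimate discussed above, as one added Python example (not code from the patent or from this page). Two things are assumed: a 5-bit distance field, so the counter saturates at 31, and a constructed five-router path with a single attacker. The marking rule follows the published edge-sampling algorithm (a marking router writes its address into start and resets distance to zero; the next participating router that does not mark writes end; every participating router then increments distance whether or not it marked). That rule keeps every sampled edge adjacent and differs from the flow-chart text above, which describes the end field being written on a second mark; it is used here because it is the variant the reconstruction step relies on. A wrapping counter is included alongside the saturating one only to show the spoof the text warns about.

```python
"""Edge-sampling simulation: start/end/distance marking with a saturating distance counter,
path reconstruction at the victim, and the bound on an attacker's forged distance.

Added example; path, field width and packet counts are constructed. The marking rule is
the published edge-sampling rule (see lead-in), not the flow-chart text on the page.
"""
import random
from typing import Callable, List, Optional, Tuple

DISTANCE_BITS = 5                     # assumed width of the distance field (not fixed by the page)
DIST_MAX = (1 << DISTANCE_BITS) - 1   # 31: the value at which the counter saturates

PATH = ["R5", "R4", "R3", "R2", "R1"]  # constructed: attacker side first, R1 adjacent to the victim
VICTIM = "V"
TRUE_PATH = [VICTIM, "R1", "R2", "R3", "R4", "R5"]  # what a correct reconstruction returns

Sample = Tuple[Optional[str], Optional[str], Optional[int]]  # (start, end, distance) at the victim


class Packet:
    """Only the three marking fields are modelled; payload and other headers are omitted."""
    def __init__(self, start=None, end=None, distance=None):
        self.start, self.end, self.distance = start, end, distance


def saturating_increment(value: int) -> int:
    return value if value >= DIST_MAX else value + 1


def wrapping_increment(value: int) -> int:
    """The unsafe alternative the page warns against: the counter wraps back to zero."""
    return (value + 1) & DIST_MAX


def mark(router: str, pkt: Packet, p: float, rng: random.Random,
         increment: Callable[[int], int] = saturating_increment) -> None:
    """Marking procedure at one participating router."""
    if rng.random() < p:
        pkt.start, pkt.end, pkt.distance = router, None, 0   # start a new edge here
    elif pkt.distance is not None:                            # an upstream participant has marked
        if pkt.distance == 0:
            pkt.end = router                                  # we are start's downstream neighbour
        pkt.distance = increment(pkt.distance)                # counted whether or not we marked
    # distance None: nothing marked yet; a non-marking router leaves the packet untouched


def send(path: List[str], p: float, n_packets: int, seed: int,
         initial: Optional[Sample] = None,
         increment: Callable[[int], int] = saturating_increment) -> List[Sample]:
    """The attacker at the far end of `path` sends n packets; `initial` is any forged marking
    it pre-loads. Returns the (start, end, distance) triples the victim receives."""
    rng = random.Random(seed)
    out: List[Sample] = []
    for _ in range(n_packets):
        pkt = Packet(*initial) if initial else Packet()
        for router in path:
            mark(router, pkt, p, rng, increment)
        out.append((pkt.start, pkt.end, pkt.distance))
    return out


def reconstruct(samples: List[Sample], victim: str = VICTIM) -> List[str]:
    """Victim side: an edge at distance d joins the routers d+1 and d hops from the victim
    (distance 0 means start is adjacent to the victim). Chain the edges outward from the
    victim and stop at the first hop level with no edge or more than one candidate."""
    edges = {}
    for start, end, distance in samples:
        if distance is None:
            continue                                          # no participating router marked
        edges.setdefault(distance, set()).add((start, victim if distance == 0 else end))
    path, current = [victim], victim
    for d in range(max(edges, default=-1) + 1):
        candidates = [s for s, e in edges.get(d, ()) if e == current]
        if len(candidates) != 1:
            break
        current = candidates[0]
        path.append(current)
    return path


def expected_packets(p: float, d: int) -> float:
    """Expected packets until one edge sample from the router d hops away survives: 1 / (P (1-P)^(d-1))."""
    return 1.0 / (p * (1.0 - p) ** (d - 1))


def forged_arrival_distance(preset_distance: int,
                            increment: Callable[[int], int] = saturating_increment) -> int:
    """Attacker's best case: P = 0, so no router overwrites the forgery ("X", "Y", preset).
    Returns the distance value the victim sees after the path has incremented it."""
    _, _, distance = send(PATH, 0.0, 1, seed=0, initial=("X", "Y", preset_distance), increment=increment)[0]
    return distance


if __name__ == "__main__":
    print("expected packets for the 5th hop at P=0.5:", expected_packets(0.5, 5))   # 32.0
    print("reconstructed:", reconstruct(send(PATH, 0.5, 2000, seed=1)))
    print("forged distance 0, saturating:", forged_arrival_distance(0))                        # 5
    print("forged distance 31, saturating:", forged_arrival_distance(DIST_MAX))                # 31
    print("forged distance 31, wrapping:", forged_arrival_distance(DIST_MAX, wrapping_increment))  # 4
    # With sampling on, a forgery can only appear beyond the true path, never inside it:
    print("forgery present:", reconstruct(send(PATH, 0.5, 2000, seed=1, initial=("X", "Y", 0))))
```

The last two checks are the point of the saturating counter: with five participating hops, a forged distance of 0 arrives as 5 and a forged 31 stays 31, both at or beyond the true path length, so the victim can trust every edge at a smaller distance. With a wrapping counter the forged 31 arrives as 4, indistinguishable from a genuine edge one hop closer than the attacker. Even with saturation the attacker can still append a false edge beyond R5, which is the residual limitation the text acknowledges.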

This issue is addressed with the following logic.