Institute of Information Network Technology, Nanjing University of Posts and Telecommunications, Nanjing 210003, China
Abstract
The denial of service attack is a main type of threat on the Internet today. On the basis of path identification (Pi) and Internet
control message protocol (ICMP) traceback (iTrace) methods, a packet track and traceback mechanism is proposed, which
features rapid response and high accuracy. In this scheme, routers apply packet marking scheme and send traceback messages,
which enables the victim to design the path tree in peace time. During attack times the victim can trace attackers back within the
path tree and perform rapid packet filtering using the marking in each packet. Traceback messages overcome Pi's limitation,
wherein too much path information is lost in path identifiers; whereas path identifiers can be used to expedite the design of the
path-tree, which reduces the high overhead in iTrace. Therefore, our scheme not only synthesizes the advantages but also
compromises the disadvantages of the above two methods. Simulation results with NS-2 show the validity of our scheme.
different paths, which could reduce the accuracy. The other one is that path identifiers provide little information besides the indication to distinguish different paths, which confines their application range. We observe that there is no single approach that can defend against (D)DoS attacks effectively by itself; there should be a combination of various schemes with different merits.

Pi is a tracking technique in nature, which is powerful in mitigating the impact of DoS attacks but unable to locate the origin of the attack, which is the motivation of the IP traceback technique. In this article, we explore how to incorporate Pi with the IP traceback technique iTrace [8], with the objective of integrating their merits and compensating for their weaknesses. We propose a packet track and traceback (PTT) mechanism. The process is as follows: routers apply Pi's marking scheme to mark passing packets, and they also send ICMP traceback messages, as designed in the iTrace method. In peace time, the destination host collects path identifiers carried in packets and traceback messages sent by routers to design a path-tree that reflects the network topology with itself as the center. When there is an attack, besides filtering attack packets at home, the victim can trace them back to their origins within the path-tree and take measures to filter packets upstream.

In our scheme, ICMP traceback messages provide detailed path information, allowing destinations to map path identifiers into full paths, which enables traceback operations. Designing the path-tree to store path information is effective and allows traceback operations to be carried out locally instead of going through the network. Furthermore, unlike schemes such as iTrace, which are only invoked during times under attack, the path-tree in our scheme is designed in peace time, which is insensitive to convergence time. Performing traceback locally is more efficient than performing it all over the network. Moreover, Ref. [4] stresses that holding topology information is helpful in defending against DDoS attacks. The path-tree could be regarded as a pre-generated map of the network topology and also reflects the communication pattern of the host to some extent. In a DDoS attack, in order to develop rapidly responsive packet filters to protect itself, the victim can drop packets that do not originate within the path-tree. In this way, some normal traffic could be retained before attackers are located or upstream nodes take measures against it.

Some concepts used in the packet track and traceback mechanism, such as marking-bit-pattern and path-tree, are defined as follows:

Definition 1 Marking-bit-pattern. Divide the marking field in the packet into some number, n, of smaller nonoverlapping fragments, where each fragment is a marking-bit-pattern as shown in Fig. 1. If the total length of the marking field is m bits, then the length of a marking-bit-pattern is m/n bits. Upon forwarding a packet, the router creates a marking and inserts it into one marking-bit-pattern. At the destination, the value of the marking field is taken as the path identifier.

Fig. 1 Relation of path identifier and marking-bit-pattern

Definition 2 Path-tree. It is a tree structure as seen in Fig. 2, with D as the root, the nodes Sx as leaves, and the nodes Ry as internal nodes. D could either be a single host or a device representing many hosts. The nodes Ry represent the routers and the leaves Sx represent the origins of packets destined to the root. A leaf Sx could either be a single host or a bunch of hosts under the same router. A path from Sx is the ordered list of routers between Sx and D that the packets have traversed; for example, the path from S1 to D is <R6, R3, R1>.

Fig. 2 An example of the path tree

The rest of this article is structured in the following way. In the next section we analyze Pi's packet marking scheme. Section 3 outlines our scheme and characterizes the algorithms for implementing it. In Sect. 4 we present the simulation experiments showing the scheme's validity under a DoS attack and conclude the article in Sect. 5.

2 Analysis of Pi's packet marking algorithm

In Pi's marking scheme, the 16-bit IP identification field is used to hold the marking, which is the same as in our scheme. In Pi, for each passing packet, the router uses the TTL value as the index to insert the marking into the IP identification field. The marking is computed by the router using a hash function whose input is the IP address of the last-hop router in the path and its own IP address. Clearly, the packet marking is deterministic: all packets traversing the same path carry the same marking. But it cannot guarantee that the path identifier is globally unique, that is to say, different paths may have the same identifier, because each router only has local knowledge of a particular path and the space of the marking field is limited. The collision problem of path identifiers may lead to some problems in defending against (D)DoS attacks. Among
Issue 3 LI Li, et al. / Packet track and traceback mechanism against denial of service attacks 53
these, packets outside the attack paths may be filtered, and the probability rises as the number of attack paths increases.

To have an in-depth view of Pi's marking scheme, particularly the collision problem, we design two marking schemes and perform two sets of experiments. In the experiments, the Internet is modeled as a complete binary tree as in Ref. [5], rooted at the destination host. We assign a value to each node in the tree that can be used as the marking. The path identifier is 16 bits and the marking-bit-pattern is one bit, so the identifier could hold the markings of 16 routers at most. The ith node in a path inserts its marking into the jth marking-bit-pattern, where j equals i mod 16. The two marking schemes are depicted as follows:

Marking scheme 1 Set the value of node i as i mod 2, so that it is uniformly distributed. Each node takes its own value as the marking. In this scheme, collisions might be induced in two cases. One is that paths of different length might be contained by one another; for instance, <R3, R2, R1> and <R2, R1> is such a case. The other is that nodes close to the victim might overwrite the markings of nodes farther away because of the limited space in the marking field.

Marking scheme 2 Set a random value to each node, so that it is randomly distributed. Each node takes the value of its child from which the packet comes as the marking. We take it as an idealization of Pi's edge marking scheme.

In each set of the experiments, we randomly select a given number of distinct nodes to send packets to the root, then compute their path identifiers and calculate the collision rate. We count collisions in two ways. One is the same as in Pi: if two identifiers are the same, we count it as one collision. In the other way we take path lengths into account, where the path length is the number of nodes that the packet has traversed: if two identifiers as well as their path lengths are the same, we count it as one collision. The collision rate equals the number of collisions divided by the total number of paths. We conduct each set of the experiments in two sizes of networks and take the hops of the longest path in the network as the measurement of the size of the network. One is within 16 hops and the other is within 20 hops. The upper boundary of the number of the selected paths is 10 000 and 50 000 for each size of network. Figures 3 and 4 show the results of the experiments. For most of the data points in the figures, we perform approximately 10 to 50 independent tests and compute the average of the results. In Figs. 3 and 4, c1 denotes that the same identifier counts as a collision, and c2 denotes that the same identifier and the same path length count as a collision.

Fig. 3 Distribution of collision rates: (a) number of paths (hops < 16), Marking scheme 1; (b) number of paths (hops < 20), Marking scheme 1; (c) number of paths (hops < 16), Marking scheme 2; (d) number of paths (hops < 20), Marking scheme 2
54 The Journal of China Universities of Posts and Telecommunications 2008
From the distribution of the collision rate shown in Figs. 3 and 4, we come to the following conclusions:

1) As shown in Figs. 3(a) and 3(b), the collision rate reduces effectively if path lengths are considered, but this is not the case in Marking scheme 2 (Figs. 3(c) and 3(d)). If no overwriting happens in Marking scheme 1 (Fig. 3(a)), the collision rate falls to zero, a perfect result.

2) In both marking schemes, the collision rate keeps going up as the number of the selected paths increases. In the Pi scheme, the authors selected no more than 10 000 paths for testing and obtained fine results. We can also learn from Fig. 3(c) that the collision rate is less than 20% when there are fewer than 10 000 paths. When the paths increase to 50 000, the collision rate jumps to 50%, making it difficult to distinguish different paths. In a DDoS attack, it is not impossible to have tens of thousands of attack paths.

3) As shown in Fig. 4, the collision rate in Marking scheme 1 is always lower than that in Marking scheme 2.

4) Considering the two marking schemes, the first one is an idealization because all the links to a node are distinguishable on their own; the second one is similar to Pi's marking scheme and idealizes it in some aspects; for example, randomly distributed markings are the ideal result of the hash function in Pi.

In brief, Pi's marking scheme behaves well with a moderate number of paths but not in large scale DDoS attacks. If a node could assign distinguishable markings to the links connected to it, then the collision rate would be cut down effectively. Assume that a node has l links; it needs log2 l bits to distinguish each link, which is not practical because of the limited space in the marking field. We can come to the conclusion that it is not easy to get a low collision rate by improving the marking scheme.

3 Packet track and traceback mechanism

3.1 The framework

The framework of the packet track and traceback mechanism is comprised of three components: the packet marking component, the path-tree designing component and the anti-DoS component. As shown in Fig. 5, packet marking components deployed at routers mark passing packets and send traceback messages. Path-tree designing components deployed at hosts design path-trees using received path identifiers and traceback messages. Anti-DoS components deployed at hosts and routers perform traceback and packet filtering operations. In the remainder of this section we describe the marking algorithm, the path-tree design algorithm and the method of defending against DoS attacks in more detail.

Fig. 5 Framework of packet track and traceback mechanism

3.2 Packet marking algorithm

It is obvious that the measures taken in Pi's marking scheme, such as hashing and edge marking, are there to increase the marking's entropy and self-distinguishability. We can also learn from the experiments in Sect. 2 that if the links connected to a node can be distinguished by the marking, the collision rate is the lowest among all the cases. In our scheme, instead of computing markings using hash functions, the router tries its best to assign a different marking to each link connected to it. It cannot be guaranteed that each link gets a different value: for an n-bit marking, there are at most 2^n values to assign, and the number of links may be more than that.

When forwarding a packet, the router takes the value assigned to the link the packet is coming from as the marking and inserts it into the marking field. Following is the pseudo C code for the marking algorithm:

    /* ptmark = marking carried in the packet
       M_BIT = number of bits each router marks
       mark_bit[l] = marking assigned to link l */
    mark(ptmark) {
        /* select the link from which the packet came */
        prehop = Get_prehop();
        /* insert the marking: shift the old marks one pattern to the left and
           OR in the new one (bitwise |, not logical ||); the field is 16 bits
           wide, so the leftmost pattern is dropped when it overflows */
        ptmark = mark_bit[prehop] | (ptmark << M_BIT);
    }

We can learn that the shift operation << makes sure that the current marking is always on the first marking-bit-pattern from the right, and the first marking-bit-pattern from the left is always the one to be dropped. Unlike the Pi scheme, which uses the TTL value in the packet as an index, in our scheme the markings are arranged in order from right to left. Therefore, we are able to compute sub-path identifiers because it is easy to locate each router's marking. As in the Pi scheme, there is a collision problem in our scheme, but we do not depend on path identifiers wholly to defend against DoS attacks. With the path-tree discussed in the next subsection, the victim can map the path identifier into several possible paths and make a further distinction with detailed path information.

3.3 Path-tree designing algorithm

Collisions happen among path identifiers mainly because the path information is overly compressed. For the destination to get more path information, we introduce the ICMP traceback message designed in the iTrace method into our scheme. An ICMP traceback message is a router-generated message containing an authenticated copy of a packet and the router's own IP address as well as the IP addresses of the previous and next hop routers. In the iTrace scheme, the router probabilistically generates an ICMP traceback message for a passing packet and forwards it either to the source or the destination address. The destination or source collects traceback messages and redesigns the path the packets traversed. We observe that there may be relations among different paths, such as inclusion and convergence. For example, one path may be completely contained by another path; two paths may converge at one node. In our scheme, we consider using the path-tree to store path information. The structure of the path-tree is defined in Sect. 1, which is an intuitive way of representing relations among different paths. At the very beginning, the path-tree only has the root; then the destination redesigns a new path and inserts it into the current path-tree. There are three cases as follows:

Case 1 If the new path is contained by an existing path, then no change should be made in the current path-tree.

Case 2 If the new path joins an existing path at one node, then we add a sub-path to this node. The sub-path is from the source of the new path to the joint node.

Case 3 If it is not one of the above two cases, we add the new path directly to the root.

Following shows the path-tree design algorithm provided in pseudo C code.

    /* root = a pointer to the path-tree's root
       path[n] = new path, an array of nodes, path[0] is the
       router closest to the destination */
    struct path_tree {
        struct path_tree *prev, *next;
        NODE node;
    };
    path_tree_formation (path[K], root)
    {
        for (int k = 0; k < K; k++) {
            /* is the k-th router of the new path already present at layer k? */
            if (width_first_search (path[k], k) == NULL) {
                if (k == 0)
                    append path to root;               /* Case 3 */
                else {
                    subpath = get_subpath (path, k);   /* source .. path[k] */
                    /* Case 2: the joint node is the last router that was
                       found, path[k-1], since path[k] is not in the tree */
                    append subpath to node path[k-1];
                }
                break;
            }
        }
        /* loop finished without a break: Case 1, nothing to add */
    }

The width_first_search function performs a breadth-first search at the appointed layer in the tree. The get_subpath function returns the sub-path from the source to the pointed node. The path-tree could be seen as a pre-generated map of the Internet topology with the destination as the center. As in the iTrace method, traceback messages might incur significant overhead on network routers and cripple network performance sharply, so they must be generated with low probability, the suggested value in iTrace being 1/20 000 [8]. Presumably, reducing the probability requires more packets to redesign the path, which amounts to more convergence time. In our scheme, the path-tree is designed in peace time, insensitive to convergence time. In the next subsection, we discuss how to use the path identifier and the path-tree to defend against DoS attacks.

3.4 Defending against DoS attacks

There are generally three lines of defense against DoS attacks [9]: attack prevention and pre-emption, attack detection and filtering, and attack source traceback and identification. Our scheme mainly focuses on the third line of defense and is helpful to attack detection and filtering.

When a DoS attack is detected, the victim extracts the path identifier from the attack packet. The traceback process is as follows:

1) Search the path identifier within the path-tree. If a matching node is found, the process is ended. If there's no
matching node, go to the next step.

2) Drop the first marking-bit-pattern in the path identifier from the left, so we get a shorter path identifier, which indicates a sub-path. If the length of the new identifier is not zero, go to step one.

This process will end either because a matching node is found or because the length of the path identifier decreases to zero. If a matching node is found, the path from the node to the root is the attack path within the path-tree. If this is not the case, it shows that the attack path is not in the current path-tree. The victim can collect traceback packets and redesign the path in real time, in the same process as that described in the iTrace method. In brief, the traceback operation is first carried out locally and then goes through the network if necessary. In this way, the efficiency improves. Following shows the traceback algorithm provided in pseudo C code. The traceback process is the opposite of the path-tree designing process. It extracts a path from the path-tree using a path identifier.

    /* attack_Pi = the path identifier extracted from the attack packet;
       path = the attack path found in the path-tree */
    path traceback(attack_Pi)
    {
        Pi = attack_Pi;
        node = null;
        /* search for a possible attacking node inside the path-tree */
        while ((node == null) && (Pi.length != 0)) {
            node = search_path_tree(Pi);   /* search for a matching node */
            Pi_trim(Pi);                   /* drop the leftmost pattern: sub-path identifier */
        }
        if (node != null)                  /* extract the attacking path */
            return(extract_path(node));
        else                               /* collect traceback messages and redesign
                                              the path in real time */
            return(iTrace());
    }

Attack source traceback is usually regarded as an after-the-fact response to a DoS attack, which is not a feasible way to stop an on-going attack [9]. In a DoS attack, when an attack packet is detected, the victim can do rapid packet filtering relying on the attack path identifier. Even if the attack packets use spoofed IP addresses, their path identifiers are still the same. Packet filtering enables rapid response to the attack, and traceback can discourage the attacker.

In a DDoS attack, it is hard to distinguish attack packets from normal packets, and their paths are mixed together. We argue that it is important for the victim to protect itself from the attack before more effective measures can be taken. Considering that the path-tree reflects the victim's communication pattern to some extent, we can give packets sourced inside the path-tree high priority. As a result, part of the normal traffic could be preserved. It can be regarded as an auxiliary measure in eliminating the DDoS attack.

4 Simulation and results

In this section, we present a simulation of the proposed scheme. All of the algorithms in the scheme have been implemented in NS-2. We first present the DoS attack model and then depict the design of the experiments. Finally, we present the results of our experiments.

4.1 DoS attack model

In order for a victim to protect itself against attack packets, it must have a way to detect and identify the attack packet. Once the attack packet is identified, we can filter packets with the same path identifier and perform traceback within the path-tree. Attack packet identification is outside the scope of this article. However, to incorporate the use of our scheme, we model our DoS attack in two phases, similar to the attack model used in Pi's experiments [5]. In the first phase, the learning phase, the victim analyzes all the packets sent to it, and uses path identifiers and ICMP traceback messages to redesign the path-tree. In the second phase, the attack phase, the victim is assumed to have the power to determine whether a packet is an attack packet or a legitimate packet. In this phase, the victim stops redesigning the path-tree, and is forced to use path identifiers and the path-tree to perform packet filtering and traceback.

4.2 Experiment design

We designed two sets of experiments. The first set of experiments is a simple demo of our scheme, showing how it works. The network topology is shown in Fig. 6. In the learning phase, nodes 10, 13, and 15 are selected as legitimate users to send packets to the victim. In the attack phase, nodes 6, 10, and 16 are selected as attackers to send packets to the victim. Then we show the path-tree designed by the victim and the traceback results.

Fig. 6 Path-tree and attackers: (a) learning phase; (b) attack phase
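The marking step of Sect. 3.2 and the search-and-trim traceback of Sect. 3.4, run against a small constructed path-tree, as an added C example that is not the paper's code. The 2-bit pattern width, the node names, the link marks, and the victim's knowledge of how many patterns an attack identifier holds are all assumptions; the unseen-source case shows the trimming step landing on the sub-path <R6, R3, R1>.

```c
#include <stdint.h>
#include <stdio.h>
/* 16-bit marking field split into 2-bit marking-bit-patterns (a constructed
 * choice), so one identifier holds the marks of at most 8 routers. */
#define M_BIT 2
#define M_MASK ((1u << M_BIT) - 1)

/* Router step of Sect. 3.2: shift left one pattern, OR in the incoming link's
 * mark; the uint16_t cast drops the leftmost pattern once the field is full. */
static uint16_t mark(uint16_t ptmark, unsigned link_mark) {
    return (uint16_t)((ptmark << M_BIT) | (link_mark & M_MASK));
}
/* Path-tree node: parent index plus the mark the parent router assigned to
 * the link from this node (0 directly under the root D, which does not mark). */
typedef struct { const char *name; int parent; unsigned link_mark; } Node;
/* Constructed tree holding Fig. 2's path <R6, R3, R1> from S1 and two sibling
 * branches; the link marks are invented sample values. */
enum { D, R1, R2, R3, R5, R6, S1, S2, S3, N_NODES };
static const Node tree[N_NODES] = {
    [D]  = {"D",  -1, 0}, [R1] = {"R1", D,  0}, [R2] = {"R2", R1, 1},
    [R3] = {"R3", R1, 2}, [R5] = {"R5", R3, 1}, [R6] = {"R6", R3, 3},
    [S1] = {"S1", R6, 1}, [S2] = {"S2", R5, 2}, [S3] = {"S3", R2, 3},
};
/* Identifier a packet from node v carries when it reaches D: replay the
 * marking hop by hop towards the root; *len gets the number of patterns. */
static uint16_t path_id(int v, int *len) {
    uint16_t id = 0;
    *len = 0;
    for (int c = v; c > D && tree[c].parent != D; c = tree[c].parent) {
        id = mark(id, tree[c].link_mark);
        (*len)++;
    }
    return id;
}
/* Step 1 of Sect. 3.4: a node matches when identifier and depth both agree. */
static int search_path_tree(uint16_t pi, int len) {
    for (int v = R1, l; v < N_NODES; v++)
        if (path_id(v, &l) == pi && l == len) return v;
    return -1;
}
/* Step 2 of Sect. 3.4: drop the leftmost pattern to get a sub-path identifier. */
static uint16_t pi_trim(uint16_t pi, int *len) {
    (*len)--;
    return pi & (uint16_t)((1u << (M_BIT * *len)) - 1);
}
/* Local traceback: search, trim, repeat; -1 means the path is not in the
 * tree and the victim would fall back to collecting iTrace messages. */
static int traceback(uint16_t attack_pi, int len) {
    int node = -1;
    while (node < 0 && len > 0) {
        node = search_path_tree(attack_pi, len);
        if (node < 0) attack_pi = pi_trim(attack_pi, &len);
    }
    return node;
}
/* Print the attack path from the node up to the root, e.g. "S1 R6 R3 R1". */
static void print_path(int node) {
    for (int c = node; c > D; c = tree[c].parent) printf("%s ", tree[c].name);
    printf("\n");
}

int main(void) {
    int len;
    uint16_t id = path_id(S1, &len);                 /* 0x001e, 3 patterns */
    print_path(traceback(id, len));                  /* finds S1 */
    uint16_t unseen = mark(mark(mark(0, 2), 3), 2);  /* a source D never saw */
    print_path(traceback(unseen, 3));                /* one trim, finds R6 */
    return 0;
}
```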
4.3 Results
References

3. ... traceback. Computer Communication Review, 2000, 30(4): 295-306
4. Dawn X S, Perrig A. Advanced and authenticated marking schemes for IP traceback. Proceedings of the 20th Annual Joint Conference of the IEEE Computer and Communications Societies, Apr 22-26, 2001, Anchorage, AK, USA. Piscataway, NJ, USA: IEEE, 2001: 878-886
5. Yaar A, Perrig A, Song D. Pi: a path identification mechanism to defend against DDoS attacks. Proceedings of the Symposium on Security and Privacy, May 11-14, 2003, Berkeley, CA, USA. Piscataway, NJ, USA: IEEE, 2003: 93-107
6. Park K, Lee H. On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack. Proceedings of the 20th Annual Joint Conference of the IEEE Computer and Communications Societies, Apr 22-26, 2001, Anchorage, AK, USA. Piscataway, NJ, USA: IEEE, 2001: 338-347
7. Tchakountio F, Kent S T, Strayer W T. Hash-based IP traceback. Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication (SIGCOMM'01), Aug 27-31, 2001, San Diego, CA, USA. New York, NY, USA: ACM, 2001: 3-14
8. Bellovin S, Leech M, Taylor T. ICMP traceback messages. Internet draft. [2007-02-01]. http://tools.ietf.org/html/draft-ietf-itrace-04
9. Chang R K C. Defending against flooding-based distributed denial-of-service attacks: a tutorial. IEEE Communications Magazine, 2002, 40(10): 42-51