Practical network support for IP traceback

Authors:
Stefan Savage

Department of Computer Science and Engineering, University of Washington, Seattle, WA

Department of Computer Science and Engineering, University of Washington, Seattle, WA
View Profile

,
David Wetherall

Department of Computer Science and Engineering, University of Washington, Seattle, WA

Department of Computer Science and Engineering, University of Washington, Seattle, WA
View Profile

,
Anna Karlin

Department of Computer Science and Engineering, University of Washington, Seattle, WA

Department of Computer Science and Engineering, University of Washington, Seattle, WA
View Profile

,
Tom Anderson

Department of Computer Science and Engineering, University of Washington, Seattle, WA

Department of Computer Science and Engineering, University of Washington, Seattle, WA
View Profile

SIGCOMM '00: Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer CommunicationAugust 2000Pages 295–306https://doi.org/10.1145/347059.347560

Published:28 August 2000Publication History

SIGCOMM '00: Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication

Pages 295–306

ABSTRACT

This paper describes a technique for tracing anonymous packet flooding attacks in the Internet back towards their source. This work is motivated by the increased frequency and sophistication of denial-of-service attacks and by the difficulty in tracing packets with incorrect, or ``spoofed'', source addresses. In this paper we describe a general purpose traceback mechanism based on probabilistic packet marking in the network. Our approach allows a victim to identify the network path(s) traversed by attack traffic without requiring interactive operational support from Internet Service Providers (ISPs). Moreover, this traceback can be performed ``post-mortem'' -- after an attack has completed. We present an implementation of this technology that is incrementally deployable, (mostly) backwards compatible and can be efficiently implemented using conventional technology.

References

1.F. Baker. Requirements for IP Version 4 Routers. RFC 1812, June 1995.]] Google ScholarDigital Library
2.G. Banga, P. Druschel, and J. Mogul. Resource Containers: A New Facility for Resource Management in Server Systems. In Proceedings of the 1999 USENIX/ACM Symposium on Operating System Design and Implementation, pages 45-58, Feb. 1999.]] Google ScholarDigital Library
3.S. M. Bellovin. Security Problems in the TCP/IP Protocol Suite. ACM Computer Communications Review, 19(2):32-48, Apr. 1989.]] Google ScholarDigital Library
4.S. M. Bellovin. ICMP Traceback Messages. Internet Draft: draft-bellovin-itrace-00.txt, Mar. 2000.]]Google Scholar
5.R. Braden. Requirements for Internet Hosts - Communication Layers. RFC 1122, Oct. 1989.]] Google ScholarDigital Library
6.H. Burch and B. Cheswick. Tracing Anonymous Packets to Their Approximate Source. Unpublished paper, Dec. 1999.]]Google Scholar
7.R. L. Carter and M. E. Crovella. Dynamic Server Selection Using Dynamic Path Characterization in Wide-Area Networks. In Proceedings of the 1997 IEEE INFOCOM Conference, Kobe, Japan, Apr. 1997.]] Google ScholarDigital Library
8.B. Cheswick and H. Burch. Internet Mapping Project. http://cm.bell-labs.com/who/ches/map/ index.html, 2000.]]Google Scholar
9.Cisco Systems. Configuring TCP Intercept (Prevent Denial-of-Service Attacks). Cisco IOS Documentation, Dec. 1997.]]Google Scholar
10.K. Claffy and S. McCreary. Sampled Measurements from June 1999 to December 1999 at the AMES Inter-exchange Point. Personal Communication, Jan. 2000.]]Google Scholar
11.Computer Emergency Response Team. CERT Advisory CA-96.26 Denial-of-Service Attack via pings. http://www.cert.org/advisories/CA-96.26. ping.html, Dec. 1996.]]Google Scholar
12.Computer Emergency Response Team. CERT Advisory CA-97.28 IP Denial-of-Service Attacks. http://www. cert.org/advisories/CA-97.28.smurf.html, Dec. 1997.]]Google Scholar
13.Computer Emergency Response Team. CERT Advisory CA-98.01 smurf IP Denial-of-Service Attacks. http://www.cert.org/advisories/CA-98.01. smurf.html, Jan. 1998.]]Google Scholar
14.Computer Emergency Response Team. CERT Advisory CA-2000-01 Denial-of-Service Developments. http:// www.cert.org/advisories/CA-2000-01.html, Jan. 2000.]]Google Scholar
15.Computer Emergency Response Team. CERT Incident Note IN-2000-04 Denial-of-Service Attacks using Nameservers. http://www.cert.org/incident_notes/ IN-200-04.html, Apr. 2000.]]Google Scholar
16.Computer Security Institute and Federal Bureau of Investigation. 1999 CSI/FBI Computer Crime and Security Survey. Computer Security Institute publication, Mar. 1999.]]Google Scholar
17.Cooperative Associationfor Internet Data Analysis. Skitter Analysis. http: //www.caida.org/Tools/Skitter/Summary/, 2000.]]Google Scholar
18.S. Deering. Internet protocol, version 6 (ipv6). RFC 2460, Dec. 1998.]]Google Scholar
19.W. Feller. An Introduction to Probability Theory and Its Applications (2nd edition), volume 1. Wiley and Sons, 1966.]]Google Scholar
20.P. Ferguson and D. Senie. Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing. RFC 2267, Jan. 1998.]] Google ScholarDigital Library
21.J. Glave. Smurfing Cripples ISPs. Wired Technolgy News: (http://www.wired.com/news/news/ technology/story/9506.html), Jan. 1998.]]Google Scholar
22.I. Goldberg and A. Shostack. Freedom Network 1.0 Architecture and Protocols. Zero-Knowledge Systems White Paper, Nov. 1999.]]Google Scholar
23.R. Govindan and H. Tangmunarunkit. Heuristics for Internet Map Discovery. In Proceedings of the 2000 IEEE INFOCOM Conference, Tel Aviv, Israel, Mar. 2000.]]Google ScholarCross Ref
24.L. T. Heberlein and M. Bishop. Attack Class: Address Spoofing. In 1996 National Information Systems Security Conference, pages 371-378, Baltimore, MD, Oct. 1996.]]Google Scholar
25.J. D. Howard. An Analysis of Security Incidents on the Internet. PhD thesis, Carnegie Mellon University, Aug. 1998.]] Google ScholarDigital Library
26.P. Karn and W. Simpson. Photuris: Session-Key Management Protocol. RFC 2522, Mar. 1999.]] Google ScholarDigital Library
27.C. Kent and J. Mogul. Fragmentation Considered Harmful. In Proceedings of the 1987 ACM SIGCOMM Conference, pages 390-401, Stowe, VT, Aug. 1987.]] Google ScholarDigital Library
28.S. Kent and R. Atkinson. Security architecture for the internet protocol. RFC 2401, Nov. 1998.]] Google ScholarDigital Library
29.C. Meadows. A Formal Framework and Evaluation Method for Network Denial of Service. In Proceedings of the 1999 IEEE Computer Security Foundations Workshop, Mordano, Italy, June 1999.]] Google ScholarDigital Library
30.J. Mogul and S. Deering. Path MTU Discovery. RFC 1191, Nov. 1990.]] Google ScholarDigital Library
31.R. T. Morris. A Weakness in the 4.2BSD Unix TCP/IP Software. Technical Report Computer Science #117, AT&T Bell Labs, Feb. 1985.]]Google Scholar
32.V. Paxson. End-to-End Routing Behavior in the Internet. IEEE/ACM Transactions on Networking, 5(5):601-615, Oct. 1997.]] Google ScholarDigital Library
33.C. Perkins. IP Mobility Support. RFC 2002, Oct. 1996.]]Google Scholar
34.J. Postel. Internet Protocol. RFC 791, Sept. 1981.]]Google Scholar
35.M. G. Reed, P. F. Syverson, and D. M. Goldschlag. Anonymous Connections and Onion Routing. IEEE Journal on Selected Areas in Communications, 16(4):482-494, May 1998.]]Google ScholarDigital Library
36.E. C. Rosen, Y. Rekhter, D. Tappan, D. Farinacci, G. Fedorkow, T. Li, and A. Conta. MPLS Label Stack Encoding. Internet Draft: draft-ietf-mpls-label-encaps-07.txt (expires March 2000), Sept. 1998.]] Google ScholarDigital Library
37.G. Sager. Security Fun with OCxmon and cflowd. Presentation at the Internet 2 Working Group, Nov. 1998.]]Google Scholar
38.O. Spatscheck and L. Peterson. Defending Against Denial of Service Attacks in Scout. In Proceedings of the 1999 USENIX/ACM Symposium on Operating System Design and Implementation, pages 59-72, Feb. 1999.]] Google ScholarDigital Library
39.S. Staniford-Chen and L. T. Heberlein. Holding Intruders Accountable on the Internet. In Proceedings of the 1995 IEEE Symposium on Security and Privacy, pages 39-49, Oakland, CA, May 1995.]] Google ScholarDigital Library
40.I. Stoica and H. Zhang. Providing Guaranteed Services Without Per Flow Management. In Proceedings of the 1999 ACM SIGCOMM Conference, pages 81-94, Boston, MA, Aug. 1999.]] Google ScholarDigital Library
41.R. Stone. CenterTrack: An IP Overlay Network for Tracking DoS Floods. In to appear in Proceedings of thje 2000 USENIX Security Symposium, Denver, CO, July 2000.]] Google ScholarDigital Library
42.W. Theilmann and K. Rothermel. Dynamic Distance Maps of the Internet. In Proceedings of the 2000 IEEE INFOCOM Conference, Tel Aviv, Israel, Mar. 2000.]]Google ScholarCross Ref
43.C. Villamizar. Personal Communication, Feb. 2000.]]Google Scholar
44.M. Vivo, E. Carrasco, G. Isern, and G. O. Vivo. A review of port scanning techniques. ACM Computer Communications Review, 29(2):41-48, Apr. 1999.]] Google ScholarDigital Library
45.Y. Zhang and V. Paxson. Stepping Stone Detection. In to appear in Proceedings of thje 2000 USENIX Security Symposium, Denver, CO, July 2000.]]Google Scholar

Index Terms

Practical network support for IP traceback

Recommendations

Practical network support for IP traceback

This paper describes a technique for tracing anonymous packet flooding attacks in the Internet back towards their source. This work is motivated by the increased frequency and sophistication of denial-of-service attacks and by the difficulty in tracing ...
Read More
Network support for IP traceback

This paper describes a technique for tracing anonymous packet flooding attacks in the Internet back toward their source. This work is motivated by the increased frequency and sophistication of denial-of-service attacks and by the difficulty in tracing ...
Read More
IP Traceback: A New Denial-of-Service Deterrent?

The increasing frequency of malicious computer attacks has caused severe economic waste and unique social threats. IP traceback- the ability to trace IP packets from source to destination-is a significant step toward identifying and, thus, stopping, ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SIGCOMM '00: Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
August 2000
348 pages
ISBN:1581132239
DOI:10.1145/347059
Chairman:
Craig Partridge
BBN Technologies, Cambridge, MA
ACM SIGCOMM Computer Communication Review Volume 30, Issue 4
October 2000
319 pages
ISSN:0146-4833
DOI:10.1145/347057
Editor:
Roch Guerin
Univ. of Pennsylvania, Philadelphia
Issue’s Table of Contents
Copyright © 2000 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 28 August 2000
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Qualifiers
- Article
Conference

Acceptance Rates
SIGCOMM '00 Paper Acceptance Rate26of238submissions,11%Overall Acceptance Rate554of3,547submissions,16%
More
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 683
  Total Citations
  View Citations
- 4,694
  Total Downloads
- Downloads (Last 12 months)253
- Downloads (Last 6 weeks)41
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Practical network support for IP traceback

SIGCOMM '00: Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication

ABSTRACT

References

Cited By

Index Terms

Recommendations

Practical network support for IP traceback

Network support for IP traceback

IP Traceback: A New Denial-of-Service Deterrent?