ABSTRACT
This paper describes a technique for tracing anonymous packet flooding attacks in the Internet back towards their source. This work is motivated by the increased frequency and sophistication of denial-of-service attacks and by the difficulty of tracing packets with incorrect, or "spoofed", source addresses. In this paper we describe a general purpose traceback mechanism based on probabilistic packet marking in the network. Our approach allows a victim to identify the network path(s) traversed by attack traffic without requiring interactive operational support from Internet Service Providers (ISPs). Moreover, this traceback can be performed "post-mortem", that is, after an attack has completed. We present an implementation of this technology that is incrementally deployable, (mostly) backwards compatible and can be efficiently implemented using conventional technology.
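The following simulation is an added illustration of the probabilistic marking idea the abstract refers to, not code from the paper: it models the simplest variant (node sampling), in which every router overwrites a single mark field with its own address with probability p, and the victim recovers the path post-mortem by ordering the collected marks by frequency. The router names, the path and the packet count are constructed for the example; the paper's full scheme encodes edges rather than single nodes and differs in detail.

```python
import random
from collections import Counter

# Constructed attack path, listed in forwarding order: R6 is the router
# nearest the (spoofing) source, R1 is the last hop before the victim.
CONSTRUCTED_PATH = ["R6", "R5", "R4", "R3", "R2", "R1"]


def mark_packet(path, p, rng):
    """Node sampling: each router on the path, in forwarding order,
    overwrites the packet's single mark field with probability p.
    Returns the mark the victim finally sees (None if nobody marked)."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router  # a downstream router may overwrite this later
    return mark


def collect_marks(path, p, n_packets, seed=1):
    """Victim-side collection: count the mark carried by each packet.
    A fixed seed keeps the simulation reproducible."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n_packets):
        m = mark_packet(path, p, rng)
        if m is not None:
            counts[m] += 1
    return counts


def expected_fraction(p, d):
    """Fraction of packets whose surviving mark belongs to the router
    d hops from the victim: it must mark (p) and none of the d-1 routers
    after it may overwrite ((1-p)^(d-1))."""
    return p * (1 - p) ** (d - 1)


def reconstruct_path(counts):
    """Because expected_fraction() decreases with distance, sorting marks
    by frequency (most common first) yields the path from the victim
    outward. Returned nearest-router-first."""
    return [router for router, _ in counts.most_common()]


if __name__ == "__main__":
    counts = collect_marks(CONSTRUCTED_PATH, p=0.5, n_packets=20000)
    print("recovered path, nearest first:", reconstruct_path(counts))
```

With p = 0.5 the sixth router's mark survives in only about 1.6% of packets, which is why the victim needs a large sample and why the mark probability trades off against the path length that can be recovered reliably.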