IP traceback marking scheme based packets filtering mechanism

Abstract

Denial of service attacks have become one of the most serious threats to the Internet community. One effective means to defend against such attacks is to locate the attack source(s) and to filter out the attack traffic. To locate the attack source(s), this paper proposes an adaptive packet marking scheme for IP traceback, which supports two types of marking. A participating border router would perform deterministic router id marking when a packet enters the network for the first time, and probabilistic domain id marking when it receives a packet from another domain. After collecting sufficient packets, the victim would reconstruct the attack graph incorporating attack paths and the source router(s) identified, with each node on the paths viewed as a domain. Based on the attack graph traced back we propose to let the filtering agent(s) inspect the markings inscribed in the received packets and filter the packets with a marking matching with the attack signatures. Simulation results show that the proposed marking scheme outperforms other IP traceback methods as it requires fewer packets for attack paths reconstruction, and can handle large number of attack sources effectively with relatively low false positives produced. Meanwhile, with the attack packets filtering mechanism, around 80% attack traffic would be removed and the normal traffic can be efficiently preserved in order to restore the victim's service.