IP Traceback Research Articles

Classification and comparison of IP traceback techniques for DoS/DDoS/DRDoS defence

Classification and comparison of IP traceback techniques for DoS/DDoS/DRDoS defence

Classification and comparison of IP traceback techniques for DoS/DDoS/DRDoS defence

Classification and comparison of IP traceback techniques for DoS/DDoS/DRDoS defence

SDN-Defend: A Lightweight Online Attack Detection and Mitigation System for DDoS Attacks in SDN.

With the development of Software Defined Networking (SDN), its security is becoming increasingly important. Since SDN has the characteristics of centralized management and programmable, attackers can easily take advantage of the security vulnerabilities of SDN to carry out distributed denial of service (DDoS) attacks, which will cause the memory of controllers and switches to be occupied, network bandwidth and server resources to be exhausted, affecting the use of normal users. To solve this problem, this paper designs and implements an online attack detection and mitigation SDN defense system. The SDN defense system consists of two modules: anomaly detection module and mitigation module. The anomaly detection model uses a lightweight hybrid deep learning method-Convolutional Neural Network and Extreme Learning Machine (CNN-ELM) for anomaly detection of traffic. The mitigation model uses IP traceback to locate the attacker and effectively filters out abnormal traffic by sending flow rule commands from the controller. Finally, we evaluate the SDN defense system. The experimental results show that the SDN defense system can accurately identify and effectively mitigate DDoS attack flows in real-time.

HDSL: A Hybrid Distributed Single-packet Low-storage IP Traceback Framework. (Dept. E)

HDSL: A Hybrid Distributed Single-packet Low-storage IP Traceback Framework. (Dept. E)

A SINGLE-PACKET IP TRACEBACK: COMBATING DOS-DDOS ATTACKS

Cyber-attacks such as Denial of Service (DoS) and Distributed Denial of Service(DDoS) can affect Internet security so that they become a major threat to the computer and computer networks. Therefore, several IP traceback methods were developed to trace back each attack packet to its origin of the attack. These schemes require many packets to trace back the origin of the DoS attack. In this paper, we proposed a novel approach that can trace back the origin of the DoS attack using a single packet-based on Deterministic Packet Marking (DPM) and Probabilistic Router Logging(PRL). Our experimental results, using NS-3 simulator, show that our novel proposed approach can reconstruct the attack path from the victim target to the exact attacker after receiving only a single attack packet. Moreover, this novel proposed approach detects spoofed attack packets in reactive and proactive schemes so that our proposed traceback solution is, therefore, robust because it has a null false positive (negative) rate.

ICSTrace: A Malicious IP Traceback Model for Attacking Data of the Industrial Control System

Considering that the attacks against the industrial control system are mostly organized and premeditated actions, IP traceback is significant for the security of the industrial control system. Based on the infrastructure of the internet, we have developed a novel malicious IP traceback model, ICSTrace, without deploying any new services. The model extracts the function codes and their parameters from the attack data according to the format of the industrial control protocol and employs a short sequence probability method to transform the function codes and their parameters into a vector, which characterizes the attack pattern of malicious IP addresses. Furthermore, a partial seeded K-means algorithm is proposed for the pattern’s clustering, which helps in tracing the attacks back to an organization. ICSTrace is evaluated based on the attack data captured by the large-scale deployed honeypots for the industrial control system, and the results demonstrate that ICSTrace is effective on malicious IP traceback in the industrial control system.

On Capturing DDoS Traffic Footprints on the Internet

While distributed denial-of-service (DDoS) attacks are easy to launch and are becoming more damaging, the defense against DDoS attacks often suffers from the lack of relevant knowledge of the DDoS traffic, including the paths the DDoS traffic has used, the source addresses (spoofed or not) that appear along each path, and the amount of traffic per path or per source. Though IP traceback and path inference approaches could be considered, they are either expensive and hard to deploy or inaccurate. We propose PathFinder, a service that a DDoS defense system can use to obtain the footprints of the DDoS traffic to the victim. PathFinder employs an architecture that is easy to implement and deploy on today's Internet, a PFTrie data structure that introduces multiple design features to log traffic at line rate, and streaming and zooming mechanisms that facilitates the storage and transmission of DDoS footprints more efficiently. Our evaluation shows that PathFinder can significantly improve the efficacy of a DDoS defense system, its PFTrie data structure is fast and has a manageable overhead, and its streaming and zooming mechanisms significantly reduce the delay and overhead in transmitting DDoS footprints.

An SDN-based Intrusion Detection System using SVM with Selective Logging for IP Traceback

In this paper we introduce a Software Defined Networking (SDN) based Intrusion Detection System (IDS) using the Support Vector Machines (SVM) along with Selective Logging for IP Traceback. We achieve a detection accuracy of 95.98% on the full NSL-KDD dataset and 87.74% on the selected sub-features of the dataset. Detection of anomalous traffic and network intrusion is done during the PACKET_IN event at the controller and then again by fetching the flow statistics from the OpenFlow switches at regular intervals. Selective logging of suspicious packets/flows during a PACKET_IN event enables an IP traceback to be performed in the eventuality of an attack which can be initiated by a network admin using an HTTP-based web console. This approach gains significance given that it is practically impossible to achieve 100% attack detection accuracy. Moreover, it is not always correct to take punitive action against packets of a traffic flow, solely based on a detection of a possible threat which may result in blocking or dropping of genuine packets. In the proposed scheme, logging is performed selectively at the controller and not at the switches, achieving significant savings in terms of overall memory resources. Moreover logging is performed using the in-memory structure at the controller thereby enhances the performance of the logging operation over traditional file-based database by 9.76%. Finally, we have chosen this approach because (i) SDN provides a centralized architecture for detection analysis and logging (ii) SVM provides decent detection accuracy without much computation overhead (iii) Selective Logging provides about 90% to 95% savings in terms of overall memory resources and (iv) IP traceback provides the ability to track the actual source of the packets in the eventuality of an attack.

An Effective Traceback Network Attack Procedure for Source Address Verification

The Internet is being extensively used in various fields to serve billions of users, which leads to the number of network security issues. Here, Internet Protocol Spoofing is considered the main threat for masquerade of the packet identity. An IP packet, which contains the header with the source IP address, lacks source verification. The invaders to spoof the network address of the packet use this vulnerability. To overcome this, verification of source is performed by marking the packets and tracing back to the source. Existing schemes make use of either packet marking or packet logging for trace back to the source with high computational and storage overhead. This paper proposed a scheme to minimize both the overheads by using a Combined IP Traceback procedure. Packet marking is done efficiently by using the 16-bit ID field of the packet header and packet logging is completed more effectively by using the hash table. The path reconstruction is done using the mark value in the packet, which traces back to the original source border router. The proposed method is empirically validated against the related ones.

A Multiple-Swarm Particle Swarm Optimisation Scheme for Tracing Packets Back to the Attack Sources of Botnet

Network intrusion detection systems that employ existing IP traceback (IPTBK) algorithms are generally unable to trace multiple attack sources. In these systems, the sampling mechanism only screens parts of the routing information, which leads to the tracing of the neighbour of the attack source and fails to identify the attack source. Theoretically, the multimodal optimisation problem cannot be solved for all of its multiple solutions using the traditional particle swarm optimisation (PSO) algorithm. The present study focuses on the use of multiple-swarm PSO (MSPSO) for recursively tracing attack paths back to a botnet’s multiple attack sources using the subgroup strategy. Specifically, the fitness of each path was calculated using a quasi-Newton gradient descent method to confirm the crucial path for successfully tracing the attack source. For multimodal optimisation problems, the MSPSO algorithm achieves an effective balance between individual particle exploitation and multiswarm exploration when premature convergence occurs. Thus, this algorithm accurately traces multiple attack sources. To verify the effectiveness of identifying Distributed Denial-Of-Service (DDoS) control centres, networks with various topology sizes (32–64 nodes) were simulated using ns-3 with the Boston University Representative Internet Topology Generator. The proposed A* search algorithm (minimal cost pathfinding algorithm) and MSPSO were used to identify the sources of simulated DDoS attacks. Compared with commonly available systems, the MSPSO algorithm performs better in multimodal optimisation problems, improves the accuracy of traceability analysis and reduces false responses for IPTBK problems.

Separating Monitoring from Control in SDN to Mitigate DDoS Attacks in Hybrid Clouds

Background & Objective: Detecting and mitigating Distributed Denial of Service (DDoS) attacks is a serious problem. In addition, new features and network deployments such as Software- Defined Networking (SDN) may open the door for new threats that did not previously exist. : Recent publications and patent are reviewed to find new techniques developed for integrating different mechanisms to secure networks against DDoS. Methods: This work presents a simple model for integrating different mechanisms to secure both SDN and legacy network in a hybrid cloud environment, it is called FocusON. It aims at mitigating DDoS attacks of a victim network. In addition, separating network monitoring from its control aims at mitigating DDoS attacks of a victim network. Traffic pattern analysis is apart from attack detection mechanism that gives a conceptual representation of a specific kind of DDoS attacks. DDoS detection is a completely automated process. Once called, for the reaction, the active response will be taken against the real IP source of the attacker. : The communication time overhead was tested in order to evaluate the remote server response time in case of deploying our proposed model mechanisms and without our proposed model. : Here we introduce a response mechanism that consists of an analysis of event logs, traffic patterns, and IP traceback. The proposed model categorizes the underlying network according to the location into a victim network and the source of attack (public cloud). Results & Conclusion:: The proposed model implemented in a hybrid cloud environment using the network of SDN and legacy network. The experimental setup was built using our network lab connected to the Amazon public cloud.

IP Traceback using Flow Based Classification

Background:Distributed Denial of Service (DDoS) attack is a major threat over the internet. The IP traceback mechanism defends against DDoS attacks by tracing the path traversed by attack packets. The existing traceback techniques proposed till now are found with few short comings. The victim required many number of packets to trace the attack path. The requirement of a large number of packets resulted in more number of combinations and more false positives.Methods:To generate a unique value for the IP address of the routers in the attack path Chinese Remainder theorem is applied. This helped in combining the exact parts of the IP address at the victim. We also applied K-Nearest Neighbor (KNN) algorithm to classify the packets depending on their traffic flow, this reduced the number of packets to reconstruct the attack path.Results:The proposed approach is compared with the existing approaches and the results demonstrated that the attack graph is effectively constructed with higher precision and lower combination overhead under large scale DDoS attacks. In this approach, packets from diverse flows are separated as per flow information by applying KNN algorithm. Hence, the reconstruction procedure could be applied on each group separately to construct the multiple attack paths. This results in reconstruction of the complete attack graph with fewer combinations and false positive rate.Conclusion:In case of DDoS attacks the reconstruction of the attack path plays a major role in revealing IP addresses of the participated routers without false positives and false negatives. Our algorithm FRS enhances the feasibility of information pertaining to even the farthest routers by incorporating a flag condition while marking the packets. The rate of false positives and false negatives are drastically reduced by the application of Chinese Remainder Theorem on the IP addresses of the router. At the victim, the application of KNN algorithm reduced the combination overhead and the computation cost enormously.

On packet marking and Markov modeling for IP Traceback: A deep probabilistic and stochastic analysis

From many years, the methods to defend against Denial of Service attacks have been very attractive from different point of views, although network security is a large and very complex topic. Different techniques have been proposed and so-called packet marking and IP tracing procedures have especially demonstrated a good capacity to face different malicious attacks. While host-based DoS attacks are more easily traced and managed, network-based DoS attacks are a more challenging threat. In this paper, we discuss a powerful aspect of the IP traceback method, which allows a router to mark and add information to attack packets on the basis of a fixed probability value. We propose a potential method for modeling the classic probabilistic packet marking algorithm as Markov chains, allowing a closed form to be obtained for evaluating the correct number of received marked packets in order to build a meaningful attack graph and analyze how marking routers must behave to minimize the overall overhead.

Detection of Spoofing Attacks on SDN through IP Trace Back Protocol

Detection of Spoofing Attacks on SDN through IP Trace Back Protocol

Correction to: Hybrid Approach for IP Traceback Analysis in Wireless Networks

There was a typo in the second author’s name in the original article. The correct name is S. Karthik, as listed here. The original article has been corrected.

Hybrid Approach for IP Traceback Analysis in Wireless Networks

Distributed Denial-Of-Service (DDoS) attacks are one of the all the more difficult security issues on the Internet today. They can without much of a stretch, fumes the assets of the potential Victims. The issue is much more extreme since the aggressors regularly produce their IP delivers to shroud their character. The current guard mechanism against DDoS attacks, the attack traffic will be filtered at the victim’s side. For this situation, regardless of whether the attacking traffic is filtered by the victim, the attacker may achieve the objective of blocking access to the victim’s bandwidth. IP-Traceback approaches enable the victim to traceback to the wellspring of an attack and they will not be able to minimize the attack when the attack is in progress. Hence in this work we proposed a hybrid method to minimize the quantity of malicious packets entering into the network. We introduce a quantum annealing technique at the server side to identify and mitigate the DDoS attack. The attack messages are minimized by utilizing client puzzle as a part of the ingress router; the path fingerprint is used at the egress side. Simulation studies prove that the proposed mechanism is optimally successful in recognizing and mitigating the DDoS attacks.

I-SMITE: An IP Traceback mechanism for Inter-AS SDN Networks using BGP

In this paper, we introduce I-SMITE an inter autonomous systems (inter-AS) IP traceback mechanism based on SMITE to support efficient IP traceback across inter-AS software-defined networks (SDN) ne...

Hybrid Multilayer Network Traceback to the Real Sources of Attack Devices

With the advent of the Internet of Things (IoT), there are also major information security risks hidden behind them. There are major information security risks hidden behind them. Attackers can conceal their actual attack locations by spoofing IP addresses to attack IoT devices, law enforcement cannot easily track them. Therefore, a method to trace stealth attacks is required. Conventional IP traceback methods that traceback only attackers on the network layer and cannot infer the path information of a packet traversing the switch. This article proposes a method to simultaneously traceback attack sources at the network layer and the data link layer with only one single packet. Even if the core network contains a switch or if multiple attackers launch attacks from different locations, the method can correctly traceback the true devices responsible for the attacks, and its achievements include a zero false negative rate and a low false positive rate.

Improved detection mechanism in MANETs using adaptive IP tracing mechanism

The network has enabled enormous volumes of services without any restrictions, different users need to have access to the service provided are more focused by malicious users. It is imperative to identify malicious entry or access to services, hence this paper discusses the various aspects of malicious access due to DDoS attacks and on how to detect it also this method uses the decisions made by hackers to manage the Traceback information science. In this paper, we consider the flash crowds based on the difference between DDoS attacks, a flash crowd is used to mitigate the DDoS attack. There is a tendency to see information on flux entropy variations on routers’ short-term and store them. Once the victim has been aware of a DDoS attack, the victim starts pushback tracing. The initial Traceback rule identifies its upstream routers where attacks have taken place and transmits the requests for Traceback to the upstream connected routers. If the flow rate is low, the low detection rule is initiated to trace the attackers and therefore the study is evaluated based on the instances where the packets are attacked by malicious users. The evaluation is conducted based on whether the packet traversed is malicious or normal and finally the accuracy of IP Traceback techniques and time complexity are tested.

Tracing Website Attackers by Analyzing Onion Routers’ Log Files

The Onion Router (Tor) is one of the major network systems that provide anonymous communication and censorship circumvention. Tor enables its users to surf the Internet, chat, and send messages anonymously; however, cyber attackers also exploit the system for circumventing criminal activity detection. Recently, various approaches that prevent or mitigate abuse of Tor have been proposed in the literature. This paper, which presents one of the approaches, addresses an IP traceback problem. In our model, onion routers that voluntarily participate in attacker tracing detect attack packets (packets carrying an attacker's code or data) recorded in the log files by sharing necessary information with an attacked server over an Ethereum blockchain network. The detection algorithm in this paper uses the statistics of packet travel and relay times and outputs attack-packet candidates. The proposed method attaches a reliability degree to each candidate, which is based on the upper bounds of its Type I and II error rates. A smart contract running on the blockchain network ranks the detection results from onion routers according to the reliability degrees.