Similar literature
 20 similar documents found; search took 31 ms
1.
Tracing DoS attacks that employ source address spoofing is an important and challenging problem. Traditional traceback schemes provide spoofed packets traceback capability either by augmenting the packets with partial path information (i.e., packet marking) or by storing packet digests or signatures at intermediate routers (i.e., packet logging). Such approaches require either a large number of attack packets to be collected by the victim to infer the paths (packet marking) or a significant amount of resources to be reserved at intermediate routers (packet logging). We adopt a hybrid traceback approach in which packet marking and packet logging are integrated in a novel manner, so as to achieve the best of both worlds, that is, to achieve a small number of attack packets to conduct the traceback process and a small amount of resources to be allocated at intermediate routers for packet logging purposes. Based on this notion, two novel traceback schemes are presented. The first scheme, called distributed link-list traceback (DLLT), is based on the idea of preserving the marking information at intermediate routers in such a way that it can be collected using a link list-based approach. The second scheme, called probabilistic pipelined packet marking (PPPM), employs the concept of a "pipeline" for propagating marking information from one marking router to another so that it eventually reaches the destination. We evaluate the effectiveness of the proposed schemes against various performance metrics through a combination of analytical and simulation studies. Our studies show that the proposed schemes offer a drastic reduction in the number of packets required to conduct the traceback process and a reasonable saving in the storage requirement.

2.
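Wireless sensor networks lack a single trusted routing device, so intermediate nodes can tamper with packet marks. To address this problem, an improved node-sampling packet marking algorithm is proposed. The algorithm generates a watermark by applying a hash operation to the ID and the data packet, and probabilistically marks the watermark into the corresponding marking field; the sink node uses the marking information to trace malicious nodes. The algorithm effectively resists colluding nodes altering the marks and localizes a malicious node to within one hop. Experiments show that the improved algorithm can effectively trace malicious nodes; compared with an edge-marking-based traceback method, the localization success rate is improved.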

3.
Tracing IP packets to their origins is an important step in defending Internet against denial-of-service attacks. Two kinds of IP traceback techniques have been proposed as packet marking and packet logging. In packet marking, routers probabilistically write their identification information into forwarded packets. This approach incurs little overhead but requires large flow of packets to collect the complete path information. In packet logging, routers record digests of the forwarded packets. This approach makes it possible to trace a single packet and is considered more powerful. At routers forwarding large volume of traffic, the high storage overhead and access time requirement for recording packet digests introduce practicality problems. In this paper, we present a novel scheme to improve the practicality of log-based IP traceback by reducing its overhead on routers. Our approach makes an intelligent use of packet marking to improve scalability of log-based IP traceback. We use mathematical analysis and simulations to evaluate our approach. Our evaluation results show that, compared to the state-of-the-art log-based approach called hash-based IP traceback, our approach maintains the ability to trace single IP packet while reducing the storage overhead by half and the access time overhead by a factor of the number of neighboring routers.

4.
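Defending against distributed denial-of-service (DDoS) attacks is an important topic in current network attack research. This paper proposes a concept for a DDoS attack traceback scheme and, building on adaptive packet marking theory, a new improved algorithm. The scheme uses the TTL field and proposes a scalable packet marking strategy, which can locate the attack source faster with fewer packets. Compared with previous methods, the algorithm is flexible and has a very low false positive rate. Simulation experiments show that the system can trace the IP source with relatively few packets, minimizing the losses caused by the attack.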

5.
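To address the scarcity of existing IPv6 route traceback techniques and the fact that IPv4 route traceback techniques cannot be ported directly to IPv6 network environments, an IPv6 attack source traceback scheme based on probabilistic packet marking is proposed according to the characteristics of IPv6. The scheme effectively improves on the original IPv4 probabilistic packet marking method: it re-plans the marking area, allocating suitable identification and information fields in the IPv6 base header and extension header respectively, which both solves the problem of insufficient marking space and regularizes how marking information is stored; it adopts a dynamic marking probability that treats unmarked and already-marked packets differently, solving the problem of marking information being overwritten; and it optimizes the marking algorithm to achieve fast and accurate path traceback in IPv6 network environments. Theoretical analysis and experimental results show that the scheme can effectively trace attack sources and performs better than the original IPv4 traceback technique.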

6.
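A new scheme combining deterministic packet marking and path identification is proposed, in which the source border router probabilistically chooses to perform either deterministic packet marking or path identification. Based on the degree of downstream network congestion and the path traceback results, the scheme dynamically adjusts the packet marking operation, and the victim host applies different defensive measures according to the marking strategy used. Simulation experiments on a large-scale authoritative Internet topology dataset show that the scheme defends well and can effectively mitigate the impact of DDoS attacks on the victim host.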

7.
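To further improve the real-time performance of DDoS defense in IPv4 networks, a concept for a DDoS defense system is proposed that effectively combines a client-side defense system with adaptive packet marking, so that it can both detect and defend against DDoS attacks and trace the attack source. A new marking scheme is also proposed, which uses the TTL field and an improved adaptive packet marking method. Compared with other marking methods, it offers good flexibility, a low false positive rate and low computational cost. It has been verified that the system can reconstruct the attack path with relatively few packets, minimizing the losses caused by the attack.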

8.
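A Survey of Spoofed IP Traceback Techniques   Total citations: 2, self-citations: 0, citations by others: 2
1 Introduction. Flaws in network protocols and operating systems give rise to network security problems. The most important issue concerning the IP protocol is IP address spoofing. The IP protocol itself cannot verify that the IP address in the source address field is the sender's IP address. A machine can disguise itself as another machine, or even a router, for a period of time. Among the various countermeasures to network attacks, IP traceback is a method that relies mainly on deterrence: once attackers know that an attack can be traced back, they will be more cautious about attacking. In developed countries such as the United States and Japan, spoofed IP traceback has become one of the important issues of common concern to academia, industry and government.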

9.
Compromised sensor nodes may collude to segregate a specific region of the sensor network preventing event reporting packets in this region from reaching the basestation. Additionally, they can cause skepticism over all data collected. Identifying and segregating such compromised nodes while identifying the type of attack with a certain confidence level is critical to the smooth functioning of a sensor network. Existing work specializes in preventing or identifying a specific type of attack and lacks a unified architecture to identify multiple attack types. Dynamic Camouflage Event-Based Malicious Node Detection Architecture (D-CENDA) is a proactive architecture that uses camouflage events generated by mobile-nodes to detect malicious nodes while identifying the type of attack. We exploit the spatial and temporal information of camouflage event while analyzing the packets to identify malicious activity. We have simulated D-CENDA to compare its performance with other techniques that provide protection against individual attack types and the results show marked improvement in malicious node detection while having significantly less false positive rate. Moreover, D-CENDA can identify the type of attack and is flexible to be configured to include other attack types in future.

10.
Computer Networks, 2007, 51(10): 2677-2700
In this article, we present a novel approach to IP Traceback – deterministic packet marking (DPM). DPM is based on marking all packets at ingress interfaces. DPM is scalable, simple to implement, and introduces no bandwidth and practically no processing overhead on the network equipment. It is capable of tracing thousands of simultaneous attackers during a DDoS attack. Given sufficient deployment on the Internet, DPM is capable of tracing back to the slaves responsible for DDoS attacks that involve reflectors. In DPM, most of the processing required for traceback is done at the victim. The traceback process can be performed post-mortem allowing for tracing the attacks that may not have been noticed initially, or the attacks which would deny service to the victim so that traceback is impossible in real time. The involvement of the Internet Service Providers (ISPs) is very limited, and changes to the infrastructure and operation required to deploy DPM are minimal. DPM is capable of performing the traceback without revealing topology of the providers’ network, which is a desirable quality of a traceback method.

11.
Miao. Computer Networks, 2006, 50(18): 3536-3549
The IP traceback is an important mechanism in defending against distributed denial-of-service (DDoS) attacks. In this paper, we propose a probabilistic packet marking (PPM) scheme, Tabu Marking Scheme (TMS), to speed up IP traceback. The key idea of “tabu mark” is that, a router still marks packets probabilistically, but regards a packet marked by an upstream router as a tabu and does not mark it again. We study the impact of the traffic aggregation on the convergence behavior of PPM schemes. Furthermore we derive a new analytical result on the partial coupon collection problem, which is a powerful tool applicable for computing the mean convergence time of any PPM scheme. Our study shows that the idea of “tabu mark” not only helps a PPM scheme that allows overwriting to reduce the convergence time under a DDoS attack, but also ensures the authentication of the routers’ markings.

12.
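When a wireless sensor network (WSN) suffers a distributed denial-of-service (DDoS) attack, the attacker sends a large number of attack packets to the victim host, causing it to exhaust its resources rapidly and fail to operate normally, ultimately paralyzing the network. To detect DDoS attacks against resource-constrained WSNs, an improved probabilistic packet marking algorithm is proposed, based on the probabilistic packet marking algorithm for traditional networks and adapted to detecting DDoS attacks in WSNs. The improved algorithm reduces the number of attack packets needed to reconstruct the attack path, thereby reducing WSN resource consumption and compensating for the WSN's limited resources.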

13.
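A New Fragment Marking Method for IP Traceback   Total citations: 1, self-citations: 0, citations by others: 1
Denial-of-service (DoS) attacks are a hard-to-solve network security problem. IP traceback is an effective way to determine the source of a DoS attack. To address the shortcomings of the compressed edge fragment sampling (CEFS) algorithm used for IP traceback, a new fragment marking algorithm (NFMS) is proposed. By enlarging the marking space and using an adaptive probability, the algorithm reduces the number of packets needed to reconstruct the path; by annotating fragments, it reduces the computation and false positive rate of path reconstruction; and by storing node fragments (router fragments) and edge fragments (the XOR of a router fragment with the fragment of the downstream adjacent router at the same offset) separately, it can verify the correctness of the nodes in the attack path obtained during path reconstruction. Analysis and simulation results show that the NFMS algorithm performs better.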

14.
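Defending against distributed denial-of-service (DDoS) attacks is currently one of the most difficult network security problems to handle. Among the many solutions, packet marking has received wide attention. In this class of marking schemes, routers on the path mark passing packets according to some policy, so that the victim can reconstruct the attack path in a short time and trace back to the attacker's IP. This paper proposes a new packet marking method, a non-mandatory packet marking algorithm, which effectively reduces reconstruction time and the false positive rate and lessens the packet-marking burden on the network and routers.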

15.
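Distributed denial-of-service (DDoS) attacks are currently one of the most difficult network problems to handle. Among the many countermeasures proposed, IP traceback through packet marking has received wide attention. A new packet marking method (IPPM) is proposed to address the weakness that packet marking methods require support from every router in the network. Experiments show that, in networks where packet marking is only partially deployed, the method can effectively reconstruct the attack path with a very low false positive rate.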

16.
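Faced with DDoS attacks, researchers have proposed various IP traceback techniques to find the real source IP address of attack packets, but current traceback schemes have problems with space during marking, with whether the traced source is accurate, and with the number of packets needed for traceback. A new traceback scheme based on Huffman coding is proposed, which saves a large amount of storage space and improves space efficiency; it can also react quickly when under DoS (denial-of-service) and DDoS attacks, reconstructing the attack path and finding the accurate attack source after receiving just one attack packet, reducing the harm and losses caused by the attack to a minimum.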

17.
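闫巧, 宁土文. 《计算机应用》 (Journal of Computer Applications), 2011, 31(9): 2352-2355
To address shortcomings of probabilistic packet marking (PPM) IP traceback for IPv6, such as the excessive complexity of the path reconstruction algorithm and the high false positive rate, an IPv6 traceback method based on deterministic linear network coding is proposed. The method uses the IPv6 hop-by-hop options extension header as the marking area, applies deterministic linear network coding to probabilistic packet marking, and adds a 64-bit attack path sample. Theoretical analysis and simulation results in the NS2 environment show that the method reduces the network bandwidth consumed and the number of packets needed to reconstruct the path, lowers reconstruction algorithm complexity and the false positive rate, and improves marking efficiency.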

18.
Wireless sensor networks represent a new generation of real-time embedded systems with significantly different communication constraints from the traditional networked systems. With their development, a new attack called a path-based DoS (PDoS) attack has appeared. In a PDoS attack, an adversary, either inside or outside the network, overwhelms sensor nodes by flooding a multi-hop end-to-end communication path with either replayed packets or injected spurious packets. Detection and recovery from PDoS attacks have not been given much attention in the literature. In this article, we consider wireless sensor networks designed to collect and store data. In a path-based attack, both sensor nodes and the database containing collected data can be compromised. We propose a recovery method using mobile agents which can detect PDoS attacks easily and efficiently and recover the compromised nodes along with the database.

19.
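Distributed denial-of-service attacks are currently one of the main threats facing the Internet. Attack path traceback can trace the origin of an attack despite source address spoofing and plays a key role in defending against DDoS attacks. Among the various traceback techniques, random packet marking has clear advantages; however, because the utilization of marking information is low, traceback is still not fast enough. To improve traceback speed, a log-free fast attack path traceback algorithm is proposed. The algorithm uses a small amount of router storage and in-band information transfer to improve the utilization of marking information, which not only greatly increases traceback speed but also avoids consuming additional network bandwidth.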

20.
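Defending against denial-of-service (DDS) attacks is currently one of the most difficult network security problems to solve. Probabilistic packet marking (PPM) is a relatively effective and practical solution. A new trust-relationship-based router interface marking IP traceback scheme (TRIM) is proposed, which assigns different trust factors to different routers and partitions trust domains. The marking probability is determined by the trust factor, and routers probabilistically mark packets with their interface ID, effectively reducing the convergence time and computational overhead of path reconstruction and improving reconstruction efficiency. When border routers are dishonest, the scheme can quickly and accurately trace to the boundary of the trust domain.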
