An innovative approach to identify the IP address in denial‐of‐service (DoS) attacks based on Cauchy's integral theorem

Denial‐of‐service (DoS) and distributed denial‐of‐service (DDoS) are two of the most severe attacks against computer networks, especially the Internet. Despite its destructive effect, planning these attacks is a feasible task. Given that most attackers usually spoof the source address in packet headers, countermeasures can be based on two steps. First of all, some information from the attack space of the offender must be gathered. Fortunately, packets that reach a victim carry important data that can be acquired by means of a data collection process. One possibility is to use the probabilistic packet marking (PPM) approach for data acquisition. Once this is achieved, the next step consists of reconstructing the attack path, which can be carried out by several methods available in the literature. However, none of them provides a precise solution. In this paper, a new theoretical tracking model for the identification of DoS attackers is presented. The model unites the PPM approach and the concept of winding number, derived from the well‐known Cauchy's integral theorem. The winding number is a hydraulic analogy of the amount of attacking packets growing from a router. A suitable transformation allows seeing the packet traffic, in the attack environment, as a fluid flux in the space of complex variables. The method of solving the tracking problem and identifying the sources of attack presents an additional motivation: the use of continuous techniques when approaching a problem that occurs in a discrete environment. Such association will contribute to the development of further solutions possibly more robust than the one dealt with here. This paper shows that the new model can correctly identify the IP address of the router from which the attack comes by using an integral equation derived from the winding number expression. Copyright © 2008 John Wiley & Sons, Ltd.