Denial-Of-Service (Dos) Is A Type of Attack in Networks in Which An Attacker May

This document discusses a new method called Speedy IP Trace back (SIPT) for identifying denial-of-service (DoS) attacks by using the attacker's media access control (MAC) address. SIPT works by using the boundary router the attacker is connected to in order to identify the attacker after an attack with minimal additional load on the network. The document provides background on DoS attacks, existing detection and prevention approaches, and then describes how SIPT works and its advantages over other methods.

Uploaded by

Lokesh Kumar
Copyright
© Attribution Non-Commercial (BY-NC)

SIPT FOR IDENTIFYING DOS ATTACK

ABSTRACT

Denial-of-Service (DoS) is a type of attack in networks in which an attacker may be able to prevent legitimate users from accessing email, web sites, online accounts (banking, etc.), or other services that rely on the affected computer. Unfortunately, mechanisms for dealing with DoS attacks haven’t advanced at the same pace as the attacks themselves.

We present a new method for identifying denial-of-service attacks that uses the attacker’s media access control address for identification and trace back. Our approach to thwarting DoS attacks, called Speedy IP Trace back (SIPT), uses the boundary router the attacker is connected to, allows identification after the attack, and imposes minimal extra load on the network. Most research in this area has focused on mitigating the effects of the attacks. That approach provides an effective stopgap measure, but doesn’t eliminate the problem or discourage attackers.

Denial of Service (DoS) attacks are a serious threat for the Internet. DoS attacks can consume memory, CPU, and network resources and damage or shut down the operation of the resource under attack (the victim). Quality of service (QoS)-enabled networks, which offer different levels of service, are vulnerable to QoS attacks as well as DoS attacks. The aim of a QoS attack is to steal network resources, e.g., bandwidth, or to degrade the service perceived by users. We present a classification and a brief explanation of the approaches used to deal with DoS and QoS attacks. Furthermore, we propose network monitoring techniques to detect service violations and to infer DoS attacks. Finally, a quantitative comparison among all schemes is conducted, in which we highlight the merits of each scheme and estimate the overhead (both processing and communication) introduced by it. The comparison provides guidelines for selecting the appropriate scheme, or a combination of schemes, based on the requirements and how much overhead can be tolerated.

Dept. of E&C, CEC Page |1



CONTENTS

1. INTRODUCTION ........................................................ 1
   1.1 SYMPTOMS AND MANIFESTATIONS OF DOS ATTACKS ...................... 4
   1.2 METHODS OF ATTACK ............................................... 4
2. STUDY OF DOS ATTACK ................................................. 6
3. DETECTION APPROACHES ............................................... 10
   3.1 ICMP TRACE BACK ................................................ 10
   3.2 PACKET MARKING ................................................. 12
4. PREVENTION APPROACHES .............................................. 14
   4.1 INGRESS FILTERING .............................................. 14
   4.2 ROUTE-BASED FILTERING .......................................... 15
   4.3 LINK TESTING ................................................... 15
       4.3.1 INPUT DEBUGGING .......................................... 15
       4.3.2 CONTROLLED FLOODING ...................................... 16
   4.4 LOGGING ........................................................ 16
5. SIPT FOR IDENTIFYING THE BOUNDARY ROUTER ........................... 18
6. HOW SIPT WORKS ..................................................... 19
7. ADVANTAGES AND DISADVANTAGES ....................................... 20
8. CONCLUSION ......................................................... 21
9. BIBLIOGRAPHY ....................................................... 22


1. INTRODUCTION

In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services by targeting their computers and network connections, or the computers and network of the sites they are trying to use, e.g., by flooding the network with information.

In a distributed denial-of-service (DDoS) attack, an attacker may use other users’ computers to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of other computers and use them to send huge amounts of data to a web site or spam to particular email addresses. The attack is "distributed" because the attacker uses multiple computers to launch the denial-of-service attack. Attackers can explicitly conceal their origin by directly compromising individual slave, or zombie, host computers without the computer owners’ knowledge.

For example, a remote master machine can send packets from many different
slave computers under its control. Attackers can also implicitly conceal the attack’s origin
with a reflector that responds to false requests the slaves send on the victim’s behalf.

This trace back problem is driven by the operational need to control and contain
attacks. Even though packets have a source and destination IP address, the source is
frequently falsified, allowing DoS attacks to occur.

In general terms, DoS attacks are implemented either by forcing the targeted computer(s) to reset, by consuming its resources so that it can no longer provide its intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

Denial-of-service attacks are considered violations of the IAB's Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations.

1.1 SYMPTOMS AND MANIFESTATIONS OF DOS ATTACKS

The United States Computer Emergency Response Team defines symptoms of denial-of-service attacks to include:

• Unusually slow network performance (opening files or accessing web sites)
• Unavailability of a particular web site
• Inability to access any web site
• Dramatic increase in the number of spam emails received (this type of DoS attack is considered an email bomb)

Denial-of-service attacks can also lead to problems in the network 'branches'
around the actual computer being attacked. For example, the bandwidth of a router
between the Internet and a LAN may be consumed by an attack, compromising not only
the intended computer, but also the entire network.

If the attack is conducted on a sufficiently large scale, entire geographical regions of Internet connectivity can be compromised without the attacker's knowledge or intent by incorrectly configured or flimsy network infrastructure equipment.

1.2 METHODS OF ATTACK

A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. There are two general forms of DoS attacks: those that crash services and those that flood services.

Attacks can be directed at any network device, including attacks on routing devices and web, electronic mail, or Domain Name System servers.


A DoS attack can be perpetrated in a number of ways. The five basic types of attack are:

• Consumption of computational resources, such as bandwidth, disk space, or processor time.
• Disruption of configuration information, such as routing information.
• Disruption of state information, such as unsolicited resetting of TCP sessions.
• Disruption of physical network components.
• Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

A DoS attack may include execution of malware intended to:

• Max out the processor's usage, preventing any work from occurring.
• Trigger errors in the microcode of the machine.
• Trigger errors in the sequencing of instructions, so as to force the computer into an unstable state or lock-up.
• Exploit errors in the operating system, causing resource starvation and/or thrashing, i.e., using up all available facilities so no real work can be accomplished.
• Crash the operating system itself.


2. STUDY OF DOS ATTACK

In the literature, there are several approaches to deal with Denial of Service (DoS) attacks. In this section, we provide an approximate taxonomy of these approaches. In addition, we briefly describe the main features of each approach and highlight its strengths and weaknesses.

We divide the approaches for dealing with DoS attacks into two main categories:

• Detection approaches
• Prevention approaches

The detection approaches capitalize on the fact that appropriately punishing wrongdoers (attackers) will deter them from attacking again, and will deter others from doing the same. The detection process has two phases: detecting the attack and identifying the attacker. To identify an attacker, several trace back methods can be used, as explained later. The obvious way to detect an attack is just waiting till the system performance decreases sharply or even the whole system collapses. We propose a more effective method for detecting attacks before they severely harm the system: we propose to use monitoring for early detection of DoS attacks.

The prevention approaches, on the other hand, try to thwart attacks before they harm the system. Filtering is the main strategy used in the prevention approaches. To clarify the presentation, we use the hypothetical network topology shown in Fig. 1 to demonstrate several scenarios for DoS attacks and how the different approaches react to them.


Figure 2 shows several hosts (denoted by Hs) connected to four domains D1, D2, D3, and D4, which are interconnected through the Internet cloud. In the figure, Ai represents an attacker i while V represents a victim.

Fig 2. Different scenarios for DoS attacks. Attacker A1 launches an attack on the victim V. A1 spoofs the IP address of host H5 from domain D5. Another attacker A3 uses host H3 as a reflector to attack V.

The aim of a DoS attack is to consume the resources of a victim or the resources on the way to communicate with a victim. By wasting the victim’s resources, the attacker disallows it from serving legitimate customers. A victim can be a host, server, router, or any computing entity connected to the network. Inevitable human errors during software development, configuration, and installation open several unseen doors for these types of attacks.

Flooding a victim with an overwhelming amount of traffic is the most common form of attack. This unusual traffic clogs the communication links and thwarts all connections among the legitimate users, which may result in shutting down an entire site or a branch of the network. TCP SYN flooding is an instance of the flooding attacks [22]. Under this attack, the victim is a host and usually runs a Web server. A regular client opens a connection with the server by sending a TCP SYN segment.

The server allocates a buffer for the expected connection and replies with a TCP ACK segment.

The connection remains half-open (backlogged) till the client acknowledges the ACK of the server and moves the connection to the established state. If the client does not send the ACK, the buffer will be deallocated after a timer expires. The server can only have a specific number of half-open connections, after which all requests will be refused. The attacker sends a TCP SYN segment pretending a desire to establish a connection and making the server reserve a buffer for it. The attacker does not complete the connection. Instead, it issues more TCP SYNs, which lead the server to waste its memory and reach its limit for backlogged connections. Sending such SYN requests at a high rate keeps the server unable to satisfy connection requests from legitimate users. Schuba et al. [22] developed a tool to alleviate the SYN flooding attack. The tool watches for SYN segments coming from spoofed IP addresses and sends TCP RST segments to the server. The RST segments terminate the half-open connections and free their associated buffers. Other types of flooding attacks include TCP ACK and RST flooding, ICMP and UDP echo-request flooding, and DNS request flooding [16, 24]. This list is by no means exhaustive.

A DoS attack can be more severe when an attacker uses multiple hosts over the Internet to storm a victim. To achieve this, the attacker compromises many hosts and deploys attacking agents on them. The attacker signals all agents to simultaneously launch an attack on a victim. Barros [1] shows that a DDoS attack can reach a high level of sophistication by using reflectors. A reflector is like a mirror that reflects light. In the Internet, many hosts such as Web servers, DNS servers, and routers can be used as reflectors because they always reply to (or reflect) specific types of packets. Web servers reply to SYN requests, DNS servers reply to queries, and routers send ICMP packets (time exceeded or host unreachable) in response to particular IP packets. Attackers can abuse these reflectors to launch DDoS attacks. For example, an attacking agent sends a SYN request to a reflector specifying the victim’s IP address as the source address of the agent. The reflector will send a SYN ACK to the victim. There are millions of reflectors in the Internet and the attacker can use these reflectors to flood the victim’s network by sending a large amount of packets. Paxson [20] analyzes several Internet protocols and applications and concludes that DNS servers, Gnutella servers, and TCP-based servers are potential reflectors.

Classification of the approaches for dealing with DoS attacks, by the phase of the attack in which they act:

Prevention and preemption (before the attack)
  • Apply software patches
  • SYN cookies, client puzzles
  • Design DoS-attack-resistant systems
  • Overlay networks

Detection (during the attack)
  • Signature (misuse) detection
  • Anomaly detection

Mitigation and filtering (during the attack)
  • Client puzzles
  • Aggregate filtering, pushback
  • Overlay networks

Attack source traceback and identification (during and after the attack)
  • IP traceback: packet marking
  • IP traceback: packet logging
  • “Attack traceback”

3. DETECTION APPROACHES

The detection approaches rely on finding the malicious party who launched a DoS attack and consequently holding him liable for the damage he has caused. However, pinning the real attacker down is not a straightforward task. One reason is that the attacker spoofs the source IP address of the attacking packets. Another reason is that the Internet is stateless, which means that whenever a packet passes through a router, the router does not store any information (or traces) about that packet. Therefore, mechanisms such as ICMP trace back and packet marking are devised to figure out the real attacker. In this section, we describe several techniques to identify the attacker after the attack took place.

Figure 3. Distributed Attack Detection Approach

3.1. ICMP TRACEBACK

Bellovin [2] proposes the idea of ICMP trace back messages, where every router samples the forwarded packets with a very low probability (e.g., 1 out of 20,000) and sends an ICMP Trace back message to the destination. An ICMP Trace back message contains the previous and next hop addresses of the router, a timestamp, a portion of the traced packet, and authentication information. In Figure 1, while packets are traversing the network path from the attacker A1 to the victim V, the intermediate routers (R1, R2, R3, R4, R5, and R6) sample some of these packets and send ICMP Trace back messages to the destination V. With enough messages, the victim can trace the network path A1 → V. The pitfall of this approach is that the attacker can send many false ICMP Trace back messages to confuse the victim.
To address Distributed DoS (DDoS) attacks by reflectors, Barros [1] proposes a modification to the ICMP Trace back messages. In his refinement, routers sometimes send ICMP Trace back messages to the source. In Figure 1, A3 launches a DDoS attack by sending TCP SYN segments to the reflector H3 specifying V as the source address. H3, in turn, sends SYN ACK segments to the victim V. According to the modification, routers on the path A3 → H3 will send ICMP messages to the source, i.e., to V. This reverse trace enables the victim to identify the attacking agent from these trace packets. The reverse trace mechanism depends only on the number of attacking agents, and not on the number of reflectors [20]. This achieves scalability because the number of available reflectors is much higher than the number of attacking agents on the Internet.

Snoeren et al. [23] propose an attractive hash-based system that can trace the origin of a single IP packet delivered by a network in the recent past. The system is called source path isolation engine (SPIE). SPIE uses an efficient method to store information about packets traversing a particular router. The method uses n bits of the hashed value of the packet to set an index of a 2^n-bit digest table. When a victim detects an attack, a query is sent to SPIE, which queries routers for packet digests of the relevant time periods. Topology information is then used to construct the attack graph from which the source of the attack is determined.

3.2. PACKET MARKING

Instead of having routers send separate messages for the sampled packets,
Burch and Cheswick [5] propose to inscribe some path information into the header of the
packets themselves. This marking can be deterministic or probabilistic. In the
deterministic marking, every router marks all packets. The obvious drawback of the
deterministic packet marking is that the packet header grows as the number of hops
increases on the path. Moreover, significant overhead will be imposed on routers to mark
every packet.

Figure 3.2. Marking a packet. Routers pick out packets directly connected to clients and mark them with the attacker identification information.
The probabilistic packet marking (PPM) encodes the path information into a small fraction of the packets. The assumption is that during a flooding attack, a huge amount of traffic travels towards the victim. Therefore, there is a great chance that many of these packets will be marked at routers throughout their journey from the source to the victim. It is likely that the marked packets will give enough information to trace the network path from the victim to the source of the attack. Savage et al. [21] describe efficient mechanisms to encode the path information into packets. This information contains the XOR (exclusive OR) of two IP addresses and a distance metric. The two IP addresses are those of the start and end routers of a link. The distance metric represents the number of hops between the attacker and the victim. To illustrate the idea, consider the attacker A1 and the victim V in Figure 1. Assume there is only one hop between routers R3 and R4. If router R1 marks a packet, it encodes the XOR of the R1 and R2 addresses into the packet and sets the distance metric to zero, that is, it encodes the tuple <R1 ⊕ R2, 0>. Other routers on the path just increase the distance metric of this packet if they don’t decide to mark it again. When this packet reaches the victim, it provides the tuple <R1 ⊕ R2, 5>. Similarly, some packets may get marked at routers R2, R3, R4, R5, and R6, and they will provide the tuples <R2 ⊕ R3, 4>, <R3 ⊕ R4, 3>, <R4 ⊕ R5, 2>, <R5 ⊕ R6, 1>, and <R6, 0>, respectively, when they reach the victim. The victim can retrieve all routers on the path by XORing the collected messages sorted by distance. (Recall that Rx ⊕ Ry ⊕ Rx = Ry.) This approach can reconstruct most network paths with 95% certainty if there are about 2,000 marked packets available, and even the longest path can be resolved with 4,000 packets [21]. For DoS attacks, this amount of packets is clearly obtainable because the attacker needs to flood the network to cause a DoS attack. (Moore et al. [16] report that some severe DoS attacks had a rate of thousands of packets per second.) The authors describe ways to reduce the required space and suggest using the identification field (currently used for IP fragmentation) of the IP header to store the encoding of the path information. They also propose solutions to handle the co-existence of marking and fragmentation of IP packets [21].
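The edge-sampling encoding and the XOR reconstruction just described, carried through in Python as an added example (not code from this report or from Savage et al. [21]). The router addresses, the 5% marking probability and the 2,000-packet flood are constructed; the reconstruction also checks the single-source assumption the text relies on and refuses to proceed when two different edges arrive at the same distance.

```python
import ipaddress
import random


def ip_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def ip_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def forward_with_ppm(path, mark_prob, rng):
    """Carry one packet from the attacker along `path` (router IPs, first hop
    first) to the victim. With probability `mark_prob` a router marks the
    packet: it writes the XOR of its own address and the next router's address
    (the last router, as in the text's tuple <R6, 0>, writes only its own
    address) and resets the distance to 0. A router that does not mark
    increments the distance of any mark already present. Returns the
    (edge, distance) tuple the victim sees, or None if nobody marked."""
    mark = None
    for i, router in enumerate(path):
        if rng.random() < mark_prob:
            nxt = ip_int(path[i + 1]) if i + 1 < len(path) else 0
            mark = (ip_int(router) ^ nxt, 0)
        elif mark is not None:
            mark = (mark[0], mark[1] + 1)
    return mark


def reconstruct_path(marks):
    """Rebuild the router path from collected (edge, distance) tuples.
    Walking outward from distance 0, each edge XORed with the router already
    recovered one hop closer to the victim yields the next router
    (Rx ^ Ry ^ Rx = Ry). Returns router IPs from the victim side outward.
    Raises ValueError when a distance is missing, or when two different edges
    share a distance, which is what happens with multiple attack sources."""
    by_dist = {}
    for edge, d in marks:
        by_dist.setdefault(d, set()).add(edge)
    if not by_dist:
        raise ValueError("no marks collected")
    routers, prev = [], 0
    for d in range(max(by_dist) + 1):
        edges = by_dist.get(d, set())
        if len(edges) != 1:
            raise ValueError(f"missing or ambiguous edge at distance {d}")
        prev ^= next(iter(edges))
        routers.append(ip_str(prev))
    return routers


# Constructed topology: attacker A1 behind R1, path R1..R6 to the victim.
PATH = [f"10.0.{i}.1" for i in range(1, 7)]


def textbook_marks():
    """The six tuples the text derives: <R1^R2,5>, <R2^R3,4>, ..., <R6,0>."""
    marks = []
    for i, router in enumerate(PATH):
        nxt = ip_int(PATH[i + 1]) if i + 1 < len(PATH) else 0
        marks.append((ip_int(router) ^ nxt, len(PATH) - 1 - i))
    return marks


def simulate_flood(n_packets, mark_prob=0.05, seed=1):
    """Flood of n_packets along PATH; keep the marks that reach the victim
    and reconstruct the path from them."""
    rng = random.Random(seed)
    marks = (forward_with_ppm(PATH, mark_prob, rng) for _ in range(n_packets))
    return reconstruct_path([m for m in marks if m is not None])


if __name__ == "__main__":
    print(reconstruct_path(textbook_marks()))  # R6, R5, ..., R1
    print(simulate_flood(2000))
```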

The main limitation of the PPM approaches stems from the fact that nothing prevents the attacker from marking packets. If a packet marked by the attacker does not get re-marked by any intermediate router, it will confuse the victim and make it harder to trace the real attacker. Park and Lee [17] show that for single-source DoS attacks, PPM can identify a small set of sources as potential candidates for a DoS attack. For DDoS attacks, however, the attacker can increase the uncertainty in localizing the attack sources. Therefore, PPM is vulnerable to distributed DoS attacks [17].

4. PREVENTION APPROACHES

Preventive approaches try to stop a DoS attack by identifying the attack packets
and discarding them before reaching the victim. We summarize several packet filtering
techniques that achieve this goal.

4.1. INGRESS FILTERING

Incoming packets to a network domain can be filtered by ingress routers. These filters verify the identity of packets entering the domain, like an immigration security system at an airport. Ingress filtering, proposed by Ferguson and Senie [10], is a restrictive mechanism that drops traffic with a source IP address that does not match a domain prefix connected to the ingress router. As an example, in Figure 1, the attacker A1 resides in domain D1 with the network prefix a.b.c.0/24. The attacker wants to launch a DoS attack on the victim V that is connected to domain D4. If the attacker spoofs the IP address of host H5 in domain D5, which has the network prefix x.y.z.0/24, an input traffic filter on the ingress link of R1 will thwart this spoofing. R1 only allows traffic originating from source addresses within the a.b.c.0/24 prefix. Thus, the filter prohibits an attacker from using spoofed source addresses from outside of the prefix range. Similarly, filtering foils DDoS attacks that employ reflectors. In Figure 1, the ingress filter of D2 will discard packets destined to the reflector H3 and specifying V’s address in the source address field. Thus, these packets will not be able to reach the reflector. Ingress filtering can drastically reduce DoS attacks by IP spoofing if all domains use it. It is hard, though, to deploy ingress filters in all Internet domains. If there are some unchecked points, it is possible to launch DoS attacks from those points. Unlike ingress filters, egress filters [13] reside at the exit points of a network domain and check whether the source address of exiting packets belongs to this domain. Aside from the placement issue, both ingress and egress filters have similar behavior.


4.2. ROUTE-BASED FILTERING

Park and Lee [18] propose route-based distributed packet filtering, which relies on route information to filter out spoofed IP packets. For instance, suppose that A1 belongs to domain D1 and is attempting a DoS attack on V, which belongs to domain D4. If A1 uses the spoofed address H5 that belongs to domain D5, the filter at domain D1 would recognize that a packet originating from domain D5 and destined to V should not travel through domain D1. Then, the filter at D1 will discard the packet. Route-based filters do not use or store individual host addresses for filtering; rather, they use the topology information of Autonomous Systems (ASes). The authors of [18] show that with partial deployment of route-based filters, about 20% in the Internet AS topologies, it is possible to achieve a good filtering effect that prevents spoofed IP flows from reaching other ASes. These filters need to build route information by consulting BGP routers of different ASes. Since routes on the Internet change with time [19], it is a challenge for route-based filters to be updated in real time. Finally, all filters proposed in the literature so far fall short of detecting IP address spoofing from the domain in which the attacker resides. For example, in Figure 1, if A1 uses some unused IP addresses of domain D1, the filters will not be able to stop such forged packets from reaching the victim V.

4.3 LINK TESTING

Administrators use two different types of link tests:

• Input debugging
• Controlled flooding


4.3.1 INPUT DEBUGGING

With this test, administrators capture and record specific details on IP packets
that traverse networks. Once administrators know that an attack is in progress, they must
find a unique characteristic common across attack packets. This is called the attack
signature, which is used to differentiate attack traffic and determine the inbound interface.

4.3.2 CONTROLLED FLOODING

This involves sending large bursts of traffic link by link upstream and monitoring
the impact on the rate of received attacking packets. While an attack is in progress, an
administrator can run extended pings across each upstream link to see which has an effect
on attacking traffic. Once the administrator finds this link on the router closest to the
victim, the process is repeated with the next route upstream.

4.4 LOGGING

Some assume that administrators can store, or log, all packets that traverse a
router or network to investigate attacks even after they have stopped. Administrators
could handle this by using a fixed amount of storage capacity and logging recent data
while purging old data as needed. They could also use packet slicing, which only records
each packet’s IP header information. This technique could potentially affect system and
network performance through increased traffic from logged data and higher router CPU
and memory utilization.


5. SIPT FOR IDENTIFYING THE BOUNDARY ROUTER

Existing techniques to combat DoS attacks focus on finding the entire set of routers that the attack packet has traversed. However, knowing the packet’s actual path doesn’t really help to find the attacker. Statistically, packets don’t usually follow many different paths while moving between the source and destination.

The Speedy IP Trace back (SIPT) method finds the boundary router (the router connected directly to the client) or a particular client’s Linux embedded appliance firewall router. Once we know the boundary router and the attacker’s media access control (MAC) address, we can identify the attacker and find the attack path.

With SIPT, each router determines if an incoming packet originated from a directly connected client or from another router. If the packet came from a client, the router inserts a data link connection identifier for the source (client) and the IP address of its own incoming interface. The packet is then forwarded as usual. If the packet came from a router, it is simply forwarded without any addition. With this additional source link address information in the packet, the destination can identify the attacker’s boundary router.


6. HOW SIPT WORKS


The router plays a vital role in SIPT. For packets originating from a directly
connected client, the router inserts the client’s data link identifier (available in the source
MAC field of the MAC header) and its own IP address (the address of the incoming
interface) into the packet’s IP header using one of the several available packet-marking
techniques.

This marking process inserts the attacker identification information (AII). After
marking, the system forwards the packet as usual. If the packet didn’t arrive from a
directly connected client, but instead from another upstream router, it is forwarded as
usual without any marking.

Every packet that the server receives is hence marked with the MAC address of the machine that sent it and the IP address of the router the machine is connected to. The server is thus armed with enough information to establish the origin of every packet it receives. The marking must be done at the first router because it alone knows the client’s MAC address; the attacker’s source MAC address is lost when the MAC header is replaced at the next hop. Several available intrusion detection systems will detect a DoS attack and trigger our system into action. The server then captures the attack packets either by pattern analysis or by a hash-table counting method.

As Figure 3 shows, we used the hash-table counting method in our all-Linux implementation. This approach extracts the AII from the packet and stores it in a hash table after classifying (hashing) it on the basis of the MAC address. It also maintains a record of the number of packets arriving from the same machine and containing the same AII.

On building the hash table, we could clearly identify the machine(s) that sent
traffic in anomalously large proportions. These were then blacklisted as attack machines.
We could also identify when more than one machine sent anomalously large proportions
of traffic, a capability that makes our system useful for fighting DDoS attacks.

After this, an administrator can quickly and easily perform the trace back. The server refers to the AII and retrieves the IP address of the router the attacker is directly connected to and the attacker’s MAC address. The system can identify the attacker with just these two pieces of information.
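The marking, hash-table counting and trace-back steps of Sections 5 and 6, as an added Python example that is not the authors’ Linux implementation. The Packet and Interface structures, the median-based threshold for “anomalously large”, and all MAC and IP addresses are constructed for illustration; the sample traffic uses two attack machines so the DDoS case is covered too.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import median
from typing import Optional, Tuple

AII = Tuple[str, str]  # (client source MAC, boundary-router ingress IP)


@dataclass
class Packet:
    src_mac: str              # source MAC of the frame on the ingress interface
    src_ip: str               # IP source address; may be spoofed
    dst_ip: str
    aii: Optional[AII] = None  # attacker identification information (SIPT mark)


@dataclass
class Interface:
    ip: str
    faces_client: bool  # True: directly connected clients; False: another router


def sipt_forward(pkt: Packet, ingress: Interface) -> Packet:
    """One SIPT router hop. Only the boundary router (ingress interface facing
    a directly connected client) marks, and it always overwrites whatever AII
    the client may have put there itself. Transit routers forward unchanged:
    by then the client's MAC is gone from the frame anyway."""
    if ingress.faces_client:
        pkt.aii = (pkt.src_mac, ingress.ip)
    return pkt


def build_aii_table(packets) -> Counter:
    """Server side: hash table keyed on AII, counting packets per entry."""
    table = Counter()
    for p in packets:
        if p.aii is not None:
            table[p.aii] += 1
    return table


def identify_attackers(table: Counter, factor: float = 10.0):
    """Flag AIIs whose packet count is anomalously large relative to the
    median sender. Several entries may be flagged (DDoS). Returns a blacklist
    of (client_mac, boundary_router_ip, count), heaviest first."""
    if not table:
        return []
    baseline = median(table.values())
    flagged = [(mac, rtr, n) for (mac, rtr), n in table.items()
               if n > factor * baseline]
    return sorted(flagged, key=lambda t: -t[2])


def trace_back(blacklist):
    """Administrator view: the two facts SIPT yields per flagged entry."""
    return [f"client MAC {mac} behind router {rtr} ({n} packets)"
            for mac, rtr, n in blacklist]


def constructed_traffic():
    """Constructed sample (documentation address ranges, not real hosts):
    four legitimate clients send 10 packets each; two attack machines behind
    boundary router 192.0.2.1 flood the victim with rotating spoofed
    source IPs, so the IP column alone is useless for trace back."""
    edge = Interface("192.0.2.1", faces_client=True)
    core = Interface("198.51.100.1", faces_client=False)
    victim = "203.0.113.10"
    pkts = []
    for k in range(4):
        mac = f"02:00:00:00:00:{k:02x}"
        pkts += [Packet(mac, f"192.0.2.{10 + k}", victim) for _ in range(10)]
    for mac, n in (("02:00:00:00:0a:01", 500), ("02:00:00:00:0a:02", 300)):
        pkts += [Packet(mac, f"10.{i % 256}.{i // 256}.7", victim)
                 for i in range(n)]
    # first hop marks; the second hop must leave the AII untouched
    return [sipt_forward(sipt_forward(p, edge), core) for p in pkts]


if __name__ == "__main__":
    table = build_aii_table(constructed_traffic())
    for line in trace_back(identify_attackers(table)):
        print(line)
```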


7. ADVANTAGES AND DISADVANTAGES

Table 7 shows the relative advantages and disadvantages of the new approach (SIPT) and each trace back technique.


8. CONCLUSION
Since our method has backward compatibility and supports incremental
deployment, the probability of finding an attacker will increase with the percentage of
routers capable of running our trace back algorithm. For our implementation, we trust the
authenticity of the MAC addresses. Although IP address spoofing is common, statistics
show that MAC address spoofing is less prevalent.

However, future MAC address spoofing can’t be ruled out. In any case, even if
the MAC address is spoofed, this method manages to pinpoint the boundary router,
which in itself amounts to solving a major portion of the IP trace back problem.

The SIPT approach doesn’t constitute a hop-by-hop trace back. Instead, it directly finds the boundary router connected to the attacker. Besides being a faster method for finding the attacker, SIPT imposes a lower network load than other methods. Although tuned for defending against DoS attacks, SIPT can be used to single out other kinds of attacks once the trace has identified an attack packet.

Considering the vast scope of networking issues and problems, many more layers
of implementation might be needed as we proceed with deployment.


9. BIBLIOGRAPHY

[1] C. Barros. A proposal for ICMP trace back messages. Internet Draft, http://www.research.att.com/lists/ietfitrace/2000/09/msg00044.html, Sept. 18, 2000.

[2] S. M. Bellovin. ICMP trace back messages. Internet draft: draft-bellovin-itrace-00.txt, Mar. 2000.

[3] S. Blake, D. Black, M. Carlson, E. Davies, Z. Wang, and W. Weiss. An architecture for Differentiated Services. RFC 2475, Dec. 1998.

[4] Y. Breitbart, C. Y. Chan, M. Garofalakis, R. Rastogi, and A. Silberschatz. Efficiently monitoring bandwidth and latency in IP networks. In Proc. IEEE INFOCOM, Anchorage, AK, Apr. 2001.

[5] H. Burch and H. Cheswick. Tracing anonymous packets to their approximate source. In Proc. USENIX LISA, pages 319–327, New Orleans, LA, Dec. 2000.

[6] R. Cáceres, N. G. Duffield, J. Horowitz, and D. Towsley. Multicast-based inference of network-internal loss characteristics. IEEE Transactions on Information Theory, Nov. 1999.

[7] M. C. Chan, Y.-J. Lin, and X. Wang. A scalable monitoring approach for service level agreements validation. In Proc.

[8] S. Specht and R. Lee. Distributed Denial of Service: Taxonomies of Attacks, Tools, and Countermeasures. Proc. 17th Int’l Conf. http://palms.ee.princeton.edu/PALMSopen/DDoS%20Final%20PDCS%20.

[9] P. Ferguson and D. Senie. Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing. IETF RFC 2827, May 2000; www.rfceditor.org/rfc/rfc2827.txt.

[10] S. Savage et al. Network Support for IP Trace back. IEEE/ACM Trans. Networking, June 2001, pp. 226–237.

[11] C. Gong and K. Sarac. IP Trace back with Packet Marking and Logging. Proc. South Central Information Security Symp. (SCISS 04), Univ. of North Texas, 2004, p. 1.
