
Research On Packet Marking Against Malicious IP Packets

Posted on: 2014-09-16
Degree: Master
Type: Thesis
Country: China
Candidate: L J Huang
Full Text: PDF
GTID: 2268330422965622
Subject: Computer application technology
Abstract/Summary:
Distributed Denial of Service (DDoS) attack is one of the main factors threatening Internet security. It originated from the traditional Denial of Service attack and causes much more severe damage. Among the technologies for defending against DDoS attacks, packet marking has attracted a great deal of attention. Path traceback based on packet marking can help the victim locate the source of malicious packets; with it, the victim can deploy other related defensive technologies at the appropriate locations and effectively curb the impact of malicious flows on the intermediate transit network and on the destination host. Path identification (Pi) can help the victim distinguish legitimate packets from malicious ones, respond quickly to the attack and minimize its impact.

This thesis focuses on packet marking technology and studies several new packet marking techniques for the traditional IPv4 network and the next-generation IPv6 network. Three specific optimized and innovative schemes are proposed, each striving to achieve good defense.

(1) Through in-depth study of IP traceback and path identification, we propose a novel scheme that joins deterministic packet marking with path identification (Pi-DPM). By recording and transporting two kinds of information in the marking field, the victim can both accurately reconstruct the IP address of the boundary node at the true source of a malicious packet via the DPM scheme, and filter a large group of malicious packets using the Pi mark. Simulation shows that the scheme can effectively reduce the impact of DDoS attack streams targeting the victim while locating the autonomous system of the real attacker.

(2) On the basis of an in-depth study of probabilistic packet marking (PPM), and considering the limitations of path reconstruction in time and space complexity, we propose a novel probabilistic packet marking scheme based on a source mark (S-PPM). The new scheme adds a 13-bit field identifying the malicious source, which the victim can use to pre-classify malicious packets. With this pre-classification, path reconstruction for a multi-source distributed attack is simplified into many single-source reconstructions, greatly reducing the time and difficulty of the reconstruction algorithm. Simulation results show that the scheme effectively reduces the number of packets and the time required for path reconstruction.

(3) Through study of the IPv6 header structure and address allocation strategy, we propose a novel source-filtering deterministic packet marking scheme based on the IPv6 address allocation strategy (SDPM6). SDPM6 employs source address authentication to ensure that the source address is accurate, and uses the DPM algorithm to trace the Internet access node of IPv6 packets; network administrators can then cooperate to filter malicious packets at the source network. The scheme simplifies the marking information to a length of only 14 bytes, carried in the Destination Options extension header. SDPM6 also takes into account the information needed to start the filtering process once the attack source has been traced. Finally, theoretical analysis and simulation results show the effectiveness of SDPM6.

The packet marking schemes proposed in this thesis make a modest contribution to the field of DDoS attack defense. With the development of networks and new applications, DDoS defense methods will face many new problems in practice, so the requirements on their effectiveness, security and extensibility keep growing.
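As an added illustration of the Pi-DPM idea in scheme (1), written for this page and not taken from the thesis: a small Python simulation in which the ingress (boundary) router writes one octet of its own address plus that octet's index into the marking field (deterministic packet marking, following the classic DPM split of the 16-bit Identification field plus the reserved flag bit), while every router on the path shifts its own bit into a Pi window in the same field. The victim collects DPM octets per Pi mark, reconstructs the ingress address of each path, and filters on marks learned from attack traffic. The 17-bit layout, the router topology and addresses, and the per-hop bit (taken straight from the router's address so the marks can be checked by hand, where Pi uses a hash of the address) are all assumptions of this example.

```python
"""Toy Pi-DPM simulation: joint deterministic packet marking and path
identification in one marking field. Illustrative code for this page, not the
thesis author's implementation; layout, topology and addresses are assumed."""
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed layout of a 17-bit marking space (the IPv4 Identification field plus
# the reserved flag bit, as classic DPM uses). The thesis does not state its
# layout; this one simply lets both marks sit side by side.
DPM_OCTET_BITS = 8                          # bits 0-7: one octet of ingress IP
DPM_INDEX_BITS = 2                          # bits 8-9: which octet (0..3)
PI_SHIFT = DPM_OCTET_BITS + DPM_INDEX_BITS  # bits 10-16: Pi window
PI_BITS = 7
PI_MASK = (1 << PI_BITS) - 1
DPM_MASK = (1 << PI_SHIFT) - 1


@dataclass
class Packet:
    src: str              # claimed source; the attacker spoofs it
    dst: str
    mark: int = 0
    attack: bool = False  # ground truth, used only to evaluate the filter


def hop_bit(router_ip: str) -> int:
    """Per-hop Pi bit. Assumption: low bit of the router's last octet (Pi
    itself derives the bit from a hash of the router address)."""
    return int(router_ip.rsplit(".", 1)[1]) & 1


def pi_mark_hop(mark: int, router_ip: str) -> int:
    """Each router shifts the Pi window left by one and inserts its own bit,
    so the victim ends up seeing the bits of the last PI_BITS hops."""
    pi = (mark >> PI_SHIFT) & PI_MASK
    pi = ((pi << 1) | hop_bit(router_ip)) & PI_MASK
    return (mark & DPM_MASK) | (pi << PI_SHIFT)


def dpm_mark_ingress(mark: int, ingress_ip: str, rng: random.Random) -> int:
    """The boundary router overwrites the DPM sub-field with one randomly
    chosen octet of its own address and that octet's index."""
    octets = ipaddress.IPv4Address(ingress_ip).packed
    idx = rng.randrange(4)
    return (mark & (PI_MASK << PI_SHIFT)) | (idx << DPM_OCTET_BITS) | octets[idx]


def forward(pkt: Packet, path: List[str], rng: random.Random) -> Packet:
    """Carry a packet along a path. path[0] is the ingress router, which
    applies the DPM mark; every router on the path applies its Pi bit."""
    pkt.mark = dpm_mark_ingress(pkt.mark, path[0], rng)
    for router in path:
        pkt.mark = pi_mark_hop(pkt.mark, router)
    return pkt


def pi_of(mark: int) -> int:
    return (mark >> PI_SHIFT) & PI_MASK


def dpm_of(mark: int) -> Tuple[int, int]:
    return mark & 0xFF, (mark >> DPM_OCTET_BITS) & 0b11


class Victim:
    """Buckets DPM octets by Pi mark so that packets entering at different
    boundary routers do not get their octets mixed, and filters on Pi marks
    observed in attack traffic."""

    def __init__(self) -> None:
        self.octets: Dict[int, Dict[int, int]] = {}
        self.blocked: Set[int] = set()

    def observe(self, pkt: Packet) -> None:
        octet, idx = dpm_of(pkt.mark)
        self.octets.setdefault(pi_of(pkt.mark), {})[idx] = octet

    def ingress_for(self, pi: int) -> Optional[str]:
        """Reconstruct the ingress address once all four octets have arrived."""
        seen = self.octets.get(pi, {})
        if len(seen) < 4:
            return None
        return str(ipaddress.IPv4Address(bytes(seen[i] for i in range(4))))

    def mark_as_attack(self, pkt: Packet) -> None:
        self.blocked.add(pi_of(pkt.mark))

    def accept(self, pkt: Packet) -> bool:
        return pi_of(pkt.mark) not in self.blocked


# Constructed topology: both paths share the last hop, differ before it.
ATTACK_PATH = ["203.0.113.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
LEGIT_PATH = ["198.51.100.1", "10.0.1.3", "10.0.1.5", "10.0.0.4"]
VICTIM = "192.0.2.10"


def simulate(n: int = 60, seed: int = 1) -> dict:
    rng = random.Random(seed)
    victim = Victim()
    attack = [forward(Packet("10.9.9.9", VICTIM, attack=True), ATTACK_PATH, rng)
              for _ in range(n)]                       # spoofed source address
    legit = [forward(Packet("198.51.100.77", VICTIM), LEGIT_PATH, rng)
             for _ in range(n)]
    for pkt in attack + legit:
        victim.observe(pkt)
    for pkt in attack:       # in practice flagged by rate/anomaly, not ground truth
        victim.mark_as_attack(pkt)
    return {
        "attack_pi": pi_of(attack[0].mark),
        "legit_pi": pi_of(legit[0].mark),
        "attack_ingress": victim.ingress_for(pi_of(attack[0].mark)),
        "legit_ingress": victim.ingress_for(pi_of(legit[0].mark)),
        "attack_accepted": sum(victim.accept(p) for p in attack),
        "legit_accepted": sum(victim.accept(p) for p in legit),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner should keep in mind, both known limitations of the underlying schemes rather than something the abstract claims to solve: with one bit per hop and a short window, two paths that share their last few hops end up with identical Pi marks and cannot be told apart by the filter; and overwriting the Identification field at the ingress router breaks reassembly of fragmented traffic, which is one reason the thesis moves the IPv6 variant into a Destination Options extension header.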
Keywords/Search Tags: Network Security, Distributed Denial of Service, Path Identification, Path Traceback, IPv6