
IP Traceback Techniques Research Based On The Packet Marking Schemes

Posted on: 2012-11-17
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y H Li
Full Text: PDF
GTID: 1118330371960292
Subject: Computer Science and Technology
Abstract/Summary:
At present, denial of service attacks (including DoS, DDoS and DRDoS attacks) are the main threat to the Internet. Because the Internet plays a vitally important role in social and economic life, defending against denial of service attacks has important social and economic significance. In recent years, researchers have designed and implemented various types of defence strategy. Among these, IP traceback technology occupies a crucial position: tracing the paths and sources of attack packets not only helps victims decide where to deploy defence equipment, but also makes it possible to punish the true attacker, so that potential aggressors will not dare to launch attacks lightly, thus effectively maintaining network security.

Around the problem of tracing denial of service attacks, this dissertation first studies the countermeasures to such attacks and clarifies the position of traceback measures in the defensive system, then defines the research scope of IP traceback, studies the different types of IP traceback methods in depth and analyzes their advantages and disadvantages. In particular, it introduces the IP traceback methods that are based on packet marking and proposes performance indexes for assessing packet marking schemes. After that, it studies packet marking based traceback methods for (D)DoS and DRDoS attacks respectively. The methods proposed here achieve or exceed the level of other similar traceback schemes in traceback speed, accuracy, usability and so on. The main work and contributions are as follows:

(1) A cross-AS traceback method based on flexible fragmentation of path information for tracing (D)DoS attacks. In view of the poor usability, high demands on the victim and low traceback speed of existing cross-AS traceback methods, we use the routing information provided by the BGP AS-PATH attribute and fragment the numbers of the ASs that a packet passes through in a flexible way, so as to reduce the number of packets needed to reconstruct the attack path. Meanwhile, we place authentication information in the idle room not used by the mark information, which enables the method to identify forged mark information and thus improves traceback accuracy. Theoretical analysis and simulation results demonstrate that our method has a small impact on network performance and that its false positive number is not inferior to the existing method, while it has the following advantages: simple path reconstruction, low demands on the victim, and the ability to resist forged mark information.

(2) A fast intra-domain IP traceback method based on dynamic probabilistic marking for tracing (D)DoS attacks. In this method, we divide the traceback process into two stages, "constructing the network map" and "identifying intrusion paths". Because the tasks of the two stages are distinct, each uses its own marking method. To address the problems caused by marking packets with a fixed probability, such as low traceback speed and the attacker being able to forge mark information to disturb traceback, we adopt the optimal marking probability in each of the two stages, so that routers adjust their packet marking probability dynamically. To avoid disclosing the intra-domain topology, when a packet leaves an AS domain the border gateway preserves the packet's mark information and empties the packet's marking space, which may carry intra-domain topology information. Meanwhile, to reduce the storage space needed for saving mark information, the border gateways save the information on a per-"flow" basis. The experimental results show that, compared with the existing method, our method not only has a shorter convergence time and smaller false positive and false negative numbers, but also adds no additional burden to the network.

(3) A traceback method for tracing DRDoS attacks based on packet marking and router logging. In view of the poor practicality and low traceback precision of existing methods, we integrate the advantages of packet marking and hash-based router logging and propose a traceback method named ADPM. In ADPM, the first router that a request packet qw passes through marks qw, and the last router qw passes through saves qw's characteristics and mark information, thus avoiding loss of the mark information and allowing the victim to locate the attack source hiding behind the reflector. Analysis and simulation results show that ADPM requires little memory to save the mark information and has high availability. Compared with other methods, ADPM has obvious superiority in convergence number, convergence time, incremental deployment, false positive number and impact on network performance.
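Contribution (2) contrasts marking packets with a fixed probability against routers that adjust their marking probability dynamically, and measures the result as convergence time. The Python simulation below is an added illustration and is not code from the dissertation: it models node-sampling probabilistic packet marking on a constructed 16-hop path (R1 next to the attacker, R16 next to the victim), computes the probability that each router's mark survives to the victim, and counts how many packets the victim needs before it has seen every router. The 1/hop rule is an assumed stand-in for "dynamic" marking and assumes each router knows its hop distance from the source; the dissertation's own optimal probabilities and its two-stage design are not reproduced here.

```python
"""Toy simulator for probabilistic packet marking (PPM) IP traceback.

Added example, not code from the dissertation: a single attack path
R1..Rn (R1 next to the attacker, Rn next to the victim), node sampling
(a marking router overwrites any earlier mark), and two marking rules:
a fixed probability and an assumed distance-adaptive rule (router at
hop i marks with probability 1/i).
"""
import random
from collections import Counter


def fixed_probability(hop, path_len, p=0.04):
    """Classic PPM: every router marks with the same probability p."""
    return p


def distance_adaptive_probability(hop, path_len):
    """Assumed dynamic rule: hop i marks with 1/i. Because downstream routers
    overwrite, every router's mark then reaches the victim with the same
    probability 1/path_len (see survival_probability)."""
    return 1.0 / hop


def survival_probability(hop, path_len, prob_fn):
    """Probability that a packet arrives carrying the mark of router `hop`:
    that router marks and none of hops hop+1..path_len overwrites it."""
    p = prob_fn(hop, path_len)
    for later in range(hop + 1, path_len + 1):
        p *= 1.0 - prob_fn(later, path_len)
    return p


def send_packet(path, prob_fn, rng):
    """Forward one packet along the path; return the surviving mark (or None)."""
    mark = None
    for hop, router in enumerate(path, start=1):
        if rng.random() < prob_fn(hop, len(path)):
            mark = router          # overwrite: node sampling keeps one mark
    return mark


def packets_until_full_path(path, prob_fn, rng, limit=100_000):
    """Number of attack packets the victim must receive before it has seen
    a mark from every router on the path (convergence); None if > limit."""
    seen = set()
    for n in range(1, limit + 1):
        mark = send_packet(path, prob_fn, rng)
        if mark is not None:
            seen.add(mark)
            if len(seen) == len(path):
                return n
    return None


def reconstruct(marks):
    """Node-sampling reconstruction under a fixed p: a router's mark is seen
    less often the farther it is from the victim, so sorting routers by
    ascending mark count lists the path from the attacker side to the victim."""
    counts = Counter(m for m in marks if m is not None)
    return [router for router, _ in sorted(counts.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    path = [f"R{i}" for i in range(1, 17)]          # constructed 16-hop path
    rng = random.Random(1)
    for name, fn in (("fixed p=0.04", fixed_probability),
                     ("adaptive 1/hop", distance_adaptive_probability)):
        surv = [survival_probability(h, len(path), fn) for h in range(1, len(path) + 1)]
        n = packets_until_full_path(path, fn, rng)
        print(f"{name}: farthest-router survival {surv[0]:.4f}, "
              f"nearest {surv[-1]:.4f}, packets to converge {n}")
    marks = [send_packet(path, fixed_probability, rng) for _ in range(20000)]
    print("reconstructed (attacker side first):", reconstruct(marks))
```

With a fixed p the farthest router's mark survives with probability p(1-p)^(n-1), so the victim waits longest for exactly the routers nearest the attacker, which is the low-convergence-speed problem the abstract names; under the 1/hop rule every router's mark survives with probability 1/n, so convergence drops to roughly n times the harmonic number of n packets. The simulation also shows why frequency-based reconstruction is fragile: adjacent routers' counts differ by only a few percent, which is one reason the page's schemes carry explicit path information and authentication in the mark rather than relying on counts alone.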
Keywords/Search Tags:IP traceback, denial of service (DoS), distributed denial of service (DDoS), Distributed Reflector Denial of Service (DRDoS), Autonomous System (AS), Border Gateway Protocol (BGP)