
Research On Attack Source Traceback In Distributed Denial-of-Service Attacks

Posted on: 2007-12-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y N Jing
Full Text: PDF
GTID: 1118360212984755
Subject: Computer application technology

Abstract/Summary:
Distributed denial-of-service (DDoS) attack is one of the major threats to the current Internet. Existing traditional countermeasures, such as firewalls and intrusion detection systems, cannot cope well using passive defense policies alone. The distributed nature of the DDoS problem calls for a distributed defense solution. Attack source traceback is a new defense technique to identify the sources of DDoS attacks. It is an important step of distributed defense against DDoS attacks, and a key technique of network forensics.

The research of this dissertation focuses on source traceback in DDoS attacks. Through a taxonomy of DDoS attacks and defense mechanisms, this dissertation analyzes the principle of the DDoS attack, points out the important role that the traceback technique plays in DDoS defense, and analyzes the challenges the traceback research is facing. After presenting the definition and the state of the art of the traceback problem, the main research of this dissertation focuses on the following three problems: traceback speed, security and deployment of the traceback system, and application of the traceback technique. The main contributions of this dissertation are as follows.

1. Improvement of the traceback speed.

In order to improve the traceback speed, three new traceback algorithms are proposed in succession: the "adaptive edge marking scheme (AEMS)", the "log-assisted probabilistic packet marking scheme (LAPPM)", and the "logless fast IP traceback (LFIT)" algorithm. Theoretical analysis and simulation results have shown that these three algorithms speed up attack source traceback to different extents.

(1) A Reverse-Validation Based IP Traceback Scheme

On the basis of an analysis of one of the traditional probabilistic packet marking (PPM) schemes, the advanced marking scheme (AMS), a reverse-validation IP traceback scheme is proposed which no longer requires the overly strong assumption of AMS. In order to improve on other adaptive algorithms, AEMS is proposed. Theoretical analysis and simulation results have shown it converges more quickly and more stably than AMS.

(2) Log-Assisted Probabilistic Packet Marking Algorithm

Further research shows that low utilization of marking packets is the main reason traceback speed had not improved further. In order to trace back attackers as quickly as possible, the LAPPM algorithm is proposed. This algorithm has two distinct advantages: less convergence time than previous PPM schemes, and much less log overhead than other log-based schemes.

(3) Logless Fast IP Traceback Algorithm

In order to avoid the extra bandwidth occupied by log transmission in LAPPM, a logless traceback algorithm (LFIT) is proposed. This algorithm not only has a traceback speed comparable to LAPPM, but also leverages the in-band channel to collect marking information. In addition, the algorithm uses a flow mark to transform traditional packet traceback into flow traceback.

2. Security and deployment of the traceback system.

Security and deployment issues are the obstacles to practical application and further development of traceback techniques. In order to solve these two problems in end-host traceback schemes, a hierarchical IP traceback system (HITS) is proposed. On the one hand, by changing the traceback subject and using a service-consumer, profit-driven mode, all participants in the traceback process can benefit from the deployment of the traceback system; this design constructs an incentive mechanism for deploying the traceback system. On the other hand, an integrated security solution, which includes security of the traceback system itself, authentication of traceback requests and results, and authentication of traceback information (marking information), is proposed to ensure that the traceback results produced by HITS are more credible and authoritative. The flexible security and deployment mechanisms of HITS provide a cooperative platform for traceback across different domains.

3. Application of the traceback technique.

With the development of the traceback technique, more and more studies of traceback applications will be conducted. In this dissertation an IP traceback-based rate limit algorithm is proposed. It leverages the traceback technique not only to mitigate the effect of a DDoS attack as close to the attack source as possible, but also to improve the throughput of legitimate traffic under various types of attacks. In addition, an overlay-based distributed rate limit framework (O²-DN) is proposed to improve current rate limit measures. This defense framework not only ensures the security of rate limiting, but also constructs a cooperative environment for distributed rate limiting across several domains.
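The abstract measures traceback speed by convergence time, the number of attack packets a victim must receive before it can reconstruct the whole router path from the marks those packets carry. The following simulation of classical edge-sampling probabilistic packet marking (the scheme family that AMS and the dissertation's AEMS/LAPPM build on) shows where that cost comes from. It is an added example, not code from the dissertation; the router path, the `Packet`, `mark_along_path`, `reconstruct_path` and `packets_to_converge` names, and the marking probabilities tried are all constructed for illustration.

```python
"""Edge-sampling probabilistic packet marking (PPM) and victim-side path reconstruction.

Constructed simulation, not the dissertation's code: a fixed router path, a victim
that collects marks, and a counter for how many packets convergence takes.
"""
import math
import random
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

Mark = Tuple[str, Optional[str], int]  # (start router, end router or None, distance)


@dataclass
class Packet:
    """The marking fields a router may overwrite on the packet's way to the victim."""
    start: Optional[str] = None  # router that sampled the edge
    end: Optional[str] = None    # next router on that edge (None = the victim itself)
    distance: int = 0            # hops travelled since the edge was sampled


def mark_along_path(path: List[str], p: float, rng: random.Random) -> Packet:
    """Forward one packet over `path` (attacker-nearest router first).
    Each router marks with probability p; a later mark overwrites an earlier one,
    so the victim sees the edge sampled by the last router that chose to mark."""
    pkt = Packet()
    for router in path:
        if rng.random() < p:
            pkt.start, pkt.end, pkt.distance = router, None, 0  # start a new edge sample
        else:
            if pkt.start is not None and pkt.distance == 0:
                pkt.end = router  # first hop after a sample: record the edge's other end
            pkt.distance += 1
    return pkt


def reconstruct_path(marks: Iterable[Mark]) -> List[str]:
    """Rebuild the path from collected marks, walking outward from the victim.
    Returns routers in attacker-to-victim order and stops at the first missing or
    ambiguous hop, so a short list means the victim still needs more packets."""
    by_distance = {}
    for start, end, dist in marks:
        by_distance.setdefault(dist, set()).add((start, end))
    chain: List[str] = []  # victim side first
    dist = 0
    while dist in by_distance:
        if dist == 0:
            candidates = [s for s, e in by_distance[0] if e is None]
        else:
            candidates = [s for s, e in by_distance[dist] if e == chain[-1]]
        if len(candidates) != 1:
            break  # no unique continuation yet
        chain.append(candidates[0])
        dist += 1
    return list(reversed(chain))


def victim_marks(path: List[str]) -> Set[Mark]:
    """The complete set of marks the victim must eventually see for `path`."""
    d = len(path)
    return {(path[i], path[i + 1] if i + 1 < d else None, d - 1 - i) for i in range(d)}


def packets_to_converge(path: List[str], p: float, seed: int,
                        max_packets: int = 200_000) -> Optional[int]:
    """Attack packets received until the victim holds every edge of `path`.
    Returns None when the budget runs out (p far too small or too large)."""
    rng = random.Random(seed)
    seen: Set[Mark] = set()
    needed = victim_marks(path)
    for n in range(1, max_packets + 1):
        pkt = mark_along_path(path, p, rng)
        if pkt.start is not None:
            seen.add((pkt.start, pkt.end, pkt.distance))
        if seen == needed:
            assert reconstruct_path(seen) == path
            return n
    return None


def expected_packets_bound(d: int, p: float) -> float:
    """Savage et al.'s bound on expected packets for a d-hop path: ln(d) / (p (1-p)^(d-1)).
    The farthest router's mark survives only if all d-1 routers after it decline to
    mark, which is what makes low marking-packet utilization the dominant cost."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


if __name__ == "__main__":
    PATH = [f"R{i}" for i in range(1, 11)]  # constructed 10-hop attack path
    for p in (0.01, 0.04, 0.1, 0.3):
        runs = [r for r in (packets_to_converge(PATH, p, s) for s in range(20)) if r is not None]
        mean = sum(runs) / len(runs)
        print(f"p={p:<5} mean packets={mean:8.1f}  bound={expected_packets_bound(len(PATH), p):8.1f}")
```

Running the script shows the trade-off the abstract's speed work targets: a small p wastes most packets unmarked, a large p lets near routers overwrite far ones, and in both cases the victim needs hundreds of packets for a ten-hop path. Log-assisted and logless designs such as LAPPM and LFIT aim to cut that count, and reverse validation addresses the ambiguity that `reconstruct_path` simply refuses to resolve when two candidate edges share a distance.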
Keywords/Search Tags: Internet security, distributed denial-of-service attacks, attack source traceback, IP traceback, probabilistic packet marking, rate limit, incremental deployment, cooperative defense