
Research Of DDoS Attack Traceback Based On Autonomous System

Posted on: 2010-07-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: C L Huang
Full Text: PDF
GTID: 1118360275991145
Subject: Computer application technology
Abstract/Summary:
The lethal Denial of Service (DoS) attack and its advanced variant, the Distributed DoS (DDoS) attack, have increasingly become great threats to the current Internet. Internet Protocol traceback (IP traceback) is a critical ability for identifying the sources of attacks and instituting protection measures for the Internet. To achieve better attack effects, the DDoS attacker assaults the victim from hundreds of zombies rather than from their own machine. IP spoofing is frequently used to elude possible penalties, making it difficult for the victim to determine the source of a DDoS attack.

Many IP traceback schemes have been proposed, but the deficiencies of the existing approaches include, but are not limited to, heavy computational burdens, slow convergence and high false alarm rates. To be practical and effective, a well-designed IP traceback scheme should possess the following properties:

● Fast convergence: A traceback scheme should allow the victim to identify the attack path with only a small number of packets, thus making it possible for the victim to react in real time.
● Minimal network and router overhead: A traceback scheme should incur little increase in communication overhead on the network and impose minimal computation and storage overhead on routers.
● Marking field security: A traceback scheme should provide a mechanism to thwart marking forgery.
● Scalability: A traceback scheme should scale to a large number of attackers while maintaining accuracy.
● Incentives: A traceback scheme should not disclose sensitive information about the network details of Internet administrative units such as ISPs.

This dissertation aims at resolving the above key issues; the work and contributions are summarized as follows.

First, in Chapter 3, this dissertation proposes a novel traceback scheme based on probabilistic packet marking (PPM), called ASPPM. This scheme employs an IP header encoding method that marks packets with the AS number and router ID number. By overloading the offset field of the IP header to obtain more available marking space, this scheme also employs non-repeating probabilistic marking. Two independent hash functions are used to validate the source identification information and lower false positives. The path reconstruction algorithm is also optimized to speed up the traceback process. The simulation shows that the ASPPM scheme can significantly outperform background PPM schemes in convergence time, false positives and computational overhead.

Second, in Chapter 4, this dissertation proposes a novel traceback scheme based on deterministic packet marking (DPM), called ASDPM. This scheme embeds the marking information in the IP header with the AS number and the AS's edge router ID. A parameter named marking rate is introduced, which changes adaptively according to the load of the participating edge router. Analytical results show that this scheme is easy to implement and achieves good performance in traceback accuracy and convergence time when dealing with large-scale DDoS attacks.

Third, in Chapter 5, this dissertation proposes a hybrid traceback scheme which combines the advantages of PPM and DPM, called ASLPM. In ASLPM, the traceback procedure is divided into two steps based on the AS administrative unit. In the first step, an inter-AS PPM scheme is adopted to determine the attack-originating AS. In the second step, a random-number DPM scheme is used to identify the exact origin of the attacks within the specific AS. Node sampling and optimal marking methods are employed in the first, inter-AS traceback procedure, and the random number is generated by HMAC in the second, intra-AS traceback procedure. The ASLPM scheme is based on the consideration that the autonomous system is an important component of the Internet hierarchy. The design of ASLPM embodies the "divide and conquer" defending tactic, which is rarely used in other IP traceback approaches. The simulation results show that the ASLPM scheme enjoys the desirable qualities of security, speed and scalability, which makes it suitable for real-time attack traceback.

Fourth, the schemes proposed in this dissertation employ a new IP header encoding method that marks packets with the AS number and router ID number. The advantages of this method lie in two factors: one is to store the complete source identification information in fewer packets compared with background IP traceback schemes, and the other is to perform the traceback without revealing the ISP's sensitive information, such as its internal network topology and routing policy.
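The following is an added illustration of the AS-level probabilistic packet marking idea described above (router identity encoded as an AS number plus router ID, two independent hash values carried in the mark to validate it, and path reconstruction at the victim by ordering validated marks by distance). It is example code written for this page, not the dissertation's ASPPM implementation: the topology, the private AS numbers and router IDs, the marking probability, the one-byte hash truncation and the choice of SHA-256 and BLAKE2b as the two hash functions are all assumptions, and the mark is modelled as a Python dict rather than bits overloaded into the IP header. The node-sampling variant (a marking router overwrites the field and resets the distance) is used as the simplest representative of PPM; the dissertation's non-repeating marking and optimized reconstruction are not reproduced.

```python
import hashlib
import random
from collections import defaultdict

# Constructed example topology (hypothetical private AS numbers and router IDs),
# listed from the attacker-side ingress router to the router adjacent to the victim.
PATH = [(64500, 1), (64500, 7), (64501, 3), (64502, 12), (64503, 2)]

MARK_PROB = 0.1  # per-router marking probability (assumed value)


def mark_hashes(asn, rid):
    """Two independent hash functions over the (AS number, router ID) pair, each
    truncated to one byte, stand in for the validation fields of the mark."""
    ident = f"{asn}:{rid}".encode()
    h1 = hashlib.sha256(ident).digest()[0]
    h2 = hashlib.blake2b(ident, digest_size=1).digest()[0]
    return h1, h2


def new_mark(asn, rid):
    """Mark written by a router: its identity, a zeroed distance counter, both hashes."""
    h1, h2 = mark_hashes(asn, rid)
    return {"asn": asn, "rid": rid, "dist": 0, "h1": h1, "h2": h2}


def forged_mark(asn, rid):
    """A mark field preset by the sender whose validation bytes do not recompute
    (constructed for the demonstration; the corrupted byte is the first hash)."""
    m = new_mark(asn, rid)
    m["h1"] = (m["h1"] + 1) & 0xFF
    return m


def router_mark(packet, asn, rid, rng):
    """Node-sampling PPM at one router: with probability MARK_PROB overwrite the
    mark field with this router's identity, otherwise increment the distance."""
    if rng.random() < MARK_PROB:
        packet["mark"] = new_mark(asn, rid)
    elif packet["mark"] is not None:
        packet["mark"]["dist"] += 1
    return packet


def reconstruct(marks):
    """Victim side: drop marks whose validation bytes do not recompute, then order
    the surviving routers by distance, farthest from the victim first."""
    by_dist = defaultdict(set)
    rejected = 0
    for m in marks:
        if (m["h1"], m["h2"]) != mark_hashes(m["asn"], m["rid"]):
            rejected += 1
            continue
        by_dist[m["dist"]].add((m["asn"], m["rid"]))
    path = []
    for d in sorted(by_dist, reverse=True):
        path.extend(sorted(by_dist[d]))  # several routers at one distance = ambiguity
    return path, rejected


def simulate(n_packets, path, seed, forge=False):
    """Send n_packets along path; if forge is set, the sender pre-fills the mark
    field with a bogus (AS, router) pair. Returns (reconstructed path, rejected)."""
    rng = random.Random(seed)
    marks = []
    for _ in range(n_packets):
        pkt = {"mark": forged_mark(64999, 99) if forge else None}
        for asn, rid in path:
            router_mark(pkt, asn, rid, rng)
        if pkt["mark"] is not None:
            marks.append(pkt["mark"])
    return reconstruct(marks)


if __name__ == "__main__":
    path, rejected = simulate(2000, PATH, seed=1)
    print("reconstructed:", path, "rejected:", rejected)
    path, rejected = simulate(2000, PATH, seed=2, forge=True)
    print("with forged marks:", path, "rejected:", rejected)
```

With 2000 packets the victim recovers the full five-hop AS/router path; when the sender pre-fills the mark field, the forged entries that reach the victim unreplaced are discarded by the hash check rather than appearing as an extra hop. Using a keyed construction (for example HMAC, as the dissertation's intra-AS step does for its random number) instead of unkeyed hashes is what would stop a sender from computing valid validation bytes for a real router's identity.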
Keywords/Search Tags:Distributed denial of service (DDoS), IP traceback, Packet marking, Autonomous System (AS), edge router