
Research On IP Traceback Techniques And Collaboration Patterns

Posted on: 2013-11-03
Degree: Doctor
Type: Dissertation
Country: China
Candidate: D Yan
GTID: 1228330374499575
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of the Internet, more and more traditional ways of working and living are being replaced by convenient, open and efficient network applications, including many key operations. As a result, security issues in the Internet arouse growing concern. The Denial of Service (DoS) attack, a major form of Internet attack, has been threatening the Internet severely. Because of the design deficiency of TCP/IP and the open design principle of the Internet, the source address in the IP header may be forged, so a host under intrusion cannot reliably find the attacker. Many security measures have been proposed for defending against DoS attacks. IP traceback is an important one: it records the state information of packets in some special modes. When an attack occurs, the victim can find the attacker with the help of IP traceback techniques and stop the attack. Therefore, IP traceback plays an important role in defending against DoS attacks, and it has become a research hotspot.

Based on an analysis of the research status and development trends of IP traceback, this dissertation studies solutions to IP traceback of DoS attacks. We first study the major forms of DoS attack, the flooding form and the single-packet form, including their different intrusion aims and characteristics. Then we discuss the features and scopes of application of different IP traceback methods, analyze their merits and demerits, and present approaches for improving the algorithms in traceback accuracy, overhead and attack path reconstruction time. Finally, we propose collaboration patterns, which can facilitate the practical deployment of IP traceback systems. The main contributions of this dissertation include:

1. Propose a probabilistic packet marking approach based on a marking rate self-adaptive adjustment scheme. In view of the disadvantages of existing traceback approaches, such as poor practicality, slow path reconstruction and neglect of the overhead on traceback-enabled routers, we propose a probabilistic packet marking IP traceback approach based on two-stage self-adaptive marking rate adjustment. In the first stage, we design a location-aware marking rate adjustment method to resolve the slow path reconstruction problem. In the second stage, to avoid overloading traceback-enabled routers whose load is already heavy, we design a marking rate adjustment method in which routers adjust the marking rate according to their current load status. The experimental results show that, compared with existing methods, our method has the advantages of fast path reconstruction, low false positives and avoidance of router overload.

2. Propose a hybrid IP traceback approach with path validation. In order to trace single-packet DoS attacks, we need to keep the state information of every packet. The existing methods have the vulnerability that they may add false nodes to the reconstructed attack path. In this dissertation, we present a path validation scheme for packet logging, which can avoid the generation of false paths. Then we combine packet logging and packet marking in a hybrid IP traceback strategy and improve the encoding scheme. All these efforts aim at lower storage overhead, which makes the approach more practical. Mathematical analysis and experimental results show that the method in this paper greatly improves on storage overhead and on the number of false nodes in the path.

3. Propose corresponding collaborative methods for different dimensions of the IP traceback system. In existing IP traceback approaches, entities lack collaborative interactions. As a result, the traceback system cannot conduct IP traceback for the sophisticated and subtle DoS attacks in today's Internet, and may become locally overloaded. In order to solve these problems, in this paper, we design a three-layer traceback collaborative framework that conducts collaborative interactions in three different dimensions: the system level, the elements level and the methods level. When a traceback-enabled router is heavily loaded, the collaborative framework chooses proper collaborative methods to conduct traceback and avoids local overload at the same time. The experimental results show that the collaborative approaches allow traceback-enabled routers to finish attack path reconstruction with fewer packets and low storage cost while keeping a high packet forwarding rate.
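Why a location-aware marking rate speeds up path reconstruction (contribution 1), as an added example that is not code from the dissertation. The abstract does not specify its adjustment method, so the sketch assumes the well-known 1/i rule (the i-th router from the attacker marks with probability 1/i) and one router mark per packet; the function names, the 10-hop path and the fixed rate 0.04 are constructed for illustration.

```python
from itertools import combinations

def survival_probs(rates):
    """rates[i] is the marking probability of router i on the attack path,
    index 0 nearest the attacker. Returns, per router, the chance a packet
    reaches the victim still carrying that router's mark (the router marked
    it and no downstream router overwrote the mark)."""
    probs = []
    for i, p in enumerate(rates):
        keep = 1.0
        for q in rates[i + 1:]:
            keep *= 1.0 - q
        probs.append(p * keep)
    return probs

def expected_packets(probs):
    """Expected number of attack packets before the victim has seen a mark
    from every router: coupon collector with unequal probabilities, by
    inclusion-exclusion over router subsets (fine for short paths)."""
    total = 0.0
    for k in range(1, len(probs) + 1):
        sign = 1.0 if k % 2 else -1.0
        for subset in combinations(probs, k):
            total += sign / sum(subset)
    return total

def fixed_rates(hops, p):
    return [p] * hops

def location_aware_rates(hops):
    # Assumption: 1/i rule, i = hop count from the attacker (not the
    # dissertation's own scheme, which the abstract does not give).
    return [1.0 / i for i in range(1, hops + 1)]

def compare(hops=10, p=0.04):
    """Return (fixed, location_aware) expected packets for one path."""
    fixed = expected_packets(survival_probs(fixed_rates(hops, p)))
    aware = expected_packets(survival_probs(location_aware_rates(hops)))
    return fixed, aware

if __name__ == "__main__":
    fixed, aware = compare()  # constructed sample: 10 hops, p = 0.04
    print(f"fixed rate:     {fixed:.1f} packets")
    print(f"location-aware: {aware:.1f} packets")
```

With a fixed rate, marks from routers near the attacker are usually overwritten downstream, so the victim waits longest for exactly the hops it most needs; under the 1/i rule every router's mark arrives with equal probability.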
Keywords/Search Tags: network security, denial of service (DoS), IP traceback, packet marking, packet logging, traceback collaborative pattern