
Research On Single-packet IP Traceback And Reactive Packet Filtering Techniques

Posted on: 2014-02-12
Degree: Doctor
Type: Dissertation
Country: China
Candidate: N Lu
Full Text: PDF
GTID: 1268330401963143
Subject: Computer Science and Technology

Abstract/Summary:
The last two decades have witnessed the rise of the Internet as the underlying infrastructure of many modern services, such as web search and stock trading, but the advent of the Denial-of-Service (DoS) attack quickly changed the landscape. In recent years the problem has become more complicated than before due to the advent of mixed DoS attacks, in which flooding and software-exploit DoS attacks are blended in a single campaign. It is therefore more urgent than ever to propose an effective DoS mitigation solution to protect these public-access sites.

When DoS attacks occur, reactive packet filtering, an essential technology for blocking the attack flows, has drawn significant attention in recent years. A handful of reactive packet filtering schemes have been proposed, but they suffer from the following disadvantages: (1) inability to trace back mixed DoS attacks; (2) involving so many filtering routers that network transmission performance degrades; (3) severe loss of legitimate flows during packet filtering due to the shortage of filters. To overcome these issues, and considering two characteristics of DoS attacks (IP spoofing and a large number of attack sources), we made an in-depth study of the IP traceback and attack traffic filtering problems in reactive packet filtering technologies. The major contributions of this dissertation can be summarized as follows:

1. Propose a precise and efficient path-based approach to single-packet IP traceback. In the existing single-packet IP traceback approaches, packet logging is the generic technique, which results in high overhead at routers and low traceback accuracy. Thus, we propose a novel single-packet IP traceback approach called PSIT. Borrowing the label switching principle of Multi-Protocol Label Switching (MPLS), our approach makes use of the routing path to set up traceback paths instead of logging packets, so as to improve single-packet IP traceback in several dimensions: (1) our storage overhead depends only on the number of routing paths, no matter how many packets traverse them; (2) the number of routers queried during the traceback process depends only on the number of hops in the attack path; (3) the false positives in attack-path construction are lower than in prior work.

2. Propose an efficient K-means-based filtering location algorithm. Involving too many filtering routers in a network can severely degrade its transmission performance, so a feasible packet filtering scheme should put a limit on the number of filtering routers. Since the location of the filtering routers decides how much network bandwidth resource they protect, the next question is how to select the filtering locations so as to protect more network bandwidth. We first formulate the filtering location problem as an integer linear programming model and then design a K-means-based heuristic filtering location algorithm, called KM-LOC. We also evaluate this algorithm by integrating it into the existing reactive packet filtering architecture and implementing the integrated scheme on emulated DoS scenarios based on a real-world Internet topology. Our evaluation results show that, compared to the state-of-the-art scheme, the integrated scheme uses only 20% of its filtering routers to achieve more than 70% of its protected network bandwidth resource.

3. Propose a flexible filter-based intermediate network reactive packet filtering scheme. The existing reactive packet filtering schemes either do not take the number of available filters into account, which leads to severe collateral damage, or involve millions of filtering routers just to obtain sufficient filters, which degrades network transmission performance. Thus, we propose a filter-based intermediate network reactive packet filtering scheme that effectively restricts the number of involved filtering routers while causing less collateral damage. This scheme faces three major challenges: attack path identification, filtering location determination and filter selection. To solve these issues, we first adopt the PSIT approach to identify the attack paths; then we use the KM-LOC algorithm to determine the filtering locations; finally, to minimize the collateral damage, we formulate the filter selection problem as an integer linear programming problem and design an optimal incremental updating algorithm for filter selection. We evaluate our scheme by implementing it on emulated DoS scenarios based on synthetic and real-world Internet topologies. Our evaluation results show that, compared to prior work, our scheme can use 20% of its filtering routers while increasing its collateral damage by less than 10%.
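The trade-off behind contributions 2 and 3 (a budget on filtering routers, and collateral damage that depends on where filters sit) can be seen on a toy topology. The following Python model is an added example and is not code from the dissertation: it assumes a tree topology rooted at the victim, one fixed path per source, rates in Mb/s, interface-level filters (a filter drops everything arriving at a router over one upstream interface), and a greedy placement rule that stands in for the ILP / K-means heuristic KM-LOC. Router names, flows and rates are constructed sample data.

```python
"""Toy model of the filtering-location trade-off for reactive packet filtering.

Protected bandwidth is counted as (attack rate) x (number of links the flow no
longer traverses on its way to the victim V).  Collateral damage is the rate
of legitimate flows dropped by the same interface-level filters.  All
assumptions and data here are constructed for illustration, not taken from the
dissertation.
"""

# Constructed topology: router -> next hop towards the victim "V".
PARENT = {
    "R1": "V", "R2": "V",
    "R3": "R1", "R4": "R1", "R5": "R2",
    "R6": "R3", "R7": "R4", "R8": "R5", "R9": "R5",
}

# Constructed flows: (flow id, ingress router, rate in Mb/s, is_attack).
FLOWS = [
    ("a1", "R6", 50, True), ("a2", "R6", 50, True), ("a3", "R7", 40, True),
    ("a4", "R8", 30, True), ("a5", "R9", 30, True),
    ("l1", "R6", 5, False), ("l2", "R7", 5, False), ("l3", "R8", 5, False),
    ("l4", "R9", 5, False), ("l5", "R3", 5, False),
]


def path_to_victim(router):
    """Routers from `router` up to (not including) the victim V."""
    path = []
    while router != "V":
        path.append(router)
        router = PARENT[router]
    return path


def upstream_of(ingress, router):
    """Interface at `router` on which a flow entering at `ingress` arrives:
    'local' if the flow enters there, else the child router forwarding it."""
    path = path_to_victim(ingress)
    i = path.index(router)
    return "local" if i == 0 else path[i - 1]


def freed_bandwidth(rate, router):
    """Dropping a flow at `router` frees it from every link from there to V."""
    return rate * len(path_to_victim(router))


def choose_filtering_routers(k):
    """Greedy stand-in for KM-LOC: repeatedly add the router that frees the most
    still-unfiltered attack bandwidth, until k routers are chosen."""
    chosen, filtered = [], set()
    attack = [f for f in FLOWS if f[3]]
    for _ in range(k):
        best, best_gain = None, 0
        for r in PARENT:
            if r in chosen:
                continue
            gain = sum(freed_bandwidth(rate, r) for fid, ing, rate, _ in attack
                       if fid not in filtered and r in path_to_victim(ing))
            if gain > best_gain:
                best, best_gain = r, gain
        if best is None:
            break  # every attack flow is already covered
        chosen.append(best)
        filtered |= {fid for fid, ing, _, _ in attack if best in path_to_victim(ing)}
    return chosen


def evaluate(chosen):
    """Install one filter per (router, upstream interface) that carries attack
    traffic at a chosen router, then measure freed bandwidth and collateral."""
    filters = set()
    for fid, ing, rate, is_attack in FLOWS:
        if not is_attack:
            continue
        for r in path_to_victim(ing):
            if r in chosen:
                filters.add((r, upstream_of(ing, r)))
                break  # dropped at the first filtering router on its path
    freed, collateral, dropped_legit = 0, 0, []
    for fid, ing, rate, is_attack in FLOWS:
        for r in path_to_victim(ing):
            if (r, upstream_of(ing, r)) in filters:
                if is_attack:
                    freed += freed_bandwidth(rate, r)
                else:
                    collateral += rate
                    dropped_legit.append(fid)
                break
    return {"routers": list(chosen), "filters": len(filters), "freed": freed,
            "collateral": collateral, "dropped_legit": dropped_legit}


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"budget {k}:", evaluate(choose_filtering_routers(k)))
    # Placing filters right next to the victim needs few routers but drops
    # every legitimate flow that shares an interface with attack traffic.
    print("near victim:", evaluate(["R1", "R2"]))
```

With a budget of three routers the greedy placement (R6, R5, R7) frees 540 of the 600 Mb/s-links of attack load while dropping 20 Mb/s of legitimate traffic; filtering at the two routers adjacent to the victim frees only 200 and drops all five legitimate flows, which is the collateral-damage effect the filter selection step is meant to minimize.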
Keywords/Search Tags: Internet security, DoS attacks, reactive packet filtering scheme, single-packet IP traceback, filtering location, filter selection, filter-based intermediate network reactive packet filtering