
Research On IP Traceback In Denial-of-Service Attacks

Posted on: 2009-08-20
Degree: Master
Type: Thesis
Country: China
Candidate: J Tang
GTID: 2178360245483251
Subject: Computer application technology
Abstract/Summary:
Denial-of-service attacks are among the hardest security problems to address because they are easy to launch and difficult to defend against and to trace. Existing countermeasures that rely only on a passive defense policy do not perform well. IP traceback is an active defensive technology that is able to locate the source of attacks. To isolate an attack, provide legal proof and deter attackers, it is necessary to locate the source of the attack rapidly and efficiently. IP traceback is therefore a key topic in defending against DoS attacks.

The research focuses on IP traceback in DoS/DDoS attacks. Based on an analysis of packet marking schemes, two new packet marking methods are proposed: Non-compulsory Reparable Probabilistic Packet Marking (nCR PPM) and Record-Based Reparable Probabilistic Packet Marking (RBR PPM). They resolve the issues that arise because the information contained in the marking field may be overwritten by downstream routers. They also settle the low convergence that results from the "weakest link" problem, and the high computational overhead and false positives that arise from assembling and hash conflicts. These two methods use new marking information in the IP header, use non-compulsory marking and record-based marking to repair the reduction of the leftover probability caused by compulsory remarking, and use network topology to check the edge ID. Compared to PPM, the new schemes have optimal convergence, lower computational overhead and fewer false positives.

The existing schemes raise several issues and cannot handle IP spoofing attacks or inter-domain traceback. A new trust-relationship-based router interface ID marking method is put forward. A trust factor is used to divide the network into trust areas, and different routers have different trust factors. Through this method, the edge of the trust area can be traced. The method settles the lack of support for routers with more than 64 interfaces, the IP spoofing attack problem and the inter-domain traceback problem. In circumstances where routers have been compromised, the edge routers of the trust domain can be tracked.
Keywords/Search Tags:Denial-of-Service attack, IP traceback, probabilistic packet marking, router interface ID marking