
Research On IP Traceback Based On DPPM

Posted on: 2014-02-16
Degree: Master
Type: Thesis
Country: China
Candidate: H Liu
Full Text: PDF
GTID: 2248330392461037
Subject: Information and Communication Engineering
Abstract/Summary:
Denial of service (DoS) attacks cause great harm and damage, and are therefore among the most serious information security problems on the current Internet. In recent years, research on how to defend against DoS attacks has become a hot issue in the field of network security. Within that research, IP traceback is an effective defense technology for dealing with DoS attacks: it can pinpoint the attacker and reconstruct the attack path. This paper presents new research on IP traceback approaches based on packet marking technology, with the key research focused on packet marking based on DPPM.

To address the heavy router overhead of DPPM, this paper proposes a new packet marking approach, Modulo-arithmetic Packet Marking (MPM), which chooses which router on the attack path marks a specific packet by applying a modulo operation to the value of the Identification field in the IP datagram header. NS2 simulation experiments were carried out to compare MPM with PPM and DPPM in several aspects, including router overhead, number of reconstruction packets, convergence time and so on. The results show that MPM outperforms PPM and DPPM not only in router overhead but also in the number of reconstruction packets, needing fewer than 32 regardless of the total number of routers. MPM can be used to trace back DoS attacks launched with IP datagrams.

To address another problem of DPPM, its limited marking space, this paper proposes a second packet marking approach, Multi-tags Dynamic Probabilistic Packet Marking (MDPPM), which uses the data field of the ICMP message as the marking space instead of the limited free fields remaining in the IP datagram header, and thus achieves multi-tag marking. NS2 simulation experiments were carried out to compare MDPPM and DPPM on the number of reconstruction packets under both a network without packet loss and a network with packet loss. The results show that MDPPM not only solves the problem of limited marking space but also greatly reduces the number of reconstruction packets relative to DPPM. Supposing that one packet can carry n tags for marking, the number of packets MDPPM needs to complete the IP traceback process is 1/n of what DPPM needs under a network without packet loss, and much less than 1/n under a network with packet loss. MDPPM can be used to trace back DoS attacks launched with ICMP messages.
Keywords/Search Tags: Denial of service, IP traceback technology, number of reconstruction packets, router's overhead, convergence time, multi-tags marking