Probabilistic Packet Marking for LargeScale IP Trace back
IP traceback is an important step in defending against Denial-of-service
(DoS) attacks. Probabilistic packet marking (PPM) has been studied as a
promising approach to realize IP traceback. In this paper, we propose a new
PPM approach that improves the current state of the art in two practical
directions: (1) it improves the efficiency and accuracy of IP traceback and (2)
it provides incentives for ISPs to deploy IP traceback in their networks. Our
PPM approach employs a new IP header encoding scheme to store the whole
identification information of a router into a single packet. This eliminates the
computation overhead and false positives due to router identification
fragmentation. Our approach does not disclose the IP addresses of the routers
having marked packets, thereby alleviating the ISPs security concern of
disclosing network topology. Our approach is able to control the distribution of
marking information. Hence, it is suitable to be deployed as a value-added
service which may create revenue for ISPs. Therefore our PPM approach
improves the performance and practicability of IP traceback.
severely. Recently, DoS attacks have been used for online extortion and even
become the subject of lawsuits. IP traceback is a technique for tracing the
paths of IP datagrams back toward their origins. IP traceback is not a goal but
a means to defending against DoS attacks. Identifying the origins of attack
packets is the first step in making attackers accountable. In addition, after
figuring out the network path which the attack t r a f f i c follows, the victim
under DoS attack can apply defense measures such as packet filtering further
from the victim and closer to the source. That improves the efficacy of
defense measures and reduces the collateral damage to innocent tr af fi c .
Many IP traceback techniques have been proposed. Among them, the
probabilistic packet marking (PPM) approach has been studied mostly. In a
PPM approach, the router probabilistically marks packets with its identification
information, and then the destination reconstructs the network path by
combining a number of such marked packets.
Internet security is becoming of critical importance in today’s computing
environment, as our society, government, and economy is increasingly relying
vulnerable to attacks—in fact, malicious attacks on the Internet have
increased in frequency and severity. Large scale Distributed Denial-of-Service
(DDoS) attacks disrupt critical Internet services and cause significant financial
loss and operational instability.
One of the most difficult challenges in defending against DDoS and
many other attacks is that attackers often spoof the source IP address of their
packets and thus evade traditional packet filters. Unfortunately, the current
routing infrastructure cannot detect that a packet’s source IP address has
been spoofed or from where in the Internet a spoofed IP packet has originated
from. The combination of these two factors makes IP spoofing easy and
effective for attacks. In fact, many different types of Internet attacks utilize
spoofed IP addresses for different purposes:
OBJECTIVE OF THE PROJECT
Attackers can insert arbitrary source addresses into IP packets, they
cannot, however, control the actual paths that the packets take to the
destination. Based on this observation, Path Identification marking based
Filtering has been proposed as a way to mitigate IP spoofing. The intuition in
this scheme is that, the packets which pass through the concern routers are
marked. Unfortunately, performance degrades substantially if legacy routers
are present, as they decrement the TTL but do not mark the packet. So two
new techniques that greatly enhance the performance of Pi in the presence of
legacy routers the Stack marking and the Routers write-ahead has been
proposed. Hence, any packets with source address and destination address
that appears in a router is marked based on StackPi and Router write-ahead.
There are several existing approaches to the IP trace back
problem Pattern-based Filtering and Hop-by-hop Tracing
the approach of
hop-by-hop tracing, which is also known as link testing, uses a pattern-based
approach to do trace back of a DOS attack while it is in progress. This scheme
requires immediate action during the attack, and requires considerable
coordination between network administrators (to either communicate directly
or setup access points for the agents of partnering administrators).This
technique also requires some pattern-based way to separate legitimate
packets from attack packets. A similar approach is used by Burch and
Cheswick to perform trace back by iteratively flooding from V portions of the
Internet to see its effects on V’s incoming traffic. Unfortunately, because of
their iterative nature, these approaches have limited trace back capabilities in
a large-scale DDOS.
In the proposed approach the concept of detecting and
avoidance of the DDos attacks is splitted up mainly in to three phase’s .They
are attack detection iptraceback, Locating the attacker, filtration. The attack
detection is done in the server that is the victim phase and the iptraceback is
done based on the PPM implementation, and the filtration process is done
based on the interface number that we are implementing in the marking
strategy, At once a client is located as an attacker, the packets from him will
be dropped at the edge router itself, and this is the focused advantage in the
A spoofing attack involves forging one's source address. It is the act of
using one machine to impersonate. To understand the spoofing process, First
know about the TCP and IP authentication process and then how an attacker
can spoof you network. The client system begins by sending a SYN message
to the server. The server then acknowledges the SYN message by sending
SYN-ACK message to the client. The client then finishes establishing the
connection by responding with an ACK message. The connection between the
client and the server is then open, and the service-specific data can be
exchanged between the client and the server. Client and server can now send
service-specific data "The sequence number is used to acknowledge receipt of
data. At the beginning of a TCP connection, the client sends a TCP packet with
an initial sequence number, but no acknowledgment. If there is a server
application running at the other end of the connection, the server sends back
a TCP packet with its own initial sequence number, and an acknowledgment;
the initial number from the client's packet plus one. When the client system
receives this packet, it must send back its own acknowledgment; the server's
initial sequence number plus one.
There are a few variations on the types of attacks that successfully
employ IP spoofing. Although some are relatively dated, others are very
pertinent to current security concerns.
This type of attack takes place when the attacker is on the same subnet
as the victim. The sequence and acknowledgement numbers can be sniffed,
eliminating the potential difficulty of calculating them accurately. The biggest
threat of spoofing in this instance would be session hijacking. This is
accomplished by corrupting the DataStream of an established connection,
then re-establishing it based on correct sequence and acknowledgement
numbers with the attack machine. Using this technique, an attacker could
effectively bypass any authentication measures taken place to build the
This is a more sophisticated attack, because the sequence and
acknowledgement numbers are unreachable. In order to avoid this, several
packets are sent to the target machine in order to sample sequence numbers.
While not the case today, machines in the past used basic techniques for
generating sequence numbers. It was relatively easy to discover the exact
formula by studying packets and TCP sessions.
MAN IN THE MIDDLE ATTACK
Both types of spoofing are forms of a common security violation known
as a man in the middle (MITM) attack. In these attacks, a malicious party
intercepts a legitimate communication between two friendly parties. The
malicious host then controls the flow of communication and can eliminate or
alter the information sent by one of the original participants without the
knowledge of either the original sender or the recipient. In this way, an
attacker can fool a victim into disclosing confidential information by “spoofing”
the identity of the original sender, who is presumably trusted by the recipient.
DENIAL OF SERVICE ATTACK
IP spoofing is almost always used in what is currently one of the most difficult
attacks to defend against – denial of service attacks, or DoS. Since crackers
are concerned only with consuming bandwidth and resources, they need not
worry about properly completing handshakes and transactions. Rather, they
wish to flood the victim with as many packets as possible in a short amount of
time. In order to prolong the effectiveness of the attack, they spoof source IP
addresses to make tracing and stopping the DoS as difficult as possible. When
multiple compromised hosts are participating in the attack, all sending
spoofed traffic it is very challenging to quickly block traffic.
In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate
users from accessing information or services. By targeting your computer and
its network connection, or the computers and network of the sites you are
trying to use, an attacker may be able to prevent you from accessing email,
web sites, online accounts (banking, etc), or other services that rely on the
The most common and obvious type of DoS attack occurs when an attacker
“floods” a network with information. When you type a URL for a particular web
site in your browser, you are sending a request to that site’s computer server
to view the page. The server can only process a certain number of requests at
once, so if an attacker overloads the server with requests, it can’t process
your requests. This is denial of service because you can’t access that site. 
Figure 2.6 Denial of Service Attack
DISTRIBUTED DENIAL OF SERVICE ATTACK
In a distributed denial of service (DDoS) attack, an attacker may use
your computer to attack another computer. By taking advantage of security
vulnerable or weakness, an attacker could take control of your computer. He
or she could then force your computer to send huge amounts of data to a web
site or send spam to particular email address or computers. The attack is
“distributed” because the attacker is using multiple computers, including
yours, to launch the denial-of-service attack.
A hacker (or, if you prefer, cracker) begins a DDoS attack by exploiting
a vulnerability in one computer system and making it the DDoS "master." It is
from the master system that the intruder identifies and communicates with
other systems that can be compromised. The intruder loads cracking tools
available on the Internet on multiple, sometimes thousands of compromised
systems. With a single command, the intruder instructs the controlled
machines to launch one of many flood attacks against a specified target. The
inundation of packets to the target causes a denial of service
OVERVIEW OF Pi
It is a per-packet deterministic mechanism. Each packet traveling along
the same path carries the same identifier. This allows the victim to take a
proactive role in defending against a DDoS attack by using the Pi mark to
filter out packets matching the attackers’ identifiers on a per packet basis. The
Pi scheme performs well under large-scale DDoS attacks consisting of
thousands of attackers, and is effective even when only half the routers in the
Internet participate in packet marking. Pi marking and filtering are both
extremely light-weight and require negligible state
A packet filter is a mechanism used to provide a level of digital security
by controlling the flow of information (data packets) via the examination of
key information in packet headers. A packet filter determines if these packets
are allowed to go through a given point based on certain access control
policies. Typically, this “point” is a firewall, router or gateway into a network
IP traceback is a name given to any method for reliably determining the origin
of a packet on the Internet. The datagram nature of the Internet makes it
difficult to determine the originating host of a packet – the source id supplied
in an IP packet can be falsified (Internet protocol spoofing) allowing for Denial
Of Service attacks (DoS) or one-way attacks (where the response from the
victim host is so well known that return packets need not be received to
continue the attack). The problem of finding the source of a packet is called
the IP traceback problem. IP Traceback is a critical ability for identifying
sources of attacks and instituting protection measures for the Internet. Most
existing approaches to this problem have been tailored toward DoS attack
detection. Such solutions require high numbers of packets (tens of thousands)
to converge on the attack path(s). By nature, a solution requiring large packet
volume is specifically targeted toward DoS attacks and tend to be probablistic
BASIC MARKING SCHEME
Each router treats the IP Identification field as though it were a stack. Upon
receipt of a packet, a router shifts the IP Identification field (hereon referred
to as the marking field) of the packet’s header to the left by n bits, and writes
a pre-calculated set of n bits (represented by the marking m) into the least
significant bits that were cleared by the shifting. This is the equivalent of
pushing a marking onto the stack. Every following router in the path does the
same until the packet reaches its destination. Because of the finite size of the
marking field, after b16/nc routers have pushed their markings onto the
marking field, additional markings simply cause the oldest markings (the ones
pushed first onto the stack) to be lost. The packet’s StackPi mark is merely
the concatenation of all the markings in the marking field when the packet
arrives at its destination. Because routers always push their markings onto
the least significant n bits of the marking field, their markings will always
appear in the same order; and because every router’s bit markings are precalculated, each StackPi marking is deterministic packets that follow the same
path will have the same marking.
PROBABILISTIC PACKET MARKING
Burch et al. suggested the possibility of IP traceback based on packet
marking. The intuition is to notify the packet destination of the network path
by recording the existence of the routers on the route in forwarded packets.
One feasible packet marking scheme is that the router probabilistically marks
packets with its identification information as they are forwarded by that
router. The marking information overloads a rarely used field in IP header.
While each marked packet represents only a small portion of the path it has
traversed, the whole network path can be reconstructed by combining a
modest number of marked packets. This kind of approach is referred to as
probabilistic packet marking (PPM).
Because of the probabilistic nature of PPM, a packet may arrive at the
destination without having been marked by any of the intermediate routers.
Wily attackers are able to insert false routers into the network path by
sending packets with carefully forged marking values. Most PPM approaches
reserve a distance field in the marking space to limit the effect of fake
marking values. When a router decides to mark a packet, it writes a zero into
the distance field; otherwise, the router increments the distance field using a
saturating addition. In this way, any packet written by the attacker will have a
distance greater than the length of the true attack path. Therefore, it is
impossible for an attacker to forge a router closer than the first traceback
enabled router through which its packets have to pass.
In a DDoS attack, there are multiple attackers and the attack t r a f f i c
traverses multiple paths before converging at the victim. The goal of IP
traceback is to reconstruct the attack tree which is rooted at the victim and
composed of the attack paths from all of the attackers to the victim.
Therefore, in order to track multiple attackers in a DDoS attack, the PPM
approach needs a mechanism to classify the routers in different attack paths.
Two kinds of schemes are employed
in PPM approaches to reconstruct attack trees. One is edge marking
and the other one is node marking supplemented with a network map.
In the edge marking scheme, which is used in CEFS, a marked packet
carries the information about an edge in the network path. An edge is
represented with the two routers at each end of a link. This scheme
can distinguish multiple attack paths because the edges in the same
path can be jointed together and the routers in different paths produce
disjoint edges. In the node marking scheme, which is used in FIT, a
marked packet carries the information of an individual router. The
victim consults an upstream router map (a tree topology rooted at the
victim) to discern routers in different paths.
The PPM approach has following advantages:
• Low overhead at routers. Packet marking does not incur any
storage overhead at routers and the marking procedure (a write
and checksum update) can be easily executed at current routers.
• No additional network traffic . The marking information is
encoded in IP header and piggy-backed on passing packets.
• Supporting incremental deployment. The marking information
encoded in packets can pass through legacy routers not supporting
PPM and arrives at the destination eventually. Given a subset of
the routers in a path, an approximate path can be determined.
However, there are two challenges in applying PPM approaches for IP
traceback in practice. (1) Scalability. Current PPM approaches are not
scalable to large-scale DDoS attacks. There is no place in the current
IP header designated to store marking information. To store marking
information in an IP option is not feasible because most routers handle
packets with IP options very slowly. In PPM approaches, the marking
information overloads a rarely used field in IP header, i.e., 16-bit IP
identification field. A single packet usually cannot t the identification
information of a router (e.g., a 32-bit IP address or an IP address hash
with similar length). The usual solution is to split the router
identification into multiple non-overlapping fragments. When a router
decides to mark a packet, the router randomly selects one fragment
and marks the packet with the selected fragment plus its offset in the
original identification. Those fragments are reassembled at the
receiver to restore the router identification. In a DDoS attack, the
attack t r a f f i c originates from multiple sources and the victim receives
identification fragments from multiple routers at the same distance.
The victim needs to try all combinations of the fragments at each
distance with disjoint offset values, check their correctness, and then
accepts correct ones.
There are two kinds of schemes to verify the correctness of
fragment combinations. One scheme is using integrity verification
codes to correlate the fragments of the same router identification. An
integrity verification code, such as a hash or a checksum of router
identification, is included into the marking value. All packets marked
by the same router carry integrity verification codes which are
identical or compatible with each other. The other scheme is using
predefined sets to check the correctness of fragment combinations. A
fragment combination is considered correct if it is in the set. The set
could be the routers at the same distance from the victim in an
upstream router map or the polynomials with a degree of specific
values in algebraic domain.
Neither scheme is 100% accurate, more or less, in verifying the
combinations introduce nonexistent routers in reconstructed attack
paths. In addition, the process of combining router identification
overhead on the victim. The more the attackers in a DDoS attack, the
higher the computation overhead and the more the number of false
positives. Hence, router identification fragmentation prevents PPM
approaches from being scalable to large-scale DDoS attacks.
ISPs lack incentives to deploy PPM approaches in
their networks. In general, ISPs are not willing to support a new
protocol that cannot be sold as a service. IP traceback accelerates
victim’s reaction to DoS attacks and improves the efficacy of DoS
defense measures. Although some customers may clamor for IP
traceback, it is not easy for ISPs to offer PPM-based IP traceback as a
value-added service to create benefit. Since it is unrealistic to
maintain per-flow state at routers, the routers supporting PPM have
disregarding whether the packet destination is paying for IP traceback
service or not. ISPs need a mechanism to restrict the use of IP
traceback service only to paying customers.
More importantly, ISPs would not like to disclose the details of their
networks because of security concerns. In current PPM approaches,
the router marks packets with its IP address or related variants (e.g.,
hash of IP address). Any dedicated end system can construct an
upstream router map and derive the IP addresses of those routers in
the map using the marking information in received packets. Attackers
may utilize that mapping feature to set ISPs routers as targets.
a. Normal phase
b. Attack phase
a. Implementation of PPM
c. Filteration (at edgerouters)
a. Attack detection
a. Normal Phase
In this normal phase the packets will be sent normally that
is the client acts as a good node and it sends good packets
b. Attack Phase
In this phase the clients performs attacks the Dos it could be of
type redundant packet sending, Ip spoofing, sending
overloaded packets beyond the servers limits.
Normal packets sent to Server via Routers.
Attack packets sent to Server via Routers.
Data sent to Server successfully.
If Attack packets sent then it is traced.
a. Implementation of PPM
Each and every packet passing through the each and every
router will be marked based on the PPM (i.e Probabilistic Packet
Marking), and based on this marking strategy each and every packet is
marked with the router’s Ip address, checksum value, HMAC to check
the integrity and the index value to support packet shuffling, and at
edge routers the interface value is also added with the packet header
so that we will be able to locate the attacker properly.
b. Ip traceback
Once the server or the victim locates the attacker the trace back
starts with the ip address in the packet header and the checksum
value in the marked packet, the trace back is done in a tree structured
pattern as the packet may not be sent in a single path.
At the edge router when the packets reached the edge router it
checks for the interface ID in its register to locate the attacker. At
once it located the attacker it stores it the black list and once for all
the packets sent by that node will be dropped in the edge router itself.
Incoming packets from Client either it is Normal or Attack
If the client sent normal packets then it is sent to the server via
router after the normal procedures like PPM implementation has
If the incoming packet is attack one and once if the server
detects it, then the IP Traceback and Filtration process has done
at the router end.
a. Attack detection
Each and every packet that reaches the victim is
analyzed, to detect whether it is an attack packet, and the type of
attack is detected. And it starts the trace back process based on the
Incoming packets from the router.
Here once the packet is received from Router, Attack Detection
is done with the incoming packets. If the packet is detected as
attack packets then IP Traceback is done in the edge router.
HARDWARE / SOFTWARE REQUIREMENTS
MODULE IMPLEMENTATION DETAILS
The project is implemented based on the design procedure
developed. The implementation is the process of implementing the
design details. The software is implemented using Java.
The project focuses on developing Packet Marking and Filtering
Mechanisms for DDoS Attack. We present a new technique, called Pi
marking using StackPi and Router Write-Ahead marking that provides
a conservative estimate of denial-of-service. Use this technique, we
have deny the unauthorized persons entered in the network and deny