Speedy IP Trace back (SIPT) for identifying sadhan

To trace the IP address of a system which tried to access the system without authorized permissions.



  1. Sadankumar.B 08C41A1263
  2. Denial-of-service (DoS) is a type of attack in networks in which an attacker may be able to prevent legitimate users from accessing email, web sites, and online accounts (banking, etc.). Unfortunately, mechanisms for dealing with DoS attacks haven’t advanced at the same pace as the attacks themselves. This paper presents a new method for identifying denial-of-service attacks that uses the attacker’s media access control address for identification and trace back.
  3. Outline: Introduction; DoS; DDoS; SIPT for identifying the boundary router; Existing mechanisms; Conclusion; References.
  4. In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services by targeting their computer and its network connection, or the computers and network of the sites they are trying to use, e.g. by flooding the network with traffic.
  5. In a distributed denial-of-service (DDoS) attack, an attacker may use other users’ computers to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of other computers, thereby sending huge amounts of data to a web site or sending spam to particular email addresses.
  6. The Speedy IP Trace back (SIPT) method finds the boundary router (the router connected directly to the client). Once we know the boundary router and the attacker’s media access control (MAC) address, we can identify the attacker and find the attack path.
  7. Boundary router: a router that connects the Internet to a company’s intranet (a private computer network that uses IP technologies to secure any part of the organization’s information). Media Access Control address (MAC): a unique identifier assigned to network interfaces for communication on the physical network segment.
  8. With SIPT, each router determines whether the packet came from a client; if it did, the router inserts a data link connection identifier for the source (client) and the IP address of its own incoming interface. With this additional source link address information in the packet, the destination can identify the attacker’s boundary router.
  9. Existing mechanisms: 1) Ingress filtering; 2) Link testing; 3) Packet marking.
  10. The ingress filtering approach configures routers to block packets that arrive with illegitimate source addresses. This requires a router with enough power to examine the source address of every packet, and sufficient knowledge to distinguish between legitimate and illegitimate addresses.
  11. Administrators use two different types of link tests: input debugging and controlled flooding. Input debugging: with this test, administrators capture and record specific details of IP packets that traverse networks. Once administrators know that an attack is in progress, they must find a unique characteristic common across attack packets. This is called the attack signature, and it is used to differentiate attack traffic and determine the inbound interface.
  12. Controlled flooding: this involves sending large bursts of traffic link by link upstream and monitoring the impact on the rate of received attack packets. While an attack is in progress, an administrator can run extended pings across each upstream link to see which one has an effect on the attack traffic. Once the administrator finds this link on the router closest to the victim, the process is repeated with the next router upstream.
  13. Packet marking
  14. The router plays a vital role in SIPT. The router inserts the client’s data link identifier and its own IP address into the packet’s IP header using one of several available packet-marking techniques.
  15. Every packet that the server receives is hence marked with the MAC address of the machine that sent it and the IP address of the router the machine is connected to. The marking must be done at the first router, because it alone knows the client’s MAC address; the attacker’s source MAC address is lost when the MAC header is replaced at the next hop.
  16. The server retrieves the IP address of the router the attacker is directly connected to and the attacker’s MAC address. The system can identify the attacker with just these two pieces of information.
  17. Since our method has backward compatibility and supports incremental deployment, the probability of finding an attacker increases with the percentage of participating routers. The SIPT approach doesn’t constitute a hop-by-hop trace back. Instead, it directly finds the boundary router connected to the attacker.
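The marking and extraction described in slides 8 and 14 to 17, simulated end to end as an added example (this is not code from the slides or from the SIPT authors). It shows why only the first router can record the client's MAC address, why a spoofed source IP does not help the server, and what the server gets when the boundary router has not deployed SIPT. Two things the slides leave open are assumptions here: a router decides that a packet "came from a client" by whether the arrival interface is tagged as client-facing, and the mark is carried as a (router interface IP, client MAC) pair in a dedicated field rather than in a specific IP option or header bits. All MAC and IP values are constructed.

```python
"""SIPT-style marking at the boundary router and extraction at the server.

Added example, not the slide deck's or the SIPT authors' code. All addresses
are constructed. Assumptions not stated in the slides: "came from a client"
is decided by the class of the arrival interface, and the mark is a
(router incoming-interface IP, client MAC) pair in a dedicated field.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IPPacket:
    src_ip: str            # claimed source; a flooding host may spoof this
    dst_ip: str
    payload: bytes
    # SIPT mark: (IP of the boundary router's incoming interface, client MAC).
    sipt_mark: Optional[Tuple[str, str]] = None


@dataclass
class Frame:
    """Layer-2 frame. The MAC header is rewritten at every hop."""
    src_mac: str
    dst_mac: str
    packet: IPPacket


@dataclass
class Interface:
    name: str
    ip: str
    mac: str
    client_facing: bool    # assumption: operator tags links that attach end hosts


class Router:
    def __init__(self, name: str, interfaces: List[Interface], sipt_enabled: bool = True):
        self.name = name
        self.ifaces = {i.name: i for i in interfaces}
        self.sipt_enabled = sipt_enabled   # models incremental deployment

    def forward(self, frame: Frame, in_iface: str, out_iface: str, next_hop_mac: str) -> Frame:
        """Mark the packet if this router is the first one a client packet reaches, then re-frame."""
        ingress = self.ifaces[in_iface]
        pkt = frame.packet
        if self.sipt_enabled and ingress.client_facing and pkt.sipt_mark is None:
            # Only here is the client's own MAC still present in the frame header.
            pkt.sipt_mark = (ingress.ip, frame.src_mac)
        egress = self.ifaces[out_iface]
        # New MAC header: from this hop on the client's MAC is no longer visible.
        return Frame(src_mac=egress.mac, dst_mac=next_hop_mac, packet=pkt)


def server_identify(frame: Frame) -> Optional[Tuple[str, str]]:
    """Server side: recover (boundary router IP, attacker MAC), or None if the packet is unmarked."""
    return frame.packet.sipt_mark


def simulate(boundary_sipt: bool) -> dict:
    """Client -> R1 (boundary) -> R2 -> server. Returns what each party can see."""
    client_mac = "02:00:00:00:00:aa"
    r1 = Router("R1", [
        Interface("lan0", "10.0.0.1", "02:00:00:00:01:01", client_facing=True),
        Interface("wan0", "203.0.113.1", "02:00:00:00:01:02", client_facing=False),
    ], sipt_enabled=boundary_sipt)
    r2 = Router("R2", [
        Interface("in0", "203.0.113.2", "02:00:00:00:02:01", client_facing=False),
        Interface("out0", "198.51.100.1", "02:00:00:00:02:02", client_facing=False),
    ])
    # The source IP is spoofed, so it is useless for attribution on its own.
    pkt = IPPacket(src_ip="192.0.2.77", dst_ip="198.51.100.10", payload=b"flood")
    f0 = Frame(src_mac=client_mac, dst_mac=r1.ifaces["lan0"].mac, packet=pkt)
    f1 = r1.forward(f0, "lan0", "wan0", next_hop_mac=r2.ifaces["in0"].mac)
    f2 = r2.forward(f1, "in0", "out0", next_hop_mac="02:00:00:00:ff:ff")
    return {
        "mac_seen_by_r2": f1.src_mac,          # R1's egress MAC, not the client's
        "spoofed_src_ip": f2.packet.src_ip,    # still the spoofed value
        "identified": server_identify(f2),     # (router IP, client MAC) or None
    }


if __name__ == "__main__":
    print(simulate(boundary_sipt=True))
    print(simulate(boundary_sipt=False))
```

With SIPT on the boundary router the server recovers R1's client-side interface address together with the client's MAC, even though the IP source address is spoofed; R2 never sees the client MAC because R1 has already rewritten the frame header. With SIPT absent on the boundary router the packet arrives unmarked, which is the incremental-deployment case slide 17 refers to: the mechanism degrades to "no information" rather than to wrong information.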
  18. References: 1. S. Specht and R. Lee, “Distributed Denial of Service: Taxonomies of Attacks, Tools, and Countermeasures.” 2. P. Ferguson and D. Senie, “Network Ingress Filtering.” 3. S. Savage et al., “Network Support for IP Trace back.” 4. C. Gong and K. Sarac, “IP Trace back with Packet Marking and Logging.”