The document proposes two new autonomous system (AS) traceback techniques to identify the AS of the attacker launching a denial-of-service (DoS) attack. The first technique, called Prevent Overwriting AS Traceback (POAST), marks packets with a dynamic probability and protects marked packets from being overwritten. It encodes the attacking AS number instead of router IP addresses. The second technique, called Efficient AS Traceback (EAST), is also described but not in detail. Both are evaluated to have better performance than existing probabilistic packet marking techniques for traceback by reducing the number of packets and routers required.
TRACEBACK OF DOS OVER AUTONOMOUS SYSTEMSIJNSA Journal
Denial of service (DoS) is a significant security threat in open networks such as the Internet. The existing limitations of the Internet protocols and the common availability tools make a DoS attack both effective and easy to launch. There are many different forms of DoS attack and the attack size could be amplified from a single attacker to a distributed attack such as a distributed denial of service (DDoS). IP traceback is one important tool proposed as part of DoS mitigation and a number of traceback techniques have been proposed including probabilistic packet marking (PPM). PPM is a promising technique that can be used to trace the complete path back from a victim to the attacker by encoding of each router's 32-bit IP address in at least one packet of a traffic flow. However, in a network with multiple hops through a number of autonomous systems (AS), as is common with most Internet services, it may be undesirable for every router to contribute to packet marking or for an AS to reveal its internal routing structure. This paper proposes two new efficient autonomous system (AS) traceback techniques to identify the AS of the attacker by probabilistically marking the packets. Traceback on the AS level has a number of advantages including a reduction in the number of bits to be encoded and a reduction in the number of routers that need to participate in the marking. Our results show a better performance comparing to PPM and other techniques.
TRACEBACK OF DOS OVER AUTONOMOUS SYSTEMSIJNSA Journal
Denial of service (DoS) is a significant security threat in open networks such as the Internet. The existing limitations of the Internet protocols and the common availability tools make a DoS attack both effective and easy to launch. There are many different forms of DoS attack and the attack size could be amplified from a single attacker to a distributed attack such as a distributed denial of service (DDoS). IP traceback is one important tool proposed as part of DoS mitigation and a number of traceback techniques have been proposed including probabilistic packet marking (PPM). PPM is a promising technique that can be used to trace the complete path back from a victim to the attacker by encoding of each router's 32-bit IP address in at least one packet of a traffic flow. However, in a network with multiple hops through a number of autonomous systems (AS), as is common with most Internet services, it may be undesirable for every router to contribute to packet marking or for an AS to reveal its internal routing structure. This paper proposes two new efficient autonomous system (AS) traceback techniques to identify the AS of the attacker by probabilistically marking the packets. Traceback on the AS level has a number of advantages including a reduction in the number of bits to be encoded and a reduction in the number of routers that need to participate in the marking. Our results show a better performance comparing to PPM and other techniques.
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
THE FIGHT AGAINST IP SPOOFING ATTACKS: NETWORK INGRESS FILTERING VERSUS FIRST...ijsptm
The IP(Internet Protocol) spoofing is a technique that consists in replacing the IP address of the sender by
another sender’s address. This technique allows the attacker to send a message without being intercepted
by the firewall. The most used method to deal with such attacks is the technique called "Network Ingress
Filtering". This technique has been used, initially, forIPv4 networks, but its principles, are currently
extended toIPv6 networks.Unfortunately, it has some limitations, the main is its accuracy. To improve
safety conditions, we applied the "First-Come First-Serve (FCFS)" technique, applied for IPV6 networks,
and developed by the "Internet Engineering Task Force (IETF)" within its working group "Source Address
Validation Improvements (SAVI)", which is currently being standardization. In this paper, we remember
the course of an attack by IP Spoofing and expose the threats it entails.Then, we explain the "Network
Ingress Filtering" technique. Next, We present the FCFS SAVI method and methodology that we have
adopted for its implementation.Finally, we, followingthe results, discuss and compare the advantages,
disadvantages andlimitations of the FCFSSAVI methodto thoseknown in the "Network Ingress Filtering"
technique. FCFS SAVI method is more effective than the technique of "Network Ingress Filtering", but
requires some improvements, for dealing with limitations it presents.
Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. A distributed denial-of-service attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users. The proposed system suggests a mechanism based on entropy variations between normal and DDoS attack traffic. Entropy is an information theoretic concept, which is a measure of randomness. The proposed method employs entropy variation to measure changes of randomness of flows. The implementation of the proposed method brings no modifications on current routing software.
BYPASSING OF DEPLOYMENT DIFFICULTIES OF IP TRACEBACK TECHNIQUES USING NEW PAS...Journal For Research
Because so many decades World Wide Web has been used broadly in numerous fields, network safety problems include the main matter. IP traceback is just the actual method to understand the actual purpose, it reconstructs IP packets traversed path inside the World Wide Web to determine their own roots. IP Traceback may be an important ability for characteristics sources of attacks and Starting protection measures for the Internet. This paper discovers different IP Traceback approaches. This comparative paper provides as well as extends many technologies to prevent the secured information from the network issues by using different IP traceback techniques.
International Refereed Journal of Engineering and Science (IRJES) is a leading international journal for publication of new ideas, the state of the art research results and fundamental advances in all aspects of Engineering and Science. IRJES is a open access, peer reviewed international journal with a primary objective to provide the academic community and industry for the submission of half of original research and applications
Review on Grey- Hole Attack Detection and PreventionIJARIIT
These Grey Hole attacks poses a serious security threat to the routing services by attacking the reactive routing protocols resulting in drastic drop of data packets. AODV (Ad hoc on demand Distance Vector) routing being one of the many protocols often becomes an easy victim to such attacks. The survey also gives up-to-date information of all the works that have been done in this area. Besides the security issues they also described the layered architecture of MANET, their applications and a brief summary of the proposed works that have been done in this area to secure the network from Grey Hole attacks
Modified AODV Algorithm using Data Mining Process: Classification and Clusteringidescitation
Security of Wireless Ad hoc network has a primary
concern to provide protected communication between mobile
nodes. When we routing some packet it can use both malicious
node or authenticate node for forwarding and receiving data.
Malicious node can attack like black hole, misuse of data or
hacked information. Our aim is to discuss the feasibility of
monitoring the node of different networks, to analyze it for
providing better security in AODV routing protocol. We
implement data mining techniques for search large amount
of data according characteristic rules and patterns to detect
malicious node. We have used growing neural gas (GNS)
clustering algorithm to make clusters and analysis data. Using
soft computing technique we find patterns, analysis node and
take decision based on decision tree.
Passive ip traceback disclosing the locations of ip spoofers from path backscShakas Technologies
It is long known attackers may use forged source IP address to conceal their real locations. To capture the spoofers, a number of IP traceback mechanisms have been proposed. However, due to the challenges of deployment, there has been not a widely adopted IP traceback solution, at least at the Internet level.
An improved ip traceback mechanism for network securityeSAT Journals
Abstract IP traceback is amongst the main challenges that face the security of today’s Internet. Many techniques were proposed, including in-band packhranits alert and outband packets each of them has advantages and disadvantages. Source IP spoofing attacks are critical issues to the Internet. These attacks are considered to be sent from bot infected hosts. There has been active research on IP traceback technologies. However, the traceback from an end victim host to an end spoofing host has never yet been achieved, because of the insufficient traceback probes installed on each routing path. There exists a will need to replace alternative probes in an effort to lessen the installation cost. Recently a great number of technologies of a given detection and prevention have developed, but it is difficult the fact that the IDS distinguishes normal traffic that are caused by the DDoS traffic due to many changes in network features. In existing work a whole new hybrid IP traceback scheme with efficient packet logging reaching to tend to have a fixed storage requirement for each router ( CAIDA’s data set) in packet logging without the need to refresh the logged tracking information and then to achieve zero false positive and false negative rates in attack-path reconstruction. Existing hybrid traceback approach applied on offline CAIDA dataset which isn't suitable to realtime tracing. With this proposed work efficient hybrid approach for single-packet traceback to our best knowledge, our approach will reduces 2/3 of a given overhead in each of storage and how about recording packet paths, and to discover the time overhead for recovering packet paths is also reduced by a calculatable amount. Keywords –Attack, Trace back, LAN
Abstract: Forged source IP addresses are used by the attackers to hide the locations. For finding the locations of the attackers IP Traceback Mechanism have been used. IP Traceback approaches can be classified in to Packet Marking, ICMP Traceback, Logging on the Router, Link Testing, Overlay and Hybrid Tracing, Based on the captured backscatter messages spoofing activities are still frequently observed. The IP Traceback system on the internet contain with two critical challenges. The first one is the cost to adopt a traceback mechanism in the routing system. It introduces considerable overhead to the routers generation, packet logging, especially in the high performance networks. The second one is the difficulty to make Internet Service Providers(ISP) collobrate. Attackers spread over every corner of the world, single ISPs to deploy its own traceback system is meaningless. ISPs are generally lack of explicit incentive to help clients of the others to trace attackers in their managed system. There are lot of IP traceback mechanisms and large number of spoofing activities observed , but the real locations of spoofers still remain mystery. Due to the some of the drawbacks it has not been widely used to trace the IP traceback solution. Finally, it was not used to find the locations of the attackers. To overcome the drawback of IP traceback mechanism we propose a Passive IP Traceback Mechanism(PIT). The router may generate an ICMP error message and send the message to the spoofed source addresses. The routers can be close to the attackers, the path backscatter messages may disclose the locations of the attackers. PIT can work in a number of spoofing activities. This technique uses the ICMP features and find the attackers by applying PIT on the ICMP dataset, a number of locations of attackers are captured and presented. As a result, these technique reveal IP spoofing, but it was not well understood. In future, it may be the most suitable mechanism for tracing the attackers on the Internet Level Traceback System.
Keywords: IP Traceback, packet logging, path backscatter, hybrid tracing, link testing.
Title: REVEALING THE LOCATIONS OF IP SPOOFERS FROM ICMP
Author: J Saranya, Dr. A J Deepa
ISSN 2350-1022
International Journal of Recent Research in Mathematics Computer Science and Information Technology
Paper Publications
AN EFFICIENT IP TRACEBACK THROUGH PACKET MARKING ALGORITHMIJNSA Journal
Denial-of-service (DoS) attacks pose an increasing threat to today’s Internet. One major difficulty to defend against Distributed Denial-of-service attack is that attackers often use fake, or spoofed IP addresses as the IP source address. Probabilistic packet marking algorithm (PPM), allows the victim to trace back the appropriate origin of spoofed IP source address to disguise the true origin. In this paper we propose a technique that efficiently encodes the packets than the Savage probabilistic packet marking algorithm and reconstruction of the attack graph. This enhances the reliability of the probabilistic packet marking algorithm.
because so many decades World Wide Web has been used broadly in numerous fields, network safety problems include the main matter. IP traceback is just the actual method to understand the actual purpose, it reconstructs IP packets traversed path inside the World Wide Web to determine their own roots. IP Traceback may be an important ability for characteristics sources of attacks and Starting protection measures for the Internet. This paper discovers different IP Traceback approaches. This comparative paper provides as well as extends many technologies to prevent the secured information from the network issues by using different IP traceback techniques.
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
THE FIGHT AGAINST IP SPOOFING ATTACKS: NETWORK INGRESS FILTERING VERSUS FIRST...ijsptm
The IP(Internet Protocol) spoofing is a technique that consists in replacing the IP address of the sender by
another sender’s address. This technique allows the attacker to send a message without being intercepted
by the firewall. The most used method to deal with such attacks is the technique called "Network Ingress
Filtering". This technique has been used, initially, forIPv4 networks, but its principles, are currently
extended toIPv6 networks.Unfortunately, it has some limitations, the main is its accuracy. To improve
safety conditions, we applied the "First-Come First-Serve (FCFS)" technique, applied for IPV6 networks,
and developed by the "Internet Engineering Task Force (IETF)" within its working group "Source Address
Validation Improvements (SAVI)", which is currently being standardization. In this paper, we remember
the course of an attack by IP Spoofing and expose the threats it entails.Then, we explain the "Network
Ingress Filtering" technique. Next, We present the FCFS SAVI method and methodology that we have
adopted for its implementation.Finally, we, followingthe results, discuss and compare the advantages,
disadvantages andlimitations of the FCFSSAVI methodto thoseknown in the "Network Ingress Filtering"
technique. FCFS SAVI method is more effective than the technique of "Network Ingress Filtering", but
requires some improvements, for dealing with limitations it presents.
Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. A distributed denial-of-service attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users. The proposed system suggests a mechanism based on entropy variations between normal and DDoS attack traffic. Entropy is an information theoretic concept, which is a measure of randomness. The proposed method employs entropy variation to measure changes of randomness of flows. The implementation of the proposed method brings no modifications on current routing software.
BYPASSING OF DEPLOYMENT DIFFICULTIES OF IP TRACEBACK TECHNIQUES USING NEW PAS...Journal For Research
Because so many decades World Wide Web has been used broadly in numerous fields, network safety problems include the main matter. IP traceback is just the actual method to understand the actual purpose, it reconstructs IP packets traversed path inside the World Wide Web to determine their own roots. IP Traceback may be an important ability for characteristics sources of attacks and Starting protection measures for the Internet. This paper discovers different IP Traceback approaches. This comparative paper provides as well as extends many technologies to prevent the secured information from the network issues by using different IP traceback techniques.
International Refereed Journal of Engineering and Science (IRJES) is a leading international journal for publication of new ideas, the state of the art research results and fundamental advances in all aspects of Engineering and Science. IRJES is a open access, peer reviewed international journal with a primary objective to provide the academic community and industry for the submission of half of original research and applications
Review on Grey- Hole Attack Detection and PreventionIJARIIT
These Grey Hole attacks poses a serious security threat to the routing services by attacking the reactive routing protocols resulting in drastic drop of data packets. AODV (Ad hoc on demand Distance Vector) routing being one of the many protocols often becomes an easy victim to such attacks. The survey also gives up-to-date information of all the works that have been done in this area. Besides the security issues they also described the layered architecture of MANET, their applications and a brief summary of the proposed works that have been done in this area to secure the network from Grey Hole attacks
Modified AODV Algorithm using Data Mining Process: Classification and Clusteringidescitation
Security of Wireless Ad hoc network has a primary
concern to provide protected communication between mobile
nodes. When we routing some packet it can use both malicious
node or authenticate node for forwarding and receiving data.
Malicious node can attack like black hole, misuse of data or
hacked information. Our aim is to discuss the feasibility of
monitoring the node of different networks, to analyze it for
providing better security in AODV routing protocol. We
implement data mining techniques for search large amount
of data according characteristic rules and patterns to detect
malicious node. We have used growing neural gas (GNS)
clustering algorithm to make clusters and analysis data. Using
soft computing technique we find patterns, analysis node and
take decision based on decision tree.
Passive ip traceback disclosing the locations of ip spoofers from path backscShakas Technologies
It is long known attackers may use forged source IP address to conceal their real locations. To capture the spoofers, a number of IP traceback mechanisms have been proposed. However, due to the challenges of deployment, there has been not a widely adopted IP traceback solution, at least at the Internet level.
An improved ip traceback mechanism for network securityeSAT Journals
Abstract IP traceback is amongst the main challenges that face the security of today’s Internet. Many techniques were proposed, including in-band packhranits alert and outband packets each of them has advantages and disadvantages. Source IP spoofing attacks are critical issues to the Internet. These attacks are considered to be sent from bot infected hosts. There has been active research on IP traceback technologies. However, the traceback from an end victim host to an end spoofing host has never yet been achieved, because of the insufficient traceback probes installed on each routing path. There exists a will need to replace alternative probes in an effort to lessen the installation cost. Recently a great number of technologies of a given detection and prevention have developed, but it is difficult the fact that the IDS distinguishes normal traffic that are caused by the DDoS traffic due to many changes in network features. In existing work a whole new hybrid IP traceback scheme with efficient packet logging reaching to tend to have a fixed storage requirement for each router ( CAIDA’s data set) in packet logging without the need to refresh the logged tracking information and then to achieve zero false positive and false negative rates in attack-path reconstruction. Existing hybrid traceback approach applied on offline CAIDA dataset which isn't suitable to realtime tracing. With this proposed work efficient hybrid approach for single-packet traceback to our best knowledge, our approach will reduces 2/3 of a given overhead in each of storage and how about recording packet paths, and to discover the time overhead for recovering packet paths is also reduced by a calculatable amount. Keywords –Attack, Trace back, LAN
Abstract: Forged source IP addresses are used by the attackers to hide the locations. For finding the locations of the attackers IP Traceback Mechanism have been used. IP Traceback approaches can be classified in to Packet Marking, ICMP Traceback, Logging on the Router, Link Testing, Overlay and Hybrid Tracing, Based on the captured backscatter messages spoofing activities are still frequently observed. The IP Traceback system on the internet contain with two critical challenges. The first one is the cost to adopt a traceback mechanism in the routing system. It introduces considerable overhead to the routers generation, packet logging, especially in the high performance networks. The second one is the difficulty to make Internet Service Providers(ISP) collobrate. Attackers spread over every corner of the world, single ISPs to deploy its own traceback system is meaningless. ISPs are generally lack of explicit incentive to help clients of the others to trace attackers in their managed system. There are lot of IP traceback mechanisms and large number of spoofing activities observed , but the real locations of spoofers still remain mystery. Due to the some of the drawbacks it has not been widely used to trace the IP traceback solution. Finally, it was not used to find the locations of the attackers. To overcome the drawback of IP traceback mechanism we propose a Passive IP Traceback Mechanism(PIT). The router may generate an ICMP error message and send the message to the spoofed source addresses. The routers can be close to the attackers, the path backscatter messages may disclose the locations of the attackers. PIT can work in a number of spoofing activities. This technique uses the ICMP features and find the attackers by applying PIT on the ICMP dataset, a number of locations of attackers are captured and presented. As a result, these technique reveal IP spoofing, but it was not well understood. In future, it may be the most suitable mechanism for tracing the attackers on the Internet Level Traceback System.
Keywords: IP Traceback, packet logging, path backscatter, hybrid tracing, link testing.
Title: REVEALING THE LOCATIONS OF IP SPOOFERS FROM ICMP
Author: J Saranya, Dr. A J Deepa
ISSN 2350-1022
International Journal of Recent Research in Mathematics Computer Science and Information Technology
Paper Publications
AN EFFICIENT IP TRACEBACK THROUGH PACKET MARKING ALGORITHMIJNSA Journal
Denial-of-service (DoS) attacks pose an increasing threat to today’s Internet. One major difficulty to defend against Distributed Denial-of-service attack is that attackers often use fake, or spoofed IP addresses as the IP source address. Probabilistic packet marking algorithm (PPM), allows the victim to trace back the appropriate origin of spoofed IP source address to disguise the true origin. In this paper we propose a technique that efficiently encodes the packets than the Savage probabilistic packet marking algorithm and reconstruction of the attack graph. This enhances the reliability of the probabilistic packet marking algorithm.
because so many decades World Wide Web has been used broadly in numerous fields, network safety problems include the main matter. IP traceback is just the actual method to understand the actual purpose, it reconstructs IP packets traversed path inside the World Wide Web to determine their own roots. IP Traceback may be an important ability for characteristics sources of attacks and Starting protection measures for the Internet. This paper discovers different IP Traceback approaches. This comparative paper provides as well as extends many technologies to prevent the secured information from the network issues by using different IP traceback techniques.
DDoS attacks have become one of the most dangerous issues in the Internet today. Because of these attacks, legitimate users can not access the resources they need. In [1] authors proposed a combined method for tracing and blocking the sources of DDoS-attacks. The essence of the method is that each router marks the network packet that passes through it using a random hash function from the set. At the receiving side this information is stored and used to filter unwanted traffic and traceback the source of distributed attack. This article describes the simulation and its results of the combined method.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
A Survey on DPI Techniques for Regular Expression Detection in Network Intrus...ijsrd.com
Deep Packet Inspection (DPI) is becoming more widely used in virtually all applications or services like Intrusion Detection System (IDS), which operate with or within a network. DPI analyzes all data present in the packet as it passes an inspection to determine the application transported and protocol. Deep packet inspection typically uses regular expression matching as a core operator. Regular expressions (RegExes) are used to flexibly represent complex string patterns in many applications ranging from network intrusion detection and prevention systems (NIDPSs). Regular expressions represent complex string pattern as attack signatures in DPI. It examine whether a packet’s payload matches any of a set of predefined regular expressions. There are various techniques developed in DPI for deep packet inspection for regular expression. We survey on these techniques for further improvement in regular expression detection in this paper. In the result we found that it is possible to reduce RegEx transaction memory required in network intrusion detection. We made this survey with possible use of DPI techniques in the wireless network.
The Fight against IP Spoofing Attacks: Network Ingress Filtering Versus First...ClaraZara1
The IP(Internet Protocol) spoofing is a technique that consists in replacing the IP address of the sender by another sender’s address. This technique allows the attacker to send a message without being intercepted by the firewall. The most used method to deal with such attacks is the technique called "Network Ingress Filtering". This technique has been used, initially, forIPv4 networks, but its principles, are currently extended toIPv6 networks.Unfortunately, it has some limitations, the main is its accuracy. To improve safety conditions, we applied the "First-Come First-Serve (FCFS)" technique, applied for IPV6 networks, and developed by the "Internet Engineering Task Force (IETF)" within its working group "Source Address Validation Improvements (SAVI)", which is currently being standardization. In this paper, we remember the course of an attack by IP Spoofing and expose the threats it entails.Then, we explain the "Network Ingress Filtering" technique. Next, We present the FCFS SAVI method and methodology that we have adopted for its implementation.Finally, we, followingthe results, discuss and compare the advantages, disadvantages andlimitations of the FCFSSAVI methodto thoseknown in the "Network Ingress Filtering" technique. FCFS SAVI method is more effective than the technique of "Network Ingress Filtering", but requires some improvements, for dealing with limitations it presents.
A Novel IP Traceback Scheme for Spoofing AttackIJAEMSJORNAL
Internet has been widely applied in various fields, more and more network security issues emerge and catch people’s attention. However, adversaries often hide themselves by spoofing their own IP addresses and then launch attacks. For this reason, researchers have proposed a lot of trace back schemes to trace the source of these attacks. Some use only one packet in their packet logging schemes to achieve IP tracking. Others combine packet marking with packet logging and therefore create hybrid IP trace back schemes demanding less storage but requiring a longer search. In this paper, we propose a new hybrid IP trace back scheme with efficient packet logging aiming to have a fixed storage requirement for each router in packet logging without the need to refresh the logged tracking information and to achieve zero false positive and false negative rates in attack-path reconstruction.
Consensus Routing And Environmental Discrete Trust Based Secure AODV in MANETsIJCNCJournal
The Mobile Adhoc Network (MANET) is a wireless network model for infrastructure-less communication, and it provides numerous applications in different areas. The MANET is vulnerable to a Black-hole attack, and it affects routing functionality by dropping all the incoming packets purposefully. The Black-hole attackers pretend that it always has the best path to the destination node to mislead the source nodes. Trust is the critical factor for detecting and isolating the Black-hole attackers from the network. However, the harsh channel conditions make it difficult to differentiate the Black-hole routing activities and accurate trust measurement. Hence, incorporating the consensus-based trust evidence collection from the neighbouring nodes improves the accuracy of trust. For improving the accuracy of trust, this work suggests Consensus Routing and Environmental DIscrete Trust (CREDIT) Based Secure AODV. The CREDIT incorporates Discrete and Consensus trust information. The Discrete parameters represent the specific characteristics of the Black-hole attacks, such as routing behaviour, hop count deviation, and sequence number deviation. The direct trust accurately differentiates the Black-hole attackers using Discrete parameters, only when the nodes perform sufficient communication between the nodes. To solve such issues, the CREDIT includes the Consensus-based trust information. However, secure routing against the Black-hole attack is challenging due to incomplete preferences. The in-degree centrality and Importance degree measurement on the collected consensus-based trust from decisionmakers solve the incomplete preference issue as well as improves the accuracy of trust. The performance of the proposed scheme is evaluated using Network Simulator-2 (NS2). From the simulation results, it is proved that the detection accuracy and throughput of the proposed CREDIT are substantially high and the proposed CREDIT scheme outperforms the existing work.
Advisedly delayed packet attack on tcp based mobile ad-hoc networkseSAT Journals
Abstract Efficient routing in mobile ad-hoc networks (MANETs) is a challenging task due to its varying physical channel characteristics, dynamic topology and un-centralized communication. Furthermore, multihop routing is required when the source-destination pairs are not in each other’s communication range. Due to the above challenges these networks are vulnerable to various types of attacks on various layers of the TCP/IP protocol stack. In this thesis, we implement and analyze an attack called advisedly delay packet attack on ad-hoc on-demand distance vector (AODV) routing protocol. The advisedly delay packet attack is an attack that effects the TCP-based as well as UDP-based data transmissions but in this thesis we will also see how it exploits the TCP congestion control mechanism to decrease the throughput of the network. In this attack, the attacker exploit the period of retransmission time out (RTO) of the sender and attack in such a way so the sender is always transmitting in the slow start phase. Keywords- MANETs; Multimedia Streaming; Routing protocols; QoS; Topology; Node Mobility; Network Scalability
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
Prevention of Selective Jamming Attacks by Using Packet Hiding MethodsIOSR Journals
Abstract: The open nature of the wireless medium leaves it too weak to intentional interference attacks,
typically defined as jamming. This intentional interference with wireless transmissions can be used as a launch
pad for mounting Denial-of-Service attacks on wireless networks. Typically, jamming has been introduced
under an external threat model. However, intruders with internal knowledge of protocol specifications and
network secrets can launch low-effort jamming attacks that are difficult to detect and counter. In this work, we
address the problem of selective jamming attacks in wireless networks. In these attacks, the hacker is active only
for a short period of time, selectively targeting messages of high importance. We demonstrate the advantages of
selective jamming in terms of network performance degradation and hacker effort by presenting two case
studies; a selective attack on TCP and one on routing. We show that selective jamming attacks can be
forwarded by performing real-time packet classification at the physical layer. To reduce these attacks, we
develop three schemes that prevent real-time packet classification by combining cryptographic primitives with
physical-layer attributes. We analyze the security of the proposed methods and evaluate their computational and
communication overhead.
AN EFFECTIVE PREVENTION OF ATTACKS USING GI TIME FREQUENCY ALGORITHM UNDER DDOSIJNSA Journal
With the tremendous growth of internet services, websites are becoming indispensable. When the number of users gets increased accessing the websites, the performance of the server gets down. Due to much burden on the server, the response time gets delayed. When the process becomes slow, the ratio of the users accessing to the site also goes down. Apart from this, it may also happen due to the attack of Hackers. We have implemented a special kind of technique to recognize the attack carried out by the hackers and block them from using the site. This is termed as Denial of Service and thus is carried out among the web users and is commonly referred to as Distributed Denial of Service (DDoS). To improve server performance and deny the accessibility permissions to the hackers are proposed in this paper.
Mobile Ad-hoc Network is group of wireless mobile device with restricted broadcast range and no use of base Infrastructure. The secure routing model helps for reduced honest elicitation and free riding problem. The term honest elicitation means it forward high recommendation for malicious node in order to avoid itself. It means the high recommendation for colludingmalicious node. When operating in hostile or suspicious setting, MANETs require privacy and ,communication security in routing protocol. In this paper we present the type of attacks and operation on network layer with routing protocol technique i.e. based on an on-demand locationbased anonymous MANET routing protocol called SMRT (secure MANET routing technique ,with trust model) that achieves security and privacy against insider and outsider adversaries.
Ijricit 01-001 pipt - path backscatter mechanism for unveiling real location ...Ijripublishers Ijri
There is a necessity to think over IP traceback technique that help us to track or predict IP address details of malicious
attackers and reveal their actual locations. In spite of lot of research over IP traceback solutions, still there is a necessity
to find an optimal solution that could be implemented at the level of Internet. Real identity of spoofers couldn’t be
revealed by conventional techniques used until today. Through this paper we emphasize primarily on traceback of passive
IP (PIPT) that avoid the procedural risks involved in implementing IP traceback solutions. Path Backscatter (Internet
Control Message Protocol (ICMP) error messages) is probed by PIPT. Spoofing traffic fires these Backscatter, in order to
find the details of spoofer’s topological physical identity and bypasses procedural risks.
Impacts of normal mode and complication mode over Router topological structure are visualized. Nodal info tracker
over parameter i.e Bandwidth, digital sign, source IP, Dest IP and attack status on three network parameters. Spoofing
has been performed on IP addresses, packet data and bandwidth .These three parameter i.e IP addresses, packet data,
bandwidth status and topological nature are been demonstrated through technical stimulation. From the study made
we are able to assure optimized technique of traceback system through PIPT, in order to face the challenges of deployment
at internet level.
Exploiting Artificial Intelligence for Empowering Researchers and Faculty, In...Dr. Vinod Kumar Kanvaria
Exploiting Artificial Intelligence for Empowering Researchers and Faculty,
International FDP on Fundamentals of Research in Social Sciences
at Integral University, Lucknow, 06.06.2024
By Dr. Vinod Kumar Kanvaria
Safalta Digital marketing institute in Noida, provide complete applications that encompass a huge range of virtual advertising and marketing additives, which includes search engine optimization, virtual communication advertising, pay-per-click on marketing, content material advertising, internet analytics, and greater. These university courses are designed for students who possess a comprehensive understanding of virtual marketing strategies and attributes.Safalta Digital Marketing Institute in Noida is a first choice for young individuals or students who are looking to start their careers in the field of digital advertising. The institute gives specialized courses designed and certification.
for beginners, providing thorough training in areas such as SEO, digital communication marketing, and PPC training in Noida. After finishing the program, students receive the certifications recognised by top different universitie, setting a strong foundation for a successful career in digital marketing.
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
Normal Labour/ Stages of Labour/ Mechanism of LabourWasim Ak
Normal labor is also termed spontaneous labor, defined as the natural physiological process through which the fetus, placenta, and membranes are expelled from the uterus through the birth canal at term (37 to 42 weeks
Francesca Gottschalk - How can education support child empowerment.pptxEduSkills OECD
Francesca Gottschalk from the OECD’s Centre for Educational Research and Innovation presents at the Ask an Expert Webinar: How can education support child empowerment?
Unit 8 - Information and Communication Technology (Paper I).pdfThiyagu K
This slides describes the basic concepts of ICT, basics of Email, Emerging Technology and Digital Initiatives in Education. This presentations aligns with the UGC Paper I syllabus.
A Strategic Approach: GenAI in EducationPeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
Read| The latest issue of The Challenger is here! We are thrilled to announce that our school paper has qualified for the NATIONAL SCHOOLS PRESS CONFERENCE (NSPC) 2024. Thank you for your unwavering support and trust. Dive into the stories that made us stand out!
Model Attribute Check Company Auto PropertyCeline George
In Odoo, the multi-company feature allows you to manage multiple companies within a single Odoo database instance. Each company can have its own configurations while still sharing common resources such as products, customers, and suppliers.
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or invisible some fields in odoo. Commonly using “invisible” attribute in the field definition to invisible the fields. This slide will show how to make a field invisible in odoo 17.
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
1. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
TRACEBACK OF DOS OVER AUTONOMOUS SYSTEMS
Mohammed Alenezi1 and Martin J Reed2
1
School of Computer Science and Electronic Engineering, University of Essex, UK
mnmale@essex.ac.uk
2
School of Computer Science and Electronic Engineering, University of Essex, UK
mjreed@essex.ac.uk
ABSTRACT
Denial of service (DoS) is a significant security threat in open networks such as the Internet. The existing
limitations of the Internet protocols and the common availability tools make a DoS attack both effective and
easy to launch. There are many different forms of DoS attack and the attack size could be amplified from a
single attacker to a distributed attack such as a distributed denial of service (DDoS). IP traceback is one
important tool proposed as part of DoS mitigation and a number of traceback techniques have been
proposed including probabilistic packet marking (PPM). PPM is a promising technique that can be used to
trace the complete path back from a victim to the attacker by encoding of each router's 32-bit IP address in
at least one packet of a traffic flow. However, in a network with multiple hops through a number of
autonomous systems (AS), as is common with most Internet services, it may be undesirable for every router
to contribute to packet marking or for an AS to reveal its internal routing structure. This paper proposes
two new efficient autonomous system (AS) traceback techniques to identify the AS of the attacker by
probabilistically marking the packets. Traceback on the AS level has a number of advantages including a
reduction in the number of bits to be encoded and a reduction in the number of routers that need to
participate in the marking. Our results show a better performance comparing to PPM and other
techniques.
KEYWORDS
Autonomous System, DoS, Packet Marking, Network Security, Traceback.
1. INTRODUCTION
Denial of service (DoS) becomes a serious threat in Internet today due to the available variety of
DoS forms, size, types, and tools. Attackers can increase the involved machines in the attack from
single attacker causing a classic DoS attack to many compromised machines causing a distributed
denial of service (DDoS) attack. The attack can be amplified to increase the volume of the attack
by using non-compromised machine to reflect spoofed requests containing the victim IP address.
Arbor networks [1] reports that DDoS attacks can reach sizes of up to 40 Gigabits/sec.
In general, research into DoS has been divided into three phases: prevention, detection, and
mitigation. Identifying the origin of the attack is defined as traceback which is one part of the
mitigation phase. Many techniques have been proposed to traceback the origin of the attack.
Probabilistic packet marking (PPM)[2] and deterministic packet marking (DPM)[3] are the two
main forms of packet marking in general.
Most of the proposed techniques are on a hop-by-hop basis where the topology of the ISP is
revealed. However, this paper proposes two new techniques for traceback identifying the AS of
the attacker. Our techniques will mark the packet with the AS number (ASN) based on a dynamic
DOI : 10.5121/ijnsa.2013.5211 131
2. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
probability to improve the performance of the technique. Knowing the distance, for a packet
journey from source to destination, in advance is one of the advantages of using the AS.
Unknown distance was one of the main limitations of PPM and other techniques in specifying the
marking probability for routers. Additionally, the proposed marking probability will reduce the
required number of packets to reconstruct the attack path. In PPM, marks from the early nodes on
the attack are overwritten by the downstream nodes. Therefore, the required number of packets to
reconstruct the attack path is increased.
The paper is organized as follows. Related work is introduced in section 2. The design and
motivations are presented in section 3. The first proposed idea, prevent overwriting AS traceback
(POAST), is explained in section 4 while the second the proposed idea, efficient AS traceback
(EAST), is presented in section 5. Finally, the conclusion is presented in section 6.
2. RELATED WORK
Many techniques have been proposed to traceback the origin of DoS attack based on different
methodologies and on different levels. In the following, different traceback techniques will be
presented based on the proposed methodology and level of traceback.
Link testing[2] is based on testing the links in the upstream direction and can be found in two
types: input debugging and controlled flooding. The traffic is filtered and directed between the
edges of the network in input debugging, while flooding the network by traffic to study the effect
on the attack traffic is in controlled flooding [4].
Selecting specific routers to log the packets and using different data mining techniques to
reconstruct the attack path is termed logging [2]. Using special ICMP packets with a probability
of 1/20,000 to carry the path information is known as ICMP Traceback [5].
Packet marking techniques are divided into main types: probabilistic packet marking (PPM) [2]
and deterministic packet marking [3] (DPM). PPM marks the packets with the IP address of the
router based on a fixed probability P=1/25. PPM uses edge sampling as a marking algorithm
which encodes the edges (two nodes) instead of recording the nodes as in node append or encodes
each node as in nodes sampling [2]. However, there are drawbacks with PPM [3, 6, 7]. Marking
information inside the packets, which will be used by the victim for tracing the attacker's source,
could be explicitly violated by the attacker due to high number of unmarked packets in PPM. The
further the router is away from the victim on the attack path, the higher the chances for its marked
packets to be overwritten by a router closer to the victim. Therefore, the required number of
packets to reconstruct the attack path is high. Furthermore, PPM increases the overhead and
processing in routers because it involves all the routers on the attack path in the marking process.
DPM is proposed to traceback the attack deterministically. DPM will mark all of the packets at
the access router and will not provide the full attack path but rather identify the access router that
is closest to the attacker. In other words, DPM marks the packets with a probability of 1. The
source IP address of the access router is divided into two parts where each part with a size of 16
bit. Using a probability of 0.5, one of the two parts will be injected inside the packet. Just like
PPM, there are drawbacks with DPM [7-9]. First, a scalability problem exists as there are only 25
spare bits of the IP packet that can be used for updating [6]. In addition, routers need considerable
storage for packet logging [9]. Moreover, routing software needs to be modified in order to apply
DPM and the added overhead would slow down the routers. The IP address (32 bits) of an edge
router will be marked in two packets. Therefore, the victim needs to receive two packets to
identify the IP address. This raises a problem of accuracy if the one of the packets lost.
132
3. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
Furthermore, as with PPM, modifications by the attacker can be used to mark the message to
confuse the victim.
Dynamic probabilistic packet marking for efficient IP traceback (DPPM) [10] is another form of
PPM as it marks the packet based on probability. However, it uses a dynamic probability where
the change in the probability is based on the deduced distance from the TTL field in the IP packet.
Although the number of required packets to reconstruct the path are reduced, it has some
drawbacks. The main problem is accurately determining the travelling distance, as DPPM counts
on the TTL field to deduce the distance which will be used for calculating the marking
probability. Additionally, the TTL field can be spoofed intentionally by the attacker to confuse
the technique.
Authenticated AS traceback (AAST) [11] has been proposed to traceback the AS as the origin of
the attack instead of specifying the attacker source itself. The technique is divided into two parts:
AS traceback and the authentication scheme. The traceback is carried out by probabilistically
marking the packets between the AS’s using the ASN instead of the IP address. The marking
technique is the same as in PPM, however, they have changed the value of the marking
probability to P=1/6. The required space is 16 bits for the ASN and 3 bits for the distance. The
authenticated scheme was presented to prevent the spoofed information inserted by an attacker. It
is based on using symmetric key infrastructure through a hash function and exchange of the secret
key between the Autonomous system border routers (ASBR's).
3. DESIGN AND MOTIVATIONS
3.1. Design
Both of the proposed traceback techniques in this paper will be applied on the AS level. The key
points of our design for the presented work are based on the following:
• Reduce the required number of packets in the traceback process.
• Reduce the required storage at the victim side by reducing number of required packets
and avoid any logging schemes.
• Eliminating the unmarked packets, to avoid spoofing that would be intentionally injected
by the attackers.
• Reduce the number of routers involved in packet marking.
3.1. Motivations
Including the AS in the traceback process brings many advantages to overcome limitations with
PPM and other techniques. Using the AS in traceback will not reveal the topology, which is
advantageous for network operators. Additionally, the number of AS hops is significantly less
than actual routers hops. In 99% of cases, a packet passes through less than 6 AS [12, 13] in its
journey from source to destination, while it passes over 20 routers in the hop by hop basis.
Furthermore, routing on the AS is carried by BGP and the distance can be known in advance
between ASs. Knowing the distance in advance, can be used to optimize the marking probability
and reduce the required number of packets to reconstruct the path.
133
4. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
4. PREVENT OVERWRITING AS TRACEBACK
In this section our prevent overwriting AS traceback (POAST) technique is presented. It is based
on marking the packets with a dynamic marking probability and protects the marked packets from
overwriting by downstream routers. The marking is carried out by only one router in each AS by
encoding the AS number instead of a router’s IP address and thus determines the AS of the attack.
4.1. Available Space and Assumptions
4.1.1. Available Space
Most packet marking techniques use 25 bits or more for overloading the IP packet [2, 11]. Our
technique will use the available 25 bits comprising: 8-bit type of service, 16-bit ID and 1-bit
reserved flag. These will be used to encode the fields shown in table.1.
4.1.2 Assumptions
Our assumptions can be summarized in the following:
• The attack could be triggered by single or multiple attackers.
• The attacker/attackers may be aware of the tracing.
• There may be packet loss in any number of packets sent.
• AS routes are stable during the attack.
• The AS routers are not compromised.
4.2. Proposed Technique
Border gateway protocol (BGP) is used for routing the packets between the AS. Each ASBR has a
full path for each AS reachability. At ASBR, upon receiving the packet, BGP table will be
checked and based on the destination, the ASBR selects the path for the packet after matching the
prefix (policies are applied). Using the BGP table, the ASBR knows how many required AS hops
to the destination [14]. Knowing number of hops in advance is considered to be a significant
advantages over most the proposed techniques as the marking probability can be optimized. For
example let assume we have 5 AS's (AS_src- AS1- AS2- AS3- AS_dest) illustrated in Fig.1. A
packet traversing from an attacker in AS_src destined to a victim in AS_dest, has to pass through
ASBR_src before passing AS1, AS2, and AS3. After the attacker starts to send packets to the
victim, the first router will receive the packets is ingress router1 (edge router) of AS1. At the
outgoing interfaces of the edge router1 the First_Flag is set to 1. First_Flag will be set on to
represent the first AS and help ASBR1 to filter out spoofed packets in cooperation with AS_Dist
field. Setting the First_flag on in the ingress router prevents the attacker from pretending to be
from different AS, as the edge router of the attacker's network will set the First_flag on. AS_Dist
is incremented by one at each ASBR until the ASBR marks the packet. Thus AS_Dist is the
distance between the first AS and the AS that carried out the marking. First_flag and AS_Dist
perform an important job in our technique. Once the packet is received by ASBR1, an essential
check is performed before the marking process. Since the First_flag will be set to 1 from the edge
router1 and the AS_Dist will be zero for the first AS, packets with First_flag unset and AS_Dist
equal to zero will be filtered out. When a packet is unmarked by the first ASBR, it could be
marked by any other ASBR on the path. Any packet received by the victim will indicate how far
the packet has traversed from the AS of the attacker before it was marked. ASBR1 will mark
packets with its ASN according to its marking probability. If ASBR1 decides to write its ASN,
134
5. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
the hash of ASN of ASBR1 is stored in the ID field. In order to prevent any ASBR in the transit
network between the attacker and the victim from overwriting the packet, G_flag, which is a one
bit flag, will be set to 1 after marking the packet by any ASBR. Once the packet leaves the
ASBR1, the First_flag is set to zero and AS_Dist incremented by 1. Once the victim receives the
packet, the AS can be specified from the ID field of the IP header. Any ASBR will follow the
same check and marking process. Within 3 marked packets, our technique, will identify the
originating AS with probability of 99% for a distance of 6 hops (maximum number is 6 hops
[12]). The marking algorithm is shown in Fig.2.
Figure 1. Network topology
The marking probability that will be used at each ASBR is based on number of hops from the
current ASBR to the AS of the destination. Other proposed techniques make the probability based
on the packet TTL [10, 15]. However, this is likely to be inaccurate as the TTL varies depending
upon end-system. This work determines the AS hops count directly from the BGP table. Using
dynamic marking probability over a fixed probability would be advantageous as it will reduce
number of packets are required to reconstruct the path and provide the fairness in marking. Using
dynamic probability, where P=1/d and d represents the travelling distance, would be an advantage
if the distance is not known in advance. However, if the distance is known in advance such as in
AS routing, using 1/d will not be the optimal choice to our design. The proposed probability is
P=1-(1/d), where d is equal to number of hops the AS will make to reach the last AS which
contains the required destination. The advantages of this marking probability are that: it gives
more emphasis to the first AS which it is most desirable to mark; it does not mark every packet at
each AS.
Table 1. Required Fields for POAST.
ID G_flag AS_Dist First_flag
20 bits 1 bit 3 bits 1 bit
135
6. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
Figure 2. POAST algorithm
4.3. Performance and Analysis
One of the key issues in marking the packets is the marking probability that will be used by the
routers. PPM proposed to use fixed probability by all routers along the attack path. Using the
fixed probability leads to unwanted results such as high false positives rate which is caused by
spoofed packets and unfairness marking due to overwriting problem. Here most of the effort will
be put on using a marking probability that will insure a high rate of marking by the far ASBR
(first ASBR) from the victim. Once the packet being marked by the first ASBR, the G_flag will
be set on and none of the transit AS's could mark the packet. Therefore, overwriting problem is
not an issue in our approach. Number of marked packets is increased with the new used
probability. Increasing the number of marked packets will reduce the uncertainty that would be
caused by unmarked packets. However, it will increase the overhead in total for the routers. That
is the key advantage of our technique. It is designed to mark many packets based on high
136
7. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
probability and reduce the overhead as much as possible. In order to reduce the overhead, G_flag
is used, which is a flag to prevent any other ASBR from overwriting the packet. Therefore, the
marking is carrying only once, by one of the ASBR's, which is reducing the counted overhead.
Note that this technique does not mark packets destined within the same AS. The victim can be
aware of this through the lack of packet marking and intra-domain traceback or DoS mitigation
would be required. The required number of packets to identify the AS of the attacker is reduced
comparing to PPM and AAST. Fig. 3 shows the comparison between our technique and other
techniques. It is clear that number of packets is highly reduced.
Figure 3. Comparison for required number of packets of different techniques
5. EFFICIENT AS TRACEBACK
In this section, our second idea is proposed. It will traceback the attack to the originating AS with
a full AS path. The difference in this technique from the early presented (POAST) is in the
marking probability and the design. This technique will provide the full AS path for the victim
and use different marking probability. The proposed marking probability will efficiently mark the
packets and dynamically changed.
5.1. Available Space and Assumptions
5.1.1. Available Space
Our technique will overload the IP header with the same suggested fields in 4.1.1.The
assumptions are similar to most of other traceback techniques [2, 16] with some modifications to
fit our design.
5.1.2 Assumptions
Our assumptions can be summarized in the following:
• Autonomous system border routers (ASBRs) are not compromised.
• Single or multiple attackers could launch the attack.
• Attackers may be aware of being traced.
• Stable routes exist between autonomous systems (ASs).
137
8. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
• Packets could be routed differently due to ASs policies.
• Attack could be from any type of packets.
5.2. Proposed Technique
Efficient AS traceback (EAST) is based on marking the packets probabilistically. PPM uses a
static marking probability p= 0.04 over all of the routers along the attack path. In PPM, the
chances for the packets, marked by the closest router to the attacker to reach the victim without
being overwritten by the downstream routers, are very low. Therefore, PPM requires a high
number of packets to reconstruct the attack path as the victim has to wait for the marked packets
from the earlier router on the attack path. Dynamic PPM uses dynamic marking probability p=
1/d, where d is the travelling distance. The travelling distance was deduced from the TTL value in
the IP header by most of the proposed Dynamic PPM techniques [10, 15, 17]. All of the dynamic
PPM TTL-based techniques are suffering from two drawbacks. First, the initial TTL value is
system dependent which means the value would be changing based on the used system. Second,
the attacker can intentionally inject packets with different TTL to confuse the technique. Fig. 4
shows a comparison between using PPM with fixed and changing probability for all routers along
the attack path. It is clear that using a changing probability for each router along the attack path
would give a significant difference over using a fixed probability. Our technique will mark the
packets probabilistically with a dynamic marking probability. However, our marking probability
will be p = 1/(a-2), where a is the number of ASs from the AS of attacker to the AS of the victim.
Since our technique performs traceback at the AS level, a can be known in advance and this helps
optimize the marking probability. Therefore, the attacker will not be able to influence the value of
a as it is derived in the ASBR from BGP table, unlike other techniques. Our technique will use
node sampling as a marking algorithm unlike PPM where the edge sampling is used as the
marking algorithm.
Figure 4. PPM with fixed and dynamic probability.
BGP is used to route packets between ASs via autonomous system border routers (ASBRs). Each
ASBR will have a full reachability table for other ASBRs. For any received packets by ASBR,
the BGP table will be checked and a full path to the required destination, is provided. For
illustration purpose, the example in Fig.1 will be used for explaining our technique. The attacking
packets will leave the AS_source from the ASBR_Src. Once the ASBR_Src receives a packet,
BGP will be checked and the reachability path is extracted. The marking probability P is
calculated from the extracted path. Based on the marking probability, ASBR_Scr will decide if
the packet is going to be marked or not. If the ASBR_Scr decides to mark the packets, the hash
138
9. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
value of the 32 bit AS number is injected inside the AS_ID field which is 22 bits. Distance is a 3
bit field which keeps track of travelling distance and starts from the AS that marks the packet to
the destination AS. The distance field will reset to zero by the marking router and increment by 1
for non-marking ASBR. The distance field will help the victim in ordering the samples for path
reconstruction. Overwriting is allowed by downstream ASBRs and if a packet is unmarked by
ASBR_Src, it has to be marked by downstream ASBRs such as ASBR1 or ASBR2 or ASBR3.
The required fields for our technique can be shown in Table 2 and the proposed marking
algorithm presented in Fig. 5. By design, number of unmarked packets is significantly reduced
comparing to PPM and AS_PPM(see performance and analysis section).
Table 2. Required Fields for EAST.
AS_ID AS_Dist
22 bits 3 bits
Figure 5. EAST algorithm
5.3. Performance and Analysis
In order to design a traceback technique that performs better than PPM in terms of number of
required packets to reconstruct the path and uncertainty, the marking probability has to be chosen
carefully. We started with the choice of dynamic marking instead of fixed probability. Simulation
results in Fig.4 show that using dynamic marking is advantageous over static marking. Then we
have studied how to improve and choose the right dynamic marking probability. The problem
with most of proposed techniques is the distance. Some techniques assume fixed probability and
some deduce the distance from TTL field. Here, we are taking the advantage of the AS full path
where the distance is known in advance. According to Muhlbauer [12], in 99% of cases, a packet
traversing from source to destination passes 6 ASs or less. We believe that knowing half of the
AS path would be enough to determine the AS of the attacker. We propose to exclude the last two
AS out of the marking probability considerations since the AS of the victim is part of the AS full
path. Indeed, simulation in Fig.6 shows a better performance than PPM and AAST by using a
marking probability of p = 1/ (a-2) . The required number of packets to reconstruct the attack path
for EAST is less than AAST and PPM. Unmarked packets are significantly reduced comparing to
PPM and AAST. Fig.7 shows number of unmarked packets by each technique. It is clear that
there are no unmarked packets with EAST and this is due to the design of marking probability. A
comparison between EAST and Dynamic PPM (DPPM) is shown in Fig.8. It is clear that EAST
139
10. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
converges faster than DPPM with the proposed marking probability. The value of p was also
tested experimentally to be the best.
Figure 6. EAST and other techniques comparison
Figure 7. Comparison for unmarked packets
140
11. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
Figure 8. EAST and Dynamic PPM comparison
6. CONCLUSION
DoS is considered to be a high security threat in the internet today. To traceback the origin of the
attack is a challenging process as the attacker could spoof his identity. Here two AS based packet
marking techniques have been proposed. Prevent overwriting AS traceback (POAST) has been
shown that it has advantages over PPM in that fewer routers are involved in the marking process,
thus reducing router overhead, and additionally intra-domain topology information is not
disclosed both of which are desirable features for network operators. The system can uniquely
inform the victim of the originating AS and this information is given high emphasis through high
marking probability in the first AS hop. The marking probability is investigated and a dynamic
marking probability has been suggested which is based on AS hop count that is determined from
BGP tables. In order to traceback the AS of the attacker with a full path, efficient AS traceback
(EAST) has been proposed. While there have been a number of attempts at overloading the
current IP forwarding process to provide traceback, they have significant disadvantages. The
EAST technique proposed here circumvents many of the disadvantages of other techniques in that
it reduces the number of routers involved in the marking and converges to a valid traceback value
in fewer packets. Moreover, EAST eliminates unmarked packets which could be used by the
attacker to confuse the traceback technique.
REFERENCES
[1] ArborNetworks, "Worldwide Infrastructure Security Report," 2008.
[2] S. Savage, et al., "Network Support for IP Traceback " IEEE/ACM Transactions on Networking
(TON), vol. 9, JUNE 2001.
[3] S. M. A. Belenky and N. Ansari, IEEE, "IP Traceback With Deterministic Packet Marking," IEEE
COMMUNICATIONS LETTERS, vol. 7, APRIL 2003.
[4] H. Burch and B. Cheswick, "Tracing anonymous packets to their approximate source," in LISA Dec
2000, pp. 319-327
[5] M. L. Steve Bellovin, Tom Taylor, "ICMP Traceback messages," Network Working Group, Internet
Engineering Task Force (IETF)February 2003.
[6] M. T. Goodrich, "Probabilistic packet marking for large-scale IP traceback," Networking, IEEE/ACM
Transactions on, vol. 16, pp. 15-24, 2008.
[7] W. Z. Shui Yu, Robin Doss,Weijia Jia, "Traceback of DDoS Attacks using Entropy Variations " IEEE
Transactions on Parallel and Distributed Systems, vol. 22 pp. 412 - 425, 20 May 2010 March 2011.
141
12. International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
[8] H. ALJIFRI, "IP Traceback: A New Denial-of-Service Deterrent?," Security & Privacy, vol. 1, pp. 24-
31, 2003.
[9] X. Wang, et al., "A Fast Deterministic Packet Marking Scheme for IP Traceback," in International
Conference on Multimedia Information Networking and Security, Hubei, China 2009, pp. 526-529.
[10] J. Liu, et al., "Dynamic probabilistic packet marking for efficient IP traceback," Computer Networks,
vol. 51, pp. 866-882, 2007.
[11] V. Paruchuri, et al., "Authenticated autonomous system traceback," in 18th International Conference
on Advanced Information Networking and Application (AINA’04), 2004, pp. 406-413 Vol. 1.
[12] W. Mühlbauer, et al., "Building an AS-topology model that captures route diversity," ACM
SIGCOMM Computer Communication Review, vol. 36, pp. 195-206, 2006.
[13] B. Zhang, et al., "Collecting the internet AS-level topology," ACM SIGCOMM Computer
Communication Review, vol. 35, pp. 53-61, 2005.
[14] G. Huston, "Exploring Autonomous System Numbers," The Internet Protocol Journal vol. Volume
9,Number 1, pp. 2-23, March 2006.
[15] A. D. a. S. C. Vamsi Paruchuri, "TTL based Packet Marking for IP Traceback," presented at the
GLOBECOM '08 New Orleans, LO, 2008.
[16] Z. Gao and N. Ansari, "A practical and robust inter-domain marking scheme for IP traceback,"
Computer Networks, vol. 51, pp. 732-750, 2007.
[17] J. B. Hongcheng Tian, Xiaoke Jiang and Wei Zhang, "A Probabilistic Marking Scheme for Fast
Traceback," in 2nd International Conference on Evolving Internet, Valencia. Spain, 2010.
Authors
Mohammed Alenezi received his B.E. in Computer Engineer from Kuwait University, College of
Engineering & Petroleum in 2001. He got his Master degree in Information Networks from Essex
University , UK, in 2008. Currently, he is a PhD student at Essex University.
Dr Martin Reed is a Senior Lecturer in the School of Computer Science and Electronic Engineering at
the University of Essex in the UK. His main research interests are network control, network security and
audio/video media transport. He has been involved in, a number of EU or EPSRC research funded projects
in these areas. Current projects include the EU FP-7 funded project PURSUIT and a project with BT in the
area of audio transport over networks.
142