Passive IP traceback (PIT) is a novel solution that can identify the locations of IP spoofers without deploying additional mechanisms. PIT analyzes Internet Control Message Protocol (ICMP) error messages, called path backscatter, that are generated and sent by routers when they fail to forward spoofing packets due to reasons like exceeding time-to-live (TTL). By tracking path backscatter messages based on topology and routing information, PIT can disclose locations closer to the spoofers. The paper demonstrates PIT's processes and effectiveness, and applies it to a path backscatter dataset to find spoofers in specific autonomous systems. PIT provides a useful mechanism to trace spoofers before an Internet-level traceback system is deployed.
Passive ip traceback disclosing the locationsjpstudcorner
This paper proposes a new passive IP traceback technique called Passive IP Traceback (PIT) to trace spoofed IP addresses without requiring deployment on routers. PIT analyzes Internet Control Message Protocol error messages called "path backscatter" that are triggered by spoofing traffic and can disclose the locations of spoofers. Existing IP traceback methods face challenges in router deployment and inter-ISP collaboration. PIT overcomes these challenges by passively collecting path backscatter messages without changes to the network. The paper demonstrates PIT's effectiveness in tracing spoofers using a dataset of path backscatter messages.
The document provides an overview of existing IP traceback mechanisms, including controlled flooding, input debugging, overlay networks, probabilistic packet marking, deterministic packet marking, packet messaging, packet logging, and hybrid approaches. It discusses taxonomy, capabilities, evaluation criteria, comparisons of mechanisms, and applications of traceback. The conclusion questions whether traceback is truly needed given current intrusion detection and prevention capabilities.
Passive ip traceback disclosing the locations of ip spoofers from path backscShakas Technologies
It is long known attackers may use forged source IP address to conceal their real locations. To capture the spoofers, a number of IP traceback mechanisms have been proposed. However, due to the challenges of deployment, there has been not a widely adopted IP traceback solution, at least at the Internet level.
Passive ip traceback disclosing the locations of ip spoofers from path backsc...Shakas Technologies
It is long known attackers may use forged source IP address to conceal their real locations. To capture the spoofers, a number of IP traceback mechanisms have been proposed. However, due to the challenges of deployment, there has been not a widely adopted IP traceback solution, at least at the Internet level. As a result, the mist on the locations of spoofers has never been dissipated till now
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
The document discusses IP traceback security. It provides an overview of traceback systems and classifications of traceback methods including ingress filtering, link testing, logging, ICMP traceback, packet marking algorithms like deterministic packet marking and probabilistic packet marking, flexible deterministic packet marking traceback, and topology based packet marking traceback. It also discusses technologies for preventing network attacks like firewalls and intrusion detection. It covers limitations, challenges, and future work of IP traceback.
Speedy ip trace back(sipt) for identifying sadhanSadan Kumar
The document proposes a new method called Speedy IP Traceback (SIPT) to identify denial-of-service attacks. SIPT works by having routers insert the media access control (MAC) address of the client and the router's IP address into packets. This allows the destination to identify the attacker's boundary router and MAC address, tracing the attack path. Traditionally, mechanisms like ingress filtering, link testing, and packet marking have been used but have not kept pace with evolving attacks. SIPT provides a more direct way to find the router connected to the attacker.
Passive ip traceback disclosing the locationsjpstudcorner
This paper proposes a new passive IP traceback technique called Passive IP Traceback (PIT) to trace spoofed IP addresses without requiring deployment on routers. PIT analyzes Internet Control Message Protocol error messages called "path backscatter" that are triggered by spoofing traffic and can disclose the locations of spoofers. Existing IP traceback methods face challenges in router deployment and inter-ISP collaboration. PIT overcomes these challenges by passively collecting path backscatter messages without changes to the network. The paper demonstrates PIT's effectiveness in tracing spoofers using a dataset of path backscatter messages.
The document provides an overview of existing IP traceback mechanisms, including controlled flooding, input debugging, overlay networks, probabilistic packet marking, deterministic packet marking, packet messaging, packet logging, and hybrid approaches. It discusses taxonomy, capabilities, evaluation criteria, comparisons of mechanisms, and applications of traceback. The conclusion questions whether traceback is truly needed given current intrusion detection and prevention capabilities.
Passive ip traceback disclosing the locations of ip spoofers from path backscShakas Technologies
It is long known attackers may use forged source IP address to conceal their real locations. To capture the spoofers, a number of IP traceback mechanisms have been proposed. However, due to the challenges of deployment, there has been not a widely adopted IP traceback solution, at least at the Internet level.
Passive ip traceback disclosing the locations of ip spoofers from path backsc...Shakas Technologies
It is long known attackers may use forged source IP address to conceal their real locations. To capture the spoofers, a number of IP traceback mechanisms have been proposed. However, due to the challenges of deployment, there has been not a widely adopted IP traceback solution, at least at the Internet level. As a result, the mist on the locations of spoofers has never been dissipated till now
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
The document discusses IP traceback security. It provides an overview of traceback systems and classifications of traceback methods including ingress filtering, link testing, logging, ICMP traceback, packet marking algorithms like deterministic packet marking and probabilistic packet marking, flexible deterministic packet marking traceback, and topology based packet marking traceback. It also discusses technologies for preventing network attacks like firewalls and intrusion detection. It covers limitations, challenges, and future work of IP traceback.
Speedy ip trace back(sipt) for identifying sadhanSadan Kumar
The document proposes a new method called Speedy IP Traceback (SIPT) to identify denial-of-service attacks. SIPT works by having routers insert the media access control (MAC) address of the client and the router's IP address into packets. This allows the destination to identify the attacker's boundary router and MAC address, tracing the attack path. Traditionally, mechanisms like ingress filtering, link testing, and packet marking have been used but have not kept pace with evolving attacks. SIPT provides a more direct way to find the router connected to the attacker.
Abstract: Forged source IP addresses are used by the attackers to hide the locations. For finding the locations of the attackers IP Traceback Mechanism have been used. IP Traceback approaches can be classified in to Packet Marking, ICMP Traceback, Logging on the Router, Link Testing, Overlay and Hybrid Tracing, Based on the captured backscatter messages spoofing activities are still frequently observed. The IP Traceback system on the internet contain with two critical challenges. The first one is the cost to adopt a traceback mechanism in the routing system. It introduces considerable overhead to the routers generation, packet logging, especially in the high performance networks. The second one is the difficulty to make Internet Service Providers(ISP) collobrate. Attackers spread over every corner of the world, single ISPs to deploy its own traceback system is meaningless. ISPs are generally lack of explicit incentive to help clients of the others to trace attackers in their managed system. There are lot of IP traceback mechanisms and large number of spoofing activities observed , but the real locations of spoofers still remain mystery. Due to the some of the drawbacks it has not been widely used to trace the IP traceback solution. Finally, it was not used to find the locations of the attackers. To overcome the drawback of IP traceback mechanism we propose a Passive IP Traceback Mechanism(PIT). The router may generate an ICMP error message and send the message to the spoofed source addresses. The routers can be close to the attackers, the path backscatter messages may disclose the locations of the attackers. PIT can work in a number of spoofing activities. This technique uses the ICMP features and find the attackers by applying PIT on the ICMP dataset, a number of locations of attackers are captured and presented. As a result, these technique reveal IP spoofing, but it was not well understood. In future, it may be the most suitable mechanism for tracing the attackers on the Internet Level Traceback System.
Keywords: IP Traceback, packet logging, path backscatter, hybrid tracing, link testing.
Title: REVEALING THE LOCATIONS OF IP SPOOFERS FROM ICMP
Author: J Saranya, Dr. A J Deepa
ISSN 2350-1022
International Journal of Recent Research in Mathematics Computer Science and Information Technology
Paper Publications
This document discusses distributed denial-of-service (DDoS) attacks and methods to defend against them. It defines a DDoS attack as utilizing many compromised machines to flood a target with traffic in order to overwhelm it. The document then outlines techniques like IP traceback, probabilistic packet marking, and pushback that can help identify attackers and rate limit malicious traffic closer to its source in order to mitigate DDoS attacks.
An enhanced ip traceback mechanism for tracking the attack source using packe...IAEME Publication
The document discusses an enhanced IP traceback mechanism (EITM) to more efficiently trace the source of distributed denial of service (DDoS) attacks. EITM aims to reduce the number of packets required for traceback by improving existing linear and remainder packet marking schemes. It analyzes challenges in tracing attackers due to the stateless nature of the internet and proposes that an effective traceback scheme minimizes required packets. The main goal is a mechanism that needs a number of packets almost equal to the number of hops to reconstruct the attack path more efficiently.
This document describes the implementation of a packet sniffer using Python. It explains what packet sniffing is and how it works by capturing network packets and examining the packet headers. It then outlines the steps to create a raw socket in Python and parse the TCP/IP headers to retrieve information from incoming packets like source/destination addresses and ports. The results of the packet sniffer are demonstrated and examples of common uses for network troubleshooting and traffic analysis are provided.
The document describes a packet sniffer program and how it works. It explains that packet sniffing involves capturing network traffic and analyzing it to gather useful information. It then discusses how packet sniffers work by listening to broadcast data on a local network. Finally, it provides details on the types of information that can be gathered from sniffed packets, such as usernames, passwords, emails, and websites visited.
Ijricit 01-001 pipt - path backscatter mechanism for unveiling real location ...Ijripublishers Ijri
There is a necessity to think over IP traceback technique that help us to track or predict IP address details of malicious
attackers and reveal their actual locations. In spite of lot of research over IP traceback solutions, still there is a necessity
to find an optimal solution that could be implemented at the level of Internet. Real identity of spoofers couldn’t be
revealed by conventional techniques used until today. Through this paper we emphasize primarily on traceback of passive
IP (PIPT) that avoid the procedural risks involved in implementing IP traceback solutions. Path Backscatter (Internet
Control Message Protocol (ICMP) error messages) is probed by PIPT. Spoofing traffic fires these Backscatter, in order to
find the details of spoofer’s topological physical identity and bypasses procedural risks.
Impacts of normal mode and complication mode over Router topological structure are visualized. Nodal info tracker
over parameter i.e Bandwidth, digital sign, source IP, Dest IP and attack status on three network parameters. Spoofing
has been performed on IP addresses, packet data and bandwidth .These three parameter i.e IP addresses, packet data,
bandwidth status and topological nature are been demonstrated through technical stimulation. From the study made
we are able to assure optimized technique of traceback system through PIPT, in order to face the challenges of deployment
at internet level.
BYPASSING OF DEPLOYMENT DIFFICULTIES OF IP TRACEBACK TECHNIQUES USING NEW PAS...Journal For Research
Because so many decades World Wide Web has been used broadly in numerous fields, network safety problems include the main matter. IP traceback is just the actual method to understand the actual purpose, it reconstructs IP packets traversed path inside the World Wide Web to determine their own roots. IP Traceback may be an important ability for characteristics sources of attacks and Starting protection measures for the Internet. This paper discovers different IP Traceback approaches. This comparative paper provides as well as extends many technologies to prevent the secured information from the network issues by using different IP traceback techniques.
Efficient packet marking for large scale ip trace back(synopsis)Mumbai Academisc
This document proposes a new probabilistic packet marking (PPM) approach for large-scale IP traceback that improves efficiency and accuracy of traceback and provides incentives for ISPs to deploy traceback. The approach uses a new IP header encoding scheme to store a router's full identification in a single packet, eliminating issues from fragmented IDs. It also does not disclose router IP addresses, alleviating security concerns for ISPs. The approach can control the distribution of marking information to potentially create revenue as a value-added service for ISPs.
The document proposes two new autonomous system (AS) traceback techniques to identify the AS of the attacker launching a denial-of-service (DoS) attack. The first technique, called Prevent Overwriting AS Traceback (POAST), marks packets with a dynamic probability and protects marked packets from being overwritten. It encodes the attacking AS number instead of router IP addresses. The second technique, called Efficient AS Traceback (EAST), is also described but not in detail. Both are evaluated to have better performance than existing probabilistic packet marking techniques for traceback by reducing the number of packets and routers required.
because so many decades World Wide Web has been used broadly in numerous fields, network safety problems include the main matter. IP traceback is just the actual method to understand the actual purpose, it reconstructs IP packets traversed path inside the World Wide Web to determine their own roots. IP Traceback may be an important ability for characteristics sources of attacks and Starting protection measures for the Internet. This paper discovers different IP Traceback approaches. This comparative paper provides as well as extends many technologies to prevent the secured information from the network issues by using different IP traceback techniques.
This document discusses packet filtering and summarizes key points in 3 parts. Part 1 covers motivating examples and generic architecture design. Part 2 lists popular libraries like Libpcap() and Libipq() that provide interfaces for packet monitoring, filtering and verdicts. Part 3 discusses loopholes in dynamic filtering and efficiency, and proposes solutions like Bloom filters to reduce packet forwarding and constant memory usage.
A precise termination condition of the probabilistic packet marking algorithm...Mumbai Academisc
This document summarizes a research project that proposes a precise termination condition for the probabilistic packet marking (PPM) algorithm. The PPM algorithm allows routers to encode path information onto packets during a denial of service (DoS) attack, enabling the victim to reconstruct the attack graph. However, the existing PPM algorithm lacks a well-defined termination condition, and cannot handle multiple attackers. The proposed project aims to define a termination condition to ensure the reconstructed graph accurately represents the actual attack paths. It also extends the algorithm to support tracing packets from multiple attackers.
IRJET-A Survey On Opportunistic Piggyback Marking For IP Trace BackIRJET Journal
This document summarizes a survey on opportunistic piggyback marking for IP traceback. It discusses how existing marking-based traceback approaches have issues with slow traceback completion times and high router overhead. The paper proposes opportunistic piggyback marking to address these issues by decoupling traceback message encoding from delivery and exploiting opportunities to piggyback messages to expedite and robust delivery with low overhead. Simulation results demonstrate this approach reduces completion delay and router processing compared to baselines.
The document summarizes a seminar report on packet sniffing submitted by four students. It discusses different packet sniffing methods like IP-based, MAC-based, and ARP-based sniffing. It also explains how Anti-Sniff tries to detect these sniffing programs using MAC address detection and DNS detection methods. The report analyzes how packet sniffers work on both shared and switched Ethernet networks and their various uses for both network troubleshooting and unauthorized access purposes. Common sniffing tools like tcpdump, sniffit, and ethereal are also mentioned.
This document summarizes a research paper that proposes improvements to the probabilistic packet marking (PPM) algorithm for detecting the path of distributed denial-of-service attacks. The PPM algorithm allows routers to mark attack packets with identification information based on a predetermined probability. However, its termination condition is not well-defined, which can result in an incorrectly constructed attack path. The paper proposes a modified PPM algorithm called rectified PPM (RPPM) that defines a precise termination condition to guarantee the constructed attack path is correct with a specified level of confidence. An experimental framework is designed to test the RPPM algorithm under different packet marking probabilities and network structures.
Packet capture is a computer networking term for intercepting a data packet that is crossing or moving over a specific computer network. Once a packet is captured, it is stored temporarily so that it can be analyzed. The packet is inspected to help diagnose and solve network problems and determine whether network security policies are being followed. Hackers can also use packet capturing techniques to steal data that is being transmitted over a network.
A firewall of any description is a must for any user connecting to the Internet.
DPI proves to be a better security centric technology than SPI. However, from a security point of view
However, for a truly effective platform a dedicated hardware firewall with DPI provides the best all-round solution and goes a long way to securing networks from the more sophisticated and damaging Internet threats.
Security Issues in Next Generation IP and Migration NetworksIOSR Journals
This document discusses security issues related to the migration from IPv4 to IPv6 networks. It analyzes common network attacks in IPv4 and how they may impact IPv6 networks. These attacks include reconnaissance attacks, host initialization attacks, broadcast amplification attacks, header manipulation attacks, routing attacks, and firewall evasion through fragmentation. The document provides guidelines to mitigate each of these attacks, such as using random node IDs, securing neighbor discovery protocols, ingress filtering of packets, and deep packet inspection. It addresses that while IPv6 aims to improve security over IPv4, vulnerabilities will still exist and many attacks will continue in a polymorphic manner during the migration process when both protocols must coexist.
Passive IP Traceback: Disclosing the Locations of IP Spoofers from Path Backs...1crore projects
PIT is a passive IP traceback technique that tracks the locations of IP spoofers using path backscatter messages generated by routers. When spoofing traffic fails to be forwarded, routers may generate ICMP error messages containing path information and send them to the spoofed source address. PIT collects these path backscatter messages and uses topology and routing data to infer the locations of spoofers without any additional deployment. By applying PIT to an existing path backscatter dataset, several ASes where spoofers were located were identified, representing the first public disclosure of spoofer locations.
This document proposes a novel method to defend against IP spoofing attacks using packet filtering and marking techniques. It involves a network architecture model with trusted nodes that can access each other after authentication. The proposed method uses packet tracing and cooperation between trusted adjacent nodes to detect and block spoofed packets entering the trusted network from external sources. It aims to effectively defend against distributed denial of service attacks and IP spoofing attacks.
This document summarizes a research paper that proposes an inter-domain packet filter (IDPF) architecture to mitigate IP spoofing on the Internet. The IDPF constructs packet filters from information in Border Gateway Protocol (BGP) route updates and deploys them in network border routers. The IDPF framework is shown to correctly filter packets with valid source addresses, based on the single-path routing assumption. Simulation results demonstrate that even partial IDPF deployment can effectively limit spoofing capability and help localize attack origins. The paper establishes the relationship between IDPF effectiveness and the power-law topology of Internet autonomous systems.
IP spoofing is a method of attacking a network by disguising the source IP address of packets sent to a target. The attacker determines the IP address of a trusted machine and spoofs packets to appear to come from that machine. This allows the attacker to potentially gain unauthorized access to the target system. Successful IP spoofing exploits flaws in the TCP/IP protocol that allow modification of source IP addresses but rely on the destination address for routing responses. Defenses include packet filtering, filtering at routers, encryption, and cryptographic methods.
Abstract: Forged source IP addresses are used by the attackers to hide the locations. For finding the locations of the attackers IP Traceback Mechanism have been used. IP Traceback approaches can be classified in to Packet Marking, ICMP Traceback, Logging on the Router, Link Testing, Overlay and Hybrid Tracing, Based on the captured backscatter messages spoofing activities are still frequently observed. The IP Traceback system on the internet contain with two critical challenges. The first one is the cost to adopt a traceback mechanism in the routing system. It introduces considerable overhead to the routers generation, packet logging, especially in the high performance networks. The second one is the difficulty to make Internet Service Providers(ISP) collobrate. Attackers spread over every corner of the world, single ISPs to deploy its own traceback system is meaningless. ISPs are generally lack of explicit incentive to help clients of the others to trace attackers in their managed system. There are lot of IP traceback mechanisms and large number of spoofing activities observed , but the real locations of spoofers still remain mystery. Due to the some of the drawbacks it has not been widely used to trace the IP traceback solution. Finally, it was not used to find the locations of the attackers. To overcome the drawback of IP traceback mechanism we propose a Passive IP Traceback Mechanism(PIT). The router may generate an ICMP error message and send the message to the spoofed source addresses. The routers can be close to the attackers, the path backscatter messages may disclose the locations of the attackers. PIT can work in a number of spoofing activities. This technique uses the ICMP features and find the attackers by applying PIT on the ICMP dataset, a number of locations of attackers are captured and presented. As a result, these technique reveal IP spoofing, but it was not well understood. In future, it may be the most suitable mechanism for tracing the attackers on the Internet Level Traceback System.
Keywords: IP Traceback, packet logging, path backscatter, hybrid tracing, link testing.
Title: REVEALING THE LOCATIONS OF IP SPOOFERS FROM ICMP
Author: J Saranya, Dr. A J Deepa
ISSN 2350-1022
International Journal of Recent Research in Mathematics Computer Science and Information Technology
Paper Publications
This document discusses distributed denial-of-service (DDoS) attacks and methods to defend against them. It defines a DDoS attack as utilizing many compromised machines to flood a target with traffic in order to overwhelm it. The document then outlines techniques like IP traceback, probabilistic packet marking, and pushback that can help identify attackers and rate limit malicious traffic closer to its source in order to mitigate DDoS attacks.
An enhanced ip traceback mechanism for tracking the attack source using packe...IAEME Publication
The document discusses an enhanced IP traceback mechanism (EITM) to more efficiently trace the source of distributed denial of service (DDoS) attacks. EITM aims to reduce the number of packets required for traceback by improving existing linear and remainder packet marking schemes. It analyzes challenges in tracing attackers due to the stateless nature of the internet and proposes that an effective traceback scheme minimizes required packets. The main goal is a mechanism that needs a number of packets almost equal to the number of hops to reconstruct the attack path more efficiently.
This document describes the implementation of a packet sniffer using Python. It explains what packet sniffing is and how it works by capturing network packets and examining the packet headers. It then outlines the steps to create a raw socket in Python and parse the TCP/IP headers to retrieve information from incoming packets like source/destination addresses and ports. The results of the packet sniffer are demonstrated and examples of common uses for network troubleshooting and traffic analysis are provided.
The document describes a packet sniffer program and how it works. It explains that packet sniffing involves capturing network traffic and analyzing it to gather useful information. It then discusses how packet sniffers work by listening to broadcast data on a local network. Finally, it provides details on the types of information that can be gathered from sniffed packets, such as usernames, passwords, emails, and websites visited.
Ijricit 01-001 pipt - path backscatter mechanism for unveiling real location ...Ijripublishers Ijri
There is a necessity to think over IP traceback technique that help us to track or predict IP address details of malicious
attackers and reveal their actual locations. In spite of lot of research over IP traceback solutions, still there is a necessity
to find an optimal solution that could be implemented at the level of Internet. Real identity of spoofers couldn’t be
revealed by conventional techniques used until today. Through this paper we emphasize primarily on traceback of passive
IP (PIPT) that avoid the procedural risks involved in implementing IP traceback solutions. Path Backscatter (Internet
Control Message Protocol (ICMP) error messages) is probed by PIPT. Spoofing traffic fires these Backscatter, in order to
find the details of spoofer’s topological physical identity and bypasses procedural risks.
Impacts of normal mode and complication mode over Router topological structure are visualized. Nodal info tracker
over parameter i.e Bandwidth, digital sign, source IP, Dest IP and attack status on three network parameters. Spoofing
has been performed on IP addresses, packet data and bandwidth .These three parameter i.e IP addresses, packet data,
bandwidth status and topological nature are been demonstrated through technical stimulation. From the study made
we are able to assure optimized technique of traceback system through PIPT, in order to face the challenges of deployment
at internet level.
BYPASSING OF DEPLOYMENT DIFFICULTIES OF IP TRACEBACK TECHNIQUES USING NEW PAS...Journal For Research
Because so many decades World Wide Web has been used broadly in numerous fields, network safety problems include the main matter. IP traceback is just the actual method to understand the actual purpose, it reconstructs IP packets traversed path inside the World Wide Web to determine their own roots. IP Traceback may be an important ability for characteristics sources of attacks and Starting protection measures for the Internet. This paper discovers different IP Traceback approaches. This comparative paper provides as well as extends many technologies to prevent the secured information from the network issues by using different IP traceback techniques.
Efficient packet marking for large scale ip trace back(synopsis)Mumbai Academisc
This document proposes a new probabilistic packet marking (PPM) approach for large-scale IP traceback that improves efficiency and accuracy of traceback and provides incentives for ISPs to deploy traceback. The approach uses a new IP header encoding scheme to store a router's full identification in a single packet, eliminating issues from fragmented IDs. It also does not disclose router IP addresses, alleviating security concerns for ISPs. The approach can control the distribution of marking information to potentially create revenue as a value-added service for ISPs.
The document proposes two new autonomous system (AS) traceback techniques to identify the AS of the attacker launching a denial-of-service (DoS) attack. The first technique, called Prevent Overwriting AS Traceback (POAST), marks packets with a dynamic probability and protects marked packets from being overwritten. It encodes the attacking AS number instead of router IP addresses. The second technique, called Efficient AS Traceback (EAST), is also described but not in detail. Both are evaluated to have better performance than existing probabilistic packet marking techniques for traceback by reducing the number of packets and routers required.
because so many decades World Wide Web has been used broadly in numerous fields, network safety problems include the main matter. IP traceback is just the actual method to understand the actual purpose, it reconstructs IP packets traversed path inside the World Wide Web to determine their own roots. IP Traceback may be an important ability for characteristics sources of attacks and Starting protection measures for the Internet. This paper discovers different IP Traceback approaches. This comparative paper provides as well as extends many technologies to prevent the secured information from the network issues by using different IP traceback techniques.
This document discusses packet filtering and summarizes key points in 3 parts. Part 1 covers motivating examples and generic architecture design. Part 2 lists popular libraries like Libpcap() and Libipq() that provide interfaces for packet monitoring, filtering and verdicts. Part 3 discusses loopholes in dynamic filtering and efficiency, and proposes solutions like Bloom filters to reduce packet forwarding and constant memory usage.
A precise termination condition of the probabilistic packet marking algorithm...Mumbai Academisc
This document summarizes a research project that proposes a precise termination condition for the probabilistic packet marking (PPM) algorithm. The PPM algorithm allows routers to encode path information onto packets during a denial of service (DoS) attack, enabling the victim to reconstruct the attack graph. However, the existing PPM algorithm lacks a well-defined termination condition, and cannot handle multiple attackers. The proposed project aims to define a termination condition to ensure the reconstructed graph accurately represents the actual attack paths. It also extends the algorithm to support tracing packets from multiple attackers.
IRJET-A Survey On Opportunistic Piggyback Marking For IP Trace BackIRJET Journal
This document summarizes a survey on opportunistic piggyback marking for IP traceback. It discusses how existing marking-based traceback approaches have issues with slow traceback completion times and high router overhead. The paper proposes opportunistic piggyback marking to address these issues by decoupling traceback message encoding from delivery and exploiting opportunities to piggyback messages to expedite and robust delivery with low overhead. Simulation results demonstrate this approach reduces completion delay and router processing compared to baselines.
The document summarizes a seminar report on packet sniffing submitted by four students. It discusses different packet sniffing methods like IP-based, MAC-based, and ARP-based sniffing. It also explains how Anti-Sniff tries to detect these sniffing programs using MAC address detection and DNS detection methods. The report analyzes how packet sniffers work on both shared and switched Ethernet networks and their various uses for both network troubleshooting and unauthorized access purposes. Common sniffing tools like tcpdump, sniffit, and ethereal are also mentioned.
This document summarizes a research paper that proposes improvements to the probabilistic packet marking (PPM) algorithm for detecting the path of distributed denial-of-service attacks. The PPM algorithm allows routers to mark attack packets with identification information based on a predetermined probability. However, its termination condition is not well-defined, which can result in an incorrectly constructed attack path. The paper proposes a modified PPM algorithm called rectified PPM (RPPM) that defines a precise termination condition to guarantee the constructed attack path is correct with a specified level of confidence. An experimental framework is designed to test the RPPM algorithm under different packet marking probabilities and network structures.
Packet capture is a computer networking term for intercepting a data packet that is crossing or moving over a specific computer network. Once a packet is captured, it is stored temporarily so that it can be analyzed. The packet is inspected to help diagnose and solve network problems and determine whether network security policies are being followed. Hackers can also use packet capturing techniques to steal data that is being transmitted over a network.
A firewall of any description is a must for any user connecting to the Internet.
DPI proves to be a better security centric technology than SPI. However, from a security point of view
However, for a truly effective platform a dedicated hardware firewall with DPI provides the best all-round solution and goes a long way to securing networks from the more sophisticated and damaging Internet threats.
Security Issues in Next Generation IP and Migration NetworksIOSR Journals
This document discusses security issues related to the migration from IPv4 to IPv6 networks. It analyzes common network attacks in IPv4 and how they may impact IPv6 networks. These attacks include reconnaissance attacks, host initialization attacks, broadcast amplification attacks, header manipulation attacks, routing attacks, and firewall evasion through fragmentation. The document provides guidelines to mitigate each of these attacks, such as using random node IDs, securing neighbor discovery protocols, ingress filtering of packets, and deep packet inspection. It addresses that while IPv6 aims to improve security over IPv4, vulnerabilities will still exist and many attacks will continue in a polymorphic manner during the migration process when both protocols must coexist.
Passive IP Traceback: Disclosing the Locations of IP Spoofers from Path Backs...1crore projects
PIT is a passive IP traceback technique that tracks the locations of IP spoofers using path backscatter messages generated by routers. When spoofing traffic fails to be forwarded, routers may generate ICMP error messages containing path information and send them to the spoofed source address. PIT collects these path backscatter messages and uses topology and routing data to infer the locations of spoofers without any additional deployment. By applying PIT to an existing path backscatter dataset, several ASes where spoofers were located were identified, representing the first public disclosure of spoofer locations.
This document proposes a novel method to defend against IP spoofing attacks using packet filtering and marking techniques. It involves a network architecture model with trusted nodes that can access each other after authentication. The proposed method uses packet tracing and cooperation between trusted adjacent nodes to detect and block spoofed packets entering the trusted network from external sources. It aims to effectively defend against distributed denial of service attacks and IP spoofing attacks.
This document summarizes a research paper that proposes an inter-domain packet filter (IDPF) architecture to mitigate IP spoofing on the Internet. The IDPF constructs packet filters from information in Border Gateway Protocol (BGP) route updates and deploys them in network border routers. The IDPF framework is shown to correctly filter packets with valid source addresses, based on the single-path routing assumption. Simulation results demonstrate that even partial IDPF deployment can effectively limit spoofing capability and help localize attack origins. The paper establishes the relationship between IDPF effectiveness and the power-law topology of Internet autonomous systems.
IP spoofing is a method of attacking a network by disguising the source IP address of packets sent to a target. The attacker determines the IP address of a trusted machine and spoofs packets to appear to come from that machine. This allows the attacker to potentially gain unauthorized access to the target system. Successful IP spoofing exploits flaws in the TCP/IP protocol that allow modification of source IP addresses but rely on the destination address for routing responses. Defenses include packet filtering, filtering at routers, encryption, and cryptographic methods.
EFFICIENT DEFENSE SYSTEM FOR IP SPOOFING IN NETWORKScscpconf
In this age of gigabit Ethernet and broadband internet, network security has been the top
priority for most of the researchers. Technology advancements have advantages as well as
disadvantages. Most of the communication of present world, the e-world, takes place online,
through the internet. Thus the context of network intrusions and attacks to hack into servers also
came into existence. A technique to perform this activity is made possible by preventing the
discovery of the sender’s identity through IP Spoofing [7]. Many popular internet sites have
been hacked and attackers try to forge or spoof the source addresses in IP packets. Using
spoofing detection technique, the user can retrieve the list of IP addresses and able to identify
the malicious IP addresses.Hence mechanisms must be designed to prevent hacking. This paper
proposes a novel technique to detect IP spoofing based on traffic verification and filtering
A Survey on Cloud-Based IP Trace Back FrameworkIRJET Journal
This document summarizes a survey of cloud-based IP traceback frameworks. It proposes a cloud-based traceback architecture with three layers: an intra-AS layer where traceback servers in each Autonomous System (AS) collect and store traffic flow data; a traceback as a service layer where ASes expose their traceback capabilities; and an inter-AS logical links layer to facilitate efficient traceback across ASes. It then focuses on access control to prevent unauthorized users from requesting traceback information. To address this, it proposes a temporal token-based authentication framework called FACT that embeds tokens in traffic flows and delivers them to end hosts to authenticate traceback queries. The framework aims to ensure only actual recipients of packets can initiate traceback for those packets.
THE FIGHT AGAINST IP SPOOFING ATTACKS: NETWORK INGRESS FILTERING VERSUS FIRST...ijsptm
The IP(Internet Protocol) spoofing is a technique that consists in replacing the IP address of the sender by
another sender’s address. This technique allows the attacker to send a message without being intercepted
by the firewall. The most used method to deal with such attacks is the technique called "Network Ingress
Filtering". This technique has been used, initially, forIPv4 networks, but its principles, are currently
extended toIPv6 networks.Unfortunately, it has some limitations, the main is its accuracy. To improve
safety conditions, we applied the "First-Come First-Serve (FCFS)" technique, applied for IPV6 networks,
and developed by the "Internet Engineering Task Force (IETF)" within its working group "Source Address
Validation Improvements (SAVI)", which is currently being standardization. In this paper, we remember
the course of an attack by IP Spoofing and expose the threats it entails.Then, we explain the "Network
Ingress Filtering" technique. Next, We present the FCFS SAVI method and methodology that we have
adopted for its implementation.Finally, we, followingthe results, discuss and compare the advantages,
disadvantages andlimitations of the FCFSSAVI methodto thoseknown in the "Network Ingress Filtering"
technique. FCFS SAVI method is more effective than the technique of "Network Ingress Filtering", but
requires some improvements, for dealing with limitations it presents.
The Fight against IP Spoofing Attacks: Network Ingress Filtering Versus First...ClaraZara1
The IP(Internet Protocol) spoofing is a technique that consists in replacing the IP address of the sender by another sender’s address. This technique allows the attacker to send a message without being intercepted by the firewall. The most used method to deal with such attacks is the technique called "Network Ingress Filtering". This technique has been used, initially, forIPv4 networks, but its principles, are currently extended toIPv6 networks.Unfortunately, it has some limitations, the main is its accuracy. To improve safety conditions, we applied the "First-Come First-Serve (FCFS)" technique, applied for IPV6 networks, and developed by the "Internet Engineering Task Force (IETF)" within its working group "Source Address Validation Improvements (SAVI)", which is currently being standardization. In this paper, we remember the course of an attack by IP Spoofing and expose the threats it entails.Then, we explain the "Network Ingress Filtering" technique. Next, We present the FCFS SAVI method and methodology that we have adopted for its implementation.Finally, we, followingthe results, discuss and compare the advantages, disadvantages andlimitations of the FCFSSAVI methodto thoseknown in the "Network Ingress Filtering" technique. FCFS SAVI method is more effective than the technique of "Network Ingress Filtering", but requires some improvements, for dealing with limitations it presents.
BasepaperControlling IP Spoofing through Interdomain Packet Filtersbhasker nalaveli
This document discusses controlling IP spoofing through interdomain packet filters (IDPFs). It proposes an IDPF architecture that can mitigate IP spoofing without requiring global routing information. IDPFs are constructed using information from Border Gateway Protocol (BGP) route updates and deployed in border routers. Simulation results show that even partial deployment of IDPFs can limit spoofing capability of attackers and help localize the origin of attack packets.
An improved ip traceback mechanism for network securityeSAT Journals
This document summarizes several existing IP traceback techniques and proposes a new hybrid approach. It discusses disadvantages of current techniques like high storage and bandwidth overhead. The proposed approach aims to reduce these overheads while maintaining single-packet traceability. It would reduce the number of routers queried and storage required by 2/3 compared to existing approaches. The approach was analyzed using the CAIDA dataset but has not been tested in a real-time network. The document concludes future work could develop a real-time traceback mechanism to identify attacks within a network.
Layered Approach for Preprocessing of Data in Intrusion Prevention SystemsEditor IJCATR
Due to extensive growth of the Internet and increasing availability of tools and methods for intruding and attacking
networks, intrusion detection has become a critical component of network security parameters. TCP/IP protocol suite is the defacto
standard for communication on the Internet. The underlying vulnerabilities in the protocols is the root cause of intrusions. Therefor
Intrusion detection system becomes an important element in network security that controls real time data and leads to huge
dimensional problem. Processing large number of packets and data in real time is very difficult and costly. Therefor data preprocessing
is necessary to remove redundant and unwanted information from packets and clean network data. Here, we are focusing on
two important aspects of intrusion detection; one is accuracy and other is performance. The layered approach of TCP/IP model can be
applied to packet pre-processing to achieve early and faster intrusion detection. Motivation for the paper comes from the large impact
data preprocessing has on the accuracy and capability of anomaly-based NIPS. In this paper it is demonstrated that high attack
detection accuracy can be achieved by using layered approach for data preprocessing in Internet. To reduce false positive rate and to
increase efficiency of detection, the paper proposed framework for preprocessing in intrusion prevention system. We experimented
with real time network traffic as well as he KDDcup99 dataset for our research.
This document discusses security issues related to the migration from IPv4 to IPv6 networks. It analyzes common network attacks in IPv4 and how they may impact IPv6 networks. These attacks include reconnaissance attacks, host initialization attacks, broadcast amplification attacks, header manipulation attacks, routing attacks, and firewall evasion through fragmentation. The document provides guidelines to mitigate these attacks, such as using random node IDs, securing neighbor discovery and DHCPv6, ingress filtering of packets, and parsing entire extension header chains. It addresses that while IPv6 introduces new vulnerabilities, existing IPv4 threats will also impact IPv6 networks, and secure migration techniques are needed as IPv4 and IPv6 networks coexist during the transition period.
A Novel IP Traceback Scheme for Spoofing AttackIJAEMSJORNAL
This document proposes a new hybrid IP traceback scheme with efficient packet logging. The scheme aims to have a fixed storage requirement for each router without needing to refresh logged tracking information. It also aims to achieve zero false positive and false negative rates in reconstructing attack paths. The scheme structure includes modules for network topology construction, path selection, packet sending, packet marking and logging at each router, and path reconstruction. The proposed scheme is analyzed and compared to existing schemes, finding it can accurately trace paths with low storage requirements and fast computation.
Public Key Cryptosystem Approach for P2P Botnet Detection and PreventionIJERA Editor
Distributed (P2P) botnets have as of late been received by botmasters for their versatility against take-down
endeavors. Other than being harder to bring down, p2p botnets tend to be stealthier in the way they perform
vindictive exercises, making current discovery approaches ineffectual. In this paper, we simulate our proposal
by detecting a gray hole attack in an Ad Hoc network using NS2.The detected malicious node is listed in a black
hole list and notices all other nodes in the network to stop communicating with them. Our botnet location
framework has been equipped for identifying stealthy P2P botnets (Gray Hole nodes) and can reduce packet loss
caused by malicious nodes and have a better packet delivery ratio (PDR) within less period of time.
A Survey On Opportunistic Piggyback Marking For IP Trace BackIRJET Journal
This document summarizes a survey on opportunistic piggyback marking for IP traceback. It discusses how existing marking-based traceback approaches have issues with slow traceback completion times and high router overhead. The paper proposes opportunistic piggyback marking to address these issues by decoupling traceback message encoding from delivery and exploiting opportunities to piggyback messages to expedite and robust delivery with reduced overhead. Simulation results demonstrate this approach reduces completion delay and router processing compared to baselines.
Advanced routing worm and its security challengesUltraUploader
An advanced routing worm is presented that can propagate faster than traditional worms. It does this by only scanning addresses that are routable based on Border Gateway Protocol (BGP) routing tables, reducing the scanning space. This allows the routing worm to spread up to three times faster than worms that scan the entire IPv4 address space. Additionally, the geographic information from BGP tables enables selective attacks targeting specific countries, companies, or networks. Routing worms pose new security challenges and are important to study for simulating internet-scale worm propagation.
This document proposes an inter-domain packet filter (IDPF) architecture to mitigate IP spoofing on the internet. The IDPFs are constructed using information from BGP route updates exchanged between autonomous systems, without requiring global routing information. Simulation results show that even partial deployment of IDPFs can limit an attacker's ability to spoof packets and help localize the origin of attack packets.
CONTROLLING IP FALSIFYING USING REALISTIC SIMULATIONIJNSA Journal
This document discusses a proposal to develop a new distributed Internet simulator to study large-scale network events like distributed denial-of-service (DDoS) attacks and worm propagation. Existing network simulators have limited scalability and lack realistic Internet models. The proposed simulator would have a built-in Internet topology model and customizeable modules to simulate specific events while cutting down on unnecessary details. It aims to make large-scale network simulation more accessible to researchers and improve the realism of simulations compared to current tools.
CONTROLLING IP FALSIFYING USING REALISTIC SIMULATIONIJNSA Journal
This document discusses a proposal to develop a new distributed Internet simulator to study large-scale network events like distributed denial-of-service (DDoS) attacks and worm propagation. Existing network simulators have limited scalability and lack realistic Internet models. The proposed simulator would have a built-in Internet topology model and customizeable modules to simulate specific events while cutting down on unnecessary details. It aims to make large-scale network simulation more accessible to researchers and improve the realism of simulations compared to simplified models currently used. The simulator could help study defenses against problems like IP spoofing, DDoS attacks, and worms.
This document discusses tracking down sources of spoofed IP packets. It begins with an introduction to IP spoofing and denial of service attacks. It then describes existing traceback methods, including proactive techniques like packet marking and messaging. A new approach is presented where a network operator can induce routing changes and measure traffic volumes to correlate networks with spoofed traffic. Operational considerations for deployment are discussed. The conclusion is that the proposed techniques can effectively manipulate routes to track spoofed traffic sources.
Similar to Passive ip traceback disclosing the locations of ip spoofers from path backscatter (20)
This document proposes a reduced latency list decoding algorithm and high throughput decoder architecture for polar codes. The reduced latency list decoding algorithm visits fewer nodes in the decoding tree and considers fewer possibilities of information bits than existing successive cancellation list decoding algorithms, significantly reducing decoding latency and improving throughput with little performance degradation. An implementation of the proposed decoder architecture in a 90nm CMOS technology demonstrates significant latency reduction and area efficiency improvement compared to other list polar decoders.
A researcher developed a radix-8 divider for binary64 division units to improve energy efficiency at high clock rates. Simulation results showed the radix-8 divider requires less energy per division than radix-4 or radix-16 approaches. The researcher used Xilinx 10.1 and ModelSim 6.4b tools and VHDL/Verilog languages to develop and test the minimally redundant radix-8 divider.
Hybrid FPGA architectures containing a mixture of lookup tables (LUTs) and hardened multiplexers are evaluated to improve logic density and reduce chip area. Simulation results show that non-fracturable hybrid architectures naturally save up to 8% area after placement and routing without optimizing the technology mapper, and additional area is saved with architecture-aware mapping optimizations. Fracturable hybrid architectures only provide marginal area gains of up to 2% after placement and routing. For the most area-efficient hybrid architectures, timing performance is minimally impacted.
Input-Based Dynamic Reconfiguration of Approximate Arithmetic Units for Video...Pvrtechnologies Nellore
This document proposes a reconfigurable approximate architecture for MPEG encoders that optimizes power consumption while maintaining a particular Peak Signal-to-Noise Ratio threshold for any input video. It designs reconfigurable adder/subtractor blocks that can modulate their degree of approximation, and integrates them into the motion estimation and discrete cosine transform modules of the MPEG encoder. Experimental results show the approach dynamically adjusts the degree of hardware approximation based on the input video to respect the given quality bound across different videos while achieving up to a 38% power saving over a conventional non-approximated MPEG encoder architecture.
This document lists 69 MATLAB projects related to various domains including image processing, biometrics, medical image processing, computer vision, and more. It provides the project titles, domains or sub-domains, programming languages and years. It also lists the support that will be provided to registered students including the IEEE base paper, documentation, source code, execution help, and publication support. The projects involve techniques such as image segmentation, super resolution, steganography, action recognition, and license plate detection. Support includes documentation templates, software installation guides, and assistance with conferences or journal publications.
This document lists 50 VLSI projects from 2016-2017 across various domains such as low power, high speed data transmission, area efficient/timing and delay reduction, audio/video processing, networking, verification, and Tanner/Microwind. The projects cover a range of topics including ECG acquisition systems, modular multiplication, adaptive radios, arrhythmia prediction, electrical capacitance tomography, approximate computing using memoization, FFT processors, error correction coding, carry skip adders, dynamic voltage and frequency scaling, code compression, turbo decoding, variable digital filters, parallel FFTs, MIMO communications, timing error correction, LU decomposition, FPGA logic architectures, LDPC decoding, minimum energy systems, elliptic curve multiplication, NB
This document lists 97 potential final year projects for students in various domains including embedded systems, Internet of Things, robotics, ZigBee, GSM and GPS, consumer electronics, automation, and more. It provides contact information for the project coordinator and describes the domain and programming language/year for each potential project. Students who register will receive support including an IEEE base paper, documentation, source code, and assistance with publication.
This document describes a high-speed FPGA implementation of an elliptic curve cryptography processor based on redundant signed digit representation. The processor employs pipelining techniques to achieve high throughput for Karatsuba–Ofman multiplication. It also includes an efficient modular adder without comparison and a high throughput modular divider to maximize frequency. The processor supports the NIST P256 curve and performs single-point multiplication in 2.26 ms at a maximum frequency of 160 MHz on a Xilinx Virtex 5 FPGA.
Retiming of digital circuits is conventionally based on the estimates of propagation delays across different paths in the data-flow graphs (DFGs) obtained by discrete component
timing model, which implicitly assumes that operation of a node can begin only after the completion of the operation(s) of its preceding node(s) to obey the data dependence requirement. Such a discrete component timing model very often gives much higher
estimates of the propagation delays than the actuals particularly when the computations in the DFG nodes correspond to fixed point arithmetic operations like additions and multiplications
Pre encoded multipliers based on non-redundant radix-4 signed-digit encodingPvrtechnologies Nellore
This paper introduces an architecture for pre-encoded multipliers used in digital signal processing based on offline encoding of coefficients using a non-redundant radix-4 signed-digit encoding technique. Experimental analysis shows the proposed multipliers using this encoding technique, along with a coefficients memory, are more efficient in terms of area and power compared to conventional Modified Booth encoding schemes.
Quality of-protection-driven data forwarding for intermittently connected wir...Pvrtechnologies Nellore
The document proposes a quality-of-protection (QoP)-driven data forwarding strategy for intermittent wireless networks. The existing system relies on collaborative data delivery, but non-cooperative behavior impairs network QoP and user quality of experience (QoE). The proposed system evaluates process-based and relationship-based credibility of nodes in a distributed manner using locally recorded forwarding behavior information. An intrusion detection mechanism helps select reliable relay nodes for transmission, improving QoP, QoE, reducing network load, and enhancing resource utilization. Numerical results show the proposed approach provides reliable data transmission with high QoP and improved user QoE.
The document provides information about an IT services company called Coalesce Technologies. It discusses Coalesce's services, commitment to client satisfaction, growing network, and customized solutions. It also describes the library management system project, including the problems with existing systems, proposed new system features, and UML diagrams for modeling the system. Key aspects of the proposed system include automating transactions, providing a simple GUI, efficient database updating, and restricting administrative access for security.
The document discusses an e-voting system project that aims to provide a secure and user-friendly online voting system. It outlines the existing paper-based voting system and proposes an online voting system where voters can cast their votes from anywhere in India through a database that stores voter information and votes. The proposed system is designed to accurately record and retrieve voter information and votes in a planned, reliable, and redundant manner. It requires hardware like a PC and Windows OS along with Java programming language to develop the online voting software.
PVR Technology lists 26 new web-based projects including an airline automation system, attendance management system, automated college admission system, clustering datasets using machine learning algorithms, corporate transportation system, courier information system, e-voting system, e-complaints system in PHP, e-learning system in PHP, exam result application, hairstylesalon system, inventory management system, library management system, medical reference system, online placement and training system, online admission system, online bank system, vehicle investigation system, resource management system in PHP, online vegetables purchase system, online shopping for gadgets system, online seat booking system, online requitment system, online quiz system, online placement and training cell system, online movie ticket system,
The document proposes a new medium access control (MAC) protocol called PoCMAC that uses distributed power control to manage interference in full-duplex WiFi networks. PoCMAC allows simultaneous uplink and downlink transmissions between an access point and half-duplex clients. It identifies regimes where power control provides throughput gains and develops a full 802.11-based protocol for distributed selection of three-node topologies. Simulations and software-defined radio experiments show PoCMAC achieves higher capacity and throughput compared to half-duplex networks, while maintaining similar fairness.
This document contains information about PVR Technology, including their head office location, website, email, and phone number. It then lists 20 project titles related to power electronics and renewable energy systems. The projects cover topics like power quality improvement, single-stage converters, grid-connected inverters, maximum power point tracking, stand-alone energy sources, power factor correction, resonant inverters, DC-DC converters, AC-DC converters, filters, and induction heating applications.
Control cloud-data-access-privilege-and-anonymity-with-fully-anonymous-attrib...Pvrtechnologies Nellore
This document proposes a scheme called AnonyControl to address privacy concerns with cloud data access. It aims to control access privileges while preserving user identity privacy. AnonyControl decentralizes the central authority across multiple attribute authorities to limit identity leakage and achieve semi-anonymity. It also generalizes file access control to privilege control to manage cloud data operations in a fine-grained way. The document describes existing access control schemes, disadvantages related to identity privacy, and how AnonyControl improves on previous work by protecting user identities through attribute distribution across authorities.
Control cloud data access privilege and anonymity with fully anonymous attrib...Pvrtechnologies Nellore
This document proposes two schemes, AnonyControl and AnonyControl-F, to address privacy issues in existing access control schemes for cloud storage. AnonyControl decentralizes the central authority to limit identity leakage and achieve semi-anonymity. It also generalizes file access control to privilege control. AnonyControl-F fully prevents identity leakage and achieves full anonymity. The schemes use attribute-based encryption and a multi-authority system to securely control user access privileges without revealing identity information. Security analysis shows the schemes are secure under certain cryptographic assumptions.
The document proposes CloudKeyBank, a key management framework that addresses the confidentiality, search privacy, and owner authorization of outsourced encryption keys. It does so using a new cryptographic primitive called Searchable Conditional Proxy Re-Encryption (SC-PRE) that combines Hidden Vector Encryption and Proxy Re-Encryption. The framework allows key owners to encrypt keys for outsourcing while maintaining privacy and granting controlled authorization. It aims to solve security issues not addressed by traditional outsourced data solutions.
Circuit ciphertext policy attribute-based hybrid encryption with verifiablePvrtechnologies Nellore
The document proposes a scheme for circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation in cloud computing. It aims to ensure data confidentiality, fine-grained access control, and verifiability of delegated computation results. The scheme uses a combination of ciphertext-policy attribute-based encryption, symmetric encryption, and verifiable computation. It is proven secure based on computational assumptions and simulations show it is practical for cloud computing applications.
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECTjpsjournal1
The rivalry between prominent international actors for dominance over Central Asia's hydrocarbon
reserves and the ancient silk trade route, along with China's diplomatic endeavours in the area, has been
referred to as the "New Great Game." This research centres on the power struggle, considering
geopolitical, geostrategic, and geoeconomic variables. Topics including trade, political hegemony, oil
politics, and conventional and nontraditional security are all explored and explained by the researcher.
Using Mackinder's Heartland, Spykman Rimland, and Hegemonic Stability theories, examines China's role
in Central Asia. This study adheres to the empirical epistemological method and has taken care of
objectivity. This study analyze primary and secondary research documents critically to elaborate role of
china’s geo economic outreach in central Asian countries and its future prospect. China is thriving in trade,
pipeline politics, and winning states, according to this study, thanks to important instruments like the
Shanghai Cooperation Organisation and the Belt and Road Economic Initiative. According to this study,
China is seeing significant success in commerce, pipeline politics, and gaining influence on other
governments. This success may be attributed to the effective utilisation of key tools such as the Shanghai
Cooperation Organisation and the Belt and Road Economic Initiative.
Low power architecture of logic gates using adiabatic techniquesnooriasukmaningtyas
The growing significance of portable systems to limit power consumption in ultra-large-scale-integration chips of very high density, has recently led to rapid and inventive progresses in low-power design. The most effective technique is adiabatic logic circuit design in energy-efficient hardware. This paper presents two adiabatic approaches for the design of low power circuits, modified positive feedback adiabatic logic (modified PFAL) and the other is direct current diode based positive feedback adiabatic logic (DC-DB PFAL). Logic gates are the preliminary components in any digital circuit design. By improving the performance of basic gates, one can improvise the whole system performance. In this paper proposed circuit design of the low power architecture of OR/NOR, AND/NAND, and XOR/XNOR gates are presented using the said approaches and their results are analyzed for powerdissipation, delay, power-delay-product and rise time and compared with the other adiabatic techniques along with the conventional complementary metal oxide semiconductor (CMOS) designs reported in the literature. It has been found that the designs with DC-DB PFAL technique outperform with the percentage improvement of 65% for NOR gate and 7% for NAND gate and 34% for XNOR gate over the modified PFAL techniques at 10 MHz respectively.
Understanding Inductive Bias in Machine LearningSUTEJAS
This presentation explores the concept of inductive bias in machine learning. It explains how algorithms come with built-in assumptions and preferences that guide the learning process. You'll learn about the different types of inductive bias and how they can impact the performance and generalizability of machine learning models.
The presentation also covers the positive and negative aspects of inductive bias, along with strategies for mitigating potential drawbacks. We'll explore examples of how bias manifests in algorithms like neural networks and decision trees.
By understanding inductive bias, you can gain valuable insights into how machine learning models work and make informed decisions when building and deploying them.
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...University of Maribor
Slides from talk presenting:
Aleš Zamuda: Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapter and Networking.
Presentation at IcETRAN 2024 session:
"Inter-Society Networking Panel GRSS/MTT-S/CIS
Panel Session: Promoting Connection and Cooperation"
IEEE Slovenia GRSS
IEEE Serbia and Montenegro MTT-S
IEEE Slovenia CIS
11TH INTERNATIONAL CONFERENCE ON ELECTRICAL, ELECTRONIC AND COMPUTING ENGINEERING
3-6 June 2024, Niš, Serbia
We have compiled the most important slides from each speaker's presentation. This year’s compilation, available for free, captures the key insights and contributions shared during the DfMAy 2024 conference.
Literature Review Basics and Understanding Reference Management.pptxDr Ramhari Poudyal
Three-day training on academic research focuses on analytical tools at United Technical College, supported by the University Grant Commission, Nepal. 24-26 May 2024
Introduction- e - waste – definition - sources of e-waste– hazardous substances in e-waste - effects of e-waste on environment and human health- need for e-waste management– e-waste handling rules - waste minimization techniques for managing e-waste – recycling of e-waste - disposal treatment methods of e- waste – mechanism of extraction of precious metal from leaching solution-global Scenario of E-waste – E-waste in India- case studies.
DEEP LEARNING FOR SMART GRID INTRUSION DETECTION: A HYBRID CNN-LSTM-BASED MODELgerogepatton
As digital technology becomes more deeply embedded in power systems, protecting the communication
networks of Smart Grids (SG) has emerged as a critical concern. Distributed Network Protocol 3 (DNP3)
represents a multi-tiered application layer protocol extensively utilized in Supervisory Control and Data
Acquisition (SCADA)-based smart grids to facilitate real-time data gathering and control functionalities.
Robust Intrusion Detection Systems (IDS) are necessary for early threat detection and mitigation because
of the interconnection of these networks, which makes them vulnerable to a variety of cyberattacks. To
solve this issue, this paper develops a hybrid Deep Learning (DL) model specifically designed for intrusion
detection in smart grids. The proposed approach is a combination of the Convolutional Neural Network
(CNN) and the Long-Short-Term Memory algorithms (LSTM). We employed a recent intrusion detection
dataset (DNP3), which focuses on unauthorized commands and Denial of Service (DoS) cyberattacks, to
train and test our model. The results of our experiments show that our CNN-LSTM method is much better
at finding smart grid intrusions than other deep learning algorithms used for classification. In addition,
our proposed approach improves accuracy, precision, recall, and F1 score, achieving a high detection
accuracy rate of 99.50%.
2. 472 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 3, MARCH 2015
tracking the spoofers without deploying any additional
mechanism. In another word, we try to disclose the location
of spoofers from the traces generated by existing widely
adopted functions on commodity routers when spoofing
attacks happen.
C. Our Work
Instead of proposing another IP traceback mechanism with
improved tracking capability, we propose a novel solution,
named Passive IP Traceback (PIT), to bypass the challenges in
deployment. Routers may fail to forward an IP spoofing packet
due to various reasons, e.g., TTL exceeding. In such cases,
the routers may generate an ICMP error message (named
path backscatter) and send the message to the spoofed source
address. Because the routers can be close to the spoofers,
the path backscatter messages may potentially disclose the
locations of the spoofers. PIT exploits these path backscatter
messages to find the location of the spoofers. With the loca-
tions of the spoofers known, the victim can seek help from the
corresponding ISP to filter out the attacking packets, or take
other counterattacks. PIT is especially useful for the victims
in reflection based spoofing attacks, e.g., DNS amplification
attacks. The victims can find the locations of the spoofers
directly from the attacking traffic.
In this article, at first we illustrate the generation, types,
collection, and the security issues of path backscatter messages
in section III. Then in section IV, we present PIT, which
tracks the location of the spoofers based on path backscatter
messages together with the topology and routing information.
We discuss how to apply PIT when both topology and routing
are known, or only topology is known, or neither are known
respectively. We also present two effective algorithms to apply
PIT in large scale networks. In the following section, at first
we show the statistical results on path backscatter messages.
Then we evaluate the two key mechanisms of PIT which work
without routing information. At last, we give the tracking result
when applying PIT on the path backscatter message dataset:
a number of ASes in which spoofers are found.
Our work has the following contributions:
1) This is the first article known which deeply investi-
gates path backscatter messages. These messages are
valuable to help understand spoofing activities. Though
Moore et al. [8] has exploited backscatter messages,
which are generated by the targets of spoofing messages,
to study Denial of Services (DoS), path backscatter
messages, which are sent by intermediate devices rather
than the targets, have not been used in traceback.
2) A practical and effective IP traceback solution based
on path backscatter messages, i.e., PIT, is proposed.
PIT bypasses the deployment difficulties of existing
IP traceback mechanisms and actually is already in
force. Though given the limitation that path backscatter
messages are not generated with stable possibility, PIT
cannot work in all the attacks, but it does work in a
number of spoofing activities. At least it may be the
most useful traceback mechanism before an AS-level
traceback system has been deployed in real.
3) Through applying PIT on the path backscatter dataset,
a number of locations of spoofers are captured and
presented. Though this is not a complete list, it is the
first known list disclosing the locations of spoofers.
II. RELATED WORK
Though PIT is used to perform IP traceback, it is very
different from existing IP traceback mechanisms. PIT is
inspired by a number of IP spoofing observation activities.
Thus, the related work is composed by two parts. The
first briefly introduces existing IP traceback mechanisms,
and the second introduces the IP spoofing observation
activities.
A. IP Traceback
IP traceback techniques are designed to disclose the real
origin of IP traffic or track the path. Existing IP traceback
approaches can be classified into five main categories: packet
marking, ICMP traceback, logging on the router, link testing,
overlay, and hybrid tracing.
Packet marking methods require routers modify the header
of the packet to contain the information of the router and
forwarding decision. Hence the receiver of the packet can
then reconstruct the path of a packet (or an attacking flow)
from the received packets. There are two classes of packet
marking schemes: probabilistic packet marking [5], [9]–[14]
and deterministic packet marking [15]–[18]. Packet marking
methods are generally considered to be lightweight because
they do not cost storage resource on routers and the link
bandwidth resource. However, packet marking is not a widely
supported function on routers; thus, it is difficult to enable
packet marking traceback in the network.
Different from packet marking methods, ICMP traceback
[6], [19], [20] generates addition ICMP messages to a
collector or the destination. The ICMP messages can be used
to reconstruct the attacking path. For example, if iTrace [6] is
enabled, routers generate ICMP samples to destinations with
a certain probability. The shortcoming of ICMP traceback is
considerable additional traffic will be generated to consume
the already stressed bandwidth resource. Moreover, when the
attack is against the bandwidth of the victim, the increased
traffic will make the attack more serious. ICMP generation
can be performed by the processor, but significant overhead
will be introduced to the processor.
Attacking path can be reconstructed from log on the router
when router makes a record on the packets forwarded [7].
Bloom filter is used to reduce the number of bits to store
a packet. Nevertheless, to achieve a low enough collision
probability in current high-speed networks, the storage cost
is still too large for commodity routers.
Link testing is an approach which determines the upstream
of attacking traffic hop-by-hop while the attack is in progress.
A controlled flooding mechanism based on performing UDP
Chargen request flooding iteratively on the victim rooted tree
to see the effects on attacking traffic is proposed in [21].
Because of the huge scale of the Internet, this approach is
hard to perform at the Internet level.
For More Details Contact G.Venkat Rao
PVR TECHNOLOGIES 8143271457
3. YAO et al.: DISCLOSING THE LOCATIONS OF IP SPOOFERS 473
CenterTrack [22] proposes offloading the suspect traffic
from edge routers to special tracking routers through a
overlay network. Though such a mechanism can reduce the
requirement on edge routers, the management of the tunnels
and the overlay network will be significantly increase the
network management overhead. Ref. [23] proposes building an
AS-level overlay to trace spoofers. It is found if hundreds
of ASes can join the overlay network, the spoofers can be
accurately located. However, the challenge in practice is how
to make the ASes cooperate. The intra-domain version of this
work [24] can avoid this problem, but it is necessary to update
routers to adopt modification on OSPF.
The above mechanisms can be combined to achieve better
tracing capacity and/or reduce the cost. There are a number
of hybrid mechanisms employ both packet marking and
logging [25]–[28]. Though the overhead on routers can be
reduced, they require the routers to support both mechanisms;
thus the barrier to adopt them is higher than adopting a single
mechanism.
Though there have been a large number of promising trace-
back mechanisms, there is still a long way to get the proposed
mechanisms widely deployed, especially at the Internet level.
Currently, there is still lack of a ready mechanism to track the
spoofers.
B. IP Spoofing Observation
Network telescope [4] is a fundamental technique for pas-
sive observation of spoofing activities on the Internet. Network
telescope captures non-solicited messages, which are mainly
generated by victim attacked by traffic with source prefix
set in the scope owned by the telescope. Then, it can be
determined a part of nodes which are attacked by spoofing
traffic. Currently, the largest scale telescope is the CAIDA
UCSD telescope, which owns 1/256 of all the IP addresses
and is mainly used to observe DDoS activities and worms.
Moore el at. [8] presented a technique named “backscatter
analysis” which infers characteristics of DoS attacks based
on traces collected by the network telescope. Though ICMP
error messages are mentioned in the paper, it does not further
investigate these messages to trace spoofers. CAIDA provides
publicly accessible data. The main analysis and experimental
work of this article are performed on the data supplied
by CAIDA.
The MIT Spoofer Project [29] tries to disclose which
networks are able to launch spoofing based attacks. Volunteer
participants install a client that tests the spoofing ability of
their hosts and networks. The statistic result shows 6700 ASs
out of 30205 do not filter spoofing.
A recent report from Arbor network based on more than
5000 attacks shows an intriguing result [3]. Unrealistic per
IP traffic of 4Gbps is observed in 10% attacks, and sig-
nificant rate of TCP connections are launched from just
a few validated hosts. Though this is not direct evidence
of spoofing, it suggests spoofing may be used in such
attacks.
In our previous work [30], we presented a preliminary sta-
tistical result on path backscatter messages and discussed it is
possible to trace spoofers based on the messages. However, the
Fig. 1. The scenario of path backscatter generation and collection.
Fig. 2. The format of path backscatter messages.
generation and collection of path backscatter messages are
not well investigated, and the traceback mechanisms are not
designed. In this article, we make a thorough analysis on path
backscatter messages, present the traceback mechanisms and
give the traceback results.
It can be found existing observations are performed
sideways, there is no work has disclosed the locations of
spoofers.
III. PATH BACKSCATTER
A. Overview
Not all the packets reach their destinations. A network
device may fail to forward a packet due to various reasons.
Under certain conditions, it may generate an ICMP error
message, i.e., path backscatter messages. The path backscatter
messages will be sent to the source IP address indicated in the
original packet. If the source address is forged, the messages
will be sent to the node who actually owns the address. This
means the victims of reflection based attacks, and the hosts
whose addresses are used by spoofers, are possibly to collect
such messages. This scenario is illustrated in Fig. 1.
As specified by RFC792 [31], the format of the path
backscatter messages, is illustrated in Fig. 2. Each message
contains the source address of the reflecting device, and
the IP header of the original packet. Thus, from each path
backscatter, we can get 1) the IP address of the reflecting
device which is on the path from the attacker to the destination
of the spoofing packet; 2) the IP address of the original
destination of the spoofing packet. The original IP
header also contains other valuable information, e.g., the
remaining TTL of the spoofing packet. Note that due to some
network devices may perform address rewrite (e.g., NAT), the
original source address and the destination address may be
different.
For More Details Contact G.Venkat Rao
PVR TECHNOLOGIES 8143271457
4. 474 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 3, MARCH 2015
TABLE I
PATH BACKSCATTER CLASSES
B. Classes and Causes of Path Backscatter
Path backscatter messages can be triggered for various
reasons. Based on RFC792, there can be totally 5 types of
path backscatter messages, as listed in the following sections.
There are a number of codes associated with each type. The
combination of type and code specifies the cause that the router
decides to send the ICMP message. We name the combination
of type and code by class. We use the names defined in [32]
to denote the classes of path backscatter messages. In the
path backscatter dataset from CAIDA [4], totally 23 classes
of path backscatter messages are found, 11 of them are listed
in Table I. Messages belonging to the other 12 types are very
rare. We do not find all the possible classes.
We try to explain the causes of the classes of path backscat-
ter messages listed in Table I based on analyzing the dataset.
Especially, we try to make out the reasons that they are
generated near the spoofers. However, although we have tried
our best to explore the possible reasons, considering the
sophistication of attacks and the complexity of networks, we
do not claim we found all the (or even the main) reasons for the
generation of the messages. It should be noted that in general
a majority of path backscatter messages are generated near
the victim. However, considering the huge number of spoofing
messages, if only a small ratio of them trigger path backscatter
messages near the spoofer, the total path backscatter dataset
will be valuable. Even for the path backscatter messages gen-
erated far away from the spoofers, their generation locations
are at least closer to the spoofers than the victims. Thus, they
can be used in the first step of traceback.
1) Time Exceeded: TIMXCEED_INTRANS messages are
triggered by packets with zero TTL value. Such messages
are the most common path backscatter messages. Though the
attackers can set the initial TTL value to be large enough to
avoid triggering such messages, they may intentionally send
packets with small initial TTL values, which trigger routers
on the path to generate TTL Exceeding messages to consume
the processor resource of the router. In general such attacks
target the routers rather than hosts. We also find the attack
against a host and the attack against the nearby routers of
the target host can be combined. We think the attacker may
want to degrade the forwarding performance of the routers
near the target host, and then less aggregated spoofing traffic
are require to prevent legitimate traffic from reaching the host.
Besides, to determine the correct initial TTL value to make
sure the TTL exceeding events happen on the targeted router,
the attacking hosts should perform some traces. The traces
using real address can be cloaked with a number of traces
using forged addresses to avoid tracking. This could be the
reason that we found a number of TIMXCEED_INTRANS
messages from cascading routers in the dataset.
2) Destination Unreachable: UNREACH_FILTER_
PROHIB, UNREACH_NET_PROHIB and UNREACH_
HOST_PROHIB messages are mainly triggered by filtering
mechanisms deployed between the spoofing origin and the
victim, e.g., Access Control List (ACL). A result of the MIT
Spoofer project shows 80% filters are deployed one IP hop
from the source, and over 95% of blocked packets are
filtered at the source AS. Thus, such messages can be from
the gateways near the spoofers. It should be noted that at
least part of the spoofing traffic from the spoofers has been
filtered. Considering the filtering granularity may be coarse,
the remaining spoofing messages can still reach the victims.
Thus, traceback in such a scenario is still valuable.
UNREACH_HOST and UNREACH_NET messages are
generated if there is no route to the destination. Such messages
are mostly triggered by attacking traffic launched against a
private or unallocated address prefix. Whenever a spoofer
sends packets to a private address, if the spoofer is attached
to a public network or the victim address is not in the same
private network of the spoofer, such ICMP messages will
be generated when the spoofing packets arrive at the DFZ
(Default-free Zone). We find a large number of such messages
whose original destination is a private address. Such messages
may be triggered by attacks against hosts behind NAT or
in VPN.
UNREACH_NEEDFRAG messages are generated if the
size of the attacking packets are larger than the MTU of a
hop on the path, but the Don’t Fragment flag is set. Such
messages may be generated due to attacks against the routers.
Besides, we think such messages can be triggered occasionally.
Attackers use large packet to consume the bandwidth of the
target. Due to forged addresses are used, the attackers cannot
get the ICMP message and are unaware of that the attacking
packets are dropped on path.
3) Source Quench: SOURCEQUENCH messages are gen-
erated when the router has no buffer to queue the original
packet. It can be resulted from the aggregated attacking traffic
is too large to be forwarded by the router. In general such
messages are generated near the victim. However, if there are
a large number of attackers in the same network/AS, it is
possible to trigger such messages on the gateways near the
attackers.
4) Redirect: REDIRECT_HOST and REDIRECT_NET
messages are generated if the spoofing origin has two or more
gateways and a gateway, G1, finds the spoofing packet should
be sent to another gateway, G2, as this is the shortest path.
As multi-homed networks become common, such messages
may be generated with higher probability. Because this
message is generated by gateways near the spoofing origin,
it is particularly helpful to find the location of the origin.
For More Details Contact G.Venkat Rao
PVR TECHNOLOGIES 8143271457
5. YAO et al.: DISCLOSING THE LOCATIONS OF IP SPOOFERS 475
Fig. 3. Network telescope captures path backscatter in random spoofing
attacks.
As specified in RFC792, G1 should check the address of the
packet and G2 are in the same network. However, the dataset
is collected by a network telescope, and apparently any G2
and the address of a network telescope must not in the same
network. It may be due to misconfiguration or implementations
inconsistent with the standard.
5) Parameter Problem: PARAMPROB messages are gener-
ated if the router finds a problem with the header parameters
in the original packet. Such messages are rare in the dataset.
Possibly they are triggered by malformed attacking packets or
just some type of attack.
C. Collection of Path Backscatter Messages
Though path backscatter can happen in any spoofing based
attacks, it is not always possible to collect the path backscatter
messages, as they are sent to the spoofed addresses. We clas-
sify spoofing based attacks into four categories, and discuss
whether path backscatter messages can be collected in each
category of attacks.
1) Multiple Sources, Single Destination: In such attacks,
the source address of spoofing packets is chosen from
a set of candidate addresses. Particularly, this set con-
tains all the addresses. Such attacks are named random
spoofing. Random spoofing is typically used to deplete
the resource of the target, e.g., SYN flooding.
Network Telescopes (or darknets) can be used to
capture path backscatter messages in random spoofing
attacks. As illustrated in Fig. 3, in random spoofing
attacks, the path backscatter messages are sent to the
randomly spoofed addresses. Because the addresses
owned by network telescopes can be used in random
spoofing attacks, the network telescopes are possibly
able to capture part of the path backscatter messages.
Potentially, volunteers can make use of packet capturing
tools to collect non-solicited messages, and then they can
help in traceback rather than completely relying on the
network telescopes. However, this topic is beyond the
scope of this work.
2) Single Source, Multiple Destinations: In such attacks, all
the spoofing packets have the same source IP address.
The packets are sent to different destinations. Such
packets are typically used to launch reflection attacks.
Fig. 4. The victim captures path backscatter in reflection attacks.
Reflection attacks, e.g., DNS amplification, are the most
prevalent IP spoofing attacks in recent years.
The victim in a reflection attack is the host who owns
the spoofed address. The victim itself is able to capture
all the path backscatter messages in reflection attacks.
As illustrated in Fig. 4, because all the spoofing packets
are set the address of the victim, all the path backscatter
messages will be sent to the victim. Then the victim can
get the path backscatter messages through checking if it
has sent messages to the original destination IP address
field in received ICMP messages.
3) Multiple Sources, Multiple Destinations: Spoofing
attacks can be launched against multiple destination
IP addresses belonging to the same website or service
provider (e.g., cloud). Generally, such attacks can be
regarded as the combination of multiple attacks belong-
ing to the above two types.
4) Single Source, Single Destination: Such attacks are often
used to hijack or break a session between the source and
the destination, e.g., Man-in-the-Middle(MitM), TCP
hijack, replay attack. The spoofed origin is able to cap-
ture the path backscatter messages. However, because
the spoofing packets are generally scarce compared with
the other types of attacks, path backscatter messages
could be quite rare. On the other hand, because the
attacker and the spoofed origin often reside in the
same network, it is possible to track the attacker more
efficiently than using path backscatter.
In summary, path backscatter messages can be effectively
collected in random spoofing attacks, reflection attacks and
their combinations, which cover the majority of IP spoofing
attacks.
D. Security Issues With Path Backscatter Messages
It should be noted it is almost as easy to fabricate a
path backscatter message as to generate a spoofing data
packet. Thus, the collector should filter out the forged packet
backscatter messages to avoid false positive.
For reflection attack, the victim can get the valid hop count
from the routers to itself through tracing or passive learning.
Then the mapping from router to hop count can be used to
filter out a large part of spoofing packets based on the mech-
anism proposed in [33]. The attacker must get the correct hop
count from each router to the victim to bypass such a filtering
mechanism. However, it is difficult and costly for the attacker
For More Details Contact G.Venkat Rao
PVR TECHNOLOGIES 8143271457
6. 476 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 3, MARCH 2015
to achieve this information, as it cannot get the hop count
between the victim and the router from tracing directly. Hop
count based filtering can not discard all the spoofing messages,
but anyway it makes the spoofing of path backscatter message
harder. Moreover, to bypass such filtering, the spoofers have
to send some trace or trial messages, and such messages
may expose their locations and objectives. Another strategy
of the attackers is sending forged path backscatter messages
with all the possible TTL values, but the victim can check
whether there are path backscatter messages from a node but
with various TTL values and/or hop counts to identify such
attacks.
For path backscatter messages captured by network tele-
scope in random spoofing, hop count based filtering can also
be used by the network telescope itself. However, a third-
party who is performing tracing does not know the hop count
from each router to the network telescope. In this article, we
make use of clustering based mechanism to filter out forged
path backscatter messages. We extract all the prefixes from
the BGP dataset. For backscatter messages from each prefix,
1) We divided the whole dataset into 1-hour slices. The
routing and address assignment are dynamic on the
Internet. We chose one hour as the time interval in
order to make a trade-off between getting enough data
and mitigating the effects of network changes. Note that
because network telescopes collect all the non-solicited
messages, the dataset contains all the messages, in which
only a small portion are path backscatter messages.
2) We inferred the addresses of NAT from each slice. First,
we inferred the initial TTL value and hop count of each
message (not only path backscatter messages) based
on the mechanism proposed in [33]. If an address has
multiple initial TTL values but approximate hop counts,
the address is considered as a NAT address.
3) For each address other than NAT addresses, we got
the mode of hop count value. We filtered out the path
backscatter messages whose hop count is deviated from
the mode more than 1. We didn’t use exact match
for taking the network changes into account. For NAT
addresses, we got multiple modes of hop count, and
filtered messages whose hop count is deviated from the
nearest mode more than 1.
The rationale of this mechanism is the address space of
network telescope is hidden. Thus, it will not be targeted, and
the received forged path backscatter messages are rare. On the
other hand, we make use backscatter messages from hosts
together with path backscatter messages. Thus, the dataset
is large and the messages are from almost every corner of
the Internet. Then the majority of learned hop count should
be valid, avoiding pollution from forged path backscatter
messages. Although forged path backscatter messages may
be of matched hop count accidentally, the possibility will
be quite low. To effectively pollute the captured dataset, an
attacker will have to send messages with all the possible TTL
values to every corner of the Internet. This requires tremendous
effort, but the forged messages can still be effectively identified
through checking whether messages from a node are with
wide-ranged hop counts.
A misunderstanding about the packet backscatter messages
is that the normal ICMP error messages, e.g., Time-exceeded
messages generated in traceroute, may be regarded as triggered
by spoofing packets. However, hosts are using the real source
IP address in normal behaviors, and the normal ICMP error
messages will go to the hosts themselves rather than the
collectors. Thus, innocent hosts triggering normal ICMP error
messages will not be regarded as spoofers.
IV. PIT: TRACKING BASED ON PATH BACKSCATTER
We name the IP traceback solution based on exploiting
path backscatter messages by Passive IP Traceback (PIT).
PIT is actually composed by a set of mechanisms. The
basic mechanism, which is based on topology and routing
information, is illustrated in section IV-A. However, generally
the routing information is hard to achieve. The mechanisms
work in case the routing information in unknown are specified
in section IV-B. In very special cases, it is possible to track
the spoofer without topology and routing information. The
mechanism for these cases is discussed in section IV-C.
A. Basic Tracking Mechanism
Whenever a path backscatter message whose source is
router r (named reflector) and the original destination is
od is captured, the most direct inference is that the packet
from attacker to od should bypass r. We use a very simple
mechanism in spoofing origin tracking.
The network is abstracted as a graph G(V, E), where V is
the set of all the network nodes and E is the set of all the
links. A network node can be a router or an AS, depending
on the tracking scenario. From each path backscatter message,
the node r,r ∈ V which generates the packet and the original
destination od, od ∈ V of the spoofing packet can be got.
Denote the location of the spoofer, i.e., the nearest router or
the origin AS, by a, a ∈ V.
We make use of path information to help track the location
of the spoofer. Use path(v, u) to denote the sequence of nodes
on one of the path from v to u, and use P AT H(v, u) to denote
the set of all the paths from v to u. Use ϕ(r, od) to denote the
set of nodes from each of which a packet to od can bypass r,
i.e.,
ϕ(r, od)={v|r ∈ path(v, od), path(v, od) ∈ P AT H(v, od)}.
ϕ(r, od) actually determines the minimal set which must
contain the spoofer. We name the result set of ϕ(r, od) by
suspect set. As illustrated in Fig. 5, if all the paths are
loop-free, the suspect set determined by the path backscatter
message is {Attacker, Router A}. If the topology and routes
of the network are known, this mechanism can be used to
effectively determine the suspect set. For example, an ISP can
make this model to locate spoofers in its managed network.
However, for most cases, the one who performs tracing does
not know the routing choices of the other networks, which
are non-public information. Moreover, the topologies of most
of the ASes are unknown to the public. In the following
sections, we discuss how to track without routing information
in section IV-B, and how to track with neither topology nor
routing information in section IV-C.
For More Details Contact G.Venkat Rao
PVR TECHNOLOGIES 8143271457
7. YAO et al.: DISCLOSING THE LOCATIONS OF IP SPOOFERS 477
Fig. 5. The suspect set determined by a path backscatter message.
B. Tracking Without Routing Information
It is possible to get the topology of the network in some
traceback scenarios. For example, the router-level topology
can be got from traceroute, and the AS-level topology can
be inferred from the BGP data and supplementary means.
Besides, a number of ASes make public their topologies [34].
However, the routes of a network are always treated as
business secret and are non-public. In this section, we discuss
how to perform PIT if topology is known but the detailed
routing is unknown.
It should be noted that if the routing has not constraint,
packets from any node v ∈ V to od can bypass any intermedi-
ate node r. Then the tracking is meaningless. Fortunately, it is
not the case in real networks. We make use of two assumptions
on the routing respectively:
1) Loop-Free Assumption: This assumption states there is
no loop in the paths. This assumption always holds
unless misconfiguration or the routing has not con-
verged.
2) Valley-Free Assumption: This assumption states there
should be no valley in the AS level paths [35]. Though
the increased complexity of AS relationship has reduced
the universality of this assumption, it is still the most
common model of AS level routing.
In the following subsections, we discuss how to perform
PIT based on each of the assumption respectively.
1) Tracking on Loop-Free Assumption: Based on the loop-
free assumption, a vertex v is in the ϕ(r, od) if and only if
there is at least one loop-free path from v to od passing r.
Denote a loop-free path from v to u by l fpath(v, u), which is
a sequence of verticals along the path. Then the suspect set is
ϕ(r, od) = {v|∃l fpath(v, od),r ∈ l fpath(v, od)}.
To find all the satisfying verticals through enumerating is
almost impossible for large-scale networks. We designed an
algorithm specified in Fig. 6. This algorithm first finds a
shortest path from r to od. From the second vertex along
the path, it checks if the removal of the vertex can break
r and od. Whenever such a vertex c is found, removing the
vertex from G, and the set containing all the verticals which
are still connected with r is just the suspect set.
Fig. 6. The algorithm to determine the suspect set based on loop-free
assumption.
The following theorem can be proofed to illustrate the
correctness of the algorithm. The proof of this theorem is
placed at the Appendix A.
Theorem 1: From the second vertex along path(r, od),
remove the first articulation point c whose removal will break
r and od. Denote the subgraph containing r by SG(r). If and
only if v is in SG(r), there exists a loop-free path from v to
od containing r.
Apparently, to determine a suspect set whose size is no
larger than N requires the vertex number connected with r is
no more than N in G − Cut Edge(r, od). Especially, if the
size of suspect set is 1, the degree of r must be one, and od
must not be r.
2) Tracking on Valley-Free Assumption: Based on the
valley-free assumption, a vertex v is in the ϕ(r, od) if and only
if there is at least one valley-free path from v to od passing r.
Denote a valley-free path from v to u by v fpath(v, u), which
is a sequence of verticals along the path. Then the suspect
set is
ϕ(r, od) = {v|∃v fpath(v, od),r ∈ v fpath(v, od)}.
The valley-free assumption can be only used in AS-level
topology. Considering the scale of AS-level Internet topology,
for a path backscatter message (r, od), it is very costly to find
all the ASes that has a valley-free path to od through r. At first
we introduce the concept of customer cone [36], which means
“AS A, plus A’s customers, plus its customers’ customers, and
so on”. The customer cone of AS v is denoted by Cone(v).
Then we can proof the following theorem:
Theorem 2: When od /∈ Cone(r), if and only if v ∈
Cone(r), there is a valley-free path from v to od passing r.
For More Details Contact G.Venkat Rao
PVR TECHNOLOGIES 8143271457
8. 478 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 3, MARCH 2015
Fig. 7. The algorithm to determine suspect set based on valley-free
assumption.
Fig. 8. The suspect set determined by a path backscatter message with
valley-free assumption.
The proof of this theorem is placed at Appendix B. Based
on this theorem, when od /∈ Cone(r), the suspect set is just
Cone(r). When od ∈ Cone(r), because any valley-free path
followed by a downhill path is still a valley-free path, the
suspect set is the whole node set (Note that loop-free is not
considered here). Thus, the algorithm is as specified in Fig. 7.
Fig. 8 illustrate the suspect set tracked based on the valley-
free assumption. To determine a suspect set whose size is not
larger than N requires the customer cone size of r is no larger
than N. Especially, if the size of suspect set is 1, the r should
be a stub AS.
C. Tracking Without Topology and Routing Knowledge
The above tracking mechanisms actually have two limita-
tions. The first is the network topology and mapping from
addresses of r and od must be known. The second is the
tracking is actually performed based on loose assumptions
on paths. Thus, only when path backscatter messages are
from very special vertex, i.e., stub AS, the spoofer can be
accurately located. In this section, we discuss how to break
these limitations through using other information contained in
path backscatter messages.
We found there are three special types of path backscatter
messages which are more useful for tracing spoofers:
1) The path backscatter messages whose original hop count
is 0 or 1. Such messages are generated 1 or 2 hops from
the spoofers. Very possibly they are from the gateway
of the spoofer.
2) The path backscatter messages whose type is ‘Redirect’.
Such messages must be from a gateway of the spoofer.
TABLE II
DATASETS
3) The path backscatter messages whose original destina-
tion is a private address or unallocated address. Such
messages are typically generated by the first DFZ router
on the path from the spoofer to the original destination,
e.g., the egress router of the AS in which the spoofer
resides.
Though such path backscatter messages are generated in
very special cases, they are not rare. Especially, there are a
large number of path backscatter messages whose original
destination is a private address.
V. EVALUATION
PIT is very different from any existing traceback mecha-
nism. The main difference is the generation of path backscatter
message is not of a certain probability. Thus, we separate the
evaluation into 3 parts: the first is the statistical results on
path backscatter messages; the second is the evaluation on
the traceback mechanisms presented in section IV-B without
considering uncertainness of path backscatter generation, since
effectiveness of the mechanisms is actually determined by the
structure features of the networks; the last is the result of
performing the traceback mechanisms on the path backscatter
message dataset. The datasets used in the evaluation are listed
in Table II. The path backscatter messages are extracted from
the newest backscatter dataset from CAIDA, which contains
messages collected in 37 days across 5 months in 2008.
A. Statistical Results on Path Backscatter Messages
1) Overview: Though the generation of path backscatter
is of no inevitability, the total volume of path backscatter
is quite notable. In the backscatter dataset, we found totally
175,695,985 path backscatter messages, involving 283,689
reflector IP addresses and 3,205,540 original destination
IP addresses. The number of special messages mentioned
in Section IV-C is 1,199,039. The number (reflector IP, original
destination IP) tuples (named path backscatter IP tuples, or
simply IP tuples) is 3,721,827.
At AS level, there are 32526 (reflector AS, original desti-
nation AS) tuples (named path backscatter AS tuples, or sim-
plyAS tuples), involving 7042 reflector ASes and 9198 original
destination ASes. 26376 path backscatter AS tuples have
different reflector AS and original destination AS. There are
4327 path backscatter AS tuples whose source IP or original
destination IP is private or unallocated, involving 4,159,844
path backscatter messages and 319,570 path backscatter
IP tuples.
For More Details Contact G.Venkat Rao
PVR TECHNOLOGIES 8143271457
9. YAO et al.: DISCLOSING THE LOCATIONS OF IP SPOOFERS 479
Fig. 9. Path backscatter IP tuples aggregated in/16 granularity.
Fig. 10. Path backscatter AS tuples.
2) Distribution of Related IP Addresses and ASes: We plot
the path backscatter IP tuples (aggregated in/16 granularity)
in Fig. 9. It can be found both the reflector IP addresses and the
original destination IP addresses are scattered in the IP address
space. The path backscatter AS tuples are plotted in Fig. 10.
The reflector ASes and the original destination ASes are also
scattered. This result shows the networks which are capable
of generating path backscatter messages are very diversified.
Besides, it implies a victim can suffer attacks from a large
number of corners of the Internet.
3) Geolocations of Reflector IP Addresses: Fig. 11 plots
the geolocations of the reflector IP addresses. The geolocation
data of IP addresses here and later is got from IPInfoDB [37].
It can be found the reflectors are distributed all over the world.
Their locations at least tell the locations are capable to generate
ICMP error messages.
4) Statistics on Classes: Fig. 12 illustrates the number
of path backscatter messages and IP tuples of each class.
TIMXCEED_INTRANS and UNREACH_HOST cover a
majority of all the messages and IP tuples. We use ‘Stub mes-
sages’ to denote the path backscatter messages whose source
AS is a stub but the original destination is not the same AS.
Fig. 11. The geolocations of reflectors.
Fig. 12. The classes and their proportions in all the path backscatter
messages.
Fig. 13. The CDF of involved original destinations/reflectors of the top
reflectors/original destinations. (a) The top reflectors. (b) The top original
destinations.
Such messages must be from the routers in the same AS as
the spoofer. It should be noted that not only such messages are
near the spoofers. The special classes listed in Section IV-C
are also near the spoofers. We use ‘Stub IP tuple’ to denote
such IP tuples. It can be found such messages are non-trivial.
5) The Top Reflectors and Original Destinations: We ana-
lyzed the top 10,000 reflectors and original destinations which
appear the most frequently in IP tuples. The CDF(Cumulative
Distribution Function) of involved original destinations
IP numbers of the top reflectors are plotted in Fig. 13(a), and
the CDF of involved reflectors IP numbers of the top original
destinations are plotted in Fig. 13(b).
The result in Fig. 13(a) shows that a small number of
reflectors forwarded spoofing traffic to a large number of
original destinations. We do not claim the reflectors are the
attackers, but they are very likely near the spoofers because
the spoofing traffic traverse them to reach a large number
For More Details Contact G.Venkat Rao
PVR TECHNOLOGIES 8143271457
10. 480 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 3, MARCH 2015
Fig. 14. The geolocations of the top 10000 reflectors. The radius of each
node represents the number of reflected IP tuples.
Fig. 15. The geolocations of the top non-private original destination and the
corresponding reflectors.
of destinations (though they can be the gateway of a large
network). There may be a convenient assumption that the
top reflectors may distribute in a few areas, but they are not.
Fig. 14 plots the geolocations of the top 10000 reflectors. It can
be found they are widely distributed.
The result in Fig. 13(b) shows a small number of addresses
are facing attacks from a large number of corners. However,
we found the top original destinations are mostly private
addresses. Anyway, the result implies the number of potential
attackers are large. Other than private original destination
addresses, the top original destinations did not involve a large
number of reflectors. These numbers are far less than the total
number of reflectors. This implies the attackers in each attack
are not many. This result coincides with the report from Arbor.
Fig. 15 shows the geolocation of the top non-private original
destination and the involved reflectors. The total number of
reflector IP addresses are 625 (assigned in 10 ASes). This
number is just about 0.2% of the total number of reflectors.
Besides, it can be found the reflectors are not distributed all
over the world.
6) On the Filtering of Path Backscatter Messages:
We found two NAT reflectors (both in China). However,
we did not filter out any path backscatter message based
on the mechanism proposed in section III-D. We found
that, other than the cases in which the original destination
is private address, the largest number of IP tuples whose
original destinations are same is less than 650. Considering
an attacker can easily generate much more tuples, it implies
the dataset can be trustful to some extend. Anyway, because
the filtering mechanism certainly can not found all the forged
path backscatter messages, we do not claim all the messages
used in our experiments are trustable. However, we think this
fault will not make the whole solution worthless.
B. Evaluation on PIT
Though there are huge amounts of path backscatter
messages generated, their generation does not have a certain
probability. Thus, it is impossible to evaluate PIT similar as
the other IP traceback mechanisms which have stable packet
marking/ICMP generation probability. For this reason, we do
not evaluate how well PIT will work in each attack. To exclude
the uncertain factors of path backscatter message generation,
we evaluate the possibility of locating the attacker after we
get a random path backscatter (reflector, original destination)
tuple. To achieve this, we make the following assumptions on
IP spoofing attacks and path backscatter generation:
1) Assumption I: the locations of attackers are random;
2) Assumption II: attackers choose random destinations to
send spoofing packets;
3) Assumption III: the captured (reflector, original desti-
nation) tuple is generated on a random hop from the
attacker to the original destination.
We evaluate the mechanisms proposed in section IV-B based
on these assumptions. We begin with deducing the probability
of accurate locating. We compare the estimated result based
on the deduction with the simulation result. The simulations
are performed as follows: we choose a random node to be
attacker, choose a random destination, and choose a random
hop to be the reflector; then we check the (reflector, original
destination) tuple can be used to accurately locate the attacker
based on the proposed mechanisms. In section V-B1 and V-B2,
we present the probability of accurate locating the attacker;
and in section V-B3, we present the distribution of suspect set
size. We found that, without considering the occasional factors
of path backscatter message generation, the effectiveness of
the mechanisms are actually determined by the structure of
the networks. Though very limited information can be used
in the tracing, the attacker tracking is found to be effective
largely due to the power-law structure of the networks.
1) The Probability of Accurate Locating on Loop-Free
Assumption: Based on the Loop-free assumption, to accurately
locate the attacker from a path backscatter message (r, od),
there are three conditions:
1) LF-C1: the degree of the attacker a is 1;
2) LF-C2: od is not a;
3) LF-C3: r is a.
Based on the Assumption I, the probability of LF − C1 is
equal to the ratio of the network nodes whose degree is 1.
To estimate this probability, we introduce the power law of
degree distribution from [38],
fd ∝ dO
where fd is the frequency of degree d, and O is the outdegree
exponent. Transform it to
fd = λdO
+ bd
where λ and bd are two constants. Then, f1 = λ + bd.
For More Details Contact G.Venkat Rao
PVR TECHNOLOGIES 8143271457
11. YAO et al.: DISCLOSING THE LOCATIONS OF IP SPOOFERS 481
Fig. 16. The estimated probability of accurate locating in AS level topology
based on the loop-free assumption and the simulation result.
Fig. 17. The CDF of estimated probability of accurate locating based on a
random tuple in topology zoo and the simulation result.
Based on the Assumption II, the probability of LF − C2
is simply (N − 1)/N. Based on the Assumption III, the
probability of LF − C3 is equal to 1/(1 +len(path(a, od))).
Because a and od are random chosen, the expectation of
len(path(a, od) is the effective diameter of the network,
δef [38].
Based on the three assumptions, these conditions are mutu-
ally independent. Thus, the expectation of the probability of
accurate locating the attacker is
E(PLF−accurate) =
N − 1
N
∗
λ + bd
1 + δef
.
This form gives some insight on the probability of accurate
locating. If the power-law becomes stronger, λ will get larger
and δef will get smaller. Then the probability of accurate
locating will be larger.
We plot this estimated value and the corresponding simu-
lation result for AS-level topologies of each year in Fig. 16.
The probability is stably around 0.05.
We plot this value for networks in the topology zoo dataset
in Fig. 17. It can be found in more than 40% of the topologies,
the probability of accurate locating the attacker based on a
random tuple is larger than 0.1.
These results show, because of the power-law structure of
the networks, even just using the loose loop-free assumption
Fig. 18. The CCDF of the distribution of customer cone size.
Fig. 19. The estimated probability of accurate locating in AS level topology
based on the valley-free assumption and the simulation result.
Fig. 20. Suspect set size distribution. (a) Suspect set size distribution based
on loop-free assumption. (b) Suspect set size distribution based on valley-free
assumption.
on routing, the probability of accurate locating the attacker
based on a random tuple is non-trivial.
2) The Probability of Accurate Locating Based on
Valley-Free Assumption: Similarly, based on the valley-
free assumption, to accurately locate the attacker from
a path backscatter message (r, od), there are three
conditions:
1) VF-C1: the size of Cone(a) is 1;
2) VF-C2: od is not a;
3) VF-C3: r is a.
However, there is no convenient power law on the
distribution of customer cone size. Fig. 18 plots the CCDF
(Complementary Cumulative Distribution Function) of the
customer cone size based on the result from CAIDA in
log-log scale. It can be found that, when the customer cone
For More Details Contact G.Venkat Rao
PVR TECHNOLOGIES 8143271457
12. 482 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 3, MARCH 2015
Fig. 21. The tracked ASes in the attacks on 194.97.X.Y. The ASes with spoofers located are filled red and the victim AS is filled blue.
size is smaller than 1000, the CCDF is almost straight in the
log-log plot; thus, the CCDF well follows power-law.
Based on this discovery, we define the Customer Cone
Power Law:
Definition (Customer Cone Power Law): The CCDF (Com-
plementary Cumulative Density Function) of customer cone
size of a size follows power-law when the size is much smaller
than the number of ASs:
Rk ∝ kC
where Rk denotes the ratio of ASs whose size of customer
cone is larger than k, and C is the customer cone exponent.
Translate it to
Rk = γ kC
+ bc
where γ and bc are two constants.
If the spoofer can be located exactly, the size of customer
cone must be 1. The ratio of such ASs is 1− R1 = 1−γ −bc.
Then, similarly, the probability of accurate locating is:
E(PV F−accurate) =
N − 1
N
∗
(1 − γ − bc)
1 + δef
.
We plot this value for AS-level topologies of each year
and the simulation result in Fig. 19. This value is stably
around 18%. It should be noted that PIT does not require
deploying additional infrastructures. This traceback capability
is achieved with trivial additional effort. Compared with zero
traceback capability without PIT, this is a significant result.
3) The Distribution of Suspect Set Size: If the (reflector,
original destination) tuple cannot be used to accurately locat-
ing the spoofer, the size of the suspect set size is meaningful.
We present the distribution of the suspect set size in Fig. 20.
It can be found a tuple will either determine a small suspect
set, or be almost useless. Such a distribution is also caused by
the power-law structure of the Internet.
C. Performing PIT on the Dataset
In this section, we present a number of meaningful results
after performing PIT on the path backscatter dataset.
1) Where Are the Spoofers?: In this section, we
present the locations of the spoofers captured. This result
is achieved through combining the tracking mechanisms
proposed in section IV.
The procedure is as follows. For each path backscatter
message, at first we check whether it belongs to the special
classes listed in section IV-C. If yes, the reflector should be
near the attacker. We simply use the source AS of the message
as the location of the spoofer. If the message does not belong to
the types, it is mapped into an AS tuple. Determine whether the
AS tuple can accurately locate the source AS of the attacker
based on the mechanisms proposed in section IV-B. Because
we perform tracking at the AS level, we only use the valley-
free assumption which results in better tracking capability than
the loop-free assumption. Then if the AS tuple can accurately
locate the source AS of the message, the source AS of the
spoofer is just this AS. Then we also use the source AS as
the location of the spoofer. We do not further investigate the
location of the spoofers inside the AS because we do not
know the inner structure and address allocation in the ASes.
However, at least the messages of the special classes listed
in section IV-C can help locate the network of the spoofer.
We got 2788 ASes in which there are spoofers. 914
of them are located by the mechanisms in section IV-B,
and 2148 are located based on the special classes of path
backscatter messages. There are 274 ASes located by both
mechanisms. The full list of the ASes can be fetched from
http://tinyurl.com/lp959y4.
The captured ASes are only a small portion of all the ASes.
We believe this result underestimated the total number of
ASes with spoofers reside in. Considering the limitation of
the backscatter collection capability of the CAIDA network
telescope, the uncertainness of path backscatter generation
and the available datasets we can access, we are not able to
provide a complete list of all the ASes in which there are
spoofers. Here we just present this partial result to illustrate
the effectiveness of this proposed tracking mechanism. It can
be the basis for further potential works.
Besides, it should be noted that the ASes with spoofers in
are not the ASes which indulge spoofing. Actually, there are
a number of path backscatter messages are generated because
of the filtering performed by the ASes.
For More Details Contact G.Venkat Rao
PVR TECHNOLOGIES 8143271457
13. YAO et al.: DISCLOSING THE LOCATIONS OF IP SPOOFERS 483
2) An Aggregated Attack: We performed tracking based on
all the path backscatter messages whose original destination
is 194.97.X.Y, which is assigned in AS5430. There are totally
13511 such path backscatter messages, and 30 ASes are
located (15 of them are located by the special classes of
path backscatter messages, and 19 of them are located based
on the valley-free assumption. 4 of them can be located by
both mechanisms). We plot them in the AS-level topology as
Fig. 21. We make use of shortest valley-free path to connect
the ASes with spoofers located and the victim AS.
This proposed mechanism certainly does not work in all
the attacks and can not capture all the spoofers, but it does
tell something about the spoofing attacks. At least, the luckiest
victims are able to locate some of the spoofers. This is valuable
until an AS-level traceback system is established.
VI. CONCLUSION
We try to dissipate the mist on the the locations of spoofers
based on investigating the path backscatter messages. In this
article, we proposed Passive IP Traceback (PIT) which tracks
spoofers based on path backscatter messages and public
available information. We illustrate causes, collection, and
statistical results on path backscatter. We specified how to
apply PIT when the topology and routing are both known,
or the routing is unknown, or neither of them are known.
We presented two effective algorithms to apply PIT in large
scale networks and proofed their correctness. We demonstrated
the effectiveness of PIT based on deduction and simulation.
We showed the captured locations of spoofers through apply-
ing PIT on the path backscatter dataset. These results can help
further reveal IP spoofing, which has been studied for long but
never well understood.
APPENDIX A
PROOF OF THEOREM 1
Proof (1) Necessity:=> In G, there are at least two loop-
free paths P1, P2 from r to c which contains no identical
verticals other than r and c. Otherwise, the removal of one
of the the identical verticals c will break r and c. Because
any path from r to od must pass c, then the removal of c
will also break r and od. Besides, c must be contained in the
path(r, od). Then c cannot be the first vertex whose removal
breaks r and od.
In SG(r), there exists one loop-free path from any vertex
to r, which has identical verticals with at most one of P1 and
P2. It is because whenever a path comes across P1, it can travel
upstream P1 to reach r without necessity of crossing P2; and
vice versa. Then a loop-free path from any vertex v to c can be
constructed through composing the loop-free path path(v,r)
with either P1 or P2. Join this path with the segment from
c to od in path(r, od), and a loop-free path from v to od can
be constructed.
(2) Sufficiency<=: In SG(r), if a vertex v is no connected
with r, then in G, c must be contained in path(v,r) and
path(r, od). Thus there is a loop in any path from v to od
passing r.
APPENDIX B
PROOF OF THEOREM 2
Proof (1) Necessity:=> Assume when od is not in Cone(r),
v is not in Cone(r). Based on the valley-free assumption, the
path from v to od passing r must a valley-free path.
Because v is not in Cone(r), the path from v to r can be:
1) a downhill path; 2) an uphill path followed by a downhill
path; 3) an uphill path followed by a peer-peer edge; 4) a
peer-peer edge followed by a downhill path; 5) an uphill path
followed by a peer-peer edge, which is followed a downhill
path.
Because od is not in Cone(r), the path from r to od can
be: 1) an uphill path; 2) an uphill path followed by a downhill
path; 3) an uphill path followed by a peer-peer edge; 4) a
peer-peer edge followed by a downhill path; 5) an uphill path
followed by a peer-peer edge, which is followed a downhill
path.
However, any combination of the two paths be a valley-free
path. Thus, the assumption that v is not in Cone(r) is invalid.
It means v must be in Cone(r).
(2) Sufficiency<=: When od /∈ Cone(r) and there is a
valley-free path from v to od passing r, the path from r to od
can be: 1) an uphill path; 2) an uphill path followed by
a downhill path; 3) an uphill path followed by a peer-peer
edge; 4) a peer-peer edge followed by a downhill path; 5) an
uphill path followed by a peer-peer edge, which is followed a
downhill path.
The path from v to r must be a valley-free path, thus, it
can be 1) an uphill path; 2) a downhill path; 3) an uphill
path followed by a downhill path; 4) an uphill path followed
by a peer-to-peer edge; 5) a peer-to-peer edge followed by a
downhill path; or 6) an uphill path followed by a peer-to-peer
edge, which is followed by a downhill path.
However, only when the path from v to r is an uphill path,
the combined path from v to od can be a valley-free path.
Then v must be in cone(r).
ACKNOWLEDGMENT
The authors would like to thank the anonymous reviewers
and the editors for their valuable comments and suggestions
to improve the quality of this paper. They are also grateful to
Dan Massey and Bingyang Liu for reviewing the paper.
REFERENCES
[1] S. M. Bellovin, “Security problems in the TCP/IP protocol suite,”
ACM SIGCOMM Comput. Commun. Rev., vol. 19, no. 2, pp. 32–48,
Apr. 1989.
[2] ICANN Security and Stability Advisory Committee, “Distributed denial
of service (DDOS) attacks,” SSAC, Tech. Rep. SSAC Advisory SAC008,
Mar. 2006.
[3] C. Labovitz, “Bots, DDoS and ground truth,” presented at the 50th
NANOG, Oct. 2010.
[4] The UCSD Network Telescope. [Online]. Available:
http://www.caida.org/projects/network_telescope/
[5] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, “Practical network
support for IP traceback,” in Proc. Conf. Appl., Technol., Archit.,
Protocols Comput. Commun. (SIGCOMM), 2000, pp. 295–306.
[6] S. Bellovin. ICMP Traceback Messages. [Online]. Available:
http://tools.ietf.org/html/draft-ietf-itrace-04, accessed Feb. 2003.
[7] A. C. Snoeren et al., “Hash-based IP traceback,” SIGCOMM Comput.
Commun. Rev., vol. 31, no. 4, pp. 3–14, Aug. 2001.
For More Details Contact G.Venkat Rao
PVR TECHNOLOGIES 8143271457
14. 484 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 3, MARCH 2015
[8] D. Moore, C. Shannon, D. J. Brown, G. M. Voelker, and S. Savage,
“Inferring internet denial-of-service activity,” ACM Trans. Comput.
Syst., vol. 24, no. 2, pp. 115–139, May 2006. [Online]. Available:
http://doi.acm.org/10.1145/1132026.1132027
[9] M. T. Goodrich, “Efficient packet marking for large-scale IP trace-
back,” in Proc. 9th ACM Conf. Comput. Commun. Secur. (CCS), 2002,
pp. 117–126.
[10] D. X. Song and A. Perrig, “Advanced and authenticated marking
schemes for IP traceback,” in Proc. IEEE 20th Annu. Joint Conf. IEEE
Comput. Commun. Soc. (INFOCOM), vol. 2. Apr. 2001, pp. 878–886.
[11] A. Yaar, A. Perrig, and D. Song, “FIT: Fast internet traceback,” in Proc.
IEEE 24th Annu. Joint Conf. IEEE Comput. Commun. Soc. (INFOCOM),
vol. 2. Mar. 2005, pp. 1395–1406.
[12] J. Liu, Z.-J. Lee, and Y.-C. Chung, “Dynamic probabilistic packet
marking for efficient IP traceback,” Comput. Netw., vol. 51, no. 3,
pp. 866–882, 2007.
[13] K. Park and H. Lee, “On the effectiveness of probabilistic packet
marking for IP traceback under denial of service attack,” in Proc. IEEE
20th Annu. Joint Conf. IEEE Comput. Commun. Soc. (INFOCOM),
vol. 1. Apr. 2001, pp. 338–347.
[14] M. Adler, “Trade-offs in probabilistic packet marking for IP traceback,”
J. ACM, vol. 52, no. 2, pp. 217–244, Mar. 2005.
[15] A. Belenky and N. Ansari, “IP traceback with deterministic packet
marking,” IEEE Commun. Lett., vol. 7, no. 4, pp. 162–164, Apr. 2003.
[16] Y. Xiang, W. Zhou, and M. Guo, “Flexible deterministic packet marking:
An IP traceback system to find the real source of attacks,” IEEE Trans.
Parallel Distrib. Syst., vol. 20, no. 4, pp. 567–580, Apr. 2009.
[17] R. P. Laufer et al., “Towards stateless single-packet IP traceback,” in
Proc. 32nd IEEE Conf. Local Comput. Netw. (LCN), Oct. 2007,
pp. 548–555. [Online]. Available: http://dx.doi.org/10.1109/
LCN.2007.160
[18] M. D. D. Moreira, R. P. Laufer, N. C. Fernandes, and
O. C. M. B. Duarte, “A stateless traceback technique for identifying
the origin of attacks from a single packet,” in Proc. IEEE Int. Conf.
Commun. (ICC), Jun. 2011, pp. 1–6.
[19] A. Mankin, D. Massey, C.-L. Wu, S. F. Wu, and L. Zhang, “On design
and evaluation of ‘intention-driven’ ICMP traceback,” in Proc. 10th Int.
Conf. Comput. Commun. Netw., Oct. 2001, pp. 159–165.
[20] H. C. J. Lee, V. L. L. Thing, Y. Xu, and M. Ma, “ICMP traceback with
cumulative path, an efficient solution for IP traceback,” in Information
and Communications Security. Berlin, Germany: Springer-Verlag, 2003,
pp. 124–135.
[21] H. Burch and B. Cheswick, “Tracing anonymous packets to their
approximate source,” in Proc. LISA, 2000, pp. 319–327.
[22] R. Stone, “CenterTrack: An IP overlay network for tracking DoS floods,”
in Proc. 9th USENIX Secur. Symp., vol. 9. 2000, pp. 199–212.
[23] A. Castelucio, A. Ziviani, and R. M. Salles, “An AS-level overlay net-
work for IP traceback,” IEEE Netw., vol. 23, no. 1, pp. 36–41, Jan. 2009.
[Online]. Available: http://dx.doi.org/10.1109/MNET.2009.4804322
[24] A. Castelucio, A. T. A. Gomes, A. Ziviani, and R. M. Salles, “Intra-
domain IP traceback using OSPF,” Comput. Commun., vol. 35, no. 5,
pp. 554–564, 2012. [Online]. Available: http://www.sciencedirect.com/
science/article/pii/S0140366410003804
[25] J. Li, M. Sung, J. Xu, and L. Li, “Large-scale IP traceback in high-speed
internet: Practical techniques and theoretical foundation,” in Proc. IEEE
Symp. Secur. Privacy, May 2004, pp. 115–129.
[26] B. Al-Duwairi and M. Govindarasu, “Novel hybrid schemes employing
packet marking and logging for IP traceback,” IEEE Trans. Parallel
Distrib. Syst., vol. 17, no. 5, pp. 403–418, May 2006.
[27] M.-H. Yang and M.-C. Yang, “Riht: A novel hybrid IP trace-
back scheme,” IEEE Trans. Inf. Forensics Security, vol. 7, no. 2,
pp. 789–797, Apr. 2012.
[28] C. Gong and K. Sarac, “A more practical approach for single-packet
IP traceback using packet logging and marking,” IEEE Trans. Parallel
Distrib. Syst., vol. 19, no. 10, pp. 1310–1324, Oct. 2008.
[29] R. Beverly, A. Berger, Y. Hyun, and K. Claffy, “Understanding the
efficacy of deployed internet source address validation filtering,” in
Proc. 9th ACM SIGCOMM Conf. Internet Meas. Conf. (IMC), 2009,
pp. 356–369.
[30] G. Yao, J. Bi, and Z. Zhou, “Passive IP traceback: Capturing the
origin of anonymous traffic through network telescopes,” in Proc. ACM
SIGCOMM Conf. (SIGCOMM), 2010, pp. 413–414. [Online]. Available:
http://doi.acm.org/10.1145/1851182.1851237
[31] J. Postel. Internet Control Message Protocol, RFC792. [Online].
Available: https://tools.ietf.org/html/rfc792, accessed Sep. 1981.
[32] W. Richard Stevens, TCP/IP Illustrated: The Protocols, vol. 1. Boston,
MA, USA: Addison-Wesley, 1993.
[33] H. Wang, C. Jin, and K. G. Shin, “Defense against spoofed IP traffic
using hop-count filtering,” IEEE/ACM Trans. Netw., vol. 15, no. 1,
pp. 40–53, Feb. 2007.
[34] S. Knight, H. X. Nguyen, N. Falkner, R. Bowden, and M. Roughan,
“The internet topology zoo,” IEEE J. Sel. Areas Commun., vol. 29, no. 9,
pp. 1765–1775, Oct. 2011.
[35] L. Gao, “On inferring autonomous system relationships in the internet,”
IEEE/ACM Trans. Netw., vol. 9, no. 6, pp. 733–745, Dec. 2001.
[36] X. Dimitropoulos et al., “AS relationships: Inference and validation,”
ACM SIGCOMM Comput. Commun. Rev., vol. 37, no. 1, pp. 29–40,
Jan. 2007.
[37] IPInfoDB. IP Geolocation Dataset. [Online]. Available:
http://www.ipinfodb.com/
[38] M. Faloutsos, P. Faloutsos, and C. Faloutsos, “On power-law relation-
ships of the internet topology,” ACM SIGCOMM Comput. Commun.
Rev., vol. 29, no. 4, pp. 251–262, 1999.
Guang Yao received the Ph.D. degree in computer
science from Tsinghua University, Beijing, China,
in 2012, where he is currently a Post-Doctoral
Researcher with the Network Research Center. His
research interests include IP traceback and software
defined networking.
Jun Bi (M’00–SM’14) received the B.S., M.S., and
Ph.D. degrees in computer science from Tsinghua
University, Beijing, China. He was a Post-Doctoral
Scholar with the Department of High Speed Net-
work, Bell Labs Research, Murray Hill, NJ, USA,
and a Research Scientist with the Bell Labs Research
Communication Science Division and the Bell Labs
Advanced Communication Technologies Center.
He is currently a Full Professor and the Director
of the Network Architecture and IPv6 Research
Laboratory with the Network Research Center, and
a Ph.D. Supervisor with the Department of Computer Science, Tsinghua
University. His research interests include network architecture, Internet routing
and addressing, IPv6, and future Internet. He is also a Senior Member of the
Association for Computing Machinery.
Athanasios V. Vasilakos (M’00–SM’10) is
currently a Professor with the University of Western
Macedonia, Kozani, Greece. He has authored or
coauthored over 200 technical papers in major
international journals and conferences. He has
authored or coauthored five books and 20 book
chapters in the areas of communications. He has
served as the General Chair, the Technical Program
Committee (TPC) Chair, and a TPC Member
(i.e., INFOCOM, SECON, and MOBIHOC) for
many international conferences. He served as
an Editor or a Guest Editor for many technical journals, such as the
IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, the
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY,
the IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS,
PART B, the IEEE TRANSACTIONS ON INFORMATION TECHNOLOGY IN
BIOMEDICINE, the IEEE TRANSACTIONS ON COMPUTERS, the ACM
Transactions on Autonomous and Adaptive Systems, the IEEE JOURNAL
ON SELECTED AREAS IN COMMUNICATIONS, the IEEE Communications
Magazine, the ACM Wireless Networks (Springer), and the ACM Mobile
Networks and Applications (Springer). He is a Founding Editor-in-Chief
of the International Journal of Autonomous and Adaptive Communication
Systems and the International Journal of Arts and Technology. He is also the
General Chair of the Council of Computing of the European Alliances for
Innovation.
For More Details Contact G.Venkat Rao
PVR TECHNOLOGIES 8143271457