Technical Seminar
Single-packet hybrid IP traceback for IPv4 and IPv6 networks
Nagarjun T N 1BG14CS128
Contents
1. Introduction
2. Problem Statement
3. Literature Survey
4. Algorithm and Implementation
5. Comparative Study
6. Conclusion
“True cybersecurity is preparing for what's next, not what was last.”
- Neil Rerup, Cybersecurity Expert
Introduction
● Cybersecurity.
● Malicious users look for vulnerabilities in the Internet to perform various attacks.
● DDoS is a prominent attack in recent days.
● IP traceback.
Problem Statement
To develop a single-packet hybrid technique that has the advantages of being a
storage-efficient and accurate traceback mechanism to track the source of the
attacker in both IPv4 and IPv6 schemes.
Literature Survey
1. An Implementation of IP Traceback in IPv6 Using
Probabilistic Packet Marking
2. IP Traceback based on Packet Marking and Logging
3. Network Support for IP Traceback
Survey Paper 1: An Implementation of IP Traceback in IPv6 Using Probabilistic Packet Marking
Aim: Handling the traceback in both DoS and DDoS attacks.
Procedure:
● The Probabilistic Packet Marking approach is used.
● The flow label field is modified to mark the router information.
● The hash function is computed and the distance from the previous router is applied.
● A Java simulator is used.
Conclusion:
The upstream router map is constructed when packet spoofing occurs in the network.
Emil Albright and Xuan-Hien Dang, “An Implementation of IP Traceback in IPv6 Using Probabilistic Packet Marking”, Int Conference of Electronics and Communication, IEEE, December 2015
Survey Paper 2: IP Traceback based on Packet Marking and Logging
Chao Gong and Kamil Sarac, “IP Traceback based on Packet Marking and Logging”, IEEE 2005
Aim: Use a hybrid approach of packet marking and logging.
Procedure:
● The goal is to reduce the storage overhead and the access time.
● The Probabilistic Packet Marking approach marks the packet with the router identification information.
● The packet logging operation records the packet digest and the mark in a digest table.
Conclusion:
Attack graph construction.
Survey Paper 3: Network Support for IP Traceback
Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson, “Network Support for IP Traceback”, IEEE/ACM Transaction on Networking 2001
Aim: Technique for tracing anonymous DoS attacks using IP traceback.
Procedure:
● Ingress filtering, link testing (input debugging and controlled flooding), logging, ICMP traceback.
● Node append, node sampling, edge sampling.
● Compressed edge fragment sampling, IP header encoding.
Technique               Management Overhead   Network Overhead   Router Overhead   Preventive/Reactive
Ingress Filtering       Moderate              Low                Moderate          Preventive
Link testing:
  Input debugging       High                  Low                High              Reactive
  Controlled flooding   Low                   High               Low               Reactive
Logging                 High                  Low                High              Reactive
ICMP Traceback          Low                   Low                Low               Reactive
ALGORITHMS
1. Marking and Logging Scheme
2. Path Reconstruction
MARK_AND_LOG (Pi, UIk)
Begin
    marknew <- Pi.mark × (D(Rk)+1) + UIk + 1
    if marknew > 65535 then
        // the mark field would overflow: log the old mark and restart from the table index
        first <- Pi.mark % m
        skip <- 1 + (Pi.mark % (m-1))
        probe <- 0
        l <- first
        while (HT[l] != null AND HT[l] != (Pi.mark, UIk) AND probe < m)
            probe <- probe + 1
            l <- (first + probe × skip) % m      // double hashing
        end while
        if HT[l] = null then
            HT[l].mark <- Pi.mark
            HT[l].UIk <- UIk
        endif
        marknew <- l × (D(Rk)+1)
    endif
    Pi.mark <- marknew
    Forward packet to next router with packet marked as Pi.mark
End
PATH_RECONSTRUCT (markreq)
Begin
    UIk <- markreq % (D(Rk)+1) - 1
    if UIk = -1 then
        // the mark was restarted at this router: recover the logged mark
        l <- markreq / (D(Rk)+1)
        if l != 0 then
            Set markold to HT[l].mark and UIk to HT[l].UIk
            CALL PATH_RECONSTRUCT (markold) on adjacent router linked via UIk
        else
            The current router is the attacker's source router
        endif
    else
        markold <- markreq / (D(Rk)+1)      // integer division
        CALL PATH_RECONSTRUCT (markold) on adjacent router linked via UIk
    endif
End
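The two procedures above, run end to end on a constructed eight-router path (an added Python example, not code from the seminar or the cited paper). Assumptions: the border router emits mark 0, table slots are numbered 1..m so that index 0 stays free to mean "source router", and the degree, table size and interface numbers are made up for the demo.

```python
MAX_MARK = 65535  # 16-bit marking field, as in MARK_AND_LOG

class Router:
    def __init__(self, name, degree, m=11):
        self.name, self.degree, self.m = name, degree, m
        self.ht = [None] * (m + 1)  # slots 1..m; slot 0 unused (assumption)
        self.up = {}                # upstream interface number -> Router

    def mark_and_log(self, mark, ui):
        new = mark * (self.degree + 1) + ui + 1
        if new > MAX_MARK:          # overflow: log (mark, ui), restart from slot
            first, skip = mark % self.m, 1 + mark % (self.m - 1)
            for probe in range(self.m):
                slot = 1 + (first + probe * skip) % self.m  # double hashing
                if self.ht[slot] in (None, (mark, ui)):
                    break
            else:
                raise RuntimeError("hash table full")
            self.ht[slot] = (mark, ui)
            new = slot * (self.degree + 1)
        return new

    def reconstruct(self, markreq):
        ui = markreq % (self.degree + 1) - 1
        if ui == -1:                # mark was restarted at this router
            slot = markreq // (self.degree + 1)
            if slot == 0:
                return [self.name]  # source (border) router reached
            markold, ui = self.ht[slot]
        else:
            markold = markreq // (self.degree + 1)
        return [self.name] + self.up[ui].reconstruct(markold)

def build_path(n=8, degree=15):
    """Constructed linear topology R0 (border) ... R(n-1) (next to victim)."""
    routers = [Router(f"R{i}", degree) for i in range(n)]
    uis = [(3 * i + 14) % degree for i in range(n - 1)]  # made-up interfaces
    for down, up, ui in zip(routers[1:], routers, uis):
        down.up[ui] = up
    return routers, uis

def send(routers, uis):
    mark = 0                        # border router R0 emits mark 0 (assumption)
    for router, ui in zip(routers[1:], uis):
        mark = router.mark_and_log(mark, ui)
    return mark

if __name__ == "__main__":
    routers, uis = build_path()
    mark = send(routers, uis)
    print(mark, routers[-1].reconstruct(mark))
```

Only R5 writes a table entry on this path, and a second packet along the same path reuses it, which is the "path information, not packet information" property the scheme relies on.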
Comparative Study
IPv4 Implementation
IPv6 Implementation
IPv4 Analysis
● The options field is used for marking instead of the Identification field.
● Option Copy (1 bit), Option Class (2 bits), Option Number (5 bits) as specified by
IANA (Internet Assigned Numbers Authority).
● The simulation environment consisted of a PC with an Intel Core i5 processor,
8GB RAM, OMNeT++ and the INET Framework.
Analysis of Average Logging Time
● Logging time.
● This model is compared to the pre-existing model RIHT.
● This system requires an average of ~15.04% less logging time than RIHT.
● This model uses the double hashing technique, whereas RIHT uses quadratic probing.
● The storage/memory utilisation of RIHT suffers from secondary clustering.
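Secondary clustering, counted in probes (an added Python example, not from the seminar or from RIHT). The keys are constructed marks that share one home slot, the table size is made up, and the quadratic sequence h + i² is an assumed form rather than RIHT's exact constants; the double-hashing step is the first/skip rule from MARK_AND_LOG.

```python
M = 11                       # table size (prime), constructed for the demo
KEYS = [3, 14, 25, 36, 47]   # constructed marks that all hash to home slot 3

def quadratic(key, probe):
    # Assumed form h + i^2: keys with the same home slot share the whole
    # probe sequence, which is what secondary clustering means.
    return (key % M + probe * probe) % M

def double_hash(key, probe):
    # first + probe * skip, with skip derived from the key itself,
    # so colliding keys diverge after the first probe.
    return (key % M + probe * (1 + key % (M - 1))) % M

def total_probes(keys, slot_fn):
    """Insert keys into an empty table and count every slot inspected."""
    table, total = [None] * M, 0
    for key in keys:
        for probe in range(M):
            total += 1
            slot = slot_fn(key, probe)
            if table[slot] is None:
                table[slot] = key
                break
    return total

if __name__ == "__main__":
    print("quadratic probing:", total_probes(KEYS, quadratic))
    print("double hashing:   ", total_probes(KEYS, double_hash))
```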
Accuracy Analysis
● Accuracy is defined in terms of false positives and false negatives.
● Both RIHT and this model achieved zero false negatives.
● In RIHT, packet fragmentation leads to false positives, at a rate equal to 0.25%.
● This system uses the options field, so there is no problem of false positive results
during reassembly of fragmented packets.
IPv6 Analysis
● This model uses the hop-by-hop extension header for marking.
● The model was simulated in the IPv6 environment in OMNeT++ and the INET
Framework.
● The existing models used for comparison are PPM-IPv6 and PHIT-IPv6.
Analysis of Number of Packets Required for Traceback
● PPM-IPv6 marks packets probabilistically, so a large number of packets is
required.
● PHIT-IPv6 requires a minimum of 16 packets to find the upstream router.
● This model is independent of the path length and depends only on the mark of an
individual packet.
Analysis of Storage Requirement
● In this scheme, the hash table and the interface table account for the storage.
● In PHIT-IPv6 only a log table exists; every packet that enters is logged, so
the size of the table increases exponentially.
● The simulation results indicate that PHIT-IPv6 requires about 143-700kB, while
this scheme requires only 25kB.
● This scheme needs 82.5% less storage for traceback than PHIT-IPv6.
Conclusions
● This scheme is an improved and efficient implementation of single-packet
hybrid IP traceback.
● The scheme is well suited for both IPv4 and IPv6.
● The scheme abides by the standard specifications.
● The scheme is storage-efficient and considerably reduces the logging time in
the router.
● The main idea is to record the path information and not the individual packet
information.
● The path information is distributed between the marking fields of the packets and
the logging tables in the routers.
References
1. Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson,
“Network Support for IP Traceback”, IEEE/ACM Transaction on
Networking, 2001.
2. Emil Albright and Xuan-Hien Dang, “An Implementation of IP Traceback
in IPv6 Using Probabilistic Packet Marking”, Int Conference of Electronics
and Communication, IEEE, 2015.
3. Chao Gong and Kamil Sarac, “IP Traceback based on Packet Marking and
Logging”, IEEE, 2005.
4. Kamaldeep, Manisha Malik and Maitreyee Dutta, “Implementation of single
packet hybrid IP traceback for IPv4 and IPv6 networks”, IET Journals,
2017.
5. C. Vaiyapuri and R. Mohandas, “IP Traceback scheme using Packet
Logging and Packet Marking using RIHT”, IJCSMC, 2013.
Thank you!
