A Denial-of-Service-Resistant IP Traceback Approach
Distributed Denial-of-Service (DDoS) attack is among the hardest research topics in the Internet security area, due to the stateless nature of IP networks and to the confusing and diffusing effect of DDoS attacks. In this paper, we select ten essential factors to analyze a newly-designed DoS-resistant ICMP messaging scheme and demonstrate its feasibility, effectiveness, security, and immunity to Denial-of-Service (DoS) attacks.
A Denial-of-Service (DOS) attack is designed to render a computer or network incapable of providing normal service to legitimate users. DDoS (Distributed DOS) attacks employ many computers to launch a coordinated DOS attack, which produces and sends attack packets from hundreds of different networks or IP addresses rather than just one. IP traceback is a technique attempting to identify the origin of a specific IP packet.
However, most existing approaches, like our own, are actually designed for DoS attacks and are only feasible for tracing DoS attacks, because we assume that the victim or attack tracer receives a large number of packets from the attack sources when it is under siege. Even though each approach has solved some essential IP traceback difficulties, sometimes they also introduce new problems.
For instance, the route reference approach does not require ISPs to participate in the traceback process, but in fact, originates a new DOS attack on its own network. Theoretically, the SPIE can achieve the ultimate goal of the IP traceback – the single-packet IP Traceback – and reduce the storage requirement significantly, but the overhead is still considerable, particularly for routers in the core of the Internet.
Therefore, we consider the following requirements for our IP traceback scheme:
1. Incremental deployment. Due to the cost and time required for upgrading network equipment, it is not practical to assume that most equipment can be updated with new hardware or software promptly. Therefore, incremental deployment is essential to all pragmatic new designs.
2. Workload equilibrium. Some network equipment, particularly those devices at the core of the Internet, is time-sensitive and incapable of performing additional functionalities; hence, new designs should draw on edge routers rather than core routers.
3. Security. One of the most common problems of all proposed mechanisms is mark or message authentication; but only one method explicitly considers cryptographic algorithms to verify the marks or information, since those algorithms are relatively expensive.
4. Robustness. Savage et al.'s PPM seems to be the most elegant IP traceback scheme because routers continue to be stateless and the sizes of the marked packets remain unchanged. However, due to the very limited space available in the IP packet header, the PPM breaks information into pieces, and that causes a very high rate of false positives in path reconstruction.
5. Bandwidth overhead. For most methods, a critical issue is whether or not the extra traffic load consumes significant bandwidth. However, without sufficient space for adding information to IP packet headers, producing extra messages seems inevitable, but the number of additional messages for IP traceback should be restricted.
6. Computational overhead. Except for the authenticating process, the most significant computational overhead is the attack path construction process, which needs to gather and assemble scattered information in considerable numbers of packets or messages received by the victim or trace agents.
7. Storage overhead. Besides the SPIE storing information at forwarding routers, the PPM and the iTrace also consume a lot of memory space at the victim or trace agents, which collect and store information for later path reconstruction.
8. DoS-resistance. Ironically, although IP traceback mechanisms are designed to defend against (identify the sources of) DoS/DDoS attacks, most of them suffer from DoS/DDoS attacks as well, because they do not protect their information against tampering and they consume resources, such as network bandwidth, computation power, and memory space, even when no attack is under way.
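To make requirements 3 and 4 concrete, here is an added Python simulation; it is not code from the paper and does not model the Caddie scheme. It implements a simplified node-sampling variant of Savage et al.'s PPM in which each router, with probability p, writes one byte of its own address (plus a byte offset and a distance counter) into the packet, and the victim reassembles addresses per distance by combining one fragment per offset. The router addresses, p, packet counts and topology are constructed. With one source the path reconstructs exactly; with two sources that diverge at the same hop, every hop where they differ yields 16 candidate addresses of which 14 are false, because unauthenticated fragments from different routers combine freely. Savage et al.'s actual scheme fragments an edge (start XOR end) and interleaves a hash to prune such combinations; that pruning is deliberately left out to show the effect the requirement describes.

```python
import random
from collections import defaultdict
from itertools import product

FRAGMENTS = 4  # a 32-bit IPv4 address split into 4 one-byte fragments


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def fragment(ip, offset):
    """Byte `offset` of the address (0 = most significant byte)."""
    return (ip_to_int(ip) >> (8 * (FRAGMENTS - 1 - offset))) & 0xFF


def mark_packet(path, p, rng):
    """One packet travelling attacker -> victim along `path` (router IPs,
    nearest to the attacker first).  Each router overwrites the mark with
    probability p, writing one random fragment of its own address and
    distance 0; otherwise it only increments the distance of an existing
    mark.  Returns (fragment_value, offset, distance) or None."""
    mark = None
    for router in path:
        if rng.random() < p:
            offset = rng.randrange(FRAGMENTS)
            mark = [fragment(router, offset), offset, 0]
        elif mark is not None:
            mark[2] += 1
    return tuple(mark) if mark else None


def collect_marks(paths, packets_per_source, p, rng):
    """Victim side: the set of distinct marks seen over many packets."""
    marks = set()
    for path in paths:
        for _ in range(packets_per_source):
            m = mark_packet(path, p, rng)
            if m is not None:
                marks.add(m)
    return marks


def reconstruct(marks):
    """For each distance, combine one fragment per offset in every possible
    way.  Without an authenticator the victim cannot tell which combinations
    are genuine, so every element of the cross product becomes a candidate."""
    frags = defaultdict(lambda: defaultdict(set))
    for value, offset, dist in marks:
        frags[dist][offset].add(value)
    candidates = {}
    for dist, by_offset in frags.items():
        if len(by_offset) < FRAGMENTS:
            continue  # some byte never arrived: nothing can be rebuilt yet
        combos = product(*(sorted(by_offset[o]) for o in range(FRAGMENTS)))
        candidates[dist] = {int_to_ip(int.from_bytes(bytes(c), "big"))
                            for c in combos}
    return candidates


def false_positives(candidates, paths):
    """Candidates at each distance that lie on none of the real paths."""
    truth = defaultdict(set)
    for path in paths:
        for dist, router in enumerate(reversed(path)):
            truth[dist].add(router)
    return {d: cands - truth[d] for d, cands in candidates.items()}


# Constructed topology: two attack sources share the last two hops to the victim.
SHARED = ["30.31.32.33", "40.41.42.43"]
PATH_A = ["10.11.12.13", "20.21.22.23"] + SHARED
PATH_B = ["50.51.52.53", "60.61.62.63"] + SHARED


def demo(packets_per_source=5000, p=0.5, seed=1):
    """Reconstruct with one source, then with two; returns both candidate maps."""
    rng = random.Random(seed)
    single = reconstruct(collect_marks([PATH_A], packets_per_source, p, rng))
    double = reconstruct(collect_marks([PATH_A, PATH_B], packets_per_source, p, rng))
    return single, double


if __name__ == "__main__":
    single, double = demo()
    fp = false_positives(double, [PATH_A, PATH_B])
    for dist in sorted(double):
        print(f"distance {dist}: 1 source -> {len(single[dist])} candidate(s), "
              f"2 sources -> {len(double[dist])} candidate(s), {len(fp[dist])} false")
```

The distance counter is what lets the victim group fragments by hop; the two shared hops nearest the victim reconstruct uniquely even with two sources, while the two divergent hops explode to 2^4 candidates each. Shrinking the fragments (more pieces, fewer bits each) to fit a real header makes the cross product larger still, which is the trade-off the requirement points at.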
In this paper, we analyze a new ICMP message – the ICMP Caddie messages scheme – which provides a simple and straightforward solution for IP traceback. While the proposed scheme still needs some router modifications, the potential overhead on routers has been minimized. For example, our approach has very low network bandwidth and router storage overhead and supports incremental deployment. Compared to other methods, the Caddie messages scheme has higher precision and lower computation overhead. In particular, it balances the workload in the network. Furthermore, the scheme cannot be the target of a DoS attack.