29-10-2014, 04:23 PM
IP Traceback based on Packet Marking and Logging
Introduction
The goal of IP traceback is to trace the path of an IP
packet to its origin.
● The most important usage of IP traceback is to deal with
certain denial-of-service (DoS) attacks, where the source
IP address is spoofed by attackers.
● Identifying the sources of attack packets is a significant
step in making attackers accountable.
Two main kinds of IP traceback techniques have been
proposed: packet marking and packet logging.
Packet Marking
The router marks packets with its identification
information as they pass through that router.
● The mark overloads a rarely used field in the IP packet
header, i.e., the 16-bit IP identification field.
● The identification of a router could be its 32-bit IP address,
a hash value of its IP address, or a uniquely assigned number.
Probabilistic Packet Marking
Since the marking space in the packet header is too small to
record the entire path, routers mark packets with some
probability so that each marked packet carries the
information of one node in the path.
● Due to its probabilistic nature, it can only trace the
traffic that consists of a large volume of packets.
Packet Logging
Packets are logged at each router through which they pass.
● Hash-based IP traceback stores packet digests, instead of the packets
themselves, in a space-efficient data structure, a Bloom filter.
● For each arriving packet, the router uses the first 24 invariant bytes
of the packet (20-byte IP header with 4 bytes masked out) plus the
first 8 bytes of payload as input to the digesting function.
● The 32-bit packet digest is stored in the digest table, which is
realized with a Bloom filter.
This approach could track a single IP packet and
therefore is considered to be more powerful compared
to the PPM approach.
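The logging step described above, as an added example that is not part of the original slides: a router-side digest table that records a packet and later answers "did this packet pass through here?" even after the TTL and checksum changed downstream. Assumptions: the four masked header bytes are ToS, TTL and header checksum, truncated SHA-256 stands in for the router's digesting function, the Bloom filter uses k salted digests, and the packet builder and all names are hypothetical.

```python
import hashlib
import struct

# Assumption: the 4 masked header bytes are ToS (offset 1), TTL (offset 8)
# and header checksum (offsets 10-11), the fields routers rewrite in transit.
MASKED_OFFSETS = (1, 8, 10, 11)


def digest_input(packet: bytes) -> bytes:
    """Return the 20-byte header with mutable bytes zeroed plus 8 payload bytes."""
    ihl = (packet[0] & 0x0F) * 4          # real header length, options skipped
    header = bytearray(packet[:20])
    for off in MASKED_OFFSETS:
        header[off] = 0
    payload = packet[ihl:ihl + 8].ljust(8, b"\x00")  # pad short payloads
    return bytes(header) + payload


def packet_digest(packet: bytes, salt: int) -> int:
    """32-bit digest; truncated SHA-256 is a stand-in for the router's hash."""
    h = hashlib.sha256(struct.pack("!I", salt) + digest_input(packet)).digest()
    return int.from_bytes(h[:4], "big")


class DigestTable:
    """Bloom filter indexed by k salted 32-bit packet digests."""

    def __init__(self, bits: int = 1 << 16, k: int = 3):
        self.bits, self.k = bits, k
        self.table = bytearray(bits // 8)

    def _positions(self, packet: bytes):
        return [packet_digest(packet, s) % self.bits for s in range(self.k)]

    def record(self, packet: bytes) -> None:
        for p in self._positions(packet):
            self.table[p // 8] |= 1 << (p % 8)

    def seen(self, packet: bytes) -> bool:
        # True may be a false positive; False is always definitive.
        return all(self.table[p // 8] & (1 << (p % 8)) for p in self._positions(packet))


def build_packet(ttl: int, ident: int, payload: bytes) -> bytes:
    """Constructed sample IPv4 packet (checksum is a dummy value)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, 17, 0xBEEF, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload
```

Because only digests are kept, the table can confirm or rule out a single packet but cannot reproduce it, and a positive answer carries the Bloom filter's false-positive rate.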
Hybrid IP Traceback
Overheads on Routers
Since the router keeps a separate table for each neighbor, packets
coming from different neighbor routers can be recorded in the
corresponding digest tables simultaneously as long as each
digest table has its own read/write hardware support.
● Thereby the access time requirement for recording
packet digests is reduced by a factor of the number of
neighbor routers.