
IP Spoofers



Abstract
For a long time, attackers (IP spoofers) have used forged IP addresses to hide their real locations. To capture the spoofers, many IP traceback mechanisms have been proposed. However, due to the difficulties in deployment, there has not been any widely adopted IP traceback solution, at least at the Internet level. As a result, there is still no efficient mechanism to find the real addresses of IP spoofers. This paper proposes passive IP traceback (PIT), which overcomes the deployment difficulties of IP traceback techniques. PIT investigates Internet Control Message Protocol (ICMP) error messages (named path backscatter) that are triggered by spoofing traffic, and tracks the spoofers based on publicly available information (e.g., topology). In this way, PIT can find the spoofers without any deployment requirement. This paper illustrates the causes, collection, and statistical results of path backscatter, demonstrates the processes and effectiveness of PIT, and shows the captured locations of spoofers obtained by applying PIT to the path backscatter data set. These results can help further reveal IP spoofing. Though PIT cannot work in all spoofing attacks, it may be the most useful method to trace spoofers.
Introduction
IP spoofing, which means attackers launching attacks with forged source IP addresses, has long been recognized as a serious security problem on the Internet. By using addresses that are assigned to others or not assigned at all, attackers can avoid exposing their real locations and thus protect themselves from being traced, enhance the effect of an attack, or launch reflection-based attacks. A number of notorious attacks rely on IP spoofing, including SYN flooding, SMURF, and DNS amplification. A Domain Name System (DNS) amplification attack which severely degraded the service of a Top Level Domain (TLD) name server is reported in. Though there is a popular conventional wisdom that DoS attacks [1] are launched from botnets and spoofing is no longer critical, ARBOR's report at the NANOG 50th meeting shows that spoofing is still significant in observed DoS attacks. Indeed, based on the backscatter messages captured by the UCSD Network Telescopes [2], spoofing activities are still frequently observed. Capturing the origins of IP spoofing traffic is of great importance. As long as the real locations of spoofers are not disclosed, they cannot be deterred or prevented from launching further attacks. Even just approaching the spoofers, for example by determining the ASes or networks they reside in, allows attackers to be located and traced in a smaller area, and filters to be placed closer to the attacker before attacking traffic gets aggregated. Last but not least, identifying the origins of spoofing traffic can help build a reputation system for ASes, which would help push the corresponding ISPs to verify IP source addresses [3]. This is the first known article that investigates path backscatter messages in depth. These messages are valuable for understanding and analyzing spoofing activities.
Though backscatter messages, which are generated by the targets of spoofing messages, have been used to study Denial of Service (DoS) [4] [5], path backscatter messages, which are sent by intermediate devices during forwarding rather than by the targets, have not been used in traceback. A practical and effective IP traceback solution based on path backscatter messages, i.e., PIT, is proposed. PIT bypasses the deployment difficulties of existing IP traceback mechanisms [6] and actually is already in force. Given the limitation that path backscatter messages are not generated with stable probability, PIT cannot work in all attacks, but it does work in a number of spoofing activities. At least it may be the most useful traceback mechanism before an AS-level traceback system has actually been deployed. By applying PIT to the path backscatter dataset, a number of locations of spoofers are captured and presented. Though this is not a complete list, it is the first known list disclosing the locations of spoofers.
Source: RESEARCH ARTICLE, OPEN ACCESS, International Journal of Computer Science Trends and Technology (IJCST), Volume 3 Issue 5, Sep-Oct 2015, ISSN: 2347-8578, www.ijcstjournal.org
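The following sketch is an added example, not code from the paper: it parses an ICMP error message, separates path backscatter (sent by an intermediate router) from an error sent by the target itself, and narrows the spoofer's possible location on a small topology. The topology, the addresses, the helper names and the shortest-path routing model are assumptions made for illustration.

```python
import ipaddress
import struct
from collections import deque

ICMP_ERRORS = {3, 11}  # destination unreachable, time exceeded

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header for constructed samples (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def sample_backscatter(router, spoofed_src, victim, icmp_type=11):
    """Constructed ICMP error as a router would send it to the spoofed source."""
    quoted = ipv4_header(spoofed_src, victim, 6, 8, ttl=1) + bytes(8)
    icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0) + quoted
    return ipv4_header(router, spoofed_src, 1, len(icmp)) + icmp

def parse_path_backscatter(packet):
    """Return (reporting router, original destination), or None if not path backscatter."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if ihl < 20 or len(packet) < ihl + 28 or packet[9] != 1 or packet[ihl] not in ICMP_ERRORS:
        return None
    quoted = packet[ihl + 8:]  # IP header of the spoofed packet that triggered the error
    router = str(ipaddress.IPv4Address(packet[12:16]))
    original_dst = str(ipaddress.IPv4Address(quoted[16:20]))
    # An error sent by the original destination itself is ordinary backscatter.
    return None if router == original_dst else (router, original_dst)

def hops_from(graph, start):
    """Breadth-first hop counts from start to every reachable node."""
    dist, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def candidate_origins(graph, router, original_dst):
    """Nodes with a shortest path to original_dst through router (assumed routing model)."""
    via, direct = hops_from(graph, router), hops_from(graph, original_dst)
    return {n for n in via if n in direct and via[n] + direct[router] == direct[n]}

# Constructed topology (documentation address ranges); not data from the paper.
TOPOLOGY = {"net-a": ["198.51.100.1"], "net-b": ["198.51.100.1"], "net-c": ["198.51.100.3"],
            "198.51.100.1": ["net-a", "net-b", "198.51.100.2"],
            "198.51.100.2": ["198.51.100.1", "198.51.100.3", "203.0.113.10"],
            "198.51.100.3": ["net-c", "198.51.100.2"], "203.0.113.10": ["198.51.100.2"]}
```

A message reported by a router close to the source narrows the candidate set sharply, while one reported by the router next to the target excludes almost nothing.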
Related work
Existing IP traceback approaches can be classified into five main categories: packet marking, ICMP traceback, logging on the router, link testing, overlay, and hybrid tracing.
Packet marking methods require routers to modify the header of the packet to contain the information of the router and forwarding decision.
Different from packet marking methods, ICMP traceback generates additional ICMP messages to a collector or the destination.
The attacking path can be reconstructed from logs on the routers when each router makes a record of the packets it forwards.
Link testing is an approach which determines the upstream of attacking traffic hop-by-hop while the attack is in progress.
CenterTrack proposes offloading the suspect traffic from edge routers to special tracking routers through an overlay network.
Disadvantages of existing system
1) Based on the captured backscatter messages from UCSD Network Telescopes, spoofing activities are still frequently observed. Building an IP traceback system on the Internet faces at least two critical challenges. The first one is the cost to adopt a traceback mechanism in the routing system.
2) Existing traceback mechanisms are either not widely supported by current commodity routers, or will introduce considerable overhead to the routers (Internet Control Message Protocol (ICMP) generation, packet logging), especially in high-performance networks. The second one is the difficulty of making Internet service providers (ISPs) collaborate.
3) Since the spoofers could spread over every corner of the world, it is almost meaningless for a single ISP to deploy its own traceback system.
4) However, ISPs, which are commercial entities with competitive relationships, generally lack explicit economic incentive to help clients of the others to trace attackers in their managed ASes.
5) Since deploying traceback mechanisms brings no clear gains but apparently high overhead, to the best of the authors' knowledge, there has been no deployed Internet-scale IP traceback system till now.
6) Although a lot of IP traceback mechanisms have been proposed and a large number of spoofing activities observed, the real locations of spoofers still remain a mystery.