Speedy IP Trace Back (SIPT) For Identifying DoS Attacks

Sadankumar.B 08C41A1263

DESCRIPTION

To trace the IP address of a system that tried to access the system without authorized permission.

Page 1: Speedy IP Trace Back (SIPT) For Identifying DoS Attacks

Sadankumar.B 08C41A1263

Page 2: Abstract

Denial-of-service (DoS) is a type of network attack in which an attacker may be able to prevent legitimate users from accessing email, web sites, or online accounts (banking, etc.).

Unfortunately, mechanisms for dealing with DoS attacks haven't advanced at the same pace as the attacks themselves.

This paper presents a new method for identifying denial-of-service attacks that uses the attacker's media access control address for identification and trace back.

Page 3: Contents

Introduction
  DoS
  DDoS
SIPT for identifying the boundary router
Existing mechanisms
Conclusion
References

Page 4: Introduction

In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services by targeting their computers and network connections, or the computers and network of the sites they are trying to use.

E.g.: flooding the network with information.

Page 5: Introduction (continued)

In a distributed denial-of-service (DDoS) attack, an attacker may use other users' computers to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of other computers and use them to send huge amounts of data to a web site, or to send spam to particular email addresses.

Page 6: SIPT for identifying the boundary router

The Speedy IP Trace back (SIPT) method finds the boundary router (the router connected directly to the client).

Once we know the boundary router and the attacker's media access control (MAC) address, we can identify the attacker and find the attack path.

Page 7: Boundary router; Media Access Control Address (MAC)

Boundary router:

A router that connects the internet to a company's intranet (a private computer network that uses IP technologies to secure any part of an organization's information).

Media Access Control Address (MAC):

A MAC address is a unique identifier assigned to network interfaces for communication on the physical network segment.

Page 8: SIPT for identifying the boundary router (continued)

With SIPT, each router determines whether a packet came directly from a client; if it did, the router inserts a data link connection identifier for the source (the client) and the IP address of its own incoming interface. With this additional source link address information in the packet, the destination can identify the attacker's boundary router.

Page 9: Existing Mechanisms

1) Ingress filtering
2) Link testing
3) Packet marking

Page 10: Ingress Filtering

The ingress filtering approach configures routers to block packets that arrive with illegitimate source addresses. This requires a router with enough processing power to examine the source address of every packet, and sufficient knowledge to distinguish between legitimate and illegitimate addresses.

Page 11: Link Testing

Administrators use two different types of link tests: input debugging and controlled flooding.

Input Debugging: With this test, administrators capture and record specific details on IP packets that traverse networks.

Once administrators know that an attack is in progress, they must find a unique characteristic common across attack packets. This is called the attack signature, which is used to differentiate attack traffic and determine the inbound interface.

Page 12: Controlled Flooding

This involves sending large bursts of traffic link by link upstream and monitoring the impact on the rate of received attacking packets. While an attack is in progress, an administrator can run extended pings across each upstream link to see which has an effect on the attacking traffic.

Once the administrator finds this link on the router closest to the victim, the process is repeated with the next router upstream.

Page 13: Packet marking

Page 14: How SIPT Works

The router plays a vital role in SIPT.

The router inserts the client's data link identifier and its own IP address into the packet's IP header using one of several available packet-marking techniques.

Page 15: How SIPT Works (continued)

Every packet that the server receives is therefore marked with the MAC address of the machine that sent it and the IP address of the router that machine is connected to.

The marking must be done at the first router because it alone knows the client's MAC address: beyond that hop, the attacker's source MAC address is lost, since the MAC header is replaced at each hop.

Page 16: How SIPT Works (continued)

The server retrieves the IP address of the router the attacker is directly connected to and the attacker's MAC address. With just these two pieces of information, the system can identify the attacker.
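A small simulation of the marking and look-up described on pages 8 and 14 to 16, added here as an illustration; it is not code from the paper or this deck. The Packet, Router, forward, identify_attacker and simulate names, the mark field and every address are assumptions (constructed sample values in documentation ranges).

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample topology: the MAC and IP values are illustrative only.

@dataclass
class Packet:
    src_mac: str                 # data-link source: rewritten at every hop
    src_ip: str                  # IP-layer source: may be spoofed by the attacker
    dst_ip: str
    mark: Optional[dict] = None  # SIPT mark carried in the IP header (hypothetical field)

@dataclass
class Router:
    ingress_ip: str    # IP address of the interface the packet arrives on
    egress_mac: str    # MAC the router writes as source when it re-frames the packet
    sipt: bool         # whether this router implements SIPT marking

    def forward(self, pkt: Packet, from_client: bool) -> Packet:
        # Only the boundary router (first hop) still sees the client's MAC,
        # so it alone can record it; later hops leave an existing mark alone.
        if self.sipt and from_client and pkt.mark is None:
            pkt.mark = {"client_mac": pkt.src_mac, "router_ip": self.ingress_ip}
        # Every hop replaces the MAC header, which is why the mark must be
        # written at the first router.
        pkt.src_mac = self.egress_mac
        return pkt

def identify_attacker(pkt: Packet) -> Optional[Tuple[str, str]]:
    """Server side: return (boundary router IP, attacker MAC) from the mark,
    or None if no SIPT-capable boundary router marked the packet."""
    if pkt.mark is None:
        return None
    return pkt.mark["router_ip"], pkt.mark["client_mac"]

def simulate(boundary_runs_sipt: bool) -> Optional[Tuple[str, str]]:
    """Send one packet from the attacker through three routers to the server."""
    pkt = Packet(src_mac="aa:bb:cc:00:00:01",   # attacker's real NIC address
                 src_ip="203.0.113.99",         # spoofed source IP
                 dst_ip="198.51.100.10")        # victim server
    path = [Router("192.0.2.1", "02:00:00:00:00:01", boundary_runs_sipt),
            Router("192.0.2.2", "02:00:00:00:00:02", True),
            Router("192.0.2.3", "02:00:00:00:00:03", True)]
    for hop, router in enumerate(path):
        pkt = router.forward(pkt, from_client=(hop == 0))
    return identify_attacker(pkt)

if __name__ == "__main__":
    print(simulate(True))   # ('192.0.2.1', 'aa:bb:cc:00:00:01')
    print(simulate(False))  # None: boundary router not SIPT-capable, so no mark
```

The second run shows the incremental-deployment caveat from the conclusion: when the attacker's boundary router does not run SIPT, downstream routers cannot recover the MAC and the server gets no mark.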

Page 17: Conclusion

Since the method is backward compatible and supports incremental deployment, the probability of finding an attacker increases with the percentage of routers that deploy it.

The SIPT approach is not a hop-by-hop trace back. Instead, it directly finds the boundary router connected to the attacker.

Page 18: References

1. S. Specht and R. Lee, "Distributed Denial of Service: Taxonomies of Attacks, Tools, and Countermeasures."
2. P. Ferguson and D. Senie, "Network Ingress Filtering."
3. S. Savage et al., "Network Support for IP Trace back."
4. C. Gong and K. Sarac, "IP Trace back with Packet Marking and Logging."

Page 19: Thank you…