The International Arab Journal of Information Technology (IAJIT)


STF-DM: A Sparsely Tagged Fragmentation with Dynamic Marking an IP Traceback Approach

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are serious threats to the Internet. The frequency of DoS and DDoS attacks is increasing day by day. Automated tools are also available that enable non-technical people to implement such attacks easily. Hence, it is not only important to prevent such attacks, but also need to trace back the attackers. Tracing back the sources of the attacks, which is known as an IP traceback problem is a hard problem because of the stateless nature of the Internet and spoofed Internet Protocol (IP) packets.Various approaches have been proposed for IP traceback. Probabilistic Packet Marking (PPM) approach incurs the minimum network and management overhead. Hence, we focus on PPM approach. Sparsely-Tagged Fragmentation Marking Scheme (S-TFMS), a PPM based approach, requires low overhead at the victim and achieve zero false-positives. However, it requires a large number of packets to recover the IP addresses. In this paper, we propose a Sparsely-Tagged Fragmentation Marking approach with dynamic marking probability. Our approach requires less number of packets than required by S-TFMS. Further, to reduce the number of packets required by victim, we extend our basic approach with the new marking format. Our extended approach requires less than one-tenth time number of packets than those in S-TFMS approach to recover the IP addresses. Our approaches recover the IP address quickly with zero false-positives in the presence of multiple attackers. We show mathematical as well as experimental analysis of our approaches.

[1] Belenky A. and Ansari N., IP Traceback with Deterministic Packet Marking, IEEE Communications Letters, vol. 7, no. 4, pp. 162- 164, 2003.

[2] Belenky A. and Ansari N., On Deterministic Packet Marking, Computer Networks, vol. 51, no. 10, pp. 2677-2700, 2007.

[3] Bellovin M., Leech M., and Taylor T., ICMP traceback messages, Available:, Last Visited, 2003.

[4] Burch H. and Cheswick B., Tracing Anonymous Packets to Their Approximate Source, in Proceedings of the 14th USENIX Conference on System Administration, New Orleans, pp. 319- 327, 2000.

[5] Criscuolo P., Distributed Denial of Service: Trinoo, Tribe Flood Network, Tribe Flood Network 2000, and Stacheldraht, Lawrence Livermore National Laboratory, 2000.

[6] Ferguson P., Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing, RFC-2827, 2000.

[7] Gong C. and Sarac K., Toward a More Practical Marking Scheme for IP Traceback, in Proceedings of 3rd International Conference on Broadband Communications, Networks and Systems, San Jose, pp. 1-10, 2006.

[8] Goodrich M., Efficient Packet Marking for Large-Scale IP Traceback, in Proceedings of the 9th ACM Conference on Computer and Communications Security, New York, pp. 117- 126, 2002.

[9] Iwamoto K., Soshi M., and Satoh T., An Efficient and Adaptive IP Traceback Scheme, in Proceedings of IEEE 7th International Conference on Service-Oriented Computing and Applications, Matsue, pp. 235-240, 2014.

[10] Kim K., Hwang, J., Kim B., and Kim S., Tagged Fragment Marking Scheme with Distance- Weighted Sampling for a Fast IP Traceback, in Proceedings of Web Technologies and Applications, Xi an, pp. 442-452, 2003.

[11] Kim K., Kim J., and Hwang J., IP Traceback with Sparsely-Tagged Fragment Marking Scheme under Massively Multiple Attack Paths, Cluster Computing, vol. 16, no. 2, pp. 229-239, 2013.

[12] Korkmaz T., Gong C., Sarac K., and Dykes S., Single Packet IP Traceback in AS-Level Partial Deployment Scenario, International Journal of Security and Networks, vol. 2, no. 1, pp. 95-108, 2007.

[13] Liu J., Lee Z., and Chung Y., Dynamic Probabilistic Packet Marking for Efficient IP Traceback, Computer Networks, vol. 51, no. 3, pp. 866-882, 2007.

[14] Lu N., Wang Y., Su S., and Yang F., A Novel Path Based Approach for Single Packet IP Traceback, Security and Communication Networks, vol. 7, no. 2, pp. 309-321, 2014.

[15] Medina A., Lakhina A., Matta I., and Byers J., BRITE: An Approach to Universal Topology Generation, in Proceedings of 9th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems, Cincinnati, pp. 346-353, 2001.

[16] Paruchuri V., Durresi A., and Chellappan S., TTL based Packet Marking for IP Traceback, in Proceedings of IEEE GLOBECOM Global Telecommunications Conference, New Orleans, pp. 1-5, 2008.

[17] Sachdeva M., Singh G., Kumar K., and Singh K., DDoS Incidents and Their Impact: A Review, The International Arab Journal of Information Technology, vol. 7, no. 1, pp. 14-20, 2010.

[18] Sattari P., Gjoka M., and Markopoulou A., A Network Coding Approach to IP Traceback, in Proceedings of IEEE International Symposium on Network Coding, Toronto, pp. 1-6, 2010.

[19] Saurabh S. and Sairam A., ICMP Based IP Traceback with Negligible Overhead for Highly Distributed Reflector Attack using Bloom Filters, Computer Communications, vol. 42, pp. 60-69, 2014.

[20] Savage S., Wetherall D., Karlin A., and Anderson T., Practical Network Support for IP Traceback, in Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, Stockholm, pp. 295-306, 2000.

[21] Snoeren A., Partridge C., Sanchez L., Jones C., Tchakountio F., Schwartz B., and Strayer W., Single-Packet IP Traceback, IEEE/ACM Transactions on Networking, vol. 10, no. 6, pp. 721-734, 2002.

[22] Song D. and Perrig A., Advanced and Authenticated Marking Schemes for IP Traceback, in Proceedings of INFOCOM, 20th Annual Joint Conference of the IEEE Computer and Communications Societies, Anchorage, pp. 878-886, 2001.

[23] Stone R., CenterTrack: An IP Overlay Network for Tracking DoS Floods, In USENIX Security Symposium, vol. 21, pp. 114, 2000.

[24] Tian H., Bi J., and Jiang X., An Adaptive Probabilistic Marking Scheme for Fast and 728 The International Arab Journal of Information Technology, Vol. 15, No. 4, July 2018 Secure Traceback, Networking Science, vol. 2, no. 1-2, pp. 42-51, 2013.

[25] Yaar A., Perrig A., and Song D., FIT: Fast Internet Traceback, in Proceedings of INFOCOM, 24th Annual Joint Conference of the IEEE Computer and Communications Societies, Miami, pp. 1395-1406, 2005.

[26] Yan D., Wang Y., Su S., and Yang F., A Precise and Practical IP Traceback Technique Based on Packet Marking and Logging, Journal of Information Science and Engineering, vol. 28, no. 3, pp. 453-470, 2012.

[27] Yang M. and Yang M., RIHT: a Novel Hybrid IP Traceback Scheme, IEEE Transactions on Information Forensics and Security, vol. 7, no. 2, pp. 789-797, 2012.

[28] Yang M., Storage-Efficient 16-Bit Hybrid IP Traceback with Single Packet, The Scientific World Journal, vol. 2014, pp. 1-14, 2014. Devesh Jinwala has been working as a Professor in Computer Engineering at the Department of Computer Engineering, S V National Institute of Technology, Surat, India since 1991. His principal research areas of interest are broadly Security, Cryptography, Algorithms and Software Engineering. Specifically his work focuses on Security and Privacy Issues in Resource-constrained environments (Wireless Sensor Networks) and in Data Mining, Attribute-based Encryption techniques, Requirements Specification, and Ontologies in Software Engineering. He has been/is the principal Investigator of several sponsored research projects funded by ISRO, GUJCOST, Govt of Gujarat and DiETY-MCIT-Govt of India. Hasmukh Patel has been working as an Assistant Professor in Computer Engineering Department at Gujarat Power Engineering and Research Institute, Mewad (India). His major areas of interests are security protocols verification and Network Security.