Overview of IP traceback mechanism and their applicability

1. Overview of Traceback Mechanism a
nd Their Applicability
IEICE Transactions on Information and Systems, Volume E94.D, Issue 11, pp. 2077-2086
(2011)
Heung-Youl Youm
Ibnu Mubarok – 2012.04.09

2. Introduction
• Goal of the paper
– overview.
– base understanding of existing traceback mechanism
• IP Traceback
• Taxonomy
• Existing traceback mechanism
• Comparison
• Conclusion

3. IP Traceback
• Locate the origin of a packet.
• It’s complicated since IP address can be forged or
spoofed.
• IP Traceback used only for identification of the sources
of the offending packets during and after the attack.
• Mainly used to trace the DDoS, where the packet
(attacker) came from.
• In general, IP traceback is not limited only to DoS and
DDoS attacks.

4. Taxonomy
• Taxonomy of traceback in Autonomous System
– Intra-AS
– Inter-AS
• Capabilities of traceback
mechanism
• Currently there are proposed
standards being reviewed
in ITU-T

5. Controlled Flooding
• Generating a burst of network traffic from the victim’s
network to the upstream network segments.
• Observe the effect of this flooding.
• Flooding a link will cause all packets, including packets
from the attacker, to be dropped with the same
probability.
• if a given link were flooded, and packets from the
attacker slowed, then this link must be part of the
attack path.
• Do this recursively to upstream routers until the
attack path is discovered.
• Only valid for DoS attacks

6. Controlled Flooding

7. Input Debugging
• Link-testing mechanism
• Already exist on many routers
• Router aware of common characteristic of the attack
packet (signature)
• Repeated hop-by-hop at every upstream router in
network until the source or another ISP is reached

8. Overlay Network – (Center Track)
• Forwards packets to a certain network point where
they are monitored in the network
• The tracking router (TR) monitors all traffic that
passes through the network.

9. Probabilistic Packet Marking
• Routers mark packets that pass through them with their
addresses, a part of their addresses or edge (marking)
• Those modified packets are analyzed at the victim node
for path reconstruction.
• This scheme is aimed primarily at DoS and DDoS attack
as it needs many attack packets to reconstruct the full
path.
• It use 16-bit identification field in IP header to store
router’s address.
• Not every packet, but some packet with certain
probability (ex 1/25)

10. Probabilistic Packet Marking

11. Deterministic Packet Marking
• Only the ingress router on the attack path marks
every packet passing through it with its router
IP address.

12. Packet Messaging - ICMP Traceback (iTrace)
• Every router on the network is pick a packet
probabilistically and generate an ICMP traceback
message directed to the same destination as the
selected packet.
• The iTrace message consists of the next and previous
hop information, and a timestamp
• TTL field is set to 255, and is then used to identify the
actual path of the attack

13. Packet Messaging - ICMP Traceback

14. Packet Logging – (hash based)
• Packet Logging  Each router logs information
(signature) of all IP packets that traverse through it 
Enormous amount of storage space
• Stores 20 byte IPv4 header + 8 byte payload =
28 byte packet information
• Using hash followed by Bloom filtering process 
reduced size + provide privacy against eavesdropping
• Every router captures partial packet information of every
packet that passes through the route, to be able in the
future to determine if that packet passed through it.
• Three function in SPIE :
• STM
• SCAR
• DGA

15. Hybrid Traceback
• Combines the some traceback technique
• Packet Marking + Packet Logging
• Partially record network path information at routers
and in packets.
• DLL ( Distributed Link-List ) : store, mark, forward
• Fixed size marking field is allocated in each packet.

16. Evaluation Criteria
• Degree of ISP involvement
• Number of packets required for traceback
• Memory requirement
• Processing overhead for traceback
• Degree of bandwidth increase
• Ability to handles massive DDoS attacks
• Misuse by attacker
• Knowledge of network topology
• Robustness of traceback
• Effect of partial deployment
• Scalability
• Number of functions needed to implement traceback
• Capability to trace transformed packets

17. Comparison of IP Traceback Mechanism

18. Application of Traceback Mechanism

19. Conclusion
• Practical way to track the massive DDoS is to use a
Traceback technique.
• For the problem of IP traceback, several solutions
have been proposed. Each has its own advantages
and disadvantages. No ideal scheme.
• Current technology has good Intrusion detection and
prevention systems for protect system. Do we really
need a ‘location’ of the attacker too? Is it only for Law
enforcement and military people this traceback thing?