2. Denial-of-service (DoS) is a type of network attack in which an
attacker prevents legitimate users from accessing email, web sites,
online accounts (banking, etc.).
Unfortunately, mechanisms for dealing with DoS attacks haven't
advanced at the same pace as the attacks themselves.
This paper presents a new method for identifying the source of
denial-of-service attacks that uses the attacker's media access
control (MAC) address for identification and trace back.
4. In a denial-of-service (DoS) attack, an attacker attempts to
prevent legitimate users from accessing information or services by
targeting their computers and network connections, or the computers
and networks of the sites they are trying to use.
E.g., flooding the network with traffic.
5. In a distributed denial-of-service (DDoS) attack, an attacker
uses other users' computers to attack another computer. By exploiting
security vulnerabilities or weaknesses, an attacker can take control
of other computers and use them to send huge amounts of data to a
web site or spam to particular email addresses.
6. The Speedy IP Trace back (SIPT) method finds the boundary router
(the router connected directly to the client).
Once we know the boundary router and the attacker's media access
control (MAC) address, we can identify the attacker and find the
attack path.
7. Boundary router:
A router that connects the internet to a company's intranet (a
private computer network that uses IP technologies to securely share
any part of an organization's information).
Media Access Control address (MAC):
A unique identifier assigned to a network interface for
communication on the physical network segment. It is normally set by
the manufacturer but can be changed in software, so it identifies an
interface rather than a person.
8. With SIPT, each router determines whether a packet came directly
from a client; if it did, the router inserts a data link connection
identifier for the source (the client) and the IP address of its own
incoming interface.
With this additional source link-address information in the packet,
the destination can identify the attacker's boundary router.
10. The ingress filtering approach configures routers to block
packets that arrive with illegitimate source addresses. This requires
a router with enough power to examine the source address of every
packet, and sufficient knowledge to distinguish between legitimate
and illegitimate addresses (in practice, the address prefixes
assigned to each inbound interface).
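The check described above, as an added example (not code from the original slides or from the SIPT paper): a router keeps a table of which source prefixes are legitimate on each inbound interface and drops anything else. The interface names, prefixes and sample packets are constructed for illustration; the `default_allow` flag contrasts the weak setting (forward traffic from an interface the table does not know) with the corrected one (drop it).

```python
import ipaddress
from collections import namedtuple

# Constructed assumption: the border router's interface-to-prefix table,
# using documentation address ranges. Not taken from the original slides.
INTERFACE_PREFIXES = {
    "eth0": [ipaddress.ip_network("192.0.2.0/24")],      # customer LAN A
    "eth1": [ipaddress.ip_network("198.51.100.0/24")],   # customer LAN B
}

Packet = namedtuple("Packet", "iface src dst")


def ingress_allowed(pkt, table=INTERFACE_PREFIXES, default_allow=False):
    """Return True if the packet's source address belongs to a prefix
    assigned to the interface it arrived on.

    default_allow=True is the weak setting: packets arriving on an
    interface with no table entry are forwarded unchecked.
    default_allow=False (the corrected setting) drops them.
    """
    prefixes = table.get(pkt.iface)
    if prefixes is None:
        return default_allow
    src = ipaddress.ip_address(pkt.src)
    return any(src in prefix for prefix in prefixes)


def filter_packets(packets, table=INTERFACE_PREFIXES, default_allow=False):
    """Split traffic into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        if ingress_allowed(pkt, table, default_allow):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
    return forwarded, dropped


# Constructed sample traffic arriving at the border router.
SAMPLE = [
    Packet("eth0", "192.0.2.10", "203.0.113.5"),     # legitimate LAN A host
    Packet("eth0", "10.9.9.9", "203.0.113.5"),       # spoofed source on eth0
    Packet("eth1", "198.51.100.7", "203.0.113.5"),   # legitimate LAN B host
    Packet("eth1", "192.0.2.10", "203.0.113.5"),     # LAN A address on the LAN B port
    Packet("eth9", "198.51.100.7", "203.0.113.5"),   # interface with no table entry
]

if __name__ == "__main__":
    for setting in (True, False):
        fwd, drop = filter_packets(SAMPLE, default_allow=setting)
        print(f"default_allow={setting}: forwarded {len(fwd)}, dropped {len(drop)}")
        for pkt in drop:
            print("  dropped", pkt)
```

Note that the filter cannot catch a spoofed address that falls inside the legitimate prefix of the interface it arrives on; it only stops addresses that could not have come from that side of the router.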
11. Administrators use two different types of link tests:
input debugging and
controlled flooding.
Input debugging: With this test, administrators capture and record
specific details of IP packets that traverse their networks.
Once administrators know that an attack is in progress, they must
find a unique characteristic common to the attack packets. This is
called the attack signature; it is used to differentiate attack
traffic from other traffic and determine the inbound interface it
arrives on.
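The input-debugging step above, as an added example (not from the original slides): apply an attack signature to a capture taken at the router nearest the victim and count hits per inbound interface. The capture, interface names and addresses are constructed assumptions. The signature deliberately leaves out the source address, since in a flood it is usually spoofed and changes from packet to packet.

```python
from collections import Counter

# Constructed sample capture: one record per packet, fields are
# inbound interface, source, destination, protocol, length.
CAPTURE = """\
ge-0/0/1 203.0.113.9  192.0.2.80 udp 1400
ge-0/0/2 198.51.100.4 192.0.2.80 tcp 60
ge-0/0/1 203.0.113.22 192.0.2.80 udp 1400
ge-0/0/3 192.0.2.5    192.0.2.80 udp 1400
ge-0/0/1 203.0.113.77 192.0.2.80 udp 1400
ge-0/0/2 198.51.100.9 192.0.2.80 udp 512
ge-0/0/1 203.0.113.9  192.0.2.80 udp 1400
"""

# Assumed attack signature: fixed victim, protocol and packet size;
# the varying (spoofed) source address is not part of it.
ATTACK_SIGNATURE = {"dst": "192.0.2.80", "proto": "udp", "length": 1400}


def parse_capture(text):
    """Parse 'iface src dst proto length' records into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        iface, src, dst, proto, length = line.split()
        rows.append({"iface": iface, "src": src, "dst": dst,
                     "proto": proto, "length": int(length)})
    return rows


def matches_signature(pkt, signature):
    """True if every field named in the signature has the required value."""
    return all(pkt[field] == value for field, value in signature.items())


def inbound_interface(rows, signature):
    """Count signature hits per inbound interface and return
    (interface carrying the most attack traffic, per-interface counts).
    The interface is None when nothing matched."""
    counts = Counter(p["iface"] for p in rows if matches_signature(p, signature))
    if not counts:
        return None, counts
    return counts.most_common(1)[0][0], counts


if __name__ == "__main__":
    iface, counts = inbound_interface(parse_capture(CAPTURE), ATTACK_SIGNATURE)
    print("attack packets per inbound interface:", dict(counts))
    print("repeat the test at the router upstream of", iface)
```

Because the result is an interface on one router, the administrator must repeat the same capture-and-count at the next router upstream, which is the hop-by-hop cost that motivates the SIPT approach.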
12. Controlled flooding: This involves sending large bursts of
traffic link by link upstream and monitoring the impact on the rate
of received attack packets. While an attack is in progress, an
administrator can run extended pings across each upstream link to
see which one affects the attack traffic.
Once the administrator finds this link on the router closest to the
victim, the process is repeated at the next router upstream.
14. The router plays a vital role in SIPT.
The router inserts the client's data link identifier and its own IP
address into the packet's IP header using one of several available
packet-marking techniques.
15. Every packet that the server receives is hence marked with the
MAC address of the machine that sent it and the IP address of the
router that machine is connected to.
The marking must be done at the first router because it alone knows
the client's MAC address: the link-layer (MAC) header is rewritten at
every hop, so the attacker's source MAC address is lost after the
first router.
16. The server retrieves the IP address of
the router the attacker is directly
connected to and the attacker’s MAC
address. The system can identify the
attacker with just these two pieces of
information.
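The marking and lookup described in slides 8, 14, 15 and 16, as an added simulation (not code from the original slides or the SIPT paper). It models a client frame travelling through three routers: the first hop records the client's MAC and its own ingress IP, every hop rewrites the link-layer header, and the server reads the two recorded fields. The slides do not specify how the mark is encoded in the IP header, so it is modelled here as an abstract `mark` field; all MAC and IP addresses, router names and the `Router` fields are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class IPPacket:
    src_ip: str                   # may be spoofed by the attacker
    dst_ip: str
    mark: Optional[dict] = None   # SIPT mark; header encoding not modelled (assumption)


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ip: IPPacket


@dataclass
class Router:
    name: str
    ingress_mac: str      # MAC of the interface the frame arrives on
    ingress_ip: str       # IP of that same interface (what SIPT records)
    egress_mac: str       # source MAC used when the frame is sent onward
    client_facing: bool   # ingress interface is directly connected to end hosts
    sipt_enabled: bool = True

    def forward(self, frame: Frame, next_hop_mac: str) -> Frame:
        ip = frame.ip
        # Only the first hop still sees the client's MAC, so only a
        # client-facing, SIPT-capable router may write the mark, and only once.
        if self.sipt_enabled and self.client_facing and ip.mark is None:
            ip.mark = {"client_mac": frame.src_mac, "router_ip": self.ingress_ip}
        # Every hop rewrites the link-layer header: the original source MAC is gone.
        return Frame(src_mac=self.egress_mac, dst_mac=next_hop_mac, ip=ip)


def deliver(frame: Frame, path, server_mac: str) -> Frame:
    """Carry a frame through the routers in `path`; return what the server receives."""
    for i, router in enumerate(path):
        next_mac = path[i + 1].ingress_mac if i + 1 < len(path) else server_mac
        frame = router.forward(frame, next_mac)
    return frame


def identify_attacker(frame: Frame) -> Optional[Tuple[str, str]]:
    """Server side: (boundary router IP, client MAC), or None if no router marked."""
    m = frame.ip.mark
    return None if m is None else (m["router_ip"], m["client_mac"])


# Constructed addresses for the scenario.
ATTACKER_MAC = "02:00:00:aa:bb:cc"
SERVER_MAC = "02:00:00:ff:ff:01"


def run_scenario(first_hop_sipt: bool = True):
    """Return (source MAC seen by the server, identify_attacker result)."""
    r1 = Router("R1 (boundary)", "02:00:00:01:00:01", "10.0.0.1",
                "02:00:00:01:00:02", client_facing=True, sipt_enabled=first_hop_sipt)
    r2 = Router("R2", "02:00:00:02:00:01", "10.0.1.1", "02:00:00:02:00:02", client_facing=False)
    r3 = Router("R3", "02:00:00:03:00:01", "10.0.2.1", "02:00:00:03:00:02", client_facing=False)
    pkt = IPPacket(src_ip="203.0.113.1", dst_ip="192.0.2.80")  # spoofed source IP
    frame = Frame(src_mac=ATTACKER_MAC, dst_mac=r1.ingress_mac, ip=pkt)
    received = deliver(frame, [r1, r2, r3], SERVER_MAC)
    return received.src_mac, identify_attacker(received)


if __name__ == "__main__":
    for enabled in (True, False):
        seen_mac, ident = run_scenario(enabled)
        print(f"boundary router SIPT={enabled}: server sees src MAC {seen_mac}, "
              f"identified={ident}")
```

The first run shows why the server cannot use the frame it receives on its own: the source MAC belongs to the last router, not the attacker, and the source IP is spoofed; only the mark written at R1 yields the boundary router and the attacker's MAC. The second run, with SIPT disabled at the boundary router, returns nothing, which is the incremental-deployment limit slide 17 describes.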
17. Since our method is backward compatible and supports incremental
deployment, the probability of finding an attacker increases with the
percentage of routers that implement it.
The SIPT approach does not perform a hop-by-hop trace back. Instead,
it directly finds the boundary router connected to the attacker.