Denial-of-service (DoS) and distributed denial-of-service (DDoS) are two of the most severe attacks against computer networks, especially the Internet. Despite its destructive effect, planning these attacks is a feasible task. Given that most attackers usually spoof the source address in packet headers, countermeasures can be based on two steps. First of all, some information from the attack space of the offender must be gathered. Fortunately, packets that reach a victim carry important data that can be acquired by means of a data collection process. One possibility is to use the probabilistic packet marking (PPM) approach for data acquisition. Once this is achieved, the next step consists of reconstructing the attack path, which can be carried out by several methods available in the literature. However, none of them provides a precise solution. In this paper, a new theoretical tracking model for the identifi cation of DoS attackers is presented. The model unites the PPM approach and the concept of winding number, derived from the well-known Cauchy's integral theorem. The winding number is a hydraulic analogy of the amount of attacking packets growing from a router. A suitable transformation allows seeing the packet traffi c, in the attack environment, as a fl uid fl ux in the space of complex variables. The method of solving the tracking problem and identifying the sources of attack presents an additional motivation: the use of continuous techniques when approaching a problem that occurs in a discrete environment. Such association will contribute to the development of further solutions possibly more robust than the one dealt with here. This paper shows that the new model can correctly identify the IP address of the router from which the attack comes by using an integral equation derived from the winding number expression. A1 A2 A3 R5 R6 R7 R3 R4 R2 R1 V Figure 1. Topology of the DoS attack environment AN INNOVATIVE APPROACH TO IDENTIFY THE IP ADDRESS IN DoS ATTACKS 341The goal of the injective function Φ is to associate each router R k , of set A, to a complex number of the form z k = x k + i.y k , in U. The elements that constitute the real, R (z k ) = x k , and imaginary, S (z k ) = y k , parts of the complex number z k correspond to Cartesian coordinates. These coordinates can be obtained, for instance, by means of instruments that detect the geographic global positioning (e.g., GPS receptors).On the other hand, once each point in the virtual space corresponds to a router that is represented by an IP address, the injective function Φ : A → U determines actually the (univocal) association of a pair of Cartesian coordinates. In order to fi nd a practical meaning for such an association, it is necessary to represent the injective function Φ by means of some mathematical expression. In the next section, an expression for Φ is presented, among others that could be considered for this task.
DEFINITION OF THE FUNCTION Φ342 M. M. VIANA ET AL.a modifi cation on the protocol. Moreover, care must be taken regarding spoo...
