Improved Single Packet Traceback Scheme with Bloom Filters

Luo, Jia-Ning; Yang, Ming‐Ta

doi:10.1007/978-3-030-00410-1_21

Cited by 1 publication

(1 citation statement)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To resolve the complication whereby these devices process only the link-layer packet header, link-layer tracing technology was employed in this study. TAP was used for packet mirroring for the switch, and the packet log table, and the bloom filter was used to record the port of the switch from which the packet had entered to traceback the packet source in the link layer [44][46] [47]. To efficiently identify the movement path of attack packets traversing the entire Internet and entering the LAN, the researchers proposed a packet traceback that integrates the network layer and link layer to trace the attacker device sending attack packets.…”

Section: A Marking and Logging Mechanismsmentioning

confidence: 99%

Hybrid Multilayer Network Traceback to the Real Sources of Attack Devices

et al. 2020

Self Cite

View full text Add to dashboard Cite

In recent years, multiple connected devices and diversified network services have made the Internet an indispensable part of people's daily lives. As a result, copious valuable or personal data are stored online, attracting many malicious attackers and causing serious security threats. However, because attackers can conceal their actual attack locations by spoofing IP addresses, law enforcement cannot easily track them. Therefore, a method to trace stealth attacks is required. However, the traceback methods detailed in other studies all possess disadvantages. For example, they can only trace the attacker's edge router and cannot traceback to the actual device that launched the attack. In an environment where the core network includes a switch, several current IP traceback methods cannot correctly traceback the true attacker. Conventional IP traceback methods that traceback only attackers on the network layer and cannot infer the path information of a packet traversing the switch. This paper proposes a method to simultaneously traceback attack sources at the network layer and the data link layer. Using the method proposed in this paper, only a single packet is required to traceback the source of a stealth attack. Even if the core network contains a switch or if multiple attackers launch attacks from different locations, the method can correctly traceback the true devices responsible for the attacks, and its achievements include a zero false negative rate and a low false positive rate.

show abstract

Section: A Marking and Logging Mechanismsmentioning

confidence: 99%