On Evaluating IP Traceback Schemes: A Practical Perspective

In this paper, we outline the recent efforts of our research in defense against Distributed Denial of Service (DDoS) attacks. In particular, we present a novel approach to IP traceback, namely Unique Flow Marking (UFM), and we evaluate UFM against other marking schemes. Our results show that the UFM can reduce the number of marked packets compared to the other marking schemes, while achieving a better performance in terms of its ability to trace back the attack.

show abstract

“…UFM is developed based on our previous proposal, DFM [1]- [3]. DFM marks every flow, instead of every packet.…”

Section: Unique Flow Marking Ufmmentioning

confidence: 99%

Investigating unique flow marking for tracing back DDoS attacks

Aghaei-Foroushani

Zincir-Heywood

2015

2015 IFIP/IEEE International Symposium on Integrated Network Management (IM)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Proposed by Vahid Aghaei-Foroushani et al [12], DFM is an improved scheme of DPM. Like DPM, the marking process of DFM is carried out at edge routers for ingress traffic.…”

Section: B Deterministic Flow Marking (Dfm) Techniquementioning

confidence: 99%

“…TABLE I. shows the required numbef of packets K for a successfully-marked flow depending on the usage of the fields in IP header for marking. Marking just only K first packets in each flow, in comparison to DPM, the number of marked packets decreases by as much as nearly 90% [12]. Therefore, the computational overhead of marking at edge routers is also reduced.…”

Section: B Deterministic Flow Marking (Dfm) Techniquementioning

confidence: 99%

An enhanced Deterministic Flow Marking technique to efficiently support detection of network spoofing attacks

Tuyen

Hương

Hung

et al. 2014

2014 International Conference on Advanced Technologies for Communications (ATC 2014)

View full text Add to dashboard Cite

Abstract-In order to detect and prevent DoS/DDoS attacks that exploit IP address spoofing, the IP traceback technique has been introduced and developed with variety of methods including packet marking. By means of inserting marking information on the travel path into rarely used fields in the header of IP packets, the destination host can trace back the original-source location of received packets, which is useful for supporting detection of attacks. Many schemes of packet marking IP traceback have been proposed, but still have nevertheless some drawbacks such as low traceback rate, heavy computational overhead due to high-required number of marked packets and marking size. In this paper, we proposed PLA DFM, a novel efficient enhanced solution of Deterministic Flow Marking based on adaptation with real traffic characteristics. The analytic result shows that the proposed solution provides a far higher successful mark rate, lower computational overhead compared to the original scheme and other marking techniques with unnoticeable increased traffic size.

show abstract

“…DFM is a deterministic approach, which marks every flow (in contrast with making every packet) and performs on the edge router near the source of traffic. We have shown that using DFM may reduce as many as 90% of marked packets on average required for tracing attacks with no false positives, while it eliminates the spoofed marking embedded by the attacker as well as compromised routers in the attack path in [27].…”

Section: Literature Review On Ip Tracebackmentioning

confidence: 99%

“…So we cannot compare the performance of the PPM directly with the DPM and DFM under the same conditions on the same network. Thus, we only compared the performance of DFM and DPM under the same conditions and on the same network platform [27]. Figure 7 is a schematic illustration of both DPM and DFM approaches, and is a comparison between two methods.…”

Section: Practical Comparison Of Dfm and Dpmmentioning

confidence: 99%

IP traceback through (authenticated) deterministic flow marking: an empirical evaluation

Aghaei-Foroushani

Zincir-Heywood

2013

EURASIP J. on Info. Security

Self Cite

View full text Add to dashboard Cite

In this paper, we present a novel approach to IP traceback -deterministic flow marking (DFM). We evaluate this novel approach against two well-known IP traceback schemes. These are the probabilistic packet marking (PPM) and the deterministic packet marking (DPM) techniques. In order to do so, we analyzed these techniques in detail in terms of their performances and feasibilities on five Internet traces. These traces consist of Darpa 1999 traffic traces, CAIDA October 2012 traffic traces, MAWI December 2012 traffic traces, and Dal2010 traffic traces. We have employed 16 performance metrics to evaluate their performances. The empirical results show that the novel DFM technique can reduce the number of marked packets by 91% compared to the DPM, while achieving the same or better performance in terms of its ability to trace back the attack. Additionally, DFM provides an optional authentication so that a compromised router cannot forge markings of other uncompromised routers. Unlike PPM and DPM that trace the attack up to the ingress interface of the edge router close to the attacker, DFM allows the victim to trace the origin of incorrect or spoofed source addresses up to the attacker node, even if the attack has been originated from a network behind a network address translation (NAT) server. Our results show that DFM can reach up to approximately 99% traceback rate with no false positives.

show abstract

On Evaluating IP Traceback Schemes: A Practical Perspective

Cited by 13 publications

References 24 publications

Investigating unique flow marking for tracing back DDoS attacks

Investigating unique flow marking for tracing back DDoS attacks

An enhanced Deterministic Flow Marking technique to efficiently support detection of network spoofing attacks

IP traceback through (authenticated) deterministic flow marking: an empirical evaluation

Contact Info

Product

Resources

About