Article

Tracing Anonymous Packets to Their Approximate Source

Author:

LISA '00: Proceedings of the 14th USENIX conference on System administration

Pages 319 - 328

Published: 08 December 2000 Publication History

Abstract

Most denial-of-service attacks are characterized by a flood of packets with random, apparently valid source addresses. These addresses are spoofed, created by a malicious program running on an unknown host, and carried by packets that bear no clues that could be used to determine their originating host. Identifying the source of such an attack requires tracing the packets back to the source hop by hop. Current approaches for tracing these attacks require the tedious continued attention and cooperation of each intermediate Internet Service Provider (ISP). This is not always easy given the world-wide scope of the Internet.We outline a technique for tracing spoofed packets back to their actual source host without relying on the cooperation of intervening ISPs. First, we map the paths from the victim to all possible networks. Next, we locate sources of network load, usually hosts or networks offering the UDP chargen service [5]. Finally, we work back through the tree, loading lines or router, observing changes in the rate of invading packets. These observations often allow us to eliminate all but a handful of networks that could be the source of the attacking packet stream. Our technique assumes that routes are largely symmetric, can be discovered, are fairly consistent, and the attacking packet stream arrives from a single source network.We have run some simple and single-blind tests on Lucent's intranet, where our technique usually works, with better chances during busier network time periods; in several tests, we were able to determine the specific network containing the attacker.An attacker who is aware of our technique can easily thwart it, either by covering his traces on the attacking host, initiating a "whack-a-mole" attack from several sources, or using many sources.

References

[1]

Cheswick, B., Burch, H., and Branigan, S., "Mapping and Visualizing the Internet", to appear in Proceedings of USENIX Annual Technical Conference 2000.]]

Digital Library

Google Scholar

[2]

Postel, J., "RFC 791: Internet Protocol," The Internet Society, Sept 1981.]]

Google Scholar

[3]

Postel, J., "RFC 768: User Datagram Protocol," The Internet Society, Aug 1980.]]

Digital Library

Google Scholar

[4]

Postel, J., "RFC 792: Internet Control Message Protocol," The Internet Society, Sept 1981.]]

Digital Library

Google Scholar

[5]

Postel, J., "RFC 864: Character Generator Protocol," The Internet Society, May 1983.]]

Digital Library

Google Scholar

[6]

Govindan, R. and Tangmunarunkit, H., "Heuristics for Internet Map Discovery," Technical Report 99-717, Computer Science Department, University of Southern California.]]

Crossref

Google Scholar

[7]

Claffy, K. "Internet measurement and data analysis: topology, workload, performance and routing statistics," NAE '99 workshop]]

Google Scholar

[8]

CERT, "smurf IP Denial-of-Service Attacks," CERT advisory CA-98.01, Jan, 1998.]]

Google Scholar

[9]

CERT, "Results of the Distributed-Systems Intruder Tools Workshop", The CERT Coordination Center, Dec, 1999.]]

Google Scholar

[10]

Ferguson, P. and Senie, D. "RFC 2267: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing," The Internet Society, Jan, 1998.]]

Digital Library

Google Scholar

[11]

CERT, "TCP SYN Flooding and IP Spoofing Attacks," CERT Advisory CA-96.21, Sept, 1996.]]

Google Scholar

[12]

CERT, "IP Spoofing Attacks and Hijacked Terminal Connections," CERT Advisory CA-95.01, Jan, 1995.]]

Google Scholar

Cited By

View all

Wang RWang ZWang DLiu Y(2021)In-band Network Telemetry Based Fine-Grained Traceability Against IP Address Spooling AttackProceedings of the 2021 ACM International Conference on Intelligent Computing and its Emerging Applications10.1145/3491396.3506531(229-233)Online publication date: 28-Dec-2021
https://dl.acm.org/doi/10.1145/3491396.3506531
Nur ATozal M(2018)Record route IP tracebackComputers and Security10.1016/j.cose.2017.08.01272:C(13-25)Online publication date: 1-Jan-2018
https://dl.acm.org/doi/10.1016/j.cose.2017.08.012
Patil RDevane SShekhawat RGaur MElci AVaidya JMakarevich OPoet ROrgun MDhaka VBohra MSingh VBabenko LSheykhkanloo NRahnama B(2017)Unmasking of source identity, a step beyond in cyber forensicProceedings of the 10th International Conference on Security of Information and Networks10.1145/3136825.3136870(157-164)Online publication date: 13-Oct-2017
https://dl.acm.org/doi/10.1145/3136825.3136870
Show More Cited By

Tracing Anonymous Packets to Their Approximate Source
1. Networks
  1. Network services
2. Social and professional topics
  1. Computing / technology policy

Recommendations

Tracing the true source of an IPv6 datagram using policy based management system
APNOMS'06: Proceedings of the 9th Asia-Pacific international conference on Network Operations and Management: management of Convergence Networks and Services

In any (D)DoS attack, invaders may use incorrect or spoofed IP addresses in the attacking packets and thus disguise the factual origin of the attacks. Due to the stateless nature of the internet, it is an intricate problem to determine the source of ...
RFC 6791: Stateless Source Address Mapping for ICMPv6 Packets
RFC 5562: Adding Explicit Congestion Notification (ECN) Capability to TCP's SYN/ACK Packets

Comments

Information & Contributors

Information

Published In

LISA '00: Proceedings of the 14th USENIX conference on System administration

December 2000

379 pages

Publisher

USENIX Association

United States

Publication History

Published: 08 December 2000

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

67
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 25 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Wang RWang ZWang DLiu Y(2021)In-band Network Telemetry Based Fine-Grained Traceability Against IP Address Spooling AttackProceedings of the 2021 ACM International Conference on Intelligent Computing and its Emerging Applications10.1145/3491396.3506531(229-233)Online publication date: 28-Dec-2021
https://dl.acm.org/doi/10.1145/3491396.3506531
Nur ATozal M(2018)Record route IP tracebackComputers and Security10.1016/j.cose.2017.08.01272:C(13-25)Online publication date: 1-Jan-2018
https://dl.acm.org/doi/10.1016/j.cose.2017.08.012
Patil RDevane SShekhawat RGaur MElci AVaidya JMakarevich OPoet ROrgun MDhaka VBohra MSingh VBabenko LSheykhkanloo NRahnama B(2017)Unmasking of source identity, a step beyond in cyber forensicProceedings of the 10th International Conference on Security of Information and Networks10.1145/3136825.3136870(157-164)Online publication date: 13-Oct-2017
https://dl.acm.org/doi/10.1145/3136825.3136870
Savola RSavolainen PSalonen JBahsoon RWeinreich R(2016)Towards security metrics-supported IP tracebackProccedings of the 10th European Conference on Software Architecture Workshops10.1145/2993412.2993416(1-5)Online publication date: 28-Nov-2016
https://dl.acm.org/doi/10.1145/2993412.2993416
Sairam ARoy SSahay R(2015)Coloring networks for attacker identification and responseSecurity and Communication Networks10.1002/sec.10228:5(751-768)Online publication date: 25-Mar-2015
https://dl.acm.org/doi/10.1002/sec.1022
Varadharajan VTupakula U(2015)Securing wireless mobile nodes from distributed denial-of-service attacksConcurrency and Computation: Practice & Experience10.1002/cpe.335327:15(3794-3815)Online publication date: 1-Oct-2015
https://dl.acm.org/doi/10.1002/cpe.3353
Saurabh SRoy SSairam A(2014)Extended deterministic edge router markingInternational Journal of Communication Networks and Distributed Systems10.5555/2661487.266149013:2(169-186)Online publication date: 1-Jul-2014
https://dl.acm.org/doi/10.5555/2661487.2661490
Fallah MKahani N(2014)TDPFSecurity and Communication Networks10.1002/sec.7257:2(245-264)Online publication date: 1-Feb-2014
https://dl.acm.org/doi/10.1002/sec.725
Garcia-Jimenez SMagaña EMorato DIzal MCano JPazzi RMammeri A(2013)Alias resolution techniquesProceedings of the 8th ACM workshop on Performance monitoring and measurement of heterogeneous wireless and wired networks10.1145/2512840.2512842(5-12)Online publication date: 3-Nov-2013
https://dl.acm.org/doi/10.1145/2512840.2512842
Parvin SHussain FAli S(2012)A methodology to counter DoS attacks in mobile IP communicationMobile Information Systems10.5555/2595063.25950668:2(127-152)Online publication date: 1-Apr-2012
https://dl.acm.org/doi/10.5555/2595063.2595066
Show More Cited By

Abstract

References

Cited By

Recommendations

Tracing the true source of an IPv6 datagram using policy based management system

RFC 6791: Stateless Source Address Mapping for ICMPv6 Packets

RFC 5562: Adding Explicit Congestion Notification (ECN) Capability to TCP's SYN/ACK Packets

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations