Article

Free access

Practical network support for IP traceback

Authors:

David Wetherall,

Tom AndersonAuthors Info & Claims

SIGCOMM '00: Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication

Pages 295 - 306

https://doi.org/10.1145/347059.347560

Published: 28 August 2000 Publication History

Abstract

This paper describes a technique for tracing anonymous packet flooding attacks in the Internet back towards their source. This work is motivated by the increased frequency and sophistication of denial-of-service attacks and by the difficulty in tracing packets with incorrect, or ``spoofed'', source addresses. In this paper we describe a general purpose traceback mechanism based on probabilistic packet marking in the network. Our approach allows a victim to identify the network path(s) traversed by attack traffic without requiring interactive operational support from Internet Service Providers (ISPs). Moreover, this traceback can be performed ``post-mortem'' -- after an attack has completed. We present an implementation of this technology that is incrementally deployable, (mostly) backwards compatible and can be efficiently implemented using conventional technology.

References

[1]

F. Baker. Requirements for IP Version 4 Routers. RFC 1812, June 1995.]]

Digital Library

[2]

G. Banga, P. Druschel, and J. Mogul. Resource Containers: A New Facility for Resource Management in Server Systems. In Proceedings of the 1999 USENIX/ACM Symposium on Operating System Design and Implementation, pages 45-58, Feb. 1999.]]

Digital Library

[3]

S. M. Bellovin. Security Problems in the TCP/IP Protocol Suite. ACM Computer Communications Review, 19(2):32-48, Apr. 1989.]]

Digital Library

[4]

S. M. Bellovin. ICMP Traceback Messages. Internet Draft: draft-bellovin-itrace-00.txt, Mar. 2000.]]

[5]

R. Braden. Requirements for Internet Hosts - Communication Layers. RFC 1122, Oct. 1989.]]

Digital Library

[6]

H. Burch and B. Cheswick. Tracing Anonymous Packets to Their Approximate Source. Unpublished paper, Dec. 1999.]]

[7]

R. L. Carter and M. E. Crovella. Dynamic Server Selection Using Dynamic Path Characterization in Wide-Area Networks. In Proceedings of the 1997 IEEE INFOCOM Conference, Kobe, Japan, Apr. 1997.]]

Digital Library

[8]

B. Cheswick and H. Burch. Internet Mapping Project. http://cm.bell-labs.com/who/ches/map/ index.html, 2000.]]

[9]

Cisco Systems. Configuring TCP Intercept (Prevent Denial-of-Service Attacks). Cisco IOS Documentation, Dec. 1997.]]

[10]

K. Claffy and S. McCreary. Sampled Measurements from June 1999 to December 1999 at the AMES Inter-exchange Point. Personal Communication, Jan. 2000.]]

[11]

Computer Emergency Response Team. CERT Advisory CA-96.26 Denial-of-Service Attack via pings. http://www.cert.org/advisories/CA-96.26. ping.html, Dec. 1996.]]

[12]

Computer Emergency Response Team. CERT Advisory CA-97.28 IP Denial-of-Service Attacks. http://www. cert.org/advisories/CA-97.28.smurf.html, Dec. 1997.]]

[13]

Computer Emergency Response Team. CERT Advisory CA-98.01 smurf IP Denial-of-Service Attacks. http://www.cert.org/advisories/CA-98.01. smurf.html, Jan. 1998.]]

[14]

Computer Emergency Response Team. CERT Advisory CA-2000-01 Denial-of-Service Developments. http:// www.cert.org/advisories/CA-2000-01.html, Jan. 2000.]]

[15]

Computer Emergency Response Team. CERT Incident Note IN-2000-04 Denial-of-Service Attacks using Nameservers. http://www.cert.org/incident_notes/ IN-200-04.html, Apr. 2000.]]

[16]

Computer Security Institute and Federal Bureau of Investigation. 1999 CSI/FBI Computer Crime and Security Survey. Computer Security Institute publication, Mar. 1999.]]

[17]

Cooperative Associationfor Internet Data Analysis. Skitter Analysis. http: //www.caida.org/Tools/Skitter/Summary/, 2000.]]

[18]

S. Deering. Internet protocol, version 6 (ipv6). RFC 2460, Dec. 1998.]]

[19]

W. Feller. An Introduction to Probability Theory and Its Applications (2nd edition), volume 1. Wiley and Sons, 1966.]]

[20]

P. Ferguson and D. Senie. Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing. RFC 2267, Jan. 1998.]]

Digital Library

[21]

J. Glave. Smurfing Cripples ISPs. Wired Technolgy News: (http://www.wired.com/news/news/ technology/story/9506.html), Jan. 1998.]]

[22]

I. Goldberg and A. Shostack. Freedom Network 1.0 Architecture and Protocols. Zero-Knowledge Systems White Paper, Nov. 1999.]]

[23]

R. Govindan and H. Tangmunarunkit. Heuristics for Internet Map Discovery. In Proceedings of the 2000 IEEE INFOCOM Conference, Tel Aviv, Israel, Mar. 2000.]]

[24]

L. T. Heberlein and M. Bishop. Attack Class: Address Spoofing. In 1996 National Information Systems Security Conference, pages 371-378, Baltimore, MD, Oct. 1996.]]

[25]

J. D. Howard. An Analysis of Security Incidents on the Internet. PhD thesis, Carnegie Mellon University, Aug. 1998.]]

Digital Library

[26]

P. Karn and W. Simpson. Photuris: Session-Key Management Protocol. RFC 2522, Mar. 1999.]]

Digital Library

[27]

C. Kent and J. Mogul. Fragmentation Considered Harmful. In Proceedings of the 1987 ACM SIGCOMM Conference, pages 390-401, Stowe, VT, Aug. 1987.]]

Digital Library

[28]

S. Kent and R. Atkinson. Security architecture for the internet protocol. RFC 2401, Nov. 1998.]]

Digital Library

[29]

C. Meadows. A Formal Framework and Evaluation Method for Network Denial of Service. In Proceedings of the 1999 IEEE Computer Security Foundations Workshop, Mordano, Italy, June 1999.]]

Digital Library

[30]

J. Mogul and S. Deering. Path MTU Discovery. RFC 1191, Nov. 1990.]]

Digital Library

[31]

R. T. Morris. A Weakness in the 4.2BSD Unix TCP/IP Software. Technical Report Computer Science #117, AT&T Bell Labs, Feb. 1985.]]

[32]

V. Paxson. End-to-End Routing Behavior in the Internet. IEEE/ACM Transactions on Networking, 5(5):601-615, Oct. 1997.]]

Digital Library

[33]

C. Perkins. IP Mobility Support. RFC 2002, Oct. 1996.]]

[34]

J. Postel. Internet Protocol. RFC 791, Sept. 1981.]]

[35]

M. G. Reed, P. F. Syverson, and D. M. Goldschlag. Anonymous Connections and Onion Routing. IEEE Journal on Selected Areas in Communications, 16(4):482-494, May 1998.]]

Digital Library

[36]

E. C. Rosen, Y. Rekhter, D. Tappan, D. Farinacci, G. Fedorkow, T. Li, and A. Conta. MPLS Label Stack Encoding. Internet Draft: draft-ietf-mpls-label-encaps-07.txt (expires March 2000), Sept. 1998.]]

Digital Library

[37]

G. Sager. Security Fun with OCxmon and cflowd. Presentation at the Internet 2 Working Group, Nov. 1998.]]

[38]

O. Spatscheck and L. Peterson. Defending Against Denial of Service Attacks in Scout. In Proceedings of the 1999 USENIX/ACM Symposium on Operating System Design and Implementation, pages 59-72, Feb. 1999.]]

Digital Library

[39]

S. Staniford-Chen and L. T. Heberlein. Holding Intruders Accountable on the Internet. In Proceedings of the 1995 IEEE Symposium on Security and Privacy, pages 39-49, Oakland, CA, May 1995.]]

Digital Library

[40]

I. Stoica and H. Zhang. Providing Guaranteed Services Without Per Flow Management. In Proceedings of the 1999 ACM SIGCOMM Conference, pages 81-94, Boston, MA, Aug. 1999.]]

Digital Library

[41]

R. Stone. CenterTrack: An IP Overlay Network for Tracking DoS Floods. In to appear in Proceedings of thje 2000 USENIX Security Symposium, Denver, CO, July 2000.]]

Digital Library

[42]

W. Theilmann and K. Rothermel. Dynamic Distance Maps of the Internet. In Proceedings of the 2000 IEEE INFOCOM Conference, Tel Aviv, Israel, Mar. 2000.]]

[43]

C. Villamizar. Personal Communication, Feb. 2000.]]

[44]

M. Vivo, E. Carrasco, G. Isern, and G. O. Vivo. A review of port scanning techniques. ACM Computer Communications Review, 29(2):41-48, Apr. 1999.]]

Digital Library

[45]

Y. Zhang and V. Paxson. Stepping Stone Detection. In to appear in Proceedings of thje 2000 USENIX Security Symposium, Denver, CO, July 2000.]]

Cited By

Landau-Feibish SLiu ZRexford J(2025)Compact Data Structures for Network TelemetryACM Computing Surveys10.1145/3716819Online publication date: 12-Feb-2025
https://doi.org/10.1145/3716819
Zhang ZXiao GSong SCan Aygun RStavrou AZhang LOsterweil E(2025)Revealing Protocol Architecture’s Design Patterns in the Volumetric DDoS Defense Design SpaceIEEE Communications Surveys & Tutorials10.1109/COMST.2024.339225327:1(353-371)Online publication date: Feb-2025
https://doi.org/10.1109/COMST.2024.3392253
Bellovin S(2025)IP TracebackEncyclopedia of Cryptography, Security and Privacy10.1007/978-3-030-71522-9_268(1294-1297)Online publication date: 8-Jan-2025
https://doi.org/10.1007/978-3-030-71522-9_268
Show More Cited By

Index Terms

Practical network support for IP traceback

Recommendations

Practical network support for IP traceback

This paper describes a technique for tracing anonymous packet flooding attacks in the Internet back towards their source. This work is motivated by the increased frequency and sophistication of denial-of-service attacks and by the difficulty in tracing ...
Network support for IP traceback

This paper describes a technique for tracing anonymous packet flooding attacks in the Internet back toward their source. This work is motivated by the increased frequency and sophistication of denial-of-service attacks and by the difficulty in tracing ...
IP Traceback: A New Denial-of-Service Deterrent?

The increasing frequency of malicious computer attacks has caused severe economic waste and unique social threats. IP traceback- the ability to trace IP packets from source to destination-is a significant step toward identifying and, thus, stopping, ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

SIGCOMM '00: Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication

August 2000

348 pages

ISBN:1581132239

DOI:10.1145/347059

Chairman:
Craig Partridge
BBN Technologies, Cambridge, MA

ACM SIGCOMM Computer Communication Review Volume 30, Issue 4
October 2000
319 pages
ISSN:0146-4833
DOI:10.1145/347057
Editor:
Roch Guerin
Univ. of Pennsylvania, Philadelphia
Issue’s Table of Contents

Copyright © 2000 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGCOMM: ACM Special Interest Group on Data Communication

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 August 2000

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Article

Conference

SIGCOMM00

Sponsor:

SIGCOMM

SIGCOMM00: ACM SIGCOMM 2000

August 28 - September 1, 2000

Stockholm, Sweden

Acceptance Rates

SIGCOMM '00 Paper Acceptance Rate 26 of 238 submissions, 11%;

Overall Acceptance Rate 462 of 3,389 submissions, 14%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

700
Total Citations
View Citations
4,974
Total Downloads

Downloads (Last 12 months)322
Downloads (Last 6 weeks)34

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Landau-Feibish SLiu ZRexford J(2025)Compact Data Structures for Network TelemetryACM Computing Surveys10.1145/3716819Online publication date: 12-Feb-2025
https://doi.org/10.1145/3716819
Zhang ZXiao GSong SCan Aygun RStavrou AZhang LOsterweil E(2025)Revealing Protocol Architecture’s Design Patterns in the Volumetric DDoS Defense Design SpaceIEEE Communications Surveys & Tutorials10.1109/COMST.2024.339225327:1(353-371)Online publication date: Feb-2025
https://doi.org/10.1109/COMST.2024.3392253
Bellovin S(2025)IP TracebackEncyclopedia of Cryptography, Security and Privacy10.1007/978-3-030-71522-9_268(1294-1297)Online publication date: 8-Jan-2025
https://doi.org/10.1007/978-3-030-71522-9_268
Mirkovic J(2025)Collaborative DoS DefensesEncyclopedia of Cryptography, Security and Privacy10.1007/978-3-030-71522-9_263(374-378)Online publication date: 8-Jan-2025
https://doi.org/10.1007/978-3-030-71522-9_263
Wang XXu KGuo YWang HFu SLi QWu BWu J(2024)Toward Practical Inter-Domain Source Address ValidationIEEE/ACM Transactions on Networking10.1109/TNET.2024.337711632:4(3126-3141)Online publication date: Aug-2024
https://doi.org/10.1109/TNET.2024.3377116
Pan YRossow C(2024)TCP Spoofing: Reliable Payload Transmission Past the Spoofed TCP Handshake2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00265(4497-4515)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00265
Lakshmi SDurga TSrilatha PKumari CLaxmi Lydia EAkhmetshin E(2024)Assessment of a Semi-supervised Machine Learning Method for Thwarting Network DDoS AssaultsEvolution in Signal Processing and Telecommunication Networks10.1007/978-981-97-0644-0_28(307-318)Online publication date: 23-Apr-2024
https://doi.org/10.1007/978-981-97-0644-0_28
Barak-Pelleg DBerend D(2023)The Time for Reconstructing the Attack Graph in DDoS AttacksJournal of Mathematical Analysis and Applications10.1016/j.jmaa.2023.127889(127889)Online publication date: Oct-2023
https://doi.org/10.1016/j.jmaa.2023.127889
Zhao ZLi ZZhou ZYu JSong ZXie XZhang FZhang R(2023)DDoS Family: A Novel Perspective for Massive Types of DDoS AttacksComputers & Security10.1016/j.cose.2023.103663(103663)Online publication date: Dec-2023
https://doi.org/10.1016/j.cose.2023.103663
AlArnaout ZMostafa NAlabed SAly WShdefat A(2022)RAPT: A Robust Attack Path Tracing Algorithm to Mitigate SYN-Flood DDoS CyberattacksSensors10.3390/s2301010223:1(102)Online publication date: 22-Dec-2022
https://doi.org/10.3390/s23010102
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Figures

Tables

Media

View Table of Conten