
2010 10th Annual International Symposium on Applications and the Internet

A Design of History Based Traffic Filtering with Probabilistic Packet Marking against DoS Attacks
Tadashi Kiuchi, Yoshiaki Hori, Kouichi Sakurai
Graduate School of Information Science and Electrical Engineering, Kyushu University, Fukuoka, Japan
Email: kiuchi@itslab.csce.kyushu-u.ac.jp, {hori, sakurai}@inf.kyushu-u.ac.jp

Abstract: One of the growing threats on the Internet is the DoS (Denial of Service) attack, in which a large volume of packets is sent to a target server. Packet filtering, which blocks the communication of suspicious packets, is therefore being researched. We examine two packet filtering methods. History-based filtering looks for the source IP addresses that appear frequently at a router and filters DoS attack traffic by dropping packets from addresses that are not usually observed. This method is weak when the attacker knows how the filtering works. Filtering based on probabilistic packet marking blocks communication arriving over an attack path. However, it also blocks the communication of non-attackers, and the number of packets needed to reconstruct the route grows as mark information is overwritten. To solve both problems, we propose combining probabilistic packet marking with a filtering approach based on the observation of source IP addresses. When an attack starts, the attack path is identified from the mark information, and attack packets are filtered using both the router's address record and the mark information. This prevents the packets of regular senders from being filtered even when they are marked on the attack path. The technique achieves a low false positive rate for benign traffic.
Keywords: DoS attack; traffic filtering; probabilistic packet marking

I. Introduction

As the Internet spreads, threats over the network increase. One of them is the DoS (Denial of Service) attack, in which a large number of packets is sent to a target server. It is an attack technique that obstructs the provision of a service by consuming the resources of the communication lines and of the server in excess. In addition to DoS attacks sent from a single point, the DDoS (Distributed Denial of Service) attack, in which packets are sent from two or more points, has also become a major problem.

A. Issue of DoS attack

To counter a DoS attack, the source of the attack packets must be discovered. Packets used for an attack spoof the source IP address, so it is difficult to identify the attacker from the source IP address. There is much research on preventing DoS attacks [1][2]. To identify the source of spoofed packets, IP traceback technology is researched, and packet filtering that blocks attack packets is researched. On the other hand, preventing DoS attacks is difficult from a practical standpoint. In July 2009, government sites were attacked by a DDoS attack (July 2009 DoS: http://en.wikipedia.org/wiki/July_2009_cyber_attacks). DoS attacks remain an unresolved issue.

978-0-7695-4107-5/10 $26.00 © 2010 IEEE    DOI 10.1109/SAINT.2010.44

B. Issue on filtering of DoS traffic

This paper first introduces two approaches that use packet filtering to block the attack packets of a DoS attack. The first is the history-based technique, which uses an IP address database: the source addresses of packets passing a router are observed and recorded, and packets are divided according to whether their IP address appears frequently at the router or not. As a result, normal communication can be protected while a DoS attack is in progress. The second method uses probabilistic packet marking, one of the IP traceback techniques. When an attack is detected, the transmission routes of packets are divided into routes influenced by the attacker and routes not influenced, and traffic from an attack path is blocked, so the DoS attack traffic is blocked. The history-based filter can be attacked successfully when the attacker knows the method. The marking-based method has the problem that packets from a benign sender are blocked when they are marked on an attack path.

C. Summary of contribution

To solve both problems, we propose probabilistic packet marking combined with a filtering approach that uses the observation of IP addresses at the router. In the proposed technique, probabilistic packet marking is used, and packets are marked by the routers on the way. In addition, the source IP address of every transmitted packet is observed at the router in the neighborhood of the victim, and the IP addresses that appear frequently are determined. When a DoS attack starts, packets are filtered by the stored information: packets whose source address does not appear frequently are filtered based on the mark information.

II. Background

A. IP traceback

Packets used for DoS attacks usually spoof the source address. IP traceback technology ascertains the source of such packets. Typical methods include the following:

- Input debugging method [3]
- Logging method [4]
- ICMP packet method [5]
- Probabilistic packet marking method [6]

Probabilistic packet marking: Here we explain the probabilistic packet marking used by the IP traceback based filtering method. In this technique, information for identifying the attack path is carried to the victim in unused bits of the header of the packets that pass the router. This has the advantage that no extra load is added to the network. When a packet passes through a router, a clue is written with a constant probability. The clue is written into the IP identification field, header information used for packet fragmentation. This design rests on the assumption that misappropriating the IP identification field causes no problem, because fragmented traffic on the Internet is only a small amount.

Figure 1. DoS attack

B. Packet filtering

Packet filtering is researched as one of the means to oppose DoS attacks. Packet filtering often uses the attacker information obtained by traceback. The technique distinguishes packets with an illegitimate source from those with a correct source at a node on the boundary of a network, and thereby blocks attack packets. If source IP addresses could not be counterfeited on any network, IP traceback technology would be unnecessary. However, unless an ingress filter is set on every interface to which hosts connect, preventing the counterfeiting of IP addresses is left to the manual work of network administrators, and it is difficult to do all of that work by hand. Therefore, filtering methods that automate it are researched.

III. Related work

A. History based filtering

This method observes the source addresses of packets that pass through a border router in normal communication. The record is called the IP address database (IAD). The router divides the observed addresses into those that appear frequently and those that do not. When an attack is detected, packets with an address that is not usually observed are blocked. This method shows about 10 percent false positives for benign traffic in paper [7].

B. Filtering with probabilistic packet marking

This technique uses probabilistic packet marking, one of the IP traceback techniques, for filtering. It has three modules. The EPM (Enhanced Probabilistic Marking) module marks packets with the IP traceback technique. The AMD (Attack Mitigation Decision-making) module detects DoS attacks. The PPF (Preferential Packet Filtering) module drops packets marked on the attack path. When a packet is transmitted, the EPM router writes the location information of the router into an unused area of the packet. When AMD detects a DoS attack, the attack path is identified from the written information. This method shows about 20 to 30 percent false positives for benign traffic in paper [8].

IV. Proposal method

A. Issue of existing method

In the history-based filtering technique, if the attacker knows how the filtering works, the attacker can carry out a DoS attack with dummy traffic. In IP traceback based filtering, if legitimate packets marked on the attack path reach the filtering router during a DoS attack, they are filtered at the router. Therefore, we propose a filtering technique that combines the observation of sender IP addresses at a router with probabilistic packet marking, to solve the problems of both methods.

There is a case in the existing marking-based filtering technique where normal communication marked on an attack path is blocked. In the history-based technique, packets from a legitimate source that does not usually communicate frequently with the host are blocked. In the marking-based technique, about 20 to 30 percent of normal communication is blocked during a DoS attack; in the history-based technique, about 10 percent is blocked. We therefore propose a technique that lowers the blocking rate of normal packets by using both methods. When a victim receives a DoS attack, it filters using the history-based technique, and when a packet that is not usually observed would be filtered, the marking information is used to decide. As a result, the probability that legitimate communication that is not usually observed is blocked decreases.

B. Role of each module

We show the role of each module below.

Attack detection module: This module is placed in the neighborhood of the victim defended by the filtering. It observes input packets and determines whether a DoS attack is being received. When an attack is detected, it informs the filtering module to begin filtering.

Marking module: This module marks packets with a constant probability q. The exclusive-OR of the router's IP address with that of the previous router is written in an unused part of the packet.

Filtering module: This module is placed at the area border router. When a victim detects a DoS attack, the attack path is identified from the information marked by the marking modules. Traffic that appears frequently according to the stored information is transmitted; communication that is not frequent is dropped according to the mark information.

White list making module: This module records the source addresses of packets that usually pass and distinguishes the addresses that appear frequently. Where it is placed is left open for study; in this paper it is placed in the filtering module. During a DoS attack, a packet whose source address is recorded in the whitelist is passed, and a packet with an address not recorded is dropped according to the mark information.

C. Design of modules

The design of each module, which achieves the operation described in the preceding paragraph, is described below.

1) Filtering module:
Input: Each source IP address is counted, and the module checks whether an IP address appears frequently or not. Filtering starts when the instruction to filter is received from the attack detection module.
Output: Packets that are not filtered are transmitted.
Stored information:
  Whitelist: the source IP addresses and their occurrence counts observed under normal circumstances.
  Attack path information: the attack path used for filtering, identified from the information marked on the packets that reach the router after an attack is detected.
Parameters:
  d: the number of days over which a source address is observed. A packet marked on the attack route whose source has not been observed for more than d days of the observation period is dropped.
  u: the number of packets observed with a given source address. A packet whose source has not been observed u or more times is dropped.
Filtering: Packets that pass through the attack route and whose source does not appear frequently are dropped. Packets that do not pass through the attack route are not filtered and are transmitted. Packets whose source address has been observed for more than d days and u or more times are transmitted by this module.

2) Attack detection module:
Input: Attack packets or non-attack packets; attack detection is assumed to be performed by a built-in IDS on receipt.
Output: Input packets are transmitted. When an attack is detected, the module informs the filtering module to begin filtering.
Stored information: The information the IDS needs is preserved.

Figure 2. Example of setting modules


3) Marking module:
Input: When the module receives a packet, with a constant probability q it writes the exclusive-OR of the router's IP address with that of the previous marking router into an unused area of the packet.
Output: Input packets, including marked packets, are transmitted.
Parameter: q, the probability of packet marking.

D. Discussion

To compare the proposed method with the existing methods, we refer to the following values; the evaluation is shown below.

False negative ratio: the ratio of attack packets that are blocked. Filtering attack packets reduces the arrival of unnecessary packets.
False positive ratio: the ratio of benign traffic that is blocked. Keeping this low maintains the quality of communication for regular packets while a DoS attack is in progress.
Weakness of IAD: whether the method can be attacked by an attacker who knows history-based filtering.
Number of parameters: how many parameters the method has. More parameters make the system harder to configure.

The false negative ratio of the history-based technique is 80 to 90 percent. The marking-based technique can block about 90 percent. The proposed technique is expected to block about 80 to 90 percent. The false positive ratio is about 10 percent in the history-based technique, and the marking-based technique blocks about 20 to 30 percent of benign traffic. When packets pass through a router, they are marked with a probability of 4 percent. If a packet from a benign sender to the victim passes through an attack path of 10 hops, it is filtered with a probability of 33.5 percent; over an attack path of 20 hops, 57.8 percent. Most packets travel less than 20 hops, so the false positive ratio of the proposed method is expected to be 4 to 6 percent. The IP traceback based method does not use history information. Our method and the history-based method share a vulnerability: an attacker who knows the filtering method can send a large amount of packets. But our method, which uses IP traceback information, can block more attack packets than the history-based method. The history-based method has two parameters and filtering with marking has one; our method has three. However, the parameters of the history-based method and those of the marking-based method do not affect each other, so configuring our method does not become more complex.

Table I. Comparing proposal method and existing methods

Method                   | false negative | false positive | Weak of IAD     | number of parameters
Proposal method          | 80-90 %        | 4-6 %          | exist           | 3
History based filtering  | 80-90 %        | 10 %           | attacked easily | 2
Filtering with marking   | 90 %           | 30 %           | -               | 1
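The following is an added example, not code from the paper: a Python simulation that puts the design of Sections II.A, IV.B to IV.D together in one place. It assumes a single attack path, reads the marking module's "exclusive-OR with the previous router" as compressed edge sampling in the style of Savage et al. [6] (the marking router writes its own address at distance 0, the next hop XORs its address in, later hops only count the distance up), treats the parameter d as the number of distinct days a source was observed, and uses constructed router and sender addresses and packet counts; the dictionary fields edge and dist stand in for the bits the design would carry in the IP identification field.

```python
import random
from collections import defaultdict

# Constructed topology for the demo (hypothetical addresses as 32-bit ints):
# attacker -> R1 -> R2 -> R3 -> R4 -> R5 -> filtering router / victim.
ATTACK_PATH = [0x0A000001, 0x0A000002, 0x0A000003, 0x0A000004, 0x0A000005]
KNOWN_SRC, UNKNOWN_SRC = 0xC0A80101, 0xC0A80102   # benign senders (constructed)
SPOOF_POOL = range(0xC0A80200, 0xC0A80300)        # addresses the flood forges


def new_packet(src):
    """A packet with an empty mark; 'edge' and 'dist' stand in for the IP ID bits."""
    return {"src": src, "edge": None, "dist": None}


def mark_packet(pkt, router, q, rng):
    """Marking module, read as compressed edge sampling (assumption): with
    probability q the router overwrites the mark with its own address at
    distance 0; otherwise, if a mark is present, it XORs its address into the
    edge written by the previous hop and increments the distance."""
    if rng.random() < q:
        pkt["edge"], pkt["dist"] = router, 0
    elif pkt["edge"] is not None:
        if pkt["dist"] == 0:
            pkt["edge"] ^= router
        pkt["dist"] += 1
    return pkt


def forward(pkt, routers, q, rng):
    """Carry a packet through the routers in order, attacker side first."""
    for router in routers:
        mark_packet(pkt, router, q, rng)
    return pkt


def reconstruct_path(marks):
    """Victim side: rebuild a single attack path from (edge, dist) marks,
    returned as router addresses ordered from the victim outward."""
    by_dist = defaultdict(set)
    for edge, dist in marks:
        if edge is not None:
            by_dist[dist].add(edge)
    if 0 not in by_dist:
        return []
    path = [next(iter(by_dist[0]))]     # distance 0 carries the last router itself
    d = 1
    while d in by_dist:                 # each further edge is XORed with its neighbour
        path.append(next(iter(by_dist[d])) ^ path[-1])
        d += 1
    return path


def attack_path_marks(path_from_victim):
    """All (edge, dist) values a packet that travelled the attack path can carry."""
    marks = {(path_from_victim[0], 0)}
    for d in range(1, len(path_from_victim)):
        marks.add((path_from_victim[d] ^ path_from_victim[d - 1], d))
    return marks


def observe(whitelist, src, day):
    """White list making module: record each source's active days and packet count."""
    entry = whitelist.setdefault(src, {"days": set(), "count": 0})
    entry["days"].add(day)
    entry["count"] += 1


def filter_packet(pkt, attack_marks, whitelist, d_days, u_pkts):
    """Filtering module during an attack; True means the packet is forwarded.
    Only packets marked on the attack path are examined, and of those only
    the ones whose source is not established in the whitelist are dropped."""
    if (pkt["edge"], pkt["dist"]) not in attack_marks:
        return True
    entry = whitelist.get(pkt["src"])
    return (entry is not None and len(entry["days"]) >= d_days
            and entry["count"] >= u_pkts)


def mark_probability(q, hops):
    """Probability that a packet crossing `hops` marking routers carries a mark."""
    return 1 - (1 - q) ** hops


def run_demo(q=0.04, d_days=3, u_pkts=10, seed=7):
    """Normal period, then a spoofed flood; returns the recovered path and counts."""
    rng, whitelist = random.Random(seed), {}
    for day in range(5):                      # KNOWN_SRC seen on 5 days, 20 packets
        for _ in range(4):
            observe(whitelist, KNOWN_SRC, day)
    flood = [forward(new_packet(rng.choice(SPOOF_POOL)), ATTACK_PATH, q, rng)
             for _ in range(3000)]
    path = reconstruct_path([(p["edge"], p["dist"]) for p in flood])
    attack_marks = attack_path_marks(path)
    keep = lambda p: filter_packet(p, attack_marks, whitelist, d_days, u_pkts)
    stats = {"known_kept": 0, "unknown_kept": 0, "attack_dropped": 0}
    for _ in range(1000):                     # benign senders join the path at R3
        stats["known_kept"] += keep(forward(new_packet(KNOWN_SRC), ATTACK_PATH[2:], q, rng))
        stats["unknown_kept"] += keep(forward(new_packet(UNKNOWN_SRC), ATTACK_PATH[2:], q, rng))
        stats["attack_dropped"] += not keep(forward(new_packet(rng.choice(SPOOF_POOL)), ATTACK_PATH, q, rng))
    return path, stats
```

run_demo() rebuilds the path from the flood's marks and then shows the three outcomes the discussion distinguishes: the whitelisted sender is never dropped even though its packets cross three attack-path hops, the unknown sender loses roughly the fraction mark_probability(q, 3) of its packets, and only flood packets that actually carry an attack-path mark can be attributed to the path and dropped. A low q therefore bounds the false positive rate, and the whitelist is what removes the remaining false positives for established senders.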

V. Conclusion

We proposed and designed a DoS filtering system that achieves a low false positive rate for benign traffic. In history-based filtering, if the attacker knows how the filtering works, the attacker can carry out a DoS attack with dummy traffic. In IP traceback based filtering, if a legitimate packet is marked on the attack path, the packet is filtered at the router. We therefore proposed probabilistic packet marking combined with a filtering approach that uses the observation of traffic source IP addresses by a router, to solve both problems. We designed the filtering to achieve a low false positive rate for benign traffic. As future work, we will compare the false negative ratio by simulation.

References
[1] J. Mirkovic and P. Reiher, "A taxonomy of DDoS attack and DDoS defense mechanisms," SIGCOMM Comput. Commun. Rev., Vol. 34, No. 2, pp. 39-53, April 2004.
[2] I. B. Mopari, S. G. Pukale, and M. L. Dhore, "Detection of DDoS attack and defense against IP spoofing," International Conference on Advances in Computing, Communication and Control, pp. 489-493, March 2009.
[3] R. Stone, "An IP Overlay Network for Tracking DoS Floods," Proceedings of the USENIX Security Symposium '00, August 2000.
[4] A. Snoeren, C. Partridge, L. Sanchez, C. Jones, F. Tchakountio, B. Schwartz, S. Kent, and W. Strayer, "Single-packet IP traceback," IEEE/ACM Trans. on Networking, Vol. 10, No. 6, pp. 721-734, December 2002.
[5] A. Mankin, D. Massey, C.-L. Wu, S. F. Wu, and L. Zhang, "On design and evaluation of intention driven ICMP traceback," Proc. IEEE International Conference on Computer Communications and Networks, October 2001.
[6] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, "Network support for IP traceback," IEEE/ACM Transactions on Networking, Vol. 9, No. 3, pp. 226-237, June 2001.
[7] T. Peng, C. Leckie, and K. Ramamohanarao, "Protection from Distributed Denial of Service Attack Using History-based IP Filtering," Proc. of the IEEE International Conference on Communications, pp. 482-486, May 2003.
[8] M. Sung and J. Xu, "IP Traceback-Based Intelligent Packet Filtering: A Novel Technique for Defending against Internet DDoS Attacks," IEEE Transactions on Parallel and Distributed Systems, Vol. 14, No. 9, pp. 861-872, September 2003.

