Probabilistic Packet Marking for LargeScale IP Trace back

(Synopsis)

ABSTRACT
IP traceback is an important step in defending against Denial-of-service (DoS) attacks. Probabilistic packet marking (PPM) has been studied as a promising approach to realize IP traceback. In this paper, we propose a new PPM approach that improves the current state of the art in two practical directions: (1) it improves the efficiency and accuracy of IP traceback and (2) it provides incentives for ISPs to deploy IP traceback in their networks. Our PPM approach employs a new IP header encoding scheme to store the whole identification information of a router into a single packet. This eliminates the computation overhead and false positives due to router identification fragmentation. Our approach does not disclose the IP addresses of the routers having marked packets, thereby alleviating the ISPs security concern of disclosing network topology. Our approach is able to control the distribution of marking information. Hence, it is suitable to be deployed as a value-added service which may create revenue for ISPs. Therefore our PPM approach improves the performance and practicability of IP traceback. Denial-of-service (DoS) attacks have disrupted Internet services

severely. Recently, DoS attacks have been used for online extortion and even become the subject of lawsuits. IP traceback is a technique for tracing the paths of IP datagrams back toward their origins. IP traceback is not a goal but a means to defending against DoS attacks. Identifying the origins of attack packets is the first step in making attackers accountable. In addition, after figuring out the network path which the attack t r a f f i c follows, the victim under DoS attack can apply defense measures such as packet filtering further from the victim and closer to the source. That improves the efficacy of defense measures and reduces the collateral damage to innocent tr af fi c .

3 Many IP traceback techniques have been proposed. Among them, the probabilistic packet marking (PPM) approach has been studied mostly. In a PPM approach, the router probabilistically marks packets with its identification information, and then the destination reconstructs the network path by combining a number of such marked packets.

4 INTRODUCTION Internet security is becoming of critical importance in todays computing environment, as our society, government, and economy is increasingly relying on the Internet. Unfortunately, the current Internet infrastructure is vulnerable to attacksin fact, malicious attacks on the Internet have increased in frequency and severity. Large scale Distributed Denial-of-Service (DDoS) attacks disrupt critical Internet services and cause significant financial loss and operational instability. One of the most difficult challenges in defending against DDoS and many other attacks is that attackers often spoof the source IP address of their packets and thus evade traditional packet filters. Unfortunately, the current routing infrastructure cannot detect that a packets source IP address has been spoofed or from where in the Internet a spoofed IP packet has originated from. The combination of these two factors makes IP spoofing easy and effective for attacks. In fact, many different types of Internet attacks utilize spoofed IP addresses for different purposes: OBJECTIVE OF THE PROJECT Attackers can insert arbitrary source addresses into IP packets, they cannot, however, control the actual paths that the packets take to the destination. Based on this observation, Path Identification marking based Filtering has been proposed as a way to mitigate IP spoofing. The intuition in this scheme is that, the packets which pass through the concern routers are marked. Unfortunately, performance degrades substantially if legacy routers are present, as they decrement the TTL but do not mark the packet. So two new techniques that greatly enhance the performance of Pi in the presence of legacy routers the Stack marking and the Routers write-ahead has been

5 proposed. Hence, any packets with source address and destination address that appears in a router is marked based on StackPi and Router write-ahead.

Existing System: There are several existing approaches to the IP trace back problem Pattern-based Filtering and Hop-by-hop Tracing the approach of hop-by-hop tracing, which is also known as link testing, uses a pattern-based approach to do trace back of a DOS attack while it is in progress. This scheme requires immediate action during the attack, and requires considerable coordination between network administrators (to either communicate directly or setup access points for the agents of partnering administrators).This technique also requires some pattern-based way to separate legitimate packets from attack packets. A similar approach is used by Burch and Cheswick to perform trace back by iteratively flooding from V portions of the Internet to see its effects on Vs incoming traffic. Unfortunately, because of their iterative nature, these approaches have limited trace back capabilities in a large-scale DDOS. Proposed System: In the proposed approach the concept of detecting and avoidance of the DDos attacks is splitted up mainly in to three phases .They are attack detection iptraceback, Locating the attacker, filtration. The attack detection is done in the server that is the victim phase and the iptraceback is done based on the PPM implementation, and the filtration process is done based on the interface number that we are implementing in the marking strategy, At once a client is located as an attacker, the packets from him will

6 be dropped at the edge router itself, and this is the focused advantage in the proposed concept.

IP SPOOFING A spoofing attack involves forging one's source address. It is the act of using one machine to impersonate. To understand the spoofing process, First know about the TCP and IP authentication process and then how an attacker can spoof you network. The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and the service-specific data can be exchanged between the client and the server. Client and server can now send service-specific data "The sequence number is used to acknowledge receipt of data. At the beginning of a TCP connection, the client sends a TCP packet with an initial sequence number, but no acknowledgment. If there is a server application running at the other end of the connection, the server sends back a TCP packet with its own initial sequence number, and an acknowledgment; the initial number from the client's packet plus one. When the client system receives this packet, it must send back its own acknowledgment; the server's initial sequence number plus one. SPOOFING ATTACK There are a few variations on the types of attacks that successfully employ IP spoofing. Although some are relatively dated, others are very pertinent to current security concerns.

NON-BLIND SPOOFING

This type of attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately. The biggest threat of spoofing in this instance would be session hijacking. This is accomplished by corrupting the DataStream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine. Using this technique, an attacker could effectively bypass any authentication measures taken place to build the connection. BLIND SPOOFING This is a more sophisticated attack, because the sequence and acknowledgement numbers are unreachable. In order to avoid this, several packets are sent to the target machine in order to sample sequence numbers. While not the case today, machines in the past used basic techniques for generating sequence numbers. It was relatively easy to discover the exact formula by studying packets and TCP sessions. MAN IN THE MIDDLE ATTACK Both types of spoofing are forms of a common security violation known as a man in the middle (MITM) attack. In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by spoofing the identity of the original sender, who is presumably trusted by the recipient.

DENIAL OF SERVICE ATTACK

IP spoofing is almost always used in what is currently one of the most difficult attacks to defend against denial of service attacks, or DoS. Since crackers are concerned only with consuming bandwidth and resources, they need not worry about properly completing handshakes and transactions. Rather, they wish to flood the victim with as many packets as possible in a short amount of time. In order to prolong the effectiveness of the attack, they spoof source IP addresses to make tracing and stopping the DoS as difficult as possible. When multiple compromised hosts are participating in the attack, all sending spoofed traffic it is very challenging to quickly block traffic. In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, web sites, online accounts (banking, etc), or other services that rely on the affected computers. The most common and obvious type of DoS attack occurs when an attacker floods a network with information. When you type a URL for a particular web site in your browser, you are sending a request to that sites computer server to view the page. The server can only process a certain number of requests at once, so if an attacker overloads the server with requests, it cant process your requests. This is denial of service because you cant access that site. [1]

Figure 2.6 Denial of Service Attack DISTRIBUTED DENIAL OF SERVICE ATTACK In a distributed denial of service (DDoS) attack, an attacker may use your computer to attack another computer. By taking advantage of security vulnerable or weakness, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a web site or send spam to particular email address or computers. The attack is distributed because the attacker is using multiple computers, including yours, to launch the denial-of-service attack. A hacker (or, if you prefer, cracker) begins a DDoS attack by exploiting a vulnerability in one computer system and making it the DDoS "master." It is from the master system that the intruder identifies and communicates with other systems that can be compromised. The intruder loads cracking tools available on the Internet on multiple, sometimes thousands of compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The inundation of packets to the target causes a denial of service OVERVIEW OF Pi

1 It is a per-packet deterministic mechanism. Each packet traveling along the same path carries the same identifier. This allows the victim to take a proactive role in defending against a DDoS attack by using the Pi mark to filter out packets matching the attackers identifiers on a per packet basis. The Pi scheme performs well under large-scale DDoS attacks consisting of thousands of attackers, and is effective even when only half the routers in the Internet participate in packet marking. Pi marking and filtering are both extremely light-weight and require negligible state

PACKET FILTERING A packet filter is a mechanism used to provide a level of digital security by controlling the flow of information (data packets) via the examination of key information in packet headers. A packet filter determines if these packets are allowed to go through a given point based on certain access control policies. Typically, this point is a firewall, router or gateway into a network or workstation. IP TRACEBACK IP traceback is a name given to any method for reliably determining the origin of a packet on the Internet. The datagram nature of the Internet makes it difficult to determine the originating host of a packet the source id supplied in an IP packet can be falsified (Internet protocol spoofing) allowing for Denial Of Service attacks (DoS) or one-way attacks (where the response from the victim host is so well known that return packets need not be received to continue the attack). The problem of finding the source of a packet is called the IP traceback problem. IP Traceback is a critical ability for identifying

1 sources of attacks and instituting protection measures for the Internet. Most existing approaches to this problem have been tailored toward DoS attack detection. Such solutions require high numbers of packets (tens of thousands) to converge on the attack path(s). By nature, a solution requiring large packet volume is specifically targeted toward DoS attacks and tend to be probablistic in nature. BASIC MARKING SCHEME Each router treats the IP Identification field as though it were a stack. Upon receipt of a packet, a router shifts the IP Identification field (hereon referred to as the marking field) of the packets header to the left by n bits, and writes a pre-calculated set of n bits (represented by the marking m) into the least significant bits that were cleared by the shifting. This is the equivalent of pushing a marking onto the stack. Every following router in the path does the same until the packet reaches its destination. Because of the finite size of the marking field, after b16/nc routers have pushed their markings onto the marking field, additional markings simply cause the oldest markings (the ones pushed first onto the stack) to be lost. The packets StackPi mark is merely the concatenation of all the markings in the marking field when the packet arrives at its destination. Because routers always push their markings onto the least significant n bits of the marking field, their markings will always appear in the same order; and because every routers bit markings are precalculated, each StackPi marking is deterministic packets that follow the same path will have the same marking.

PROBABILISTIC PACKET MARKING Burch et al. suggested the possibility of IP traceback based on packet marking. The intuition is to notify the packet destination of the network path by recording the existence of the routers on the route in forwarded packets.

1 One feasible packet marking scheme is that the router probabilistically marks packets with its identification information as they are forwarded by that router. The marking information overloads a rarely used field in IP header. While each marked packet represents only a small portion of the path it has traversed, the whole network path can be reconstructed by combining a modest number of marked packets. This kind of approach is referred to as probabilistic packet marking (PPM). Because of the probabilistic nature of PPM, a packet may arrive at the destination without having been marked by any of the intermediate routers. Wily attackers are able to insert false routers into the network path by sending packets with carefully forged marking values. Most PPM approaches reserve a distance field in the marking space to limit the effect of fake marking values. When a router decides to mark a packet, it writes a zero into the distance field; otherwise, the router increments the distance field using a saturating addition. In this way, any packet written by the attacker will have a distance greater than the length of the true attack path. Therefore, it is impossible for an attacker to forge a router closer than the first traceback enabled router through which its packets have to pass. In a DDoS attack, there are multiple attackers and the attack t r a f f i c traverses multiple paths before converging at the victim. The goal of IP traceback is to reconstruct the attack tree which is rooted at the victim and composed of the attack paths from all of the attackers to the victim. Therefore, in order to track multiple attackers in a DDoS attack, the PPM approach needs a mechanism to classify the routers in different attack paths. Two kinds of schemes are employed

1 in PPM approaches to reconstruct attack trees. One is edge marking and the other one is node marking supplemented with a network map. In the edge marking scheme, which is used in CEFS, a marked packet carries the information about an edge in the network path. An edge is represented with the two routers at each end of a link. This scheme can distinguish multiple attack paths because the edges in the same path can be jointed together and the routers in different paths produce disjoint edges. In the node marking scheme, which is used in FIT, a marked packet carries the information of an individual router. The victim consults an upstream router map (a tree topology rooted at the victim) to discern routers in different paths. The PPM approach has following advantages: Low overhead at routers. Packet marking does not incur any storage overhead at routers and the marking procedure (a write and checksum update) can be easily executed at current routers. No additional network traffic . The marking information is encoded in IP header and piggy-backed on passing packets. Supporting incremental deployment. The marking information encoded in packets can pass through legacy routers not supporting PPM and arrives at the destination eventually. Given a subset of the routers in a path, an approximate path can be determined. However, there are two challenges in applying PPM approaches for IP traceback in practice. (1) Scalability. Current PPM approaches are not scalable to large-scale DDoS attacks. There is no place in the current IP header designated to store marking information. To store marking information in an IP option is not feasible because most routers handle packets with IP options very slowly. In PPM approaches, the marking information overloads a rarely used field in IP header, i.e., 16-bit IP identification field. A single packet usually cannot t the identification

1 information of a router (e.g., a 32-bit IP address or an IP address hash with similar length). The usual solution is to split the router identification into multiple non-overlapping fragments. When a router decides to mark a packet, the router randomly selects one fragment and marks the packet with the selected fragment plus its offset in the original identification. Those fragments are reassembled at the receiver to restore the router identification. In a DDoS attack, the attack t r a f f i c originates from multiple sources and the victim receives identification fragments from multiple routers at the same distance. The victim needs to try all combinations of the fragments at each distance with disjoint offset values, check their correctness, and then accepts correct ones. There are two kinds of schemes to verify the correctness of fragment combinations. One scheme is using integrity verification codes to correlate the fragments of the same router identification. An integrity verification code, such as a hash or a checksum of router identification, is included into the marking value. All packets marked by the same router carry integrity verification codes which are identical or compatible with each other. The other scheme is using predefined sets to check the correctness of fragment combinations. A fragment combination is considered correct if it is in the set. The set could be the routers at the same distance from the victim in an upstream router map or the polynomials with a degree of specific values in algebraic domain. Neither scheme is 100% accurate, more or less, in verifying the correctness of fragment combinations. False positive fragment combinations introduce nonexistent routers in reconstructed attack paths. In addition, the process of combining router identification fragments and verifying their correctness incurs computation

1 overhead on the victim. The more the attackers in a DDoS attack, the higher the computation overhead and the more the number of false positives. Hence, router identification fragmentation prevents PPM approaches from being scalable to large-scale DDoS attacks.
(2) Incentives.

ISPs lack incentives to deploy PPM approaches in

their networks. In general, ISPs are not willing to support a new protocol that cannot be sold as a service. IP traceback accelerates victims reaction to DoS attacks and improves the efficacy of DoS defense measures. Although some customers may clamor for IP traceback, it is not easy for ISPs to offer PPM-based IP traceback as a value-added service to create benefit. Since it is unrealistic to maintain per-flow state at routers, the routers supporting PPM have to mark each forwarded packet with the same probability, disregarding whether the packet destination is paying for IP traceback service or not. ISPs need a mechanism to restrict the use of IP traceback service only to paying customers. More importantly, ISPs would not like to disclose the details of their networks because of security concerns. In current PPM approaches, the router marks packets with its IP address or related variants (e.g., hash of IP address). Any dedicated end system can construct an upstream router map and derive the IP addresses of those routers in the map using the marking information in received packets. Attackers may utilize that mapping feature to set ISPs routers as targets.

3.1 MODULES: 1. Client a. Normal phase b. Attack phase 2. Router a. Implementation of PPM b. Iptraceback c. Filteration (at edgerouters) 3. Server a. Attack detection Module Description: 3.1.1 Client: a. Normal Phase In this normal phase the packets will be sent normally that is the client acts as a good node and it sends good packets b. Attack Phase In this phase the clients performs attacks the Dos it could be of type redundant packet sending, Ip spoofing, sending overloaded packets beyond the servers limits. Input: Normal packets sent to Server via Routers. Attack packets sent to Server via Routers. Output: Data sent to Server successfully. If Attack packets sent then it is traced. 3.1.2 Router a. Implementation of PPM

1 Each and every packet passing through the each and every router will be marked based on the PPM (i.e Probabilistic Packet Marking), and based on this marking strategy each and every packet is marked with the routers Ip address, checksum value, HMAC to check the integrity and the index value to support packet shuffling, and at edge routers the interface value is also added with the packet header so that we will be able to locate the attacker properly. b. Ip traceback Once the server or the victim locates the attacker the trace back starts with the ip address in the packet header and the checksum value in the marked packet, the trace back is done in a tree structured pattern as the packet may not be sent in a single path. c. Filteration: At the edge router when the packets reached the edge router it checks for the interface ID in its register to locate the attacker. At once it located the attacker it stores it the black list and once for all the packets sent by that node will be dropped in the edge router itself. Input: Incoming packets from Client either it is Normal or Attack Packets. Output: If the client sent normal packets then it is sent to the server via router after the normal procedures like PPM implementation has done.

1 If the incoming packet is attack one and once if the server detects it, then the IP Traceback and Filtration process has done at the router end. 3.1.3 Server a. Attack detection Each and every packet that reaches the victim is analyzed, to detect whether it is an attack packet, and the type of attack is detected. And it starts the trace back process based on the marked elements. Input: Incoming packets from the router. Output: Here once the packet is received from Router, Attack Detection is done with the incoming packets. If the packet is detected as attack packets then IP Traceback is done in the edge router.

HARDWARE / SOFTWARE REQUIREMENTS Tool Platform Java Windows

o o

MODULE IMPLEMENTATION DETAILS The project is implemented based on the design procedure developed. The implementation is the process of implementing the design details. The software is implemented using Java. The project focuses on developing Packet Marking and Filtering Mechanisms for DDoS Attack. We present a new technique, called Pi marking using StackPi and Router Write-Ahead marking that provides a conservative estimate of denial-of-service. Use this technique, we have deny the unauthorized persons entered in the network and deny their services.