As the Internet becomes increasingly important as a business infrastructure, the number of attacks on it, especially denial-of-service (DoS) attacks, grows. A DoS attack is an attempt by a person or a group of persons to cripple an online service. Consequen
College of Information Technology
combination with reactive methods we can construct an efficient spoofed packet detection system. The reactive method is initiated only when a packet seems suspicious. This minimizes the amount of probing required and allows us to test packets using a number of methods. The specifics of our implementation are described in sections 5 and 7. One of the strengths of passive TTL methods is that they are resistant to network routing attacks. These occur when packets intended for a particular host are routed to another host posing as the first. Such an attack is not strictly packet spoofing, because the packets are coming from the effective IP address of the sender. However, if the network distance between the two hosts has changed, we will identify these packets as spoofed. This allows passive spoofed packet detection to also act as a routing change detector.
OS Idiosyncrasies
We have identified a number of other features that can be used to find suspicious (possibly spoofed) packets. These include the expected source port for a TCP or UDP communication, expected ID values for certain packets, and type of service (ToS) or differentiated services code point (DSCP) values. The TCP window size has also been observed to be highly predictable given the source. Other useful features are likely: any feature that is specific to a particular host, OS, NIC, etc. is a potential identifier for that host. How useful a feature is depends on how predictable it is for the claimed source and how likely another computer is to generate the same value. Features with values common to many computers will tend to generate false negatives, while those that vary significantly will tend to generate false positives.
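The following is an added illustration, not code from the paper, of the passive detection described in the two sections above: a per-source baseline of inferred hop count (from the arriving TTL), TCP window size and ToS is learned during a trusted period, and later packets claiming the same source are flagged when they deviate. The packet records and baselines are constructed sample values; the initial-TTL table (64/128/255) and the hop_tolerance parameter are assumptions made here, the latter standing in for the false-positive/false-negative trade-off the text discusses and for tolerating legitimate routing changes.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed common initial TTL values (e.g. 64 for Linux/BSD, 128 for Windows,
# 255 for some routers and Solaris). A sender's arriving TTL is mapped to the
# smallest of these that is >= the observed value.
INITIAL_TTLS = (64, 128, 255)


@dataclass
class Packet:
    """Constructed, minimal view of the IP/TCP header fields we profile."""
    src: str
    ttl: int
    window: int
    tos: int


def infer_hop_count(ttl: int) -> int:
    """Estimate hops travelled: initial TTL (nearest value above) minus arriving TTL."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    return 0  # IPv4 TTL cannot exceed 255; treat anything larger as malformed


@dataclass
class HostProfile:
    hop_count: int
    window: int
    tos: int


class PassiveSpoofDetector:
    """Learns one profile per source IP and reports deviations for later packets."""

    def __init__(self, hop_tolerance: int = 0):
        self.profiles: Dict[str, HostProfile] = {}
        # Assumed tuning knob: how many hops of drift to accept before flagging.
        # 0 is strict (more false positives on route changes); larger values
        # accept spoofers sitting at a similar distance (more false negatives).
        self.hop_tolerance = hop_tolerance

    def learn(self, pkt: Packet) -> None:
        """Record the baseline for a source observed during a trusted period."""
        self.profiles[pkt.src] = HostProfile(infer_hop_count(pkt.ttl), pkt.window, pkt.tos)

    def check(self, pkt: Packet) -> List[str]:
        """Return the reasons a packet looks suspicious; an empty list means consistent.

        A hop-count mismatch is exactly the signal the text says also catches
        routing changes, so a hit here should trigger the reactive probe rather
        than an immediate drop."""
        profile = self.profiles.get(pkt.src)
        if profile is None:
            return ["unknown source: no baseline, reactive probe recommended"]
        reasons: List[str] = []
        hops = infer_hop_count(pkt.ttl)
        if abs(hops - profile.hop_count) > self.hop_tolerance:
            reasons.append(f"hop count {hops} differs from expected {profile.hop_count}")
        if pkt.window != profile.window:
            reasons.append(f"TCP window {pkt.window} differs from expected {profile.window}")
        if pkt.tos != profile.tos:
            reasons.append(f"ToS {pkt.tos} differs from expected {profile.tos}")
        return reasons


def demo() -> Dict[str, List[str]]:
    """Run the detector over constructed traffic and return the verdict per sample."""
    det = PassiveSpoofDetector()
    # Constructed baselines: a 64-TTL host 10 hops away, a 128-TTL host 12 hops away.
    det.learn(Packet("192.0.2.10", ttl=54, window=29200, tos=0))
    det.learn(Packet("198.51.100.7", ttl=116, window=65535, tos=0))
    samples = {
        "legit": Packet("192.0.2.10", ttl=54, window=29200, tos=0),
        # Claims 192.0.2.10 but arrives with TTL 120: a 128-TTL sender 8 hops away.
        "spoofed_ttl": Packet("192.0.2.10", ttl=120, window=29200, tos=0),
        # Distance matches, but the window size does not fit the claimed host.
        "spoofed_window": Packet("198.51.100.7", ttl=116, window=8192, tos=0),
        "unknown": Packet("203.0.113.5", ttl=60, window=5840, tos=0),
    }
    return {name: det.check(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", reasons or "consistent with baseline")
```

Note that a single feature mismatch is only a suspicion: the TTL check alone cannot distinguish a spoofer at the same distance from the real host, which is why the text pairs it with the window-size, ToS and port features and then hands suspicious packets to the reactive probe.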
4. THE PROPOSED APPROACH
Denial-of-service (DoS) attacks are a pressing problem in today's Internet. Their impact is often more serious than network congestion because of their targeted and concentrated nature. In a distributed DoS (DDoS) attack, the attacker uses a number of compromised slaves to increase the transmission power and orchestrate a coordinated flooding attack. In particular, DDoS attacks with hundreds or thousands of compromised hosts, often residing on different networks, may overload and crash the target system.
Because the current Internet routing infrastructure has few capabilities to defend against IP spoofing and DDoS attacks, a new defense mechanism against these attacks is needed. Our proposed approach is intended to defend against these attacks and should satisfy the following properties:
Fast response: The proposed approach should be able to rapidly respond and defend against attacks. Every second of Internet service disruption causes economic damage. We would like to immediately block the attack.
Scalable: Some attacks, such as TCP hijacking, involve only a small number of packets. However, many DDoS attacks are large scale and involve thousands of distributed attackers and an even larger number of attack packets. A good defense mechanism must be effective against low packet count attacks but scalable to handle much larger ones.
Victim filtering: Almost all DDoS defense schemes assume that once the attack path is revealed, upstream routers will install filters in the network to drop attack traffic. This is a weak assumption, because such a procedure may be slow, since the upstream ISPs have no motivation to offer this service to non-customer hosts and networks.
Efficient: The proposed approach should have very low processing and state overhead for both the routers in the Internet and, to a lesser degree, the victims of the attacks.
Support incremental deployment: The proposed approach is only useful and practical if it provides a benefit when only a subset of routers implement it. As an increasing number of routers deploy the scheme, there should be a corresponding increase in performance.
Also, the deployment of the solution should not leak proprietary information about an ISP’s internal network, as some ISPs keep their network topology secret to retain a competitive advantage.
CONCLUSION
IP traceback has several limitations, such as the problem of tracing beyond corporate firewalls. To accomplish IP traceback, we need to reach the host where the attack originated. It is difficult, however, to trace packets through firewalls into corporate intranets; the last-traced IP address might be the firewall's address. Knowing the IP address of the organization's network entry point, however, allows us to obtain information about the organization where the attacker's host is located, such as the organization's name and
The Sixth Annual U.A.E. Research Conference CIT - 105