Source Locator Autonomous System Traceback

Master's === 國立臺灣科技大學 (National Taiwan University of Science and Technology) === Department of Computer Science and Information Engineering === 98 === Distributed Denial of Service (DDoS) attacks in the real world have become a major threat in Internet society. While the attack itself is rather easy for anyone to perform, it is difficult for the victim to overcome the attacks. Researchers have to make some...

Bibliographic Details
Main Authors: Wili Delima, 林威利
Other Authors: Shi-Jinn Horng
Format: Others
Language: en_US
Published: 2010
Online Access: http://ndltd.ncl.edu.tw/handle/45943528009802816464
id ndltd-TW-098NTUS5392040
record_format oai_dc
spelling ndltd-TW-098NTUS5392040 2016-04-22T04:23:45Z http://ndltd.ncl.edu.tw/handle/45943528009802816464 Source Locator Autonomous System Traceback Wili Delima 林威利 Master's 國立臺灣科技大學 (National Taiwan University of Science and Technology) Department of Computer Science and Information Engineering 98 Shi-Jinn Horng 洪西進 2010 thesis 50 en_US
collection NDLTD
language en_US
format Others
sources NDLTD
description Master's === 國立臺灣科技大學 (National Taiwan University of Science and Technology) === Department of Computer Science and Information Engineering === 98 === Distributed Denial of Service (DDoS) attacks in the real world have become a major threat in Internet society. While the attack itself is rather easy for anyone to perform, it is difficult for the victim to overcome the attacks. Researchers have to devise ways to face this problem, such as building attack detection, prevention, mitigation, and follow-ups toward the attack. This research discusses one follow-up action called Attack Traceback, which tries to locate the original source of packet senders and reveals the path traversed by these packets during the attack. We propose a traceback system called Source Locator Autonomous System Traceback (SLAST), which uses the Autonomous System (AS) as the unit of tracing. The proposed system utilizes deterministic packet marking along with a dynamic packet marking scheme in which every packet has a chance to be marked with partial node information when it passes through a marking router. We use 25 bits of marking information inside the IP header of every packet to store information regarding the AS number and router ID. Because we overload the information inside the IP header field, this system doesn’t require additional bandwidth in its implementation. Our proposed system can greatly suppress the number of false positives by utilizing a hash number to find the attacker candidates and by discarding invalid nodes or paths as well. This gives the scheme an optimal processing time and makes it able to reconstruct the attacking path as well as the original source information. The proposed system is capable of tracing hundreds of nodes involved in attacks and can distinguish between the real source and the packet forwarder nodes with low false positives in the reconstruction result. Our system's results are analyzed and verified with simulation using a real AS traceroute dataset from The Cooperative Association for Internet Data Analysis (CAIDA). We compare our system with another system called FAST (Fast Autonomous System Traceback) and show that our system outperforms FAST in speed, false positives, and the path length problem. In addition, our system also provides the marking router ID of the attacker’s AS, so the victim will have more information about the source of the attack.