Survey on Packet Marking Algorithms for IP Traceback

Distributed Denial of Service (DDoS) attack is an unavoidable attack. Among the various attacks on the network, DDoS attacks are difficult to detect because of IP spoofing. IP traceback is the only technique to identify DDoS attacks. The path affected by a DDoS attack is identified by IP traceback approaches such as the Probabilistic Packet Marking (PPM) algorithm and the Deterministic Packet Marking (DPM) algorithm. The PPM approach finds the complete attack path from the victim to the source, whereas DPM finds only the source of the attacker. With the DPM algorithm, finding the source of the attacker is difficult if the router is compromised. With the PPM algorithm we construct the complete attack path, so the compromised router can be identified. In this paper, we review PPM and DPM techniques and compare the strengths and weaknesses of each proposal.


INTRODUCTION
Distributed Denial of Service (DDoS) attacks are becoming a major problem nowadays. This type of attack not only prevents authorized users from accessing specific network services or resources but also propels a large amount of traffic onto the network. The number of internet users grows day by day, and as the number of users grows, crime grows too. Many techniques such as input debugging, controlled flooding and ICMP messaging have been developed to identify attackers [1,4], but none of these techniques has succeeded. The only method to find DDoS attackers is IP traceback, because the source address can be spoofed. IP traceback is the process of finding the source router of the attacker who created heavy traffic by sending spoofed packets. IP traceback can be done in two ways, using the Probabilistic Packet Marking (PPM) algorithm or the Deterministic Packet Marking (DPM) algorithm. In both techniques the routers on the path to the victim store the traceback data in the Identification field of IPv4 and may also use fields such as the Type of Service and Reserved flag fields shown in fig. 1. After receiving the marked packets, the victim uses the traceback data to find the source router of the attacker. In this paper we review the PPM and DPM techniques.

Probabilistic Packet Marking (PPM)
The Probabilistic Packet Marking algorithm helps in reconstructing the attack path from the victim to the source. In this technique each router in the attack path, as shown in fig. 2, marks the packet with partial IP address information called the marking information. This marking information is placed into the IP packet with a fixed probability [5,12]. After receiving the partial path information from the marked packets, the victim reconstructs the attack path. Some of the Probabilistic Packet Marking techniques are discussed hereafter.

Practical network support for IP Traceback schemes by Savage, Wetherall, Karlin, Anderson
Savage et al. [4] proposed two components in their method: a marking procedure and a path reconstruction procedure. In the marking procedure each router in the attack path generates a random number X. If X is less than the marking probability P_m, the router marks the packet with a part (fragment) of the marking information; if not, the upstream routers' marking information is exclusive-ORed with its corresponding part of the marking information. The marking information consists of the IP address (32 bits) and a random hash value (32 bits), which are bit-interleaved (72 bits). After receiving this marking information, the receiver constructs the attack path.
The expected number of packets needed to reconstruct the attack path with probability q is where d is the distance
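The marking and reconstruction steps described above, as an added simulation (not code from Savage et al. or from this survey). It models the XOR edge mark together with a distance counter and leaves out fragmentation and hash interleaving; the distance field, the router addresses, the packet count and the value 0.04 for P_m are assumptions.

```python
import ipaddress
import random

def forward(path, p_m, rng, edge=0, dist=0):
    """Carry one packet along `path` (attacker-side router first).

    Returns the (edge, distance) mark the victim reads. `edge` and `dist`
    start as whatever the sender placed in the marking field.
    """
    for router in path:
        if rng.random() < p_m:        # X < P_m: overwrite with own address
            edge, dist = router, 0
        else:
            if dist == 0:             # field was just (re)started: XOR in own address
                edge ^= router
            dist += 1
    return edge, dist

def reconstruct(marks):
    """Decode hops, victim side first, from distinct (edge, distance) marks."""
    by_dist = {}
    for edge, dist in marks:
        by_dist.setdefault(dist, set()).add(edge)
    hops, prev, dist = [], 0, 0
    while dist in by_dist:
        if len(by_dist[dist]) > 1:    # several paths or forged marks
            raise ValueError(f"ambiguous edge at distance {dist}")
        prev ^= next(iter(by_dist[dist]))   # edge = this hop XOR previous hop
        hops.append(prev)
        dist += 1
    return hops

# Constructed sample path, attacker side first (documentation address ranges).
PATH = [int(ipaddress.IPv4Address(a))
        for a in ("198.51.100.1", "203.0.113.9", "192.0.2.33", "192.0.2.1")]

def demo(packets=20000, p_m=0.04, seed=7):
    """Send `packets` packets down PATH and rebuild the path from their marks."""
    rng = random.Random(seed)
    marks = {forward(PATH, p_m, rng) for _ in range(packets)}
    return reconstruct(marks)

if __name__ == "__main__":
    for hop in demo()[:len(PATH)]:
        print(ipaddress.IPv4Address(hop))
```

Packets that no router marked still carry whatever the sender put in the field, so hops decoded beyond the expected path length are not trustworthy; the demo prints only the first len(PATH) hops.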

Advantages
ISP support not required.

Advanced and Authenticated marking schemes for IP Traceback by Song, Perrig
Song and Perrig [5], in their advanced marking scheme I, mark the packet with the hash value of the IP address instead of the IP address itself. An 11-bit hash value is calculated for each IP address in the attack path. In this technique two independent hash functions are used to distinguish the order of two routers in the XOR result. The advanced marking scheme II uses many hash functions. This approach uses a flag field to indicate which hash function is used for the marking. If the FID is known, then R_i is simply calculated using h(<FID, R_i>). Thus different FIDs indicate different independent hash functions. In the authenticated marking scheme, Song and Perrig proposed a technique to authenticate the packet marking so that the victim can detect compromised routers.

Advantages
• Low network and router overhead
• Lower computation overhead
• Authenticated marking scheme provides efficient authentication of routers' markings.

Disadvantages
• In this technique the 11-bit hash value is not sufficient to avoid collisions (i.e., different router addresses may encode to the same hash value).
• Though more efficient and accurate than the Savage et al. technique, it still gives many false positives in DDoS attacks.
• A network map is needed to reconstruct the attack path.

Hash-Based IP Traceback by Snoeren, Partridge, Sanchez, Jones, Tchakountio, Kent
Snoeren et al. [6] proposed a Source Path Isolation Engine (SPIE) to trace the source of a particular IP packet. The packet's destination and time of receipt are provided to the routers to trace the path.

Advantages
Traceback is performed by using just a single packet.

Disadvantages
• Requires a large amount of storage space and hardware changes for packet logging at the router.

A precise termination condition of the probabilistic packet marking algorithm by Wong Tsz-Yeung, Wong Man-Hon, Lui Chi-Shing
This algorithm [7] uses the Savage et al. marking procedure but applies a precise termination condition while constructing the attack graph. It takes fewer packets and guarantees that the constructed graph is correct.

Advantages
• Does not require any prior knowledge about the network topology.
• Upon termination of the algorithm the constructed graph is the attack graph.

Disadvantages
• Because it uses the PPM algorithm, all the disadvantages of the PPM algorithm are carried into this method as well.

IP Traceback based on Chinese Remainder Theorem by Lih-Chyau, Liu Tzong-Jye, Yang Jyun-Yan
In the technique of Lih-Chyau Wuu et al. [8], the characteristic of the IP address is passed along with the IP address in order to reduce false combinations. The IP address characteristic is calculated using the Chinese Remainder Theorem. The marking information is divided into five fragments. After receiving the IP address parts, the victim combines them and finds the characteristic of the combined IP address. If the calculated IP address characteristic is equal to the received IP address characteristic, then that IP address is considered valid.

Advantages
• This technique has reduced the number of combinations and hence the number of false positives.
• It takes fewer packets to reconstruct the attack path.

Disadvantages
• It cannot be applied directly to IPv6.

IP Traceback through Modified Probabilistic Packet Marking algorithm using Chinese Remainder Theorem by Bhavani, Janaki, Sridevi
In this technique [9] a unique X value calculated using Chinese remainder theorem is

Advantages
• It can be applied to IPv6.

Disadvantages
• A network map is needed to reconstruct the attack path.

Deterministic Packet Marking (DPM)
Deterministic Packet Marking helps in finding the source router of an attacker's packet, but it does not find the attack path from victim to attacker as PPM does. In this technique only the ingress router, as shown in fig. 3, marks the packet with its IP address [13,16].

IP Traceback with Deterministic Packet Marking
Andrey Belenky and Nirwan Ansari [13] proposed a technique where the ingress router marks the packet with parts of its IP address. The IP address is divided into two parts. When the first part is sent the reserved flag is set to "0", and it is set to "1" when the second part is sent. At the victim the two parts are combined to find the attacker.
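Both sides of the exchange described above, as an added example (not code from Belenky and Ansari or from this survey). It assumes the first part is the high 16 bits carried in the 16-bit Identification field, that the ingress router picks a part at random for each packet, and that the victim groups parts by packet source address; all addresses are constructed.

```python
import ipaddress
import random

def ingress_mark(ingress_ip, part):
    """Mark written by the ingress router: (identification, reserved_flag)."""
    addr = int(ipaddress.IPv4Address(ingress_ip))
    if part == 0:
        return addr >> 16, 0          # first part, reserved flag "0"
    return addr & 0xFFFF, 1           # second part, reserved flag "1"

class Victim:
    """Collects the two parts per packet source and joins them."""

    def __init__(self):
        self.parts = {}               # src -> {flag: 16-bit part}

    def observe(self, src, ident, flag):
        self.parts.setdefault(src, {})[flag] = ident

    def ingress_of(self, src):
        got = self.parts.get(src, {})
        if 0 not in got or 1 not in got:
            return None               # one half alone identifies nothing
        return str(ipaddress.IPv4Address((got[0] << 16) | got[1]))

def simulate(flows, packets=40, seed=3):
    """flows: {src: ingress_ip}. Every packet carries one randomly chosen part."""
    rng, victim = random.Random(seed), Victim()
    for _ in range(packets):
        for src, ingress in flows.items():
            ident, flag = ingress_mark(ingress, rng.randrange(2))
            victim.observe(src, ident, flag)
    return {src: victim.ingress_of(src) for src in flows}

if __name__ == "__main__":
    # Constructed flows: packet source address -> ingress router address.
    print(simulate({"10.0.0.5": "192.0.2.1", "10.9.9.9": "198.51.100.254"}))
```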

Advantages
It is easy to implement.

Disadvantages
• Requires knowledge about ingress routers.
• If the ingress router is compromised then the attacker is not found.

Improved Deterministic Packet Marking Algorithm
The IDPM technique [14] is effective in finding spoofed packets. In this technique the ingress router deterministically marks the packets with the IP address and the hash value of the IP address. The intermediate routers calculate the hash value of the IP address in the Identification field. If the calculated hash value is not equal to the hash value in the Identification field, the packet is assumed to be spoofed and is dropped.

Advantages
• It is simple and scalable.
• It is suitable for finding other types of attacks than DDoS attacks.

Disadvantages
• Requires knowledge about ingress routers.
• False positives may be more.

The MOD server identifies the unique mark and stores the mark, source address and time stamp in its database. With the sudden increase in the amount of attack flows, the other router may finally discover the attack and inform the MOD server. The MOD server will store this information in its database. When the victim performs the traceback process, it asks the MOD server for the IP addresses related to these unique marks. In this way the victim is able to find the source attacker.

Advantages
• It is simple and scalable.
• The number of packets needed to reconstruct the attack path is very small.

Disadvantages
• The MOD server is a bottleneck.
• All packets will be enlarged, which will increase the network overhead.

Table 1: Comparison of PPM and DPM

| PPM | DPM |
|---|---|
| Less overhead, because all the routers participate in marking with some probability. | As attackers send an enormous number of packets, marking all the packets is time consuming and an overhead at the ingress router. |
| Network overhead is less than in DPM, because only some packets are marked at each router. | All packets will be enlarged, which will increase the network overhead. |
| If the router gets compromised, it can be identified while constructing the path back. | If the ingress router gets compromised, it is impossible to find the attacker. |
| The number of packets needed to reconstruct the attack path is very large. | The number of packets needed to find the ingress router (source router) is very small. |
| Finds the complete attack path. | Finds only the source router. |

Flexible Deterministic Packet Marking: An IP Traceback system to find the real source of attacks
The FDPM technique [15] is effective in finding the real sources of the attackers. In this technique the marking of packets depends on the load of the router. If the load of the router exceeds some threshold value, that router differentiates between normal packets and attack packets. Only the attack packets are marked.

Advantages
• Requires a small number of packets to complete the traceback process.
• Traces a large number of sources in one traceback process.
• Low false positive rate.

Disadvantages
• All packets will be enlarged, which will increase the network overhead.
• If the ingress router is compromised then the attacker is not found.

CONCLUSIONS
Many packet marking techniques have been studied. These mechanisms differ in their working principle but are all used to detect the source of the attacker. In this paper, the advantages and disadvantages of PPM and DPM techniques have been discussed. The comparative study of these techniques is shown in Table 1. The scope of future work is to reduce the number of packets needed to reconstruct the attack path using PPM.

Fig. 3: Deterministic Packet Marking process. Packets are marked deterministically by only the ingress routers with their IP address information as they pass through them.