RIHT: A Novel Hybrid IP Traceback Scheme

Because the Internet has been widely applied in various fields, more and more network security issues emerge and catch people's attention. However, adversaries often hide themselves by spoofing their own IP addresses and then launch attacks. For this reason, researchers have proposed many traceback schemes to trace the source of these attacks. Some use only one packet in their packet logging schemes to achieve IP tracking. Others combine packet marking with packet logging and therefore create hybrid IP traceback schemes that demand less storage but require a longer search.

In this paper, we propose a new hybrid IP traceback scheme with efficient packet logging aiming to have a fixed storage requirement for each router (under 320 KB, according to CAIDA's skitter data set) in packet logging without the need to refresh the logged tracking information and to achieve zero false positive and false negative rates in attack-path reconstruction. In addition, we use a packet's marking field to censor attack traffic on its upstream routers. Lastly, we simulate and analyze our scheme, in comparison with other related research, in the following aspects: storage requirement, computation, and accuracy.

Existing System:

Most current single packet traceback schemes tend to log packets' information on routers. Most current tracing schemes that are designed for software exploits can be categorized into three groups: single packet, packet logging and hybrid IP traceback. The basic idea of packet logging is to log a packet's information on routers. The methods used in the existing systems include Huffman Code, Modulo/Reverse modulo Technique (MRT) and MOdulo/REverse modulo (MORE). These methods use interface numbers of routers, instead of partial IP or link information, to mark a packet's route information. Each of these methods marks routers' interface numbers on a packet's IP header along a route.

However, a packet's IP header has rather limited space for marking and therefore cannot always afford to record the full route information. So, these methods integrate packet logging into their marking schemes by allowing a packet's marking field to be temporarily logged on routers. As a result, these tracing methods still require high storage on logged routers. In addition, exhaustive searching is quite inefficient in path reconstruction.

Proposed System:

In the proposed system, we provide a new hybrid IP traceback scheme with efficient packet logging aiming to have a fixed storage requirement for each router (under 320 KB, according to CAIDA's skitter data set) in packet logging without the need to refresh the logged tracking information and to achieve zero false positive and false negative rates in attack-path reconstruction.

In this paper, we propose a new hybrid IP traceback scheme with efficient packet logging aiming to have a fixed storage requirement for each router in packet logging without the need to refresh the logged tracking information. In addition, we use a packet's marking field to censor attack traffic on its upstream routers.

Like MRT and MORE, RIHT marks interface numbers of routers on packets so as to trace the path of packets. Since the marking field on each packet is limited, our packet-marking scheme may need to log the marking field into a hash table and store the table index on the packet. We repeat this marking/logging process until the packet reaches its destination. After that, we can reverse such process to trace back to the origin of attack packets.
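
The marking/logging loop and its reversal described above, as an added Python example that is not code from the RIHT paper or this project. The encoding `mark * (degree + 1) + ui + 1`, the 16-bit field width, the growable list standing in for the fixed-size hash table, and the chain topology R0..R7 are all assumptions made for illustration.

```python
FIELD_BITS = 16                      # assumed marking-field width
MAX_MARK = (1 << FIELD_BITS) - 1

class Router:
    def __init__(self, name, degree):
        self.name, self.degree = name, degree
        self.table = [None]          # slot 0 reserved: mark 0 means "edge reached"
        self.slots = {}              # (mark, ui) -> slot, so a path is logged once

    def mark(self, mark, ui):
        """Fold upstream interface ui into mark; log it if the field overflows."""
        new = mark * (self.degree + 1) + ui + 1
        if new <= MAX_MARK:
            return new
        slot = self.slots.setdefault((mark, ui), len(self.table))
        if slot == len(self.table):
            self.table.append((mark, ui))
        return slot * (self.degree + 1)   # remainder 0 flags a table index

    def unmark(self, mark):
        """Invert mark(): return (previous mark, upstream interface)."""
        quotient, rem = divmod(mark, self.degree + 1)
        return self.table[quotient] if rem == 0 else (quotient, rem - 1)

def forward(path, routers):
    """path: [(router, upstream interface)], edge router first (it sends mark 0)."""
    mark = 0
    for name, ui in path[1:]:
        mark = routers[name].mark(mark, ui)
    return mark

def traceback(last, mark, routers, upstream):
    """Walk back from the victim-side router until the mark unwinds to 0."""
    hops = [last]
    while mark != 0:
        mark, ui = routers[hops[-1]].unmark(mark)
        hops.append(upstream[(hops[-1], ui)])
    return hops[::-1]

# Constructed topology: a chain R0..R7, every router with 15 interfaces.
UIS = [None, 3, 7, 0, 14, 5, 9, 2]   # upstream interface used at each router
ROUTERS = {f"R{i}": Router(f"R{i}", 15) for i in range(8)}
PATH = [(f"R{i}", UIS[i]) for i in range(8)]
UPSTREAM = {(f"R{i}", UIS[i]): f"R{i-1}" for i in range(1, 8)}

if __name__ == "__main__":
    final = forward(PATH, ROUTERS)
    print(final, ROUTERS["R5"].table, traceback("R7", final, ROUTERS, UPSTREAM))
```

With these constructed values the field overflows at R5, which is the only router that writes a table entry; sending the same path again reuses that entry instead of adding a new one.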

Modules:

  • Network topology Construction
  • Path Selection
  • Packet Sending
  • Packet Marking and Logging
  • Path Reconstruction

Tools Used:

Front End : Java