As the Internet becomes increasingly important as a business infrastructure, the number of attacks on it, especially denial of service (DoS) attacks grows. A DoS attack is an attempt by a person or a group of persons to cripple an online service. Consequen

College of Information Technology

Tracking and Tracing Spoofed IP Packets to Their Sources

Alaaeldin A. Aly, College of IT, aly@uaeu.ac.ae

Ezedin Barka, College of IT, ebarka@uaeu.ac.ae

U.A.E. University, Al-Ain, P.O. Box: 17555, U.A.E.

Abstract

As the Internet becomes increasingly important as a business infrastructure, the number of

attacks on it, especially denial of service (DoS) attacks grows. A DoS attack is an attempt by a

person or a group of persons to cripple an online service. Consequently, there are currently a

lot of efforts being made to come up with mechanisms to detect and mitigate such attacks.

Research on IP traceback has been rather active since the late 1999 DOS attacks. Several

approaches have been proposed to trace IP packets to their origins. This paper examines the

current best practices and the most promising research approaches in a search for near-term

and long-term solutions to the traceback problem. However, it is clear that technical

approaches alone can never offer a complete solution to the problem. Along with the proposed

technical solutions, the policy implications and issues brought by the technology are

discussed.

This paper discusses a variety of methods that can help determine if received packets have

spoofed source addresses. Our approach that depends on analyzing routers' log files is also

discussed.

1. INTRODUCTION

Although access control technologies such as firewalls, are commonly used to prevent network attacks, they cannot prevent some specific attacks, including TCP SYN flooding. Consequently, more companies are deploying intrusion detection systems (IDS). The IDSs detect network attacks; however, they don't let us identify the attack source. This is especially problematic with Denial of Service (DoS) attacks, for example, because the attacker doesn't need to receive packets from the target host and thus can remain hidden. Several efforts are in progress in many different research and business places around the world to develop source-identification technologies to trace packets even when an attacker fakes its IP address.

The purpose of IP traceback is to identify the true IP address of a host originating attack packets. Normally, we can do this by checking the source IP address field of an IP packet. Because of a sender can easily fake this information, however, it can hide its identity. If we can identify the true IP address of the attack host, we can also get information about the organization, such as its name, and the network's administrator email address, from which the attack originated. Existing IP traceback methods can be categorized as proactive or reactive tracing. The proactive tracing detects attacks when packets are in transit while the reactive tracing starts after an attack is detected.

Existing IP traceback methods can be categorized as proactive or reactive tracing. The proactive tracing prepares information for tracing when packets are in transit. If packets tracing is required, the attack victim (target) can refer to this information to identify the attack source. Two proactive methods – packet marking

[1] and messaging [2] – have been studied and reviewed. In packet matching [1], packets store information about each router they pass as they travel through the network. The recipient of the marked packet can use this router information to follow the packet's path to its source. Routers must be able to mark packets, however, without disturbing normal packet processing. In messaging approaches [2], routers create and send messages containing information about the forwarding nodes a packet travels through. The approach relies on the Internet control message protocol (ICMP).

The reactive tracing starts tracing after an attack is detected. Most of the methods trace the attack path from the target to its source (origin). The challenges are to develop effective traceback algorithms and packet-matching techniques. Various proposals attempt to solve these problems. Among those studied techniques are hop-by-hop tracing, hop-by-hop tracing with an overlay network [3], IPsec authentication [4], and traffic pattern matching [5]. In hop-by-hop tracing, a tracing tool logs into the router closest to the attached host and monitoring the incoming packets. If the tool detects the spoofed packet, it logs into upstream routers and monitors packets. If the spoofed flooding attack is still occurring, the tool can detect the spoofed

CIT - 100 The Sixth Annual U.A.E. Research Conference