CIT- 100 Tracking and Tracing Spoofed IP Packets to Their So(2)
Published: 2021-06-06
As the Internet becomes increasingly important as a business infrastructure, the number of attacks on it, especially denial-of-service (DoS) attacks, grows. A DoS attack is an attempt by a person or a group of persons to cripple an online service. Consequen
College of Information Technology
packet again on one of the upstream routers. This procedure is repeated recursively on the upstream routers until the tool reaches the attack's actual source IP address.
In hop-by-hop tracing, the more hops there are, the more tracing processes will likely be required. To decrease the number of hops required for tracing, hop-by-hop tracing with an overlay network is used [3]. With IPsec authentication [4], when the IDS detects an attack, the Internet key exchange (IKE) protocol establishes IPsec security associations (SAs) between the target host and some routers in the administrative domain. The last technique surveyed is traffic pattern matching, in which the trace is done by comparing traffic patterns observed at the entry and exit points of the network with the Internet map [5]. Surveys of DDoS vulnerabilities and IP spoofing can be found in [6, 7, 8, 9, 10].
In this paper, we develop our own approach to trace suspected packets to their sources. In our approach, routers log data about traversing packets as well as information about other nodes in each packet's path. A distributed management approach is developed to enable tracing across networks with different access policies. Our approach is reactive and relies on hop-by-hop tracing: forwarding nodes such as routers log information about packets traversing the Internet, and the log data is then used to trace each packet from its final destination back to its source, hop by hop. Because information about a packet remains in the forwarding nodes it traversed, even a single attack packet can be traced to its source.
2. METHODS OF IP TRACEBACK
The purpose of IP traceback is to identify the true IP address of a host originating attack packets. Normally, we can do this by checking the source IP address field of an IP packet. Because a sender can easily forge this information, however, it can hide its identity. If we can identify the true IP address of the attack host, we can also get information about the organization, such as its name and the network administrator's e-mail address, from which the attack originated. With IP traceback technology, which traces an IP packet's path through the network, we can find the true IP address of the host originating the packet. To implement IP traceback in a system, a network administrator updates the firmware on the existing routers to the traceback support version, or deploys special tracing equipment at some point in the network.
Existing IP traceback methods can be categorized as proactive or reactive tracing.
2.1 Hop-by-Hop IP Traceback
The most common and basic method in use today for tracking and tracing attacks is hop-by-hop traceback. This method is only suitable for tracing large, continuous packet flows that are currently in progress, such as those generated by ongoing denial-of-service (DoS) packet flood attacks. In a DoS flood attack, the source IP addresses are typically spoofed (i.e., they are forged addresses inserted into the source address field of a packet to disguise the true IP address of the machine that originated the packets), so tracing is required to find the true origin of the attack.
For example, assume that the victim of a flood attack has just reported the attack to their ISP. First, an ISP administrator identifies the ISP’s router that is closest to the victim’s machine. Using the diagnostic, debugging, or logging features available on many routers, the administrator can characterize the nature of the traffic and determine the input (ingress) link on which the attack is arriving. The administrator then moves on to the upstream router (i.e., the router one previous hop away that is carrying attack packets toward the victim). The administrator repeats the diagnostic procedure on this upstream router, and continues to trace backwards, hop-by-hop, until the source of the attack is found inside the ISP’s administrative domain of control (such as the IP address of a customer of the ISP) or, more likely, until the entry point of the attack into the ISP’s network is identified. The entry point is typically an input link on a router that borders another provider’s network. Once the entry point into the ISP’s network is identified, the bordering provider carrying the attack traffic must be notified and asked to continue the hop-by-hop traceback. Often there is little or no economic incentive for such cooperation.
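The following Python model, added here as an illustration and not code from the paper, combines the logging-based reactive approach described in the introduction with the hop-by-hop procedure above. Routers keep a log of (ingress link, packet digest) records; the trace starts at the router nearest the victim, follows the logged ingress link upstream, and stops at a directly attached customer, at the entry point from a neighbouring provider, or when the logs are missing or ambiguous. The topology, router names, link names and addresses are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    domain: str
    links: dict   # ingress link -> upstream router name, or None for a directly attached customer
    log: list     # (ingress link, packet digest) records kept as packets traverse the router

def packet_digest(src, dst, proto, payload):
    """Fingerprint of the packet as logged; the (possibly spoofed) source is never trusted on its own."""
    return hashlib.sha256(f"{src}|{dst}|{proto}|{payload}".encode()).hexdigest()[:16]

def trace_back(routers, start, digest):
    """Walk upstream from the router nearest the victim until the source or the domain entry point."""
    domain = routers[start].domain
    path, current = [start], start
    while True:
        router = routers[current]
        ingress = {link for link, d in router.log if d == digest}
        if not ingress:
            return path, f"dead end: {current} has no log record for the packet"
        if len(ingress) > 1:
            return path, f"ambiguous: {current} saw the packet on links {sorted(ingress)}"
        link = ingress.pop()
        upstream = router.links.get(link)
        if upstream is None:
            return path, f"source: customer attached to {current}:{link}"
        if upstream not in routers or routers[upstream].domain != domain:
            # Outside our administrative domain: the neighbouring provider must continue the trace.
            return path, f"entry point: {current}:{link} from neighbouring provider {upstream}"
        path.append(upstream)
        current = upstream

# Constructed sample: victim behind R1; the flood entered ISP-A at R3 from provider ISP-B.
ATTACK = packet_digest("10.0.0.5", "203.0.113.10", "udp", "flood-payload")   # spoofed source
NOISE = packet_digest("198.51.100.7", "203.0.113.10", "tcp", "web")          # legitimate customer
ROUTERS = {
    "R1": Router("R1", "ISP-A", {"ge0": "R2", "ge1": None}, [("ge0", ATTACK), ("ge1", NOISE)]),
    "R2": Router("R2", "ISP-A", {"ge0": "R3", "ge1": None}, [("ge0", ATTACK)]),
    "R3": Router("R3", "ISP-A", {"ge0": "ISP-B", "ge1": None}, [("ge0", ATTACK), ("ge1", NOISE)]),
}

if __name__ == "__main__":
    print(trace_back(ROUTERS, "R1", ATTACK))
    print(trace_back(ROUTERS, "R1", NOISE))
```

Note that the spoofed source 10.0.0.5 plays no part in the trace; only the logged path does, which is the point of reactive logging-based traceback.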
2.2 Ingress Filtering
Many of the attacks on the Internet are accomplished using attack packets with spoofed source addresses. The occurrence of packets with spoofed source addresses, and their ability to transit the Internet,
The Sixth Annual U.A.E. Research Conference CIT - 101