In recent years, much attention has been paid to securing the Internet infrastructure, which continues to become a medium for a broad range of transactions. A number of approaches to security have been proposed, each attempting to mitigate a specific set of concerns. The specific threat that is the main focus of this application is anonymous attacks. In anonymous attacks, the identity of the attacker(s) is not immediately available to the victim, since the Source Address (SA) field in the attack packets is spoofed. (Distributed) Denial of Service ((D)DoS) attacks are anonymous attacks that currently attract much attention, since there is no obvious way to prevent them or to trace them.
Currently there are several ways of dealing with anonymous attacks. They include source address filtering, SYN Flood Protection, and implementing a BlackHole Router server. Source address filtering, introduced in P. Ferguson and D. Senie, Network Ingress Filtering: defeating denial of service attacks which employ IP source address spoofing, RFC 2827, May 2000, prevents packets with values of the SA field outside the preset appropriate range from entering the Internet. If deployed on every ingress interface, this would drastically reduce the number of anonymous packets in the Internet. Unfortunately, source address filtering incurs high overhead and administrative burden and is ineffective unless carried out almost everywhere. SYN Flood Protection monitors half-open TCP connections and does not allow more than a certain number of them to exist simultaneously. SYN Flood Protection prevents only SYN Flood type (D)DoS attacks and is useless against other types of anonymous attacks. Finally, an ISP can determine the interface where the DoS attack packets entered its network by “Black Holing” a router on its network, if the customer reports the attack. This method involves human interaction, works only for the backscatter attacks, as discussed in D. Moore, G. M. Voelker and S. Savage, Inferring Internet Denial of Service Activity, Proc. of 10th USENIX Security Symposium, 2001, pp. 9-22, must be performed while the attack is still in progress, and is limited to the boundaries of the given ISP.
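The following sketch of source address filtering is an added example, not part of the original document. It shows why the filter helps only when it is deployed at the edge where the spoofed packet enters; the interface names, prefixes and packets are constructed for illustration.

```python
import ipaddress

# Constructed edge networks: ingress interface -> customer prefix behind it.
EDGE_PREFIXES = {
    "edge-a": ipaddress.ip_network("192.0.2.0/24"),
    "edge-b": ipaddress.ip_network("198.51.100.0/24"),
    "edge-c": ipaddress.ip_network("203.0.113.0/24"),
}

def ingress_permits(interface, source_address, filtered_edges):
    """Return True if a packet with this SA may enter on this interface."""
    if interface not in filtered_edges:
        return True  # no filter deployed here: any SA value is forwarded
    return ipaddress.ip_address(source_address) in EDGE_PREFIXES[interface]

def spoofed_packets_admitted(packets, filtered_edges):
    """Return the packets with a spoofed SA that still enter the network."""
    admitted = []
    for interface, source_address in packets:
        genuine = ipaddress.ip_address(source_address) in EDGE_PREFIXES[interface]
        if not genuine and ingress_permits(interface, source_address, filtered_edges):
            admitted.append((interface, source_address))
    return admitted

# Constructed traffic: (ingress interface, value of the SA field).
PACKETS = [
    ("edge-a", "192.0.2.10"),    # genuine
    ("edge-a", "198.51.100.7"),  # spoofed: claims an edge-b address
    ("edge-c", "198.51.100.7"),  # spoofed: claims an edge-b address
    ("edge-b", "198.51.100.7"),  # genuine
    ("edge-c", "192.0.2.99"),    # spoofed: claims an edge-a address
]

if __name__ == "__main__":
    for deployed in (set(), {"edge-a", "edge-b"}, set(EDGE_PREFIXES)):
        print(sorted(deployed), spoofed_packets_admitted(PACKETS, deployed))
```

Filtering at edge-a and edge-b does nothing for packets that claim their addresses but enter at the unfiltered edge-c, which is the "almost everywhere" requirement in practice.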
The currently available methods for dealing with anonymous attacks are not comprehensive. They either deal with a very limited set of the problems or are too expensive to implement and enforce. While it may be simply impossible to prevent attackers from attempting an attack, it might be possible to lessen, or even completely eliminate, the effects of the attack by not allowing the packets to reach the victim(s). This is the proactive approach discussed in detail in R. K. C. Chang, Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial, IEEE Commun. Mag., vol. 40, no. 10, pp. 42-51, October 2002. In practice, however, prevention of all attacks on the Internet is far from reality. When prevention fails, a mechanism to identify the source(s) of the attack is needed to at least ensure accountability for these attacks. This is the motivation for designing IP Traceback schemes.
After several high-profile DDoS attacks on major U.S. web sites in 2000, numerous IP traceback approaches have been suggested to identify the attacker(s). See A. Belenky and N. Ansari, On IP traceback, IEEE Commun. Mag., vol. 41, no. 7, pp. 142-153, July 2003. IP Traceback is defined in Chang (op. cit.) as identifying a source of any packet on the Internet. The previously proposed schemes can be categorized in four broad groups. One group of the solutions relies on the routers in the network to send their identities to the destinations of certain packets, either by encoding this information directly in rarely used bits of the IP header, or by generating a new packet to the same destination. The biggest limitation of solutions of this type is that they are focused only on flood-based DoS and DDoS attacks, and cannot handle attacks comprised of a small number of packets. Moreover, for large-scale DDoS attacks, these schemes are not very effective.
The second group involves logging some fields of every packet, or the digest of every packet, on all the routers that a packet traverses. During the traceback, all of the routers are polled and the path of a given packet is reconstructed by correlating the routers that have stored the information about this packet. The solutions of this group are not easily scalable, have relatively high ISP involvement, and have no post-mortem traceback capabilities. The third group involves the centralized management of the traceback process and changing the routing in the network with tunneling to be able to identify the packets' origin. The shortcomings of these schemes are high ISP involvement and high bandwidth and processing overhead associated with tunneling. The final group is referred to as the state of network inference schemes. Controlled flooding, described in H. Burch and B. Cheswick, Tracing Anonymous Packets to Their Approximate Source, Proc. of 2000 USENIX LISA Conference, December 2000, pp. 319-327, is the only scheme in this group. The scheme only works for DoS attacks. The attack path is determined while the attack is still in progress by systematically loading different links on the network and observing the effect on the victim. If loading of a particular link results in a decrease in the rate of the attack traffic, then this link is on the attack path. Controlled flooding is limited to tracing DoS attacks only, and it is manual. It also utilizes a questionable approach of inducing DoS attacks for the purposes of traceback.
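The digest-logging approach of the second group can be sketched as follows; this is an added example, not code from the original document or from any of the cited schemes. The topology, the fields fed into the digest, the log capacity and the sample packets are all assumptions constructed for illustration.

```python
import hashlib
from collections import deque

class LoggingRouter:
    """Router that logs a digest of every packet it forwards (bounded log)."""
    def __init__(self, name, capacity):
        self.name = name
        self.log = deque(maxlen=capacity)  # oldest digests are overwritten

    @staticmethod
    def digest(packet):
        # Assumed choice: hash only fields that do not change in transit.
        invariant = f"{packet['dst']}|{packet['id']}|".encode() + packet["payload"]
        return hashlib.sha256(invariant).digest()[:8]

    def forward(self, packet):
        self.log.append(self.digest(packet))

    def saw(self, packet):
        return self.digest(packet) in self.log

# Constructed topology: R1 and R3 are edge routers, R5 serves the victim.
LINKS = {"R1": ["R2"], "R3": ["R2"], "R2": ["R1", "R3", "R4"],
         "R4": ["R2", "R5"], "R5": ["R4"]}

def build_routers(capacity):
    return {name: LoggingRouter(name, capacity) for name in LINKS}

def send(packet, path, routers):
    for name in path:
        routers[name].forward(packet)

def traceback(packet, victim_router, links, routers):
    """Poll routers hop by hop, starting at the victim's router."""
    path, visited, current = [], set(), victim_router
    while current is not None and routers[current].saw(packet):
        path.append(current)
        visited.add(current)
        current = next((n for n in links[current]
                        if n not in visited and routers[n].saw(packet)), None)
    return list(reversed(path))  # ordered from the source side to the victim

def background(packet_id):
    # Constructed ordinary traffic toward the same destination.
    return {"dst": "203.0.113.5", "id": packet_id, "payload": b"ordinary traffic"}

# Constructed attack packet; its spoofed SA is irrelevant to the traceback.
ATTACK = {"dst": "203.0.113.5", "id": 4242, "payload": b"attack payload"}
```

Once later traffic has overwritten the digest on the routers near the victim, the same query returns an empty path, which is the lack of post-mortem capability noted above.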