1. Field of the Invention
The present invention relates to a method for tracing-back an Internet protocol (IP) on an Internet protocol version 6 (IPv6) network, and more particularly, to a method for tracing-back an IP using marking information of a router stored on a hop-by-hop option header, which is one of IPv6 extension headers.
2. Description of the Related Art
The Internet provides advantages such as the exchange of all kinds of information without limitation of place and time, but its disadvantages, such as system hacking, information leakage, illegal intrusion, and the distribution of malicious viruses, grow steadily as distributed systems multiply and the Internet is more widely used.
A representative example of the disadvantages caused by the Internet is denial of service (DoS), which rapidly exhausts the resources of a host and a network through distributed attacks so that service performance is reduced or denied altogether. The above-described attack pattern is easy to carry out using an attack program on the Internet, but difficult to defend against and trace, because the transmission control protocol (TCP)/Internet protocol (IP) suite does not provide a security structure that can deal with a DoS attack. A DoS attacker can easily change the transmitter address of an IP packet and send the packet carrying the changed address to a victim's system (referred to as "spoofing"). In this case, since the IP address contained in the transmitted IP packet is not the IP address of the real attacker who actually transmitted it, it is difficult to trace the IP of the real attacker of the spoofed packet using only the transmitter IP address.
FIG. 1 shows an exemplary attack type of distributed denial of service (DDoS) made on a victim's host on a network. Referring to FIG. 1, attackers 1 to 3 make DDoS attacks on the victim's host. In practice, the DDoS attacks may be performed by numerous attackers, and thus the amount of traffic received by the victim's host may be enormous. When a countermeasure is not taken rapidly against the attack, the victim's host may no longer be able to provide service.
To prevent the above-described DDoS attack, passive defences such as a conventional firewall and intrusion detection system have been employed, but they do not solve the fundamental problem. Therefore, an active technology for finding out the attacker and removing the fundamental threatening factor is required. IP traceback technology is studied in order to accurately find out the source of an attack. Currently, a variety of technologies for tracing-back an IP are proposed. They include probabilistic packet marking (PPM), Internet control message protocol (ICMP) traceback, and hash-based traceback.
FIG. 2 illustrates an IPv4 network used for explaining probabilistic packet marking. Referring to FIG. 2, the IPv4 network includes an attacker and a plurality of routers R1 to R10 transmitting a packet from the attacker to a victim's host. When the packet transmitted from the attacker is delivered to the victim's host via the routers R1, R2, R7, and R10, each router through which the packet has passed marks its own IP address on a changeable field, e.g., the identification (ID) field contained in the IP header of the packet. Since enormous overhead would occur if each router marked its own IP address on all packets, the router samples packets with a predetermined probability and performs marking only on the sampled packets in order to maintain smooth operation of the network.
FIG. 3 is a flowchart explaining a method for tracing-back an attacker's IP on an IPv4 network using PPM.
When a huge amount of packets is transmitted to a victim's host at once and thus overload occurs on an IPv4 network, an agent managing the router R10 connected to the victim's host detects a DDoS attack (operation 1). When the DDoS attack is detected, the ID field contained in the header of a received packet is analyzed (operation 3). When a router records information on a packet, it records the information in the ID field of the packet header. The ID field normally identifies the fragments belonging to the same packet, but since it is actually used for fragmentation of an IP header in only about 0.25% of packets, the IP address of a router is marked on the ID field instead. The ID field is split into a 5-bit distance field and an 11-bit edge field. The distance field represents the distance from the victim's host to the router that performed the marking, and the edge field represents the address of that router. The 32-bit router address is reduced to 11 bits using a hash function and then recorded in the edge field.
The path through which the attack packet was received is reconstructed using the router address contained in the edge field and the distance from the victim's host to the marking router contained in the distance field (operation 5). The IP of the attacker's host is then traced back using the reconstructed reception path of the packet (operation 7).
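The marking step of FIG. 2 and the reconstruction steps of FIG. 3, as an added simulation that is not part of the patent text: routers overwrite the 16-bit ID field (5-bit distance, 11-bit hashed edge) with probability p, and the victim groups the marks it sees by distance and maps each edge hash back to candidate routers. The router addresses, the sampling probability, the use of truncated SHA-256 as the hash, and the convention that routers downstream of the marking router increment the distance field are all assumptions of this example.

```python
import hashlib
import random
from collections import Counter, defaultdict

DIST_BITS, EDGE_BITS = 5, 11            # 5 + 11 = the 16-bit IPv4 ID field
EDGE_MASK, MAX_DIST = (1 << EDGE_BITS) - 1, (1 << DIST_BITS) - 1

def edge_hash(router_ip: str) -> int:
    """Reduce a 32-bit router address to an 11-bit edge value (truncated SHA-256 is an assumed hash choice)."""
    return int.from_bytes(hashlib.sha256(router_ip.encode()).digest()[:2], "big") & EDGE_MASK

def pack_id(distance: int, edge: int) -> int:
    return ((distance & MAX_DIST) << EDGE_BITS) | (edge & EDGE_MASK)

def unpack_id(id_field: int):
    return (id_field >> EDGE_BITS) & MAX_DIST, id_field & EDGE_MASK

def route_packet(path, p, rng):
    """Forward one packet along path (first router nearest the attacker); return the ID field the victim sees."""
    id_field, marked = rng.randrange(1 << 16), False   # an unmarked packet carries whatever ID the sender chose
    for router in path:
        if rng.random() < p:              # sampled: overwrite the ID with distance 0 and this router's edge hash
            id_field, marked = pack_id(0, edge_hash(router)), True
        elif marked:                      # assumption: routers after the marking one increment the distance
            d, e = unpack_id(id_field)
            id_field = pack_id(min(d + 1, MAX_DIST), e)
    return id_field

def reconstruct_path(id_fields, known_routers, min_count=3):
    """Map frequently seen (distance, edge) pairs back to candidate routers, one sorted list per distance."""
    by_edge = defaultdict(list)           # an 11-bit hash may be shared by several routers
    for r in known_routers:
        by_edge[edge_hash(r)].append(r)
    counts = Counter(unpack_id(i) for i in id_fields)
    hops = defaultdict(set)
    for (d, e), n in counts.items():
        if n >= min_count and e in by_edge:   # real marks repeat under attack volume; random IDs rarely do
            hops[d].update(by_edge[e])
    return [sorted(hops[d]) for d in sorted(hops)]   # index 0 is the router next to the victim

def simulate(path, known_routers, packets=2000, p=0.05, seed=1):
    """Constructed scenario: the attacker's packets traverse `path`; the victim reconstructs it."""
    rng = random.Random(seed)
    observed = [route_packet(path, p, rng) for _ in range(packets)]
    return reconstruct_path(observed, known_routers)

if __name__ == "__main__":
    path = ["192.0.2.1", "192.0.2.2", "192.0.2.7", "192.0.2.10"]   # R1, R2, R7, R10 of FIG. 2 (constructed)
    print(simulate(path, path + ["192.0.2.3", "192.0.2.4"]))        # two routers not on the attack path
```

Because only 11 bits of each address survive, a distance group may list more than one candidate router; the victim resolves such ambiguity against its topology map, which is one reason the 16-bit ID field is a tight fit for this scheme.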
The above-described method for tracing-back an IP using PPM on an IPv4 network traces the IP of an attacker's host using the ID field of the IP header. However, since the header structure of IPv6 differs from that of IPv4, the method for tracing-back an IP using PPM on an IPv4 network cannot be directly used on an IPv6 network.