A Dynamic Probabilistic Marking Approach with Multi-Tag for Tracing ICMP-Based DoS Attacks
CHEN Xiuzhen1,2, MA Jin2†, LI Shenghong2, CHEN Ken3, SERHROUCHNI Ahmed4
1. State Key Laboratory for Manufacturing Systems Engineering, Xi’an Jiaotong University, Xi’an 710049, Shaanxi, China
2. School of Information Security Engineering, Shanghai Jiao Tong University, Shanghai 200240, China
3. Les Laboratoires de l’Institut Galilée, Université Paris 13, Paris 93430, France
4. Network and Computer Science Department, Telecom ParisTech, Paris 75634, France
This paper presents a dynamic probabilistic marking algorithm with multiple routing address tags, which allows the victim to trace back the origin of ICMP (Internet Control Message Protocol)-based direct and reflective DoS attacks. The proposed approach makes full use of the scalable data space of the ICMP packet to achieve multiple information tags. The difference between this proposal and previous proposals lies in two points. First, the number of packets needed by the victim to reconstruct the attack path is greatly reduced because of three key mechanisms: multi-tag, uniform leftover probability, and tag location choice based on the module of accommodated tag numbers within a packet. Second, the true origin of both direct and reflective ICMP-based DoS attacks can be traced.
Key words: network security; denial of service; IP traceback; dynamic probabilistic marking; multi-tag