
Int. J. Security and Networks, Vol. 5, No. 1, 2010

A backpressure technique for filtering spoofed traffic at upstream routers

S. Malliga* and A. Tamilarasi

Department of Computer Science and Engineering, Kongu Engineering College, Perundurai, Erode 638 052, Tamil Nadu, India
E-mail: mallisenthil@yahoo.com
E-mail: drtamil@kongu.ac.in
*Corresponding author

Abstract: The ever increasing rate of Denial of Service (DoS) attacks presents severe security threats to the internet. In this study, a backpressure scheme to filter DoS attack traffic at the earliest possible point is presented. This paper utilises markings stamped in the packets by the routers to detect DoS attacks. To improve the accuracy of detection, the detection process is augmented with hop count values derived from the IP header. A backpressure technique partially deployed at the upstream routers is also proposed to prevent congestion at the victim. Simulation studies show that our scheme drops most of the attack traffic at the earliest time.

Keywords: DoS; denial of service; security; packet marking; hop count; backpressure; partial deployment.

Reference to this paper should be made as follows: Malliga, S. and Tamilarasi, A. (2010) 'A backpressure technique for filtering spoofed traffic at upstream routers', Int. J. Security and Networks, Vol. 5, No. 1, pp.3-14.

Biographical notes: Malliga Subramanian obtained her Master's Degree in Computer Science and Engineering from Anna University, Chennai, Tamil Nadu, India in 2004. Her research interests include network and data security. She is pursuing her PhD in network security. She has 13 years of teaching experience in the field of Computer Science and Engineering. Currently, she is working as an Assistant Professor in the Department of Computer Science and Engineering, Kongu Engineering College, Perundurai, Tamil Nadu, India. She has presented papers on her research area at national and international IEEE conferences and published research papers in international journals. A. Tamilarasi obtained her PhD in Algebra in 1994 from the University of Madras, Chennai, Tamil Nadu. She was awarded a JRF by the UGC in 1986. Presently, she is working as a Professor in the Department of Computer Science and Engineering, Kongu Engineering College, Perundurai, Tamil Nadu, India. She has published about 30 papers in national and international journals and conferences. Her areas of interest include semigroup theory, fuzzy sets and fuzzy logic. She has been guiding PhD and MPhil scholars and is also an approved guide of Anna University, Chennai, Tamil Nadu.

Copyright 2010 Inderscience Enterprises Ltd.

1 Introduction

Denial of Service (DoS) attacks on the internet have become a serious issue as a result of a series of attacks in the recent past. The vulnerability of the internet to DoS attacks has been brought to the notice of users by several security incidents on websites like Yahoo, eBay and E*Trade (Garber, 2000). A DoS attack is an explicit attempt by attackers to deny legitimate users access to authorised resources. Weakly protected systems are exploited to launch these attacks. The attacks mimic requests from valid users, thereby pressuring the victim system to spend much of its time on bogus packets. For example, requesting a large file from the victim and causing computationally intensive operations on the victim are some ways of executing DoS attacks (Walsh et al., 2005). Simply increasing the victim's resources would not help to provide services to the legitimate users; in fact, it makes it easier for the offenders to launch many more such attacks. More importantly, IP spoofing, the falsification of the source IP address, is used in conjunction with DoS attacks to hide the true origin of the attacks.

Increasingly, the devastating effects of DoS attacks have attracted the internet research community and led to the development of many anti-DoS measures, which are generally of two types (Peng et al., 2003). One type involves finding the source IP address of the attack traffic using packet marking and Internet Control Message Protocol (ICMP) messages. The other type attempts to rate limit the attack traffic upon congestion. Packet marking techniques are based on the idea that routers mark the packets that traverse them. The marking may be Deterministic (DPM) or Probabilistic (PPM). In DPM, a router marks all the packets that pass through it. The DPM proposed in Ansari and Belenky (2003) allows an edge router to mark all the packets passing through it with the aim of reconstructing the ingress address of the router closest to the source. In PPM, the packets to be marked are chosen with some fixed probability. The victim, in spite of the source addresses being spoofed, can then reconstruct the actual path on receiving an ample number of marked packets. A few PPM schemes are addressed in Anderson et al. (2001), Choi and Dai (2004) and Perrig and Song (2001). Packet marking schemes are useful for IP traceback, which is the name given to the process of identifying the real source of any traffic. When forwarding packets, routers can, with a low probability, generate a Traceback message that is sent along to the destination. With enough Traceback messages from enough routers along the path, the traffic source and path can be determined. The main idea behind ICMP messaging (Bellovin, 2000) is that every router samples one of the forwarded packets with a low probability, copies the information about the adjacent routers into a special ICMP traceback message and forwards it to the destination. With enough ICMP messages from the routers along the path, the graph of the attack path is determined.

Rate limiting mechanisms impose a rate limit on traffic that has been characterised either as malicious or as causing congestion at the routers and the victim (Mittal, 2005). Congestion is, in turn, caused by aggregates (Mahajan et al., 2003), where an aggregate is a collection of packets from one or more flows. These flows have some properties, like source or destination address prefixes, in common. On identifying the high bandwidth aggregates of a flow, a rate limit is imposed on the flow, thereby reducing its aggressiveness. Nevertheless, the rate limiting schemes are based on the assumption that there is a tremendously large volume of attack traffic along the path. While the early studies showed that DoS attacks are created by flooding the network with a huge volume of attack packets, there are other forms of network attacks which may require only a small amount of attack flow. Even a single packet may be sufficient to create such attacks and paralyse the nodes. For instance, MS Windows has been crashed by the Teardrop attack with just one packet (Microsoft Corporation, 2006). Hence it is essential to find the single attack packet also. Kent et al. (2002) propose a hash based technique that gathers trails of the network traffic by logging in order to find the origin of a packet.

In our proposal, we address a new system called Filtering on Marking and Hop Count with Backpressure (FMHCBP), which is capable of identifying a single attack packet and dropping it. Our idea uses the packets marked by the routers along the path to find the attack traffic. The packets from a source address should carry consistent, genuine markings in order to be classified as valid. These markings are used for detecting and filtering the attack packets. To account for router instability and congestion, we also add another detection parameter, namely the hop count value, obtained from the Time To Live (TTL) field of the IP header. The mappings between the source IP addresses and the markings, along with the hop count values, are used to determine the attack packets. For marking, we use the scheme addressed in Malliga and Tamilarasi (2008). Ideally, we would like to detect and filter the attack traffic near the place of origin. So, we deploy our scheme partially on intermediate routers. When a victim system is severely congested, it may send a backpressure message instructing the previous upstream router to probe and drop the packets. For probing, the upstream routers maintain tables that map source IP addresses to the markings and to the hop count values seen at them. They use these tables to detect and drop the attack packets before they choke the victim. Backpressure does not necessitate the deployment of FMHCBP on all routers; partial deployment would suffice. The experimental results show that our system leads to fewer false negatives while maximising the throughput of the good traffic. We also demonstrate the power of the backpressure technique for blocking the malicious traffic at upstream nodes.

A wide range of tools for handling DoS attacks is presented in Mirkovic (2002). These tools use traffic profiles for detecting the attacks. If traffic is found malicious, they raise an alarm, but they take no action against it other than dropping it to an extent, and they do not attempt to drop it at the earliest point. Though many existing defenses are suitable for finding flooding DoS attacks, they are not fit for small volumes of attack traffic. Some systems have attempted to find a single attack packet, but they require a huge storage overhead on the intermediate routers. Even though FMHCBP incurs a little processing overhead on the routers, which is unavoidable for a marking technique, it helps an administrator to distinguish the attack traffic from the legitimate by establishing a decision making system, and it extends its support to tracking down a single attack packet. To reduce the burden on the victim, the backpressure technique helps an Internet Service Provider (ISP) to locate and drop the malicious traffic at the earliest time.

The remainder of the paper discusses our work in detail. Section 2 enumerates the design goals of an anti-DoS system. In Section 3, we review the schemes that are closely related to our system and their limitations. Section 4 gives an insight into the FMHCBP framework for identifying attack packets from the observed traffic. Section 5 discusses how the backpressure technique can be used to protect a victim at the earliest. Our experimental platform and demonstration of the efficacy of FMHCBP, based on the simulation results, are presented in Section 6. Section 7 analyses the issues for the practical deployment of FMHCBP. Finally, in Section 8, we summarise our work and address problems that researchers need to tackle.

2 Design goals of anti-DoS measures

Ideally, a DoS defense should be able to identify even a single attack packet and drop it. Keeping this as the predominant design goal, in this section we outline a set of other design goals required to be addressed by any anti-DoS system. A DoS defense should:

- not degrade the performance when there is no attack
- incur as little network complexity as possible
- be extendable to protect additional resources
- continue to work even in the case of forging
- be able to quickly react and minimise the victim's load.

It is worth noting here that there are already many large scale DoS detection mechanisms. As discussed in the previous section, detecting a single packet DoS attack is equally important. In addition to the above design goals, we attempt to propose a DoS detection and filtering system that also has the granularity to detect a single packet DoS attack.

3 Pushback techniques: a survey

Many research projects have been designed to manage the DoS problem (Mittal, 2005). We refer the readers to Mirkovic (2002) for a complete survey of most of the defensive systems. In this section, we address the early work in the area of DoS attacks that is closely related to the proposed scheme. These schemes work on pushback techniques to control flooding DoS attacks. Pushback or backpressure is a cooperative scheme used to control an aggregate (Mahajan et al., 2003). In pushback, a congested system requests its upstream node to control the flow of aggregates by rate limiting. By recursive propagation, a receiving router sends the pushback signal to its own upstream router to rate limit the traffic.

Defensive Cooperative Overlay Mesh (DefCOM) (Mirkovic et al., 2005a) deploys distributed defense nodes in the core internet and in the edge routers. These defensive nodes form an overlay mesh to exchange attack related messages. An alert generator at the victim system detects the attacks and alerts the other defensive nodes of the overlay. Then, the rate limiters at the core nodes and the classifiers at the nodes nearer to the attack source deplete the traffic through them. Specifically, the defense nodes at the edge network deploy D-WARD (Mirkovic, 2002) to classify the traffic as attack or legitimate. TCP connections that send a high volume of traffic and receive no or few replies are classified as malicious, whereas connections that receive a sufficient number of replies from the destination are classified as legitimate. But if an attacker spoofs large replies, this would force D-WARD to classify him as valid and, in turn, would degrade the services to the legitimate requests.

Local Aggregate-based Congestion Control (ACC) (Mahajan et al., 2003) provides a solution employed at a router to detect and rate limit high volume traffic. The routers identify the high bandwidth aggregates that cause a majority of the packet drops and impose rate limits on those aggregates. If a congested router cannot control the aggressiveness of the aggregates, it sends a pushback signal to the upstream routers that carry the traffic of those aggregates, thus leading to pushback ACC. A router receiving a pushback request decides whether to rate limit the aggregates or to propagate the request further upstream. The propagation of the pushback signal is similar to the discovery of the traffic tree in DefCOM (Mirkovic et al., 2005a). Pushback ACC would penalise the legitimate traffic that shares the attack path. Specifically, attack traffic with a low volume would not have any rate limit imposed on it and so still reaches the victim.

Lam et al. (2006) propose a Coordinated Detection and Response (CDR) scheme which consists of detection and response agents distributed in stub and transit networks. This scheme employs two types of agents, namely Stub Agents (SA) and Transit Agents (TA). The SAs are deployed at the border routers of the stub networks for detecting and responding to attack flows that originate from those networks. The TAs are deployed in transit networks to identify and filter the malicious flows. To detect the TCP rate anomaly, SAs use the non-parametric CUmulative SUM (CUSUM) algorithm, which monitors the disproportionate ratio of the number of TCP packets having destination IP address D to the number of TCP packets having source address D. The TAs act upon receipt of attack messages from the SAs.

Peng et al. (2002) suggest a selective pushback technique which identifies the congestion and then pushes back a signal to the routers closest to the source that create the congestion. The untrustworthiness of the source address leads to the use of PPM for finding the upstream routers. The path reconstructed by the PPM is used to direct the pushback signal to the upstream routers and block the malicious traffic. During normal conditions, the victim collects and builds up a normal profile for the incoming traffic using the marks stamped in the packets by the routers. From the profile, the victim learns the distribution of the number of packets from each router. During congestion, the victim starts a temporary profile of the packets arriving from the routers. The rate of change for each router is then used to detect the attacks, and the pushback is initiated.

But changes in routing would lead to unacceptable results. If offenders use the same path as valid requests, they may go undetected. To summarise, all the above systems would be useful for detecting large scale DoS attacks, but are not suitable for detecting DoS attacks caused by a single packet or a few packets. Also, these schemes would fail if an attacker spoofs the IP address of a host belonging to the same network where he resides.

4 Design principles of FMHCBP

This section attempts to integrate the goals of DoS defenses into design principles. We propose a distributed filtering scheme based on markings and hop count values to detect and block spoofed DoS attacks. The proposed scheme has two functionalities, namely packet marking and packet filtering based on the markings along with the hop count values. These two procedures are described below.

4.1 Modulo technique for packet marking

Packet marking lets the routers along the path mark the packets that pass through them with their addresses, either probabilistically or deterministically. These markings are then used by the victim to reconstruct the attack path. For marking, we use the proposal we made in Malliga and Tamilarasi (2008). Rather than marking its address, a router marks the hardware input or inbound interface that leads the packet into the router. To enable this, a small table that assigns a unique interface number to each of the input interfaces of the router is maintained at the router. When a router marks, it finds the unique number assigned to the inbound interface of the packet and marks it in the packet using the modulo method given in equation (1). Since less than 0.25% of packets are fragmented (Stoica and Zhang, 1999), we use the ID and fragmentation fields of the IP header for marking the packets. The marking stamped by a router is given below.

New marking = Previous marking × Number of interfaces of the router + Unique number assigned to the inbound interface. (1)

In order to carry the markings made by all the routers to a victim, we use the modulo technique. According to this technique, when a router decides to mark, it takes the marking made by the previous router, which encodes the markings made by all the upstream routers. It then calculates the new marking, stamps it in the packet and forwards the packet to the next downstream router. This way of marking lets a router mark a single quantity and also lets the victim find the upstream router that marked a packet using the reverse modulo technique, as explained in Section 5.

To let the packets from different hosts belonging to a network have different markings at a victim system, the edge router, which inserts the packets into the core network, uses a different way of marking. To do that, the edge router maintains a table that maps the 48-bit Medium Access Control (MAC) or hardware address of each host of the network to a unique number assigned to that address. A MAC address is a unique identifier assigned to a network interface card. When a packet arrives at the edge router, it stamps the unique number mapped to the MAC address of the sending host into the packet and forwards the packet. In order to reduce the processing overhead due to marking on intermediate routers, an edge router marks the packets with a certain probability. All the other routers use the modulo technique as described earlier to continue marking. An intermediate router chooses to mark a packet only if it has already been marked by the edge router. This is indicated by the flag bit in the layout shown below.

Flag (1 bit) | Previous marking × Number of interfaces of the router + Unique number assigned to the inbound interface (31 bits)
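The composition of markings along a path, as an added worked example (not the authors' code or simulator): the edge router stamps a per-host number from its MAC table and sets the flag, and every later router applies equation (1) inside the 31-bit field only when the flag is set. The MAC table, the interface counts, the inbound interface numbers and the sample packet are all constructed. The bits_consumed helper goes beyond the text by bounding how many of the 31 bits a given path uses, which is the check a deployment needs before the composed marking overflows the field.

```python
"""Modulo packet marking of Section 4.1: added example, not the authors' code.
The edge router stamps the host's number (from its MAC table) and sets the flag
bit; every later router applies equation (1) only if the flag is set.
All routers, interface numbers, MAC addresses and host numbers are constructed.
"""
import math

MARK_BITS = 31              # ID + fragmentation fields: 32 bits, minus the 1-bit flag
FLAG_BIT = 1 << MARK_BITS
MARK_MASK = FLAG_BIT - 1


def mark(prev_marking, n_interfaces, inbound_iface):
    """Equation (1): new marking = previous marking * N + inbound interface number."""
    if not 0 <= inbound_iface < n_interfaces:
        raise ValueError("inbound interface number must lie in [0, N)")
    return prev_marking * n_interfaces + inbound_iface


def pack_field(marking, flagged):
    """Lay out the 32-bit field as [flag (1 bit) | marking (31 bits)]."""
    if marking > MARK_MASK:
        raise OverflowError("marking no longer fits in 31 bits")
    return (FLAG_BIT if flagged else 0) | marking


def unpack_field(field):
    """Split the 32-bit field back into (flag set?, marking)."""
    return bool(field & FLAG_BIT), field & MARK_MASK


def edge_mark(mac_table, src_mac):
    """Edge router: stamp the unique number mapped to the sending host's MAC, set the flag."""
    return pack_field(mac_table[src_mac], flagged=True)


def core_forward(field, n_interfaces, inbound_iface):
    """Intermediate router: continue marking only if the edge router marked this packet."""
    flagged, prev = unpack_field(field)
    if not flagged:
        return field
    return pack_field(mark(prev, n_interfaces, inbound_iface), flagged=True)


def marking_at_victim(mac_table, src_mac, path, edge_marks=True):
    """Carry one packet from the edge router along `path` = [(N_k, inbound_k), ...].

    `edge_marks=False` models the edge router skipping this packet (it marks
    only with some probability); the flag then stays clear and no core router marks.
    """
    field = edge_mark(mac_table, src_mac) if edge_marks else 0
    for n_interfaces, inbound in path:
        field = core_forward(field, n_interfaces, inbound)
    return unpack_field(field)


def bits_consumed(host_numbers, path):
    """Upper bound on the marking bits a path uses: the host number's bits plus
    ceil(log2 N_k) for every router on the path. Must stay <= MARK_BITS."""
    bits = math.ceil(math.log2(max(host_numbers) + 1))
    for n_interfaces, _ in path:
        bits += math.ceil(math.log2(n_interfaces))
    return bits


# Constructed sample: three hosts behind one edge router, then four core routers,
# each given as (number of interfaces, inbound interface the packet arrives on).
MAC_TABLE = {"00:11:22:33:44:01": 1, "00:11:22:33:44:02": 2, "00:11:22:33:44:03": 3}
PATH = [(4, 2), (8, 5), (16, 9), (6, 1)]

if __name__ == "__main__":
    for mac in MAC_TABLE:
        print(mac, marking_at_victim(MAC_TABLE, mac, PATH))
    print("bits used by this path:", bits_consumed(MAC_TABLE.values(), PATH), "of", MARK_BITS)
```

The three hosts end up with three different markings at the victim although they traverse the same four routers, which is the property the edge-router table provides; on the constructed path the marking consumes 14 of the 31 bits, and each extra router with N interfaces costs about log2(N) more.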

4.2 Packet filtering

In what follows, we provide the strategy employed for classifying and filtering the packets. To be classified as valid, a packet should carry a genuine and consistent marking. When a packet arrives at a victim system, the victim checks for the presence of the packet's source IP address in a table called the Marking Table, which holds the mappings of source IP addresses to the genuine markings from those IP addresses. If the source address exists in the table, it examines the genuineness of the marking and then decides either to allow or to drop the packet. To strengthen the detection capability, we use another table called the Hop Count Table. The idea of using the hop count for detecting spoofed traffic is taken from Ali et al. (2007) and Jin et al. (2007). The hop count represents the number of hops a packet makes to reach the destination. We combine the hop count values with the markings for decision making. Attackers cannot mislead the TTL, though they spoof the IP address. This has motivated us to use the hop count to strengthen the decision making process. Obtaining the hop count value from the TTL is explained in Templeton and Levitt (2003). The Hop Count Table has a list of source addresses with their specific hop count values. After examining the Marking Table, a packet is also examined against the Hop Count Table, if needed. Depending on whether the packet has a valid hop count, the packet is allowed into the victim or dropped. The structure of FMHCBP is shown in Figure 1. We also present the decision making process of FMHCBP in Table 1. As can be seen from Table 1, packets that are found to be suspicious are dropped. To alleviate misclassification, a counter called the Mismatch score is maintained for each IP address; it is incremented whenever a doubtful decision is taken, that is, when no match is found in the Marking and/or Hop Count Tables. Also, when a packet arrives from an IP address that is in neither table, it is accepted and the mismatch score for the IP is incremented. On exceeding the threshold, a simple verification process begins. The ICMP Echo request and response packets used for the verification are given in Table 2 with their types and codes.

Figure 1 System model of FMHCBP

Table 1 Packet classification procedure

Marking Table                          | Hop Count Table                                   | Decision
Source IP address | Marking            | Source IP address | Hop count value               |
Contains          | Matches            | -                 | -                             | Accept
Contains          | No matches         | Exists            | Matches (within some constant)| Accept
Contains          | No matches         | Exists            | Mismatches                    | Drop
Contains          | No matches         | Not exists        | -                             | Drop
Not contains      | -                  | Exists            | Matches (within some constant)| Accept
Not contains      | -                  | Exists            | Mismatches                    | Drop
Not contains      | -                  | Not exists        | -                             | Accept
Table 2 ICMP messages for seeking genuineness

Packet name | ICMP type | ICMP code | Description
Reqg        | 8         | 1         | ICMP Echo request to seek genuineness
Resg        | 0         | 1         | ICMP Echo response to confirm genuineness

We follow the simple verification process adopted in Chen et al. (2008). For a source IP address whose score exceeds the threshold, an entry is added to an Authentication list, which contains the details of the marking from the IP address, a counter of the number of ICMP Echo messages sent and the content of the echo request message. Subsequently, an ICMP Echo request packet is sent to the source IP and the counter is incremented. On receiving the echo response, the markings are verified and the tables are updated, if needed. Following this, the mismatch score is reset to 0. The entry corresponding to the IP in the Authentication list is purged, leaving space for further requests. If the victim gets no response to the echo request within the Round Trip Time (RTT), then it resends the echo request and the counter for the IP in the Authentication list is incremented. When no response is seen for n requests, the IP is taken to be inactive and the entry is removed from the Authentication list; further, all packets from that IP address are dropped. The purpose of keeping the content of the echo message in the list is to prevent the imitation of the response by an attacker: it is compared with the content of the reply to ensure that the attacker has not forged the reply packets.
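The classification of Table 1, the Mismatch score of Section 4.2 and the echo verification just described, as one added worked example (not the authors' implementation). It assumes the hop count is inferred from the TTL with the usual nearest-common-initial-TTL rule, which is one way of applying the method the paper cites; it treats an echo reply as genuine only when it returns the stored content and carries the marking under test, which is a reading of "the markings are verified"; and the Marking Table, Hop Count Table, threshold and packets are constructed (the tolerance of 3 and the threshold of 30 are the Table 3 values, with the threshold lowered in the test so the verification path is reached).

```python
"""Packet classification of Table 1, the Mismatch score and the ICMP Echo
verification of Table 2: added example, not the authors' implementation.
Assumptions: the hop count is inferred from the TTL with the usual
'nearest common initial TTL' rule (one way to apply the method the paper
cites), an echo reply is trusted only if it returns the stored content and
carries the marking under test, and all tables and packets are constructed.
"""
import os

INITIAL_TTLS = (32, 64, 128, 255)   # initial TTL values commonly used by end hosts


def hop_count_from_ttl(ttl):
    """Hops travelled = (smallest common initial TTL >= observed TTL) - observed TTL."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


class Fmhcbp:
    def __init__(self, marking_table, hop_count_table, tolerance=3, threshold=30, max_echo=3):
        self.marking_table = dict(marking_table)        # src IP -> genuine marking
        self.hop_count_table = dict(hop_count_table)    # src IP -> hop count
        self.tolerance = tolerance    # 'allowable hop count limit' (Table 3)
        self.threshold = threshold    # mismatch score threshold (Table 3)
        self.max_echo = max_echo      # n unanswered echo requests before the IP is blocked
        self.mismatch = {}            # src IP -> Mismatch score
        self.auth_list = {}           # src IP -> {marking, counter, content}
        self.blocked = set()

    def _hop_ok(self, ip, ttl):
        return abs(self.hop_count_table[ip] - hop_count_from_ttl(ttl)) <= self.tolerance

    def classify(self, ip, marking, ttl):
        """Return 'accept' or 'drop' following the rows of Table 1."""
        if ip in self.blocked:
            return "drop"
        in_mt = ip in self.marking_table
        in_hc = ip in self.hop_count_table
        if in_mt and self.marking_table[ip] == marking:
            return "accept"                   # row 1: genuine marking, no hop check needed
        # Every other row is a doubtful decision: count it against the source IP.
        self.mismatch[ip] = self.mismatch.get(ip, 0) + 1
        if in_hc:
            decision = "accept" if self._hop_ok(ip, ttl) else "drop"   # rows 2, 3, 5, 6
        else:
            decision = "drop" if in_mt else "accept"                   # rows 4 and 7
        if self.mismatch[ip] > self.threshold and ip not in self.auth_list:
            self.start_verification(ip, marking)
        return decision

    def start_verification(self, ip, marking):
        """Add an Authentication list entry and send the first Reqg (ICMP type 8, code 1)."""
        self.auth_list[ip] = {"marking": marking, "counter": 0, "content": os.urandom(8)}
        return self.send_echo(ip)

    def send_echo(self, ip):
        entry = self.auth_list[ip]
        entry["counter"] += 1
        return {"type": 8, "code": 1, "dst": ip, "data": entry["content"]}

    def echo_timeout(self, ip):
        """No Resg within the RTT: resend, or after n unanswered requests block the IP."""
        if self.auth_list[ip]["counter"] >= self.max_echo:
            del self.auth_list[ip]
            self.blocked.add(ip)
            return None
        return self.send_echo(ip)

    def handle_echo_reply(self, ip, reply):
        """Resg (ICMP type 0, code 1): genuine only if it echoes the stored content."""
        entry = self.auth_list.get(ip)
        if entry is None or reply.get("type") != 0 or reply.get("data") != entry["content"]:
            return False                      # forged, stale or unsolicited reply
        if reply.get("marking") != entry["marking"]:
            return False                      # host is real, the marking under test is not
        self.marking_table[ip] = entry["marking"]          # update the tables
        if "ttl" in reply:
            self.hop_count_table[ip] = hop_count_from_ttl(reply["ttl"])
        self.mismatch[ip] = 0
        del self.auth_list[ip]
        return True
```

The random echo content is what defeats a forged reply: an attacker who spoofed the source never saw the request, so a reply without the stored bytes is rejected and the score is not reset. Note that rows 2, 5 and 7 accept the packet while still raising the score, so a long run of accepted-but-doubtful packets from one source eventually triggers verification rather than silently widening the accept set.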

5 The backpressure technique

When a victim finds itself dropping a large number of attack packets from a specific host after examining them against the tables, or when it has information about ongoing DoS attacks (Mahajan et al., 2003), it may decide to invoke the backpressure or pushback technique. This is a method wherein the victim sends the attack signatures to the upstream routers and instructs them to filter the attack packets before they congest the links, at the earliest possible time and in a recursive way. In the backpressure technique, when a victim sees more packets coming from a specific host that are mostly dropped, it assumes that these packets are offending. Subsequently, it issues a backpressure request to the upstream router that forwarded the packets to the victim. This request packet is an ICMP Router Solicitation packet with type 10 and code 1. When the victim decides to issue a backpressure request, it sends the source IP and the marking in the dropped packets of the suspected host to the router that forwarded these packets. On receiving the request, the router finds, from the marking obtained from the backpressure request, the marking that the packets carry at the router itself, as shown below.

Markings at a router = Marking from the backpressure request / Number of interfaces of the router. (2)

Once the markings on the packets are found, the upcoming packets from the suspected host are probed at the router for their genuine markings. If they do not carry the genuine marking, the packets are dropped at the router rather than being allowed into the victim. Further, we use the Hop Count Table at the router as at the victim; this increases the accuracy of detection. Each upstream router uses the strategy presented in Table 1 for detecting the spoofed traffic. If the upstream router is also clogged, then it issues the backpressure request to the next upstream router at the behest of the victim. To find the upstream router that sent the packets to a router, the reverse modulo technique is used. This technique finds the interface that connects the router to the upstream router and is given below.

Inbound interface = Mod(Marking in the packet, Number of interfaces of the router). (3)

In this way, the attack traffic is dropped at the earliest time, before it chokes the victim. By propagating the backpressure messages, a tree is constructed in which the root is the victim that initiated the request and the interior nodes are the upstream routers that forwarded the packets. Since the routers closer to the victim witness more traffic than far off routers, the constructed tree need not contain all the routers along the path. This implies that even partial deployment of the proposed scheme would yield good results. We discuss the effectiveness of partial deployment in Section 7.
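Backpressure handling at the upstream routers, as an added worked example (not the authors' implementation): a router receiving the request applies equation (2) to learn the marking that genuine packets from the suspected source carry on arrival, equation (3) to find the inbound interface and hence the next upstream router, installs a filter, and propagates the request only while it is itself congested, which yields the tree described above. The example reads equation (2) as giving the marking before the router's own stamp, which is an interpretation of the text; the flag bit of Section 4.1 is omitted; and the chain of three routers, their interface counts and the packets are constructed.

```python
"""Backpressure at upstream routers (Section 5): added example, not the
authors' code. Topology, interface numbers and packets are constructed;
the ICMP Router Solicitation (type 10, code 1) request is modelled as a dict
and the flag bit of Section 4.1 is left out.
"""


def mark(prev_marking, n_interfaces, inbound_iface):
    """Equation (1) of Section 4.1, repeated so this example runs stand-alone."""
    return prev_marking * n_interfaces + inbound_iface


def expected_incoming_marking(request_marking, n_interfaces):
    """Equation (2): the marking the packets carried when they reached this router
    (read here as the value before the router's own stamp; an interpretation)."""
    return request_marking // n_interfaces


def inbound_interface(marking, n_interfaces):
    """Equation (3): reverse modulo gives the interface the packets came in on."""
    return marking % n_interfaces


class Router:
    def __init__(self, name, n_interfaces, neighbours):
        self.name = name
        self.n = n_interfaces
        self.neighbours = neighbours   # inbound interface number -> upstream Router
        self.filters = {}              # src IP -> marking genuine packets carry on arrival
        self.dropped = 0

    def forward(self, pkt, inbound_iface):
        """Probe the packet against any filter learned from backpressure, then re-mark it."""
        expected = self.filters.get(pkt["src"])
        if expected is not None and pkt["marking"] != expected:
            self.dropped += 1
            return None                # dropped here, before it reaches the victim
        return dict(pkt, marking=mark(pkt["marking"], self.n, inbound_iface))

    def on_backpressure(self, request, congested=lambda router: False):
        """Install the filter; if this router is itself clogged, push the request to the
        upstream router found via equation (3). Returns the names of the routers that now
        filter, i.e. the interior nodes of the backpressure tree, nearest the victim first."""
        incoming = expected_incoming_marking(request["marking"], self.n)
        self.filters[request["src"]] = incoming
        tree = [self.name]
        if congested(self):
            upstream = self.neighbours.get(inbound_interface(request["marking"], self.n))
            if upstream is not None:
                tree += upstream.on_backpressure(
                    {"type": 10, "code": 1, "src": request["src"], "marking": incoming},
                    congested)
        return tree


def build_chain():
    """Constructed topology: edge host -> R1 -> R2 -> R3 -> victim."""
    r1 = Router("R1", 4, {})
    r2 = Router("R2", 8, {5: r1})
    r3 = Router("R3", 6, {1: r2})
    return r1, r2, r3


def send(chain, pkt):
    """Carry one packet along the chain; returns what the victim sees, or None if dropped."""
    r1, r2, r3 = chain
    for router, iface in ((r1, 2), (r2, 5), (r3, 1)):
        pkt = router.forward(pkt, iface)
        if pkt is None:
            return None
    return pkt


def backpressure_request(src, marking):
    """What the victim sends to the router that forwarded the dropped packets."""
    return {"type": 10, "code": 1, "src": src, "marking": marking}


if __name__ == "__main__":
    chain = build_chain()
    seen = send(chain, {"src": "10.0.0.5", "marking": 2})     # genuine: edge-stamped 2
    print("victim sees marking", seen["marking"])
    print(chain[2].on_backpressure(backpressure_request("10.0.0.5", seen["marking"]),
                                   congested=lambda r: True))
    print(send(chain, {"src": "10.0.0.5", "marking": 3}))     # spoofed: dropped at R1
```

With only the router next to the victim acting on the request (the partial deployment case), a packet that claims the suspected source but was stamped differently at the edge is dropped at R3; once the request has propagated, the same packet is dropped at R1, the first router to see it, and the links between R1 and the victim never carry it.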

6 Simulation results

Through simulation experiments, we analyse and present the effectiveness of FMHCBP below.

6.1 Simulation configuration and traffic trace set

To determine the success rate of our system, we set up a network with hundreds of nodes generating both legitimate and attack traffic using the Network Simulator (NS, 2008). To simulate realistic network traffic, we have conducted trace driven simulation experiments. The network traffic set used in our study is collected from NLANR (NLANR, 2005). These traffic traces are used for simulating legitimate traffic, whereas the attack traffic is created using the traffic generators of the Network Simulator.

6.2 Selection of parameters and their impact

There are control parameters that play an important role in determining the accuracy and efficiency of FMHCBP. We have tested the effects of changing the values of the parameters on a trial and error basis with network traffic traces. The parameters that decide the success of FMHCBP, along with their values, are presented in Table 3.

Table 3 Setting of control parameters

Parameter                    | Value
Marking probability          | 0.3
Size of the Marking Table    | 100 entries
Size of the Hop Count Table  | 5 entries for each TTL
Threshold for mismatch score | 30
Allowable hop count limit    | 3

The above table shows the values that we arrived at through the trial and error based experiments.

6.3 Comparative evaluation of FMHCBP and other related schemes


In this section, we attempt to provide a comparative evaluation of FMHCBP with other closely related systems based on the pushback technique. To compare, we consider ACC, CDR, Selective Pushback and DefCOM schemes proposed by Mahajan et al. (2003), Lam et al. (2006), Peng et al. (2002) and Mirkovic et al. (2005a) respectively.

6.3.1 Performance under spoofed and randomised attacks


In order to validate the performance of the system under spoofing and randomised attacks, some IP addresses are spoofed for sending malicious packets. Along with spoofing, we also use some random IP addresses for generating randomised attack traffic. The results of this comparison are presented in Table 4 in terms of the acceptance and rejection ratio of the spoofed and randomised attack traffic by the different approaches.

Table 4 Acceptance and rejection ratio of spoofed and randomised attack traffic

Approach                | Acceptance ratio | Rejection ratio
FMHCBP (with prob. 0.3) | 0.21             | 0.79
ACC                     | 0.62             | 0.38
Selective pushback      | 0.72             | 0.28
CDR                     | 0.43             | 0.57
DefCOM                  | 0.68             | 0.32

As shown in the above table, FMHCBP allows comparatively less attack traffic than the other closely related systems.

6.3.2 Throughput analysis

We have tested FMHCBP and the other systems taken for comparison to find the throughput offered to the good and bad traffic. Except for the Selective Pushback scheme addressed in Peng et al. (2002), all the other systems provide more or less fair treatment to the legitimate traffic. Hence, we provide a comparison between the good traffic throughput of FMHCBP and Selective Pushback alone. As the Selective Pushback scheme uses the normal profile collected during the learning period to find the rate of change of packets from each router and detect the attacks, any good traffic whose volume exceeds the normal profile would be penalised. But FMHCBP supports the good traffic without penalising it. This is shown in Figure 2.

Figure 2 Good traffic throughput for FMHCBP vs. Selective Pushback

Providing fair treatment to the good traffic alone would not make a system more effective; minimisation of the attack traffic throughput is also required. So, in order to validate FMHCBP against the attack traffic, we have conducted a test using the attack traffic and observed the performance of our system and all the other systems taken for comparison. The attack traffic throughputs of the various systems are depicted in Figures 3-6.

Figure 3 Attack traffic throughput for FMHCBP vs. Selective Pushback

Figure 4 Attack traffic throughput for FMHCBP vs. ACC

Figure 5 Attack traffic throughput for FMHCBP vs. CDR

10

S. Malliga and A. Tamilarasi attempts to spoof more number of hosts within the same network.
Figure 8 False negative rate of various systems for 5 spoofed hosts

Figure 6 Attack trafc throughput for FMHCBP vs. DefCOM

All these above gures clearly depict that FMHCBP provides less attack trafc throughput than that of other systems. Increasing the probability of marking at the routers can further reduce the attack trafc throughput.

7 Practical implementation: issues 6.3.3 False alarm rate 7.1 Partial deployment scenario
In order to make the system effective, we also need to keep false positives and negatives as low as possible. False positives occur if valid packets are classied as attack and dropped. Classifying attack packets as valid and allowing them can lead to false negatives. As discussed, almost all the systems treat the legitimate trafc alike; we here consider only false negatives. To determine the rate of false alarm for the attack packets (i.e.) false negatives, we have gradually increased the number of spoofed users and calculated the rate of attack trafc allowed into a victim for various schemes. Figures 7 and 8 show the false negative rate of various schemes for the increased number of spoofed hosts.
Figure 7 False negative rate of various systems for 3 spoofed hosts

It is clear from Figures 7 and 8 that FMHCBP raises lower false alarm than other systems even if attackers

This section investigates the performance of FMHCBP under the partial deployment scenario. The number of routers that participate in the detection and filtering process is important in partial deployment, as we cannot demand that all routers participate in this process; that would increase the overhead on the routers. Therefore, we have tested different participation scenarios and present two of them. As more packets from the same source address are dropped, the victim sends a backpressure request to the upstream router, as explained in Section 5. The upstream router then finds, from the backpressure request using equation (2), the genuine marking of the source host as it would appear at that router. Using the marking, the upstream router probes the validity of further packets from the host and drops them if necessary. Consequently, we avoid the propagation of the attack traffic to the victim, thus relieving it of the burden of handling the attack traffic. Upon receiving a backpressure request, an upstream router starts the detection and filtering process. The router can even decide to propagate the request further upstream when it is congested. This relieves the congestion at the downstream routers. As the detection process is propagated to the upstream routers, the downstream routers become less burdened. This does not imply that all routers must deploy our system. The routers close to the victim may deploy it, as they witness more traffic than the routers close to the source hosts. In Figure 9, we present the amount of attack traffic that would propagate through the routers towards the victim. Figure 9 depicts that the attack traffic throughput at the victim would be less when the defensive system is installed at the victim or close to it. But this allows the attack traffic to traverse the links towards the victim. The earlier the defence, the less traffic on the links towards the victim and at the victim.

A backpressure technique for filtering spoofed traffic at upstream routers

Figure 9 Amount of traffic towards the victim using the backpressure technique

Obviously, if more nodes deploy FMHCBP, the scalability of the system is improved. This, in turn, would increase the processing and storage overhead on those nodes. But even sparse deployment of FMHCBP would provide significant benefits to the network users, as shown in Figure 9.

7.2 Dynamic routing

Routers are generally assumed to be stable in most packet marking algorithms, to enable correct attack path construction. Since routing protocols are dynamic and the internet is stochastic in nature, the route a packet takes depends on the network status. This may lead to more than one path between the systems, and hence a victim may not be able to find the true origin. Our algorithm, however, takes care of dynamic routing too and provides maximum throughput for the good traffic while reducing the bandwidth of the bad traffic. We provide an example to illustrate the strength of FMHCBP under route changes. Suppose a host sends packets with genuine marking to a destination host. While receiving the packets, the destination examines the marking for consistency. If the marking is consistent, it allows the packets; here it is not necessary to check hop count values. But our system would have observed the packets and recorded their hop count values in the Hop Count Table. When there is a change in routing, the packets would not carry genuine markings. Since there is no match on marking, rather than dropping the packets, we compare the hop count values. As the route has changed, the hop count would most likely have changed too, and our system accounts for this. That is, if a route is changed for any reason such as congestion, removal of nodes, or failure of links or nodes, the packets would be forwarded via neighbouring routers. Even though this would change the hop count value at the victim, the change would be very marginal. We consider this fact and allow the packet. This provides fair treatment to the host by maximising its throughput, without dropping the packets from it. But if the deviation of the hop count value is significant, then FMHCBP tends to drop the legitimate traffic, thus punishing it. On the other hand, once the mismatch score for the host exceeds the threshold, an ICMP Echo request packet is sent to the host to verify its genuineness, as described earlier in Subsection 4.2. Even though it seems that FMHCBP penalises the good flow, this is done only for a few packets. After receiving the echo reply, the packets are further allowed or dropped. Based on the reply, the tables are appropriately updated.

7.3 Learning and size of the Marking and Hop Count Tables

Since the Marking and Hop Count Tables play a significant role in distinguishing packets as good or attack, they need to keep records of genuine values. We populate these tables through extensive simulation studies with no attacks. To account for instability in routing, we intentionally make some routers fail and find the path taken by the packets to reach the destination. From this, we calculate the difference in hop count and use it as the boundary for hop count values. The addition of new hosts, which are not seen during the learning period, into these tables is also allowed. The Hop Count Table has only 256 entries since the TTL field is 8 bits. Each entry has a list of source IP addresses with a specific hop count value. The size of each entry is limited. To limit the growth of the entries in both tables, we fix a size. Once they are filled, the oldest entry is replaced by a new entry.
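The victim-side decision described in Sections 7.2 and 7.3, as an added example that is not the paper's code: a bounded 256-slot Hop Count Table with oldest-entry replacement, and a check that accepts a genuine marking, tolerates a marginal hop-count deviation after a route change, and escalates to an ICMP Echo probe once a host's mismatch score reaches the threshold. The TTL-to-hop-count inference, the admission of unseen hosts, and the boundary and threshold values are assumptions for illustration.

```python
# Added illustration (not the paper's code) of the victim-side check in
# Sections 7.2 and 7.3: a Hop Count Table with 256 slots (one per TTL value)
# whose per-slot source lists are bounded with oldest-entry replacement, and
# a packet check that accepts a genuine marking, tolerates a marginal hop
# count deviation after a route change, and escalates to an ICMP Echo probe.
from collections import OrderedDict, defaultdict

# Assumption: hops = smallest common initial TTL >= observed TTL, minus TTL.
INITIAL_TTLS = (32, 64, 128, 255)


def hop_count_from_ttl(ttl):
    """Hops travelled = assumed initial TTL - TTL observed at the victim."""
    initial = next(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


class HopCountTable:
    """256 entries (TTL is 8 bits); each entry lists the source IPs seen at
    that hop count, capped at entry_limit with the oldest entry replaced."""

    def __init__(self, entry_limit=4):
        self.entry_limit = entry_limit
        self.entries = [OrderedDict() for _ in range(256)]

    def record(self, src_ip, hops):
        entry = self.entries[hops]
        if src_ip in entry:
            return
        if len(entry) >= self.entry_limit:
            entry.popitem(last=False)  # oldest entry is replaced
        entry[src_ip] = True

    def learned_hops(self, src_ip):
        return [h for h, e in enumerate(self.entries) if src_ip in e]


class Victim:
    """Marking Table (src_ip -> genuine marking) plus the Hop Count Table."""

    def __init__(self, marking_table, hop_boundary=2, score_threshold=3):
        self.marking_table = dict(marking_table)
        self.hop_table = HopCountTable()
        self.hop_boundary = hop_boundary  # learned from failed-router runs
        self.score_threshold = score_threshold
        self.mismatch = defaultdict(int)  # per-host mismatch score

    def check(self, src_ip, marking, ttl):
        """Return "allow", "drop" or "probe" (send ICMP Echo request)."""
        hops = hop_count_from_ttl(ttl)
        if src_ip not in self.marking_table:  # assumption: new hosts learned
            self.marking_table[src_ip] = marking
            self.hop_table.record(src_ip, hops)
            return "allow"
        if self.marking_table[src_ip] == marking:
            self.hop_table.record(src_ip, hops)  # hop count still recorded
            return "allow"
        known = self.hop_table.learned_hops(src_ip)
        if known and min(abs(hops - h) for h in known) <= self.hop_boundary:
            return "allow"  # marginal deviation: treated as a route change
        self.mismatch[src_ip] += 1
        if self.mismatch[src_ip] >= self.score_threshold:
            return "probe"  # verify genuineness as in Subsection 4.2
        return "drop"
```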

7.4 Overhead and complexity

As the routers need to mark the packets that traverse them, this may incur additional overhead on the routers. But it is unavoidable for any marking scheme. However, by choosing the marking probability appropriately, the overhead may be reduced. The backpressure technique would also significantly reduce the number of routers marking the packets. Considering the storage requirement, the Marking and Hop Count Tables need to be maintained at the victim. This may incur storage overhead at the victim. But this is affordable and tolerable when compared with the security threats that stem from allowing the attack traffic into the victim. Implementing backpressure would decrease the storage requirements at the victim. An upstream router is not required to maintain a complete copy of the tables as at the victim; it can maintain records only for the traffic that passes through it, thereby distributing the storage requirement across the upstream routers. Further, due to the way the marking is done, occasionally the IP ID and fragmentation fields may not be sufficient to hold the marking information. We refer the reader to Malliga and Tamilarasi (2008) for the strategy adopted to address this. A comparison of the proposed marking scheme with other competing systems is also presented in that reference.

7.5 MAC spoofing

MAC spoofing is a technique for changing the assigned MAC address of a device connected to a network to a different one. Changing the assigned MAC address allows the device to impersonate another system. As the proposed scheme begins the marking with the MAC address of the sending host, it would fail if the MAC address is spoofed. A simple way to detect whether a MAC address is being spoofed is to run the Reverse Address Resolution Protocol (RARP) against it. RARP maps a MAC address to an IP address. Since a MAC address should map to a single IP address, RARP should return one IP address for one network device. If multiple IP addresses are returned, further investigation is necessary.

7.6 Non-spoofed attacks

This study proposes a mechanism to thwart DoS attacks that employ spoofing. But there are situations wherein the attack packets carry real source IP addresses. Detecting such non-spoofed DoS traffic is difficult as it resembles valid traffic. Monitoring the traffic would be useful to detect it. If a victim is not severely affected, it would treat both good and bad traffic alike. This implies that, as we have no means of detecting each non-spoofed attack packet, and as long as it does not inflict service degradation at the victim, the non-spoofed traffic can be ignored. On the other hand, if the traffic affects the victim severely, then no or only a few replies would be sent by the victim to the sender (Mirkovic and Reiher, 2005b). The reframing feature of TCP/IP for managing the communication between two hosts is used in this situation (Protecting the Network from Denial of Service Attacks, 2001). Legitimate hosts would reframe their traffic if the destination host slows down its acknowledgement rate, whereas the traffic originating from the flooding hosts cannot reframe, and this leads to attack detection.

7.7 Mutual authentication

To prevent attackers forging the backpressure notification packets, mutual authentication is needed between the systems. Authentication is the process of determining whether someone is who they declare to be. Mutual authentication is performed using a Challenge Response System (CRS) in both directions: the sender ensures that the receiver knows the secret code and vice versa. The CRS employs nonces to ensure uniqueness and prevent attackers from mounting man-in-the-middle and replay attacks. In order to avoid forging of the notification packets, a simple CRS can be used. As there is no wide deployment of Public Key Infrastructure, and since a CRS requires a secret code known to both parties involved in the communication, a random number is generated by the party initiating the communication and sent to the recipient of the communication. This random number serves as the secret code. The steps involved in mutual authentication are described below.

1 The sending host, i.e. the victim, sends a challenge Vc to the receiver, i.e. the nearest router which is supposed to block the packets.

2 The router generates a challenge Rc and computes the response to the victim as Rr = hash(Rc, Vc, secret code).

3 The router sends Rr and Rc to the victim.

4 The victim calculates the expected value of Rr, compares it with the actual Rr and ensures the authenticity of the router.

5 The victim computes Vr = hash(Vc, Rc, secret code) and sends it to the router.

6 The router calculates the expected value of Vr, compares it with the actual Vr and ensures the authenticity of the victim.

By means of this simple mutual authentication, the forging of packets by attackers can be prevented. The mutual authentication between intermediate routers can also be performed by the above mechanism. To avoid faking of the ICMP Echo request and reply packets, we also plan to employ this simple authentication scheme. The current version of the proposed scheme does not use any mutual authentication between the systems involved in the communication. We plan to address this in further study.

7.8 Other issues

There are situations where a high drop rate of packets from specific hosts, or a victim's observation that there is congestion, would invoke the backpressure technique. The contents of the backpressure request should not incur traffic overhead on the network. Taking this into account, we include only the source address and the marking from that address. The contents of the backpressure request are smaller than those of the pushback signal used by ACC in Mahajan et al. (2003), which includes a congestion signature, bandwidth limit, expiration time, pushback type, etc. The systems in Lam et al. (2006), Peng et al. (2002) and Mirkovic et al. (2005a) also require a congestion signature or aggregates to be pushed back. Moreover, these methods admit the attack traffic into the victim until there is congestion and then either apply a rate limit or issue a pushback request, whereas FMHCBP attempts to drop most of the attack packets as soon as they arrive at the victim or at the upstream routers.
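The six-step challenge-response exchange of Section 7.7 between a victim and its nearest upstream router, as an added example that is not the paper's code. hash(a, b, secret code) is realised here as SHA-256 over length-prefixed inputs (an assumption; the paper does not fix the hash), and how the secret code reaches both parties is outside the example.

```python
# Added illustration (not the paper's code) of the Section 7.7 mutual
# authentication: victim sends Vc; router answers with Rc and
# Rr = hash(Rc, Vc, secret); victim checks Rr and answers with
# Vr = hash(Vc, Rc, secret); router checks Vr. Challenges are fresh nonces,
# so a recorded reply to an old challenge does not verify for a new one.
import hashlib
import hmac
import secrets


def response_hash(challenge_a, challenge_b, secret_code):
    """hash(challenge_a, challenge_b, secret code) from steps 2 and 5.
    Assumption: SHA-256 over length-prefixed parts (unambiguous framing)."""
    h = hashlib.sha256()
    for part in (challenge_a, challenge_b, secret_code):
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class Party:
    """One endpoint (victim or router) holding the shared secret code."""

    def __init__(self, secret_code):
        self.secret_code = secret_code
        self.seen_challenges = set()  # a reused peer challenge is a replay

    def new_challenge(self):
        return secrets.token_bytes(16)  # 128-bit nonce

    def router_reply(self, vc):
        """Steps 2 and 3: the router answers Vc with (Rr, Rc)."""
        if vc in self.seen_challenges:
            raise ValueError("replayed victim challenge")
        self.seen_challenges.add(vc)
        rc = self.new_challenge()
        return response_hash(rc, vc, self.secret_code), rc

    def victim_verify_and_reply(self, vc, rr, rc):
        """Steps 4 and 5: the victim checks Rr, then returns Vr (or None)."""
        expected = response_hash(rc, vc, self.secret_code)
        if not hmac.compare_digest(expected, rr):
            return None  # router failed authentication
        return response_hash(vc, rc, self.secret_code)

    def router_verify(self, vc, rc, vr):
        """Step 6: the router checks Vr."""
        expected = response_hash(vc, rc, self.secret_code)
        return hmac.compare_digest(expected, vr)


def mutual_authenticate(victim, router):
    """Run steps 1 to 6; True only if both sides authenticate each other."""
    vc = victim.new_challenge()                      # step 1
    rr, rc = router.router_reply(vc)                 # steps 2 and 3
    vr = victim.victim_verify_and_reply(vc, rr, rc)  # steps 4 and 5
    if vr is None:
        return False
    return router.router_verify(vc, rc, vr)          # step 6
```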


8 Conclusions and future work


The infrastructure of the current internet makes it unfeasible to completely eliminate DoS attacks, and hence it remains vulnerable to them. The destructive nature of these vulnerabilities has led to the development of many anti-DoS solutions. The analysis of the earlier DoS solutions in Section 3 revealed the inherent problems of those schemes. To address these problems, we presented FMHCBP, a system that detects and filters DoS packets and is capable of handling a single DoS packet. FMHCBP marks the packets with the inbound interface of the routers and uses these markings to detect attack packets. In addition, the hop count is used to decide the genuineness of a packet if the marking does not help. Further, by backpressure, we have attempted to block the traffic at the upstream routers, thus avoiding congestion at the victim. We have also demonstrated the effectiveness of FMHCBP against DoS attacks, especially the ability of the system to keep false negatives low. Additionally, FMHCBP is more resistant to spoofing attacks within the same network, against which the other systems are not so effective. Currently we have experimented with our proposal in the network simulator. As part of this study, we intend to implement FMHCBP in a testbed environment and evaluate its performance. Yet this is not a complete solution, as several constraints remain to be addressed. The main area of future work will focus on reducing the storage and processing overhead on the core routers. To address the storage overhead, an efficient data structure for storing the tables and the authentication list needs to be investigated. By integrating with source-end defences, which filter spurious packets at the earliest time, the processing and storage overhead may be further reduced. Our future work will examine the possibility of such integration. We also plan to extend our research through a comprehensive authentication mechanism that can prevent forging by attackers.

In summary, this study introduces a protective scheme that filters spoofed traffic and opens several alternative approaches for future work dealing with DoS attacks.

References
Ali, K., Hassanein, H. and Zulkernine, M. (2007) Packet filtering based on source router marking and hop-count, The 32nd IEEE Conference on Local Computer Networks, Dublin, October, pp.1061–1068.

Anderson, T., Karlin, A., Savage, S. and Wetherall, D. (2001) Practical network for IP Traceback, IEEE/ACM Transactions on Networking, Vol. 9, No. 3, pp.226–237.

Ansari, N. and Belenky, A. (2003) IP traceback with deterministic packet marking, IEEE Communications Letter, Vol. 7, No. 4, pp.162–164.

Bellovin, S.M. (2000) ICMP Traceback Message, Internet Draft, Consulted in: March, http://tools.ietf.org/draft/draft-bellovin-itrace/draft-bellovin-itrace-00.txt

Chen, Y., Das, S., Dhar, P., Saddik, A.E. and Nayak, A. (2008) Detecting and preventing IP-Spoofed distributed DoS attacks, International Journal of Network Security, Vol. 7, No. 1, pp.70–81.

Choi, K.H. and Dai, H.K. (2004) A marking scheme using huffman codes for IP traceback, The 7th International Symposium on Parallel Architectures, Algorithms and Networks (SPAN'04), Hong Kong, SAR, China, May, pp.421–428.

Garber, L. (2000) Denial of service attack rip in the internet, IEEE Computer, Vol. 33, No. 4, April, pp.12–17.

Jin, C., Shin, K.G. and Wang, H. (2007) Defense against spoofed IP traffic using Hop-count filtering, IEEE/ACM Transactions on Networking, Vol. 15, No. 1, pp.40–53.

Kent, S.T., Jones, C.E., Partridge, C., Sanchez, L.A., Schwartz, B., Snoeren, A.C., Strayer, W.T. and Tchakountio, F. (2002) Single-packet IP traceback, IEEE/ACM Transactions on Networking, Vol. 10, No. 6, pp.721–734.

Lam, H., Li, C., Chanson, S.T. and Yeung, D. (2006) A coordinated detection and response scheme for distributed denial of service attacks, The IEEE International Conference on Communications (ICC'06), Istanbul, June, Vol. 5, pp.2165–2170.

Mahajan, R., Bellovin, S.M. and Floyd, S. (2003) Controlling high bandwidth aggregates in the network, ACM SIGCOMM Computer Communication Review, Vol. 32, No. 3, pp.62–73.

Malliga, S. and Tamilarasi, A. (2008) A proposal for new marking scheme with its performance evaluation for IP Traceback, WSEAS Transactions on Computer Research, Vol. 3, No. 4, pp.259–272.

Microsoft Corporation (2006) Stop 0A in tcpip.sys When Receiving Out of Band (OOB) Data, Consulted in: 31st October, http://support.microsoft.com/support/kb/articles/Q143/4/78.asp

Mirkovic, J. (2002) D-WARD: DDoS Network Attack Recognition and Defense, PhD Dissertation Prospectus, Computer Science Department, University of California, Los Angeles, January.

Mirkovic, J., Robinson, M., Reiher, P. and Oikonomou, G. (2005a) Distributed Defense Against DDoS Attacks, Technical Report, Consulted in: www.cis.udel.edu/sunshine/publications/udel-tech-report2005-02.pdf

Mirkovic, J. and Reiher, P. (2005b) D-WARD: a source-end defense against flooding denial of service attacks, IEEE Transactions on Dependable and Secure Computing, Vol. 2, No. 3, pp.216–232.

Mittal, P. (2005) Defense Against Distributed Denial of Service Attacks, A Seminar Report, IIT, April, Guwahati, India.

National Laboratory for Applied Network Research (2005) NLANR Packet Traces, Consulted in: http://pma.nlanr.net/Traces/traces/long

Network Simulator (2008) Consulted in: http://www.isi.edu/nsnam/ns/

Peng, T., Leckie, C. and Ramamohanarao, K. (2002) Defending against distributed denial of service attacks using selective pushback, The Ninth IEEE International Conference on Telecommunication (ICT'02), Beijing, China, pp.411–429.

Peng, T., Leckie, C. and Ramamohanarao, K. (2003) Detecting reflector attacks by sharing beliefs, The Global Telecommunications Conference (GLOBECOM'03), December, San Francisco, Vol. 3, pp.1358–1362.

Perrig, A. and Song, D.X. (2001) Advanced and authenticated marking scheme for IP Traceback, The 20th Annual Conference of IEEE Communications and Computer Societies (INFOCOM'01), Alaska, April, Vol. 2, pp.878–886.

Protecting the Network from Denial of Service Attacks (2001) The Captus Networks TRaP Technology, Consulted in: http://comnet.technion.ac.il/projects/winter03/cn10w03/PDF/TLIDSWhitePapers.pdf

Stoica, I. and Zhang, H. (1999) Providing guaranteed services without per flow management, ACM SIGCOMM Computer Communication Review, Cambridge, MA, USA, October, Vol. 29, No. 4, pp.81–94.

Templeton, S.J. and Levitt, K.E. (2003) Detecting spoofed packets, The DARPA Information Survivability Conference and Exposition, Vol. 1, pp.164–175.

Walsh, M., Balakrishnan, H., Karger, D. and Shenker, S. (2005) DoS: fighting fire with fire, The Fourth ACM Workshop on Hot Topics in Networks (HotNets), College Park, Maryland, November.
