On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack

K. Park, Heejo Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

223 Citations (Scopus)

Abstract

Effective mitigation of denial of service (DoS) attacks is a pressing problem on the Internet. In many instances, DoS attacks can be prevented if the spoofed source IP address is traced back to its origin, which allows assigning penalties to the offending party or isolating the compromised hosts and domains from the rest of the network. Recently, IP traceback mechanisms based on probabilistic packet marking (PPM) have been proposed for achieving traceback of DoS attacks. In this paper, we show that probabilistic packet marking, of interest due to its efficiency and implementability vis-à-vis deterministic packet marking and logging- or messaging-based schemes, suffers under spoofing of the marking field in the IP header by the attacker, which can impede traceback by the victim. We show that there is a trade-off between the ability of the victim to localize the attacker and the severity of the DoS attack, which is represented as a function of the marking probability, path length, and traffic volume. The optimal decision problem (the victim can choose the marking probability, whereas the attacker can choose the spoofed marking value, source address, and attack volume) can be expressed as a constrained minimax optimization problem, where the victim chooses the marking probability such that the number of forgeable attack paths is minimized. We show that the attacker's ability to hide his location is curtailed by increasing the marking probability; the latter, however, is upper-bounded due to sampling constraints. In typical IP internets, the attacker's address can be localized to within 2-5 equally likely sites, which renders PPM effective against single-source attacks. Under distributed DoS attacks, the uncertainty achievable by the attacker can be amplified, which diminishes the effectiveness of PPM.
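The abstract's argument rests on two rates: a router's genuine mark reaches the victim only if it marks and no downstream router overwrites it, while an attacker-supplied mark survives only if no router on the path marks at all. The following simulation is an added illustration, not code or a model from the paper itself: it uses a simplified node-sampling form of PPM (one mark field, each router overwrites it with probability p) on a single attack path of d routers, with an attacker who pre-fills the mark field with forged identifiers. Router names R1..Rd, forged names F0.., packet counts and the packet budget are all constructed for the example; the formulas are derived from this simplified model and are not quoted from Park and Lee.

```python
# Added illustration (not code from Park & Lee): a simplified node-sampling
# PPM model with an attacker who spoofs the mark field. Router identifiers
# (R1..Rd), forged identifiers (F0..) and all packet counts are constructed.
import random
from collections import Counter


def genuine_mark_rate(p, d, hop):
    """Fraction of attack packets that reach the victim carrying router
    R_hop's mark: R_hop marks (p) and none of the d-hop later routers overwrite it."""
    return p * (1 - p) ** (d - hop)


def forged_mark_rate(p, d):
    """Fraction of packets whose attacker-chosen mark survives all d routers."""
    return (1 - p) ** d


def forgeable_paths(p, d):
    """Number of distinct forged first-hop identifiers the attacker can deliver
    at the same rate as the genuine first hop R1 produces marks:
    (1-p)^d / (p (1-p)^(d-1)) = (1-p)/p, independent of path length."""
    return forged_mark_rate(p, d) / genuine_mark_rate(p, d, 1)


def packets_needed(p, d):
    """Expected attack packets before the victim sees a single R1 mark:
    the sampling cost that grows sharply as p is pushed towards 1."""
    return 1.0 / genuine_mark_rate(p, d, 1)


def best_marking_probability(d, packet_budget, step=0.01):
    """Victim's constrained choice on a coarse grid: the largest p whose
    sampling cost fits the budget. Because (1-p)/p decreases in p, the largest
    feasible p minimises the number of forgeable paths."""
    best = None
    for i in range(1, int(round(1 / step))):
        p = round(i * step, 10)
        if packets_needed(p, d) <= packet_budget:
            best = p
    return best


def simulate(p, d, n_packets, forged_ids, seed=1):
    """Push attack packets through d marking routers. The attacker pre-fills
    the mark field, cycling through forged_ids; each router overwrites the
    field with probability p. Returns the mark counts observed by the victim."""
    rng = random.Random(seed)
    counts = Counter()
    for i in range(n_packets):
        mark = forged_ids[i % len(forged_ids)]
        for hop in range(1, d + 1):
            if rng.random() < p:
                mark = f"R{hop}"
        counts[mark] += 1
    return counts


def forged_to_genuine_ratio(counts, forged_ids):
    """Mean count of a forged identifier relative to the genuine first hop R1.
    A value near 1.0 means the forged first hops look just like R1 to the victim."""
    mean_forged = sum(counts[f] for f in forged_ids) / len(forged_ids)
    return mean_forged / max(counts["R1"], 1)


if __name__ == "__main__":
    d = 10
    forged = [f"F{i}" for i in range(24)]  # 24 = (1-p)/p at p = 0.04
    for p in (0.04, 0.5):
        counts = simulate(p, d, 50_000, forged)
        print(f"p={p}: forgeable paths={forgeable_paths(p, d):.1f}, "
              f"packets per R1 mark={packets_needed(p, d):.0f}, "
              f"forged/R1 count ratio={forged_to_genuine_ratio(counts, forged):.2f}")
    print("largest p within a 10000-packet budget:", best_marking_probability(d, 10_000))
```

At p = 0.04 the 24 forged identifiers each arrive at the victim about as often as the real first hop, so the victim faces 25 equally plausible origins; at p = 0.5 the same 24 forged identifiers are diluted to a small fraction of R1's count and are easy to discard, but the victim now needs roughly a thousand packets per R1 mark on a 10-hop path. The grid search shows the constrained choice the abstract describes: raise p as far as the sampling budget allows and no further.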

Original language: English
Title of host publication: Proceedings - IEEE INFOCOM
Pages: 338-347
Number of pages: 10
Volume: 1
Publication status: Published - 2001
Externally published: Yes
Event: 20th Annual Joint Conference on the IEEE Computer and Communications Societies (IEEE INFOCOM 2001) - Anchorage, AK, United States
Duration: 2001 Apr 22 to 2001 Apr 26

Other

Other: 20th Annual Joint Conference on the IEEE Computer and Communications Societies (IEEE INFOCOM 2001)
Country: United States
City: Anchorage, AK
Period: 01/4/22 to 01/4/26

Fingerprint

Internet
Constrained optimization
Sampling
Denial-of-service attack
Uncertainty

Keywords

  • Denial of service attack
  • IP spoofing
  • Network security
  • Probabilistic packet marking
  • Traceback analysis

ASJC Scopus subject areas

  • Hardware and Architecture
  • Electrical and Electronic Engineering

Cite this

On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack. / Park, K.; Lee, Heejo.

Proceedings - IEEE INFOCOM. Vol. 1 2001. p. 338-347.


Park, K & Lee, H 2001, On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack. in Proceedings - IEEE INFOCOM. vol. 1, pp. 338-347, 20th Annual Joint Conference on the IEEE Computer and Communications Societies (IEEE INFOCOM 2001), Anchorage, AK, United States, 01/4/22.
@inproceedings{60bd5f83646f4819a3456304e7ab2f97,
title = "On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack",
abstract = "Effective mitigation of denial of service (DoS) attacks is a pressing problem on the Internet. In many instances, DoS attacks can be prevented if the spoofed source IP address is traced back to its origin, which allows assigning penalties to the offending party or isolating the compromised hosts and domains from the rest of the network. Recently, IP traceback mechanisms based on probabilistic packet marking (PPM) have been proposed for achieving traceback of DoS attacks. In this paper, we show that probabilistic packet marking, of interest due to its efficiency and implementability vis-{\`a}-vis deterministic packet marking and logging- or messaging-based schemes, suffers under spoofing of the marking field in the IP header by the attacker, which can impede traceback by the victim. We show that there is a trade-off between the ability of the victim to localize the attacker and the severity of the DoS attack, which is represented as a function of the marking probability, path length, and traffic volume. The optimal decision problem (the victim can choose the marking probability, whereas the attacker can choose the spoofed marking value, source address, and attack volume) can be expressed as a constrained minimax optimization problem, where the victim chooses the marking probability such that the number of forgeable attack paths is minimized. We show that the attacker's ability to hide his location is curtailed by increasing the marking probability; the latter, however, is upper-bounded due to sampling constraints. In typical IP internets, the attacker's address can be localized to within 2-5 equally likely sites, which renders PPM effective against single-source attacks. Under distributed DoS attacks, the uncertainty achievable by the attacker can be amplified, which diminishes the effectiveness of PPM.",
keywords = "Denial of service attack, IP spoofing, Network security, Probabilistic packet marking, Traceback analysis",
author = "K. Park and Heejo Lee",
year = "2001",
language = "English",
volume = "1",
pages = "338--347",
booktitle = "Proceedings - IEEE INFOCOM",

}

TY - GEN

T1 - On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack

AU - Park, K.

AU - Lee, Heejo

PY - 2001

Y1 - 2001

N2 - Effective mitigation of denial of service (DoS) attacks is a pressing problem on the Internet. In many instances, DoS attacks can be prevented if the spoofed source IP address is traced back to its origin, which allows assigning penalties to the offending party or isolating the compromised hosts and domains from the rest of the network. Recently, IP traceback mechanisms based on probabilistic packet marking (PPM) have been proposed for achieving traceback of DoS attacks. In this paper, we show that probabilistic packet marking, of interest due to its efficiency and implementability vis-à-vis deterministic packet marking and logging- or messaging-based schemes, suffers under spoofing of the marking field in the IP header by the attacker, which can impede traceback by the victim. We show that there is a trade-off between the ability of the victim to localize the attacker and the severity of the DoS attack, which is represented as a function of the marking probability, path length, and traffic volume. The optimal decision problem (the victim can choose the marking probability, whereas the attacker can choose the spoofed marking value, source address, and attack volume) can be expressed as a constrained minimax optimization problem, where the victim chooses the marking probability such that the number of forgeable attack paths is minimized. We show that the attacker's ability to hide his location is curtailed by increasing the marking probability; the latter, however, is upper-bounded due to sampling constraints. In typical IP internets, the attacker's address can be localized to within 2-5 equally likely sites, which renders PPM effective against single-source attacks. Under distributed DoS attacks, the uncertainty achievable by the attacker can be amplified, which diminishes the effectiveness of PPM.

AB - Effective mitigation of denial of service (DoS) attacks is a pressing problem on the Internet. In many instances, DoS attacks can be prevented if the spoofed source IP address is traced back to its origin, which allows assigning penalties to the offending party or isolating the compromised hosts and domains from the rest of the network. Recently, IP traceback mechanisms based on probabilistic packet marking (PPM) have been proposed for achieving traceback of DoS attacks. In this paper, we show that probabilistic packet marking, of interest due to its efficiency and implementability vis-à-vis deterministic packet marking and logging- or messaging-based schemes, suffers under spoofing of the marking field in the IP header by the attacker, which can impede traceback by the victim. We show that there is a trade-off between the ability of the victim to localize the attacker and the severity of the DoS attack, which is represented as a function of the marking probability, path length, and traffic volume. The optimal decision problem (the victim can choose the marking probability, whereas the attacker can choose the spoofed marking value, source address, and attack volume) can be expressed as a constrained minimax optimization problem, where the victim chooses the marking probability such that the number of forgeable attack paths is minimized. We show that the attacker's ability to hide his location is curtailed by increasing the marking probability; the latter, however, is upper-bounded due to sampling constraints. In typical IP internets, the attacker's address can be localized to within 2-5 equally likely sites, which renders PPM effective against single-source attacks. Under distributed DoS attacks, the uncertainty achievable by the attacker can be amplified, which diminishes the effectiveness of PPM.

KW - Denial of service attack

KW - IP spoofing

KW - Network security

KW - Probabilistic packet marking

KW - Traceback analysis

UR - http://www.scopus.com/inward/record.url?scp=0035010963&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0035010963&partnerID=8YFLogxK

M3 - Conference contribution

VL - 1

SP - 338

EP - 347

BT - Proceedings - IEEE INFOCOM

ER -