
Cryptography, Network Security and Cyber Law

DDoS Attack Prevention/Detection
22.4.3: IP Traceback
Puneeth Reddy H C (1RR16CS052)
IP TRACEBACK

01 IP traceback is any method for reliably determining the origin of a packet on the Internet.

02 The IP protocol does not provide for the authentication of the source IP address of an IP packet, enabling the source address to be falsified in a strategy called IP address spoofing, and creating potential Internet security and stability problems.

03 IP traceback is critical for identifying sources of attacks and instituting protection measures for the Internet. Most existing approaches to this problem have been tailored toward DoS attack detection.
THERE ARE TWO PRINCIPAL APPROACHES TO IP TRACEBACK

01 Probabilistic Packet Marking

02 Packet Logging
PROBABILISTIC PACKET MARKING
Either the packet keeps track of the routers it has visited or each router keeps
track of the packets passing through it. Solutions under the first approach use
packet marking.
Consider, for a moment, that every intermediate router were to append its 32-bit IP address to each packet it forwards. A packet on the Internet traverses about 10 hops on average, so an extra 40 bytes would be needed to keep track of its path from source to destination.
The IP header has a 16-bit Identification (ID) field. This field provides support for packet fragmentation and re-assembly. Different networks have different restrictions on the size of the datagrams they can carry, so a router may split a datagram into two or more fragments and send each fragment separately. The destination host (not an intermediate router) has the responsibility for re-assembling the fragments to create the original packet, and the ID field is what lets it tell which fragments belong to the same datagram.
Traceback schemes employing PPM use the ID field to store partial information on intermediate routers. But, given that the length of each IP address is 4 bytes, how can a packet store router address information in a 16-bit ID field?

The answer lies in computing a global fingerprint for each router, that is, say, 16 or fewer bits of the hash of a router's IP address.

An intermediate router writes its fingerprint value into the ID field of a packet with probability p. Note that it would overwrite a previously written fingerprint of a router closer to the source of the attack. Consequently a router d hops from the victim survives in the ID field of roughly a fraction p(1-p)^(d-1) of the packets: the nearer a router is to the victim, the more often its fingerprint is the one that arrives.

To identify the perpetrator of the attack, the ingress router at the victim end will need to collect a sufficient number of packets that are all part of the same flooding attack; ordering the fingerprints it sees by how often they appear then recovers the attack path, nearest router first. Two caveats: packets that no router marked still carry whatever value the attacker forged in the ID field, and because a fingerprint is only 16 bits, two distinct routers can share one.
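The simulation below is an added example, not code from the original slides or from any traceback implementation; it shows why the victim needs many packets and how the overwrite rule turns mark frequencies into a path. The eight-router path, the addresses, p = 0.2 and the use of the low 16 bits of SHA-256 as the router fingerprint are all assumptions of the example.

```python
import hashlib
import random
from collections import Counter

# Constructed example topology: attacker -> R1 -> R2 -> ... -> R8 -> victim.
# Router addresses and the path length are assumptions made for the simulation.
PATH = ["10.0.%d.1" % i for i in range(1, 9)]   # PATH[0] is nearest the attacker
MARK_PROB = 0.2                                   # p: marking probability per router


def fingerprint(router_ip):
    """16-bit global fingerprint of a router: the low 16 bits of SHA-256(address).
    Any well-distributed hash would do; using SHA-256 is this example's choice."""
    return int.from_bytes(hashlib.sha256(router_ip.encode()).digest()[:2], "big")


def forward(path, p, rng):
    """Carry one attack packet along path and return the ID field as the victim sees it.
    Each router overwrites the field with its own fingerprint with probability p,
    so a mark written near the attacker may be replaced by a router nearer the victim."""
    id_field = rng.randrange(1 << 16)   # whatever value the attacker chose to forge
    for router in path:
        if rng.random() < p:
            id_field = fingerprint(router)
    return id_field


def reconstruct_path(marks, fingerprint_table):
    """Victim side. A router d hops from the victim survives in about p*(1-p)**(d-1)
    of the packets, so sorting the known fingerprints by how often they were seen
    lists the routers nearest-first. Values not in the table (unmarked packets,
    i.e. the attacker's forged ID) are ignored."""
    counts = Counter(marks)
    seen = [(counts[fp], ip) for fp, ip in fingerprint_table.items() if counts[fp]]
    seen.sort(reverse=True)
    return [ip for _, ip in seen]


def simulate(n_packets, p=MARK_PROB, seed=1):
    """Generate n_packets flooding packets and return the path the victim recovers,
    nearest router first (PATH reversed, if enough packets were collected)."""
    rng = random.Random(seed)
    marks = [forward(PATH, p, rng) for _ in range(n_packets)]
    table = {fingerprint(ip): ip for ip in PATH}
    if len(table) != len(PATH):
        # Two routers hashed to the same 16 bits: the victim could not tell them apart.
        raise RuntimeError("16-bit fingerprint collision between two routers")
    return reconstruct_path(marks, table)


if __name__ == "__main__":
    print(simulate(50000))
```

With 50,000 packets and p = 0.2 the nearest router is seen in about 20% of them and the farthest in about 4%, which is enough separation to order all eight; with only a few hundred packets the counts of distant routers overlap and the tail of the path comes out scrambled.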
PACKET LOGGING
An alternative to packet marking is packet logging. Here, each router attempts to keep track of every packet that passes through it.

While packet marking made use of the idea of a router fingerprint, packet logging makes use of the idea of a packet fingerprint or digest.

This is computed using a well-designed hash function, one that distributes the hash values uniformly across all possible hash inputs. The digest must be taken over fields that do not change from hop to hop: the TTL and the header checksum are rewritten by every router, so if they were included the same packet would produce a different digest at each router and the logs could never be matched.

An interesting feature of packet logging is that it can help track even a single rogue packet. First, assume that each router stores the digest of each packet received by it in the last 5 minutes.
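The following is an added example, not code from the original slides or from any router vendor: a small simulation of digest logging and of the upstream walk that traces a single spoofed packet. The topology, the addresses, the decision to zero the TTL and checksum before hashing, hashing only the first 8 payload bytes, and the use of a plain dictionary as the router's log are all assumptions of the example; the 5-minute window is the one the text assumes.

```python
import hashlib
import socket
import struct

WINDOW_SECONDS = 300   # each router remembers digests for 5 minutes (as assumed above)


def ipv4_header(src, dst, ttl, ident=0x1234, proto=17, total_len=28):
    """Build a minimal 20-byte IPv4 header (constructed test data, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def packet_digest(ip_header, payload):
    """Digest over the hop-invariant part of the packet.
    TTL (byte 8) and header checksum (bytes 10-11) change at every router, so they
    are zeroed before hashing; the first 8 payload bytes are included so that two
    packets with identical headers still get different digests (example's choice)."""
    h = bytearray(ip_header[:20])
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return hashlib.sha256(bytes(h) + payload[:8]).digest()[:8]


class Router:
    def __init__(self, name, upstream):
        self.name = name
        self.upstream = upstream   # neighbours that can hand packets to this router
        self.log = {}              # digest -> time it was last seen

    def receive(self, ip_header, payload, now):
        # Drop entries older than the window, then record this packet's digest.
        self.log = {d: t for d, t in self.log.items() if now - t <= WINDOW_SECONDS}
        self.log[packet_digest(ip_header, payload)] = now

    def has_seen(self, digest, now):
        t = self.log.get(digest)
        return t is not None and now - t <= WINDOW_SECONDS


def traceback(victim_router, digest, now):
    """Walk upstream from the victim's ingress router: at each hop ask every upstream
    neighbour whether it logged the digest. Exactly one should say yes; none means
    the trail ends (or expired), more than one means the digest is ambiguous."""
    path = [victim_router.name]
    current = victim_router
    while True:
        candidates = [r for r in current.upstream if r.has_seen(digest, now)]
        if len(candidates) != 1:
            break
        current = candidates[0]
        path.append(current.name)
    return path


def run_example():
    """Constructed scenario: attacker -> R1 -> R2 -> R3 -> victim, with a decoy peer Rx
    on R3 that carried unrelated traffic. Returns (path, path_after_window_expired)."""
    r1 = Router("R1", upstream=[])
    r2 = Router("R2", upstream=[r1])
    rx = Router("Rx", upstream=[])
    r3 = Router("R3", upstream=[r2, rx])     # the victim's ingress router
    t0 = 1_700_000_000
    spoofed_src, victim = "198.51.100.7", "192.0.2.10"
    payload = b"\x00\x35\x00\x35\x00\x14\x00\x00evil-query"
    # Unrelated traffic on the decoy peer, so its log is not simply empty.
    rx.receive(ipv4_header("203.0.113.9", victim, 60), b"benign", t0)
    # The single spoofed packet; its TTL is one lower at each hop.
    for router, ttl in ((r1, 64), (r2, 63), (r3, 62)):
        router.receive(ipv4_header(spoofed_src, victim, ttl), payload, t0 + 1)
    # The victim computes the digest from the packet as delivered (TTL 61).
    digest = packet_digest(ipv4_header(spoofed_src, victim, 61), payload)
    path = traceback(r3, digest, now=t0 + 30)
    stale = traceback(r3, digest, now=t0 + 1 + WINDOW_SECONDS + 1)
    return path, stale


if __name__ == "__main__":
    print(run_example())
```

Because TTL and checksum are masked, the digest computed at the victim matches the entries in every router's log; because entries expire, the same query a few minutes later stops at the first router. With only an 8-byte digest per packet, two different packets can share an entry, which is why the walk treats more than one positive neighbour as ambiguous rather than picking one.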
UPSTREAM
Thank You
