Beruflich Dokumente
Kultur Dokumente
Sources of Attack
MASTER OF TECHNOLOGY
IN
COMPUTER SCIENCE
2009-2011
DECLARATION
Before getting into the thickest of things, I would like to thank the
personalities who were part of my seminar work in numerous ways, those
who gave me outstanding support from birth of this seminar work.
1. INTRODUCTION
2. EXISTING SYSTEM
3. PROPOSED SYSTEM
4. DESIGN
5. APPLICATIONS
6. CONCLUSION
7. REFERENCES
1. INTRODUCTION
A. Link Testing
Link testing (sometimes referred to as hop-by-hop tracing) is the
basic approach to real time traceback of the source of an attack. Once the
attack has been recognized, it is required, starting from the router closest
to the victim, to test manually its upstream links to other routers until it is
determined which link is used to carry the attacker's traffic. Ideally, this
procedure is repeated recursively on the upstream router until the source
is reached. ISP’s support is required. Link testing is a reactive method
and requires the attack to remain active until the trace is completed. One
implementation of link testing is input debugging [3] whereby
administrators determine incoming network links for specific packets. If
the router operator knows the attack traffic’s specific characteristics
(called the attack signature), then it’s possible to determine the incoming
network link on the router. The ISP must then apply the same process
to the upstream router connected to the network link and so on,
until the traffic’s source is identified—or until the trace leaves the
current ISP’s border. In the later case, the administrator must contact
the upstream ISP to continue the tracing process. This technique’s most
severe drawback is the substantial management overhead in
communicating and coordinating efforts across multiple network
boundaries and ISPs. It requires time and personnel on both the victims’
and ISPs’ side, meaning there is no direct economic incentive for ISPs to
provide such assistance. DDoS attacks compound this problem
because attack traffic could originate from machines under the
jurisdiction of many separate ISPs and thus this technique is less
suitable for distributed denial-of-service attacks.
B. Logging
Another category of IP Traceback employs logging at routers,
which store information about forwarded packets. The victim of an
attack can query a specific router to find out whether that router
forwarded a specific packet. The router would check in its log to find
if the specific packet was routed by that router. Here traceback is
carried out after the attack has taken place. Instead of storing the whole
packet, in hash-based IP Traceback [5,6], it is suggested that only
a hash digest of the packets’ relevant invariant portions be stored in
an efficient memory structure called a Bloom filter. Still this approach is
limited in practice due to the resource-intensive requirements in terms of
processing and storage. It also takes time to query all the different
routers and for the routers to analyze the logged data. Recent work
has focused on improving this technique for example by reducing
the amount of storage capacity required. Thus packet logging schemes
are also not suitable for tracing multiple sources of attacks as is the case
with DDoS.
C. ICMP Traceback
The principle idea behind the ICMP traceback scheme is for
every router to sample (to limit additional network traffic), with low
probability (e.g., 1/20,000), one of the packets it is forwarding and
copy the contents into a special ICMP traceback message (called an
iTrace) which includes information about the adjacent routers (IP and
MAC addresses) along the path to the destination. During a flooding-
style attack, the victim host receives enough iTraces to be able to
reconstruct a path back to the attacker [7]. Concerning DDoS
attack, very few ICMP traceback messages will be obtained from
distant routers, though intention-driven-ICMP scheme could improve the
traceback. The main problem with this mechanism is that ICMP traffic is
increasingly differentiated and may be dropped out by a firewall and
that even using low probability to sample packets it still generates
additional network traffic. Finally, the ICMP messages may have to
be authenticated (key distribution infrastructure needed) to deal with
the problem of attackers sending false ICMP Traceback messages. In
[12] an improved variation of the ICMP traceback is described.
WORKING PROCESS:
However, it was observed that this was not always the case when
the simulation was run even with the improved algorithm. When the
mobile agent was made to consider more than one packet i.e. it sampled
the attack packets with a probability p, the number of attackers ratio
increased. The higher the sampling probability i.e. more packets analyzed
at a node, the higher was the number of attackers’ ratio as shown in
Table 1, 2, 3, 4, 5 and 6 below. Note that multiple attackers were
assumed to be at the same distance or different distance from the victim.
TABLE 1
NUMBER OF ATTACKERS’ RATIO WHEN PROBABILITY = 0.1 AND 100
ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH
10 7 0.7
15 7 0.5
20 8 0.4
TABLE 2
NUMBER OF ATTACKERS’ RATIO WHEN PROBABILITY = 0.1 AND 1000
ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH
5 5 1
10 10 1
15 15 1
20 20 1
TABLE 3
NUMBER OF ATTACKERS’ RATIO WHEN PROBABILITY = 0.2 AND 100
ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH
5 5 1
10 9 0.9
15 9 0.6
20 20 0.55
TABLE 4
NUMBER OF ATTACKERS’ RATIO WHEN PROBABILITY = 0.3 AND 100
ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH
No. of Attackers No. of Identified No. of Attackers
Attackers Ratio
5 5 1
10 10 1
15 12 0.8
20 14 0.7
TABLE 5
NUMBER OF ATTACKERS’ RATIO WHEN PROBABILITY = 0.4 AND 100
ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH
5 5 1
10 10 1
15 15 1
20 17 0.85
TABLE 6
NUMBER OF ATTACKERS’ RATIO WHEN PROBABILITY = 0.5 AND 100
ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH
No. of Attackers No. of Identified No. of Attackers
Attackers Ratio
5 5 1
10 10 1
15 15 1
20 20 1
4. DESIGN
USECASE DIAGRAM
SEQUENCE DIAGRAM
ACTIVITY DIAGRAM
DATA FLOW DIAGRAM
5. APPLICATION
• ISP Level.
• DMZ.
• Website Hosts/Web Servers
• Distributed Databases.
• Cloud Computing.
6. CONCLUSION
7. REFERENCES