
Efficiency of using Mobile Agents to trace Multiple

Sources of Attack

A Seminar Report Submitted to

JAWAHARLAL NEHRU TECHNOLOGICAL UNIVERSITY, ANANTAPUR.

In Partial Fulfillment of the Requirements for the Award of the degree of

MASTER OF TECHNOLOGY

IN

COMPUTER SCIENCE

RUFUS CHAKRAVARTHY SHARMA (09121D0516)

Under the guidance of:
Mr. K. Munivara Prasad, M.E., (Ph.D)
Assistant Professor (SL),
Dept of CSE, SVEC.

Under the supervision of:
Prof. K. Delhi Babu, M.S., (Ph.D)
Head of the Department,
Dept of CSE, SVEC.

SREE VIDYANIKETHAN ENGINEERING COLLEGE


(Affiliated to JNTUA, ANANTAPUR)

Sree Sainath Nagar, Tirupathi – 517 102

2009-2011

DECLARATION

I hereby declare that this project report titled “Efficiency of using
Mobile Agents to trace Multiple Sources of Attack” is a genuine
seminar work carried out by me, in the M.Tech (Computer Science) degree
course of JAWAHARLAL NEHRU TECHNOLOGICAL UNIVERSITY,
ANANTAPUR and has not been submitted to any other course or
University for the award of any degree by me.

Signature of the Student

(RUFUS CHAKRAVARTHY SHARMA)


ACKNOWLEDGEMENT

Before getting into the thickest of things, I would like to thank the
personalities who were part of my seminar work in numerous ways, those
who gave me outstanding support from the birth of this seminar work.

I sincerely thank PADMASRI Dr. M. Mohan Babu, Chairman,
Dr. V. Sreenivasulu, Director, and Dr. P. C. Krishnamachary, Principal,
for providing the necessary infrastructure and resources for the
accomplishment of my seminar at Sree Vidyanikethan Engineering
College, Tirupati.

I hereby wish to express our deep sense of gratitude to
Prof. K. Delhi Babu, Head of the CSE department, and
Mr. K. Munivara Prasad, M.E., (Ph.D), Assistant Professor (SL),
CSE department; without their cooperation, help, suggestions and
involvement we would not have been able to complete this seminar
successfully. We are very much grateful to all the faculty members of the
CSE department for their value-based imparting of the theory and
practical subjects, which we have put to use in our project work. We also
thank the members of the non-teaching staff for their cooperation and
timely help.

Finally, I would like to take this opportunity to specially thank our
parents for their kind help, encouragement and moral support. Last, but
not the least, I would like to thank all our friends who extended their help
either directly or indirectly in my seminar work.

RUFUS CHAKRAVARTHY SHARMA


ABSTRACT

Recently, network resources have become extremely vulnerable to
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks,
which have become a pressing problem due to the scarcity of an efficient
method to locate the real attacker. Especially as network topology
becomes more advanced and complex, IP traceback is difficult but
necessary. For protection against DoS/DDoS even partial information
about the attack path is useful, as it allows such attacks to be throttled
at a distant router. Existing traceback mechanisms have serious drawbacks
such as high false positive rates, enormous storage requirements at
routers, and huge additional network traffic. As such, we make use of
mobile agents for real-time traceback of multiple attack sources. The
mobile agent traceback scheme presented in [2] and the improvement
proposed in this paper are not only efficient as compared to other existing
schemes but also have the following advantages: they are flexible,
autonomous, lightweight and protocol-independent, which makes them
particularly suitable for the Internet's variety of network topologies and
protocols.

CONTENTS

1. INTRODUCTION

2. EXISTING SYSTEM

3. PROPOSED SYSTEM

4. DESIGN

5. APPLICATIONS

6. CONCLUSION

7. REFERENCES

1. INTRODUCTION

Denial of Service (DoS) and Distributed Denial of Service (DDoS)
attacks are among the top threats to the Internet infrastructure [1]. DoS
and DDoS attacks may quickly incapacitate a targeted business, causing
loss of revenue and productivity. Furthermore, such attacks are among
the hardest security problems to address because they are simple to
implement, difficult to prevent, and very difficult to trace. In the past
several years, DoS and DDoS attacks have increased in frequency,
severity and sophistication [1]. Mechanisms for protecting against
DoS/DDoS have focused on tolerating attacks by mitigating their effects
on the victim. This approach can provide an effective stop-gap measure,
but it neither eliminates the problem nor discourages attackers. As
such, it would be more efficient to apply network forensics to track down
the source of these attacks, ideally stopping the attacker at the source.
IP traceback is a special network forensic mechanism that enables
victims, administrators or forensic investigators to trace attacks back to
their origins. IP traceback is required because in most cases the source
address in the attack packet is not the real source of the attack, as
attackers typically use spoofed IP addresses to cover their trail. Real-time
source identification of an attack (DoS/DDoS) is most helpful for stopping
the attack as well as for identifying attackers, so that firewalls can be
configured to block packets from such sources in the future. In [2], we
proposed the use of mobile agents for real-time IP traceback of the
source of an attack. In this paper we investigate the efficiency of using
mobile agents for tracing multiple sources of attack.

2. EXISTING SCHEMES

Figure 1 depicts the attack traceback problem for multiple sources
of attack, which corresponds to a tree of linked lists rooted at the victim
(V), where each leaf represents a linked-list end point. Every node on the
network can be a potential attack origin (A) and every router an internal
node along a path between some node and the target. The attack path
from node Ai is the unique ordered list of routers between node Ai and the
victim computer. Another attack path, for an attack originating from node
Aj, is the path Routerj1, Routerj2, Routerj3, as shown in Figure 1.

Fig. 1. An instance of a multiple source attack.

A. Link Testing
Link testing (sometimes referred to as hop-by-hop tracing) is the
basic approach to real-time traceback of the source of an attack. Once the
attack has been recognized, it is required, starting from the router closest
to the victim, to manually test its upstream links to other routers until it
is determined which link is used to carry the attacker's traffic. Ideally,
this procedure is repeated recursively on the upstream router until the
source is reached. The ISP's support is required. Link testing is a reactive
method and requires the attack to remain active until the trace is
completed. One implementation of link testing is input debugging [3],
whereby administrators determine the incoming network links for specific
packets. If the router operator knows the attack traffic's specific
characteristics (called the attack signature), then it is possible to
determine the incoming network link on the router. The ISP must then
apply the same process to the upstream router connected to that network
link, and so on, until the traffic's source is identified, or until the trace
leaves the current ISP's border. In the latter case, the administrator must
contact the upstream ISP to continue the tracing process. This technique's
most severe drawback is the substantial management overhead in
communicating and coordinating efforts across multiple network
boundaries and ISPs. It requires time and personnel on both the victim's
and the ISPs' side, meaning there is no direct economic incentive for ISPs
to provide such assistance. DDoS attacks compound this problem
because attack traffic could originate from machines under the
jurisdiction of many separate ISPs, and thus this technique is less
suitable for distributed denial-of-service attacks.

Another technique that falls into the link-testing category is
controlled flooding [4]. This technique works by generating a burst of
network traffic from the victim's network to the upstream network
segments and observing how this intentionally generated flood
affects the attack traffic's intensity. This approach is possible only
during ongoing attacks. Using a map of the known Internet topology
around the victim, these packet floods are targeted specifically at
certain hosts upstream from the victim's network; they iteratively
flood each incoming network link on the routers closest to the victim's
network. From changes in the attack traffic's frequency and intensity, the
victim can deduce the incoming network link on the upstream router and
repeat the same process on the router one level above. The most
significant problem with controlled flooding is that the technique itself is
a sort of DoS attack, which can disrupt legitimate traffic on the
unsuspecting upstream routers and networks. This, of course, makes it
unsuitable for widespread routine usage on the Internet. Also, it cannot
find the paths when the attack traffic comes from many links, so it is
not suitable for tracing DDoS attacks.

B. Logging
Another category of IP traceback employs logging at routers,
which store information about forwarded packets. The victim of an
attack can query a specific router to find out whether that router
forwarded a specific packet; the router checks its log to find out
whether the packet was routed through it. Here traceback is
carried out after the attack has taken place. Instead of storing the whole
packet, hash-based IP traceback [5, 6] suggests that only a hash digest of
the packet's relevant invariant portions be stored in a space-efficient
memory structure called a Bloom filter. Still, this approach is limited in
practice due to its resource-intensive requirements in terms of processing
and storage. It also takes time to query all the different routers and for
the routers to analyze the logged data. Recent work has focused on
improving this technique, for example by reducing the amount of storage
capacity required. Thus packet logging schemes are also not suitable for
tracing multiple sources of attack, as is the case with DDoS.
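An added illustration (not code from the cited papers) of the hash-based logging idea described above: a router stores only a Bloom filter of digests over each packet's invariant bytes, and the victim later asks whether a given attack packet passed through. The filter size, hash count, the minimal IPv4 header builder and the sample addresses are assumptions of this example.

```python
"""Added illustration of hash-based packet logging [5, 6]: a router keeps only
a Bloom filter of digests over each forwarded packet's invariant bytes, and
the victim later asks whether a given attack packet passed through.  This is a
constructed example, not code from the cited papers; the filter size, hash
count and the minimal IPv4 header builder are assumptions."""
import hashlib
import math
import socket
import struct


def invariant_bytes(packet):
    """Zero the header fields routers rewrite in transit (ToS at byte 1, TTL at
    byte 8, header checksum at bytes 10-11) so the digest is the same at every
    hop; digest the 20-byte header plus the first 8 payload bytes only."""
    hdr = bytearray(packet[:20])
    hdr[1], hdr[8], hdr[10:12] = 0, 0, b"\x00\x00"
    return bytes(hdr) + packet[20:28]


class PacketDigestLog:
    """Bloom filter over packet digests: m bits, k positions per packet."""

    def __init__(self, m_bits=1 << 16, k=4):
        self.m, self.k, self.logged = m_bits, k, 0
        self.bits = bytearray(m_bits // 8)

    def _positions(self, packet):
        digest = hashlib.sha256(invariant_bytes(packet)).digest()
        # carve k 4-byte indexes out of one SHA-256 digest
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m
                for i in range(self.k)]

    def log(self, packet):
        for pos in self._positions(packet):
            self.bits[pos // 8] |= 1 << (pos % 8)
        self.logged += 1

    def may_have_forwarded(self, packet):
        """No false negatives; a True answer may still be a false positive."""
        return all(self.bits[p // 8] & (1 << (p % 8))
                   for p in self._positions(packet))

    def false_positive_rate(self):
        """Expected false-positive probability at the current load: (1-e^(-kn/m))^k."""
        return (1 - math.exp(-self.k * self.logged / self.m)) ** self.k


def ipv4_packet(src, dst, ttl, payload, ident=0x1234):
    """Minimal IPv4 header (protocol 17, checksum left 0) over a payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         0, ttl, 17, 0, socket.inet_aton(src),
                         socket.inet_aton(dst))
    return header + payload


def demo():
    """Log one constructed attack packet at a router, then query the log with
    the same packet as seen one hop later (TTL decremented) and with an
    unrelated packet.  Returns (match_same, match_other)."""
    log = PacketDigestLog()
    log.log(ipv4_packet("198.51.100.7", "192.0.2.10", 60, b"ATTACKPAYLOAD"))
    same = ipv4_packet("198.51.100.7", "192.0.2.10", 59, b"ATTACKPAYLOAD")
    other = ipv4_packet("203.0.113.5", "192.0.2.10", 59, b"BENIGN-DATA")
    return log.may_have_forwarded(same), log.may_have_forwarded(other)
```

The false_positive_rate() method shows the storage trade-off the text mentions: the more packets a router logs into a fixed-size filter, the more often an innocent query returns True.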

C. ICMP Traceback
The principal idea behind the ICMP traceback scheme is for
every router to sample (to limit additional network traffic), with low
probability (e.g., 1/20,000), one of the packets it is forwarding and
copy its contents into a special ICMP traceback message (called an
iTrace) which includes information about the adjacent routers (IP and
MAC addresses) along the path to the destination. During a flooding-
style attack, the victim host receives enough iTraces to be able to
reconstruct a path back to the attacker [7]. In a DDoS attack, very few
ICMP traceback messages will be obtained from distant routers, though
an intention-driven ICMP scheme could improve the traceback. The main
problems with this mechanism are that ICMP traffic is increasingly
differentiated and may be dropped by a firewall, and that even with a low
sampling probability it still generates additional network traffic. Finally,
the ICMP messages may have to be authenticated (a key distribution
infrastructure is needed) to deal with the problem of attackers sending
false ICMP traceback messages. In [12] an improved variation of ICMP
traceback is described.

D. Packet Marking Scheme

Packet marking schemes [8, 9, 10, 11, 13] involve routers
“marking” one or more packets by augmenting them with additional
information about the path they are travelling. The destination can then
use the information appended in the marked packets to reconstruct the
path to the attacker using a path reconstruction procedure. The
convergence time of the path reconstruction algorithm is the number
of packets that the victim must observe to reconstruct the attack path.
Packet marking schemes do allow multiple sources of attack to be
detected, but they have many disadvantages, including the processing
overhead at the routers, the high number of packets often required to
reconstruct the attack path, and the large number of bits that must be
stored in the IP header fields. Moreover, this mechanism may produce
false-positive paths (paths that are not part of the attack paths), cannot
handle fragmented packets, does not work with IPv6 and is not compatible
with IPSec.

3. PROPOSED SYSTEM

In [2], we proposed the use of mobile agents for tracing single and
multiple sources of attack, summarized as follows. As soon as an attack
is detected, a mobile agent is initialized with the attack packet signature
and launched to the router (gateway router) which sent the attack packet
to the network. The mobile agent, being autonomous, scans the incoming
packets at that router to determine the previous router which sent the
packet to the current router. Once this is determined, the mobile agent
halts its execution and moves to the previous router's address in the
network, and so on, until the first router which routed the attack packet
is determined. Mobile agents are convenient and appropriate for tracing
single as well as multiple sources of attack due to their cloning
capability.

Fig. 2. Coping with multiple sources of attack. The agent clones itself
and investigates different attack paths.

For a multiple source attack, when the attack is discovered, an agent
is launched. When the agent discovers multiple packets corresponding to
the packet signature but with different incoming port/router addresses,
the agent can clone itself and move to each of the different routers on the
attack paths, as shown in Figure 2. As a security measure, the agents
should have a control parameter which limits the number of times an
agent can clone itself.

During experimentation in [2], though, it was observed that in the
case of multiple sources of attack, at least one source of attack was
identified but not all, even though the agents were programmed to clone
when they detect attack packets coming from different upstream routers.
This is because once the mobile agent identifies one attack packet based
on the signature, it acts on that specific attack packet and moves on,
ignoring other attack packets being sent from other sources, as in the
case of a DDoS attack. As indicated in [2], in the case of multiple attacks
with that algorithm, at least one source of attack was always identified,
but all sources of attack were rarely identified.

Thus, for traceback of multiple sources of attack, the mobile agent
has to be programmed to sample the attack packets for a specified period
of time (t) on each router. If all the attack packets sampled are observed
to come from the same source of attack, then it can be concluded that the
attack originates from a single source and the agent moves upstream. But
if attack packets are observed to arrive from several upstream routers,
then this indicates multiple sources of attack, and the agent will clone
itself as many times as the number of different identified upstream links
and move to the different upstream routers. Figure 3 depicts the traceback
algorithm, modified from [2], to cater for traceback of DDoS attacks
(multiple sources of attack). The next section evaluates the efficiency of
the improved algorithm.

Fig. 3. Improved traceback algorithm of the mobile agent for tracing
multiple sources of attack.

WORKING PROCESS:

We evaluate the performance of the proposed scheme through
simple simulation experiments. The aim is to study the efficiency of the
multiple attack traceback process when using mobile agents. JADE
(Java Agent DEvelopment Framework) [14, 15] has been used to
implement the agent system. The router was simulated as consisting of a
stationary agent (router agent) with which the mobile agent interacts to
find the attack packet and the upstream router. ns-2 (network simulator)
[16] was also used to determine the network dynamics such as the time
taken to trace back. A random attack tree with m attackers and one
victim was generated. The attack paths are made to converge at the
victim to form an attack tree as shown in Figure 2. The ‘number of
attackers’ ratio defined as per equation 1 should ideally be 1 if all
attackers are successfully identified.

However, it was observed that this was not always the case when
the simulation was run, even with the improved algorithm. When the
mobile agent was made to consider more than one packet, i.e. it sampled
the attack packets with a probability p, the number of attackers ratio
increased. The higher the sampling probability, i.e. the more packets
analyzed at a node, the higher was the number of attackers’ ratio, as
shown in Tables 1 to 6 below. Note that multiple attackers were assumed
to be at the same or different distances from the victim.

TABLE 1
NUMBER OF ATTACKERS’ RATIO WHEN PROBABILITY = 0.1 AND 100
ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH

No. of Attackers   No. of Identified Attackers   No. of Attackers’ Ratio
       5                       4                         0.8
      10                       7                         0.7
      15                       7                         0.5
      20                       8                         0.4

Since a DDoS attack often implies numerous attack packets sent by
multiple attackers, it can be seen that sampling attack packets at a low
probability is sufficient to identify all the sources of attack, as shown in
Table 2. Otherwise, using a higher sampling probability ensures that more
sources of attack are identified. A sampling probability of 0.5, i.e. half of
the attack packets are sampled, leads to the identification of all sources
of attack considering that the attackers send about 100 attack packets
each, as shown in Table 6. Figure 4 below depicts some of the experiment
results.

TABLE 2
NUMBER OF ATTACKERS’ RATIO WHEN PROBABILITY = 0.1 AND 1000
ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH

No. of Attackers   No. of Identified Attackers   No. of Attackers’ Ratio
       5                       5                          1
      10                      10                          1
      15                      15                          1
      20                      20                          1

TABLE 3
NUMBER OF ATTACKERS’ RATIO WHEN PROBABILITY = 0.2 AND 100
ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH

No. of Attackers   No. of Identified Attackers   No. of Attackers’ Ratio
       5                       5                          1
      10                       9                          0.9
      15                       9                          0.6
      20                      20                          0.55

TABLE 4
NUMBER OF ATTACKERS’ RATIO WHEN PROBABILITY = 0.3 AND 100
ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH

No. of Attackers   No. of Identified Attackers   No. of Attackers’ Ratio
       5                       5                          1
      10                      10                          1
      15                      12                          0.8
      20                      14                          0.7

TABLE 5
NUMBER OF ATTACKERS’ RATIO WHEN PROBABILITY = 0.4 AND 100
ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH

No. of Attackers   No. of Identified Attackers   No. of Attackers’ Ratio
       5                       5                          1
      10                      10                          1
      15                      15                          1
      20                      17                          0.85

TABLE 6
NUMBER OF ATTACKERS’ RATIO WHEN PROBABILITY = 0.5 AND 100
ATTACK PACKETS ARE OBTAINED BY THE ROUTER IN THE ATTACK PATH

No. of Attackers   No. of Identified Attackers   No. of Attackers’ Ratio
       5                       5                          1
      10                      10                          1
      15                      15                          1
      20                      20                          1

Fig. 4. No. of attackers’ ratio for varying sampling rate

Some DoS/DDoS attacks involved 1 000 packets per second, though
some attacks ran at as much as 600 000 packets per second [17]. A low
sampling probability may therefore often be enough to identify all sources
of attack. A low sampling probability also implies less processing
overhead. For capture of all sources of attack in the case of a sporadic
DDoS attack, where there are many attack sources and each attacker
contributes few attack packets, it is concluded that the mobile agent
should stay on the router during the whole duration of the attack and
analyze each attack packet. As soon as a new upstream router is
identified, the agent should clone itself and dispatch the clone to the new
upstream router, while the original mobile agent stays and continues to
sample the attack packets for new upstream links.
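The improved algorithm of Section 3 and the ‘number of attackers’ ratio measured above, as an added Python model that is not the report's JADE/ns-2 code: an agent starts at the gateway, samples the attack packets arriving at each router with probability p, follows the first upstream link and clones once per additional link, until it reaches the attacker hosts. The random attack tree generator, router and attacker names, and the clone limit are assumptions; with p = 0 the model also reproduces the first-packet behaviour of [2], which is why it then finds exactly one source.

```python
"""Added model of the improved mobile-agent traceback (Section 3): not the
paper's JADE/ns-2 code.  Routers, attacker names, the random-tree generator
and the clone limit are assumptions of this constructed example."""
import random
from collections import defaultdict


def random_attack_tree(m, max_depth=4, branching=2, rng=None):
    """Return {attacker: path}; each path lists hops from the attacker host to
    the victim V through gateway G.  Routers are named by their branch prefix,
    so paths sharing a prefix share routers and form a tree rooted at V."""
    rng = rng if rng is not None else random.Random(0)
    paths = {}
    for i in range(m):
        depth = rng.randint(1, max_depth)
        choices = [str(rng.randrange(branching)) for _ in range(depth)]
        routers = ["R" + "".join(choices[:k]) for k in range(depth, 0, -1)]
        paths[f"A{i}"] = [f"A{i}"] + routers + ["G", "V"]
    return paths


def build_traffic(paths, packets_per_attacker, rng):
    """traffic[router] = upstream hop of every attack packet (all carry the
    attack signature) arriving at that router, in shuffled arrival order."""
    traffic = defaultdict(list)
    for path in paths.values():
        for prev, cur in zip(path, path[1:]):
            traffic[cur].extend([prev] * packets_per_attacker)
    for arrivals in traffic.values():
        rng.shuffle(arrivals)
    return traffic


def trace(paths, traffic, sample_prob, rng, max_clones=32):
    """Improved algorithm: at each router sample arriving attack packets with
    probability p, group them by upstream link, move up the first link and
    clone once per additional link.  With p = 0 only the first matching packet
    is acted on, which is the behaviour of [2] that misses the other sources."""
    attackers = set(paths)
    identified, pending, clones = set(), ["G"], 0
    while pending:
        router = pending.pop()
        arrivals = traffic.get(router, [])
        sampled = [hop for hop in arrivals if rng.random() < sample_prob]
        if not sampled and arrivals:
            sampled = arrivals[:1]
        for i, hop in enumerate(sorted(set(sampled))):
            if i > 0:                         # another upstream link: clone
                if clones >= max_clones:      # clone-control parameter
                    break
                clones += 1
            if hop in attackers:              # leaf reached: source found
                identified.add(hop)
            else:
                pending.append(hop)           # (cloned) agent moves upstream
    return identified


def attackers_ratio(m, sample_prob, packets_per_attacker=100, seed=1,
                    max_clones=32):
    """'Number of attackers' ratio = identified sources / m, as in Tables 1-6."""
    rng = random.Random(seed)
    paths = random_attack_tree(m, rng=rng)
    traffic = build_traffic(paths, packets_per_attacker, rng)
    found = trace(paths, traffic, sample_prob, rng, max_clones)
    return len(found) / m


if __name__ == "__main__":
    for p in (0.0, 0.01, 0.05, 0.1, 0.5, 1.0):
        print(f"p = {p:<4}  ratio = {attackers_ratio(20, p):.2f}")
```

Because this model samples with probability p over every arriving packet rather than for a fixed period t, its ratios will not match the report's tables exactly; the trend (ratio rising with p, and all sources found at p = 1) is what it demonstrates.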

4. DESIGN

USECASE DIAGRAM

SEQUENCE DIAGRAM

ACTIVITY DIAGRAM

DATA FLOW DIAGRAM

5. APPLICATIONS

• ISP Level.
• DMZ.
• Website Hosts/Web Servers
• Distributed Databases.
• Cloud Computing.

6. CONCLUSION

An efficient traceback scheme is required to identify the sources of
DoS attacks, which pose an imminent threat to the availability of
Internet services. In this paper, we have evaluated the efficiency of a
real-time IP traceback scheme using mobile agents for multiple source
attacks. One of the most important advantages of the scheme is that,
compared to the existing traceback schemes, it provides autonomous
tracing thanks to the mobile agents. Traceback occurs in a few seconds.
For instance, tracing a 13-hop attack path may take 19 seconds. The time
taken depends on the network, though: if there is more network load, the
traceback time is higher. The improved algorithm in this paper increases
the number of attackers that can be traced in the case of a DDoS, given
that the mobile agent is made to sample the attack packets on each node
in the attack path starting from the node closest to the victim, as shown
by the simulation results. The proposed scheme can also easily be adapted
to IPv6 networks. Future work being considered includes the use of mobile
agents for traceback of attacks originating from mobile devices using
Mobile IP.

7. REFERENCES

[1] Armoogum S., Mohamudally N., “Efficiency of using Mobile Agents to
trace Multiple Sources of Attack”, 2009.
[1] CSI/FBI Computer Crime and Security Survey report, 2008.
[2] Armoogum S., Mohamudally N., November 2008b. “Mobile Agents for
IP Traceback.” In the proceedings of the third IEEE International
Conference on Digital Information Management, ICDIM 2008.
[3] R. Stone, “CenterTrack: An IP Overlay Network for Tracking DoS
Floods,” Proc. 9th Usenix Security Symp., Usenix Assoc., 2000, pp. 199–
212.
[4] H. Burch and B. Cheswick, “Tracing Anonymous Packets to Their
Approximate Source,” Proceedings of the 14th Conference on Systems
Administration, Usenix Assoc., 2000, pp. 313–322.
[5] Alex C. Snoeren, Craig Partridge, Luis A. Sanchez, Christine E. Jones,
Fabrice Tchakountio, Stephen T. Kent and W. Timothy Strayer, “Hash-
Based IP Traceback”, SIGCOMM, August 2001.
[6] Luis A. Sanchez, Walter C. Milliken, Alex C. Snoeren, Fabrice
Tchakountio, Christine E. Jones, Stephen T. Kent, Craig Partridge, and
W. Timothy Strayer, “Hardware Support for a Hash-Based IP
Traceback”, In the proceedings of the DARPA Information Survivability
Conference and Exposition, 2001.
[7] Steve Bellovin et al., “ICMP Traceback Messages”, IETF Internet
Draft, Version 4, Feb 2003 (Work in progress).
[8] Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson,
“Practical network support for IP traceback,” In the Proceedings of the
2000 ACM SIGCOMM Conference, August 2000.
[9] W. Lee and K. Park, “On the Effectiveness of Probabilistic Packet
Marking for IP Traceback under Denial of Service Attack,” Proc.
IEEE INFOCOM, IEEE CS Press, 2001, pp. 338–347.
[10] M. Adler, “Tradeoffs in Probabilistic Packet Marking for IP
Traceback,” Proc. 34th ACM Symp. Theory of Computing, ACM Press,
2002, pp. 407–418.
[11] D. Song and A. Perrig, “Advanced and Authenticated Marking
Schemes for IP Traceback,” Proc. IEEE INFOCOM, IEEE CS Press,
2001, pp. 878–886.
[12] Cheol-Joo Chae, Seoung-Hyeon Lee, Jae-Seung Lee, Jae-Kwang Lee,
“A Study of Defense DDoS Attacks using IP Traceback”, The 2007
International Conference on Intelligent Pervasive Computing (IPC), pp.
402–408.
[13] Yang Xiang, Wanlei Zhou, Zhongwen Li and Qun Zeng, “On
the Effectiveness of Flexible Deterministic Packet Marking for DDoS
Defense”, The 2007 IFIP International Conference on Network and
Parallel Computing Workshops.
[14] JADE (Java Agent DEvelopment Framework), available at
<http://jade.tilab.com/>
[15] Fabio Luigi Bellifemine, Giovanni Caire, Dominic Greenwood:
“Developing Multi-Agent Systems with JADE.” ISBN: 978-0-470-
05747-6.
[16] ns-2, user information available at
<http://nsnam.isi.edu/nsnam/index.php/User_Information>
[17] Moore D., Voelker G. M., and Savage S., 2001. “Inferring Internet
Denial-of-Service Activity,” In the Proceedings of the 2001 USENIX
Security Symposium.
