Kamil Sarac

A More Practical Approach for Single-Packet IP Traceback using Packet Logging and Marking

Tracing IP packets to their origins is an important step in defending Internet against denial-of-service attacks. Two kinds of IP traceback techniques have been proposed as packet marking and packet logging. In packet marking, routers probabilistically write their identification information into forwarded packets. This approach incurs little overhead but requires large flow of packets to collect the complete path information. In packet logging, routers record digests of the forwarded packets. This approach makes it possible to trace a single packet and is considered more powerful. At routers forwarding large volume of traffic, the high storage overhead and access time requirement for recording packet digests introduce practicality problems. In this paper, we present a novel scheme to improve the practicality of log-based IP traceback by reducing its overhead on routers. Our approach makes an intelligent use of packet marking to improve scalability of log-based IP traceback. We use mathematical analysis and simulations to evaluate our approach. Our evaluation results show that, compared to the state-of-the-art log-based approach called hash-based IP traceback, our approach maintains the ability to trace single IP packet while reducing the storage overhead by half and the access time overhead by a factor of the number of neighboring routers.

Single packet IP traceback in AS-level partial deployment scenario

Denial-of-Service (DoS) attacks commonly use IP spoofing to hide the identity and the location of the attack origin. To defend against various DoS attacks and make the attacker accountable, it is necessary to trace IP packets regardless of their source addresses. In this direction, log-based IP traceback is a promising and powerful approach due to its ability to traceback even a single packet. However, the global deployment of log-based IP traceback at all the routers in the internet requires a significant amount of modifications in the routers and introduces a serious operation and management overhead. To facilitate global deployment, we consider the Autonomous Systems (AS) level deployment of log-based IP traceback and accordingly propose a new mechanism called AS-level Single Packet Traceback (AS-SPT). We then evaluate the performance and overhead of the proposed AS-SPT under various partial deployment scenarios.

Resolving IP aliases in building traceroute-based internet maps

Alias resolution, the task of identifying IP addresses belonging to the same router, is an important step in building traceroute-based Internet topology maps. Inaccuracies in alias resolution affect the representativeness of constructed topology maps. This in turn affects the conclusions derived from studies that use these maps. This paper presents two complementary studies on alias resolution. First, we present an experimental study to demonstrate the impact of alias resolution on topology measurement studies. Then, we introduce an alias resolution approach called analytic and probe-based alias resolver (APAR). APAR consists of an analytical component and a probe-based component. Given a set of path traces, the analytical component utilizes the common IP address assignment scheme to infer IP aliases. The probe-based component introduces a minimal probing overhead to improve the accuracy of APAR. Compared to the existing state-of-the-art tool ally, APAR uses an orthogonal approach to resolve a large number of IP aliases that ally fails to identify. Our extensive verification study on sample data sets shows that our approach is effective in resolving many aliases with good accuracy. Our evaluations also indicate that the two approaches (ally and APAR) should be used together to maximize the success of the alias resolution process.

Analytical IP Alias Resolution

IP alias resolution is an important step in generating sample Internet topologies from collected path traces. Inaccuracies in IP alias resolution may significantly affect the characteristics of the resulting sample topologies. This in turn affects the accuracy of measurement results obtained using such topologies. Existing tools for alias resolution use an active probing approach. They induce significant traffic overhead into the network and critically depend on the participation of the routers. Recent studies have reported on the limited effectiveness of these approaches [1], [2]. In this paper, we present a novel approach, called Analytical Alias Resolver (AAR), for IP alias resolution. Given a set of path traces, AAR utilizes the common IP address assignment scheme to infer IP aliases from the collected path traces. AAR does not incur traffic overhead due to active probing for alias resolution. Our experimental evaluations on a set of collected Internet path traces show that, compared to existing approaches, AAR can detect significantly more number of IP aliases.

IP traceback based on packet marking and logging

Two main kinds of IP traceback techniques have been proposed in two dimensions: packet marking and packet logging. IP traceback based on packet marking is often referred to as probabilistic packet marking (PPM) approach where packets are probabilistically marked with partial path information as they are forwarded by routers. This approach incurs little overhead at routers. But due to its probabilistic nature, it can only determine the source of the traffic composed of a number of packets. IP traceback based on packet logging is often referred to as hash-based approach where routers compute and store digest for each forwarded packet. This approach can trace an individual packet to its source. However, the storage space requirement for packet digests and the access time requirement for recording packets commensurate with their arriving rate are prohibitive at routers with high speed links. We propose an IP traceback approach based on both packet marking and packet logging. Compared with the PPM approach, our approach is able to track individual packets. Compared with the hash-based approach, our approach incurs less storage overhead and less access time overhead at routers. Specifically, the storage overhead is reduced to roughly one half, and the access time requirement is decreased by a factor of the number of neighbor routers.

Importance of IP Alias Resolution in Sampling Internet Topologies

Internet measurement studies utilize traceroute-based path traces to build representative Internet maps. These maps are then used to analyze various topological characteristics of the Internet. IP alias resolution is an important step in building a map from a set of collected path traces. In this paper, we study the impact of incomplete IP alias resolution on Internet measurement studies. Using a set of synthetic topologies and a genuine topology map, we experimentally show that the accuracy/completeness of alias resolution has an important effect on the observed topological characteristics. The results obtained in this work point out the importance of IP alias resolution and call for further research in alias resolution.

A survey on the design, applications, and enhancements of application-layer overlay networks

This article presents a survey of recent advancements in application-layer overlay networks. Some of the most important applications that have been proposed for overlays include multicast, QoS support, denial-of-service (DoS) defense, and resilient routing. We look at some of the important approaches proposed for these applications and compare the advantages and disadvantages of these approaches. We also examine some of the enhancements that have been proposed in overlay topology design, enhanced routing performance, failure resistance, and the issues related to coexistence of overlay and native layers in the Internet. We conclude the article with a comment on the purist vs pluralist argument of overlay networks that has received much debate recently. Finally, we propose a new deployment model for service overlays that seeks to interpose between these two approaches.

Inferring subnets in router-level topology collection studies

Internet measurement studies require availability of representative topology maps. Depending on the map resolution (e.g., autonomous system level or router level), the procedure of collecting and processing an Internet topology map involves different tasks. In this paper, we present a new task, i.e., subnet inference, to advance the current state of the art in topology collection studies. Utilizing a technique to infer the subnet relations among the routers in the resulting topology map, we identify IP addresses that are connected over the same connection medium. We believe that the successful inclusion of subnet relations among the routers will yield topology maps that are closer, at the network layer, to the sampled segments of the Internet in router level topology measurement studies.

Tracetree: a scalable mechanism to discover multicast tree topologies in the internet

The successful deployment of multicast in the Internet requires the availability of good network management solutions. Discovering multicast tree topologies is an important component of this task. Network managers can use topology information to monitor and debug potential multicast forwarding problems. In addition, the collected topology has several other uses, for example, in reliable multicast transport protocols, in multicast congestion control protocols, and in discovering network characteristics. We present a mechanism for discovering multicast tree topologies using the forwarding state in the network. We call our approach tracetree. First, we present the basic operation of tracetree. Then, we explore various issues related to its functionality (e.g., scalability, security, etc.). Next, we provide a detailed evaluation by comparing it to the currently available alternatives. Finally, we discuss a number of deployment issues. We believe that tracetree provides an efficient and scalable mechanism for discovering multicast tree topologies and therefore fills an important void in the area of multicast network management.

Analyzing Router Responsiveness to Active Measurement Probes

Active probing has increasingly been used to collect information about the topological and functional characteristics of the Internet. Given the need for active probing and the lack of a widely accepted mechanism to minimize the overhead of such probes, the traffic and processing overhead introduced on the routers are believed to become an important issue for network operators. In this paper, we conduct an experimental study to understand the responsiveness of routers to active probing both from a historical perspective and current practices. One main finding is that network operators are increasingly configuring their devices not to respond to active direct probes. In addition, ICMP based probes seem to elicit most responses and UDP based probes elicit the least.