Samant Saurabh
Indian Institute of Technology Patna
Publication
Featured research published by Samant Saurabh.
Communication Systems and Networks | 2012
Samant Saurabh; Ashok Singh Sairam
Several packet marking schemes have been proposed for DoS/DDoS defence to trace back the attackers to their source. One of the major challenges in the design of an efficient traceback scheme is to minimize the number of packets required for successful traceback. DDoS attacks are becoming highly distributed and increasingly sophisticated. Even though the net sum of attack packets is high enough to overwhelm the resources at the victim, the number of packets originating from individual sources is not so high. Hence, for a traceback scheme to be efficient in tracing DDoS attacks, it should require a minimal number of packets from the attacker to perform IP traceback. In this paper we propose a novel packet marking scheme called Linear Packet Marking (LPM), which requires a number of packets equal to the hop distance between the attacker and the victim, which is less than 31 [5]. We also present a randomized version of LPM called Remainder Packet Marking (RPM). Even though RPM requires slightly more packets for successful traceback, it is more robust to certain kinds of attacks that are possible on LPM. Both schemes use the IP ID field and TTL values to decide which router in the path will mark the packet. Using extensive simulation we show that our algorithm performs much better than the existing packet marking schemes in terms of packets required for successful traceback and in handling large-scale DDoS attacks. Besides, it generates no storage overhead and only a small processing overhead at the intermediate routers.
Computer Communications | 2014
Samant Saurabh; Ashok Singh Sairam
Most of the schemes that mitigate DRDoS attacks only provide a mechanism for filtering the attack traffic. They do not provide any tool for tracing back to the attacker. The few schemes that perform IP traceback require the involvement of the reflectors, which is quite difficult to obtain. They require reflectors to store a huge amount of traffic logs and cooperate during the attack. Reverse iTrace is one of the only methods that help in identifying the attack source without any involvement of reflectors. However, it generates a huge amount of overhead traffic and does not scale well in the case of a large number of reflectors. These problems have discouraged its deployment in the Internet. In this paper, we propose a system of two Bloom filters known as Additive and Multiplicative Bloom Filters, which, when incorporated with Reverse iTrace, reduces the number of iTrace generated by approximately 100 times. It also prevents iTrace from becoming another DoS attack during the reflector attack. Our system has an Attacker Identification Probability of around 95%. Moreover, it is highly scalable. Extensive mathematical analysis and experimental results obtained from traffic traces prove the effectiveness and accuracy of our work.
International Journal of Web Based Communities | 2013
Samant Saurabh; Ashok Singh Sairam
Social networking sites like Facebook, Twitter and YouTube have changed the way people live. Today we depend heavily on social networking sites for our day-to-day activities. This paper presents a case study where we research the effect of YouTube on education. We have studied one of YouTube’s most famous education channels, Khan Academy, founded by an MIT graduate. It has a huge collection of around 3,200 video lectures. We perform an in-depth study of Khan Academy. We provide results regarding viewership and popularity of these lectures by providing statistics on view count, age of videos, user comments and rating of videos. We also study viewer characteristics like age, gender and location distribution. Overall, we believe that the results presented here are crucial in understanding the importance and relevance of social networks for the education system. The results provide valuable information to educationalists in better using social media to facilitate quality education.
International Journal of Network Security | 2016
Samant Saurabh; Ashok Singh Sairam
Probabilistic Packet Marking (PPM) is one of the most promising schemes for performing IP Traceback. PPM reconstructs the attack graph in order to trace back to the attackers. Finding the Completion Condition Number (i.e. the precise number of packets required to complete the traceback) is very important. Without a proper completion condition, we might reconstruct a wrong attack graph and attackers can evade detection. The one presently being used works only for a single-attacker-based DoS attack and has an accuracy of just around 70%. We propose a new Completion Condition Number which has an accuracy of 95% and works even for multiple-attacker-based DDoS attacks. We confirm the results using detailed theoretical analysis and extensive simulation work. To the best of our knowledge, we are the first to apply the concept of Completion Condition Number to increase the reliability of IP Traceback for DDoS attacks.
Security and Communication Networks | 2016
Samant Saurabh; Ashok Singh Sairam
The latest variants of denial-of-service attacks, like the low-rate denial-of-service attack, require very few packets for launching an attack. As a result, reducing the number of packets required for IP traceback has gained considerable importance. In packet marking schemes, routers probabilistically mark the packets. Therefore, a large number of packets is required by the victim to reconstruct the complete attack path. In this paper, we introduce an efficient data structure known as the wrap-around counting Bloom filter (WCBF) to minimize the required number of packets. WCBF maintains a set of cyclic counters to decide which particular mark needs to be sent to the victim for faster IP traceback. We prove the efficacy of our technique by performing detailed theoretical analysis and confirm it using extensive experimental results. In the case of probabilistic packet marking, the proposed scheme reduces the number of packets by 5-10 times. Likewise, in the case of deterministic packet marking, the number of packets required is reduced by 2-4 times. We also show that WCBF can be incorporated with different variants of probabilistic packet marking and deterministic packet marking to obtain effective results. Finally, we highlight the benefits of WCBF over other traceback schemes like logging and hybrid traceback.
International Journal of Communication Networks and Distributed Systems | 2014
Samant Saurabh; Sangita Roy; Ashok Singh Sairam
In this paper, a novel deterministic edge router marking scheme to mitigate denial of service (DoS) attacks and perform traceback is proposed. The scheme is compatible with packet fragmentation and at the same time does not add space overhead. The proposed technique produces low false positives and adds very low processing and storage overhead at the edge router. An issue with existing filtering schemes for DoS attacks is that they suffer from heavy collateral damage. Our proposed scheme minimises collateral damage using signature pushback and allows legitimate traffic to be served smoothly. We optimise pushback by using a Lamport hash chain and filtering time by sorting the attack features based on their entropy. Empirical results confirm that our system is fast, accurate, scalable and greatly reduces blocking of legitimate traffic during the filtering phase.
International Conference Information Processing | 2011
Samant Saurabh; Ashok Singh Sairam
Distributed Denial of Service attacks continue to plague the world. Defense against DDoS attacks gets complicated due to IP spoofing. We propose a new packet marking technique, PT (called Path Tracer), which imprints the fingerprint of the path taken by attack traffic in each packet, thereby enabling the victim to identify the attack traffic on a per-packet basis even in the presence of IP spoofing. Our packet marking technique has many unique features. It helps the victim to proactively filter out the attack packets based on the unique path mark. A single packet contains information about the complete attack path. The marking algorithm is very simple. Our approach does not create overhead in the packet and it does not require any extra storage. Analysis of our scheme proves the effectiveness of PT in filtering out DDoS traffic while allowing the legitimate traffic to be processed normally.
Asia-Pacific Conference on Communications | 2011
Samant Saurabh; Ashok Singh Sairam
Distributed Denial-of-Service (DDoS) attacks are one of the major threats the Internet is facing today. The problem of tracing the attackers is particularly difficult since attackers spoof the source addresses. Researchers all over the world have proposed several packet-marking-based techniques for DDoS attack mitigation using IP Traceback; however, even after a decade of active research, no commercial product incorporates any of these packet marking techniques, either because they add overhead in network traffic or because they break some of the existing Internet features like IP fragmentation. In this paper, we propose a novel scheme which performs IP Traceback but adds no space overhead and yet is fragmentation compatible. We show that our scheme produces negligible false positives and causes almost no collision in the ID field for fragmentation and reassembly. As this scheme is simple to implement and has very little processing and storage overhead at the victim and routers, it is a suitable candidate for widespread acceptance in the Internet community and industry for DDoS attack prevention and mitigation.
International Conference on Computer and Communication Technology | 2012
Samant Saurabh; Ashok Singh Sairam
Defences against Denial and Distributed Denial of Service (DDoS) attacks commonly respond to flooding by dropping excess traffic. Such rate limiting schemes drop all excess traffic when the request arrival rate goes above a certain empirically calculated threshold. Flooding-based DoS/DDoS attacks like the TCP SYN attack do not exhibit any special signature except that their arrival rate is high enough to overwhelm the victim. Hence it is very difficult to differentiate between legitimate and attack traffic as they share the same signature. As a result, rate limiting schemes cause heavy collateral damage by dropping legitimate traffic [15]. In this paper we propose a novel packet marking mechanism which not only mitigates DoS/DDoS attacks by filtering but also reduces collateral damage significantly by selectively dropping attack packets based on their packet marks while allowing the legitimate traffic to be processed smoothly. Our packet mark contains a fingerprint of the path in each single packet, which allows us to identify attack packets coming from various sources even in the case of IP spoofing. Our scheme does not require any protocol-specific knowledge and can generically filter out attack packets for all kinds of flooding attacks. We have extensively evaluated our packet marking scheme. Results show the effectiveness of our scheme in filtering attack traffic. Our scheme inflicts extremely low collateral damage on legitimate traffic while quickly detecting and selectively filtering attack traffic.
International Conference Information Processing | 2011
Samant Saurabh; Shashi Singh; Ashok Singh Sairam
The introduction of energy-efficient flash memory has greatly facilitated archival storage of sensor data that is necessary for applications that query, mine, and analyze such data for interesting features and trends. This trend has created the need for a global distributed index for in-network storage in power-constrained sensor networks. We propose and evaluate the architecture for such networks and a distributed indexing scheme for the architecture that allows distributed queries to proceed in a fault-tolerant and energy-efficient manner with low latency. We discuss the rationale behind the choice of our indexing scheme and evaluate some of the characteristics of the scheme.