KR101217688B1 - Method for tracing internet protocol under wide range multipath attack by using sparsely tagged fragment marking scheme - Google Patents

Abstract

PURPOSE: An IP(Internet Protocol) tracing method against wide range multi-path attacks by intermittent tag transplant is provided to solve following problems at once; combination explosion, increase in wrong restoration percentage, a rapid increase in wrong restoration percentage of routers using the same tag, and uneasiness in submitting and maintaining a router map. CONSTITUTION: Each router performs a first algorithm. The first algorithm either performs or does not perform marking in all packets passing through. By the marking, an IP piece of a router, an offset value which indicates the position of the piece, and a 4-bit hash value tag of the router are attached to the packets. An attacked system performs a second algorithm. The second algorithm restores IPs of routers used in the attack, by using packets collected from the moment the attack is recognized. [Reference numerals] (AA) Start; (BB) Successively marking a point according to an offset value order of a router IP piece in each router by marking a point on all packets according to a specific probability; (CC) When a marking process is terminated according to the probability of P1, all packets which pass through each router are divided into a marking packet and a non-marking packet as a result; (DD) End

Description

Method for tracing internet protocol under wide range multipath attack by using sparsely tagged fragment marking scheme}

The present invention relates to a countermeasure for preventing an internet attack, and more particularly, to minimize the damage by tracking the attacker's IP in real time during an internet attack such as a wide range of distributed denial of service (DDoS) attacks. It is about IP tracking method to secure identity.

In recent years, as the use of the Internet spreads, almost all of the core infrastructures such as banks, electric power facilities, and industrial facilities are connected through the Internet.

Here, being connected to the Internet means being exposed to the outside, and it can be easily seen that the social wave will be very large if there is a failure of the Internet service in these facilities.

In other words, for example, distributed denial of service (DDoS) attacks not only on private companies such as Yahoo and eBay, but also on public facilities such as financial institutions and national institutions, have deepened these concerns.

Here, as an effective countermeasure against such a wide range of DDoS attacks, there is a method of tracking an attacker's IP.

In other words, IP tracking technology is a technology that tracks the original IP in real time even if an attacker uses a fake IP to hide its location, and it can secure the identity of the attacker as well as minimize the damage of the attack. It has the effect of disabling the attacker's willingness to attack by proclaiming that it exists.

Various techniques have been proposed for the IP tracking, and among them, PPM (Probabilistic Packet Marking) technique has been evaluated as superior to other methods because there is no increase in additional network traffic and the protocol change is relatively small.

However, the PPM technique has a problem in that its performance is severely deteriorated when applied to a mass packet transmission attack through a multipath, which is a trend of recent DDoS attacks.

That is, in order for the PPM technique to be applied to an actual situation, optimization has to be performed in three aspects: the number of packets collected for IP address recovery, the number of fragment combinations necessary for accurate IP address recovery, and the restoration rate.

Therefore, many studies have been conducted on improvement of these three problems, and such studies can be classified into three categories as follows.

The first is the dynamic marking probability technique, which dynamically adjusts the marking probability to reduce the number of packet collections.

In other words, the dynamic marking probability technique dynamically adjusts the marking probability so that the proportion of packets reaching the point of damage from each router can be kept equal, thus effectively reducing the number of packets collected to recover the original IP. have.

However, even with the dynamic marking probability method, problems such as the combination explosion and the increase of the restoration rate still cannot be solved.

The second method is to reduce the number of fragment combinations by the router tag porting, that is, the tag is ported so that routers can determine that the packet has gone through every packet passing through it.

More specifically, for example, a 16-bit identification field requires a portion of the router's IP (fragment IP) and other necessary information, so the field available as a router tag is about 4 bits, 4 bits unique to each router. Since tags cannot be assigned, each router issues a random number (any number between 0-15) that can be represented by 4 bits and uses it as its tag value.

Therefore, at the point of damage, this tag can be used to classify packets into groups of up to 16 routers, and fragmentation can be significantly reduced because fragmentation only needs to be performed within each group.

However, the above-mentioned method has a problem that the routers using the same tag still have to recover the IP address through the IP fragment combination, and the restoration rate is sharply increased in the process.

The third method is to use a router map, which is similar to the second in that each router uses an identifier (tag), in which case the identifier is a unique number within the currently defined router map. The difference is that the IP fragment is not inserted into the packet instead of the identifier.

Therefore, because the identifier is a unique number in the router map, at the point of damage, the identifier can directly calculate the router's IP address, there is no error recovery rate, and no IP fragment combination is required.

In other words, no matter how widespread an attack is, if only a router map can be created, and if a router can be given a unique identifier, it is possible to calculate IPs of routers in the attack path quickly and accurately.

However, this method has a problem that it is never easy to create and maintain such a router map, and it is expensive.

As described above, the conventional methods still do not satisfy the three problems of PPM at the same time, therefore, it is desirable to provide a new IP tracking technique that satisfies the above three problems simultaneously but does not incur additional costs such as router map. Although desirable, IP tracking techniques that satisfy all such requirements have not been provided.

[ references ]

[1] S. M. Bellovin, "The ICMP Traceback Messages", Internet Draft: draft-bellovin-itrace-00.txt, http://www.research.att.com, Mar. 2000.

[2] A. Belenky and N. Ansari, "IP Traceback with Deterministic Packet Marking," IEEE Communications Letters, Vol. 7, NO. 4, April 2003.

[3] A. Belenky and N. Ansari, "Tracing Multiple Attackers with Deterministic Packet Marking," IEEE PACRIM'02, August 2003.

[4] Hal Burch and Bill Cheswick, "Tracing anonymous packets to their approximate source", Unpublished paper, Dec. 1999.

[5] David A. Curry, "Unix System Security", Addison Wesley, pp. 36-80, 1992.

[6] Drew Dean, Matt Franklin, and Adam Stubblefield, "An algebraic approach to ip traceback", in Network and Distributed System Security Symposium, NDSS, Feb. 2001.

[7] Z. Gao and N. Ansari, "Tracing cyber attacks from the practical perspectives", IEEE Communications Magazine, Vol. 41, No. 5, 2005.

[8] Chao Gong and Kamil Sarac, "Toward a More Practical Marking Scheme for IP Traceback," in Proceedings of 3rd International Conference on Broadband Communications, Networks and Systems, 2006.

[9] B. Kim, S. Kim, J. Hwang, and K. Kim, "Tagged Fragment Marking Scheme with Distance-Weighted Sampling for a Fast IP Traceback", LNCS 2642, Apr. 2003.

[10] T. Korkmaz, C. Gong, K. Sarac, and S. Dykes, "Single packet IP traceback in AS-level partial deployment scenario", International Journal of Security and Networks, Vol. 2, No. 2, Mar. 2007.

[11] Tsern-Huei Lee, Tze-Yau William Huang, and Iven Lin, "A Deterministic Packet Marking Scheme for Tracing Multiple Internet Attackers," International Conference on Communications, 2005.

[12] J. Li, M. Sung, J. Xu, L. Li, and Q. Zhao, "Large-scale IP traceback in high-speed internet: practical techniques and theoretical foundation", Proc. of IEEE Symposium on Security and Privacy, Oakland, CA. 2004.

[13] J. Liu, Z. Lee, and Y. Chung, "Dynamic probabilistic packet marking for efficient IP traceback", The International Journal of Computer and Telecommunication Networking, Vol. 51, No. 3, Feb. 2007.

[14] V. Paruchuri, A. durresi, S. Chellappan, "TTL Based Packet Marking for IP Traceback," IEEE Globecom, 2008.

[15] Pegah Sattari, Minas Gjoka, Athina Markopoulou, "A Network Coding Approach to IP Traceback," in Proceedings of IEEE International Symposium on Network Coding, 2010.

[16] L.A. Snoeren, C. Partridge, L.A. Sanchez, C.E. Jones, F. Tchakountio, S. t. Kent, and W.t. Strayer, "Hash-based IP Traceback," Proceedings of 2001 Conference on Applications, Technologies, Architecture, and Protocols for Computer Communication, 2001.

[17] Stefan Savage, David Wetherall, Anna Karlin, and Tom Anderson, "Practical network support for IP traceback", in Proc. of ACM SIGCOMM, pp. 295-306, Aug. 2000.

[18] R. Stone, "CenterTrack: An IP Overlay Network for Tracking DoD Floods", in Proceedings of the 2000 USENIX Security Symposium, Denver, CO, July. 2000.

[19] Dawn Xiaodong Song and Adrian Perrig, "Advanced and Authenticated Marking Schemes for IP Traceback", in Proc. IEEE INFOCOM, Apr. 2001.

[20] A. Yaar, A. Perrig, and D. Song, "FIT: Fast Internet Traceback," in Proceedings of IEEE INFOCOM, 2005.

The present invention is to solve the problems of the prior art as described above, the object of the present invention, the problem of increasing the combination explosion or recovery rate, and the problem that the recovery rate is rapidly increased for routers using the same tag And it is to provide a new IP tracking technique that can simultaneously solve the three problems of the prior art, such as difficult to create and maintain a router map.

It is also an object of the present invention to solve the problems of the prior art as described above, and to provide a new IP tracking technique that does not incur additional costs such as a router map.

In order to achieve the object as described above, according to the present invention, in the IP tracking method under a wide multipath attack by the Sparsely-Tagged Fragment Marking Scheme (STFMS), in each router, all packets passing through Performing a first algorithm of marking (ON) or not (OFF) the IP fragment of the router, an offset value indicating the position of the router, and a tag that is a 4-bit hash value of the router. And performing a second algorithm of recovering the IPs of the routers used in the attack by using packets collected from the moment of recognition of the attack in the victim system. An IP tracking method is provided below.

Here, the first algorithm, at each router, performs marking with a certain probability of P1 for each packet passing, and once marking starts, all subsequent packets are successively marked according to the offset value order of the corresponding router IP fragment. When the marking is finished with the probability of P1, non-marking is started again with the probability of (1-P1), and as a result, all packets passing through each router are classified into a marking packet and an unmarking packet. It is done.

Further, the first algorithm performs marking with a probability of 1 when the current state is ON, increases the offset value, keeps the state ON, and converts the state back to OFF when marking is performed up to the IP fragment corresponding to the final offset. If the current state is OFF, the process of marking the probability P1 is repeated.

In addition, the first algorithm is a period during which the tag is marked with the IP fragment information in the identification field of the packet passing through each router, and the marking period is turned on. By keeping it very short as compared with the above, it is characterized in that the number of packets performing marking is reduced.

Further, the second algorithm maintains an Intermediate-IP-Table having an offset value and a tag value of IP fragments collected for each tag for every possible tag, and sequentially receives packets from a packet buffer to receive the Intermediate- table. Filling the value at the corresponding position in the IP-Table, and once all the fragments in a particular tag are filled, move the value to the Final-IP-Table where the restored IPs from the Intermediate-IP-Table are stored and finally restored. And determining whether the received IP is sequentially increased, and if there is no offset value incremented sequentially in a specific tag or when different IP fragments collide with the same offset value, discarding all data of the corresponding tag and starting a new one. .

In addition, the tracking method, when a total of N routers were used in the attack, the number of packets needed to recover 95% of the IP of the routers without fragmentation combination and zero recovery rate is 8N when the marking probability is 1 / N It is characterized by.

As described above, according to the present invention, the problem of increasing the combination explosion or the restoration rate, which is a typical problem of the prior art, the problem of rapidly increasing the restoration rate for routers using the same tag, and easy creation and maintenance of the router map. It can provide a new IP tracking technique that can simultaneously solve the problem that failed.

In addition, according to the present invention, while solving the problems of the prior art as described above, it is possible to provide a new IP tracking technique that does not incur additional costs such as a router map.

1 is a diagram showing the structure of a data packet used in the IP tracking technique under a wide multipath attack by intermittent tag transplantation according to the present invention.
2 is a flowchart showing the processing procedure of the first algorithm of the IP tracking technique under the widespread multipath attack by intermittent tag transplantation according to the present invention.
3 is a flowchart showing the processing procedure of the second algorithm of the IP tracking technique under the widespread multipath attack by intermittent tag transplantation according to the present invention.

Hereinafter, with reference to the accompanying drawings, it will be described in detail the IP tracking method under a wide multi-path attack by intermittent tag transplantation in accordance with the present invention.

Here, in the following description, it should be noted that the same contents as those in the prior art or the contents obvious to those skilled in the art have been described in detail for the purpose of simplifying the description and omitting the description thereof.

It should be noted that the contents described below are only examples for carrying out the present invention, and the present invention is not limited only to the contents of the embodiments described below.

That is, the IP tracking method under an extensive multipath attack by intermittent tag transplantation according to the present invention uses a tagging method as the second method of the related art as described below, but routers are very useful to prevent tag collision. The tag is intermittently ported with a low probability, and only the markers that do not collide with the tag at the point of damage are collected to recover the IP address. The present inventors named this method as a sparsely tagged fragment marking scheme (STFMS).

Here, the router sending its IP information with low probability is similar to the ITRACE described in [Ref.] Above (see Ref. [1]).

However, ITRACE causes additional network traffic increase by separately generating and sending ICMP packets. However, in the present invention, as described below, the tag is recorded with the IP fragment information in the identification field of the packet passing through the router. Therefore, there is no problem of traffic increase as in the prior art.

In addition, since the IP tracking method proposed in the present invention does not require a fragment combining process, the error recovery rate is zero, and the IP of the routers in the attack path can be recovered only by collecting a relatively small number of packets.

In addition, the inventors have confirmed the performance of this technique by simulator and mathematical analysis, as described below, and as a result, when 8N packets per router (N is the total number of routers engaged in the attack) were collected. It was found that 95% of the original IP could be recovered to zero recovery rate without fragment combinations as well.

Subsequently, details of the IP tracking method under a wide multipath attack by intermittent tag transplantation according to the present invention will be described.

In general, tracking the attack path during or after an attack is not an easy problem (see references [5] and [6]).

In other words, various techniques have been proposed in terms of cost and performance. Among them, input debugging techniques (see Ref. [18]) use input debugging functions provided by most routers. The problem is that the router administrator must search for input directly.

In addition, the controlled flooding technique (see Ref. [4]) is a proposed technique that does not require the help of a router administrator, but needs to know the upper router map at the point of damage, and is vulnerable to multiple attack paths.

In addition, the logging technique (see Ref. [10]) is an efficient way of logging logs to the router. The key to this technique is to ensure that only the minimum necessary information can be logged to prevent data overflow. Accumulation of data is required.

In addition, the ICMP tracking technique (see Ref. [1]) uses a completely different approach, with very low probability of the routers passing the packet rather than relying on random tracking at the point of damage. By performing the sampling, a copy of the sampled packet is stored in a special ICMP packet along with the information about the neighboring router and transmitted.

Therefore, at the point of damage, the attack path can be reconstructed by extracting the information of the ICMP packet.

However, this technique has the problem of increasing network traffic due to additional ICMP packets, and at the same time, has a disadvantage in that a large number of packets need to be collected at the point of damage due to the low packet sampling probability (about 1/20000).

Subsequently, PPM (see Ref. [17]), also called FMS (Fragment Marking Scheme), requires routers to send their location information to the point of failure, similar to ICMP tracking, but in PPM, each router has its own Rather than storing the location information of the ICMP packet, it writes directly to the packet passing through itself.

Therefore, since it does not generate additional ICMP packets, it does not increase the network traffic, but it is a matter of which part of the route packet to record the location information.

Here, the PPM allows this information to be recorded in a 16-bit IP identification field of the packet header, which is used when assigning an identification number to recover fragmented packets later when the packet is fragmented. It is known that its utilization rate is less than 0.25% (refer to Ref. [17]), and it is suitable to be borrowed instead to store IP information of router when packet fragmentation does not occur.

However, for each router that a given packet passes through, its location information must be entered in this 16-bit field, so each router divides its IP address into pieces (for example, 8 pieces) and one of them is a certain probability. Record (mark) with.

In addition, the location of the fragment during marking, the hop distance of the router from the point of damage, and the fragment of the hash value for error checking are also recorded in this field.

In this case, since the hop distance from the damage point is not known to the current router, the hop distance of the current router is unconditionally recorded as 0 when the probability function is determined and marked.

Subsequently, the routers through which this packet passes increase this hop distance by one when it decides not to mark by performing a probability function.

If all routers after the current router decide not to mark their addresses, each router will increase the hop distance by one, and when the packet reaches the damage point, the hop distance from the damage point is initially marked. It indicates the hop distance from the damage point of the determined router.

Therefore, at the point of damage, the IP fragment information sent by the routers through the above process is used to restore the IPs of the routers existing on the attack path.

At this time, if it was a single attack path, the routers in the attack path sent their IP fragment information along with the hop distance information from the point of damage. Combining by location can restore IPs for routers at each hop distance in turn, making IP recovery very simple.

However, under multiple attack vectors, the IP fragments can be combined to restore the original IP.

For example, assume that there are two attack paths, and also assume IP reconstruction at hop distance one.

That is, if routers A and B belonged to each attack path at hop distance 1, IP fragments having hop distance 1 from routers A and B arrive at each fragment position at the damage point.

In this case, assuming that IP is divided into 8 pieces and transmitted, two different pieces of IP arrive at each fragment location with the same hop distance value.

Therefore, since these fragment IP pairs exist at each fragment location, you must try both possible combinations to find out which fragment IP belongs to which router.

That is, to check whether each combination is the original IP, the error checking hash fragments included in the packet are also restored to the same combination and the restored IP value is put in the given hash function to check whether the same value as the error checking hash value.

At this time, even if the hash value is the same by accident, even if the original IP value may be incorrectly determined when restoring the IP, such a case is called a misconstruction.

In addition, as the number of attack paths increases, the number of fragment combinations required for IP recovery can increase exponentially.

Therefore, the PPM can be used in real situations only when three values such as the number of IP fragment combinations, the restoration rate, and the number of collected packets that can be greatly increased as the attack path increases.

The prior art idea of a technique for reducing packet collection is to dynamically adjust the marking probability so that each hop distance of router IP address has a similar probability of surviving to the point of damage (Refs. [9], [13]. ], [14]).

More specifically, fixing the marking probabilities means that routers farther away from the point of damage (ie, routers with larger hop distances) are less likely to survive IP fragments.

Therefore, in order to restore the attack path at the point of damage, packets must be collected until all the IP fragments of the farthest router arrive, and the smaller the probability that the router's IP fragments reach the damage point, the more packets to collect. Increases.

In addition, Ref. [9] proposes a marking probability that minimizes the number of collected packets as a function of hop distance of each router, and Ref. [13] adjusts the marking probability according to the number of hops that a packet passes. Reference [14] proposes a similar technique or a method based on the TTL value of each packet.

However, because PPM, when applied to practical situations, results in a huge combination of IP fragments and a very high recovery rate, reducing the packet collection time alone does not fully guarantee the practicality of PPM.

Two different approaches have been proposed, one of which is tagging and the other is the use of router maps.

First, the tagging technique requires routers to attach their own tag (identifier) to each packet, where the tag is a different identifier from IP (see references [3], [9], [11]).

More specifically, since each router has its own IP, if a router ported its IP as it is, the router immediately knows which router the packet came from.

However, as noted above, although the Identification field, where the router stores its IP, is only 16 bits in size, multiple routers must use this field jointly, so each router is not a full IP of its own, but some fragmented IP (usually the original). Only one-eighth piece of IP is stored, and the IP pieces received at the point of damage do not know if they are IP pieces of the same router.

Therefore, the tag is information added to enable the IP fragments belonging to the same router to be recognized.

Here, since the field available for the tag is also part of the Identification field, up to 4 bits may be used for the tag.

That is, routers issue a random number of 4 bits and make it their own tag, and when they write their own IP fragments in the packet, they record these tags together, and at the point of damage, they collect the original IP fragments with the same tag. Since the IP is recovered, if all routers with the same hop distance have different tags, the IPs can be recovered without combining IP fragments. In this case, there is also no fragment combination, so the restoration rate is zero.

However, the tag scheme described above still causes a problem of fragmentation because the number of routers existing at the same hop distance increases as the attack paths are multiplexed, and thus the same tag increases.

In addition, since the tag is used in the field that contains the hash fragment value, there is no hash fragment value to check the error of the combined IP fragment, so that error checking is relatively incomplete when a tag collision occurs, which causes a high restoration rate.

In other words, the method described in Ref. [9] discloses the results of reducing the number of packet combinations under multiple attack paths using 4-bit tags, and Ref. [3] also uses tags (address digests) for edge routers. The technique of recovering an IP address is shown.

Therefore, both techniques show a problem that the restoration rate increases exponentially as the number of routers increases, as described above. [11] proposes a technique for reducing the restoration rate by using a plurality of tags. Instead, the problem arises that the number of IP fragment combinations increases rapidly.

Here, another method of controlling the number of IP fragment combinations and the restoration rate is the use of a router map (see references [8], [19], and [20]).

This method assumes that the victim system has a router map for every router on the packet path that reaches it in advance, and the router sends the 11-bit hash value of its IP address and hop distance from the point of damage in the inbound packet. Marking method (see Ref. [19]).

In this case, if it is decided not to mark, as in the conventional PPM, only the hop distance value is increased by one, and the victim system can see exactly what routers the attack packet is coming through by looking at its router map.

Similarly, the method uses node marking instead of edge marking to maximize the utilization of router maps (see Ref. [20]) and autonomous system (AS) numbers and unique numbers within these ASs to avoid exposing IP addresses. Is used instead (see Ref. [8]).

In the above method, since there is a router map, it is not difficult to assign a unique identification number to every router on the map, and the identification number can be used to calculate the attack path directly at the point of damage without the fragment combination process.

However, creating and maintaining a router map itself is a very difficult task. Currently, the practicality of using a router map method is limited.

As mentioned above, PPM is an IP tracking method that does not induce network traffic and does not change protocols. It shows superior performance compared to other methods, but for practical use, it is required to collect packets, fragment combinations, and errors in a wide range of multipath attacks. The rapid increase in the recovery rate has been a hindrance, and the solutions proposed so far do not solve these problems at the same time as described above, but are only partial solutions.

Therefore, the inventors have performed the following IP tracking technique to properly control the number of packet collection, completely eliminate the fragment combining process, and to achieve zero restoration rate and no additional costs such as router map as follows. Suggested.

In other words, the IP tracking method proposed by the present invention is a so-called interstitial-tagged fragment marking scheme (STFMS), and may be referred to as PPM using tagging.

That is, as described above, tagging is a very effective way to reduce the number of combinations (the number of recombination of fragments to find the attacker's IP) when there are not many routers involved and there is little probability of collision from the same tag.

However, for example, if you use 4-bit tags and 1,000 routers send IP fragments at the same time, tag collisions (if they have the same tag value) will necessarily occur, and there are two solutions to this: Can be summarized.

That is, each router has a very low probability of marking the packets it passes (taging the router's IP fragment, the offset indicating the fragment's location, and the router's 4-bit hash). , Do not (OFF).

In addition, the victim takes the packets that are collected from the moment the attack is recognized and performs IP recovery of the routers used in the attack.

Here, since the number of routers increases, the marking may be very rare. That is, since the ON period is kept very short compared to the OFF period, the number of packets to be marked becomes very small.

Instead, once marking has started, marking continues until all IP fragments have been marked, and for this reason, we have named this method the Sparsely-Tagged Fragment Marking Scheme.

Subsequently, more specific details of the intermittent tag transplantation fragment marking technique according to the present invention as described above will be described.

First, assuming that each of N routers sends M packets to a victim, each router marks each packet passing with a certain probability P1.

Here, once marking starts, all eight packets are marked after that, and a total of eight consecutive markings are performed according to the offset value order of the router IP fragments.

That is, during 8 markings, the IP fragments of the router divided into 8 parts are used in sequence. When marking (ON) is finished with probability P1, non-marking (OFF) is started again with probability 1-P1.

As a result, the total M packets passing through each router are divided into marked packets and unmarked packets.

This marking process can be seen as a special case of the ON / OFF discrete reproduction process, the process of repeating the OFF interval lasts for a random period and the confirmed ON interval for 8 periods.

In terms of reliability theory, the probability of a system failure is P1. If a failure occurs, it requires repair for eight periods and then resumes normal operation.

Therefore, the marking section can be thought of as a repair-ON period for troubleshooting and the non-marking section as a repair-OFF period for normal operation.

In addition, it is assumed that the victim receives one packet at a time from a total of N routers, and this process is called a round.

If all routers send M packets each, the victim has M rounds in total.

Thus, each round consists of marked or unmarked packets received from N routers, and IP reconstruction is performed by classifying and comparing the tag values and offset numbers of the packets of the routers marked for each round.

Here, when a total packet set including all eight offsets is k in any router, Router 1, one comparison group includes eight rounds and a set of other routers that send marked packets among those rounds. Will be

In addition, if the set of all other routers that send packets marked during the i-th marking process in router 1 is the i-th comparison group of router 1, k total comparison groups exist in router 1.

Since the number of routers included in each comparison group will be different each time, if the tag of router 1 is different from that of all other members in the comparison group, router 1's IP is determined.

In addition, in the above description, 'complete packet set' means a collection of packets including all eight different offsets in one router, and 'comparison group' means a packet marked during a marking period of one router. Means a set of outgoing different routers.

As described above, the proposed algorithm is largely composed of two parts, that is, the first is the ON / OFF marking process, and the second is the IP restoration process.

Thus, each router applies a first algorithm (ON / OFF marking) to all packets passing through, and the victim system uses the second algorithm to restore IP sequentially.

That is, as shown in FIG. 2, the first algorithm performs marking with a specific probability of P1 for each packet passing by each router, and once marking starts, subsequent packets are processed according to the offset value order of the corresponding router IP fragment. In the step of performing all of the markings in succession, and when the marking is finished with a probability of P1, the non-marking starts again with a probability of (1-P1), and as a result, all packets passing through each router are marked and unmarked. It is divided into packets.

Here, in the marking process, the state is checked and marked with probability 1 if it is ON, the offset value is increased, the state is kept ON, and subsequently, if the IP fragment corresponding to the last 8th offset is marked, then again. The process of changing the state to OFF and marking the probability P1 in the OFF state is repeated.

In addition, the second algorithm maintains an Intermediate-IP-Table having an offset value and a tag value of IP fragments collected for each tag, as shown in FIG. 3, and sequentially extracts packets from the packet buffer. Receiving and filling a value at a corresponding position of the Intermediate-IP-Table; when all pieces of a particular tag are filled, the value is transferred to the Final-IP-Table where IPs restored from the Intermediate-IP-Table are stored. Configured to move to and determine the last restored IP, and if there is no offset value incrementing in turn on a particular tag, or if different IP fragments collide with the same offset value, then discard all data for that tag and start over .

Therefore, the two algorithms as described above are referred to as an STFMS algorithm, and the contents of the STFMS algorithm as described above are summarized in the form of pseudo code as follows.

[ STFMS  algorithm ]

1. At each router, the first algorithm ( ON Of OFF marking Steps to follow

[First algorithm]

input :

    Status: ON or OFF

    IP fragment location (offset_val): location of the next IP fragment

    P1: Marking Probability

Print :

    New status (status), next IP fragment location (offset_val)

    Marked or Unmarked Packets

Way :

If (status == OFF) {// we are in non-marking period

    marking = decide whether to mark or not with probability P1;

   if (marking) {// we decided to start a marking period

       offset_val = 0;

       send marked packet with offset offset_val;

    status = ON;

} Else // we decided to stay in non-marking period

    send unmarked packet;

} Else {// we are in marking period

    offset_val = offset_val + 1;

    if (offset_val == 7) // last offset

       status = OFF; // we go back to non-marking period

    send marked packet with offset offset_val;

}

2. The second algorithm in the victim system ( IP  The restoration process).

[Second algorithm]

input :

    Packet buffer: The system buffer that stores the arrival packet.

    Intermediate-Ip-Table: Table of IP fragments collected for each tag

    Final-Ip-Table: Table with recovered IPs

Print :

    updated Intermediate-Ip-Table

    update Final-Ip-Table

Way :

    packet = get the next packet from the packet buffer;

    curr_ipfrag = the IP fragment in this packet;

    curr_offset = the offset value of the IP fragment in this packet;

    curr_tag = the tag value of the IP fragment in this packet;

    curr_entry = the entry in the Intermediate-Ip-Table for curr_tag;

    if (curr_ offset is not the expected location for this curr_tag) {

        reset the entry for curr_tag in the Intermediate-Ip-Table;

        skip this packet;

} else {

    if (the curr_offset location in curr_entry is empty) {

        insert curr_ipfrag in curr_offset location in curr_entry;

        if (all 8 IP fragments are found) {

        store this IP in the Final-Ip-Table;

        reset the entry for curr_tag in the Intermediate-Ip-Table;

    }

} else {

    reset the entry for curr_tag in the Intermediate-Ip-Table;

    }

}

In addition, the basic concept of the IP recovery algorithm as described above can be briefly described as follows.

That is, the victim system maintains an Intermediate-IP-Table with eight IP fragments for each tag for every possible tag, receives packets from the packet buffers in turn, and fills the table with the corresponding location.

If all eight pieces of a tag are filled, the value is moved from the Intermediate-IP-Table to the Final-IP-Table.

However, if there is no offset value incrementing in turn for a particular tag, or if different IP fragments are competing for the same offset value, then you must discard all data from that tag and start over.

In the following, a process of performing marking and restoring an IP address by the above algorithm will be described.

Performance Analysis

Hereinafter, the formula for deriving the average of the ratios of which IP is determined under STFMS will be described.

This equation, in turn, depends on the total number of routers (N), the number of packets sent per router (M), and the marking probability (P1).

Therefore, as follows, an appropriate marking probability value for the minimum number of packets needed to obtain a satisfactory IP determination rate for any number of routers can be proposed.

은 IP가 정해진 라우터의 수가 된다.
First, if the IP of the i th router is determined, an indication probability variable having a value of 1 or 0 is R _i ,

Is the number of routers for which IP is specified.

Here, since R ₁ , ..., R _N can be assumed to follow the same distribution, the average ratio of routers for which IP is determined is given as follows.

E (R) / N = E (R ₁ ) = P (R ₁ = 1)

If the ratio of marked packets among all M packets of one router is P0, if only one packet is marked, P ₁ will be equal to P ₀ .

However, in STFMS, since 8 packets are continuously marked, P ₀ is larger than P ₁ , and the exact relation is shown in the following theorems.

[Theorem 1]

If the marking probability of each router is P ₁ under the STFMS algorithm, the average rate of the marked packets among all M packets is as follows.

Also, if the random variable X is the number of complete packet sets in router 1, there will be k comparison groups when X = k, and router 1's IP will be determined in k comparison groups, If the event determined in the i comparison group is B _i , then the next two events are the same when X = k.

{R ₁ = 1} = B ₁ ∪ ... ∪ B _k

Here, P (B _i ) represents the probability that the tag of router 1 is different from the tags of all members in the i th comparison group, and this probability is the same in all comparison groups, so P (B _i ) = ... P (B _k ), and events B ₁ ,..., B _k can be assumed to be independent of each other because they have a high probability of different members.

therefore,

P (R ₁ = 1│X = k) = P (B ₁ ∪ ... ∪ B _x │X = k)

= 1-(P (B ₁ ^c )) ^k

= 1- (1-(P (B ₁ )) ^k

Lt;

P (R ₁ = 1) = E [1- (1-P (B ₁ )) ^X ]

.

To calculate P (R ₁ = 1), we need to know the probability distributions of the probability values P (B ₁ ) and X. We can obtain the result as shown in the following two theorems.

[Theorem 2]

이고 성공확률 P₀인 이항분포를 따른다.
First, the complete packet set X of router 1 is trial

And binomial distribution with success probability P ₀ .

인 포아송 분포(Poisson distribution)를 따른다.
Also, the number of trials is large and the probability of success is small, so the average

Follow the Poisson distribution.

는 x의 정수부분을 나타낸다.
here

Denotes the integer part of x.

[Theorem 3]

Also, the probability of restoring IP of router 1 in the first comparison group is given by

P (B ₁ ) = e ^{-2 Po (N-1) / 16}

If the random variable U follows the Poisson distribution with mean a, then for any constant b> 0,

E (b ^U ) = e ^{a (1-b)}

Combining this fact with the above two theorems produces the following results:

[ conclusion ]

If the total number of routers is N, the marking probability is P1, and all routers send M packets according to the STFMS algorithm, the average ratio (ep) for which IP is determined is as follows.

Where d = P (B ₁ ) = e ^{-2 Po (N-1) / 16} , and P ₀ = 8 / (1 / P ₁ + 7).

In addition, when the above equation is converted into an equation relating to the number of packets to be sent, it is as follows.

As described above, since P ₀ is a function of P ₁ , d becomes a function of P ₁ and N, and thus ep becomes a function of (P ₁ , N, M).

Conversely, M is a function of (P ₀ , d, ep) and ultimately a function of (P ₁ , N, ep).

Given a simple calculation, given N and M, the optimal minimum value of M occurs at P1 = 1 / (N-8).

The following table gives some values (N, P ₁ , M) that are needed when ep = 0.95 (i.e. 95% average IP recovery rate).

values of N, P ₁ , M when ep = 0.95 N P ₁ M 512 1/412 4249.812 1/462 4176.98 1/512 4161.698 1/562 4184.472 1/612 4233.647 1024 1/824 8525.913 1/924 8368.806 1/1024 8330.791 1/1124 8371.225 1/1224 8465.908 1536 1/1236 12802.39 1/1386 12560.87 1/1536 12500.05 1/1686 12558.09 1/1836 12696.25 2048 1/1648 17078.97 1/1848 16753.00 1/2048 16669.35 1/2248 16744.99 1/2448 16930.62

In the table above, when the number of routers is N = 1024 = 2 ¹⁰ and the marking probability is P ₁ = 1 / N, it is necessary to send M = 8330 packets per router to maintain an average 95% IP recovery rate. Able to know.

As can be seen from the above limited simulation, the approximate optimal marking probability is P1 = 1 / N and it can be seen that approximately 8N packets should be collected for each router.

[ Experimental Example  And experimental results]

The analysis results described above indicate that when N routers were used for an attack, the number of packets needed to recover 95% of the IPs of these routers was 8N when the marking probability was 1 / N.

In order to confirm such an analysis result, the present inventors constructed the simulator as follows.

[ algorithm ]

input

N: number of routers

P ₁ : Marking probability

ep: IP ratio recovered correctly

Print

M: number of packets collected per router to recover the IP of ep

Way

1. Assign random IPs to N routers.

2. Have each router send a packet to the victim system (counted as one round).

3. The victim system collects these packets and updates the Intermediate-Ip-Table and Final-IP-Table.

4. If the number of recovered IPs is above or equal to the threshold, exit. Otherwise, return to step 2.

In the above algorithm, steps 2 and 3 execute the above-described first and second algorithms, respectively.

Table 2 below shows an example of the IP address generated in step 1, where 16 routers are assumed, and each fragment is assumed to be divided into 8 fragments of 32-bit IP addresses for each router. In addition, the tag value of each router is also displayed.

16 router IP addresses and tag values generated for the simulation (each router's IP address is divided into 8 pieces) router offset 0 offset 1 offset 2 offset 3 offset 4 offset 5 offset 6 offset 7  tag 0 7 3 4 11 6 8 11 7 2 One 12 5 5 5 15 9 0 5 3 2 11 8 12 8 6 14 13 13 5 3 14 6 14 2 12 13 7 14 7 4 2 2 9 2 0 9 9 One 4 5 8 One 14 10 5 9 6 2 5 6 5 14 0 5 10 9 14 9 One 7 12 13 13 9 7 One 10 10 2 8 10 9 3 3 3 10 5 12 9 9 2 11 13 One One 2 13 9 3 10 8 9 3 14 13 10 6 5  4 11 13 12 13 9 One 0 6 9  13 12 2 3 13 12 13 One 11 0  0 13 5 4 0 5 4 12 11 6  One 14 6 10 2 One 13 13 9 7  8 15 2 7 14 4 7 0 10 6  15

In addition, the format of marking the identification field of the packet is as shown in FIG.

That is, as shown in Fig. 1, in addition to the 4-bit IP fragment, an offset 3 bits showing the location of the fragment, a hop distance of 5 bits from the current router from the point of damage, and a fragment You can see that 4 bits of tag showing which router came out are included in the total 16 bits.

In addition, the following [Table 3] shows the markers actually produced by each router.

As mentioned above, in each round, routers have a 1/16 chance of deciding whether or not to mark their IP address in the packet, and once a router decides to mark, it must send all its IP fragments in a row for eight rounds. do.

Table 3 shows the marking results up to 8 rounds, that is, router 9 determines the marking in round 1 and continues marking until round 8.

In addition, the value of each field as shown in FIG. 1 is displayed on each marker.

For example, router 0 starts marking from round 6, with the first marker being (1, 0, 7, 2), meaning hop distance 1, IP fragment location 0, IP fragment value 7, and tag value 2. do.

Subsequently, Table 4 shows the Intermediate-IP-Table that the victim system builds for IP tracking, which shows which IP fragments of which tags have arrived so far.

That is, [Table 4] shows the information about IP fragments arriving until round 5, and it can be seen that IP fragments having four kinds of tags (tags 1, 2, 3, and 7) arrived until round 5. .

Here, in the case of tag 3, IP fragments arrive at fragment positions 0, 1, 2, 3, and 4, so if the IP fragments of tag 3 arrive at the fragment positions 5, 6, and 7 without collision, tag 3 You can expect that the IP address of your router will be able to recover successfully.

In addition, referring to Table 5, Table 5 is a table showing rounds 6, 7, and 8, where in the case of tag 3, all IP fragments arrived successfully without collision.

Subsequently, as described above, the tag having successfully recovered the IP address is copied to the Final-IP-Table as shown in [Table 6].

However, in round 6, tag collisions occur, that is, in Table 3, IP fragments with tag 2 arrive for fragment positions 0, 1, 2, and 3, starting from round 2, and these IP fragments You can see that Router 7 was sending.

So, if IP fragments arrive without tag collision for fragment positions 4, 5, 6, and 7 in the future, tag 2 will also succeed in recovering the IP address, but in Table 2, in round 6, router 0 sends fragments with tag 2 To start.

Thus, in Round 6, two markers with the same tag but with different fragment locations and IP fragment values arrive at the point of damage, and as described above, different markers are marking the same tag value. In other words, it can be seen that a tag collision occurred.

In this case, the second algorithm is to give up all IP fragments collected for the tag in this case and reset the position of the next fragment to be inserted on the Intermediate-IP-Table to zero.

That is, referring to Table 5, it can be seen that all IP fragments of Tag 2 are abandoned by the tag collision.

In addition, the second algorithm allows the insertion to be abandoned even when the fragment position of the IP fragment to be inserted is different from the next insertion fragment position on the Intermediate-IP-Table.

Therefore, after Round 6, all IP fragments sent by Router 7 and Router 0 are automatically abandoned.

After this conflict is resolved, in the future, if another router starts sending an IP fragment to Tag 2, the fragment location will start at zero, which is again matched by the victim system as it matches the next insertion fragment location on the Intermediate-IP-Table. Will begin to be collected.

Markers sent by routers in each round router round 1 round 2 round 3 round 4 round 5 round 6 round 7 round 8 0 1,0,7,2 1,1,3,2 1,2,4,2 One 2 3 1,0,14,7 1,1,6,7 1,2,14,7 1,3,2,7 4 1,0,2,4 1,1,2,4 5 1,0,8,5 1,1,1,5 6 1,0,5,1 1,1,14,1 1,2,0,1 1,3,5,1 1,4,10,1 1,5,9,1 7 1,0,12,2 1,1,13,2 1,2,13,2 1,3,9,2 1,4,7,2 1,5,1,2 1,6,10,2 8 9 1,0,2,3 1,1,11,3 1,2,13,3 1,3,1,3 1,4,1,3 1,5,2,3  1,6,13,3 1,7,9,3 10 11 1,0,13,13 1,1,12,13 12 13 14 15

Intermediate-IP-Table (round 1 to round 5) before tag collision  tag offset 0 offset 1 offset 2 offset 3 offset 4 offset 5 offset 6 offset 7 0 One 5 14 0 2 12 13 13 9 3 2 11 13 One One 4 5 6 7 14 8 9 10 11 12 13 14 15

Intermediate-IP-Table after tag collision (rounds 6, 7, 8) tag offset 0 offset 1 offset 2 offset 3 offset 4 offset 5 offset 6 offset 7 0 One 5 14 0 5 10 9 2 3 2 11 13 One One 2 13 9 4 2 2 5 8 One 6 7 14 6 14 2 8 9 10 11 12 13 13 12 14 15

tag offset 0 offset 1 offset 2 offset 3 offset 4 offset 5 offset 6 offset 7 3 2 11 13 One One 2 13 9

In addition, the results of the simulation as described above are shown in the following [Table 7], which can be seen that very similar to the above-described mathematical analysis results.

That is, as described above, the simulation was performed for various router numbers and marking probabilities, and two singularities were observed as follows.

First, the number of packets to be collected for IP address recovery was about 8N per router. For example, when N = 512, the number of packets collected is 3469 to 5202.

Secondly, the marking probability for minimizing the number of packets to be collected was close to 1 / N. For example, when N = 512, the number of collected packets is minimum at P ₁ = 1/512.

In this case, as the probability of marking increases, markers are recorded in more packets, but accordingly, tag collision probability also increases, and thus, more packets need to be collected until a non-collision marker arrives.

Conversely, the smaller the probability of marking, the lower the probability of tag collision, but still increases the number of packet collections, since it has to wait for the arrival of a packet with a marker.

Therefore, the marking probability (in the case of a router) is a value that minimizes the number of packet collections by preventing excessive tag collisions and ensuring that there are enough packets with markers. In this case, the number of packets to be collected is close to 8N as described above. to be.

Number of packets collected per router needed to recover an IP address based on marking probability Number of routers Marking probability (P ₁ ) Number of packets collected per router 512 1/212 5202 512 1/312 4135 512 1/412 3982 512 1/512 3469 512 1/612 4075 512 1/712 4238 512 1/812 5026 1024 1/724 8237 1024 1/824 6806 1024 1/924 7196 1024 1/1024 6709 1024 1/1124 7370 1024 1/1224 7981 1024 1/1324 8096 1536 1/1236 11376 1536 1/1336 11303 1536 1/1436 11259 1536 1/1536 10960 1536 1/1636 11231 1536 1/1736 11131 1536 1/1836 11764 2048 1/1748 14984 2048 1/1848 14760 2048 1/1948 14452 2048 1/2048 14467 2048 1/2148 14267 2048 1/2248 14843 2048 1/2348 15731

[ conclusion ]

As mentioned above, when a large number of routers are used for an attack, such as a large-scale DDoS attack, tracking the first attacker by recovering the IP addresses of the routers existing in the attack path is not an easy problem. Likewise, when a large number of routers were used in an attack, IP fragment combinations were exploded, a sudden increase in restoration rate was incurred, or excessive computing costs such as router map generation / management were caused.

On the other hand, the inventors can recover the IP address without IP fragment combination by attaching the tag, and each router has a low probability and ON-OFF scheme to prevent the tag collision that occurs when a large number of routers join the attack. We solve these problems by making marking with.

That is, as described above, an IP tracking method can be implemented under a wide multipath attack by intermittent tag transplantation according to the present invention. Also, through the simulation and mathematical analysis as described above, a large number of routers over 1024 attacks Even in the path, it was able to recover 95% of the original IP without fragmentation and with zero recovery, and the number of packets to be collected was only 8N packets per router for N routers.

Therefore, according to the present invention, it is possible to solve the problem of an increase in combination explosion or restoration rate, and to provide a new IP tracking technique that does not incur additional costs since no router map creation and management is required.

As described above, the details of the IP tracking method under the wide multipath attack by the intermittent tag transplantation according to the present invention have been described through the embodiments of the present invention as described above, but the present invention is only described in the above embodiments. The present invention is not limited, and therefore, it is obvious that various modifications, changes, combinations, and substitutions may be made by those skilled in the art according to design needs and various other factors. I will say.

Claims (6)

In IP tracking method under a wide multipath attack by sparsely-tagged fragment marking scheme (STFMS),
At each router, it performs (ON) or disables (OFF) marking all packets passing through it with a tag that is an IP fragment of the router, an offset indicating the location of the fragment, and a 4-bit hash of the router. Performing a first algorithm,
In the victim system, performing a second algorithm for recovering the IPs of the routers used in the attack by using the packets collected from the moment of recognition of the attack. IP tracking method.
The method of claim 1,
The first algorithm,
In each router, marking is performed with a certain probability of P1 for each packet passing, and once marking is started, all subsequent packets are successively marked according to the offset value order of the corresponding router IP fragment.
When marking is finished with the probability of P1, non-marking is started again with the probability of (1-P1), and as a result, all the packets passing through each router are classified into a marking packet and an unmarking packet. IP tracking method under extensive multipath attack by transplantation.
The method of claim 2,
The first algorithm is,
If the current state is ON, the marking is performed with a probability of 1, the offset value is increased, and the state is kept ON.
When marking is performed up to the IP fragment corresponding to the final offset, the state is switched back to OFF.
If the current state is OFF, IP tracking method under extensive multipath attack by intermittent tag transplantation, characterized by repeating the marking process with probability P1.
The method of claim 3,
The first algorithm marks the tag with the IP fragment information in an identification field of a packet passing through each router,
By holding the marking (ON) period shorter than the marking (OFF) period, the number of packets performing marking is reduced, so that the IP under extensive multipath attack by intermittent tag transplantation is reduced. Tracking method.
The method of claim 1,
The second algorithm is
Maintaining an Intermediate-IP-Table with an offset value and a tag value of IP fragments collected for each tag for every possible tag;
Receiving packets in turn from a packet buffer and filling values at corresponding positions in the Intermediate-IP-Table;
Once all fragments in a particular tag are filled, move the value to the Final-IP-Table where the restored IPs are stored in the Intermediate-IP-Table and determine the final restored IP,
If there is no offset value incrementing in sequence for a specific tag, or if different IP fragments collide with the same offset value, then a wide range of multipathing with intermittent tag transplantation is provided, including the step of discarding all data of the tag and starting anew. How to track IP under attack.
The method of claim 1,
The tracking method is characterized in that when the total N routers are used for an attack, the number of packets needed to recover 95% of the IPs of the routers without fragmentation and zero recovery rate is 8N when the marking probability is 1 / N. IP tracking method under extensive multipath attack by intermittent tag transfer.

Images