DOI: 10.5555/1251306.1251321

Centertrack: an IP overlay network for tracking DoS floods

Published: 14 August 2000

Abstract

Finding the source of forged Internet Protocol (IP) datagrams in a large, high-speed network is difficult due to the design of the IP protocol and the lack of sufficient capability in most high-speed, high-capacity router implementations. Typically, not enough of the routers in such a network are capable of performing the packet forwarding diagnostics required for this. As a result, tracking down the source of a flood-type denial-of-service (DoS) attack is usually difficult or impossible in these networks.
CenterTrack is an overlay network, consisting of IP tunnels or other connections, that is used to selectively reroute interesting datagrams directly from edge routers to special tracking routers. The tracking routers, or associated sniffers, can easily determine the ingress edge router by observing from which tunnel the datagrams arrive. The datagrams can be examined, then dropped or forwarded to the appropriate egress point.
This system simplifies the work required to determine the ingress adjacency of a flood attack while bypassing any equipment which may be incapable of performing the necessary diagnostic functions.
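The mechanism the abstract describes, as an added Python simulation that is not code from the paper or from this ACM page: three edge routers tunnel datagrams destined for a victim prefix to one tracking router, and the tracking router attributes each datagram to its ingress edge router by the tunnel endpoint in the outer header, ignoring the forgeable inner source address. Router names, addresses, the victim prefix, the per-ingress drop threshold and the traffic mix are all constructed assumptions for the illustration.

```python
"""Added illustration of the CenterTrack idea (not the paper's code): edge routers
reroute 'interesting' datagrams into an overlay of tunnels, and the tracking router
identifies the ingress edge router from the tunnel a datagram arrived on.
Every name, address and packet below is constructed for the example."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Datagram:
    src: str            # IP source as written in the header; an attacker can forge it
    dst: str
    proto: str = "icmp"


@dataclass(frozen=True)
class Tunneled:
    """GRE-style encapsulation. The outer header is written by the edge router,
    so outer_src is trustworthy inside the provider's own network."""
    outer_src: str      # edge router's tunnel endpoint
    outer_dst: str      # tracking router
    inner: Datagram


class EdgeRouter:
    def __init__(self, name, tunnel_src, tracker_addr):
        self.name, self.tunnel_src, self.tracker_addr = name, tunnel_src, tracker_addr
        self.diverted = set()   # prefixes currently rerouted into the overlay

    def divert(self, prefix):
        """Operator action when a flood toward `prefix` is reported (assumed API)."""
        self.diverted.add(ip_network(prefix))

    def forward(self, dg):
        """Tunnel the datagram to the tracker if its destination is diverted;
        otherwise return None (ordinary hop-by-hop forwarding, not modelled)."""
        if any(ip_address(dg.dst) in p for p in self.diverted):
            return Tunneled(self.tunnel_src, self.tracker_addr, dg)
        return None


class TrackingRouter:
    def __init__(self, addr, tunnels):
        self.addr = addr
        self.tunnels = dict(tunnels)        # tunnel endpoint -> edge router name
        self.by_ingress = Counter()         # what the operator actually needs
        self.by_claimed_src = Counter()     # what the inner header claims (useless)

    def ingress_of(self, pkt):
        if pkt.outer_dst != self.addr:
            raise ValueError("datagram is not addressed to this tracking router")
        return self.tunnels.get(pkt.outer_src, "unknown-tunnel")

    def receive(self, pkt, drop_threshold=None):
        """Examine a tunneled datagram, then decide to drop it or forward it on
        toward its egress point. The per-ingress threshold is an assumption."""
        ingress = self.ingress_of(pkt)
        self.by_ingress[ingress] += 1
        self.by_claimed_src[pkt.inner.src] += 1
        if drop_threshold is not None and self.by_ingress[ingress] > drop_threshold:
            return "drop"
        return "forward"


def simulate():
    """Constructed scenario: a 100-packet flood with distinct forged sources enters
    at edge-B, plus one legitimate packet per edge and one undiverted packet."""
    tracker = TrackingRouter("10.0.0.1", {"10.0.1.1": "edge-A",
                                          "10.0.2.1": "edge-B",
                                          "10.0.3.1": "edge-C"})
    edges = [EdgeRouter("edge-A", "10.0.1.1", tracker.addr),
             EdgeRouter("edge-B", "10.0.2.1", tracker.addr),
             EdgeRouter("edge-C", "10.0.3.1", tracker.addr)]
    for e in edges:
        e.divert("198.51.100.0/24")          # constructed victim prefix

    traffic = [(edges[1], Datagram(f"203.0.113.{i + 1}", "198.51.100.10"))
               for i in range(100)]
    traffic += [(e, Datagram("192.0.2.7", "198.51.100.10", "tcp")) for e in edges]
    traffic.append((edges[0], Datagram("192.0.2.8", "192.0.2.99")))

    decisions = Counter()
    for edge, dg in traffic:
        pkt = edge.forward(dg)
        if pkt is None:
            decisions["not-diverted"] += 1
            continue
        decisions[tracker.receive(pkt, drop_threshold=50)] += 1

    top_ingress, count = tracker.by_ingress.most_common(1)[0]
    return {"top_ingress": top_ingress, "count": count,
            "distinct_claimed_sources": len(tracker.by_claimed_src),
            "decisions": dict(decisions)}


if __name__ == "__main__":
    print(simulate())
```

The point the run makes is the one in the abstract: the inner headers claim 101 different sources, which tells the operator nothing, while the tunnel bookkeeping attributes 101 datagrams to edge-B and 1 each to edge-A and edge-C, so the ingress adjacency is found without touching any router that cannot do per-packet diagnostics.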



Published In

SSYM'00: Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
August 2000
289 pages

Publisher

USENIX Association

United States


Cited By

  • (2019) Joint Minimization of Monitoring Cost and Delay in Overlay Networks. Journal of Network and Systems Management 27(1):188-232. DOI 10.1007/s10922-018-9464-1. Online publication date: 1 Jan 2019.
  • (2017) SMITE. Proceedings of the 10th International Conference on Security of Information and Networks, pp. 171-177. DOI 10.1145/3136825.3136878. Online publication date: 13 Oct 2017.
  • (2017) Unmasking of source identity, a step beyond in cyber forensic. Proceedings of the 10th International Conference on Security of Information and Networks, pp. 157-164. DOI 10.1145/3136825.3136870. Online publication date: 13 Oct 2017.
  • (2016) Towards security metrics-supported IP traceback. Proceedings of the 10th European Conference on Software Architecture Workshops, pp. 1-5. DOI 10.1145/2993412.2993416. Online publication date: 28 Nov 2016.
  • (2016) Overlay tunneling as a policy tool for defending mobile ad hoc networks. Security and Communication Networks 9(17):4482-4494. DOI 10.1002/sec.1640. Online publication date: 25 Nov 2016.
  • (2015) Coloring networks for attacker identification and response. Security and Communication Networks 8(5):751-768. DOI 10.1002/sec.1022. Online publication date: 25 Mar 2015.
  • (2014) Secure monitoring for dementia patients. Proceedings of the 29th Annual ACM Symposium on Applied Computing, pp. 14-19. DOI 10.1145/2554850.2554950. Online publication date: 24 Mar 2014.
  • (2011) DDoS detection and traceback with decision tree and grey relational analysis. International Journal of Ad Hoc and Ubiquitous Computing 7(2):121-136. DOI 10.1504/IJAHUC.2011.038998. Online publication date: 1 Mar 2011.
  • (2010) NetFence. ACM SIGCOMM Computer Communication Review 40(4):255-266. DOI 10.1145/1851275.1851214. Online publication date: 30 Aug 2010.
  • (2010) NetFence. Proceedings of the ACM SIGCOMM 2010 conference, pp. 255-266. DOI 10.1145/1851182.1851214. Online publication date: 30 Aug 2010.
