Identification of Attack Nodes from Traffic Matrix Estimation

Yuichi OHSITA, Shingo ATA, Masayuki MURATA

Publication
IEICE TRANSACTIONS on Communications   Vol.E90-B   No.10   pp.2854-2864
Publication Date: 2007/10/01
Online ISSN: 1745-1345
DOI: 10.1093/ietcom/e90-b.10.2854
Print ISSN: 0916-8516
Type of Manuscript: PAPER
Category: Internet
Keywords: distributed denial of service (DDoS), traceback, traffic matrix, simple network management protocol (SNMP)



Summary: 
Distributed denial-of-service (DDoS) attacks on public servers have recently become more serious. The most effective way to stop this type of traffic is to identify the attack nodes and detach (or block) them at their egress routers. However, existing traceback mechanisms are not widely used, for reasons such as the need to replace many routers with ones that support traceback, or the difficulty of distinguishing attack traffic from legitimate traffic. In this paper, we propose a new scheme that enables a traceback from a victim to the attack nodes. More specifically, we identify the egress routers that the attack nodes are connected to by estimating the traffic matrix between arbitrary source-destination edge pairs. By monitoring the traffic variations obtained from the traffic matrix, we identify the edge routers that are forwarding the attack traffic, i.e., those that show a sharp increase in traffic to the victim. We also evaluate the effectiveness of the proposed scheme through simulation, and show that it can identify attack sources accurately.
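The monitoring step described in the summary, as an added illustration that is not code from the paper: given a time series of estimated traffic from each source edge router to the victim's edge router, flag the source edges whose traffic to the victim rises sharply. The traffic matrix estimation step is assumed to have already produced the per-interval values; the sample series, the edge router names (E1, E2, E5, E7, E9), the baseline length and the "mean plus k standard deviations plus an absolute floor" rule are all constructed assumptions for this example, not the authors' detection criterion.

```python
from statistics import mean, pstdev

VICTIM_EDGE = "E9"  # hypothetical: the edge router the victim server sits behind

# Constructed sample: estimated traffic (Mbps) from each source edge router to
# VICTIM_EDGE, one entry per SNMP polling interval (say 5 minutes). The traffic
# matrix estimation step is assumed to have produced these values.
# Intervals 0-7 are normal. From interval 8, E2 and E5 ramp up sharply (the
# constructed attack); E1 shows a mild legitimate rise; E7 stays flat.
SAMPLE_SERIES = [
    {"E1": 10.0, "E2": 4.0, "E5": 6.0, "E7": 2.0},  # 0
    {"E1": 11.0, "E2": 4.0, "E5": 7.0, "E7": 2.0},  # 1
    {"E1": 9.0, "E2": 5.0, "E5": 6.0, "E7": 3.0},   # 2
    {"E1": 10.0, "E2": 4.0, "E5": 5.0, "E7": 2.0},  # 3
    {"E1": 12.0, "E2": 3.0, "E5": 6.0, "E7": 2.0},  # 4
    {"E1": 10.0, "E2": 4.0, "E5": 7.0, "E7": 2.0},  # 5
    {"E1": 9.0, "E2": 5.0, "E5": 6.0, "E7": 3.0},   # 6
    {"E1": 11.0, "E2": 4.0, "E5": 5.0, "E7": 2.0},  # 7
    {"E1": 13.0, "E2": 12.0, "E5": 12.0, "E7": 2.0},  # 8  attack starts
    {"E1": 14.0, "E2": 25.0, "E5": 30.0, "E7": 3.0},  # 9
    {"E1": 14.0, "E2": 35.0, "E5": 45.0, "E7": 2.0},  # 10
    {"E1": 15.0, "E2": 40.0, "E5": 50.0, "E7": 2.0},  # 11
]

BASELINE_INTERVALS = 8  # learning period assumed to be attack-free (assumption)


def learn_baseline(series, n=BASELINE_INTERVALS):
    """Per-source mean and population stdev of traffic to the victim over the
    first n intervals. Returns {src: (mean, stdev)}."""
    stats = {}
    for src in series[0]:
        vals = [series[t][src] for t in range(n)]
        stats[src] = (mean(vals), pstdev(vals))
    return stats


def flag_sources(series, t, baseline, k=3.0, min_increase_mbps=5.0):
    """Source edges whose traffic to the victim at interval t is a sharp
    increase: above mean + k*stdev AND at least min_increase_mbps above the
    mean. The absolute floor keeps low-volume but jittery legitimate flows
    from being flagged on the sigma test alone."""
    flagged = []
    for src, (mu, sigma) in baseline.items():
        now = series[t][src]
        if now > mu + k * sigma and now - mu >= min_increase_mbps:
            flagged.append(src)
    return sorted(flagged)


def first_detection(series, n=BASELINE_INTERVALS, **rule):
    """Earliest interval after the learning period at which each source is
    flagged (None if never), i.e. the detection delay of the rule."""
    baseline = learn_baseline(series, n)
    first = {src: None for src in series[0]}
    for t in range(n, len(series)):
        for src in flag_sources(series, t, baseline, **rule):
            if first[src] is None:
                first[src] = t
    return first


if __name__ == "__main__":
    base = learn_baseline(SAMPLE_SERIES)
    for src, (mu, sigma) in base.items():
        print(f"{src} -> {VICTIM_EDGE}: baseline {mu:.2f} Mbps, stdev {sigma:.2f}")
    print("flagged at interval 8:", flag_sources(SAMPLE_SERIES, 8, base))
    print("first detection per source:", first_detection(SAMPLE_SERIES))
```

With the constructed data, E2 and E5 are flagged at interval 8 and E1 is never flagged; dropping the absolute floor (`min_increase_mbps=0.0`) flags E1 at interval 9 on its mild legitimate rise, which is the false-positive risk a pure sigma test carries. A production version would also re-learn the baseline periodically while excluding intervals already flagged, so that an ongoing attack does not contaminate the notion of "normal".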