DOI: 10.1145/1815396.1815667

Reconstruction of malicious internet flows

Published: 28 June 2010

Abstract

We describe a general-purpose distributed system capable of tracing back the trajectories of malicious flows across the wide area despite possible source IP spoofing. Our system requires the placement of agents on a subset of the inter-autonomous system (AS) links of the Internet. Agents are instrumented with a uniform notion of attack criterion. Once deployed, these agents implement a self-organizing, decentralized mechanism that reconstructs topological and temporal information about malicious flows. For example, when the attack criterion is taken to be excessive TCP connection establishment traffic to a destination, the system becomes a traceback service for distributed denial of service (DDoS) attacks. As another special case, when the attack criterion is taken to be a malicious payload signature match as defined by an intrusion detection system (IDS), the agents provide a service for tracing malware propagation pathways. The main contribution of this paper is to demonstrate that the proposed system is effective at recovering malicious flow structure even at moderate levels of deployment in large networks, including within the present Internet topology.
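As an added illustration of the idea in the abstract (not the paper's own algorithm, whose details are not on this page): a constructed inter-AS topology with agents on only some links, one shared SYN-rate attack criterion, and a reconstruction that walks the known topology between reporting agents. Source addresses are deliberately never consulted, since they may be spoofed; all names, addresses and timings below are constructed.

```python
from collections import defaultdict

# Constructed inter-AS topology: directed links (upstream_as, downstream_as).
AS_LINKS = [(1, 2), (2, 3), (3, 6), (4, 5), (5, 6), (6, 7)]
# Partial deployment: agents sit on only some links; (2,3) and (4,5) have none.
AGENT_LINKS = {(1, 2), (3, 6), (5, 6), (6, 7)}

# Constructed flow records seen per link: (link, time, src_ip, dst_ip, syn_count).
# Source IPs are spoofed and differ per hop; only the link and its timing are trusted.
OBSERVATIONS = [
    ((1, 2), 10, "10.0.0.1", "198.51.100.9", 800),
    ((3, 6), 12, "172.16.0.7", "198.51.100.9", 790),
    ((5, 6), 11, "192.0.2.3", "198.51.100.9", 650),
    ((6, 7), 13, "10.9.9.9", "198.51.100.9", 1400),
    ((6, 7), 13, "10.1.1.1", "203.0.113.4", 5),   # benign flow, below threshold
]

def attack_criterion(rec, threshold=500):
    """Uniform criterion every agent applies: excessive SYNs toward one destination."""
    return rec[4] >= threshold

def agent_reports(observations):
    """Each deployed agent keeps (link, time) for matching flows, keyed by victim IP."""
    reports = defaultdict(list)
    for rec in observations:
        link, t, _src, dst, _n = rec
        if link in AGENT_LINKS and attack_criterion(rec):
            reports[dst].append((link, t))
    return reports

def reconstruct(victim, reports, topology):
    """Links whose agents reported the victim's flow are 'observed'; uninstrumented
    links between two reporting agents with consistent timing are 'inferred'."""
    reported = dict(reports[victim])
    preds = defaultdict(list)
    for a, b in topology:
        preds[b].append((a, b))
    trajectory = {}
    for link, t in reported.items():
        trajectory[link] = "observed"
        stack = [(p, [p]) for p in preds[link[0]]]   # walk upstream from this link
        while stack:
            cur, path = stack.pop()
            if cur in reported:
                if reported[cur] <= t:                # upstream sighting is not later
                    for skipped in path[:-1]:
                        trajectory.setdefault(skipped, "inferred")
                continue
            stack.extend((p, path + [p]) for p in preds[cur[0]] if p not in path)
    return trajectory
```

Link (4,5) never appears in the result: with no agent upstream of (5,6) on that branch, the recovered trajectory ends there, which is the coverage trade-off behind the abstract's "moderate levels of deployment".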


Cited By

  • Botnet Mapping Based on Intersections of Traces. Proceedings of the 23rd International Conference on Distributed Computing and Networking, pp. 198-207, 4 January 2022. DOI: 10.1145/3491003.3491025
  • Finding DDoS attack sources: Searchlight localization algorithm for network tomography. 2011 7th International Wireless Communications and Mobile Computing Conference, pp. 418-423, July 2011. DOI: 10.1109/IWCMC.2011.5982570


    Published In

    IWCMC '10: Proceedings of the 6th International Wireless Communications and Mobile Computing Conference
    June 2010, 1371 pages
    ISBN: 9781450300629
    DOI: 10.1145/1815396

    Sponsors

    • Computer and Information Society

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. distributed denial of service
    2. flow reconstruction
