IP Traceback through Modified Probabilistic Packet Marking Algorithm
Y. Bhavani
Dept of Information Technology
KITS
Warangal, AP
yerram.bh@gmail.com
Dr. V. Janaki
Dept of Computer Science
Vaagdevi College of Engineering
Warangal, AP
janakicse@yahoo.com
Dr. R. Sridevi
Dept of Computer Science
JNTUH
Hyderabad, AP
sridevirangu@yahoo.com
Abstract— The denial of service (DOS) attack is one of the most
common attacks on the internet. The most difficult part of
handling this attack is finding its source. Savage et al.
proposed the PPM algorithm to trace back the route to the
attacker. We found two disadvantages of the Savage traceback
technique. The first is that the probability of finding far away
routers is very low, which results in losing the identity of some
of the routers. This affects the attack graph construction. The
second is that, because of re-marking of the edges, the
constructed graph contains new edges which do not exist in the
attack graph. In this paper, we propose a modified probabilistic
packet marking (MPPM) IP traceback methodology, and we found
that the results are quite interesting when compared with the
approach proposed by Savage.
Keywords— DOS attack, IP traceback, indicator, far away routers,
Modified Probabilistic Packet marking.
I. INTRODUCTION
The denial of service (DOS) attack is a pressing problem on the
internet. As the name suggests, a denial of service attack is one
that prevents legitimate users from accessing certain services.
Though this problem originated years ago, no profound solutions
have been proposed, as this attack is easy to detect but
difficult to prevent, because the only hint the victim has is the
source address, which can easily be forged. Hence, the only
solution is to find the entire attack path (from victim to
source). The attack path consists of the identities of the
various routers through which the packets travelled, along with
the source and victim addresses.
One of the solutions to deal with DOS attacks is IP traceback, a
complicated procedure which gives the route from the victim to
the attacker [2][3][5][8][12]. Once the probable source of the
malicious traffic has been identified, the system administrator
immediately takes preventive measures to get rid of the attacker.
The attack path can be traced from the received packets. To
construct it, packets should contain information regarding the
routers through which they have travelled. Hence, there should
be some methodology to store each router's identity in the
packet; this is achieved by a procedure called marking. There
are two techniques for the marking procedure: 1. Deterministic
Packet Marking procedure [4]. 2. Probabilistic Packet Marking
procedure [2][3][5][8]. This paper deals with the second
procedure, i.e. Probabilistic Packet Marking. The probabilistic
packet marking (PPM) algorithm proposed by Savage et al. [2]
introduced an idea for IP traceback. In this algorithm the
packets are marked probabilistically at every router, depending
upon a threshold marking probability value $P_m$, and all these
marked packets are collected by the victim to construct the
attack path [2][3]. In this approach it is observed that the
marked information contained in the packets will be overwritten
by the subsequent routers, which leads to wrong marking (new
edges) and a low chance of receiving the identification of far
away routers.
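The marking and overwriting behaviour described above, as an added example (not code from this paper or from Savage et al.): a simulation of one attack path that compares how often the victim receives each router's mark with p_m(1 - p_m)^d, where d is the number of routers that follow the marking router, and rebuilds the path from the received marks. It assumes the edge-sampling mark fields (start, end, distance) of the PPM scheme in [2], which this page does not list; the router names, P_m = 0.2 and the packet count are constructed values.

```python
import random
from collections import Counter

# Constructed path: R1 is nearest the attacker, R15 is adjacent to the victim.
PATH = [f"R{i}" for i in range(1, 16)]

def mark_along_path(path, p_m, rng):
    """Forward one packet; return the (start, end, distance) mark the victim
    receives, or None if no router on the path marked it."""
    start = end = distance = None
    for router in path:
        if rng.random() < p_m:        # mark: overwrite whatever was there
            start, end, distance = router, None, 0
        elif start is not None:       # carry an earlier mark forward
            if distance == 0:
                end = router          # close the edge start -> end
            distance += 1
    return None if start is None else (start, end, distance)

def collect_marks(path, p_m, packets, seed=1):
    """Victim side: count each distinct mark over `packets` attack packets."""
    rng = random.Random(seed)
    marks = Counter()
    for _ in range(packets):
        mark = mark_along_path(path, p_m, rng)
        if mark is not None:
            marks[mark] += 1
    return marks

def reconstruct_path(marks):
    """Order the marking routers by distance, farthest from the victim first.
    A distance with no surviving mark leaves a gap in the returned path."""
    by_distance = {distance: start for (start, _end, distance) in marks}
    return [by_distance[d] for d in sorted(by_distance, reverse=True)]

def expected_fraction(p_m, distance):
    """Chance that a mark survives `distance` later routers without overwrite."""
    return p_m * (1 - p_m) ** distance

if __name__ == "__main__":
    p_m, packets = 0.2, 20000
    marks = collect_marks(PATH, p_m, packets)
    for (start, end, d), n in sorted(marks.items(), key=lambda kv: kv[0][2]):
        print(f"{start}->{end or 'victim'} d={d:2d} "
              f"seen={n / packets:.4f} expected={expected_fraction(p_m, d):.4f}")
    print("reconstructed:", reconstruct_path(marks))
```

Lowering the packet count makes the farthest routers drop out of the reconstructed path first, which is the first disadvantage the paper attributes to PPM.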
Here we present a modified probabilistic packet marking
algorithm (MPPM). In this technique the router overhead is the
same as that of the PPM proposed by Savage et al. [2];
nevertheless, our algorithm is much more accurate in marking
the fields of the packets and efficient in construction of the
attack graph.
This paper is organized as follows. The probabilistic packet
marking (PPM) approach is explained in section 2. Section 3
introduces the Modified Probabilistic Packet Marking Algorithm
(MPPM). Section 4 explains the graph reconstruction procedure.
Section 5 presents the experimentation results. Section 6
compares the PPM and MPPM, and Section 7 concludes the paper.
II. PROBABILISTIC PACKET MARKING ALGORITHM
The Probabilistic Packet Marking (PPM) algorithm was
originally suggested by Burch and Cheswick [1]. Later it was
designed and implemented by Savage et al. [2] to solve the IP
traceback problem. It consists of two levels: the packet marking
procedure and the graph reconstruction procedure.
In the packet marking procedure, when a router receives a
packet, a random number is generated and the packet is marked
according to how that number compares with the threshold value
$P_m$, which is a predefined value. At the victim, the graph
reconstruction procedure uses these marked packets to construct
the graph. The constructed graph is the graph obtained by the
PPM algorithm, and the attack graph is the path the attack
packets have
traversed. The constructed graph should be the same as the
978-1-4799-2827-9/13/$31.00 ©2013 IEEE