International Journal of Computer Applications (0975 – 8887) Volume 74– No.16, July 2013

IPv6 Packet Traceback: A Survey

Rajesh Kumar Singh, M.Tech Scholar, Department of Computer Science and Engineering, Graphic Era University, Dehradun, India
Sumit Pundir, Assistant Professor, Department of Computer Science and Engineering, Graphic Era University, Dehradun, India
Emmanuel S. Pilli, Ph.D, Professor, Department of Computer Science and Engineering, Graphic Era University, Dehradun, India

ABSTRACT
The Internet is expanding year by year and providing services of convenience and commercial value. It is also becoming prone to many attacks. Every day, new vulnerabilities are found, new threats are detected and attacks are launched. We need countermeasures for these attacks, and IDS and firewalls are not able to defend against all of them. In this situation we need to trace back the attacker and get to the source of the attack, so that there is deterrence to cyber criminals, thereby reducing the attack rate. In this paper we survey various traceback techniques for IPv6 after introducing the same for IPv4. We also analyze the differences between the packet header fields of IPv4 and IPv6 and list the challenges for IPv6 traceback.

General Terms
IP Traceback.

Keywords
IPv4, IPv6, DoS, DDoS, traceback.

1. INTRODUCTION
The Internet has expanded very rapidly over the last decade and has become the major backbone for every kind of communication. To provide connectivity to each and every device we need a huge number of addresses. With IPv4, around 4.3 million people or devices can be connected uniquely, but as the Internet has become one of the most important media of communication, all of these addresses will soon be exhausted. To solve this problem, IPv6 comes with 128-bit addresses. As the Internet becomes pervasive and we use more and more of its functionality, it can be considered one of the most integral parts of our lives.

Over the last decade the Internet has expanded enormously, and for every transaction, from communication to e-commerce, it has become the prominent choice. But as the Internet expands into various spheres of our life and becomes a medium for a broad range of transactions, the impact of attacks is getting more and more significant. Every day new threats appear on this broad medium; among them, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are the prominent ones. DoS and DDoS attacks consume the resources of a remote host or network so that it cannot offer its services to legitimate users. Such attacks are among the toughest to address because they are simple to implement, hard to prevent and difficult to trace [1]. To prevent these attacks, techniques like Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and firewalls are good, but preventing all kinds of attacks is nearly impossible. The situation becomes worse with the use of spoofed IP addresses, which means an attacker can hide his identity if he wants. The stateless nature of the Internet Protocol adds to the advantage of spoofing, since the source host itself fills in the source address of the IP packet and TCP/IP has no provision for discovering the true origin of a packet [2]. So when prevention fails, a mechanism to identify the source of the attack is needed to at least ensure accountability for these attacks, and this is where traceback techniques are required. IP traceback is the technology that can trace back the source of spoofed attack packets and recognize the attack graph by tracing attack paths and the packet sender/receiver. IP traceback techniques neither prevent nor stop the attack; they are only used for identification of offending packets during and after the attack. IP traceback may be limited to identifying the point where the packets constituting the attack enter the Internet [3]. The traceback mechanism is shown in Fig. 1.

Fig 1: IP Traceback

IP traceback methods are either reactive or proactive. A reactive traceback technique initiates the traceback in response to an attack and must complete its operation while the attack is active, which means that for reactive methods the attack must be live. A proactive approach records trace data as packets traverse the Internet, and the victim uses the recorded data for traceback. IP traceback schemes can be categorized into link testing, messaging, logging and packet marking [4, 5]. Link testing, also known as hop-by-hop tracing, tests the network links between routers to determine the origin of the attacker's traffic. Testing starts from the router closest to the victim and interactively tests the upstream links to determine which one carries the attack traffic. This is a reactive method and requires the attack to remain active until the trace is completed. Logging maintains a database of all traffic at every router within the domain and uses data-mining techniques to extract information about the source of the attack traffic. In messaging, participating routers send ICMP messages to the destination, and the victim reconstructs the attack path from the received ICMP messages. The packet marking method inserts traceback data into the IP packet header: each router through which a data packet traverses inserts partial or complete information about itself as trace data, and the victim uses this mark to reconstruct the source from which the packet was introduced into the network.
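As an added illustration of the packet marking category described above (this is example code written for this survey page, not code from the paper or from any of the schemes it cites), the following simulation models a node-sampling probabilistic packet marking scheme. It assumes a mark field that carries a router identifier and a hop distance, that each router overwrites the mark with probability p, and that the victim orders routers by the distance their surviving marks carry. The router names, the spoofed source address 203.0.113.7, the victim address 198.51.100.10 and the planted identifier R_BOGUS are all constructed for the simulation.

```python
"""Added example: a simulation of probabilistic packet marking (PPM) traceback.
Not code from the paper. It assumes a node-sampling scheme in which the mark
field carries (router id, distance) and each router overwrites it with
probability p. Router ids and addresses below are constructed."""
import random
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str                           # source address as filled in by the sender (spoofable)
    dst: str
    mark_router: Optional[str] = None  # id of the last router that marked the packet
    mark_distance: int = 0             # hops travelled since that mark was written


def router_forward(router_id: str, pkt: Packet, p: float, rng: random.Random) -> Packet:
    """Node sampling: with probability p the router writes its own id and resets the
    distance to 0; otherwise it increments the distance of whatever mark is present."""
    if rng.random() < p:
        pkt.mark_router = router_id
        pkt.mark_distance = 0
    elif pkt.mark_router is not None:
        pkt.mark_distance += 1
    return pkt


def send_attack_packets(path: List[str], n: int, p: float, seed: int = 1,
                        spoofed_src: str = "203.0.113.7") -> List[Packet]:
    """Sender side of the simulation. `path` lists routers from the sender's edge
    router to the one adjacent to the victim. The sender spoofs its source address
    and pre-fills the mark field with a bogus router id (constructed value)."""
    rng = random.Random(seed)
    received = []
    for _ in range(n):
        pkt = Packet(src=spoofed_src, dst="198.51.100.10",
                     mark_router="R_BOGUS", mark_distance=0)
        for router in path:
            router_forward(router, pkt, p, rng)
        received.append(pkt)
    return received


def reconstruct_path(packets: List[Packet]) -> List[Tuple[str, int]]:
    """Victim side: a surviving mark from a router at true distance d always
    carries distance d (any downstream marker would have overwritten it), so the
    most frequent distance seen per router id recovers the hop ordering. The
    spoofed src field is never consulted; only router-written marks are used."""
    votes = defaultdict(Counter)
    for pkt in packets:
        if pkt.mark_router is not None:
            votes[pkt.mark_router][pkt.mark_distance] += 1
    estimated = {rid: c.most_common(1)[0][0] for rid, c in votes.items()}
    return sorted(estimated.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    route = ["R1", "R2", "R3", "R4", "R5"]  # R5 is one hop from the victim
    for rid, dist in reconstruct_path(send_attack_packets(route, 2000, 0.5)):
        print(f"distance {dist}: {rid}")
```

Running the block lists R5 at distance 0 through R1 at distance 4, i.e. the real path in order, with the planted R_BOGUS mark appearing only at distance 5. The planted mark survives only in packets that no router marked, so it is always incremented past the farthest real hop; this is why marking-based traceback treats the marks nearest the victim as the most trustworthy and why the result does not depend on the spoofed source address at all.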