JOURNAL OF INFORMATION SCIENCE AND ENGINEERING XX, XXX-XXX (2014)

A low storage and traceback overhead system for IP traceback: A hybrid approach

S. MALLIGA, C. S. KANIMOZHI SELVI AND S. V. KOGILAVANI
Professors, Department of Computer Science and Engineering
Kongu Engineering College, Perundurai
Tamil Nadu, India – 638 052
E-mail: mallinishanth72@gmail.com, kani_abi@yahoo.co.in, kogilavani@kongu.ac.in

Using IP spoofing, a person masquerades as another by falsifying the source IP address and gains illegitimate access. Denial of Service (DoS) is an attack launched to bring down a network by flooding it with useless traffic, and it can easily make use of IP spoofing. To counter DoS, it is necessary to determine the source of the attack. IP traceback is a mechanism that attempts to reconstruct the path traversed by a packet in order to find its real source. The two predominant traceback mechanisms are packet marking and packet logging. Packet marking records path information about the intermediate routers in the packet itself, which can then be used to reconstruct the path. Packet logging records the packets at the intermediate routers. Hybridizing these two methods gives the benefits of both. This paper refines a hybrid IP traceback method, Modulo and Reverse modulo (MORE), and proposes a few changes in the way packets are logged and traced back. Revised-MORE uses the subnet address rather than the source IP to create hash values, which reduces the number of packets to be logged at the routers. Time-To-Live (TTL) is used for exact tracing. The simulation results show that the refinements reduce logging overhead and storage requirements and improve traceback accuracy.

Keywords: IP Spoofing, DoS, IP Traceback, Packet Marking, Packet Logging, Logging Overhead, Traceback Accuracy

1. INTRODUCTION

The prime motive of a DoS attacker is to degrade and damage the resources of a server so that legitimate users are denied the services they requested.
The attacker exploits the inherent weaknesses of the IP protocol to launch DoS attacks. One of these weaknesses is that the source address is not authenticated, which makes spoofing possible. IP spoofing is the forging of one's IP address. DoS attackers spoof the source IP address in order to hide their identity, which makes identifying the real source much more difficult. In their book, Kevin and Chris [1] describe DoS attacks as having the following properties: destructiveness, resource consumption and bandwidth consumption. They also discuss the devastating effects of DoS attacks. The distributed form of DoS (DDoS) employs and instructs a large number of weak hosts across a wide area network to flood a specific target. The victims of a DDoS attack include both the targeted end system and all the systems maliciously used and controlled by the attacker in the distributed attack.

Gong and Sarac [2] have classified DoS attacks into two categories: flooding attacks and software exploits. Flooding attacks flood a victim with a huge number of packets, whereas software exploits use vulnerabilities of the TCP/IP protocol suite. Tracing packets helps identify the origin of both flooding attacks and software exploits. Even a single, well-targeted attack packet can disable routers and operating systems [3]. The impact of these attacks has encouraged many researchers to address the problem and has led to the development of many solutions. One such solution is IP traceback. IP traceback is a mechanism that identifies the true origin of a packet; such a method is also useful for identifying flood-based attacks.

IP traceback is achieved by packet marking and/or packet logging [2]. Packet marking is based on the idea that routers in the intermediate network mark the packets that pass through them, either probabilistically (PPM) or deterministically (DPM). These marks are then used to reconstruct the path traversed by the packets.
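The following simulation is an added example, not code from the paper or from any of the cited schemes. It models the marking idea in its simplest deterministic form: a single ingress-edge router writes one 16-bit half of its own IPv4 address into the packet's 16-bit Identification field, chooses the half at random, and records the choice in a one-bit reserved flag; the victim collects marks until both halves have been seen and rebuilds the ingress address. The splitting of the address into halves, the use of the ID field and the flag bit, and all addresses and packet counts are assumptions constructed for the example. The point it makes is that the mark depends only on the marking router, so a spoofed source address in the packet has no effect on what the victim recovers.

```python
"""Simplified deterministic packet marking (DPM) model, constructed for
illustration; it is not the paper's scheme. Assumptions: the 32-bit IPv4
ingress address is split into two 16-bit halves, the ingress router picks
a half at random, writes it into the 16-bit IP ID field and records the
choice in a 1-bit reserved flag; the victim pairs the two halves."""
import random
from dataclasses import dataclass
from typing import Optional, Tuple


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % addr)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted-quad IPv4 string."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


@dataclass
class Packet:
    src: str            # source address as written by the sender (may be spoofed)
    dst: str
    ip_id: int = 0      # 16-bit Identification field, reused to carry the mark
    reserved: int = 0   # 1-bit flag: 0 = ip_id holds upper half, 1 = lower half


def mark_at_ingress(pkt: Packet, ingress_addr: str, rng: random.Random) -> Packet:
    """Ingress-edge router deterministically marks every packet it forwards.
    The mark depends only on the router's own address, never on pkt.src,
    so a spoofed source does not change what the victim later recovers."""
    ingress = ip_to_int(ingress_addr)
    half = rng.randint(0, 1)
    pkt.ip_id = (ingress >> 16) & 0xFFFF if half == 0 else ingress & 0xFFFF
    pkt.reserved = half
    return pkt


class VictimCollector:
    """Victim-side state: collect both halves, then rebuild the ingress address.
    This simple collector assumes all marks come from one ingress router;
    with several ingress points the halves would have to be paired first."""

    def __init__(self) -> None:
        self.upper: Optional[int] = None
        self.lower: Optional[int] = None

    def observe(self, pkt: Packet) -> None:
        if pkt.reserved == 0:
            self.upper = pkt.ip_id
        else:
            self.lower = pkt.ip_id

    def ingress(self) -> Optional[str]:
        if self.upper is None or self.lower is None:
            return None
        return int_to_ip((self.upper << 16) | self.lower)


def prob_reconstructed(k: int) -> float:
    """Probability that k marked packets from one ingress contain both halves:
    1 - P(all upper) - P(all lower) = 1 - 2 * (1/2)^k."""
    return 1.0 - 2.0 * 0.5 ** k


def simulate(ingress_addr: str, max_packets: int, seed: int) -> Tuple[Optional[str], int]:
    """Send traffic with random spoofed sources through one ingress router and
    return (reconstructed ingress address or None, packets needed)."""
    rng = random.Random(seed)
    victim = VictimCollector()
    for sent in range(1, max_packets + 1):
        spoofed = "203.0.113.%d" % rng.randint(1, 254)  # constructed, documentation range
        pkt = mark_at_ingress(Packet(src=spoofed, dst="198.51.100.10"), ingress_addr, rng)
        victim.observe(pkt)
        found = victim.ingress()
        if found is not None:
            return found, sent
    return None, max_packets


if __name__ == "__main__":
    addr, n = simulate("192.0.2.1", max_packets=64, seed=7)
    print("ingress recovered:", addr, "after", n, "packets")
    print("P(both halves within 7 packets) = %.4f" % prob_reconstructed(7))
```

Running the block prints the recovered ingress address (192.0.2.1, a constructed value) and the number of packets the victim needed. The `prob_reconstructed` function gives the closed form for this one-ingress model; it shows why a small number of packets suffices when a single router marks deterministically, and it also shows the limitation that one packet alone can never carry the whole address.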
The main idea of PPM is to mark packets probabilistically as they traverse the routers. Hence a single packet carries only partial path information. This is done in the belief that, after an ample number of packets has been received, the path can be reconstructed from the marking information they carry. Several PPM techniques have been advocated in the literature [4, 5, 6, 7]. In DPM, a router marks every packet that passes through it. Belenky and Ansari [8] outlined a DPM scheme that places a single mark in the packet at the network ingress point. The idea is to write either the upper or the lower half of the IP address of the ingress edge into the ID field of the packet, the half being chosen at random, with a reserved bit indicating which half has been placed there. This approach claims to be able to find the attacking origin with only 7 packets. Choi and Dai [9] suggested a new DPM scheme that uses Huffman codes. To mark, the 16-bit IP ID field and the 16-bit flags and fragment offset fields of the packet are divided into a 1-bit saved flag and a 31-bit link sequence. The links of a router are represented by Huffman codes based on