Accepted Manuscript
Title: A systematic review of IP traceback schemes for denial of service attacks
Author: Karanpreet Singh, Paramvir Singh, Krishan Kumar
PII: S0167-4048(15)00093-0
DOI: http://dx.doi.org/doi:10.1016/j.cose.2015.06.007
Reference: COSE 920
To appear in: Computers & Security
Received date: 17-3-2015
Revised date: 31-3-2015
Accepted date: 22-6-2015
Please cite this article as: Karanpreet Singh, Paramvir Singh, Krishan Kumar, A systematic review of IP traceback schemes for denial of service attacks, Computers & Security (2015), http://dx.doi.org/doi:10.1016/j.cose.2015.06.007. This is a PDF file of an unedited manuscript that has been accepted for publication.
A systematic review of IP traceback schemes for denial of service attacks
Author Biographical Sketch
1. Karanpreet Singh (Corresponding Author) received the master’s degree in computer science and engineering in 2013 and the bachelor’s degree in information technology in 2011 from Punjab Technical University, Jalandhar, Punjab, India. He is currently pursuing the Ph.D. degree in computer science and engineering at National Institute of Technology Jalandhar, Punjab, India. His research interests include network security, distributed networks, and cloud computing. He is a student member of the IEEE and the IEEE Communications Society.
2. Paramvir Singh received the Ph.D. degree in computer science and engineering from Guru Nanak Dev University, Amritsar, Punjab, India, in 2011 and the M.Tech. degree in computer science and engineering from Panjab University Chandigarh, India, in 2005. He is currently with the Department of Computer Science and Engineering, National Institute of Technology Jalandhar, Punjab. He has published more than 20 papers in refereed international journals and refereed international conference proceedings. His research interests include software engineering, secure systems, and network security. He is a member of the IEEE and the IEEE Computer Society, and a life member of ISTE.
3. Krishan Kumar received the Ph.D. degree in electronics and computer engineering from Indian Institute of Technology, Roorkee, India. He is currently with the Department of Computer Science and Engineering, SBS State Technical Campus, Ferozepur, Punjab, India. His research interests include network security, network measurement/modeling, MANETs and WSNs. He has published more than 70 papers in refereed international journals and conference proceedings. He is presently working on developing a testbed facility for defense against DDoS attacks under the AICTE research promotion scheme. He is on the editorial board of many reputed international journals and conferences in the field of networking.
HIGHLIGHTS
Comprehensive categorization of the IP traceback schemes.
In-depth evaluation of IP traceback approaches, classes and metrics.
Exploration of research trends with the help of a systematic review protocol.
Discussion on the mapping results of the systematic literature review.
Summarization of issues, challenges and future research avenues.
ABSTRACT
Internet has always been vulnerable to a variety of security threats as it was originally designed without apprehending the prospect of security concerns. Modern era has seen diverse nature of attacks possible on the Internet, including the most perilous attack, Distributed Denial of Service (DDoS) attacks. In such an attack, a large number of compromised systems coordinate with each other so as to direct gigantic magnitude of attack traffic towards the victim, depleting its tangible and intangible network resources. To further exacerbate the situation, these compromised systems usually disguise their identity by capitalizing on IP address spoofing. IP traceback is the class of techniques used to identify the actual source of network packets. In this paper, we followed a systematic approach to comprehensively review and categorize 275 works representing existing IP traceback literature. The paper also provides an in-depth analysis of different IP traceback approaches, their functional classes and the evaluation metrics. Based on the literature review, we also answered a set of research questions to understand the current trends in IP traceback. Various issues, challenges and avenues for future research in the area of IP traceback are also discussed.
Keywords: Distributed denial-of-service attacks, IP traceback, packet marking, packet logging, systematic review.
1. Introduction
Distributed Denial of Service (DDoS) attacks undoubtedly pose a severe threat to the Internet, aiming to disrupt its conventional working. Various resources running on the Internet, when under the influence of such attacks, are not able to deliver their services effectively. The compromised systems involved in a DDoS attack are called attacking nodes. These attacking nodes choke up a victim node’s resources, in turn, strangulating its access by legitimate users. DDoS attacks primarily affect these legitimate users by counteracting victim’s capability to respond properly. A DDoS attack can make the victim’s resources unusable for some time or even cause a permanent cessation by sending a substantial amount of packets, depleting the victim’s network bandwidth and/or processing power [1]. Fig. 1 represents the architecture of a traditional DDoS attack where an attacker first subverts a number of vulnerable systems known as handlers present on the Internet. These handlers are responsible for forwarding commands from the attacker to a large number of compromised systems known as zombies. Zombies further initiate the actual flow of attack packets. Handlers provide a sheltering layer to the real attacker by prohibiting a direct trace to it [2]. The control flow coordinated by the attacker and assisted by one or more handlers decides the nature and time of an attack flow generated by zombies as shown in Fig. 1. There are a number of freely available attack tools on the Internet that can easily be deployed by an amateur user for launching an attack. The methods used by the attackers for conducting an attack are becoming complex and consequently making its mitigation more challenging. According to Prolexic Technologies, there are around 7000 DDoS attacks observed daily and this number is believed to be growing rapidly [3].
DDoS attacks are possible due to the vulnerable architecture of the TCP/IP protocol suite, in which a packet is routed without verifying its source address [4]. The source address field in attack packets is generally spoofed, which complicates tracing the origin of packets. The stateless nature of the Internet makes it nearly impractical to identify the true origin of the attack. Currently, there is no single effective mechanism to defend against DDoS attacks. The best possible defense against DDoS attacks not only lies in preventive measures, but also in identifying the true origin of the attack to block further attacks and assist the mitigation process.
The rest of this paper is organized as follows. In Section 2, we provide background on DDoS attacks and IP traceback along with the motivation behind this systematic review. Section 3 discusses the characteristics of IP traceback approaches and factors used to classify the IP traceback schemes known till date. Section 4 elaborates the complete systematic review protocol. Section 5 depicts the mapping results of our study, followed by a discussion on research questions in Section 6. Various technical issues and challenges are examined in Section 7. Threats to validity are summarized in Section 8. Finally, Section 9 concludes our systematic review and also highlights the scope for future research work.
2. Background and motivation
During a DDoS attack, the routing paths towards the victim get badly affected, causing a substantial amount of service degradation to the overall network. This necessitates the victim as well as ISPs to detect and filter attack traffic at the earliest. The overall DDoS attack process is divided into three phases as shown in Fig. 2. The detail of each phase is discussed below:
Phase 1: Target acquisition. The attack target is first determined by the attacker depending on reasons including political or financial gains, personal enmity, revenge, cyber warfare, etc. Subsequent attack phases rely on security details and other information gathered by the attacker regarding the target in this phase.
Phase 2: Groundwork. The attacker initiates vulnerability scanning across the Internet to determine all the unsecured systems. These systems are then compromised using one or other kind of security breach by the attacker. These compromised machines (also called bots or zombies) form a large network known as a botnet. The attacker directs these bots through successive layers of compromised machines, known as stepping stones, with the aim to hide its identity.
Phase 3: Attack. The commands to initiate an attack are disseminated to the botnet using different network channels. The bots then flood the victim with a burst of traffic, causing a partial halt of the victim’s services to legitimate users. The attack continues up to the time directed by the attacker or till it has been effectively mitigated by the victim.
It is rather not possible to confine the intricacy of DDoS attacks. However, all possible measures are continuously being taken so as to prevent them from affecting the Internet. A DDoS defense system as a whole comprises three phases: prevention and preemption; detection and filtering; and traceback and identification, as shown in Fig. 2. The first phase mainly deals with diminishing the probability of attack occurrence by either strengthening the security of various systems through patches, upgrades, etc. or continuously monitoring network traffic, predominantly to avoid any system being misused by the attacker. It is however still impossible to fully avoid damage of this kind, as the Internet comprises numerous vulnerable systems whose number, instead of decreasing, is on the rise with the increasing number of Internet users. When the actual attack is initiated, it is important to mitigate the attack effect in the least possible time. The efficiency of this phase depends on the ability of the detection scheme to filter out attack packets from legitimate ones. The third phase, i.e. identification of the attack source and attack path, is also carried out during the course of an attack. This process is referred to as IP traceback. However, traceback may continue even after the termination of the attack. IP traceback and post-attack analysis of traffic logs then help in reducing the possibility of future attacks by revealing the compromised systems and sometimes the actual attacker.
2.1 IP traceback
During a DDoS attack, higher detection accuracy is achieved in the close vicinity of the victim due to the presence of aggregated attack flows, in comparison to far off disjoint attack flows. On the contrary, it is desirable to perform filtering of attack traffic closer to the sources to avoid influence on other Internet users.
IP traceback nonetheless can effectively assist the mitigation process to overcome the above scenario by revealing the attack source and the path followed by attack packets [5]. It is a complex task due to the spoofing of packets during an attack. Fig. 3 represents a typical DoS attack where an attacker sends out a continuous stream of forged packets to the victim in order to deplete its resources. The Internet is distributed among a number of Internet Service Providers (ISPs). These ISPs are responsible for providing Internet access to their users. Intra-domain links are used to establish communication among routers belonging to the same ISP, whereas routers belonging to different ISPs depend upon inter-domain links for mutual communication. The path followed by attack packets is known as an attack path. A typical DDoS attack comprises a number of attack paths, as attacking systems may be widely distributed across the Internet.
A particular attack path consists of a number of inter-domain and intra-domain links. Fig. 3 shows a scenario representing the path travelled by the attack packets. This path can be defined by the ordered list of routers from source to destination as {a, R1, R2, R3, R7, R9, v} where ‘a’ and ‘v’ represent an attacker and a victim respectively. Although the actual aim of an IP traceback scheme is to trace the attacker’s network, e.g., tracing router R1 in Fig. 3, the majority of traceback schemes are capable of identifying only the entry point of attack packets in the victim’s ISP, e.g., tracing router R9 in Fig. 3, which alone poses ample challenge to the attacker’s spoofing based identity hiding approach.
2.2 Summary of existing review studies
With the rise in the threat of DDoS attacks on the Internet, researchers apparently have gained interest in IP traceback as an effective countermeasure for such attacks. According to our review of IP traceback literature, IP traceback was first introduced by Burch [6] using controlled flooding to trace an attacker. A significant number of articles based on IP traceback have been proposed since then. Belenky and Ansari [5] in 2003 proposed metrics that were extensively used by the researchers in this field to evaluate their IP traceback schemes. They also evaluated various IP traceback approaches against their proposed metrics. Aljifri [7] in 2003 discussed various advantages and disadvantages of IP traceback approaches. Santhanam et al. [8] performed an informal assessment of traceback schemes based on various IP traceback approaches. Vincent [9] discussed the importance of hybrid IP traceback schemes over individual packet marking or logging based schemes. Among recent works, Bhandari et al. [10] and Kumar et al. [11] surveyed a limited number of IP traceback schemes. Also, Singh et al. [12] in 2013 evaluated a number of basic IPv4 and IPv6 traceback schemes using a number of metrics. Parashar and Radhakrishnan [13] in the same year reviewed two main packet marking IP traceback schemes, i.e., Probabilistic Packet Marking (PPM) [14] and Deterministic Packet Marking (DPM) [15]. None of the above has considered a systematic approach for conducting their respective surveys, which resulted in overlooking a considerable amount of relevant literature. A traditional review highlights only a part of the complete literature available, with the possibility of missing out high quality works.
A systematic review in contrast provides a comprehensive coverage of the research work carried out in a specific field. The predefined methods employed in a systematic review seek to minimize the bias related to the final selection of articles. The first step is to define a search strategy, based on which the works related to the literature under consideration are extracted from various sources. This is followed by the elimination of irrelevant works based on the analysis of titles and abstracts of the articles obtained in the previous step. Thereafter, high quality works are extracted depending on the content of the selected works. The final list of selected works provides a comprehensive reflection of state-of-the-art research in the considered area. The answers to various research questions can then be examined based on these results. Following this, any gaps in the literature can also be identified to guide further analysis, and provide a base for future research activities. Below are some of the key advantages of a systematic review over other surveying methods:
Eliminates bias in the selection of studies.
Well-defined methodology to carry out every task.
In-depth coverage of the complete literature available on a specific research field.
A systematic review has widely been recommended due to its number of benefits as compared to a traditional survey approach [16]. Systematic reviews are reasonably common in the fields of medicine, psychology, public health, speech therapy, physical therapy, educational research, sociology, business management, environmental management, etc. They have also been widely used to investigate the available literature on software engineering [17,18], but are not very common in the field of networking. According to our study, only a small number of such reviews are available in networking related literature [19–22].
3. IP traceback: Approaches, functional classes and metrics
A number of criteria to classify and evaluate IP traceback schemes have been proposed till date [5,7,8,14,23–25]. After a careful analysis of these works, we have based our review of IP traceback schemes on the following three key factors: IP traceback approach, marking strategy, and IP traceback metrics.
3.1 IP traceback approach
IP traceback schemes can be classified according to the underlying approaches used for the collection of trace information. These approaches may differ in their deployment strategies, storage requirements, information collecting algorithms, etc. Various traceback approaches present in current literature are given below.
3.1.1 Link testing
The analysis of all upstream links is performed in a recursive manner until the source is reached, in order to determine the link carrying the attack packets. It starts from the router closest to the victim and ends when the source router of the attacker is identified, as shown in Fig. 5(a). In the year 2000, Burch [6] proposed the first IP traceback scheme based on this principle. This was followed by a few more link testing based traceback schemes [26–28]. There are two varieties of link testing schemes: input debugging and controlled flooding.
Input debugging
Every router has the capability to determine its incoming links for specific packet characteristics. The victim under an attack can construct an attack packet signature and send it to upstream routers. A router can then recursively investigate its upstream links against the received attack packet signature and consequently identify the attacker. The pros and cons of this approach are listed below:
Pros:
Consistent with existing protocols and infrastructure.
Provides good support for incremental deployment.
Little bandwidth overhead on network traffic.
Cons:
Unsuited for DDoS environment.
Dependent upon cooperation among ISPs.
Traceback operational only during an attack.
Controlled flooding
Using a predefined ISP map, a victim iteratively floods packets to its upstream routers and simultaneously determines variations in the intensity of the attack. This recursive process can reveal the attack source at each upstream level. The pros and cons of this approach are listed below:
Pros:
Consistent with existing protocols and infrastructure.
Supports easy and incremental implementation.
Cons:
Traceback operational only during an on-going attack.
Prior knowledge of network topology required.
Ineffective against DDoS attacks.
3.1.2 Messaging
Messaging provides greater flexibility in transmitting traceback related information to the destination. It mainly uses the Internet Control Message Protocol (ICMP) based scheme proposed by Bellovin et al. [29]. In this scheme, each router probabilistically generates an ICMP packet known as a trace packet or iTrace message, which is responsible for carrying information to be used as an input to the traceback process. A supplementary message is generated by R3 as shown in Fig. 5(b) that may contain parameters like next and previous hop information, timestamp, MAC address, etc. During an attack, thousands of these iTrace packets (or other messages) facilitate a successful traceback operation. However, to avoid network traffic overhead caused by these messages, the probability of message generation is kept under tolerable limits. We have categorized a work under messaging only if it uses ICMP or any other kind of specially crafted messaging packets to carry the trace information, as in [30–32]. The pros and cons of this approach are listed below:
Pros:
Supports incremental deployment with low ISP cooperation.
Consistent with existing protocols and infrastructure.
Allows post-attack analysis.
Cons:
Easily misused by attackers if lacking authentication support.
Incurs network traffic overhead due to additional packets generated.
3.1.3 Marking
The key idea behind packet marking is to record the route information in the packet itself. This information is used by the victim to explore the path traversed by that packet. The packet can contain the complete encoded route information or one or more markings embedded by the intermediate routers as shown in Fig. 5(c). A victim identifies all the incoming marked packets and utilizes the information stored in marked fields to trace the attack source. Probabilistic Packet Marking (PPM) and Deterministic Packet Marking (DPM) are the two most prominent marking schemes [6]. These two schemes serve as the basis for many of the marking based schemes present in available literature. Fig. 4 shows the fields of the IP header that are commonly overwritten by intermediate routers to store the trace information. This approach, though, needs appropriate mark encoding methods to avoid issues related to overloading header fields and to reduce false positives while constructing an attack path.
A marking based scheme employs one of three strategies for marking a packet, depending on the approach and the type of information inscribed into the packet [23].
Node append: The traceback data is appended to the original IP packet header [44,45]. This mechanism simplifies the marking process by allowing supplementary marking fields. This primarily helps in tracing the complete path using a single attack packet. A major drawback of this strategy is its high bandwidth overhead caused by the addition of supplementary fields, which in turn limits its application.
Node sampling: The marked information is node specific. This usually consists of the IP address of a router. Many IP traceback schemes assign a color, identity number or marking function specific to a router [35,36]. The existing fields of the original IP header are overloaded by marking information, leading to reduced marking flexibility.
Edge sampling: It involves encoding of edge information, like start, end, etc., that is fairly common among the proposed traceback schemes, rather than node information. The other common edge information attributes are edge weight, color, identity number, etc. Apart from these attributes, the presence of a distance field allows construction of the attack path without requiring prior knowledge of the Internet topology.
The pros and cons of this approach are listed below:
Pros:
Compatible with existing network infrastructure.
Easy and flexible implementation in comparison to other approaches.
Suitable against DDoS attacks.
Least ISP support required.
Cons:
Packet fragmentation issues due to overloading of the identification field in many traceback schemes.
May sometimes produce a high number of false positives.
Requires modifications to existing protocols to implement the marking process.
Traceback accuracy depends on the number of marked packets received by the victim node.
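The edge sampling strategy, and the dependence of traceback on the number of marked packets received, worked through in an added example that is not code from the paper. It simulates the commonly described edge-sampling procedure (start, end, distance) on the router sequence R1, R2, R3, R7, R9 from Section 2.1; the marking probabilities, the unmarked initial packet state and all function names are assumptions.

```python
import random

# Routers between attacker 'a' and victim 'v' on the paper's example path
# {a, R1, R2, R3, R7, R9, v}.
ATTACK_PATH = ["R1", "R2", "R3", "R7", "R9"]


def forward(path, p, rng):
    """Carry one packet along `path`; return the (start, end, distance)
    mark the victim reads, or None if no router marked it."""
    start = end = distance = None   # assumption: packets enter unmarked
    for router in path:
        if rng.random() < p:
            # A marking router starts a new edge and resets the distance.
            start, end, distance = router, None, 0
        elif distance is not None:
            # The next router downstream completes the edge; every router
            # after it only increments the distance.
            if distance == 0:
                end = router
            distance += 1
    return None if distance is None else (start, end, distance)


def reconstruct(marks):
    """Victim side: chain edges outward from the victim by distance."""
    by_distance = {}
    for start, end, distance in marks:
        by_distance.setdefault(distance, set()).add((start, end))
    path, downstream, d = [], None, 0
    while d in by_distance:
        starts = {s for s, e in by_distance[d] if e == downstream}
        if len(starts) != 1:        # missing or ambiguous edge: stop here
            break
        downstream = starts.pop()
        path.append(downstream)
        d += 1
    return path[::-1]               # attacker-side router first


def packets_until_traced(path, p, seed, limit=1_000_000):
    """Count packets the victim must receive before the full path is known."""
    rng = random.Random(seed)
    marks = set()
    for sent in range(1, limit + 1):
        mark = forward(path, p, rng)
        if mark is not None:
            marks.add(mark)
            if reconstruct(marks) == path:
                return sent, marks
    raise RuntimeError("path not reconstructed within limit")


if __name__ == "__main__":
    for p in (0.04, 0.2, 0.5):
        sent, marks = packets_until_traced(ATTACK_PATH, p, seed=1)
        edges = sorted(marks, key=lambda m: m[2])
        print(f"p={p}: {sent} packets, edges={edges}")
```

The edge farthest from the victim survives only when every later router declines to mark, which is why the packet count needed grows with path length and why the distance field lets the victim order edges without a topology map.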
3.1.4 Logging
Packet logging aims to store the packet digests on intermediate routers. As illustrated in Fig. 5(d), routers store the digest (a hashed value of IP header fields) of packets passing through them. The network path is then determined using the stored information at these routers. Although this approach is powerful as it can trace an attack path using a single packet, one of its major drawbacks is the enormous storage overhead that it imposes on the routers. Therefore, its deployment has been a challenging task. Snoeren et al. [37] proposed a hash-based IP traceback approach, called Source Path Isolation Engine (SPIE), to implement log-based IP traceback in practice. Their approach uses a space-efficient data structure known as a bloom filter to considerably reduce the storage overhead at routers for storing digests of packets. Further improvements have also been proposed to enhance the performance [38,39]. The pros and cons of this approach are listed below:
Pros:
Compatible with protocols and existing infrastructure.
Supports post-attack analysis.
Allows traceback of even a single packet.
Negligible network traffic overhead.
Cons:
High memory and processing requirements.
Privacy issues in cooperation of ISPs pose a problem to this approach.
Traceback needs to be done timely as routers periodically refresh previously logged information.
3.1.5 Overlay
An overlay network consists of specialized routers known as tracking routers which are responsible for monitoring the traffic flow as shown in Fig. 5(e). When an attack is detected, a command is issued which directs the traffic to pass through these specialized routers. These routers then examine the traffic passing through them and extract the information to be used for traceback. Stone [40] proposed such a system known as CenterTrack which provides traceback service by analysing the traffic routed through the centralized tracking routers. Work proposed in [41,42] also followed the overlay based approach for IP traceback. The pros and cons of this approach are listed below:
Pros:
Provides accurate traceback results.
Effectively handles DDoS attacks.
Client relieved of carrying out the traceback process.
Cons:
High implementation cost.
Lacks support for incremental deployment.
Tracing routers could themselves become the target of DDoS attacks.
3.1.6 Pattern analysis
While an attack is in progress, routers can extract the flow pattern information which can be utilized for traceback as proposed in [43–45]. Routers collaborate with each other in a distributed manner to gather the flow information and trace the attack source. This relieves a victim from the task of traceback, which is considered to be a major advantage of this approach. The pros and cons of this approach are listed below:
Pros:
Clients relieved of carrying out the traceback process.
Distributed handling of the traceback process.
Provides improved scalability.
Cons:
High router processing overhead due to continuous traffic monitoring.
Complexity increases with an increased number of attack flows in DDoS.
3.1.7 Hybrid
Making two or more different traceback approaches work together as a single traceback mechanism constitutes a hybrid mechanism. This combination could yield much more efficient results as compared to each implemented individually. IP traceback schemes in [46,47] use a hybrid approach. Pros and cons of hybrid schemes rely on their parent schemes. The main objective is to use and combine existing approaches to leverage their advantages.
3.2 Functional classification
According to [5,7,8,14,23–25], the above approaches can further be categorized into a number of classes depending on their functionalities. Table 1 depicts the functional classes to which an IP traceback approach could belong. An IP traceback scheme could belong to a single unique traceback approach but can represent multiple functional classes. It is important to clarify that the relationships among the traceback approaches and functional classes shown in Table 1 are based on our review of current literature, and have considerable scope for enhancement with the introduction of new IP traceback schemes in future research.
3.2.1 Proactive and reactive
An IP traceback scheme can further be classified depending on its timing of application, i.e., before or after an attack initiation. A continuous recording and logging of packets as they flow through the network constitutes a proactive scheme, i.e., a traceback scheme active even before an attack is launched. In a reactive scheme, on the other hand, traceback is executed during an ongoing attack and needs to be completed before the attack ends.
3.2.2 In-band and out-of-band
In a traceback scheme, when the trace information is sent embedded into the packet itself, it can be classified as an in-band scheme. In an out-of-band scheme, a separate packet carries the trace information that is used for the traceback. In-band schemes avoid any kind of network traffic overhead as compared to out-of-band schemes. Marking based schemes usually belong to the in-band class whereas messaging based schemes fall under the out-of-band class.
3.2.3 Network based and host based
Both network and host based traceback schemes can either be proactive or reactive. In a proactive network based scheme, routers are more involved in marking and logging of the packets. In a proactive host based scheme, routers embed path information into the packet and the victim does a hop-by-hop traceback. A reactive network based scheme is constituted by a special infrastructure that performs continuous traffic monitoring to perform traceback. In a reactive host based scheme, the victim is entrusted with the responsibility of carrying out the traceback, similar to the link testing approach. On the whole, ISPs and the victim are liable to perform traceback in network and host based schemes respectively.
3.2.4 Traffic monitoring and packet monitoring
Traffic monitoring based traceback schemes involve analyzing the traffic comprising a stream of packets, in comparison to packet monitoring based traceback schemes that rely on individual packet analysis. A traceback scheme belonging to the former category can use packet count, congestion information, etc., whereas the latter utilizes packet level information such as source or destination address, TTL field, etc. for tracing the source of an attack.
3.2.5 IDS assisted and non-IDS assisted
Some traceback schemes require additional information in the form of an attack signature related to an ongoing attack. This information can be delivered by a third party Intrusion Detection System (IDS) for helping the traceback process. A traceback scheme belongs to one of these classes depending on whether it is in co-ordination with an IDS or not.
3.3 IP traceback metrics
Belenky and Ansari [5] proposed the following metrics which are essential for comparing and evaluating different IP traceback schemes:
Packets required for traceback: IP traceback schemes may depend on a small to large number of marked attack packets to be able to extract their source. A traceback scheme should ideally be able to trace back to the attack source using a single packet.
ISP cooperation/router involvement: An ideal traceback scheme should not require any ISP involvement. But most of the existing traceback schemes involve little or more intervention of ISPs. This may include additional hardware or software installation.
Memory requirement: IP traceback schemes may demand some additional storage at the ISP and/or the victim level. This should be minimal at the ends of both the ISP and the victim in an ideal traceback scheme.
Deployment: IP traceback schemes must support incremental deployment without the need for major modifications and installation of new hardware to the existing network infrastructure.
Scalability: Adding a new device to the Internet should require minimum or no additional configurations to the current infrastructure. A scalable IP traceback scheme should adapt well to the growing environment with minimal overheads.
Duration of attack for traceback: It is important for a traceback process to trace the attack source as soon as possible or at least while the attack lasts. This metric represents the minimum attack duration that is required for a successful traceback. Some schemes are able to disclose the attack path in a short span whereas others may require longer attack durations in order to complete the traceback.
Handling packet transformations: Sometimes the attacker deforms the attack packets to somehow obstruct the traceback process. It is essential for the traceback scheme to effectively discover all these malformed packets without affecting the actual traceback.
Security: An ideal traceback scheme must provide a mechanism to avoid fake markings. It may also be possible for an attacker to subvert some of the network elements involved in executing a traceback scheme, resulting in false information to mislead the traceback process.
DDoS handling capability: Tracing a DoS attack with only a single source is an easy task for a traceback scheme. However, in case of a DDoS attack, the complexity of traceback increases due to the presence of a large number of attack flows originating from different sources.
False positives: The traceback process may yield a number of incorrect paths if the trace information collected is insufficient. An IP traceback scheme should give accurate results without causing any false positives.
Processing overhead: Every traceback scheme incurs additional processing overhead at the ISP level and/or the victim level. An ideal traceback scheme requires a negligible amount of processing overhead.
ISP privacy: ISPs are usually reluctant to disclose their private information like topology, IP addresses, etc. Many traceback schemes rely on this information for successfully exercising the traceback process, limiting their practical applicability.
Post-attack analysis: If a traceback scheme lacks post-attack analysis, it is possible for the attacker to evade by attacking in short pulses. Moreover, post-attack analysis could also help in strengthening various legal issues standing against the attackers.
4. Review protocol

Systematic review aims to identify and characterize all research works that are related to a specific topic, using a defined and defendable search strategy [17]. This work focuses on various IP traceback schemes proposed till date. The result of a systematic review is a set of papers related to a specific area classified according to various dimensions, and the count of the number of articles in those categories [48]. The outcome of this study would help in underlining various issues related to the field, motivating researchers to perform further investigations. We followed the review protocol proposed by Tahir and MacDonell [17]. Fig. 6 shows an overview of the review protocol. The following subsections contain the step wise description of the review protocol.

4.1 Review research questions

Defining the relevant research questions is a vital step in a systematic review work. These research questions help in chalking out appropriate search and data extraction strategies [17]. In this work, we intended to answer the following four key questions:

RQ1. Which of the IP traceback approaches and marking strategies have been most widely followed by the known IP traceback schemes?
RQ2. What percentage of proposed work resolves authentication and security issues of markings?
RQ3. How many schemes are able to provide single packet traceback and maintain ISP privacy?
RQ4. What proportion of literature deals with IPv6 network?

RQ1 focuses on the traceback approaches and marking strategies followed by various traceback schemes. The markings inscribed in the packets are to be authenticated so as to avoid constructing an incorrect attack path [5]. Therefore, authentication or security is an important aspect of a traceback scheme which is addressed by RQ2. Single packet traceback schemes converge fast as only one packet per attack path is required for path reconstruction. ISP privacy maintenance along with the impact of the number of packets required for the traceback are two critical aspects covered in RQ3. The ever increasing demand for the Internet necessitates complete adoption of IPv6 [49]. RQ4 emphasises the need for IPv6 traceback schemes.

4.2 Search strategy

Two-phase searching was performed which includes automatic and manual search. The automatic approach utilizes two broadly used academic search engines: Microsoft Academic Search and Google Scholar. The manual approach involves IEEE Xplore, Science Direct, ACM Digital Library, and Springer to obtain material related to our work. The keywords ‘traceback denial of service’ and ‘traceback distributed denial of service’ were used as search strings in both manual as well as automatic search.

Automatic search
We conducted our automatic search using two different electronic resources, namely: Microsoft Academic Search and Google Scholar. Both search engines provide free access to millions of academic papers and literature in a variety of research fields and languages. Google Scholar generated 2780 results for our search query but it limits the access to the first 1000 results only. We compared the search output of automatic with manual search and eliminated all the duplicate entries which left us with fewer results. These results were then refined on the basis of title, abstract, and full content respectively.

Manual search
To avoid overlooking any significant work in the automatic search, a manual search was also performed. This assured us of covering the entire literature based on our selected research area. A search of articles on IP traceback was conducted using IEEE Xplore, Science Direct, ACM Digital Library, and Springer. The results from Science Direct, ACM Digital Library, and Springer were narrowed down to relevant fields using the advanced search options in order to extract the most relevant literature.

Reference checking
We analysed references of some renowned articles and passed the results to stage 3 for scrutiny against our exclusion criteria defined in subsequent sections. This additional step helped in minimizing the possibility of omitting any other significant work in the field.

4.3 Study selection criteria

The selection criteria followed by this work, based on the research questions, are given below:
If a work on IP traceback is relevant to the research questions and is explained to a considerable extent, then it is selected for evaluation.
All the works defining the traceback mechanism as a part of the complete mitigation framework were also considered for evaluation.

4.4 Inclusion and exclusion criteria

Inclusion and exclusion criteria are used to filter and rule out studies that are not relevant to the defined review questions. This review included papers published between year 2000 and year 2014. We excluded the following:
Studies not in English.
Editorials, prefaces, covers, books, interviews, news, correspondence, comments, tutorials, readers’ letters and summaries of workshops and symposiums.
Duplicate studies.
Works not outlining adequate amount of information.
Works applied to mobile networks, Multiprotocol Label Switching (MPLS), grid networks, wireless networks, adhoc networks and wireless sensor networks.
Surveys and performance analysis of IP traceback schemes.

4.5 Systematic review process

We followed a six stage review process as shown in Fig. 7. We conducted our automatic and manual searches at stage 1. Initially we started with automatic search using Google Scholar and Microsoft Academic Search engines, followed by a manual search using IEEE Xplore, Science Direct, ACM Digital Library, and Springer. We combined the results of both manual and automatic searches. In stage 2, we removed the duplicate entries from the combined search results. In stage 3, we applied the first filter by discarding articles with irrelevant titles. In stage 4, we filtered articles based on their abstract. Then, in stage 5, we performed a full text review of all the papers obtained so far, further eliminating irrelevant articles. Results from stage 5 were added to a final list of papers in stage 6 of the process. We followed stage 6 with a reference check on some selected articles from the final list. The articles which we found significant to our review were again filtered based on title, abstract, and full content. Fig. 8 illustrates the review process and the number of articles under consideration at the end of each stage. The final list included 275 articles.
5. Mapping results

The careful execution of the review protocol resulted in a total of 275 primary studies. The results of this systematic review, together with the associated statistics, are represented in the form of charts and tables for easy data interpretation. The distribution of the selected studies in Table 3 shows that the majority of articles were published in conference proceedings. IP traceback has proved to be an effective defence mechanism against DDoS attacks. This has led to an increased research activity in this field. From Fig. 9, it is evident that the number of publications addressing IP traceback consistently increased from the year 2000 to year 2005. This was primarily due to the sudden increase in number and magnitude [3] of the DDoS attacks around the world that motivated the network security research towards devising and improving IP traceback schemes. Year 2005 witnessed the highest number of publications. The number of publications defining IP traceback schemes has decreased thereafter. This trend can be attributed to the following:
In addition to network layer DDoS attacks, the researchers have also started focusing on application-layer DDoS attacks, as evident from the increased number of relevant publications in the recent past. These attacks rely on establishing legitimate 2-way TCP connections, thus eliminating the need of IP traceback.
The evolution of diverse research areas in networking in recent years such as adhoc networks, cloud based networks, etc. might have contributed to the decreasing amount of research work in IP traceback.
Most of the known mitigation frameworks avoid relying on IP traceback schemes as a part of the complete mitigation process.
Reduction in the number of publications might also be due to possible hardened acceptance criteria.

IP traceback approach wise distribution of articles is depicted in Fig. 10. It can be observed that marking based traceback schemes have consistently dominated the IP traceback literature, as shown in Fig. 10, due to their flexible nature and ease of implementation. These traceback schemes usually exploit the already available fields present in the original IP header like TTL, identification, flags, etc. The possibility of enhancement in the marking based traceback schemes is steadily diminishing with the large number of variations already implemented.

To analyse the performance of some commonly used traceback approaches against the considered metrics, we plotted a bar chart as shown in Fig. 11. It represents the dominance of a particular metric in the published work following a given IP traceback approach, using the percentage of articles having a positive traceback metric value against the total number of articles under each traceback approach. We can observe from Fig. 11 that hybrid approach based schemes do relatively well for all the four metrics. The scope of improvement is diminishing in individual approaches, due to which we have observed the inclination of the researchers towards hybridizing the existing approaches.

Marking based traceback schemes lack in providing single packet traceback when compared to both hybrid and logging based traceback schemes. Further, logging, link testing, overlay, and pattern analysis based schemes do not need to deal with forged markings, hence eliminating the need of any authentication measure. Moreover, these schemes do not depend upon the ISP or the Internet map, thus maintaining their privacy. However, logging based traceback schemes must solve the problem of subverted routers because of the excessive router involvement in the traceback process. Table 4 lists 10 of the most renowned publication venues for both the categories: journals/magazines/transactions and workshops/symposia/conferences.
6. Discussion

The mapping results reflect that the issues related to IP traceback received increased attention from researchers between year 2000 and year 2005 before showing a downwards trend from year 2006 onwards. In this section, we discuss the possible answers to the review questions defined in Section 4, along with the shortcomings of our study.

RQ1. Which of the IP traceback approaches and marking strategies have been most widely followed by the known IP traceback schemes?
The packet marking approach has been widely employed as it incurs lower bandwidth and storage overhead in comparison to the other traceback approaches. The only limitation of this approach is the inadequate size of marking fields present in the original IP header, which complicates the encoding procedure by increasing the number of false positives. Combining two or more IP traceback approaches in the form of a hybrid approach, utilizing the advantages of individual approaches, is also becoming a common norm. Messaging incurs additional bandwidth overhead which makes it less prominent among others. Overlay and pattern analysis were the least preferred approaches because of their additional overheads. The link testing approach fails to produce useful results in case of highly-distributed DDoS attacks. We observed that node sampling (in 110 of 173 marking based articles) is being exceedingly applied as a packet marking strategy in comparison to edge sampling or node append. Although the node append marking strategy enables single packet traceback, it is rarely used due to the bandwidth overhead caused by the addition of out-of-band trace data.

RQ2. What percentage of proposed work resolves authentication or security issues of markings?
A traceback scheme should not only define the process of marking but should also deal with forged markings and their authenticity. Most of the marking based traceback solutions are not defined with any kind of security or authentication measures. Such schemes thus require additional security measures to avoid false results. On the other hand, schemes based on pattern analysis, link testing, etc. are supposed to be inherently secured. Only 37 (about 21%) of the total packet marking based schemes considered marking related security issues. We realized that the logging based schemes have not at all dealt with the problem of subverted routers. This means that an attacker can easily destabilize the scheme by compromising the routers that are actively involved in the traceback process.

RQ3. How many schemes are able to provide single packet traceback and maintain ISP privacy?
An ideal scheme provides the attack path construction using a single attack packet. This would allow a victim to reconstruct the attack path more rapidly and without requiring much storage capacity. Only 90 (about 33%) of the total articles provide single packet traceback facility. It is also evident that most of the traceback schemes that follow the logging [50–52], hybrid [38,39,53] or marking (node append) [54,55] approach were found capable of delivering complete route information instead of ISP entry points, using a single packet. The complete attack path information can enable a much more dynamic and efficient filtering mechanism against a DDoS attack. Usually, ISPs are unwilling to cooperate with the client for attack detection or prevention. A traceback scheme normally requires hardware or software assistance from ISPs for its effective functionality. Some traceback procedures need peculiar information of individual ISPs such as topology, number of routers, IP addresses of routers, etc., which further discourages ISPs from incorporating such traceback schemes. According to our review, 202 (about 73%) of total articles were able to preserve ISP privacy by providing traceback mechanisms independent of ISP topology. We inferred that the majority of schemes used the distance field to evade the need of obtaining ISP topology. Most marking based IP traceback schemes use hashing functions over routers’ IP addresses to mark a packet, which may lead to several false positive results. These schemes generally require IP addresses of routers, which ISPs hesitate to share for several security concerns. There were a number of schemes that recommended forwarding the collected trace information by the victim to ISPs in order to enable them to construct the attack path. This saves the victim from becoming dependent on ISP topology and router address related information.

RQ4. What proportion of work deals with IPv6 network?
According to the current literature, most of the known traceback schemes are meant for IPv4. In the upcoming years, a complete transition is expected from IPv4 to IPv6 based networks. This demands distinct and effective approaches to handle the traceback problem in IPv6 based networks. Only a small number of IP traceback schemes proposed till date have been explicitly recommended for both the versions [34,56–60]. We found just 9 articles providing traceback solutions solely targeting IPv6 based networks [33,61–68]. This work classifies a traceback scheme under IPv6 if it provides a considerable amount of implementation details pertaining to the solution of the IP traceback problem in IPv6 based networks. It is worthwhile mentioning that IP traceback schemes using pattern analysis, link testing and overlay mechanisms can provide traceback services regardless of the IP version used. This is because of the non-dependency of such approaches on the communication protocol structure. We hence were unable to classify traceback schemes based on these approaches under any of the two IP protocols (IPv4 and IPv6), citing the lack of protocol dependent behaviour found in the implementation details of these works.

Classification results
We classified all the relevant articles according to our predefined factors. The classification of the final set of articles is summarized in Appendix A - Table 1.
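The RQ1 and RQ3 observations on node sampling (undersized marking fields raise false positives, and many packets are needed before a path can be read) can be reproduced with a short simulation. This is an added illustration, not code from the paper or from any reviewed scheme; the router addresses, the truncated SHA-256 digest used as the mark, the marking probability and the 2000-router population are assumptions made for the demo.

```python
"""Node-sampling packet marking with a truncated router digest (illustrative simulation)."""
import hashlib
import ipaddress
import random
from collections import Counter
from functools import lru_cache

# Constructed sample data: 2000 router addresses, six of which form the attack path.
POPULATION = [str(ipaddress.ip_address("10.0.0.0") + i) for i in range(1, 2001)]
PATH = POPULATION[100::300][:6]  # PATH[0] is nearest the sender, PATH[-1] nearest the victim


@lru_cache(maxsize=None)
def mark_digest(router_ip, bits):
    """Top `bits` bits of a SHA-256 digest of the router address (assumed encoding)."""
    h = hashlib.sha256(ipaddress.ip_address(router_ip).packed).digest()
    return int.from_bytes(h[:4], "big") >> (32 - bits)


def send_packet(path, p, rng, bits):
    """Each router overwrites the single mark field with probability p."""
    mark = None  # the sender controls the initial value, hence the need for authenticated marks
    for router in path:
        if rng.random() < p:
            mark = mark_digest(router, bits)
    return mark


def collect_marks(path, p, n_packets, bits=16, seed=1):
    """Victim side: count how often each mark value arrives."""
    rng = random.Random(seed)
    marks = Counter()
    for _ in range(n_packets):
        mark = send_packet(path, p, rng, bits)
        if mark is not None:
            marks[mark] += 1
    return marks


def reconstruct(marks, known_routers, bits=16):
    """Order marks from rarest (far from victim) to most frequent (near victim) and
    list every known router whose digest matches each mark."""
    by_digest = {}
    for router in known_routers:
        by_digest.setdefault(mark_digest(router, bits), []).append(router)
    rarest_first = [digest for digest, _ in reversed(marks.most_common())]
    return [sorted(by_digest.get(digest, [])) for digest in rarest_first]


def false_positives(path, known_routers, bits, p=0.3, n_packets=20000):
    """Routers named by the reconstruction that are not on the real path."""
    hops = reconstruct(collect_marks(path, p, n_packets, bits), known_routers, bits)
    return len({r for hop in hops for r in hop} - set(path))


if __name__ == "__main__":
    for bits in (8, 16, 32):
        print(bits, "bit mark ->", false_positives(PATH, POPULATION, bits), "false-positive routers")
    print("distinct marks after 5 packets:", len(collect_marks(PATH, 0.3, 5)), "of", len(PATH))
```

Narrower marks can only add candidates because each shorter digest is a prefix of the longer one, and five packets can never reveal a six-hop path, which is the attack-duration metric in concrete form.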
7. Current issues and challenges

The reviewed IP traceback solutions have rarely been deployed by ISPs due to a substantial number of issues and challenges faced in their practical implementation.

Not being able to penetrate beyond private firewalls and corporate networks, IP traceback generally terminates at the network entry points. It is not possible to carry forward the traceback process beyond firewalls or private networks without their cooperation. Knowing only the entry points sometimes does not resolve the issue of traceback, as the traced network might itself contain a large number of compromised systems acting as sleeper cells for future attacks. Nonetheless, this entry point information could also provide some kind of support to filter out possibilities of future attacks.

Many state-of-the-art traceback schemes fall short when the attacker is concealed behind multiple layers of compromised machines. Instead of revealing the identity of the actual attacker, traceback halts at the stepping stones. This problem also persists in reflector based attacks where the attacker uses third party systems known as reflectors to overwhelm the victim.

The cooperation of different ISPs plays an important role in deployment of a traceback scheme. However, the current scenario does not provide any evidence of such collaboration among those entities, which in itself is a major issue. Legal and other privacy concerns further intensify the challenges involved in deploying a traceback scheme in practice.

More often than not, a traceback scheme requires modification to existing protocols or router software. At the same time, demand for additional resources may also arise. As such, ISPs are usually reluctant to employ all these changes without seeking any incentives.

IP traceback in itself is not a sufficient mechanism to defend against DDoS attacks. Rather, it only provides the path that the attack flow follows. However, integrating it with other attack defense components could well constitute a comprehensive solution towards mitigation of such attacks.

A good IP traceback approach must also provide easy scalability and incremental deployment to counter the growing user base of the Internet.

These functional issues and challenges must be tackled effectively in future research.
8. Threats to validity

Although utmost care was taken in the article selection, we still might have missed some of the relevant studies due to inappropriate selection criteria. The studies wherein the procedure to perform the traceback process was not fully defined were excluded. A reference check on some renowned articles selected from the final list was also conducted to prevent overlooking any prominent work on IP traceback. The selected studies were then examined and subsequently added to the final set of papers to be reviewed. A language barrier has always been there, due to which numerous findings were bound to be excluded. Google Scholar restricted us to the first 1000 results only, which could be another validity threat. We might have missed some relevant work published after the considered time period of our systematic review, i.e. January 2000 to January 2014.
9. Conclusions and future work

In this paper, we conducted a systematic review on IP traceback schemes. An automatic search was used to look for articles using the Microsoft Academic Search and Google Scholar search engines. We also conducted a manual search using IEEE Xplore, ACM Digital Library, Science Direct, and Springer to look for articles possibly missed by the automatic search. In addition, we carried out reference checking to maximize the article coverage and minimize the chances of omitting significant articles. We shortlisted 275 articles highly relevant to IP traceback, followed by the classification of articles based on traceback approach, marking strategy, IP version, packets required for traceback, ISP privacy, and security.

This study observed a growing interest in IP traceback (for countering DDoS attacks) between year 2000 and year 2005, as reflected by the published literature during this phase. However, this positive growth was ruined thereafter by a plummeting trend in the number of IP traceback publications. It was observed that the marking approach has received a great deal of attention due to its ease of implementation supported by low overhead on intermediate routers. About 222 (about 81%) out of 275 articles focus on IPv4 as compared to only 15 (about 5%) in case of IPv6. An irresistible and brisk adoption of the new generation protocol (IPv6) demands that researchers emphasize IPv6 traceback schemes in future, as a traceback mechanism specially crafted for IPv6 is bound to work more effectively than a mapped IPv4 scheme.

Following our systematic review of literature available on IP traceback, we summarized the most important outcomes and likelihood of future research work:

i. The review inferred that the role of IP traceback in the overall DDoS mitigation process is important but underused. As the number of DDoS attacks is soaring each year, the amount of research work directed towards finding ways for mitigation of such attacks is also expected to be growing. We look to follow this work with a detailed systematic review on all the DDoS mitigation schemes.
ii. The problems caused by subverted routers have not yet been taken up by researchers working on logging based traceback schemes, in comparison to marking based traceback schemes where such issues have been long worked upon.
iii. Many novel denial of service attacks have already been predicted on IPv6 based networks even prior to its complete deployment. While defining the appropriate traceback schemes for IPv6 based networks, the researchers need to focus on the inherent problems related to IPv6 that can possibly obstruct the traceback solutions.
iv. Hybrid traceback schemes have the potential to exhibit positive characteristics of all the constituent traceback approaches. Hence the hybrid approach should be considered as a preferable IP traceback approach.
v. DDoS mitigation solutions seem to provide more productive results when assisted by an IP traceback process. Skillful integration of traceback schemes with DDoS defense mechanisms is a good research prospect.
vi. Many traceback schemes fall short in dealing with highly-distributed DDoS attacks. Such attacks are conducted using compromised systems that are distributed across networks around the globe. Only a small number of traceback schemes are capable of effectively surmounting these types of attacks.
Appendix A
Table 1 Article classification result

Columns, left to right: Proposed IP traceback scheme | Year | IP traceback approach (link testing, overlay, pattern analysis, marking, messaging, logging, hybrid) | Marking strategy (node append, node sampling, edge sampling) | IP version (IPv4, IPv6) | Packets required for traceback (single packet, multiple packet) | ISP privacy (maintained, disclosed) | Security (yes, no)
o marks a column that applies to the scheme; . marks one that does not.

Baskar et al. [69] | 2013 | o . . . . . . . . . . . . . . . . .
Foroushani et al. [70] | 2013 | . . . o . . . . o . o . . o o . o .
Alenezi et al. [71] | 2013 | . . . o . . . . o . o . . o o . . o
Roy et al. [36] | 2013 | . . . o . . . . o . o . . o . o . o
Tian et al. [72] | 2013 | . . . o . . . . . o o . . o o . o .
Kim et al. [73] | 2013 | . . . o . . . . o . o . . o o . . o
Tian et al. [74] | 2012 | . o . . . . . . . . . . . . . . . .
Wang et al. [50] | 2012 | . . . . . . o . o . o . o . . o . .
Lu et al. [51] | 2012 | . . . . . . o . o . o . o . o . . .
Rajam et al. [75] | 2012 | . . . o . . . . o . o . o o o . . o
Kiremire et al. [76] | 2012 | . . . . o . . . o . . . . o o . . o
Tian et al. [77] | 2012 | . o . . . . . . . . . . . . . . . .
Shalinie et al. [78] | 2012 | . . . o . . . . o . o . . o o . . o
Saurabh et al. [79] | 2012 | . . . o . . . . o o o . . o o . . o
Shamani et al. [26] | 2012 | o . . . . . . . . . . . . . . . . .
Yang et al. [46] | 2012 | . . . . . . o . . o o . o . o . . o
Karasawa et al. [52] | 2012 | . . . . . . o . . . o . . o o . . o
Luo et al. [80] | 2012 | . . . o . . . . o . o . o . o . o .
Cheng et al. [81] | 2012 | . . . . o . . . . . o . . o o . . o
Liang [82] | 2012 | . . . o . . . . o . o . o . o . . o
Tripathy et al. [83] | 2012 | . . . o . . . . o . . o . o o . o .
Peng et al. [84] | 2012 | . . . o . . . o . . o . . o o . . o
Kartik et al. [85] | 2012 | . . . o . . . . o . o . o . o . . o
Okada et al. [86] | 2011 | . . . o . . . . o . o . . o o . . o
Guerid et al. [87] | 2011 | . . . . o . . o . . . . o . o . . o
Wang et al. [88] | 2011 | . . o . . . . . . . . . . . . . . .
Moreira et al. [89] | 2011 | . . . o . . . . o . o . o . o . . o
Sattari et al. [90] | 2011 | . . . o . . . . o . o . . o o . . o
Zeng et al. [91] | 2011 | . . . o . . . . o . o . . o o . . o
Tian et al. [42] | 2011 | . o . . . . . . . . . . . . . . . .
Saurabh et al. [92] | 2011 | . . . o . . . . o . o . o . o . . o
Sun et al. [62] | 2011 | . . . o . . . o . . . o o . o . . o
Kim et al. [54] | 2011 | . . . . . . o o . . o . o . o . o .
Kuo et al. [93] | 2011 | . . . . . . o . o . o . o . o . . .
Yu et al. [94] | 2011 | o . . . . . . . . . . . . . . . . .
Pilli et al. [95] | 2011 | . . . o . . . . o . o . o . o . . o
Saurabh et al. [96] | 2011 | . . . . o . . . o . o . . o o . . o
Pilli et al. [97] | 2011 | . . . o . . . . o . o . o . o . . o
Yim et al. [98] | 2011 | . . . . . . o . . . o . . o o . . .
Koga et al. [99] | 2011 | . . . o . . . . o . o . . o o . . o
Li et al. [100] | 2010 | . . . o . . . . o . o . . o o . o .
Sattari et al. [101] | 2010 | . . . o . . . . o . o . . o . o o .
Qin et al. [102] | 2010 | . . . o . . . . . o o . . o o . o .
Wei et al. [103] | 2010 | . . . o . . . . . o o . . o . o . o
Tian et al. [104] | 2010 | . . . o . . . . o . o . . o o . . o
Shuai et al. [105] | 2010 | . . . . . . o . o . o . o . o . o .
Wang et al. [47] | 2010 | . . o . . . . . . . . . . . . . . .
Dong et al. [53] | 2010 | . . . . . . o . . . o . o . o . . .
Yonghui et al. [106] | 2010 | . . . o . . . o . . o . o . o . . o
Khan et al. [107] | 2010 | . . . . . . o . . . o . o . o . . o
Chen et al. [108] | 2010 | . . o . . . . . . . . . . . . . . .
Karthik et al. [109] | 2010 | . . . o . . . o . . o o . . o
Nalavade et al. [110] | 2010 | . . . o . . . o . . o o . o
Yim et al. [111] | 2010 | . . . . . . o . . . o . . . o . . .
Nagaraj et al. [112] | 2010 | . . o . . . . . . . . . . . . . . .
Mallinga et al. [113] | 2010 | . . . . . . o . . . o . o . . . . .
Yao et al. [114] | 2010 | . . . . o . . . . . o . . o o . . o
Bhavani et al. [115] | 2010 | . . . o . . . . . o o . . o o . . o
Duarte et al. [38] | 2010 | . . . . . o . . . . . . o . o . . .
Wang et al. [116] | 2010 | . . . o . . . . o . o . . o . o . o
Yan et al. [56] | 2010 | . . . o . . . . o . o o . o o . . o
Oiao-jing et al. [117] | 2009 | . . . o . . . . o . o . . o . o . o
Zhang et al. [118] | 2009 | . . . o . . . . . o o . . o o . . o
Wan et al. [119] | 2009 | . . . o . . . . . o o . . o o . o .
Su et al. [120] | 2009 | . . o . . . . . . . . . . . . . . .
Castelucio et al. [41] | 2009 | . o . . . . . . . . . . . . . . . .
Huang et al. [121] | 2009 | . . . o . . . . o . o . . o o . o .
Wu et al. [122] | 2009 | . . o . . . . . . . . . . . . . . .
Dabir et al. [123] | 2009 | . . . o . . . . . o o . o . o . . o
Bo et al. [124] | 2009 | . . . o . . . . o . o . . o o . . o
Murakami et al. [125] | 2009 | . . . o . . . . o . o . . o o . . o
Zhou et al. [126] | 2009 | . . . o . . . . o . o . . o o . . o
Oiang et al. [127] | 2009 | . . . o . . . . o . o . . o o . . o
Castelucio [128] | 2009 | . o . . . . . . . . . . . . . . . .
Wang et al. [129] | 2009 | . . . . . . o . o . o . o . o . . .
Oiao-jing et al. [130] | 2009 | . . . o . . . . o . o . . o . o . o
Thing et al. [131] | 2009 | . . o . . . . . . . . . . . . . . .
Armoogum et al. [132] | 2009 | . . . o . . . . o . o . . o o . . o
Akyuz et al. [133] | 2009 | . . . o . . . . o . o . . o . o . o
Kai et al. [39] | 2009 | . . . . . o . . . . o . o . o . . .
Tang et al. [134] | 2009 | . . o . . . . . . . . . . . . . . .
Mallinga et al. [135] | 2009 | . . . o . . . o . . o o . o
Jin et al. [136] | 2009 | . . . o . . . . o . o . o . o . . o
Mallinga et al. [137] | 2009 | . . . o . . . . o . o . o . o . . o
Kannan et al. [138] | 2009 | . . . o . . . o . . o o . . o
Gong et al. [139] | 2009 | . . . o . . . . o . o . o . o . o .
Lu et al. [140] | 2009 | . . . o . . . o . . o . . o o . . o
Waizumi et al. [141] | 2009 | . . o . . . . . . . . . . . . . . .
Lee et al. [142] | 2009 | . . . o . . . . . o o . . o . o . o
Qu et al. [143] | 2008 | . . . o . . . o . . o . . o o . . o
Fadlallah et al. [144] | 2008 | . . . . . . o . o . o . o . o . o .
Gong et al. [35] | 2008 | . . . . . . o . o . o . o . o . . .
Qu et al. [145] | 2008 | . . . o . . . . o . o . o . o . o .
Qu et al. [146] | 2008 | . . . o . . . . o . o . . o o . . o
Su et al. [147] | 2008 | . . o . . . . . . . . . . . . . . .
Jang et al. [148] | 2008 | . . . . . o . . . . o . o . o . . .
Chonka et al. [149] | 2008 | . . . o . . . . o . o . o . o . . o
Shi et al. [63] | 2008 | . . . o . . . . . o . o o . . o . o
Manimaran et al. [150] | 2008 | . . . . . . o . . o o . o . o . . .
Stefanidis et al. [151] | 2008 | . . . o . . . . o . o . . o o . . o
Yu et al. [152] | 2008 | . . . . o . . . . . . . o . o . . o
Wang et al. [153] | 2008 | . . . o . . . . o . o . o . . o . o
Thing et al. [27] | 2008 | o . . . . . . . . . . . . . . . . .
Goodrich [154] | 2008 | . . . o . . . . o . o . . o o . o .
Boudaoud et al. [155] | 2008 | . . . . . o . . . . o . . o o . . .
Paruchuri et al. [156] | 2008 | . . . o . . . . o . o . . o o . . o
Amin et al. [64] | 2008 | . . . o . . . . o . . o o . o . . o
Yen et al. [157] | 2008 | . . . o . . . . . o o . . o o . . o
Yi et al. [158] | 2008 | . o . . . . . . . . . . . . . . . .
Mallinga et al. [159] | 2008 | . . . . . . o . . . o . o . o . . o
Lai et al. [44] | 2008 | . . o . . . . . . . . . . . . . . .
Zheng et al. [160] | 2008 | . . . . . . o . . o o . o . o . . o
Karthik et al. [161] | 2008 | . . . o . . . . . o o . . o o . . o
Lee et al. [162] | 2008 | . . . o . . . . . o o . . o . o . o
Li et al. [163] | 2008 | . . . . . . o . o . o . o . o . o .
Nagaratna et al. [164] | 2008 | . . . o . . . . o . o . . o o . o .
Mallinga et al. [165] | 2007 | . . . o . . . . o . o . o . o . . o
Tian et al. [166] | 2007 | . . . o . . . . o . o . . o o . . .
Chae et al. [167] | 2007 | . . . . o . . o . . . . o . o . o .
Izaddoost et al. [168] | 2007 | . . . . o . . . o . . . . o o . . o
Jin et al. [169] | 2007 | . . . o . . . . o . o . o . o . . o
Ke et al. [170] | 2007 | . . . o . . . . o . o . . o o . . o
Yen et al. [171] | 2007 | . . . o . . . . o . o . . o o . . o
Paruchuri et al. [172] | 2007 | . . . o . . . o . . o . . o o . . o
Duarte et al. [173] | 2007 | . . . . . o . . . . o . o . o . . .
Takurou et al. [174] | 2007 | . . . o . . . . o . o . o . . o . o
Shah et al. [175] | 2007 | . . . o . . . . o . o . o . o . . o
Stefanidis et al. [176] | 2007 | . . . o . . . . o . o . . o . o . o
Laufer et al. [177] | 2007 | . . . o . . . . o . o . o . o . . o
Bhaskaran et al. [178] | 2007 | . . . o . . . . o . o . . o o . . o
Belenky et al. [179] | 2007 | . . . o . . . . o . o . . o o . o .
Siris et al. [57] | 2007 | . . . o . . . . o . o o . o o . . o
Peng et al. [180] | 2007 | . . . o . . . . o . o . . o o . o .
Wang et al. [181] | 2007 | . . . o . . . . o . o . . o . o . o
Gao et al. [182] | 2007 | . . . o . . . . o . o . . o o . o .
Castelucio et al. [183] | 2007 | . . . . . . o . . . o . o . o . . .
Liu et al. [184] | 2007 | . . . o . . . . . . o . . . o . o
Aijaz et al. [55] | 2007 | . . . . . . o o . . o . o . o . o .
Wuu et al. [185]
2007
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Thing et al. [186]
2007
.
.
o
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
IP traceback approach
IP version required for
strategy
messaging
logging
hybrid
node append
node sampling
edge sapling
IPv4
IPv6
maintained
disclosed
yes
no
Bhaskaran et al. [187]
2007
.
.
.
o
.
.
.
.
o
.
o
.
o
.
o
.
.
o
Ohsita et al. [188]
2007
.
.
o
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Demir et al. [189]
2007
.
.
.
.
.
.
o
.
.
.
o
.
o
.
o
.
.
.
Jing et al. [190]
2006
.
.
.
.
.
.
o
.
o
.
o
.
.
o
o
.
.
.
Liu et al. [191]
2006
.
.
.
o
.
.
.
.
o
.
o
.
.
o
.
o
.
o
Bhaskaran et al. [192]
2006
.
.
.
o
.
.
.
.
o
.
o
.
.
o
.
o
.
o
Kumar et al. [193]
2006
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Shokri et al. [194]
2006
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Jin et al. [195]
2006
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Tseng et al. [196]
2006
.
.
.
o
.
.
.
.
.
o
o
.
.
o
o
.
.
o
Lin et al. [197]
2006
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Chen et al. [198]
2006
.
.
.
o
.
.
.
.
o
.
o
.
.
o
.
o
.
o
Al-Duwairi et al. [199]
2006
.
.
.
.
.
.
o
.
o
.
o
.
.
o
o
.
.
o
Durresi et al. [200]
2006
.
.
.
o
.
.
.
.
o
.
o
.
.
o
.
o
.
o
Fadlallah et al. [201]
2006
.
.
.
.
o
.
.
.
.
.
.
.
o
.
o
.
.
o
Zhang et al. [202]
2006
.
.
.
.
.
o
.
.
.
.
o
.
o
.
.
o
.
.
Gong et al. [203]
2006
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Tseng et al. [204]
2006
.
.
.
.
.
.
o
.
.
o
o
.
.
o
o
.
.
o
Amin et al. [65]
2006
.
.
.
o
.
.
.
o
.
.
.
o
.
o
o
.
.
o
Kim et al. [205]
2006
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
o
.
Yin et al. [206]
2006
.
.
.
o
.
.
.
.
.
o
o
.
.
.
o
.
.
o
Yi et al. [207]
2006
.
.
.
o
.
.
.
.
.
o
o
.
o
.
o
.
.
o
Kim et al. [208]
2006
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Kim et al. [209]
2006
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Yim et al. [210]
2006
.
.
.
o
.
.
.
o
.
.
o
.
o
.
o
.
.
o
Lee et al. [211]
2006
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Yan et al. [212]
2006
.
.
.
o
.
.
.
.
o
o
o
.
.
o
.
o
.
o
Chen et al. [45]
2006
.
.
o
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Amin et al. [33]
2006
.
.
.
o
.
.
.
o
.
.
.
o
o
.
o
.
.
o
Hu et al. [213]
2006
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Wong et al. [214]
2006
.
.
o
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Ma et al. [215]
2006
.
.
.
o
.
.
.
.
o
.
o
.
.
o
.
o
o
.
Sung et al. [216]
2006
.
.
.
.
.
.
o
.
.
.
o
.
.
o
o
.
.
.
Yaar et al. [58]
2006
.
.
.
o
.
.
.
.
o
.
o
o
o
.
.
o
o
.
packet
single
IP traceback scheme
Year
packet multiple
marking
Security
pattern analysis
privacy
overlay
traceback
ISP
link testing
Proposed
Packets
Marking
22
Page 22 of 41
Alwis et al. [59]
2006
.
.
.
o
.
.
.
o
.
.
o
o
o
.
o
.
.
o
Alwis et al. [60]
2006
.
.
.
o
.
.
.
o
.
.
o
o
o
.
o
.
.
o
IP traceback approach
IP version required for
strategy
messaging
logging
hybrid
node append
node sampling
edge sapling
IPv4
IPv6
maintained
disclosed
yes
no
Sun et al. [217]
2006
.
.
.
o
.
.
.
o
.
.
o
.
o
.
o
.
.
o
Oiang et al. [218]
2005
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Lee et al. [219]
2005
.
.
.
o
.
.
.
.
o
.
o
.
o
.
o
.
.
o
Huang et al. [220]
2005
.
.
.
o
.
.
.
.
o
.
o
.
.
o
.
o
.
o
Yang et al. [221]
2005
.
.
.
o
.
.
.
.
.
o
o
.
.
o
.
o
.
o
Strayer et al. [222]
2005
.
.
.
.
.
o
.
.
.
.
o
.
o
.
o
.
.
.
Chen et al. [223]
2005
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
o
.
Gao et al. [224]
2005
.
.
.
o
.
.
.
.
.
o
o
.
o
.
.
o
.
o
Jing et al. [225]
2005
.
.
.
.
.
.
o
.
.
.
o
.
.
o
o
.
o
.
Dong et al. [226]
2005
.
.
.
o
.
.
.
.
o
.
o
.
.
o
.
o
.
o
Thing et al. [227]
2005
.
.
.
.
o
.
.
.
.
.
.
.
.
o
o
.
.
o
Gao et al. [228]
2005
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Li et al. [229]
2005
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Yaar et al. [230]
2005
.
.
.
o
.
.
.
.
o
.
o
.
.
o
.
o
.
o
Leu et al. [231]
2005
.
.
.
.
.
o
.
.
.
.
o
.
o
.
o
.
.
.
Liu et al. [232]
2005
.
.
.
o
.
.
.
.
.
.
o
.
.
o
o
.
.
o
Gong et al. [233]
2005
.
.
.
.
.
.
o
.
o
.
o
.
o
.
o
.
.
.
Isozaki et al. [234]
2005
.
.
.
.
.
.
o
.
.
.
o
.
.
o
o
.
.
o
Chen et al. [235]
2005
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Manimaran et al. [236]
2005
.
.
.
o
.
.
.
.
.
o
o
.
.
o
o
.
.
o
Ma et al. [237]
2005
.
.
.
o
.
.
.
.
o
.
o
.
.
o
.
o
o
.
Law et al. [238]
2005
.
.
.
o
.
.
.
.
.
o
o
.
.
o
o
.
.
o
Lee et al. [239]
2005
.
.
.
o
.
.
.
.
.
o
o
.
o
.
.
o
o
.
Hou et al. [240]
2005
.
.
.
o
.
.
.
.
.
o
o
.
.
o
.
o
.
o
Shi et al. [28]
2005
o
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Qu et al. [241]
2005
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Jing et al. [242]
2005
.
.
.
o
.
.
.
.
.
o
o
.
.
o
o
.
o
.
Lee et al. [66]
2005
.
.
.
.
.
.
o
.
.
.
.
o
.
o
o
.
.
.
Huang et al. [243]
2005
.
.
.
.
o
.
.
.
.
.
o
.
.
o
o
.
.
o
Rayanchu et al. [244]
2005
.
.
.
o
.
.
.
.
o
.
o
.
o
.
o
.
.
o
Kim et al. [245]
2005
.
.
.
o
.
.
.
o
.
.
o
.
o
.
o
.
.
o
Lee et al. [246]
2005
.
.
o
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Gong et al. [247]
2005
.
.
.
.
.
o
.
.
.
.
o
.
o
.
o
.
.
.
Laufer et al. [248]
2005
.
.
.
o
.
.
.
o
.
.
o
.
o
.
o
.
.
o
packet
single
IP traceback scheme
Year
packet multiple
marking
Security
pattern analysis
privacy
overlay
traceback
ISP
link testing
Proposed
Packets
Marking
23
Page 23 of 41
Albright et al. [67]
2005
.
.
.
o
.
.
.
.
.
o
.
o
.
o
o
.
.
o
Laufer et al. [249]
2005
.
.
.
o
.
.
.
o
.
.
o
.
o
.
o
.
.
o
IP traceback approach
IP version required for
strategy
messaging
logging
hybrid
node append
node sampling
edge sapling
IPv4
IPv6
maintained
disclosed
yes
no
Kim et al. [250]
2005
.
.
.
o
.
.
.
.
o
.
o
.
o
.
.
o
.
o
Durresi et al. [251]
2004
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
o
.
Wang et al. [30]
2004
.
.
.
.
o
.
.
.
.
.
.
.
o
.
o
.
o
.
Choi et al. [252]
2004
.
.
.
.
.
.
o
.
.
o
o
.
o
.
o
.
o
.
Oiaofeng et al. [43]
2004
.
.
o
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Al-Duwairi et al. [253]
2004
.
.
.
.
.
.
o
.
o
.
o
.
.
o
o
.
.
o
Bai et al. [254]
2004
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Wang et al. [31]
2004
.
.
.
.
o
.
.
o
.
.
.
.
o
.
o
.
o
.
Durresi et al. [255]
2004
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
o
.
Ping et al. [256]
2004
.
.
.
o
.
.
.
.
o
.
o
.
.
o
.
o
.
o
Jones et al. [257]
2004
.
.
.
o
.
.
.
.
.
o
o
.
o
.
o
.
.
o
Varanasi et al. [258]
2004
.
.
.
o
.
.
.
.
.
o
o
.
.
o
o
.
.
o
Li et al. [259]
2004
.
.
.
.
.
.
o
.
.
.
o
.
.
o
o
.
.
.
Tseng et al. [260]
2004
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Lee et al. [261]
2004
.
.
.
.
.
o
.
.
.
.
o
.
o
.
o
.
.
.
Strayer et al. [68]
2004
.
.
.
.
.
o
.
.
.
.
.
o
o
.
o
.
.
.
Oiang et al. [262]
2004
.
.
.
o
.
.
.
.
.
o
o
.
.
o
o
.
.
o
Lee et al. [263]
2004
.
.
.
.
.
.
o
.
.
.
o
.
.
o
o
.
.
.
Lau et al. [264]
2004
.
.
.
o
.
.
.
.
o
.
o
.
.
o
.
o
o
.
Manimaran et al. [265]
2004
.
.
.
.
.
.
o
.
.
o
o
.
.
o
o
.
o
.
Kai et al. [266]
2004
.
.
.
o
.
.
.
o
.
.
o
.
.
o
o
.
o
.
Lee et al. [267]
2004
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Liu et al. [268]
2004
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Lee et al. [269]
2004
.
.
.
.
o
.
.
.
.
.
o
.
.
o
o
.
.
o
Lee et al. [270]
2004
.
.
.
.
o
.
.
.
o
.
o
.
o
.
o
.
o
.
Tupakula et al. [271]
2004
.
.
.
o
.
.
.
.
o
.
o
.
o
.
o
.
o
.
Gao et al. [272]
2004
.
.
.
o
.
.
.
.
.
o
o
.
o
.
.
o
.
o
Oe et al. [273]
2004
.
.
.
.
.
.
o
.
.
.
o
.
.
.
.
.
.
.
Hai-tao et al. [274]
2003
.
.
.
o
.
.
.
.
.
o
o
.
.
o
o
.
o
.
Belenky et al. [275]
2003
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
OE et al. [34]
2003
.
.
.
o
.
.
.
o
.
.
o
o
.
o
o
.
o
.
Chen et al. [276]
2003
.
.
.
o
.
.
.
.
o
.
o
.
.
o
.
o
.
o
Ogawa et al. [277]
2003
.
.
.
o
.
.
.
.
.
o
o
.
.
o
o
.
.
o
Kim et al. [278]
2003
.
.
.
o
.
.
.
.
o
.
o
.
o
.
.
o
.
o
packet
single
IP traceback scheme
Year
packet multiple
marking
Security
pattern analysis
privacy
overlay
traceback
ISP
link testing
Proposed
Packets
Marking
24
Page 24 of 41
Liu et al. [279]
2003
.
.
.
o
.
.
.
.
o
.
o
.
.
.
o
.
o
.
Belenky et al. [15]
2003
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
IP traceback approach
IP version required for
strategy
messaging
logging
hybrid
node append
node sampling
edge sapling
IPv4
IPv6
maintained
disclosed
yes
no
Sung et al. [280]
2003
.
.
.
o
.
.
.
.
o
o
o
.
.
o
o
.
o
.
Belenky et al. [281]
2003
.
.
.
o
.
.
.
.
.
o
o
.
.
o
o
.
.
o
Min et al. [282]
2003
.
.
.
o
.
.
.
o
.
.
o
.
.
o
o
.
o
.
Song et al. [283]
2003
.
.
.
.
o
.
.
.
.
.
o
.
o
.
o
.
.
o
Henry et al. [284]
2003
.
.
.
.
o
.
.
o
.
.
o
.
.
o
o
.
.
o
Kim et al. [285]
2003
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Hsu et al. [32]
2003
.
.
.
.
o
.
.
.
.
.
.
.
.
o
o
.
.
o
Kwak et al. [286]
2003
.
.
.
o
.
.
.
.
.
.
o
.
.
.
.
.
.
o
Yaar et al. [287]
2003
.
.
.
o
.
.
.
.
.
o
o
.
o
.
.
o
o
.
Oe et al. [288]
2003
.
.
.
.
.
o
.
.
.
.
o
.
o
.
o
.
.
.
Tupakula et al. [289]
2003
.
.
.
o
.
.
.
.
o
.
o
.
.
o
o
.
.
o
Matsuda et al. [290]
2002
o
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Snoeren et al. [291]
2002
.
.
.
.
.
o
.
.
.
.
o
.
o
.
o
.
.
.
Baba et al. [24]
2002
.
.
.
.
.
o
.
.
.
.
o
.
o
.
o
.
.
.
Law et al. [292]
2002
.
.
.
o
.
.
.
.
.
o
o
.
.
o
o
.
.
o
Peng et al. [293]
2002
.
.
.
o
.
.
.
.
.
o
.
.
.
o
o
.
o
.
Dean et al. [294]
2002
.
.
.
o
.
.
.
.
.
o
o
.
.
o
o
.
.
o
Goodrich et al. [295]
2002
.
.
.
.
o
.
.
.
.
.
o
.
.
o
o
.
o
.
Wei et al. [296]
2002
.
.
.
o
.
.
.
.
.
o
o
.
.
o
o
.
o
.
Tokuda et al. [297]
2002
.
.
.
o
.
.
.
o
.
.
o
.
.
o
o
.
.
o
Song et al. [298]
2001
.
.
.
o
.
.
.
.
o
.
o
.
.
o
.
o
o
.
Mankin [299]
2001
.
.
.
.
o
.
.
o
.
.
.
.
.
o
o
.
.
o
Snoeren et al. [37]
2001
.
.
.
.
.
o
.
.
.
.
o
.
o
.
o
.
.
.
Kim et al. [300]
2001
.
.
.
o
.
.
.
o
.
.
o
.
o
.
o
.
.
o
Stone [40]
2000
.
o
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Burch [6]
2000
o
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Klein et al. [301]
2000
.
.
.
o
.
.
.
o
.
.
o
.
o
.
o
.
.
o
packet
single
IP traceback scheme
Year
packet multiple
marking
Security
pattern analysis
privacy
overlay
traceback
ISP
link testing
Proposed
Packets
Marking
References
1.
Mirkovic J, Reiher P. A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer Communication Review, 2004, 34(2): 39–53.
2.
Specht SM, Lee RB. Distributed Denial of Service: Taxonomies of Attacks, Tools, and Countermeasures. In: Proceedings of the International Conference on Parallel and Distributed Computing Systems. 2004, 543–550.
3.
DoS and DDoS Protection | Anti Denial of Service (DDoS) Attack | Prolexic [Internet]. [cited 2015 Feb 12] Available from: http://www.prolexic.com/
4.
Bellovin SM. Security Problems in the TCP/IP Protocol Suite. ACM SIGCOMM Computer Communication Review, 1989, 19(2): 32–48.
5.
Belenky A, Ansari N. On IP traceback. IEEE Communications Magazine, 2003, 41(7): 142–153.
6.
Burch H. Tracing Anonymous Packets to Their Approximate Source. In: Proceedings of the USENIX conference on System administration. 2000, 319–328.
7.
Aljifri H. IP Traceback: A New Denial-of-Service Deterrent?. IEEE Security and Privacy, 2003, 1(3): 24–31.
8.
Santhanam L, Kumar A, Agrawal DP. Taxonomy of IP traceback. Journal of Information Assurance and Security, 2006, 1(2): 79–94.
9.
Vincent S, Raja J. A survey of IP traceback mechanisms to overcome denial-of-service attacks. In: Proceedings of the International Conference on Networking, VLSI and signal Processing. 2010, 93-98.
10.
Kumar K, Sangal AL, Bhandari A. Traceback techniques against DDOS attacks: A comprehensive review. In: Proceedings of the International Conference on Computer and Communication Technology. 2011, 491–498.
11.
ArunKumar K, Sai Ashritha K. Analysis of Various IP Traceback Techniques - A Survey. International Journal of Computer Applications, 2013, 77(13): 13–16.
12.
Singh K, Bhandari A, Kumar K. Classification and State of Art of IP Traceback Techniques for DDoS Defense. In: Proceedings of the ARTCom & ARTEE PEIE & itSIP and PCIE. 2013, 36–44.
13.
Parashar A, Radhakrishnan R. A Review of Packet Marking IP Traceback Schemes. International Journal of Computer Applications, 2013, 67(6): 15–20.
14.
Savage S, Wetherall D, Karlin A, Anderson T. Practical network support for IP traceback. ACM SIGCOMM Computer Communication Review, 2000, 30(4): 295–306.
15.
Belenky A, Ansari N. IP traceback with deterministic packet marking. IEEE Communications Letters, 2003, 7(4): 162–164.
16.
Kitchenham B, Charters S. Guidelines for performing Systematic Literature Reviews in Software Engineering. Keele University and Durham University Joint Report, 2007.
17.
Tahir A, MacDonell SG. A systematic mapping review on dynamic metrics and software quality. In: Proceedings of the IEEE International Conference on Software Maintenance. 2012, 326–335.
18.
Cornelissen B, Zaidman A, van Deursen A, Moonen L, Koschke R. A Systematic Survey of Program Comprehension through Dynamic Analysis. IEEE Transactions on Software Engineering, 2009, 35(5): 684–702.
19.
Fuchs L, Pernul G, Sandhu R. Roles in information security – A survey and classification of the research area. Computers and Security, 2011, 30(8): 748-769.
20.
Jamshidi P, Ahmad A, Pahl C. Cloud Migration Research: A Systematic Review. IEEE Transactions on Cloud Computing, 2013, 1(2): 142–157.
21.
Patel A, Taghavi M, Bakhtiyari K, Celestino J. Review: An Intrusion Detection and Prevention System in Cloud Computing: A Systematic Review. Journal of Network and Computer Applications, 2013, 36(1): 25–41.
22.
Rahman N, Choo K-K. A survey of information security incident handling in the cloud. Computers and Security, 2015, 49: 45-69.
23.
Alenezi M, Reed MJ. IP traceback methodologies. In: Proceedings of the Computer Science and Electronic Engineering Conference. 2011, 98–102.
24.
Baba T, Matsuda S. Tracing Network Attacks to Their Sources. IEEE Internet Computing, 2002, 6(2): 20–26.
25.
Takahashi T, Hazeyama H, Miyamoto D, Kadobayashi Y. Taxonomical approach to the deployment of traceback mechanisms. In: Proceedings of the Baltic Congress on Future Internet Communications. 2011, 13–20.
26.
Hamedi-Hamzehkolaie M, Shamani MJ, Ghaznavi-Ghoushchi MB. Low rate DOS traceback based on sum of flows. In: Proceedings of the International Symposium on Telecommunications. 2012, 1142–1146.
27.
Thing VLL, Sloman M, Dulay N. Network domain entrypoint/path determination for DDoS attacks. In: Proceedings of the IEEE Symposium on Network Operations and Management. 2008, 57–64.
28.
Shi Y, Yang X. A novel architecture for detecting and defending against flooding-based DDoS attacks. In: Proceedings of the Computational Intelligence and Security. Springer; 2005, 364–374.
29.
Taylor T, Leech M, Bellovin S. ICMP Traceback Messages [Internet]. [cited 2015 Jan 01] Available from: https://tools.ietf.org/html/draft-ietf-itrace-04.
30.
Wang B-T, Schulzrinne H. A denial-of-service-resistant IP traceback approach. In: Proceedings of the Ninth International Symposium on Computers and Communications, 2004, 351–356.
31.
Wang B-T, Schulzrinne H. An IP traceback mechanism for reflective DoS attacks. In: Proceedings of the Canadian Conference on Electrical and Computer Engineering. 2004, 901–904.
32.
Hsu F, Chiueh T. A Path Information Caching and Aggregation Approach to Traffic Source Identification. In: Proceedings of the International Conference on Distributed Computing Systems. 2003, 332–339.
33.
Snoeren AC, Partridge C, Sanchez LA, Jones CE, Tchakountio F, Kent ST, Strayer WT. Hash-based IP traceback. ACM SIGCOMM Computer Communication Review, 2001, 31(4): 3–14.
34.
Hilgenstieler E, Duarte Jr. EP, Mansfield-Keeni G, Shiratori N. Extensions to the source path isolation engine for precise and efficient log-based IP traceback. Computers & Security, 2010, 29(4): 383–392.
35.
Kai T, Hashiguchi A, Nakatani H. Proposal for and Evaluation of Improved Method of Hash-Based IP Traceback System. In: Proceedings of the International Conference on Computer Science and its Applications, 2009, 1–7.
36.
Stone R. Centertrack: an IP overlay network for tracking DoS floods. In: Proceedings of the USENIX Conference on Security Symposium. 2000, 15–15.
37.
Castelucio A, Ziviani A, Salles RM. An AS-level overlay network for IP traceback. IEEE Network: The Magazine of Global Internetworking - Special issue title on recent developments in network intrusion detection, 2009, 23(1): 36–41.
38.
Tian H, Bi J, Zhang W, Jiang X. EasyTrace: An easily-deployable light-weight IP traceback on an AS-level overlay network. In: Proceedings of the International Conference on Network Protocols. 2011, 129-130.
39.
Xiaofeng Q, Jihong H, Ming C. A mechanism to defend SYN flooding attack based on network measurement system. In: Proceedings of the International Conference on Information Technology: Research and Education. 2004, 208–212.
40.
Lai GH, Chen C-M, Jeng B-C, Chao W. Ant-based IP traceback. Expert Systems with Applications, 2008, 34(4): 3071–3080.
41.
Chen C, Jeng B, Yang CR, Lai GH. Tracing Denial of Service Origin: Ant Colony Approach. In: Proceedings of the Applications of Evolutionary Computing. 2006, 286-295.
42.
Yang M-C. RIHT: A Novel Hybrid IP Traceback Scheme. IEEE Transactions on Information Forensics and Security, 2012, 7(2): 789–797.
43.
Malliga S, Tamilarasi A. A hybrid scheme using packet marking and logging for IP traceback. International Journal of Internet Protocol Technology, 2010, 5(1/2): 81–91.
44.
Amin SO, Hong CS, Kim KY. Tracing the True Source of an IPv6 Datagram Using Policy Based Management System. In: Proceedings of the Management of Convergence Networks and Services. Springer; 2006, 263–272.
45.
Oe M, Kadobayashi Y, Yamaguchi S. An implementation of a hierarchical IP traceback architecture. In: Proceedings of the Symposium on Applications and the Internet Workshops. 2003, 250–253.
46.
Gong C, Saraç K. A More Practical Approach for Single-Packet IP Traceback using Packet Logging and Marking. IEEE Transactions on Parallel and Distributed Systems, 2008, 19(10): 1310–1324.
47.
Roy S, Singh A, Sairam AS. IP traceback in star colored networks. In: Proceedings of the International Conference on Communication Systems and Networks. 2013, 1–9.
48.
Kitchenham BA, Budgen D, Pearl Brereton O. Using Mapping Studies As the Basis for Further Research - A Participant-observer Case Study. Information and Software Technology, 2011, 53(6): 638–651.
49.
Wu P, Cui Y, Wu J, Liu J, Metz C. Transition from IPv4 to IPv6: A State-of-the-Art Survey. IEEE Communications Surveys and Tutorials, 2013, 15(3): 1407–1424.
50.
Wang Y, Su S, Yang Y, Ren J. A More Efficient Hybrid Approach for Single-Packet IP Traceback. In: Proceedings of the Euromicro International Conference on Parallel, Distributed and Network-Based Processing. 2012, 275–282.
51.
Lu N, Wang Y, Yang F, Xu M. A Novel Approach for Single-Packet IP Traceback Based on Routing Path. In: Proceedings of the Euromicro International Conference on Parallel, Distributed and Network-Based Processing. 2012, 253–260.
52.
Karasawa T, Soshi M, Miyaji A. A Novel Hybrid IP Traceback Scheme with Packet Counters. In: Proceedings of the International conference on Internet and Distributed Computing Systems. 2012, 71–84.
53.
Dong Y, Yu-long W, Sen S, Fang-chun Y. An Efficient Collaborative Traceback Scheme Based on Packet Digests Logging. In: Proceedings of the IEEE International Conference on Computer and Information Technology. 2010, 2811–2815.
54.
Kim HS, Kim HK. Network Forensic Evidence Acquisition (NFEA) with Packet Marking. In: Proceedings of the IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops. 2011, 388–393.
55.
Aijaz A, Mohsin SR, Mofassir-Ul-Haque M-U-H. IP Trace Back Techniques to Ferret out Denial of Service Attack Source. In: Proceedings of the WSEAS International Conference on Information Security and Privacy. 2007, 135–140.
56.
Yan Q, He X, Ning T. An Improved Dynamic Probabilistic Packet Marking for IP Traceback. International Journal of Computer Network and Information Security, 2010, 2(2): 47.
57.
Siris VA, Stavrakis I. Provider-based deterministic packet marking against distributed DoS attacks. Journal of Network and Computer Applications, 2007, 30(3): 858–876.
58.
Yaar A, Perrig A, Song D. StackPi: New packet marking and filtering mechanisms for DDoS and IP spoofing defense. IEEE Journal on Selected Areas in Communications, 2006, 24(10): 1853–1863.
59.
Alwis HA, Doss RC, Chowdhury MU, Hewage PS. A performance evaluation of Route Based Packet Marking (RBPM) for IP trace back. In: Proceedings of the Multitopic Conference. 2006, 364–369.
60.
Alwis HA, Doss RC, Hewage PS, Chowdhury MU. Topology based packet marking for IP traceback. In: Proceedings of the Australian Telecommunication Networks and Applications Conference. 2006, 224–228.
61.
Tripathy A, Dansana J, Mishra DP. A secure packet marking scheme for IP traceback in IPv6. In: Proceedings of the International Conference on Advances in Computing, Communications and Informatics. 2012, 656–659.
62.
Sun Y, Zhang C, Meng S, Lu K. Modified Deterministic Packet Marking for DDoS Attack Traceback in IPv6 Network. In: Proceedings of the IEEE International Conference on Computer and Information Technology. 2011, 245–248.
63.
Shi Y, Qi Y, Yang B. Deterministic link signature based IP traceback algorithm under IPv6. In: Proceedings of the International Conference on Advanced Communication Technology. 2008, 1010–1014.
64.
Amin SO, Siddiqui MS, Hong CS. A novel IPv6 traceback architecture using COPS protocol. annals of telecommunications - annales des télécommunications, 2008, 63(3-4): 207–221.
65.
Amin S, Kang M, Hong C. A Lightweight IP Traceback Mechanism on IPv6. In: Proceedings of the EUC 2006 Workshops. 2006, 671–680.
66.
Lee H, Yun S. Authenticated IPv6 Packet Traceback Against Reflector Based Packet Flooding Attack. In: Proceedings of the Knowledge-Based and Intelligent Engineering & Information Systems. 2005, 1118-1124.
67.
Dang X, Albright E. An Implementation of IP Traceback in IPv6 Using Probabilistic Packet Marking. In: Proceedings of the IEEE International Conference on Internet Computing. 2005, 416–421.
68.
Strayer WT, Jones CE, Tchakountio F, Hain RR. SPIE-IPv6: single IPv6 packet traceback. In: Proceedings of the Annual IEEE International Conference on Local Computer Networks. 2004, 118–125.
69.
Baskar M, Gnanasekaran T, Saravanan S. Adaptive IP traceback mechanism for detecting low rate DDoS attacks. In: Proceedings of the International Conference on Emerging Trends in Computing, Communication and Nanotechnology. 2013, 373–377.
70.
Foroushani VA, Zincir-Heywood AN. Deterministic and Authenticated Flow Marking for IP Traceback. In: Proceedings of the IEEE International Conference on Advanced Information Networking and Applications. 2013, 397–404.
71.
Alenezi M, Reed MJ. Efficient AS DoS traceback. In: Proceedings of the International Conference on Computer Applications Technology. 2013, 1–5.
72.
Tian H, Bi J, Jiang X. An adaptive probabilistic marking scheme for fast and secure traceback. Networking Science, 2013, 2(1-2): 42–51.
73.
Kim K, Kim J, Hwang J. IP traceback with sparsely-tagged fragment marking scheme under massively multiple attack paths. Cluster Computing, 2013, 16(2): 229–239.
74.
Tian H, Bi J, Xiao P. A Flow-Based Traceback Scheme on an AS-Level Overlay Network. In: Proceedings of the International Conference on Distributed Computing Systems Workshops. 2012, 559–564.
75.
Soundar Rajam VK, Shalinie SM. A novel traceback algorithm for DDoS attack with marking scheme for online system. In: Proceedings of the International Conference on Recent Trends in Information Technology. 2012, 407–412.
76.
Kiremire AR, Brust MR, Phoha VV. A prediction based approach to IP traceback. In: Proceedings of the IEEE Conference on Local Computer Networks Workshops. 2012, 1022–1029.
77.
Tian H, Bi J. An Incrementally Deployable Flow-Based Scheme for IP Traceback. IEEE Communications Letters, 2012, 16(7): 1140–1143.
78.
Vijayalakshmi M, Shalinie SM, Arun Pragash A. IP traceback system for network and application layer attacks. In: Proceedings of the International Conference on Recent Trends in Information Technology. 2012, 439–444.
79.
Saurabh S, Sairam AS. Linear and Remainder Packet Marking for fast IP traceback. In: Proceedings of the International Conference on Communication Systems and Networks. 2012, 1–8.
80.
Luo R, Li J, Sun L. Distributed Collaborative Traceback Model against DDoS in Network Confrontation Based on Electronic Technology. In: Proceedings of the Advances in Mechanical and Electronic Engineering. 2012, 281–286.
81.
Cheng B-C, Liao G-T, Lin C-K, Hsu S-C, Hsu P-H, Park JH. MIB-ITrace-CP: An Improvement of ICMP-Based Traceback Efficiency in Network Forensic Analysis. In: Proceedings of the Network and Parallel Computing. Springer; 2012, 101–109.
82.
Liang S. The New Method of DDOS Defense. In: Proceedings of the MSEC International Conference on Multimedia, Software Engineering and Computing. 2012, 145–151.
83.
Tripathy A, Dansana J, Mishra DP. A Secure Packet Marking Scheme for IP Traceback in IPv6. In: Proceedings of the International Conference on Advances in Computing, Communications and Informatics. 2012, 656–659.
84.
Peng S-H, Chang K-D, Chen J-L, Lin I-L, Chao H-C. A Probabilistic Packet Marking scheme with LT Code for IP Traceback. International Journal of Future Computer and Communication, 2012, 1(1): 51–56.
85.
Viswanathan A, Arunachalam VP, Karthik S. Geographical Division Traceback for Distributed Denial of Service. Journal of Computer Science, 2012, 8(2): 216–221.
86.
Okada M, Katsuno Y, Kanaoka A, Okamoto E. 32-bit as Number Based IP Traceback. In: Proceedings of the International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing. 2011, 628–633.
87.
Guerid H, Serhrouchni A, Achemlal M, Mittig K. A Novel Traceback Approach for Direct and Reflected ICMP Attacks. In: Proceedings of the Conference on Network and Information Systems Security. 2011, 1–5.
88.
Wang P, Lin H-T, Wang TS. A Revised Ant Colony Optimization Scheme for Discovering Attack Paths of Botnet. In: Proceedings of the IEEE International Conference on Parallel and Distributed Systems. 2011, 918–923.
89.
Moreira MDD, Laufer RP, Fernandes NC, Duarte OCMB. A Stateless Traceback Technique for Identifying the Origin of Attacks from a Single Packet. In: Proceedings of the IEEE International Conference on Communications. 2011, 1–6.
90.
Sattari P, Markopoulou A. Algebraic Traceback Meets Network Coding. In: Proceedings of the International Symposium on Network Coding. 2011, 1–7.
91.
Zeng K, Li Z, He S. Design and implementation of FDPM in network processor. In: Proceedings of the IEEE International Conference on Anti-Counterfeiting, Security and Identification, 135–138.
92.
Saurabh S, Sairam AS. FC-DERM: Fragmentation compatible deterministic edge router marking. In: Proceedings of the Asia-Pacific Conference on Communications. 2011, 800–805.
93.
Kuo W-C, Chen Y-L, Tsai S-C, Li J-S. Single-Packet IP Traceback with Less Logging. In: Proceedings of the International Conference on Intelligent Information Hiding and Multimedia Signal Processing. 2011, 97–100.
94.
Yu S, Zhou W, Doss R, Jia W. Traceback of DDoS Attacks Using Entropy Variations. IEEE Transactions on Parallel and Distributed Systems, 2011, 22(3): 412–425.
95.
Pilli ES, Joshi RC, Niyogi R. An IP Traceback Model for Network Forensics. In: Proceedings of International Conference on Arts and Technology. 2011, 129–136.
96.
Saurabh S, Sairam AS. PT: A Path Tracing and Filtering Mechanism to Defend against DDoS Attacks. In: Proceedings of the International Conference on Information Processing. 2011, 336–341.
97.
Pilli E, Joshi R, Niyogi R. Router and Interface Marking for Network Forensics. In: Proceedings of the Advances in Digital Forensics VII. 2011, 209–220.
98.
Yim H, Kim T, Jung J. Probabilistic Route Selection Algorithm to Trace DDoS Attack Traffic Source. In: Proceedings of the International Conference on Information Science and Applications. 2011, 1–8.
99.
Koga K, Okazaki N. A proposal of an extended method of IP trace-back for distributed denial of service attacks. Electronics and Communications in Japan, 2007, 94(12):29-44.
100.
Li Y, Wang Y, Yang F, Su S. A cross-AS traceback method based on flexible fragmentation of path information. In: Proceedings of the IEEE GLOBECOM Workshops. 2010, 1611–1616.
101.
Sattari P, Gjoka M, Markopoulou A. A Network Coding Approach to IP Traceback. In: Proceedings of the IEEE International Symposium on Network Coding. 2010, 1–6.
102.
Qin L, Zhang Y, Chang Q. A novel improved compositive DDoS defence system. In: Proceedings of the International Conference on Signal Processing Systems. 2010, 493–496.
103.
Wei J, Chen K, Lian Y-F, Dai Y-X. A novel vector edge sampling scheme for IP traceback against DDoS attacks. In: Proceedings of the International Conference on Machine Learning and Cybernetics. 2010, 2829–2832.
104.
Tian H, Bi J, Jiang X, Zhang W. A Probabilistic Marking Scheme for Fast Traceback. In: Proceedings of the International Conference on Evolving Internet. 2010, 137–141.
105.
Shuai H, Xiaohong H, Yan M. A simple packet authentication mechanism based on stateless core approach. In: Proceedings of the IEEE GLOBECOM Workshops. 2010, 503–507.
106.
Yonghui L, Yulong W, Fangchun Y, Sen S, Dong Y. Deterministic packet marking based on the coordination of border gateways. In: Proceedings of the International Conference on Education Technology and Computer. 2010, 154–161.
107.
Khan ZS, Akram N, Alghathbar K, She M, Mehmood R. Secure single packet IP Traceback mechanism to identify the source. In: Proceedings of the International Conference for Internet Technology and Secured Transactions. 2010, 1–5.
108.
Chen H-H, Yang W. The Design and Implementation of a Practical Meta-Heuristic for the Detection and Identification of Denial-of-Service Attack Using Hybrid Approach. In: Proceedings of the Second International Conference on Machine Learning and Computing. 2010, 47–51.
109.
Karthik S, Arunachalam VP, Ravichandran T, Valarmathi ML. An Optimizing Technique for MDGT Using DRSA Algorithm Association with IP Traceback Strategies. In: Proceedings of the International Conference on Information and Communication Technologies. 2010, 55–61.
110.
Nalavade KC, Meshram BB. Identifying the Attack Source by IP Traceback. In: Proceedings of the International Conference on Information and Communication Technologies. 2010, 292–296.
111.
Yim H, Jung J. Probabilistic Route Selection Algorithm for IP Traceback. In: Proceedings of the Security Technology, Disaster Recovery and Business Continuity. 2010, 94–103.
112.
Varalakshmi P, Narayanan PK, Hariharan M, Nagaraj P, Amritha K. Reactive Network Monitor for DDoS Attacks. In: Proceedings of the Information Processing and Management. 2010, 349–355.
113.
Malliga S, Tamilarasi A. A Backpressure Technique for Filtering Spoofed Traffic at Upstream Routers. International Journal of Security and Networks, 2010, 5(1): 3–14.
114.
Yao G, Bi J, Zhou Z. Passive IP Traceback: Capturing the Origin of Anonymous Traffic Through Network Telescope. In: Proceedings of the ACM SIGCOMM Conference. 2010, 413–414.
115.
Bhavani Y, Reddy PN. An efficient ip traceback through packet marking algorithm. International Journal of Network Security and Its Applications, 2010, 2(3): 132–142.
116.
WANG X, WANG X. Topology-assisted deterministic packet marking for IP traceback. The Journal of China Universities of Posts and Telecommunications, 2010, 17(2): 116–121.
117.
Xiao-jing W, Chang-zhen H, He H. A Fast Deterministic Packet Marking Scheme for IP Traceback. In: Proceedings of the International Conference on Multimedia Information Networking and Security. 2009, 526–529.
118.
Zhang F, Jin G, Zhang H, Xie Z. A new border filtering scheme against DDoS attacks. In: Proceedings of the International Conference on Power Electronics and Intelligent Transportation System. 2009, 336–340.
119.
Wan Z, Zhang Y, Cao T, Wu M, Wang F. A novel Authenticated Packet Marking Scheme for IP Trace-back. In: Proceedings of the IEEE International Conference on Computer Science and Information Technology. 2009, 150–153.
120.
Su W-T, Chuang Y-H, Wu Z-B, Kuo Y-H. A table-driven approach for IP traceback based on network statistic analysis. In: Proceedings of the International Conference on Advanced Communication Technology. 2009, 1633–1637.
121.
Huang C, Li M, Gao C. Autonomous System-Based Marking Scheme for Internet Traceback. In: Proceedings of the WRI World Congress on Computer Science and Information Engineering. 2009, 81–85.
122.
Wu Y-C, Tseng H-R, Yang W, Jan R-H. DDoS Detection and Traceback with Decision Tree and Grey Relational Analysis. In: Proceedings of the International Conference on Multimedia and Ubiquitous Engineering. 2009, 306–314.
123.
Dabir A, Matrawy A. Design and Analysis of a Hierarchical IP Traceback System. In: Proceedings of the IEEE International Conference on Communications. 2009, 1–6.
124.
Bo F, Fan G, Mingxing D. Dynamic Probabilistic Packet Marking Based on PPM. In: Proceedings of the Pacific-Asia Conference on Web Mining and Web-based Application. 2009, 289–292.
125.
Murakami M, Kai T, Irie H, Sasaki R. Extension and Evaluation of IP Traceback Method Using Departure Stamp in Edge Router. In: Proceedings of the International Conference on Computer Science and its Applications. 2009, 1–8.
126.
Zhou Z, Qian B, Tian X, Xie D. Fast Traceback against Large-Scale DDoS Attack in High-Speed Internet. In: Proceedings of the International Conference on Computational Intelligence and Software Engineering. 2009, 1–7.
127.
Xiang Y, Zhou W, Guo M. Flexible Deterministic Packet Marking: An IP Traceback System to Find the Real Source of Attacks. IEEE Transactions on Parallel and Distributed Systems, 2009, 20(4): 567–580.
128.
Castelucio A, Gomes ATA, Ziviani A, Salles RM. Intra-domain IP traceback using OSPF. In: Proceedings of the IEEE Symposium on Network Operations and Management. 2009, 1–9.
129.
Wang X, Xiao Y. IP Traceback Based on Deterministic Packet Marking and Logging. In: Proceedings of the International Conference on Scalable Computing and Communications. 2009, 178–182.
130.
Xiao-jing W, Sheng-jun W. IP Traceback Based Probabilistic Packet Marking and Randomized Network Coding. In: Proceedings of the International Workshop on Computer Science and Engineering. 2009, 151–154.
131.
Thing VLL, Sloman M, Dulay N. Locating network domain entry and exit point/path for DDoS attack traffic. IEEE Transactions on Network and Service Management, 2009, 6(3): 163–174.
132.
Armoogum S, Mohamudally N. Mobile Agents and Packet Marking for Real-Time IP Traceback. In: Proceedings of the International Conference on Digital Society. 2009, 260–265.
133.
Akyuz T, Sogukpinar I. Packet Marking with Distance Based Probabilities for IP Traceback. In: Proceedings of the International Conference on Networks and Communications. 2009, 433–438.
134.
Tang H, Xu C, Luo X, Ouyang J. Traceback-Based Bloomfilter IPS in Defending SYN Flooding Attack. In: Proceedings of the International Conference on Wireless Communications, Networking and Mobile Computing. 2009, 1–6.
135.
Malliga S, Tamilarasi A. Collaborative Framework for Detection, Prevention, and Traceback of Flooding Attacks Using Marking and Filtering. Information Security Journal: A Global Perspective, 2009, 18(2): 74–86.
136.
Jin G, Zhang F, Li Y, Zhang H, Qian J. A Hash-Based Path Identification Scheme for DDoS Attacks Defense. In: Proceedings of the IEEE International Conference on Computer and Information Technology. 2009, 219–224.
137.
Malliga AS, Tamilarasi BDA. An autonomous level defense for DoS/DDoS attacks. International Journal of Recent Trends in Engineering, 2009, 1(1): 518-522.
138.
Kannan AR, Duraiswamy K, Sangeetha K. Three Dimensional Multidirectional Geographical IP Traceback: Direction Ratio Sampling Algorithm. Journal of Computer Science, 2009, 5(2): 136–139.
139.
Gong C, Sarac K. Toward a Practical Packet Marking Approach for IP Traceback. International Journal of Network Security, 2009, 8(3): 271–281.
140.
Lu N, Zhou H, Zhang H. A new probabilistic packet marking technology based on path identification. In: Proceedings of the IEEE International Conference on Communications Technology and Applications. 2009, 751–755.
141.
Waizumi Y, Sato T, Nemoto Y. A New Traffic Pattern Matching for DDoS Traceback Using Independent Component Analysis. World Academy of Science, Engineering & Technology, 2009, (36): 760.
142.
Lee M, He Y, Chen Z. Towards improving an algebraic marking scheme for tracing DDoS attacks. International Journal of Network Security, 2009: 204–213.
143.
Qu Z, Huang C. A Fractional-Step DDoS Attack Source Traceback Algorithm Based on Autonomous System. In: Proceedings of the International Conference on Intelligent Information Hiding and Multimedia Signal Processing. 2008, 1383–1387.
144.
Fadlallah A, Serhrouchni A, Begriche Y, Naït-Abdesselam F. A Hybrid Messaging-Based Scheme for IP Traceback. In: Proceedings of the International Conference on Information and Communication Technologies: From Theory to Applications. 2008, 1–6.
145.
Qu Z, Huang C. A Novel Deterministic Packet Marking Scheme for IP Traceback. In: Proceedings of the Workshop on Power Electronics and Intelligent Transportation System. 2008, 38–41.
146.
Qu Z, Huang C, Liu N. A Novel Two-Step Traceback Scheme for DDoS Attacks. In: Proceedings of the International Symposium on Intelligent Information Technology Application. 2008, 879–883.
147.
Su W-T, Lin T-C, Wu C-Y, Hsu J-P, Kuo Y-H. An On-line DDoS Attack Traceback and Mitigation System Based on Network Performance Monitoring. In: Proceedings of the International Conference on Advanced Communication Technology. 2008, 1467–1472.
148.
Jang H, Yun H, Lee S. Attack Flow Traceback. In: Proceedings of the International Conference on Convergence and Hybrid Information Technology. 2008, 411–415.
149.
Chonka A, Zhou W, Singh J, Xiang Y. Detecting and Tracing DDoS Attacks by Intelligent Decision Prototype. In: Proceedings of the IEEE International Conference on Pervasive Computing and Communications. 2008, 578–583.
150.
Muthuprasanna M, Manimaran G. Distributed Divide-and-Conquer Techniques for Effective DDoS Attack Defenses. In: Proceedings of the International Conference on Distributed Computing Systems. 2008, 93–102.
151.
Stefanidis K, Serpanos DN. Implementing filtering and traceback mechanism for packet-marking IP-traceback schemes against DDoS attacks. In: Proceedings of the Intelligent Systems. 2008, 28–33.
152.
Yu F, Lee D. Internet Attack Traceback - Cross-validation and Pebble Tracing. In: Proceedings of the IEEE Conference on Technologies for Homeland Security. 2008, 378–383.
153.
Wang C-H, Chiang Y-C. Multi-Layer Traceback under the Hierarchical Tracers Deployment. In: Proceedings of the International Conference on Advanced Information Networking and Applications - Workshops. 2008, 590–595.
154.
Goodrich MT. Probabilistic Packet Marking for Large-Scale IP Traceback. IEEE/ACM Transactions on Networking, 2008, 16(1): 15–24.
155.
Boudaoud K, LeBorgne F. Towards an efficient implementation of traceback mechanisms in autonomous systems. In: Proceedings of the IEEE Symposium on Network Operations and Management. 2008, 1015–1018.
156.
Paruchuri V, Durresi A, Chellappan S. TTL Based Packet Marking for IP Traceback. In: Proceedings of the IEEE Global Telecommunications Conference. 2008, 1–5.
157.
Yen W, Sung J-S. Dynamic Probabilistic Packet Marking with Partial Non-Preemption. In: Proceedings of the Ubiquitous Intelligence and Computing. 2008, 732–745.
158.
Yi Z, Pan L, Wang X, Huang C, Huang B. IP Traceback Using Digital Watermark and Honeypot. In: Proceedings of the Ubiquitous Intelligence and Computing. 2008, 426–438.
159.
Malliga S, Tamilarasi A. A Proposal for New Marking Scheme with Its Performance Evaluation for IP Traceback. WSEAS Transactions on Computer Research, 2008, 3(4): 259–272.
160.
Zheng R, Wu Q, Zhang M. An Intelligent Packet Marking Algorithm Based on Extended Huffman Coding. In: Proceedings of the International Symposium on Intelligent Information Technology Application. 2008, 60–64.
161.
Karthik S, Arunachalam VP, Ravichandran T. Multi Directional Geographical Traceback with n Directions Generalization. Journal of Computer Science, 2008
162.
Lee M-C, He Y-J, Chen Z. On Improving an Algebraic Marking Scheme for Detecting DDoS Attacks. Journal of Information Assurance and Security, 2008, 3: 279–288.
163.
LI L, Shen S. Packet track and traceback mechanism against denial of service attacks. The Journal of China Universities of Posts and Telecommunications, 2008, 15(3): 51–58.
164.
Nagaratna M, Prasad VK, Kumar ST. Detecting and Preventing IP-spoofed DDoS Attacks by Encrypted Marking Based Detection and Filtering (EMDAF). In: Proceedings of the International Conference on Advances in Recent Technologies in Communication and Computing. 2009, 753–755.
165.
Malliga S, Tamilarasi A. A Defensive Mechanism to Defend against DoS / DDoS Attacks by IP Traceback with DPM. In: Proceedings of the International Conference on Computational Intelligence and Multimedia Applications. 2007, 115–119.
166.
Tian J, Li N, Wang Z. A Proactive Defense Scheme Based on the Cooperation of Intrusion Deception and Traceback. In: Proceedings of the International Conference on Computational Intelligence and Security Workshops. 2007, 502–505.
167.
Chae C-J, Lee S-H, Lee J-S, Lee J-K. A Study of Defense DDoS Attacks Using IP Traceback. In: Proceedings of the International Conference on Intelligent Pervasive Computing. 2007, 402–408.
168.
Izaddoost A, Othman M, Rasid MFA. Accurate ICMP TraceBack Model under DoS/DDoS Attack. In: Proceedings of the International Conference on Advanced Computing and Communications. 2007, 441–446.
169.
Jin G, Yang J, Wei W, Dong Y. Across-Domain Deterministic Packet Marking for IP Traceback. In: Proceedings of the International Conference on Communications and Networking in China. 2007, 382–386.
170.
Ke S-C, Chen Y-W. An edge router-based fast internet traceback. In: Proceedings of the TENCON IEEE Region 10 Conference. 2007, 1–4.
171.
Yen W, Huang C-C. Cyclical deterministic packet marking. In: Proceedings of the IEEE International Conference on Systems, Man and Cybernetics. 2007, 2080–2085.
172.
Paruchuri V, Durresi A, Barolli L. FAST: Fast Autonomous System Traceback. In: Proceedings of the International Conference on Advanced Information Networking and Applications. 2007, 498–505.
173.
Hilgenstieler E, Duarte EP, Mansfield-Keeni G, Shiratori N. Improving the Precision and Efficiency of Log-Based IP Packet Traceback. In: Proceedings of the IEEE Global Telecommunications Conference. 2007, 1823–1827.
174.
Takurou H, Matsuura K, Imai H. IP Traceback by Packet Marking Method with Bloom Filters. In: Proceedings of the IEEE International Carnahan Conference on Security Technology. 2007, 255–263.
175.
Vijairaghavan V, Shah D, Galgali P, Shah A, Shah N, Srinivasan V, Bhatia L. Marking Technique to Isolate Boundary Router and Attacker. Computer, 2007, 40(2): 54–58.
176.
Stefanidis K, Serpanos DN. Packet Marking Scheme and Deployment Issues. In: Proceedings of the IEEE Workshop on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications. 2007, 603–608.
177.
Laufer RP, Velloso PB, de O.Cunha D, Moraes IM, Bicudo MDD, Moreira MDD, Duarte OCMB. Towards Stateless Single-Packet IP Traceback. In: Proceedings of the IEEE International Conference on Local Computer Networks. 2007, 548–555.
178.
Bhaskaran VM, Natarajan AM, Sivanandam SN. Tracebacking the Spoofed IP Packets in Multi ISP Domains with Secured Communication. In: Proceedings of the International Conference on Signal Processing, Communications and Networking. 2007, 579–584.
179.
Belenky A, Ansari N. On deterministic packet marking. Computer Networks, 2007, 51(10): 2677–2700.
180.
Peng D, Shi Z, Tao L, Ma W. Enhanced and Authenticated Deterministic Packet Marking for IP Traceback. In: Proceedings of Advanced Parallel Processing Technologies. Springer; 2007, 508–517.
181.
Muthuprasanna M, Manimaran G, Wang Z. Unified Defense against DDoS Attacks. In: Proceedings of the Networking 2007, Ad Hoc and Sensor Networks, Wireless Networks, Next Generation Internet. 2007, 1047–1059.
182.
Gao Z, Ansari N. A Practical and Robust Inter-domain Marking Scheme for IP Traceback. Computer Networks, 2007, 51(3): 732–750.
183.
Castelucio AO, Salles RM, Ziviani A. An AS-level IP Traceback System. In: Proceedings of the 2007 ACM CoNEXT Conference. 2007, 35:1–35:2.
184.
Liu J, Lee Z-J, Chung Y-C. Dynamic Probabilistic Packet Marking for Efficient IP Traceback. Computer Networks, 2007, 51(3): 866–882.
185.
Wuu L-C, Liu T-J, Yang J-Y. IP Traceback Based on Chinese Remainder Theorem. In: Proceedings of the International Conference on Communications, Internet, and Information Technology. 2007, 214–219.
186.
Thing VLL, Sloman M, Dulay N. Non-intrusive IP Traceback for DDoS Attacks. In: Proceedings of the ACM Symposium on Information, Computer and Communications Security. 2007, 371–373.
187.
Bhaskaran MV, Natarajan AM, Sivanandam SN. A New Promising IP Traceback Approach and its Comparison with Existing Approaches. Information Technology Journal, 2007, 6(2): 182–188.
188.
Ohsita Y, Ata S, Murata M. Identification of Attack Nodes from Traffic Matrix Estimation. IEICE Transactions on Communications, 2007, E90-B(10): 2854–2864.
189.
Demir O, Ji P, Kim J. Session Based Logging (SBL) for IP-Traceback on Network Forensics. In: Proceedings of the International Conference Security and Management. 2006, 233–239.
190.
Jing Y, Li J, Wang X, Xiao X, Zhang G. A Distributed-Log-based IP Traceback Scheme to Defeat DDoS Attacks. In: Proceedings of the International Conference on Advanced Information Networking and Applications. 2006, 25–32.
191.
Liu Y, Gu X, Sun Y. A non-preemptive packet marking scheme. In: Proceedings of the IEEE Conference on Industrial Electronics and Applications. 2006, 1–6.
192.
Bhaskaran VM, Natarajan AM, Sivanandam SN. Analysis of IP Traceback Systems. In: Proceedings of the International Symposium on Ad Hoc and Ubiquitous Computing. 2006, 125-130.
193.
Muthuprasanna M, Manimaran G, Alicherry M, Kumar V. Coloring the Internet: IP Traceback. In: Proceedings of the International Conference on Parallel and Distributed Systems. 2006, 589–598.
194.
Shokri R, Varshovi A, Mohammadi H, Yazdani N, Sadeghian B. DDPM: Dynamic deterministic packet marking for IP traceback. In: Proceedings of the IEEE International Conference on Networks. 2006, 1–6.
195.
Jin G, Yang J. Deterministic packet marking based on redundant decomposition for IP traceback. IEEE Communications Letters, 2006, 10(3): 204–206.
196.
Tseng Y-K, Lu Y-Y, Huang J-Y, Hsieh W-S, Chang B-R, Chen Y-C, Chen S-H. ID-Based PPM for IP Traceback. In: Proceedings of the International Conference on Innovative Computing, Information and Control. 2006, 262–265.
197.
Lin I, Lee T-H. NISp1-03: Robust and Scalable Deterministic Packet Marking Scheme for IP Traceback. In: Proceedings of the IEEE Global Telecommunications Conference. 2006, 1–6.
198.
Chen R, Park J-M, Marchany R. NISp1-05: RIM: Router Interface Marking for IP Traceback. In: Proceedings of the IEEE Global Telecommunications Conference. 2006, 1–5.
199.
Al-duwairi Basheer, Manimaran G. Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback. IEEE Transactions on Parallel and Distributed Systems, 2006, 17(5): 403–418.
200.
Durresi A, Paruchuri V. NXG01-4: Scalable Hierarchical Traceback. In: Proceedings of the IEEE Global Telecommunications Conference. 2006, 1–5.
201.
Fadlallah A, Serhrouchni A. PSAT: Proactive Signalling Architecture for IP Traceback. In: Proceedings of the International Conference on Communication Networks and Services Research. 2006, 293–299.
202.
Zhang L, Guan Y. TOPO: A Topology-aware Single Packet Attack Traceback Scheme. In: Proceedings of the International Workshop on Security. 2006, 1-10.
203.
Gong C, Saraç K. Toward a More Practical Marking Scheme for IP Traceback. In: Proceedings of the International Conference on Broadband Communications, Networks and Systems. 2006, 1-10.
204.
Tseng Y-K, Hsieh W-S, Chou W-Y, Yang K-Y, Tsia Y-T, Huang M-C. Using Probing Packets to Recover the Incomplete IP Traceback. In: Proceedings of the IEEE International Symposium on Intelligent Signal Processing and Communication Systems. 2006, 776-779.
205.
Kim B-R, Kim K. A Proposal of Extension of FMS-Based Mechanism to Find Attack Paths. In: Proceedings of the International Conference on Computational Science and its Applications. 2006, 476-485.
206.
Yin H, Li J. An Efficient Probabilistic Packet Marking Scheme (NOD-PPM). In: Proceedings of the International Conference on Information Security. 2006. 373–382.
207.
Yi S, Xinyu Y, Ning L, Yong Q. Deterministic Packet Marking with Link Signatures for IP Traceback. In: Proceedings of the SKLOIS Conference on Information Security and Cryptology. 2006, 144-152.
208.
Kim B. Efficient Technique for Fast IP Traceback. In: Proceedings of the Third International Conference on Cooperative Design, Visualization, and Engineering. 2006, 211-218.
209.
Kim B-R, Kim K-C. Improved technique of IP address fragmentation strategies for dos attack traceback. In: Proceedings of the International Symposium on Computer Science–Theory and Applications. 2006, 427–437.
210.
Yim H, Jung J. IP traceback algorithm for DoS/DDoS attack. In: Proceedings of the Management of Convergence Networks and Services. 2006, 558–561.
211.
Lee H. SVM Based Packet Marking Technique for Traceback on Malicious DDoS Traffic. In: Proceedings of the Information Networking. Advances in Data Communications and Wireless Networks. Springer; 2006, 754-763.
212.
Yan P, Lee MC. Towards an Adaptive Packet Marking Scheme for IP Traceback. In: Proceedings of e-Business and Telecommunication Networks. Springer; 2004, 150-157.
213.
Hu H, Wang Y, Wang L, Guo W, Ding M. Two Novel Packet Marking Schemes for IP Traceback. In: Proceedings of the International Conference on Autonomic and Trusted Computing. 2006, 459-466.
214.
Wong TY, Law KT, Lui JCS, Wong MH. An Efficient Distributed Algorithm to Identify and Traceback DDoS Traffic. The Computer Journal, 2006, 49(4): 418–442.
215.
Ma M. Tabu marking scheme to speedup IP traceback. Computer Networks, 2006, 50(18): 3536–3549.
216.
Sung M, Chiang J. Scalable Hash-based IP Traceback using Rate-limited Probabilistic Packet Marking. Georgia Institute of Technology. 2006.
217.
Sun Y, Kumar A, Srinivasam S. WON (Wireless Overlay Network) for Traceback of Distributed Denial of Service. In: Proceedings of the International Conference on Wireless Broadband and Ultra Wideband Communications. 2006.
218.
Xiang Y, Zhou W. A defense system against DDOS attacks by large-scale IP traceback. In: Proceedings of the International Conference on Information Technology and Applications. 2005, 431-436.
219.
Lee T-H, Huang T-Y, Lin I. A deterministic packet marking scheme for tracing multiple internet attackers. In: Proceedings of the IEEE International Conference on Communications. 2005. 850–854.
220.
Huang C, Li M, Yang J, Gao C. A real-time traceback scheme for DDoS attacks. In: Proceedings of the International Conference on Wireless Communications, Networking and Mobile Computing. 2005, 1175–1179.
221.
Yang X, Pei C, Zhu C, Li Y. AMS Based Reconstruction Algorithm with Two-dimensional Threshold for IP Traceback. In: Proceedings of the International Conference on Parallel and Distributed Computing: Applications and Technologies. 2005, 781–783.
222.
Strayer WT, Jones CE, Schwartz BI, Mikkelson J, Livadas C. Architecture for Multi-Stage Network Attack Traceback. In: Proceedings of the IEEE International Conference on Local Computer Networks. 2005, 776–785.
223.
Chen R, Park J-M. Attack diagnosis: throttling distributed denial-of-service attacks close to the attack sources Internet. In: Proceedings of the International Conference on Computer Communications and Networks. 2005, 275–280.
224.
Gao Z, Ansari N. Directed geographical traceback. In: Proceedings of the International Conference on Information Technology: Research and Education. 2005, 221–224.
225.
Jing Y-N, Tu P, Wang X-P, Zhang G-D. Distributed-log-based scheme for ip traceback. In: Proceedings of the International Conference on Computer and Information Technology. 2005, 711–715.
226.
Dong Q, Banerjee S, Adler M, Hirata K. Efficient Probabilistic Packet Marking. In: Proceedings of the International Conference on Network Protocols. 2005, 368–377.
227.
Thing VL, Lee HC, Sloman M, Zhou J. Enhanced ICMP traceback with cumulative path. In: Proceedings of the International Conference on Vehicular Technology. 2005, 2415–2419.
228.
Gao Z, Ansari N. Enhanced probabilistic packet marking for IP traceback. In: Proceedings of the International Conference on Global Telecommunications. 2005.
229.
Li Q, Feng Q, Hu L, Ju J. Fast Two Phrases PPM for IP Traceback. In: Proceedings of the International Conference on Parallel and Distributed Computing: Applications and Technologies. 2005, 386–389.
230.
Yaar A, Perrig A, Song D. FIT: fast Internet traceback. In: Proceedings of Annual Joint Conference of the IEEE Computer and Communications Societies. 2005, 1395–1406.
231.
Leu F-Y, Yang W-J, Chang W-K. IFTS: Intrusion forecast and traceback based on union defense environment Internet. In: Proceedings of the International Conference on Parallel and Distributed Systems. 2005, 716–722.
232.
Liu W, Duan H, Wu J-P, Li X. Improved Marking Model ERPPM Tracing Back to DDoS Attacker. In: Proceedings of the International Conference on Information Technology and Applications. 2005, 759–762.
233.
Gong C, Sarac K. IP traceback based on packet marking and logging. In: Proceedings of the IEEE International Conference on Communications. 2005, 1043-1047.
234.
Isozaki H, Ata S, Oka I, Fujiwara C. Performance improvement on probabilistic packet marking by using history caching. In: Proceedings of the Asia-Pacific Symposium on Information and Telecommunication Technologies. 2005, 381–386.
235.
Chen S, Song Q. Perimeter-based defense against high bandwidth DDoS attacks. IEEE Transactions on Parallel and Distributed Systems, 2005, 16(6): 526–537.
236.
Muthuprasanna M, Manimaran G. Space-time encoding scheme for DDoS attack traceback. In: Proceedings of the IEEE Global Telecommunications Conference. 2005.
237.
Ma M. Tabu Marking Scheme for IP Traceback. In: Proceedings of the IEEE International Symposium on Parallel and Distributed Processing. 2005.
238.
Law TK, Lui JC, Yau DK. You can run, but you can’t hide: an effective statistical methodology to trace back DDoS attackers. IEEE Transactions on Parallel and Distributed Systems, 2005, 16(9): 799–813.
239.
Lee G, Lim H, Hong M, Lee DH. A dynamic path identification mechanism to defend against DDoS attacks. In: Proceedings of the International Conference on Information Networking, Convergence in Broadband and Mobile Networking. 2005, 806–813.
240.
Hou J, Lee MH. A fast search and advanced marking scheme for network IP traceback model. In: Proceedings of the International Conference on Distributed Computing and Internet Technology. 2005, 15–20.
241.
Qu H, Su P, Lin D, Feng D. A packet marking scheme for IP traceback. In: Proceedings of the International Conference on Networking. 2005, 964–971.
242.
Jing Y, Li J, Zhang G. An Adaptive Edge Marking Based Hierarchical IP Traceback System. In: Proceedings of the International Conference on Networking and Mobile Computing. 2005, 1188-1197.
243.
Huang W, Cong JL, Wu C, Zhao F, Wu SF. Design, Implementation, and Evaluation of FRiTrace. In: Proceedings of the International Information Security Conference. 2005, 343-358.
244.
Rayanchu SK, Barua G. Tracing attackers with deterministic edge router marking (DERM). In: Proceedings of the International Conference on Distributed Computing and Internet Technology. 2005, 400-409.
245.
Kim DS, Hong CS, Xiang Y. An intelligent approach of packet marking at edge router for IP traceback. In: Proceedings of the International Conference on Knowledge-Based Intelligent Information and Engineering Systems. 2005, 303–309.
246.
Lee J, de Veciana G. Scalable multicast based filtering and tracing framework for defeating distributed DoS attacks. International Journal of Network Management, 2005, 15(1): 43–60.
247.
Gong C, Le T, Korkmaz T, Sarac K. Single packet IP traceback in AS-level partial deployment scenario. In: Proceedings of the IEEE Global Telecommunications Conference. 2005, 1310-1324.
248.
Laufer RP, Velloso PB, Cunha D de O, Moraes IM, Bicudo MD, Duarte O. A new IP traceback system against distributed denial-of-service attacks. In: Proceedings of the International Conference on Telecommunications. 2005.
249.
Laufer RP, Velloso PB, Duarte OCM. Defeating DoS Attacks with IP Traceback. In: Proceedings of the IFIP Open Conference on Metropolitan Area Networks. 2005, 131-148.
250.
Kim Y, Jo J-Y, Merat F, Yang M, Jiang Y. Mitigating Distributed Denial-of-Service attack with deterministic bit marking. International Journal of Information Technology, 2005, 11(2): 62–82.
251.
Durresi A, Paruchuri V, Barolli L, Kannan R, Iyengar SS. Efficient and secure autonomous system based traceback. Journal of interconnection Networks, 2004, 5(2): 151–164.
252.
Choi KH, Dai HK. A marking scheme using Huffman codes for IP traceback. In: Proceedings of the International Symposium on Parallel Architectures, Algorithms and Networks. 2004, 421–428.
253.
Al-duwairi Basheer, Manimaran G. A Novel Packet Marking Scheme for IP Traceback. In: Proceedings of the International Conference on Parallel and Distributed Systems. 2004, 195-202.
254.
Bai C, Feng G, Wang G. Algebraic geometric code based IP traceback. In: Proceedings of the IEEE International Conference on Performance, Computing, and Communications. 2004. 49–56.
255.
Paruchuri V, Durresi A, Kannan R, Iyengar SS. Authenticated Autonomous System Traceback. In: Proceedings of the International Conference on Advanced Information Networking and Applications. 2004, 406-413.
256.
Ping SY, Moonchuen L. IP traceback marking scheme based packets filtering mechanism. In: Proceedings of the International Conference on IP Operations and Management. 2004, 253-260.
257.
Jones E, Le Moigne O, Robert J-M. IP traceback solutions based on time to live covert channel. In: Proceedings of the IEEE International Conference on Networks. 2004, 451–457.
258.
Varanasi R, Phoha VV, Joshi S. IP-traceback based attacker tracking: A probabilistic technique for detecting Internet attacks using the concept of hidden markov models. In: Proceedings of the IEEE Information Assurance Workshop. 2004, 438–439.
259.
Li J, Sung M, Xu J, Li L. Large-scale IP traceback in high-speed Internet: Practical techniques and theoretical foundation. In: Proceedings of the IEEE Symposium on Security and Privacy. 2004, 115–129.
260.
Tseng YK, Chen HH, Hsieh WS. Probabilistic Packet Marking With Non-Preemptive Compensation. IEEE Communications Letters, 2004, 8(6): 359–361.
261.
Lee T-H, Wu W-K, Huang T-YW. Scalable packet digesting schemes for IP traceback. In: Proceedings of the IEEE International Conference on Communications. 2004, 1008–1013.
262.
Xiang Y, Zhou W. Trace IP packets by flexible deterministic packet marking (FDPM). In: Proceedings of the IEEE Workshop on IP Operations and Management. 2004, 246–252.
263.
Lee H-W. Advanced packet marking mechanism with pushback for IP traceback. In: Proceedings of the International Conference on Applied Cryptography and Network Security. 2004, 426–438.
264.
Sin LN, Lee M. An Efficient Domain Based Marking Scheme for IP Traceback. In: Proceedings of the IEEE International Conference on High Speed Networks and Multimedia Communications. 2004, 1080-1091.
265.
Al-duwairi Basheer, Chakrabarti A, Manimaran G. An Efficient Probabilistic Packet Marking Scheme for IP Traceback. In: Proceedings of the International IFIP-TC6 Networking Conference. 2004, 1263-1269.
266.
Kai C, Xiaoxin H, Ruibing H. DDoS Scouter: A Simple IP Traceback Scheme. In: Proceedings of the Progress on Cryptography. Springer; 2004, 217–228.
267.
Lee JM, Han IG, Lee KH. Design of Traceback System Using Selected Router. In: Proceedings of the International Conference on Information Networking, Networking Technologies for Broadband and Mobile Networks. 2004, 877-885.
268.
Liu W, Duan H-X, Wu J-P, Ren P, Lu L-H. Distributed IDS Tracing Back to Attacking Sources. In: Proceedings of the Workshop on Grid and Cooperative Computing. 2004, 859–866.
269.
Lee H, Kang M, Choi C. PTrace: Pushback/SVM Based ICMP Traceback Mechanism against DDoS Attack. In: Proceedings of the International Conference on Computational Science and its Applications. 2004, 302-309.
270.
Lee H, Yun S, Kwon T, Kim J, Park H, Nam-ho O. Reflector Attack Traceback System with Pushback Based iTrace Mechanism. In: Proceedings of the International Conference on Information and Communications Security. 2004, 236-248.
271.
Tupakula UK, Varadharajan V. Tracing DDoS floods: an automated approach. Journal of Network and Systems Management, 2004, 12(1): 111–135.
272.
Gao Z, Ansari N, Anantharam K. A new marking scheme to defend against distributed denial of service attacks. In: Proceedings of the IEEE Global Telecommunications Conference. 2004, 2256–2260.
273.
Oe M, Kadobayashi Y. An implementation and verification of a hierarchical architecture for IP traceback. Electronics and Communications in Japan, 2004, 87(11): 49–56.
274.
Hai-tao T, Liu-sheng Huang, Yun-fei L, Guo-liang C. A new scheme for IP traceback under DoS attack. In: Proceedings of the International Conference on Parallel and Distributed Computing: Applications and Technologies. 2003, 189 - 193.
275.
Belenky A, Ansari N. Accommodating fragmentation in deterministic packet marking for IP traceback. In: Proceedings of the IEEE Global Telecommunications Conference. 2003, 1374 - 1378.
276.
Chen Z, Lee M-C. An IP traceback technique against denial-of-service attacks. In: Proceedings of the International Conference on Computer Security Applications. 2003, 96–104.
277.
Ogawa T, Nakamura F, Wakahara Y. Branch label based probabilistic packet marking for IP traceback. In: Proceedings of the IEEE International Conference on Networks. 2003, 467–474.
278.
Kim Y, Jo J-Y, Merat FL. Defeating distributed denial-of-service attack with deterministic bit marking. In: Proceedings of the Global Telecommunications Conference. 2003, 1363–1367.
279.
Liu J, Lee Z-J, Chung Y-C. Efficient dynamic probabilistic packet marking for IP traceback. In: Proceedings of the IEEE International Conference on Networks. 2003, 475–480.
280.
Sung M, Xu J. IP traceback-based intelligent packet filtering: a novel technique for defending against internet DDoS attacks. IEEE Transactions on Parallel and Distributed Systems, 2003, 14(9): 861–872.
281.
Belenky A, Ansari N. Tracing multiple attackers with deterministic packet marking (DPM). In: Proceedings of the IEEE Pacific Rim Conference on Communications, Computers and signal Processing. 2003, 49–52.
282.
Min F, Zhang J, Yang G. An IP traceback scheme integrating DPM and PPM. In: Proceedings of the International Conference on Applied Cryptography and Network Security. 2003, 76–85.
283.
Song HY, Kim H. Cooperative Routers against DoS Attacks. In: Proceedings of the Australasian Conference on Information Security and Privacy. 2003, 204-213.
284.
Lee HCJ, Thing VLL, Xu Y, Ma M. ICMP Traceback with Cumulative Path, an Efficient Solution for IP Traceback. In: Proceedings of the International Conference on Information and Communications Security. 2003, 124-135.
285.
Kim KC, Hwang JS, Kim BY, Kim S-D. Tagged fragment marking scheme with distance-weighted sampling for a fast IP traceback. In: Proceedings of the Asia-Pacific Web Conference on Web Technologies and Applications. 2003, 442–452.
286.
Kwak M, Cho D. Extended Probabilistic Packet Marking Scheme for IP Traceback. In: Proceedings of the International Conference on Security and Management. 2003, 521–526.
287.
Yaar A, Perrig A, Song D. Pi: A path identification mechanism to defend against DDoS attacks. In: Proceedings of the International Symposium on Security and Privacy. 2003, 93–107.
288.
Hazeyama H, Masafumi OE, Kadobayashi Y. A layer-2 extension to hash-based IP traceback. IEICE transactions on information and systems, 2003, 86(11): 2325–2333.
289.
Tupakula U, Varadharajan V. Counteracting DDoS attacks in multiple ISP domains using routing arbiter architecture. In: Proceedings of the IEEE International Conference on Networks. 2003, 455–460.
290.
Matsuda S, Baba T, Hayakawa A, Nakamura T. Design and Implementation of Unauthorized Access Tracing System. In: Proceedings of the International Symposium on Applications and the Internet. 2002, 74–81.
291.
Snoeren AC, Partridge C, Sanchez LA, Jones CE, Tchakountio F, Schwartz B, Kent ST, Strayer WT. Single-packet IP traceback. IEEE/ACM Transactions on Networking, 2002, 10(6): 721–734.
292.
Law KT, Lui JC, Yau DK. You can run, but you can’t hide: an effective methodology to traceback DDoS attackers. In: 38
Page 38 of 41
Proceedings of the IEEE International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunications Systems. 2002, 433–440. 293.
Peng T, Leckie C, Ramamohanarao K. Adjusted probabilistic packet marking for IP traceback. In: Proceedings of Networking. Springer; 2002, 697–708.
294.
Dean D, Franklin M, Stubblefield A. An algebraic approach to IP traceback. ACM Transactions on Information and System Security, 2002, 5(2): 119–137.
295.
Goodrich MT. Efficient packet marking for large-scale IP traceback. In: Proceedings of the ACM Conference on Computer and Communications Security. 2002, 117–126.
296.
Wei D, Ansari N. Implementing IP traceback in the Internet—an ISP perspective. In: Proceedings of the IEEE Workshop on Information Assurance. 2002, 326–332.
297.
Nishio N, Harashima N, Tokuda H. Reflective Probabilistic Packet Marking Scheme for IP Traceback. IEIC Technical Report (Institute of Electronics, Information and Communication Engineers), 2002, 102(153): 65–72.
298.
Song DX, Perrig A. Advanced and authenticated marking schemes for IP traceback. In: Proceedings of the Annual Joint Conference of the IEEE Computer and Communications Societies. 2001, 878–886.
299.
Mankin A, Massey D, Wu C, Wu S , Zhang L. On Design and Evaluation of “Intention-Driven” ICMP Traceback. In: Proceedings of the International Conference on Computer Communications and Networks. 2001, 159–165.
300.
Kim G, Bogovic T, Chee D. Active edge-tagging (ACT): An intruder identification and isolation scheme in active networks. In: Proceedings of the IEEE Symposium on Computers and Communications. 2001, 29–34. Doeppner TW, Klein PN, Koyfman A. Using router stamping to identify the source of IP packets. In: Proceedings of the ACM Conference on Computer and Communications Security. 2000, 184–189.
Fig. 1 A DDoS attack architecture depicting control and attack flows
Fig. 2 Different attack and security phases
Fig. 3 A scenario representing a typical DoS attack
Fig. 4 IP header fields used for marking process
Fig. 5 Functioning of different traceback approaches
Fig. 6 Overview of review protocol
Fig. 7 Systematic review process
Fig. 8 Article count at the end of each stage of systematic review process
Fig. 9 Article distribution per year
Fig. 10 Article distribution among various traceback approaches
Fig. 11 Bar chart: mapping traceback approaches to metrics of a traceback scheme

Table 1 Classification of IP traceback schemes

| Functional class / Traceback approach | Link testing | Messaging | Marking | Logging | Overlay | Pattern analysis | Hybrid |
|---|---|---|---|---|---|---|---|
| Proactive | . | √ | √ | √ | . | . | √ |
| Reactive | √ | √ | √ | √ | √ | √ | √ |
| In-band | . | . | √ | √ | . | . | √ |
| Out-of-band | . | √ | . | . | . | . | √ |
| Network based | . | . | √ | √ | √ | . | √ |
| Host based | √ | . | √ | √ | . | . | √ |
| Traffic monitoring | √ | . | . | . | . | √ | √ |
| Packet monitoring | . | √ | √ | √ | √ | . | √ |
| IDS assisted | √ | . | . | √ | √ | . | √ |
| Non-IDS assisted | √ | . | . | . | . | . | √ |
Table 2 Comparison of IP traceback approaches

| Evaluation metric / Approach | Link testing | Messaging | Marking | Logging | Overlay | Pattern analysis |
|---|---|---|---|---|---|---|
| Packets required for traceback | large | medium | medium | very less or 1 | very less or 1 | less |
| ISP cooperation/router involvement | high | low | low | high | very high | high |
| Memory requirement: Victim | no | high | low | no | no | no |
| Memory requirement: Network | no | low | no | high | low | low |
| Deployment | good | good | good | good | poor | fair |
| Scalability | poor | good | good | poor | poor | good |
| Duration of attack for traceback | long | short | short | medium | short | short |
| Handling packet transformations support | good | yes | fair | yes | yes | yes |
| Security | possible | possible | possible | difficult | possible | difficult |
| DDoS handling capability | no | good | good | good | fair | good |
| False positives | high | low | low | very low | low | low |
| Processing overhead: Victim | high | high | fair | none | none | none |
| Processing overhead: Network | none | high | fair | high | high | high |
| ISP privacy | no | yes | rarely | yes | yes | yes |
| Post-attack analysis | no | yes | yes | yes | yes | yes |
| Basic functionality | recursive upstream traffic analysis until source | supplementary messages generated carrying path information | path information stamped on packet itself | routers store logs of packets flowing through | specialized infrastructure setup behind network | routers continuously monitor traffic patterns |
Table 2 summarizes the performance of the various IP traceback approaches against the evaluation metrics defined above. In addition to the IP traceback approaches, we have also selected some important metrics, such as ISP privacy, packets needed for traceback, and security, for classifying the various traceback schemes available in the literature. ISP privacy can be assessed based on whether the private information associated with ISPs is known to the victim or not. We grouped the IP traceback schemes into sets containing schemes that depend on a single packet or on multiple packets, respectively, for attack path construction. The security metric examines whether a marking-based scheme deals with the forged markings generated by subverted routers or not. Besides this, we have also classified traceback schemes according to the version of the associated Internet Protocol, i.e., IPv4 or IPv6.
Table 3 Distribution according to publication type

| Publication type | No. of studies | Percentage |
|---|---|---|
| Conference | 171 | 62.2% |
| Journal | 43 | 15.6% |
| Magazine | 5 | 1.81% |
| Symposium | 26 | 9.45% |
| Transaction | 15 | 5.45% |
| Workshop | 15 | 5.45% |
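Table 4 Distribution according to publication venue

| Publication type | Title | No. of articles in final set |
|---|---|---|
| Journal/Magazine/Transaction | ACM SIGCOMM Computer Communication Review | 1 |
| Journal/Magazine/Transaction | ACM Transactions on Information and System Security | 1 |
| Journal/Magazine/Transaction | Computer Networks | 4 |
| Journal/Magazine/Transaction | Computers and Security | 1 |
| Journal/Magazine/Transaction | IEEE Transactions on Parallel and Distributed Systems | 7 |
| Journal/Magazine/Transaction | IEEE Communication Letters | 4 |
| Journal/Magazine/Transaction | IEEE/ACM transactions on networking | 2 |
| Journal/Magazine/Transaction | International Journal of Network Security | 2 |
| Journal/Magazine/Transaction | Journal of Computer Science | 3 |
| Journal/Magazine/Transaction | Journal of Network and Systems Management | 1 |
| Journal/Magazine/Transaction | Others | 37 |
| Workshop/Symposium/Conference | ACM Conference on Computer and Communications Security | 2 |
| Workshop/Symposium/Conference | Annual Joint Conference of the IEEE Computer and Communications Societies | 2 |
| Workshop/Symposium/Conference | IEEE Conference on Local Computer Networks | 4 |
| Workshop/Symposium/Conference | IEEE Global Telecommunications Conference/Workshop | 13 |
| Workshop/Symposium/Conference | International Conference on Advanced Information Networking and Applications | 5 |
| Workshop/Symposium/Conference | IEEE International Conference on Communications | 5 |
| Workshop/Symposium/Conference | International Conference on Advanced Communication Technology | 3 |
| Workshop/Symposium/Conference | International Conference on Computer Communications and Networks | 3 |
| Workshop/Symposium/Conference | International Conference on Information and Communication Technology | 2 |
| Workshop/Symposium/Conference | International Symposium on Network Coding | 2 |
| Workshop/Symposium/Conference | Others | 171 |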