Authors: Jianping Pan, Lin Cai, Xuemin Sherman Shen
Addresses: Department of Computer Science, University of Victoria, Victoria, BC, Canada; Department of Electrical and Computer Engineering, University of Victoria, Victoria, BC, Canada; Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Ontario, Canada
Abstract: In order to counter Denial-of-Service (DoS) attacks using spoofed source addresses, many IP traceback schemes have been proposed in the last few years. Among them, distance-indexed probabilistic packet marking schemes appear to be very attractive. In this paper, we first discover two intrinsic vulnerabilities in these schemes. Substantiated by efficacy analysis and numerical results, several exploits are designed to take advantage of these vulnerabilities in an efficient manner when compared with the traceback effort attempted by victims. Consequently, we show that the design goal of these schemes can be compromised in practice. Further, we discuss these vulnerabilities in a general context relevant to network protocols and examine a few possible alternatives.
Keywords: IP traceback; probabilistic packet marking; denial-of-service; DoS attacks; TCP/IP vulnerabilities; internet; security; network protocols; networks.
International Journal of Security and Networks, 2007 Vol.2 No.1/2, pp.81 - 94
Published online: 16 Mar 2007