Analysis of spoofed IP traffic using time-to-live and identification fields in IP headers

Masayuki Ohta, Yoshiki Kanda, Kensuke Fukuda, Toshiharu Sugawara

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    5 Citations (Scopus)

    Abstract

    Internet services are often exposed to many kinds of threats such as distributed denial of service (DDoS) attacks, viruses, and worms. Since these threats have an adverse effect on social and economic activity on the Internet, technologies for protecting Internet services from them are strongly required. Many researchers have analyzed network traffic to detect anomalous traffic using a variety of packet features (e.g., TCP/IP header fields). In this paper, we focus on the Time To Live (TTL) and Identification (IPID) fields of the IP header to understand anomalous traffic behavior, since source IP addresses are often spoofed. We propose a method to distinguish plausibly spoofed source IP addresses from others based on a sequence of TTL and IPID field values. We show that our method can extract a number of plausibly spoofed packets from real darknet traces, in which none of the packets were normal.
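    The abstract only states that spoofing is judged from the sequence of TTL and IPID values; the following added example (not the authors' method or code) shows one simplified consistency heuristic in that spirit, run over a constructed set of darknet packets. It assumes a genuine sending host keeps a constant TTL at the sensor and emits IPIDs that increase by small steps (wrapping at 65536), and treats `MAX_IPID_GAP` as an assumed tolerance.

```python
from collections import defaultdict

# Constructed sample packets (src_ip, ttl, ipid) in arrival order; not real trace data.
PACKETS = [
    ("198.51.100.7", 54, 1001), ("198.51.100.7", 54, 1002),
    ("198.51.100.7", 54, 1004), ("198.51.100.7", 54, 1005),
    ("203.0.113.9", 61, 3120), ("203.0.113.9", 118, 41),
    ("203.0.113.9", 44, 60011), ("203.0.113.9", 250, 7),
    ("192.0.2.33", 64, 65530), ("192.0.2.33", 64, 65533), ("192.0.2.33", 64, 2),
]

MAX_IPID_GAP = 64  # assumed tolerance for packets the sensor did not see


def ipid_delta(prev, cur):
    """Forward distance between two 16-bit IPIDs, handling wrap-around at 65536."""
    return (cur - prev) % 65536


def classify_source(samples):
    """samples: list of (ttl, ipid) for one source address, in arrival order.

    Returns 'plausible-host' when TTL is constant and IPIDs advance by small,
    non-zero steps; 'plausible-spoof' otherwise; 'insufficient' for one packet.
    """
    if len(samples) < 2:
        return "insufficient"
    if len({ttl for ttl, _ in samples}) > 1:
        # A real host on a stable path arrives with one TTL; mixed TTLs point to crafted headers.
        return "plausible-spoof"
    for (_, a), (_, b) in zip(samples, samples[1:]):
        d = ipid_delta(a, b)
        if d == 0 or d > MAX_IPID_GAP:
            # Repeated or jumping IPIDs do not look like one OS counter.
            return "plausible-spoof"
    return "plausible-host"


def classify_trace(packets):
    """Group packets by source address and classify each address."""
    by_src = defaultdict(list)
    for src, ttl, ipid in packets:
        by_src[src].append((ttl, ipid))
    return {src: classify_source(s) for src, s in by_src.items()}


if __name__ == "__main__":
    for src, verdict in classify_trace(PACKETS).items():
        print(src, verdict)
```

    The heuristic is deliberately strict: hosts behind multipath routing can show a TTL that varies by one, and operating systems that randomize or zero the IPID will be misclassified, so a production detector would need per-stack tolerances.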

    Original language: English
    Title of host publication: Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011
    Pages: 355-361
    Number of pages: 7
    DOI: 10.1109/WAINA.2011.111
    Publication status: Published - 2011
    Event: 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011 - Biopolis
    Duration: 2011 Mar 22 to 2011 Mar 25

    Other

    Other: 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011
    City: Biopolis
    Period: 11/3/22 to 11/3/25

    Keywords

    • darknet
    • network security
    • source spoofing

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Computer Science Applications

    Cite this

    Ohta, M., Kanda, Y., Fukuda, K., & Sugawara, T. (2011). Analysis of spoofed IP traffic using time-to-live and identification fields in IP headers. In Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011 (pp. 355-361). [5763526] https://doi.org/10.1109/WAINA.2011.111

    @inproceedings{5c0547d29a324896999e637ef3ee6404,
    title = "Analysis of spoofed IP traffic using time-to-live and identification fields in IP headers",
    abstract = "Internet services are often exposed to many kinds of threats such as the distributed denial of service (DDoS), viruses, and worms. Since these threats cause an adverse effect on the social and economical activities on the Internet, the technologies for protecting Internet services from the threats are strongly required. Many researchers have analyzed network traffic to detect anomalous one using many packet features (e.g., TCP/IP headers). In this paper, we focus on the Time To Live (TTL) and Identification fields (IPID) of the IP header to understand the anomalous traffic behavior, since source IP addresses are often spoofed. We propose a method to distinguish a plausible spoofed IP address from others based on a sequence of TTL and IPID fields. We show that our method can extract a number of plausible spoofing packets from real dark net traces in which all of the packets were not normal.",
    keywords = "darknet, network security, source spoofing",
    author = "Masayuki Ohta and Yoshiki Kanda and Kensuke Fukuda and Toshiharu Sugawara",
    year = "2011",
    doi = "10.1109/WAINA.2011.111",
    language = "English",
    isbn = "9780769543383",
    pages = "355--361",
    booktitle = "Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011",

    }
