Extensions to the source path isolation engine for precise and efficient log-based IP traceback

Egon Hilgenstieler, Elias P. Duarte, Glenn Mansfield-Keeni, Norio Shiratori

    Research output: Contribution to journalArticle

    20 Citations (Scopus)

    Abstract

    IP traceback is used to determine the source and path traversed by a packet received from the Internet. In this work we first show that the Source Path Isolation Engine (SPIE), a classical log-based IP traceback system, can return misleading attack graphs in some particular situations, which may even make it impossible to determine the real attacker. We show that by unmasking the TTL field SPIE returns a correct attack graph that precisely identifies the route traversed by a given packet allowing the correct identification of the attacker. Nevertheless, an unmasked TTL poses new challenges in order to preserve the confidentiality of the communication among the system's components. We solve this problem presenting two distributed algorithms for searching across the network overlay formed by the packet log bases. Two other extensions to SPIE are proposed that improve the efficiency of source discovery: separate logs are kept for each router interface improving the distributed search procedure; an efficient dynamic log paging strategy is employed, which is based on the actual capacity factor instead of the fixed time interval originally employed by SPIE. The system was implemented and experimental results are presented.

    Original languageEnglish
    Pages (from-to)383-392
    Number of pages10
    JournalComputers and Security
    Volume29
    Issue number4
    DOIs
    Publication statusPublished - 2010 Jun

    Keywords

    • Attack Response
    • Denial of service
    • Packet tracing
    • Traceback
    • Traffic logging

    ASJC Scopus subject areas

    • Computer Science(all)
    • Law

    Fingerprint Dive into the research topics of 'Extensions to the source path isolation engine for precise and efficient log-based IP traceback'. Together they form a unique fingerprint.

  • Cite this