Tracing Network Attacks to Their Sources

As the Internet becomes increasingly important as a business infrastructure, the number of attacks on it, especially denial-of-service attacks such as TCP SYN flooding,1 Teardrop,2 and Land,2 grows. Because of the weak security in TCP/IP, we must take responsibility for protecting our own sites against network attacks. Although access-control technologies, such as firewalls, are commonly used to prevent network attacks, they cannot prevent some specific attacks, including TCP SYN flooding. Consequently, more companies are deploying intrusion detection systems (IDS). (See the sidebar, “Technologies for Preventing Network Attacks,” page 23, for a discussion of current access-control and detection systems.) IDSs detect network attacks; however, they do not let us identify the attack source. This is especially problematic with denial-of-service attacks, for example, because the attacker doesn’t need to receive packets from the target host and thus can remain hidden. Several efforts are in progress to develop source-identification technologies to trace packets even when an attacker forges its IP address. In this article, we describe some proposed IP traceback architectures, including our own, which we have implemented in a prototype. In our system, routers log data about traversing packets as well as information about other nodes in the packet’s path.3 We use a distributed management approach to enable tracing across networks with different access policies.