Precise ICMP Traceback Based On Normal Flow Filtration in Denial of Services Attack

Bibliographic Details
Main Author: Izaddoost, Alireza
Format: Thesis
Language: English
Published: 2008
Subjects:
Online Access: http://psasir.upm.edu.my/id/eprint/5246/1/FSKTM_2008_14.pdf
collection UPM
description In the past two decades, the Internet has developed rapidly and has become integrated into many aspects of human life. Any disruption of connectivity or overuse of services makes a service unavailable to its intended users. Denial of Service (DoS) attacks are becoming a more serious threat to Internet security. A DoS attack is a harmful attempt to limit or deny the availability of a service to legitimate users. This kind of attack can be carried out by consuming important resources. The best action is to block the attack traffic at its source. There is no easy way to do this, because an attacker can easily spoof the source IP address. Traceback models try to locate the source of an attack regardless of whether the source address field in each packet contains false information. The Intention-driven model, a sampling traceback technique, provides information about the attack flow and is able to reconstruct the attack path to the source of the attack with the aid of an Intrusion Detection System (IDS). This technique does not have any flow differentiation mechanism. In other words, it is unable to differentiate a legitimate user from an attacker when both send packets to the victim via the same route. As a result, it provides incorrect information and locates a false point as the source of the attack. To overcome this weakness, this research aims to increase the generation of more useful ICMP traceback packets, which include attack path information. More useful information about the attack flow, provided to the IDS by the routers along the attack path, can give higher accuracy in locating the attacker. To achieve this goal, this research improves the Intention-driven ICMP traceback model by filtering normal flow within a specific short time, and two new algorithms, for UDP-based and TCP-based attacks, are applied.
As a consequence of filtering normal flow, the percentage of packets belonging to the attack flow is expanded and the chance of generating ICMP traceback messages that contain attack flow information is increased. The results show that the proposed model increases the percentage of useful ICMP traceback messages by about 10% in the UDP-based attack and 14% in the TCP-based attack when compared to the previous work. The proposed model also decreases the percentage of ineffective generated iTrace packets by about 10% in both the UDP-based and TCP-based attacks.
first_indexed 2024-03-06T07:06:21Z
id upm.eprints-5246
institution Universiti Putra Malaysia
last_indexed 2024-03-06T07:06:21Z
record_format dspace
spelling upm.eprints-5246 2013-05-27T07:21:26Z http://psasir.upm.edu.my/id/eprint/5246/ Thesis NonPeerReviewed application/pdf en Izaddoost, Alireza (2008) Precise ICMP Traceback Based On Normal Flow Filtration in Denial of Services Attack. Masters thesis, Universiti Putra Malaysia.
topic DOS ES (Electronic computer system) - Programming