It has long been known that attackers may use forged source IP addresses to conceal their real locations. To capture the spoofers, various IP traceback mechanisms have been proposed. However, because of the challenges of deployment, no IP traceback solution has been widely adopted, at least at the Internet level. As a result, the mist over the locations of spoofers has never been dispelled until now. This project proposes a passive IP traceback (PIT) that bypasses the deployment challenges of IP traceback techniques. PIT exploits Internet Control Message Protocol (ICMP) error messages (named path backscatter) triggered by spoofing traffic and tracks the spoofers based on publicly available information (e.g., topology).
In this way, PIT can discover the spoofers without any deployment requirement. This project describes the causes, collection, and statistical results of path backscatter, demonstrates the processes and effectiveness of PIT, and shows the captured locations of spoofers by applying PIT to the path backscatter dataset. These results can help further reveal IP spoofing, which has been studied for long but never well understood. Though PIT cannot work in all spoofing attacks, it may be the most useful mechanism to trace spoofers before an Internet-level traceback system has been deployed in reality.
Existing IP traceback approaches can be classified into five primary classes: packet marking, ICMP traceback, logging on the router, link testing, overlay, and hybrid tracing.
Packet marking techniques require routers to modify the header of the packet so that it carries information about the router and its forwarding decision.
Different from packet marking techniques, ICMP traceback generates additional ICMP messages that are sent to a collector or to the destination.
The attacking path can be reconstructed from the log on the router when the router keeps a record of the packets it forwards.
Link testing is an approach that determines the upstream of attacking traffic hop-by-hop while the attack is in progress.
CenterTrack proposes offloading the suspect traffic from edge routers to special tracking routers through an overlay network.
We propose a novel solution, named Passive IP Traceback (PIT), to bypass the challenges in deployment. Routers may fail to forward an IP spoofing packet due to various reasons, e.g., TTL exceeding. In such cases, the routers may generate an ICMP error message (named path backscatter) and send the message to the spoofed source address. Because the routers can be close to the spoofers, the path backscatter messages may potentially disclose the locations of the spoofers.
PIT exploits these path backscatter messages to find the locations of the spoofers. With the locations of the spoofers known, the victim can seek help from the corresponding ISP to filter out the attacking packets or take other countermeasures.
PIT is especially useful for the victims of reflection-based spoofing attacks, e.g., DNS amplification attacks, because the victims can find the locations of the spoofers directly from the attacking traffic.
Collection of path backscatter messages
Passive IP Traceback mechanism