IP Tracing and Active Network Response
Tarek S. Sobh, Awad H. Khalil

TL;DR
This paper introduces an integrated active security response model with mechanisms for tracing anonymous attacks and reconfiguring networks to counteract DoS and DDoS attacks.
Contribution
It presents a novel active response mechanism combining Sleepy Watermark Tracing and Probabilistic Packet Marking for effective attack source identification.
Findings
Effective attack source tracing demonstrated.
Network vulnerabilities can be detected and reconfigured.
Rapid active response against attackers achieved.
Abstract
Active security is mainly concerned with performing one or more security functions when a host in a communication network is subject to an attack. Such security functions include appropriate actions against attackers. To properly afford active security actions, a set of software subsystems should be integrated together so that they can automatically detect and appropriately address any vulnerability in the underlying network. This work presents an integrated model for active security response. The proposed model introduces an Active Response Mechanism (ARM) for tracing anonymous attacks in the network back to their source. This work is motivated by the increased frequency and sophistication of denial-of-service attacks and by the difficulty in tracing packets with incorrect, or "spoofed", source addresses. This paper presents within the proposed model two tracing approaches based on:…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Advanced Malware Detection Techniques
