To identify sources of distributed denial-of-service attacks, path traceback mechanisms have been proposed. Traceback mechanisms relying on probabilistic packet marking (PPM) have received most attention, as they are easy to implement and deploy incrementally. In this paper, we introduce a new concept, namely groups of strongly similar birthdays (GOSSIB , 1), that can be used by to obtain effects similar to a successful birthday attack on PPM schemes. The original and most widely known IP traceback mechanism, compressed edge fragment sampling (CEFS), was developed by Savage et al. (2). We analyze the effects of an attacker using GOSSIB against CEFS and show that the attacker can seed misinformation much more effiently than the network is able to contribute real traceback information. Thus, GOSSIB will render PPM effctively useless. It can be assumed that GOSSIB has similar effcts on other PPM traceback schemes and that standard modifiations to the systems will not solve the problem.
(1) "Gossib" is also an early version of today's "gossip," which relates to the sharing of information among groups, where the information is typically changed only slightly.
(2) S. Savage et al., "Practical network support for IP traceback," Proc. ACM SIGCOMM 2000, pp. 295-306.
By: M. Waldvogel
Published in: Proceedings 18th Annual Computer Security Applications ConferenceLos Alamitos, CA, , IEEE Computer Society. , p.5-13 in 2002
Please obtain a copy of this paper from your local library. IBM cannot distribute this paper externally.
Questions about this service can be mailed to reports@us.ibm.com .