
Attack attribution for distributed denial-of-service and worm attacks.


Abstract

Attack attribution has been a very challenging problem for years. Perpetrators have become skillful in masquerading their identity and launching various attacks on the Internet, some of which could be damaging and disruptive, such as Distributed denial-of-service (DDoS) attacks and Worm attacks. With the steady increase in the number of software vulnerabilities and the availability of sophisticated attack tools, it has become easy for "hackers" to gain/control access to many end-hosts all around the world, from which they wage all sorts of attacks without getting caught. Moreover, the Internet routing infrastructure is stateless and based largely on destination addresses; there exists no official entity that polices the Internet to ensure that the source IP address is correct. The potentiality of spoofing IP addresses has made communication running over stateless protocols (e.g., User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP)) and many types of DDoS attacks untraceable.

The purpose of this thesis is to explore the problem of attack attribution and to propose some plausible solutions that would render the Internet infrastructure more secure. We propose attack attribution solutions for both Distributed Denial-of-Service (DDoS) attacks and Worm attacks. In the case of DDoS attacks, we propose a new deterministic packet marking scheme to trace back in real time to the thousands of sources of DDoS attacks, assuming that the attacking end-hosts use IP address spoofing. For Worm attacks, we propose to reconstruct the infection tree for TCP and UDP scanning worms from data gathered at network telescopes. Such information would also help in replaying the global spread of a worm and gathering many forensics about the infected machines and the network they are attached to.

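Bibliographic record

  • Author: Hamadeh, Ihab.
  • Author affiliation: The Pennsylvania State University.
  • Degree-granting institution: The Pennsylvania State University.
  • Discipline: Computer Science.
  • Degree: Ph.D.
  • Year: 2006
  • Pages: 182 p.
  • Total pages: 182
  • Original format: PDF
  • Language of text: eng
  • Chinese Library Classification: Automation technology, computer technology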