Three Dimensional Multidirectional Geographical IP Traceback: Direction Ratio Sampling Algorithm

Problem statement: An important and challenging problem is that of tracing the source of DOS/DDOS attacks. IP traceback is the process of identifying the actual source(s) of attack packets, so that the attackers can be held accountable and the attacks mitigated, either by isolating the attack sources or by filtering packets far away from the victim. Several IP traceback schemes have been proposed to solve this problem. Among them, a recent development is Directed Geographical Traceback (DGT). Although multidirectional two-dimensional DGT schemes are available, in the real scenario a three-dimensional, multidirectional DGT has potential applications. Approach: The Direction Ratio Algorithm (DRA) has the limitation that sufficient unused space in the packet header for the complete Direction Ratio List (DRL) cannot be ensured, especially when the length of the path is not known a priori. To overcome this, DRSA was proposed. The methods used in DRSA are random sampling methods: once a sufficient number of samples has been drawn, one can reconstruct the path of the attack packets and trace the attack source. Results: In this study that limitation has been overcome using the Direction Ratio Sampling Algorithm (DRSA), which works well for three-dimensional, multidirectional, geographical IP traceback. With this approach attack path reconstruction is straightforward; a victim can typically reconstruct the path after receiving 75 packets from the attacker. The same algorithm can efficiently discern multiple attacks: when attackers from different sources produce disjoint edges in the reconstruction tree, the number of packets needed to reconstruct each path is independent of the other paths. Conclusion: DRSA was found to be a robust scheme of attack path reconstruction in geographical traceback.


INTRODUCTION
DOS attacks [3,4] represent a growing threat to the internet infrastructure, by denying regular internet services to legitimate users. IP traceback is the process of identifying the actual source(s) of attack packets, so that the attackers can be held accountable and the attacks mitigated, either by isolating the attack sources or by filtering packets far away from the victim. Several IP traceback schemes have been proposed to solve this problem.
The DGT (Directed Geographical Traceback) scheme exploits the potential of the geographical topology of the internet for traceback. Gao [1] gave a limited two-dimensional, 8-directional DGT scheme. This was generalised by [2,5] to 2n (n≥4) directions, though only in two dimensions.
Considering the spherical/ellipsoidal topology of the earth, it is clear that an internet path is three-dimensional in nature. In this study, three-dimensional, multidirectional, geographical traceback through DRSA (Direction Ratio Sampling Algorithm) is proposed.

Normalized coordinates:
Taking the geographical topology of the earth (on which all the routers lie) either as the sphere: or as the ellipsoid £: then the transformation: makes (1), (2) into the unit sphere: For all the points on (5), note that, except for the points (±1,0,0), (0,±1,0) and (0,0,±1), we have: $|x|, |y|, |z| < 1$ (6) for points satisfying (5). Thus routers R_i are at points (x_i, y_i, z_i) where: $x_i^2 + y_i^2 + z_i^2 = 1$ (7) for all i. We assume that the routers are numbered serially and that the length of any internet path seldom exceeds 32 hops, and hence a 10-bit field in the packet header can accommodate the last 3 digits of the router serial number throughout its journey. All other assumptions regarding attack packets are the same as in [1,2,5,6].

Direction ratios:
In three-dimensional space, the direction indicators of a line are the direction cosines (d.c.) $(\cos\alpha, \cos\beta, \cos\gamma)$, where α, β, γ are the angles which the line makes with the rectangular coordinate axes ox, oy, oz respectively. It can be shown that: $\cos^2\alpha + \cos^2\beta + \cos^2\gamma = 1$ (8) for any set of direction cosines (d.c.). Since cos θ is in general a cumbersome fraction or an irrational number, we use the direction ratios (DR) of a line, which are proportional to the direction cosines (d.c.). For any router R_0, we can get a neighborhood direction set of DRs (a_i, b_i, c_i) of neighbor routers R_i by taking: satisfying (10) (where N is the set of natural numbers).
We can show that DR(n), for n ∈ N (the number of neighborhood directions from router R_0), satisfies: In fact DR(1) = 13 and DR(2) = 49, and they are shown in Table 1 and Table 2.

One-to-one correspondence between DR at a router R_0 and its neighbor routers:
Theorem: Given a router R_0 at (x_0, y_0, z_0) and a set of direction ratios DR(n) for some n ∈ N, then for each ratio d_i = (a_i, b_i, c_i) ∈ DR(n) there is a unique neighbor router R_i at (x_i, y_i, z_i) on the unit sphere, given by: $x_i = x_0 + r a_i,\; y_i = y_0 + r b_i,\; z_i = z_0 + r c_i$ (15) where: for i = 1, 2, ...
Proof: Any point (x, y, z) on the line through router R_0 (x_0, y_0, z_0) in the direction d_i with direction ratios (a_i, b_i, c_i) is: and it lies on: $x^2 + y^2 + z^2 = 1$ (18) at the router point R_i (x_i, y_i, z_i) if (18) is satisfied.
Hence there is a one-to-one correspondence between the elements of DR(n) at R_0 and its neighbor routers.
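As an added illustration (not code from the paper), the following Python builds DR(n) and the neighbor map of the theorem. Equations (9) and (10) are absent from the extracted text, so the definition of DR(n) used here is an assumption: primitive integer triples with entries in [-n, n], counted once per line because (a, b, c) and (-a, -b, -c) select the same line through R_0; it reproduces the stated sizes 13 and 49. The unknown r in (15) is obtained by substituting (15) into (18), and the router position r0 is a constructed value.

```python
from itertools import product
from math import gcd, isclose, sqrt


def direction_ratios(n):
    """Assumed DR(n): primitive integer triples (a, b, c), |a|,|b|,|c| <= n,
    not all zero, with (a,b,c) and (-a,-b,-c) identified (same line).
    Gives |DR(1)| = 13 and |DR(2)| = 49 as stated in the paper."""
    out = set()
    for a, b, c in product(range(-n, n + 1), repeat=3):
        if (a, b, c) == (0, 0, 0) or gcd(gcd(abs(a), abs(b)), abs(c)) != 1:
            continue
        first = next(v for v in (a, b, c) if v != 0)  # canonical sign
        if first < 0:
            a, b, c = -a, -b, -c
        out.add((a, b, c))
    return sorted(out)


def neighbor(r0, d):
    """Second intersection of the line R0 + r*d with the unit sphere, i.e.
    (15) with r solved from x^2 + y^2 + z^2 = 1:
        1 + 2r(d.R0) + r^2|d|^2 = 1  =>  r = -2(d.R0)/|d|^2.
    Caveat: if d.R0 == 0 the line is tangent at R0 and meets the sphere
    nowhere else, so no neighbor exists in that direction (returns None)."""
    x0, y0, z0 = r0
    a, b, c = d
    dot = a * x0 + b * y0 + c * z0
    if isclose(dot, 0.0, abs_tol=1e-12):
        return None
    r = -2.0 * dot / (a * a + b * b + c * c)
    return (x0 + r * a, y0 + r * b, z0 + r * c)


def neighborhood(r0, n=2):
    """Map each d in DR(n) to the unique neighbor router it selects from r0."""
    table = {}
    for d in direction_ratios(n):
        p = neighbor(r0, d)
        if p is not None:
            table[d] = p
    return table


def on_unit_sphere(p):
    return isclose(sum(v * v for v in p), 1.0, abs_tol=1e-9)


if __name__ == "__main__":
    r0 = (1 / sqrt(3), 1 / sqrt(3), 1 / sqrt(3))  # constructed router position
    print(len(direction_ratios(1)), len(direction_ratios(2)))  # 13 49
    print(len(neighborhood(r0)), "distinct neighbors reachable from r0 via DR(2)")
```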

MATERIALS AND METHODS
This is a theoretical paper on the IP traceback problem using geographical information in three dimensions in a multidirectional environment. The materials are a host of routers R_i at points (x_i, y_i, z_i), for i = 1 to n, on the earth $x^2 + y^2 + z^2 = 1$. The internet attack packets in flight are also materials, whose flight path is to be reconstructed for mitigating DOS/DDOS attacks.
The methods used in DRSA are random sampling methods, where, after a sufficient number of samples has been drawn, one can reconstruct the path of the attack packets and trace the attack source.

Direction Ratio Algorithm (DRA):
In this traceback algorithm, for every packet w arriving from the attacker at router R, we append the DR d_j = (a_j, b_j, c_j) of the next destination to the packet header of w. This is possible due to the unique (1-1) correspondence between d_j (taken from any router R) and its neighbor R_j.
The limitation of this DRA (direction ratio appending algorithm) is the impossibility of ensuring sufficient space in the packet header for appending the DR of every edge of the attack path.
This problem is addressed using DRSA (direction ratio sampling algorithm).

DRSA traceback procedure:
We require an address field R, a direction ratio field DR and a distance field S in the packet header to implement this algorithm.
Assuming that the IP header has (16+8+1) = 25 bits available for DRSA, we can allot 10 bits each for the address field and the DR field, and 5 bits for the distance field. This is acceptable since routers are numbered serially; the 10-bit field can accommodate the last 3 digits of the serial number and is sufficient for R mod 1000. Since a 9-bit field is enough for the 49-direction set DR(2), 10 bits are sufficient for the DR field. Since any IP path never exceeds 32 hops, a 5-bit distance field is taken, as in Fig. 2.
Here R_i is the router at (x_i, y_i, z_i) with a given serial number, and D_j = (a_j, b_j, c_j) is an element of DR(2) indicating the direction ratio of the next router R_j (from R_i). Note that R_i(D_j) = R_j (the router reached from R_i in the direction D_j is the unique R_j, since D_j is in (1-1) correspondence with R_j from a given R_i).

Direction Ratio Sampling Algorithm (DRSA):
The marking procedure at a router R_i for every packet w from the attacker is as follows: let x be a random number in (0, 1) and p a chosen probability level [7,8]. If x < p, then if the packet is unmarked, write R_i mod 1000 in RF, D_j in DRF and 0 in SF. Otherwise (if the packet is already marked, or x ≥ p), only increment the distance field SF.
After a sufficient number of samples has been drawn, the attack path can be reconstructed using the property R_i(D_j) = R_j and the distance field count. The victim uses the DR (along with R) sampled in these packets to create a graph leading back to the source(s) of attack.

RESULTS
If we constrain p to be identical at each router, then the probability [9] of receiving a marked packet from a router d hops away is $p(1-p)^{d-1}$, and this function is monotonic in the distance from the victim. Because the probability of receiving a sample is geometrically smaller the further away the router is from the victim, the time for this algorithm to converge is dominated by the time to receive a sample from the furthest router.
We conservatively assume that samples from all of the d routers (in the path from A to V) appear with the same likelihood as the furthest router. Since these events are disjoint, the probability that a given packet will deliver a sample from some router is at least $dp(1-p)^{d-1}$ by the addition law for disjoint events. As per the well-known Coupon Collector problem [3], the number of trials required to select one of each of d equiprobable items is $d(\ln d + O(1))$. Therefore, the number of packets X required for the victim to reconstruct a path of length d has the bounded expectation: From (19) we can show that E(X) is optimal when p = 1/d (i.e., $dE/dp = 0$ and $d^2E/dp^2 > 0$ at p = 1/d). The same algorithm can efficiently discern multiple attacks: when attackers from different sources produce disjoint edges in the reconstruction tree, the number of packets needed to reconstruct each path is independent of the other paths.
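An added simulation (not from the paper) of the DRSA marking procedure and the victim's reconstruction on a constructed six-hop path, together with the expected-packet bound at p = 1/d. Router serials, direction ratios and the NEXT_HOP lookup that stands in for R_i(D_j) = R_j are all made-up values.

```python
import math, random

# Constructed attack path A -> R_1 -> ... -> R_d -> V (d = 6).  Each router
# knows the DR D_j of its next hop; NEXT_HOP[(R_i, D_j)] = R_j plays the
# role of the page's R_i(D_j) = R_j lookup.  Serials and DRs are made up.
PATH = [1207, 1315, 2042, 3058, 3901, 4410]
DRS = [(1, 0, 1), (2, -1, 0), (0, 1, 1), (1, 2, -1), (1, 1, 0), (0, -2, 1)]
VICTIM = 5000
NEXT_HOP = {(r, d): n for r, d, n in zip(PATH, DRS, PATH[1:] + [VICTIM])}

def mark(pkt, serial, d_next, p, rng):
    """DRSA marking at one router: if x < p and the packet is unmarked, write
    (R mod 1000, D_j, 0) into (RF, DRF, SF); otherwise only increment SF."""
    if rng.random() < p and pkt["RF"] is None:
        pkt["RF"], pkt["DRF"], pkt["SF"] = serial % 1000, d_next, 0
    else:
        pkt["SF"] += 1

def send_packets(count, p, seed=1):
    """Run `count` attack packets down PATH; return the distinct (RF, DRF, SF)
    samples the victim sees (unmarked packets carry no sample)."""
    rng = random.Random(seed)
    samples = set()
    for _ in range(count):
        pkt = {"RF": None, "DRF": None, "SF": 0}
        for serial, d_next in zip(PATH, DRS):
            mark(pkt, serial, d_next, p, rng)
        if pkt["RF"] is not None:
            samples.add((pkt["RF"], pkt["DRF"], pkt["SF"]))
    return samples

def reconstruct(samples, serials=PATH):
    """Chain samples by SF: the sample with SF = s names the router s hops
    before the victim and its DR must point at the router found for s - 1.
    Returns [R_far, ..., R_near, VICTIM]; None on an inconsistent sample."""
    by_sf = {s: (rf, d) for rf, d, s in samples}
    full = {sn % 1000: sn for sn in serials}   # undo the mod-1000 truncation
    path, expect, s = [], VICTIM, 0
    while s in by_sf:
        rf, d = by_sf[s]
        r = full.get(rf)
        if r is None or NEXT_HOP.get((r, d)) != expect:
            return None
        path.append(r)
        expect, s = r, s + 1
    return path[::-1] + [VICTIM]

def expected_packets(d):
    """Page's bound E(X) = d^d ln(d) / (d-1)^(d-1) at the optimal p = 1/d."""
    return d ** d * math.log(d) / (d - 1) ** (d - 1)
```

A forged sample whose DR does not lead to the router already recovered below it makes `reconstruct` return None rather than a bogus path.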

DISCUSSION
The limitations imposed by restricting the number of DRs to |DR(2)| = 49 at every stage and using R (mod 1000) instead of the full serial number of router R are marginal in nature. We need more space in the packet header to use elements of DR(3) and the full representation of the R serial number.

CONCLUSION
In conclusion, DRSA is a robust scheme of three-dimensional, multidirectional, geographical IP traceback.

Fig. 1: Flow diagram of DRA
Fig. 2: (caption not recovered)

For example, if p = 1/d, where d is the attack path length, then the victim can typically reconstruct the path after receiving $E(X) = \frac{d^d \ln d}{(d-1)^{d-1}}$ packets. For d = 10, E(X) ≤ 75, and hence a victim can typically reconstruct the path after receiving 75 packets from the attacker.