The PPM algorithm is not a versatile methodology that can tackle all kinds of distributed denial-of-service attacks such as the TCP-SYN flood attack and the reflector attack. There are assumptions imposed on the execution environment and the algorithm itself.
3.3.1 Marked packets and PPM markings
A received packet by the victim may contain information that is needed to reconstruct the attack graph. According to [30], the marked information is sliced and is distributed in encoded packets. In turn, the victim can reconstruct the information by collecting enough fragments.
In our context, the PPM markings are the information reconstructed by collected packets. To simplify the discussion, we are actually not focused on the reconstruction of the sliced-edge information. Rather, we use the term marked packet as a virtual packet that contains a set of reconstructed marking information.
Assumption 3.1 It is assumed that a marked packet can always be reconstructed from slices of encoded information.
3.3.2 Router
We assume that every router in the network is willing to participate in the PPM algorithm when requested. For each router, we assume that it is equipped with the ability to mark packets following the packet marking procedure.
Functionally speaking, a router can either be a transit router or a leaf router: a transit router forwards traffic from upstream routers to its downstream routers (or the victim), while a leaf router connects to the upstream client computers (not routers) and forwards the clients' traffic to its downstream routers (or the victim).
3.3.3 Packet marking probability
One of the characteristics of the PPM algorithm is to mark packets randomly. The randomness is controlled by a variable called the marking probability, pm, and every (participating) router owns a copy of this variable. There is no restriction on the packet marking probability pm. But allowing every router to have a different value for pm would complicate our discussion, and we make the following assumption.
Assumption 3.2 It is assumed that every participating router uses the same value of the packet marking probability pm throughout the execution of the PPM algorithm.
Though this assumption sounds impractical when the PPM algorithm is deployed on a worldwide scale, the fixed marking probability becomes natural when the PPM algorithm is deployed within an ISP. In addition, there is work in the literature which claims that by changing the value of the marking probability of each router, the number of packets required to construct the correct constructed graph can be minimized [70].
3.3.4 Attack source and attack pattern
An attack source is the end-host that sends packets to the victim (not necessarily a high volume of traffic). Usually, the number of attack sources can be in the order of thousands, and the aggregated volume is therefore overwhelming. Though such an attack source may not be the attacker (the attack source may only be a zombie), it is necessary to stop such an overwhelming flow by locating the sources. We therefore treat every attack source as an attacker.
Assumption 3.3 An attacker is the end-host (the leaf router of an attack graph) that sends an attacking flow toward the victim.
A flood-based DDoS attack, according to its name, attacks the victim by flooding the victim with packets, loads the victim with an extraordinary amount of traffic, and hence disables or degrades the service provided by the victim. However, there is no defined pattern by which the attackers bombard the victim. It can be a continuous flow, a bursty periodic strike, etc. For simplicity, we make an assumption about the attack pattern as follows.
Assumption 3.4 Every attacker sends out a continuous flow of packets. Also, every attacker sends approximately the same number of packets toward the victim.
Note that if this assumption is actually not true, say the attack pattern is actually bursty, then the obtained attack graph may not cover all the attackers.
3.3.5 Attack graph and packet routing
The attack graph generated by the PPM algorithm has a very strong dependence on the routings inside the global network graph since the attack graph is formed by the traversals of the packets. Nevertheless, due to the autonomous property of the network routers, the routings inside the Internet graph may be changed under abnormal situations. Unfortunately, a flood-based DDoS attack is one of the abnormal situations. A high volume of flows generated by the DDoS attack creates a congested environment within the Internet graph. This may drive the routers to change their routings so as to cope with such a change (and we all know that their acts are futile).
Eventually, the attack graph may be changed because of the changes in the routings inside the Internet graph, and the topology of attack graph is, therefore, short-lived. Nevertheless, our goal is to locate the attackers. The short-lived property of the attack graph does not hinder us in achieving our goal on the condition that the attack graph, from time to time, is pinpointing the locations of the attackers.
Thus, the target of the PPM algorithm should not be fixed to find a consistent attack graph. Rather, the target of the PPM algorithm is to locate the attackers through the construction of the attack graph. We make the following strong assumption.
Assumption 3.5 During the time that the PPM algorithm is executing, the routings inside the global network graph should not change.
We provide the illustration on how the PPM algorithm reacts to the change of the routings. In Figure 3.5(a), we have a network showing all the network links and the current routing in the network. When one of the routers, R1, is down, such failure triggers the routing table of every router to change completely as shown in Figure 3.5(b).
[Figure 3.5: three panels over routers R1, R2, R3, R4 and the victim ν. (a) Routing before change; (b) Routing after change; (c) possible constructed graph. Legend: physical link, routing path, constructed graph's link.]
Figure 3.5: The failure of the router R1 causes the route tables of R2, R3, and R4 to change. This results in a constructed graph with routers having multiple outgoing edges.
Under such a scenario, the set of collected packets may include encoded packets from the routing configurations in both Figures 3.5(a) and 3.5(b). Therefore, the constructed attack graph may become the one shown in Figure 3.5(c).
We argue that this result is not an undesirable one as long as the definition of a correct attack graph construction (Definition 3.1 on Page 82) still holds because the new attack graph is indeed composed of all the edges traversed by the packets. In the remainder of this paper, we stay with this assumption, and we will discuss the scenario when this assumption is relaxed in Section 5.7.
On the other hand, modern routing protocols [71, 72] currently used by routers favor the formation of a routing tree rather than a routing graph. The difference between a routing tree and a routing graph lies in the number of outgoing routes to a particular address. Usually, there is only one route for one destination address. Therefore, the corresponding attack graph should be a tree instead of a graph unless the routings within the attack graph have been changed.
Pkt #  Src  Hop#1        Hop#2        Hop#3        Hop#4        New
1      R7   (φ, φ, φ)    (φ, φ, φ)    (φ, φ, φ)    (φ, φ, φ)    −
2      R7   (R7, φ, 0)   (R7, R4, 1)  (R7, R4, 2)  (R7, R4, 3)  √
3      R8   (R8, φ, 0)   (R5, φ, 0)   (R2, φ, 0)   (R2, V, 1)   √
4      R7   (R7, φ, 0)   (R7, R4, 1)  (R7, R4, 2)  (R7, R4, 3)  ×
5      R7   (φ, φ, φ)    (R4, φ, 0)   (R4, R1, 1)  (R4, R1, 2)  √
6      R8   (φ, φ, φ)    (φ, φ, φ)    (R2, φ, 0)   (R2, V, 1)   ×
7      R7   (φ, φ, φ)    (φ, φ, φ)    (R1, φ, 0)   (R1, V, 1)   √
8      R8   (φ, φ, φ)    (R5, φ, 0)   (R5, R2, 1)  (R5, R2, 2)  √
9      R8   (R8, φ, 0)   (R8, R5, 1)  (R8, R5, 2)  (R8, R5, 3)  √
...    ...  ...          ...          ...          ...          ...
Table 3.1: A sequence of packets collected by the victim.
Assumption 3.6 Every participating router has only one outgoing route toward the victim.
For the ease of presentation, we call the “outgoing route toward the victim” the victim route throughout this thesis.
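The following Python script is an added example, not code from the thesis, that ties together the fixed marking probability of Section 3.3.3, the hop-by-hop marks of Table 3.1, and the route-change scenario of Section 3.3.5. The marking rule it implements (a router overwrites the mark with itself and distance 0 with probability pm, otherwise fills in the end field when the distance is 0 and increments the distance, with the victim performing the same non-marking step) is inferred from the Hop#1 to Hop#4 columns of Table 3.1 and is an assumption of this example; the topology, the packet counts and the "R3 loses R1" route change are constructed for illustration and are not the thesis's figures.

```python
import random
from collections import defaultdict

PHI = None  # the empty mark field, written as φ in Table 3.1


def mark_packet(path, victim, pm, rng):
    """Carry one packet from its leaf router along `path` to `victim` and return the
    (start, end, distance) triple it arrives with. The rule is inferred from Table 3.1
    (assumption of this example): with probability pm a router overwrites the mark with
    (itself, φ, 0); otherwise, if the distance is 0 it writes itself into the end
    field, and in every non-marking case it increments the distance. The victim does
    the non-marking step too, which is how (R2, V, 1) appears in the table."""
    start, end, dist = PHI, PHI, PHI
    for hop in list(path) + [victim]:
        if hop != victim and rng.random() < pm:  # the victim never marks
            start, end, dist = hop, PHI, 0
        elif dist is not PHI:
            if dist == 0:
                end = hop
            dist += 1
    return (start, end, dist)


def update_graph(edges, mark):
    """Insert the edge carried by a mark into the constructed graph. Returns the symbol
    of the 'New' column: '−' unmarked, '√' edge is new, '×' edge already present."""
    start, end, _dist = mark
    if start is PHI or end is PHI:
        return "−"
    if (start, end) in edges:
        return "×"
    edges.add((start, end))
    return "√"


def replay_table(hop4_marks):
    """Run a column of final marks through an empty graph; gives the 'New' column."""
    edges = set()
    return [update_graph(edges, m) for m in hop4_marks]


def outgoing_routes(edges):
    """Next hops recorded per router; Assumption 3.6 says each router has exactly one."""
    out = defaultdict(set)
    for start, end in edges:
        out[start].add(end)
    return dict(out)


def is_routing_tree(edges):
    """True when no router in the constructed graph has more than one outgoing edge."""
    return all(len(nexts) == 1 for nexts in outgoing_routes(edges).values())


def simulate(paths, victim, pm, packets_per_attacker, seed=1):
    """Attackers send equal, continuous flows (Assumption 3.4) along fixed victim routes
    (Assumption 3.5) through routers sharing one pm (Assumption 3.2)."""
    rng = random.Random(seed)
    edges = set()
    for _ in range(packets_per_attacker):
        for path in paths:  # round-robin: every attacker sends at the same rate
            update_graph(edges, mark_packet(path, victim, pm, rng))
    return edges


def packets_until_complete(paths, victim, pm, target_edges, limit=100000, seed=1):
    """Packets the victim collects before the constructed graph holds every target edge
    (the correctness notion of Definition 3.1), or None if `limit` is not enough. A small
    pm lets far edges survive overwriting but marks few packets; a large pm does the
    opposite, which is the trade-off behind the choice of pm."""
    rng = random.Random(seed)
    edges, count = set(), 0
    while count < limit:
        for path in paths:
            count += 1
            update_graph(edges, mark_packet(path, victim, pm, rng))
            if target_edges <= edges:
                return count
    return None


# Constructed topology using the router names of Table 3.1:
# one attacker behind R7 -> R4 -> R1 -> V, another behind R8 -> R5 -> R2 -> V.
VICTIM = "V"
TABLE_PATHS = [["R7", "R4", "R1"], ["R8", "R5", "R2"]]
TABLE_EDGES = {("R7", "R4"), ("R4", "R1"), ("R1", "V"),
               ("R8", "R5"), ("R5", "R2"), ("R2", "V")}
# Hop#4 column of Table 3.1, transcribed with φ as PHI.
TABLE_HOP4 = [(PHI, PHI, PHI), ("R7", "R4", 3), ("R2", "V", 1), ("R7", "R4", 3),
              ("R4", "R1", 2), ("R2", "V", 1), ("R1", "V", 1), ("R5", "R2", 2),
              ("R8", "R5", 3)]
# Constructed route change in the spirit of Figure 3.5: R3 reaches V through R1 until
# R1 fails, then through R2; packets from both periods land in one collection.
ROUTE_BEFORE = [["R3", "R1"]]
ROUTE_AFTER = [["R3", "R2"]]


def mixed_collection(pm=0.2, packets_per_period=200):
    """Constructed graph when the collection spans the route change (Figure 3.5(c))."""
    return (simulate(ROUTE_BEFORE, VICTIM, pm, packets_per_period, seed=2)
            | simulate(ROUTE_AFTER, VICTIM, pm, packets_per_period, seed=3))


if __name__ == "__main__":
    print("New column replayed from Table 3.1:", " ".join(replay_table(TABLE_HOP4)))
    g = simulate(TABLE_PATHS, VICTIM, pm=0.2, packets_per_attacker=500)
    print("graph complete:", g == TABLE_EDGES, "tree:", is_routing_tree(g))
    for pm in (0.05, 0.2, 0.5, 0.9):
        n = packets_until_complete(TABLE_PATHS, VICTIM, pm, TABLE_EDGES)
        print(f"pm={pm}: packets until complete = {n}")
    m = mixed_collection()
    print("R3 next hops after route change:", sorted(outgoing_routes(m)["R3"]),
          "tree:", is_routing_tree(m))
```

Replaying the Hop#4 column reproduces the table's "New" column exactly, the seeded simulation under Assumptions 3.2 to 3.6 yields the two-path tree, and the mixed collection gives R3 two outgoing edges, which is the multiple-outgoing-edge graph of Figure 3.5(c) and the situation Assumption 3.6 rules out.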