Abstract
Attribution is the process of investigating an attack and attributing it to its source. This chapter discusses the attribution phase of network forensics. IP traceback mechanisms are discussed in the context of network forensics, covering topics such as autonomous system-based traceback, router and interface marking, and network forensic traceback. Under network forensic traceback techniques, the relationship between the various traceback mechanisms is also discussed.
© 2016 Springer-Verlag London
Cite this chapter
Joshi, R.C., Pilli, E.S. (2016). Network Forensic Attribution. In: Fundamentals of Network Forensics. Computer Communications and Networks. Springer, London. https://doi.org/10.1007/978-1-4471-7299-4_7
DOI: https://doi.org/10.1007/978-1-4471-7299-4_7
Publisher Name: Springer, London
Print ISBN: 978-1-4471-7297-0
Online ISBN: 978-1-4471-7299-4