Abstract
Denial of Service (DoS) attack is considered a critical threat to networks. A DoS is a destructive attack aiming at denying services to legitimate users. An attacker could create an attack that floods a network, disrupts a connection between two computers, or even crashes a computer. Accordingly, legitimate users will not be able to have access to services needed. DoS attacks could originate from a single attacker or it could originate from multiple attackers creating Distributed Denial of Service (DDoS) attacks towards a target victim. One of the main problems ofDoS attacks is the ability of an attacker to forge or spoof his IP address. In this case, the identity of the actual attacker can be completely hidden. It is necessary to note here that there are two main categories of techniques to respond to DoS attacks. The first category is the Proactive category. Proactive means trying to respond to attacks and mitigate their effect before an attack actually happens. The second category is the Reactive category. Reactive category relies on handling an attack and mitigating its effect during or after an attack has taken place. Since an attacker could easily spoof his source IP address, then it is very difficult to discover his true identity. Accordingly, this attacker will never be discouraged to stop such destructive attacks towards target victims. This made responding to DoS attacks a tough task, since it would be difficult to differentiate between legitimate and not legitimate traffic. One of the Reactive category response techniques is called IP Traceback. Its main aim is tracing back an attack until the actual attacker is identified. It is an essential part of response systems. Many papers [3, 25] have presented different traceback techniques which have advantages and disadvantages. One paper presented
by Midori, Shunji and Atsushi from Waseda University tackled this problem and presented a solution in [26]. They used mobile agent technology to traceback an attacker in a Local Area Network (LAN). Our research work builds on their methodology. Hence, this thesis presents an extension to the work produced in [26]. It proposes a model that would enable the traceback of attacks in a LAN, in Inter-connected Networks, or in a Wide Area Network (WAN). The implemented work uses mobile agent technology to traceback an attacker. Packets coming in and out of a node are logged in it. The tracer agents would identify the next hop in trace route using source Datalink-level identifier (MAC address) of a packet in the log, similar to the work presented in [29]. The tracing agent uses MAC address, since it is not common for an attacker to spoof the MAC address compared to the IP address. Choosing next hops to visit does not rely only on datalink-level identifiers solely, but also on the timestamp
of logged packets. If traces of an attack packet are found at several hops placed in the same network level, then the hop with latest timestamp will be visited first. Experiments were conducted using two attack tools. One attack tool creates attack packets with spoofed IP addresses. The second attack tool creates flooding attacks which congest the network. The tests were conducted to prove the ability of the implemented traceback system to identify an attacker under conditions that he generates spoofed IP address packets and congests the network. The experiments proved the success of the implemented traceback system covering LAN, Inter-connected Network and WAN. However, there were several limitations which are discussed in details at the end of the thesis.
School
School of Sciences and Engineering
Department
Computer Science & Engineering Department
Degree Name
MS in Computer Science
Date of Award
2-1-2004
Online Submission Date
1-1-2003
First Advisor
Sherif El Kassas
Committee Member 1
Ahmed Darwish
Committee Member 2
Hoda Hosny
Committee Member 3
Mohy Mahmoud
Document Type
Thesis
Extent
261 leaves
Library of Congress Subject Heading 1
Hackers
Library of Congress Subject Heading 2
Computer networks
Rights
The American University in Cairo grants authors of theses and dissertations a maximum embargo period of two years from the date of submission, upon request. After the embargo elapses, these documents are made available publicly. If you are the author of this thesis or dissertation, and would like to request an exceptional extension of the embargo period, please write to thesisadmin@aucegypt.edu
Recommended Citation
APA Citation
El-Keissi, G.
(2004).IP traceback of denial of service attacks using mobile agents technology [Thesis, the American University in Cairo]. AUC Knowledge Fountain.
https://fount.aucegypt.edu/retro_etds/1705
MLA Citation
El-Keissi, Ghada Magdi Hashem. IP traceback of denial of service attacks using mobile agents technology. 2004. American University in Cairo, Thesis. AUC Knowledge Fountain.
https://fount.aucegypt.edu/retro_etds/1705
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Call Number
Thesis 2003/62
Location
mmbk