Denial of Service (DoS) attack is considered a critical threat to networks. A DoS is a destructive attack aiming at denying services to legitimate users. An attacker could create an attack that floods a network, disrupts a connection between two computers, or even crashes a computer. Accordingly, legitimate users will not be able to have access to services needed. DoS attacks could originate from a single attacker or it could originate from multiple attackers creating Distributed Denial of Service (DDoS) attacks towards a target victim. One of the main problems ofDoS attacks is the ability of an attacker to forge or spoof his IP address. In this case, the identity of the actual attacker can be completely hidden. It is necessary to note here that there are two main categories of techniques to respond to DoS attacks. The first category is the Proactive category. Proactive means trying to respond to attacks and mitigate their effect before an attack actually happens. The second category is the Reactive category. Reactive category relies on handling an attack and mitigating its effect during or after an attack has taken place. Since an attacker could easily spoof his source IP address, then it is very difficult to discover his true identity. Accordingly, this attacker will never be discouraged to stop such destructive attacks towards target victims. This made responding to DoS attacks a tough task, since it would be difficult to differentiate between legitimate and not legitimate traffic. One of the Reactive category response techniques is called IP Traceback. Its main aim is tracing back an attack until the actual attacker is identified. It is an essential part of response systems. Many papers [3, 25] have presented different traceback techniques which have advantages and disadvantages. One paper presented

by Midori, Shunji and Atsushi from Waseda University tackled this problem and presented a solution in [26]. They used mobile agent technology to traceback an attacker in a Local Area Network (LAN). Our research work builds on their methodology. Hence, this thesis presents an extension to the work produced in [26]. It proposes a model that would enable the traceback of attacks in a LAN, in Inter-connected Networks, or in a Wide Area Network (WAN). The implemented work uses mobile agent technology to traceback an attacker. Packets coming in and out of a node are logged in it. The tracer agents would identify the next hop in trace route using source Datalink-level identifier (MAC address) of a packet in the log, similar to the work presented in [29]. The tracing agent uses MAC address, since it is not common for an attacker to spoof the MAC address compared to the IP address. Choosing next hops to visit does not rely only on datalink-level identifiers solely, but also on the timestamp

of logged packets. If traces of an attack packet are found at several hops placed in the same network level, then the hop with latest timestamp will be visited first. Experiments were conducted using two attack tools. One attack tool creates attack packets with spoofed IP addresses. The second attack tool creates flooding attacks which congest the network. The tests were conducted to prove the ability of the implemented traceback system to identify an attacker under conditions that he generates spoofed IP address packets and congests the network. The experiments proved the success of the implemented traceback system covering LAN, Inter-connected Network and WAN. However, there were several limitations which are discussed in details at the end of the thesis.


School of Sciences and Engineering


Computer Science & Engineering Department

Degree Name

MS in Computer Science

Date of Award


Online Submission Date


First Advisor

Sherif El Kassas

Committee Member 1

Ahmed Darwish

Committee Member 2

Hoda Hosny

Committee Member 3

Mohy Mahmoud

Document Type



261 leaves

Library of Congress Subject Heading 1


Library of Congress Subject Heading 2

Computer networks


The American University in Cairo grants authors of theses and dissertations a maximum embargo period of two years from the date of submission, upon request. After the embargo elapses, these documents are made available publicly. If you are the author of this thesis or dissertation, and would like to request an exceptional extension of the embargo period, please write to thesisadmin@aucegypt.edu

Call Number

Thesis 2003/62