Identification of Attack Nodes from Traffic Matrix Estimation

Distributed denial-of-service attacks on public servers have recently become more serious. The most effective way to prevent this type of traffic is to identify the attack nodes and detach (or block) attack nodes at egress routers of them. However, existing traceback mechanisms are currently not widely used for some reasons, such as the necessity of replacement of many routers to support traceback capability, or difficulties in distinguishing between attacks and legitimate traffic. In this paper, we propose a new scheme that enables a traceback from a victim to the attack nodes. More specifically, we identify the egress routers that attack nodes are connecting to by estimating the traffic matrix between arbitral source-destination edge pairs. We identify the edge routers that are forwarding the attack traffic, which have a sharp traffic increase to the victim, by monitoring the traffic variations obtained by the traffic matrix, we identify the edge routers forwarding attack traffic which have a sharp traffic increase to the victim. We also evaluate the effectiveness of our proposed scheme through simulation, and show that our method can identify attack sources accurately.