Traceback model for identifying sources of distributed attacks in real time

Bibliographic Details
Published in Security and communication networks Vol. 9; no. 13; pp. 2173 - 2185
Main Authors Ahmed, Abdulghani Ali, Sadiq, Ali Safa, Zolkipli, Mohamad Fadli
Format Journal Article
Language English
Published London Hindawi Limited 10.09.2016
Summary: Locating the sources of a distributed attack is time‐consuming; attackers are identified long after the attack is completed. This paper proposes a traceback model for identifying attackers and locating their distributed sources in real time. Attackers are identified by monitoring malicious end users' violations of the bandwidth shares predefined in the service level agreement. Then, the active connections of the malicious users are investigated to locate the host machines used as distributed sources of attack traffic. A mathematical model and simulation results demonstrate that the proposed model can reduce the time required for identifying malicious users and locating the host machines used as the actual sources of attack packets. Copyright © 2016 John Wiley & Sons, Ltd.

The proposed model traces the origins of detected attacks in two steps: identifying the malicious users, and locating the source hosts that the malicious users use to launch their attacks. An advantage of the proposed model is its efficiency in detecting an attack before actualization. The findings of the mathematical model and the simulation experiment indicate that distributed attacks can be detected before the services of legitimate users are completely denied.
ISSN: 1939-0114, 1939-0122
DOI: 10.1002/sec.1476