Data-Link Layer Traceback in Ethernet Networks
Snow, Michael Thomas
The design of the most commonly used Internet and Local Area Network protocols provides no way of verifying that the sender of a packet is who it claims to be. Protocols and applications that provide authentication exist, but they are generally intended for special use cases. A malicious host can easily launch an attack while pretending to be another host in order to avoid being discovered. At worst, the behavior may implicate a legitimate host, causing it and its user to be kicked off the network. A malicious host may further conceal its location by sending the attack packets from one or more remotely controlled hosts. Current research has provided techniques to support traceback, the process of determining the complete attack path from the victim back to the attack coordinator. Most of this research focuses on IP traceback, from the victim through the Internet to the edge of the network containing the attack packet source, and on Stepping-Stone traceback, from that source to the host controlling the attack. However, little research has been conducted on the problem of Data-Link Layer Traceback (DLT), the process of tracing frames from the network edge to the attack source across what is usually a layer-2 network. We propose a scheme called Tagged-fRAme tracebaCK (TRACK) that provides a secure, reliable DLT technique for Ethernet networks. TRACK defines processes for Ethernet switches and for a centralized storage and lookup host. As a frame enters a TRACK-enabled network, a tag is added indicating the switch and port on which the frame entered the network. This tag is collected at the network edge for later use in the traceback operation. An authentication method is defined to prevent unauthorized entities from generating or modifying tag data. Simulation results indicate that TRACK provides accurate DLT operation while causing minimal impact on network and application performance.
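The abstract names the three TRACK components (an ingress tag carrying switch and port, collection at the network edge, and authentication of tag data) without giving their formats. The following Python model is an added example written for this page, not the thesis's own code or simulation. Everything about the tag layout is an assumption: the tag is inserted after the source MAC the way an 802.1Q tag is, under the IEEE local-experimental EtherType 0x88B5, carries a 16-bit switch id and port, and is authenticated with an HMAC-SHA256 under a per-switch key shared with the central lookup host; the edge strips the tag after recording it, and frames are identified in the store by a SHA-256 over the untagged frame. The `EdgeCollector`, `ingress_tag` and `demo` names are hypothetical. The scenario also shows the two checks a practitioner would want: a host-supplied tag is discarded by the ingress switch, and a tag altered in transit fails verification at the edge.

```python
"""Toy model of TRACK-style data-link-layer traceback (added example, not the thesis's code).

Assumed tag layout (not stated in the abstract): after dst(6)+src(6) comes
EtherType 0x88B5, switch id (2), ingress port (2), HMAC-SHA256 (32), then the
original EtherType and payload. Keys are per-switch and shared with the edge.
"""
import hashlib
import hmac
import struct

TAG_ETHERTYPE = 0x88B5            # IEEE 802 "local experimental 1" EtherType (assumed choice)
TAG_HDR = struct.Struct(">HHH")   # tag EtherType, switch id, ingress port (assumed layout)
MAC_LEN = 32                      # HMAC-SHA256 digest length
TAG_LEN = TAG_HDR.size + MAC_LEN
TAG_OFFSET = 12                   # tag sits after dst(6) + src(6), before the original EtherType


def fingerprint(frame: bytes) -> bytes:
    """Identity of an untagged frame: the bytes the victim actually receives."""
    return hashlib.sha256(frame).digest()


def tag_mac(key: bytes, switch_id: int, port: int, untagged: bytes) -> bytes:
    """Bind the tag to both the ingress point and the frame so it cannot be moved to another frame."""
    msg = struct.pack(">HH", switch_id, port) + fingerprint(untagged)
    return hmac.new(key, msg, hashlib.sha256).digest()


def strip_tag(frame: bytes):
    """Return (untagged frame, (switch_id, port, mac) or None). Parses only; verification is separate."""
    if len(frame) >= TAG_OFFSET + TAG_LEN:
        ethertype, switch_id, port = TAG_HDR.unpack_from(frame, TAG_OFFSET)
        if ethertype == TAG_ETHERTYPE:
            mac_start = TAG_OFFSET + TAG_HDR.size
            mac = frame[mac_start:mac_start + MAC_LEN]
            return frame[:TAG_OFFSET] + frame[TAG_OFFSET + TAG_LEN:], (switch_id, port, mac)
    return frame, None


def ingress_tag(frame: bytes, switch_id: int, port: int, key: bytes) -> bytes:
    """Ingress switch on an access port: drop any tag the host supplied, then tag with its own identity."""
    untagged, _ = strip_tag(frame)
    mac = tag_mac(key, switch_id, port, untagged)
    return untagged[:TAG_OFFSET] + TAG_HDR.pack(TAG_ETHERTYPE, switch_id, port) + mac + untagged[TAG_OFFSET:]


class EdgeCollector:
    """Central store fed by the network-edge device; answers later traceback queries."""

    def __init__(self, switch_keys: dict):
        self.switch_keys = switch_keys   # switch id -> shared key (key distribution assumed)
        self.store = {}                  # frame fingerprint -> (switch id, port)

    def collect(self, frame: bytes):
        """Verify the tag, record it, and return (untagged frame, accepted)."""
        untagged, tag = strip_tag(frame)
        if tag is None:
            return untagged, False
        switch_id, port, mac = tag
        key = self.switch_keys.get(switch_id)
        if key is None or not hmac.compare_digest(mac, tag_mac(key, switch_id, port, untagged)):
            return untagged, False       # unknown switch, or tag not produced with that switch's key
        self.store[fingerprint(untagged)] = (switch_id, port)
        return untagged, True

    def traceback(self, frame_at_victim: bytes):
        """Look up the ingress switch and port for a frame captured at the victim (untagged)."""
        return self.store.get(fingerprint(frame_at_victim))


def demo() -> dict:
    """Constructed scenario: a host spoofing another host's MAC is traced to its real ingress port."""
    keys = {7: b"switch-7-key", 9: b"switch-9-key"}              # constructed per-switch keys
    edge = EdgeCollector(keys)
    victim_mac = bytes.fromhex("001122334455")                   # constructed addresses
    spoofed_src = bytes.fromhex("ccddeeff0011")                  # sender claims another host's MAC
    frame = victim_mac + spoofed_src + b"\x08\x00" + b"constructed attack payload"

    tagged = ingress_tag(frame, 7, 3, keys[7])                   # frame entered at switch 7, port 3
    delivered, accepted = edge.collect(tagged)

    # Host-supplied tag claiming switch 9, port 1: the ingress switch discards it and re-tags.
    host_forged = ingress_tag(frame, 9, 1, b"not-the-real-key")
    retagged = ingress_tag(host_forged, 7, 3, keys[7])

    # Tag altered in transit (low byte of the port field): the edge HMAC check fails, nothing is stored.
    tampered = bytearray(tagged)
    tampered[TAG_OFFSET + 5] ^= 0x01
    _, tampered_accepted = edge.collect(bytes(tampered))

    return {
        "accepted": accepted,
        "delivered_equals_original": delivered == frame,
        "trace": edge.traceback(delivered),
        "retag_overrides_forgery": retagged == tagged,
        "forged_direct_accepted": edge.collect(host_forged)[1],
        "tampered_accepted": tampered_accepted,
    }
```

Running `demo()` yields a trace of `(7, 3)` for the spoofed frame, while both the host-forged tag and the tampered tag are rejected. The MAC covers the frame fingerprint as well as the switch and port, so a valid tag cannot be detached from one frame and attached to another; the ingress switch unconditionally stripping tags on access ports is what keeps an untrusted host from injecting its own.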
- Masters Theses