• DocumentCode
    3088706
  • Title

    Analysis of Spoofed IP Traffic Using Time-to-Live and Identification Fields in IP Headers

  • Author

    Ohta, Masayuki ; Kanda, Yoshiki ; Fukuda, Kenji ; Sugawara, Toshiharu

  • Author_Institution
    Grad. Sch. of Fundamental Sci. & Eng., Waseda Univ., Tokyo, Japan
  • fYear
    2011
  • fDate
    22-25 March 2011
  • Firstpage
    355
  • Lastpage
    361
  • Abstract
    Internet services are often exposed to many kinds of threats, such as distributed denial of service (DDoS), viruses, and worms. Since these threats adversely affect social and economic activities on the Internet, technologies for protecting Internet services from them are strongly needed. Many researchers have analyzed network traffic to detect anomalous traffic using many packet features (e.g., TCP/IP headers). In this paper, we focus on the Time To Live (TTL) and Identification (IPID) fields of the IP header to understand anomalous traffic behavior, since source IP addresses are often spoofed. We propose a method to distinguish a plausibly spoofed IP address from others based on a sequence of TTL and IPID fields. We show that our method can extract a number of plausible spoofing packets from real darknet traces in which none of the packets were normal.
  • Keywords
    IP networks; Internet; computer network security; computer viruses; telecommunication traffic; IP address; IP header; IPID field; Internet service; TTL field; anomalous traffic behavior; distributed denial of service; identification field; spoofed IP traffic; time to live; Electronic mail; Grippers; IP networks; Internet; Time series analysis; Viruses (medical); darknet; network security; source spoofing;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Advanced Information Networking and Applications (WAINA), 2011 IEEE Workshops of International Conference on
  • Conference_Location
    Biopolis
  • Print_ISBN
    978-1-61284-829-7
  • Electronic_ISBN
    978-0-7695-4338-3
  • Type

    conf

  • DOI
    10.1109/WAINA.2011.111
  • Filename
    5763526