METHOD FOR TRACING-BACK IP ON IPv6 NETWORK

Information

  • Patent Application
  • 20070157314
  • Publication Number
    20070157314
  • Date Filed
    June 21, 2006
  • Date Published
    July 05, 2007
Abstract
Provided is a method for tracing-back an IP using marking information of a router stored on a hop-by-hop option header, which is one of IPv6 extension headers. According to the method, an attack made by an attacker is detected on the IPv6 network. If the attack is detected, information stored on a hop-by-hop option header of a packet received through the IPv6 network and marked by a router through which the packet has passed is extracted. After that, a reception path of the received packet is reconstructed and an IP of the attacker is back-traced using the extracted marking information.
Description

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other features and advantages of the present invention will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings in which:

FIG. 1 shows an exemplary distributed denial of service (DDoS) attack made on a victim's host on a network;

FIG. 2 is a view illustrating an IPv4 network used for explaining PPM;

FIG. 3 is a flowchart explaining a method for tracing-back an attacker's IP on an IPv4 network using PPM;

FIG. 4 is a flowchart explaining a method for tracing-back an attacker's IP on an IPv6 network according to an embodiment of the present invention;

FIGS. 5A and 5B are views illustrating a structure of a hop-by-hop option header according to the present invention;

FIG. 6 is a detailed view of a data field according to the present invention;

FIG. 7 is a view illustrating an example of a received packet classified using a classification field;

FIG. 8 is a flowchart explaining in more detail an error-correction algorithm according to the present invention;

FIG. 9 is a view illustrating a system explaining an error-correction algorithm when reconstruction of a reception path fails;

FIG. 10 is a schematic view illustrating a network explaining PMTUD according to an embodiment of the present invention; and

FIG. 11 is a flowchart explaining in more detail a method for receiving a packet used for tracing-back a reception path according to PMTUD.


Claims
  • 1. A method for tracing-back an IP on an IPv6 network, the method comprising: detecting an attack made by an attacker on the IPv6 network; if the attack is detected, extracting marking information stored on a hop-by-hop option header of a packet received through the IPv6 network and marked by a router through which the packet has passed; and reconstructing a reception path of the received packet and tracing-back an IP of the attacker using the extracted marking information.
  • 2. The method of claim 1, wherein the hop-by-hop option header includes a code field, a length field, and a data field, and an option value representing IP tracing-back is contained in the code field.
  • 3. The method of claim 2, wherein the marking information stored in the data field includes a distance field representing a distance from the router that performs marking to the host under attack, an address field representing an address of the router that performs marking, and a classification field representing an interface ID of a source address of the received packet.
  • 4. The method of claim 3, wherein the data field includes a 5-bit distance field, a 48-bit address field that excludes FP and TLA, and a classification field including an interface ID of a source address hashed to 11 bits.
  • 5. The method of claim 3, wherein the reconstructing of the reception path comprises: classifying received packets for each attacker using interface IDs of source addresses of received packets; aligning the marking routers in the classified packets for each attacker using the address of the marking router contained in the address field and the distance contained in the distance field; and reconstructing a reception path of the received packets and tracing-back an attacker's IP using the aligned marking routers.
  • 6. The method of claim 3, further comprising: if the reception path of the received packet is not reconstructed, transmitting a request message requesting routing information of a router whose marking information is not obtained; receiving the routing information of the router that is transmitted in response to the request message; and reconstructing a reception path using the received routing information.
  • 7. The method of claim 6, wherein the routing information includes a destination address of a packet and a next-hop router address stored in a routing table of the router that has received the request message.
  • 8. The method of claim 3, further comprising: if a size of the received packet is the same as a PMTU (path maximum transmission unit) of the reception path, judging whether a hop-by-hop option header is present in the received packet; and if the hop-by-hop option header is absent in the received packet, dropping the received packet.
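As an added example, not part of the patent text, the following Python encodes and decodes the 64-bit marking data field of claims 2 to 4 (5-bit distance, 48-bit router address, 11-bit classification) and performs the per-attacker path alignment of claim 5, reporting the distance gaps at which claim 6's routing-information request would be needed. Assumptions: the option type value 0x1E is a placeholder (the patent names no value), the 48-bit address field is bits 16..63 of the marking router's address (the fields after FP and TLA in the aggregatable unicast layout), and SHA-256 truncated to 11 bits is the classification hash.

```python
import hashlib
import ipaddress

OPTION_TYPE = 0x1E  # PLACEHOLDER: the patent does not specify the option value
DATA_LEN = 8        # 5 + 48 + 11 bits = 64 bits of option data
MASK48 = (1 << 48) - 1
MASK11 = (1 << 11) - 1


def router_address48(addr):
    """Bits 16..63 of the router address: everything after FP and TLA (assumed)."""
    return (int(ipaddress.IPv6Address(addr)) >> 64) & MASK48


def classify_source(src_addr):
    """11-bit classification = hash of the 64-bit interface ID of the source."""
    iid = int(ipaddress.IPv6Address(src_addr)) & ((1 << 64) - 1)
    digest = hashlib.sha256(iid.to_bytes(8, "big")).digest()  # assumed hash
    return int.from_bytes(digest[:2], "big") & MASK11


def encode_mark(distance, router_addr, src_addr):
    """Build the hop-by-hop option TLV a marking router would insert."""
    if not 0 <= distance < 32:
        raise ValueError("distance must fit in 5 bits")
    field = (distance << 59) | (router_address48(router_addr) << 11) \
        | classify_source(src_addr)
    return bytes([OPTION_TYPE, DATA_LEN]) + field.to_bytes(8, "big")


def decode_mark(opt):
    """Return (distance, router48, classification) from an option TLV."""
    if len(opt) < 2 + DATA_LEN or opt[0] != OPTION_TYPE or opt[1] != DATA_LEN:
        raise ValueError("not a trace-back marking option")
    field = int.from_bytes(opt[2:2 + DATA_LEN], "big")
    return field >> 59, (field >> 11) & MASK48, field & MASK11


def reconstruct_paths(options):
    """Claim 5: group marks by classification, order routers by distance.

    Returns {classification: (routers nearest-victim first, missing distances)};
    a missing distance is a hop for which claim 6's request would be sent.
    """
    hops_by_attacker = {}
    for opt in options:
        distance, router48, cls = decode_mark(opt)
        hops_by_attacker.setdefault(cls, {})[distance] = router48
    result = {}
    for cls, hops in hops_by_attacker.items():
        ordered = [hops[d] for d in sorted(hops)]
        missing = [d for d in range(min(hops), max(hops) + 1) if d not in hops]
        result[cls] = (ordered, missing)
    return result
```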
Priority Claims (1)
  • Number: 10-2005-0135741
  • Date: Dec 2005
  • Country: KR
  • Kind: national