Analysis of spoofed IP traffic using time-to-live and identification fields in IP headers

Masayuki Ohta; Yoshiki Kanda; Kensuke Fukuda; Toshiharu Sugawara

doi:10.1109/WAINA.2011.111

Analysis of spoofed IP traffic using time-to-live and identification fields in IP headers

Masayuki Ohta^*, Yoshiki Kanda, Kensuke Fukuda, Toshiharu Sugawara

^*Corresponding author for this work

School of Fundamental Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Citations (Scopus)

Abstract

Internet services are often exposed to many kinds of threats such as the distributed denial of service (DDoS), viruses, and worms. Since these threats cause an adverse effect on the social and economical activities on the Internet, the technologies for protecting Internet services from the threats are strongly required. Many researchers have analyzed network traffic to detect anomalous one using many packet features (e.g., TCP/IP headers). In this paper, we focus on the Time To Live (TTL) and Identification fields (IPID) of the IP header to understand the anomalous traffic behavior, since source IP addresses are often spoofed. We propose a method to distinguish a plausible spoofed IP address from others based on a sequence of TTL and IPID fields. We show that our method can extract a number of plausible spoofing packets from real dark net traces in which all of the packets were not normal.

Original language	English
Title of host publication	Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011
Pages	355-361
Number of pages	7
DOIs	https://doi.org/10.1109/WAINA.2011.111
Publication status	Published - 2011
Event	25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011 - Biopolis, Singapore Duration: 2011 Mar 22 → 2011 Mar 25

Publication series

Name	Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011

Conference

Conference	25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011
Country/Territory	Singapore
City	Biopolis
Period	11/3/22 → 11/3/25

Keywords

darknet
network security
source spoofing

ASJC Scopus subject areas

Computer Networks and Communications
Computer Science Applications

Access to Document

10.1109/WAINA.2011.111

Cite this

Ohta, M., Kanda, Y., Fukuda, K., & Sugawara, T. (2011). Analysis of spoofed IP traffic using time-to-live and identification fields in IP headers. In Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011 (pp. 355-361). [5763526] (Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011). https://doi.org/10.1109/WAINA.2011.111

Analysis of spoofed IP traffic using time-to-live and identification fields in IP headers. / Ohta, Masayuki; Kanda, Yoshiki; Fukuda, Kensuke et al.
Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011. 2011. p. 355-361 5763526 (Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Ohta, M, Kanda, Y, Fukuda, K & Sugawara, T 2011, Analysis of spoofed IP traffic using time-to-live and identification fields in IP headers. in Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011., 5763526, Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011, pp. 355-361, 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011, Biopolis, Singapore, 11/3/22. https://doi.org/10.1109/WAINA.2011.111

Ohta M, Kanda Y, Fukuda K, Sugawara T. Analysis of spoofed IP traffic using time-to-live and identification fields in IP headers. In Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011. 2011. p. 355-361. 5763526. (Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011). doi: 10.1109/WAINA.2011.111

Ohta, Masayuki ; Kanda, Yoshiki ; Fukuda, Kensuke et al. / Analysis of spoofed IP traffic using time-to-live and identification fields in IP headers. Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011. 2011. pp. 355-361 (Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011).

@inproceedings{5c0547d29a324896999e637ef3ee6404,

title = "Analysis of spoofed IP traffic using time-to-live and identification fields in IP headers",

abstract = "Internet services are often exposed to many kinds of threats such as the distributed denial of service (DDoS), viruses, and worms. Since these threats cause an adverse effect on the social and economical activities on the Internet, the technologies for protecting Internet services from the threats are strongly required. Many researchers have analyzed network traffic to detect anomalous one using many packet features (e.g., TCP/IP headers). In this paper, we focus on the Time To Live (TTL) and Identification fields (IPID) of the IP header to understand the anomalous traffic behavior, since source IP addresses are often spoofed. We propose a method to distinguish a plausible spoofed IP address from others based on a sequence of TTL and IPID fields. We show that our method can extract a number of plausible spoofing packets from real dark net traces in which all of the packets were not normal.",

keywords = "darknet, network security, source spoofing",

author = "Masayuki Ohta and Yoshiki Kanda and Kensuke Fukuda and Toshiharu Sugawara",

year = "2011",

doi = "10.1109/WAINA.2011.111",

language = "English",

isbn = "9780769543383",

series = "Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011",

pages = "355--361",

booktitle = "Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011",

note = "25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011 ; Conference date: 22-03-2011 Through 25-03-2011",

}

TY - GEN

T1 - Analysis of spoofed IP traffic using time-to-live and identification fields in IP headers

AU - Ohta, Masayuki

AU - Kanda, Yoshiki

AU - Fukuda, Kensuke

AU - Sugawara, Toshiharu

PY - 2011

Y1 - 2011

N2 - Internet services are often exposed to many kinds of threats such as the distributed denial of service (DDoS), viruses, and worms. Since these threats cause an adverse effect on the social and economical activities on the Internet, the technologies for protecting Internet services from the threats are strongly required. Many researchers have analyzed network traffic to detect anomalous one using many packet features (e.g., TCP/IP headers). In this paper, we focus on the Time To Live (TTL) and Identification fields (IPID) of the IP header to understand the anomalous traffic behavior, since source IP addresses are often spoofed. We propose a method to distinguish a plausible spoofed IP address from others based on a sequence of TTL and IPID fields. We show that our method can extract a number of plausible spoofing packets from real dark net traces in which all of the packets were not normal.

AB - Internet services are often exposed to many kinds of threats such as the distributed denial of service (DDoS), viruses, and worms. Since these threats cause an adverse effect on the social and economical activities on the Internet, the technologies for protecting Internet services from the threats are strongly required. Many researchers have analyzed network traffic to detect anomalous one using many packet features (e.g., TCP/IP headers). In this paper, we focus on the Time To Live (TTL) and Identification fields (IPID) of the IP header to understand the anomalous traffic behavior, since source IP addresses are often spoofed. We propose a method to distinguish a plausible spoofed IP address from others based on a sequence of TTL and IPID fields. We show that our method can extract a number of plausible spoofing packets from real dark net traces in which all of the packets were not normal.

KW - darknet

KW - network security

KW - source spoofing

UR - http://www.scopus.com/inward/record.url?scp=79957569612&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=79957569612&partnerID=8YFLogxK

U2 - 10.1109/WAINA.2011.111

DO - 10.1109/WAINA.2011.111

M3 - Conference contribution

AN - SCOPUS:79957569612

SN - 9780769543383

T3 - Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011

SP - 355

EP - 361

BT - Proceedings - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011

T2 - 25th IEEE International Conference on Advanced Information Networking and Applications Workshops, WAINA 2011

Y2 - 22 March 2011 through 25 March 2011

ER -

Analysis of spoofed IP traffic using time-to-live and identification fields in IP headers

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this