Mobile Ad hoc NETworks (MANETs) hold a lot of promise for many practical applications. However, MANETs are vulnerable to a number of attacks due to their autonomous nature. DoS/DDoS attacker traceback is especially challenging in MANETs because of the lack of infrastructure. In this paper, we propose an efficient on-the-fly search technique, SWAT, to trace back DoS and DDoS attackers in MANETs. Our scheme borrows from small worlds, utilizes the concept of Contacts, and uses Traffic Pattern Matching (TPM) and Traffic Volume Matching (TVM) techniques. We also propose multi-directional search, in-network processing and query suppression to reduce communication overhead in energy-constrained MANETs and increase traceback robustness against spoofing and collusion. Simulation results show that SWAT successfully traces back DoS and DDoS attackers under reasonable background traffic. In addition, SWAT incurs low communication overhead (22% compared to flooding-based search).
Introduction
Flooding-type/direct DoS [1][2][3][4] and DDoS [8] attacks consume the resources of a remote host or network, thereby denying or degrading service to legitimate users. Such attacks have several characteristics: (I) Traffic volume abnormally increases during the attack period. (II) Attackers routinely disguise their location using incorrect/spoofed addresses. (III) It is reported that such attacks may persist for tens of minutes and in some cases for several days [1].
IP traceback in the Internet, which tracks down attacker(s), is a useful technique for forensics and to discourage attackers. Several IP traceback schemes have been proposed for the Internet, such as packet marking [14], logging [11], ICMP traceback [6,13], and others [5]. Such traceback schemes, developed for fixed networks, are not directly applicable to MANETs for the following reasons.
In MANETs, there is no fixed infrastructure. Each node acts as an autonomous terminal, acting as both host and router. Node mobility frequently changes network topology.
In general, network bandwidth and battery power are limited.
To perform efficient DoS/DDoS attacker traceback under such a harsh environment in MANETs, we propose an efficient on-the-fly traceback technique. For that, we leverage the small world model. The concept of small worlds was studied in the 60's in the context of social networks [12], during which experiments of mail delivery using acquaintances resulted in an average of 'six degrees of separation', i.e., on average a letter needed six acquaintances to be delivered. Recent research by Watts [16] has shown that in relational graphs adding a small number of random links to regular graphs results in graphs with low average path length and high clustering. Such graphs are called small world graphs. Helmy [9][10] established the applicability of small world graphs to MANETs.
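
The small-world effect cited from Watts can be checked numerically. The following is an added example, not code from the paper: it uses a ring lattice as the regular graph, and the sizes (200 nodes, 4 neighbours each, 10 random links) and the seed are constructed values.

```python
import random
from collections import deque
from itertools import combinations

def ring_lattice(n, k):
    # Regular graph: each node links to its k nearest ring neighbours (k even).
    steps = [s for s in range(-(k // 2), k // 2 + 1) if s]
    return {v: {(v + s) % n for s in steps} for v in range(n)}

def add_random_links(adj, count, seed):
    # Copy the graph and add `count` random links between non-adjacent nodes.
    rng = random.Random(seed)
    out = {v: set(nb) for v, nb in adj.items()}
    while count > 0:
        a, b = rng.sample(range(len(out)), 2)
        if b not in out[a]:
            out[a].add(b)
            out[b].add(a)
            count -= 1
    return out

def avg_path_length(adj):
    # Mean hop count over all node pairs, by breadth-first search from each node.
    total = pairs = 0
    for src in adj:
        dist, queue = {src: 0}, deque([src])
        while queue:
            u = queue.popleft()
            for w in adj[u]:
                if w not in dist:
                    dist[w] = dist[u] + 1
                    queue.append(w)
        total += sum(dist.values())
        pairs += len(dist) - 1
    return total / pairs

def avg_clustering(adj):
    # Mean fraction of each node's neighbour pairs that are themselves linked.
    total = 0.0
    for nb in adj.values():
        linked = sum(1 for a, b in combinations(nb, 2) if b in adj[a])
        total += linked / max(1, len(nb) * (len(nb) - 1) // 2)
    return total / len(adj)

if __name__ == "__main__":
    base = ring_lattice(200, 4)  # constructed sample topology
    for g in (base, add_random_links(base, 10, seed=1)):
        print(round(avg_path_length(g), 2), round(avg_clustering(g), 3))
```

The first printed pair is the regular graph and the second is the same graph with the extra links, so the two columns show the change in average path length and in clustering.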
Helmy found that path length of wireless networks is drastically reduced by adding a few random links (resembling a small world). Establishing a small world reduces the degrees of separation be...