Single-Packet IP Traceback - PowerPoint PPT Presentation

Provided by: alexcs
Learn more at: http://nms.lcs.mit.edu
1
Single-Packet IP Traceback
  • Alex C. Snoeren
  • BBN Technologies
  • (with Craig Partridge, Tim Strayer, Christine Jones, Fabrice Tchakountio, Beverly Schwartz, Matthew Condell, Bob Clements, and Steve Kent)

2
SPIE in Action
3
Challenges to Logging
  • Attack path reconstruction is difficult
      • Packet may be transformed as it moves through the network
  • Full packet storage is problematic
      • Memory requirements are prohibitive at high line speeds (OC-192 is 10 Mpkt/sec)
      • Extensive packet logs are a privacy risk
      • Traffic repositories may aid eavesdroppers

4
Packet Digesting
  • Record only invariant packet content
      • Mask dynamic fields (TTL, checksum, etc.)
      • Store the information required to invert packet transformations at the router that performs them
  • Compute packet digests instead
      • Use a hash function to compute a small digest
      • Store probabilistically in Bloom filters
      • Stored packets cannot be retrieved from the digests

5
Invariant Content
Figure: IPv4 header layout (Ver, HLen, TOS, Total Length, Identification, DF, MF, Fragment Offset, TTL, Protocol, Checksum, Source Address, Destination Address, Options) followed by the payload. The 20-byte header plus the first 8 bytes of payload (28 bytes in total) is the invariant content that gets digested; TTL and checksum are masked, and the remainder of the payload is not digested.
6
Bloom Filters
  • Fixed structure size
      • Uses an M-bit array, initialized to zeros
  • Insertion is easy
      • Use the l-bit digest H(P) as indices into the bit array
  • Variable capacity
      • Easy to adjust
      • Store up to n packets

Figure: the l-bit digest H(P) of a packet P selects positions in the M-bit array, and each selected bit is set to 1.
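The following is an added example of the digesting scheme on slides 4 to 7; it is not SPIE's own code. It masks TTL and checksum (the two fields the slides name), hashes the header plus the first 8 payload bytes, and stores the result in a per-router Bloom filter whose indices are carved from a salted hash so neighbouring routers hash independently. The table size (64 Kibit), k = 3, the router salts, the addresses and the packets are all constructed for the illustration.

```python
import hashlib
import socket
import struct

# Added example (not SPIE's own code) of the digesting scheme on slides 4-7:
# mask the dynamic header fields, hash the remaining 28 bytes, and store the
# digest in a per-router Bloom filter. Packets, addresses, salts and sizes
# below are constructed for the illustration.


def invariant_content(packet: bytes) -> bytes:
    """Bytes SPIE digests: the IPv4 header (IHL*4 bytes) with TTL and header
    checksum zeroed, plus the first 8 bytes of payload.  Slide 4 masks
    'TTL, checksum, etc.'; only those two fields are masked here."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    header = bytearray(packet[:ihl])
    header[8] = 0                  # TTL changes at every hop
    header[10:12] = b"\x00\x00"    # so does the header checksum
    return bytes(header) + packet[ihl:ihl + 8]   # remainder of payload is not digested


class DigestTable:
    """Bloom filter over packet digests (slide 6): an M-bit array addressed by
    k indices of log2(M) bits each, carved out of an l-bit hash (l = k*log2(M)).
    The per-router salt makes neighbouring routers' hash functions independent
    (slide 7), so one router's false positive is not repeated by the next."""

    def __init__(self, m_bits: int, k: int, router_salt: bytes):
        if m_bits & (m_bits - 1):
            raise ValueError("m_bits must be a power of two")
        self.m_bits, self.k, self.salt = m_bits, k, router_salt
        self.index_bits = m_bits.bit_length() - 1
        if self.k * self.index_bits > 256:
            raise ValueError("l exceeds the 256-bit hash used here")
        self.bits = 0        # a Python int serves as the M-bit array
        self.count = 0       # packets stored so far (capacity n is a policy choice)

    def indices(self, content: bytes) -> list:
        l = self.k * self.index_bits
        h = hashlib.sha256(self.salt + content).digest()
        value = int.from_bytes(h, "big") >> (256 - l)        # keep l bits
        mask = self.m_bits - 1
        return [(value >> (i * self.index_bits)) & mask for i in range(self.k)]

    def insert(self, packet: bytes) -> None:
        for idx in self.indices(invariant_content(packet)):
            self.bits |= 1 << idx
        self.count += 1

    def query(self, packet: bytes) -> bool:
        """True if the packet may have been seen (false positives possible),
        False if it definitely was not.  Stored packets cannot be recovered."""
        return all((self.bits >> idx) & 1 for idx in self.indices(invariant_content(packet)))


def ip_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src: str, dst: str, ttl: int, ident: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet (protocol 17, DF set, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                      ttl, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def forward_hop(packet: bytes) -> bytes:
    """What each router does on the forwarding path: TTL-1 and a new checksum."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def demo() -> dict:
    r1 = DigestTable(1 << 16, 3, b"router-1")     # 64 Kibit table, k = 3, l = 48
    r2 = DigestTable(1 << 16, 3, b"router-2")
    pkt = ipv4_packet("10.0.0.1", "192.0.2.9", 64, 0x1234, b"attack payload bytes")
    r1.insert(pkt)
    at_r2 = forward_hop(pkt)                       # TTL 63, different checksum
    r2.insert(at_r2)
    other = ipv4_packet("10.0.0.1", "192.0.2.9", 64, 0x1235, b"attack payload bytes")
    content = invariant_content(pkt)
    return {
        "digest_invariant": invariant_content(at_r2) == content,
        "r1_saw_it": r1.query(at_r2),       # victim presents the packet as received
        "r1_saw_other": r1.query(other),    # False: only the identification differs
        "hashes_independent": r1.indices(content) != r2.indices(content),
    }
```

The victim queries with the packet as it arrived; because TTL and checksum are masked, that packet digests to the same value at every hop, which is what makes a single-packet query possible at all. The table answers only membership, never the packet itself, which is the privacy property slide 4 is after.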

7
Limited Error Propagation
  • Bloom filters may be mistaken
      • Mistake frequency can be controlled
      • Depends on capacity of full filters
  • Neighboring routers won't be fooled
      • Vary hash functions used in Bloom filters
      • Each router selects hashes independently
  • Long chains of mistakes highly unlikely
      • Probability drops exponentially with length

8
False Positive Distribution
Figure: false-positive distribution on an example topology with attacker A, victim V, routers R1 through R7 and further unlabeled routers R; each router on the true path can wrongly attach some of its neighbors to the reconstructed graph.
9
Adjusting Graph Accuracy
  • False positive rate depends on
      • Length of the attack path, N
      • Complexity of network topology, d
      • Capacity of Bloom filters, which sets the per-filter false positive rate P
  • Bloom filter capacity is easy to adjust
      • Required filter capacity varies with router speed and number of neighbors
      • Appropriate capacity settings achieve linear error growth with path length
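The linear error growth claimed here follows from a geometric series in the per-hop false-positive rate. The derivation below is added and is not on the slides; it uses the slide's own N, d and P, and the per-hop rate ε = dP is the one quantity it introduces. Its result matches the N/7 annotation on the simulation slide that follows.

```latex
\begin{align*}
&\text{A query at a path router fans out to its } d \text{ neighbours; each answers falsely with}\\
&\text{probability } P, \text{ so the expected number of false branches per hop is } \varepsilon = dP.\\[4pt]
&\text{A falsely implicated router is queried in turn and spawns } \varepsilon \text{ further false branches}\\
&\text{in expectation, so the false subtree hanging off one true path router has expected size}\\
&\qquad \varepsilon + \varepsilon^{2} + \varepsilon^{3} + \cdots = \frac{\varepsilon}{1-\varepsilon} \qquad (\varepsilon < 1),\\[4pt]
&\text{and a chain of } j \text{ consecutive mistakes has probability } \varepsilon^{j}, \text{ exponentially small in } j.\\[4pt]
&\text{Summing over the } N \text{ routers of the true path:}\\
&\qquad \mathbb{E}[\text{false positives}] = N\,\frac{\varepsilon}{1-\varepsilon}, \qquad \varepsilon = \tfrac{1}{8} \;\Rightarrow\; \tfrac{N}{7}.\\[4pt]
&\text{Holding } \varepsilon \text{ fixed at a router of degree } d \text{ therefore requires } P = \varepsilon/d;\\
&\text{treating degree as irrelevant (degree independence) gives } P = \varepsilon.
\end{align*}
```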

10
Simulation Results
Figure: three panels, "Random Graph", "Real ISP, 100% Utilization" and "Real ISP, Actual Utilization", each plotting Expected Number of False Positives (vertical ticks 0 to 1) against Length of Attack Path (N) from 0 to 30. Annotations: expected false positives ≈ Nε/(1−ε), which is N/7 for ε ≈ 1/8; filters sized with P = ε ("may be able to assume degree independence") versus P = ε/d.
11
How Big are Digests?
  • Quick rule of thumb
      • ε ≈ 1/8, assuming degree independence
      • Bloom filter with k = 3, M/n = 5 bits per packet
      • Assume packets are 1000 bits
      • Filters require 0.5% of link capacity
      • Four OC-3s require 47MB per minute
      • 128 OC-192 links need
  • Access times are equally important
      • Current drives can write 3GB per minute
      • OC-192 needs SRAM access times
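The numbers on this slide can be checked with the standard Bloom-filter estimate and the slide's own 1000-bit packet and 5-bits-per-packet assumptions. The code below is an added worked example, not from the deck: the SONET payload rates are standard, and the assumption that both directions of every link are digested is mine, chosen because it is what reproduces the slide's 47 MB per minute for four OC-3s.

```python
import math

# Added worked numbers for the sizing rule of thumb on this slide (not from the
# deck itself).  Link rates are SONET payload rates; the assumption that both
# directions of each link are digested is mine, chosen because it reproduces
# the slide's 47 MB/minute for four OC-3s.

OC3_BPS = 155.52e6
OC192_BPS = 9953.28e6
PACKET_BITS = 1000          # slide's assumption: average packet of 1000 bits


def bloom_false_positive_rate(k: int, bits_per_packet: float) -> float:
    """Classic Bloom-filter estimate (1 - e^(-k n/M))^k with M/n = bits_per_packet."""
    return (1.0 - math.exp(-k / bits_per_packet)) ** k


def bits_per_packet_for(k: int, target_rate: float) -> float:
    """Invert the estimate: M/n needed so a k-hash filter stays at target_rate
    when full (n packets stored)."""
    return -k / math.log(1.0 - target_rate ** (1.0 / k))


def digest_bytes_per_minute(link_bps: float, links: int, bits_per_packet: float,
                            duplex: bool = True) -> float:
    """Digest storage rate: the filters take bits_per_packet/PACKET_BITS of
    link capacity, accumulated for sixty seconds."""
    directions = 2 if duplex else 1
    fraction = bits_per_packet / PACKET_BITS
    return link_bps * links * directions * fraction * 60 / 8


def packet_service_time_ns(link_bps: float) -> float:
    """Time budget per packet at line rate; at OC-192 this is ~100 ns, hence SRAM."""
    return PACKET_BITS / link_bps * 1e9


def demo() -> dict:
    return {
        # ~0.092 when the filter is full: the slide's 1/8 is a conservative rounding
        "p_k3_5bits": bloom_false_positive_rate(3, 5.0),
        # ~4.3 bits/packet suffice for eps = 1/8 under degree independence
        "bits_for_1_8": bits_per_packet_for(3, 1 / 8),
        # P = eps/d at a router with d = 8 neighbours: ~10.4 bits/packet
        "bits_for_degree_8": bits_per_packet_for(3, 1 / 8 / 8),
        # ~46.7 MB/minute, the slide's 47 MB, only if both directions are digested
        "four_oc3_MB_per_min": digest_bytes_per_minute(OC3_BPS, 4, 5.0) / 1e6,
        # ~746 MB/minute for one OC-192, a quarter of the slide's 3 GB/minute disk write rate
        "one_oc192_MB_per_min": digest_bytes_per_minute(OC192_BPS, 1, 5.0) / 1e6,
        # ~100 ns per packet at OC-192
        "oc192_ns_per_packet": packet_service_time_ns(OC192_BPS),
    }
```

The degree term is what makes capacity a per-router setting: a router with eight neighbours needs more than twice the bits per packet of a degree-independent estimate to hold the same per-hop error, which is why the previous slide ties required capacity to the number of neighbors as well as to link speed.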

12
Filter Paging
  • Small Bloom filters
      • Random access
      • Need fast memory
  • Store multiple filters
      • Increase time span
      • Ring buffer avoids memory copies
      • Timestamp each bin
      • Fence-post issues
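Paging, as an added example rather than SPIE's implementation: a ring of small filters, each stamped with the interval it covers, reused in place when the ring wraps. The Bloom filter is reduced to a 64 Kibit integer with three 16-bit indices taken from a salted hash; the page length, timestamps and digests are constructed. The `slack` argument on the query is how the example handles the fence-post issue the slide mentions.

```python
import hashlib

# Added example (not SPIE's own code) of the filter paging on this slide: a
# ring of small Bloom filters, each stamped with the interval it covers.  The
# Bloom filter is reduced to a 64 Kibit integer with three 16-bit indices;
# page length, timestamps and digests are constructed for the illustration.


class PagedDigestTable:
    def __init__(self, n_pages: int, page_seconds: float, salt: bytes = b"router-A"):
        self.page_seconds = page_seconds
        self.salt = salt
        # Ring buffer of pages: [bits, start, end].  A slot is reset in place when
        # the ring wraps, so no filter is ever copied out of fast memory.
        self.ring = [[0, None, None] for _ in range(n_pages)]
        self.head = -1                       # slot currently being filled

    def _indices(self, digest: bytes) -> list:
        h = hashlib.sha256(self.salt + digest).digest()     # salted per router
        return [int.from_bytes(h[2 * i:2 * i + 2], "big") for i in range(3)]

    def _open_page(self, now: float) -> None:
        if self.head >= 0:
            self.ring[self.head][2] = now    # close the page just filled
        self.head = (self.head + 1) % len(self.ring)
        self.ring[self.head][:] = [0, now, None]   # overwrite the oldest slot

    def insert(self, digest: bytes, now: float) -> None:
        if self.head < 0 or now >= self.ring[self.head][1] + self.page_seconds:
            self._open_page(now)
        for idx in self._indices(digest):
            self.ring[self.head][0] |= 1 << idx

    def _in_page(self, page: list, digest: bytes) -> bool:
        return all((page[0] >> idx) & 1 for idx in self._indices(digest))

    def query(self, digest: bytes, seen_at: float, slack: float = 0.0) -> str:
        """Did a packet with this digest pass here around time seen_at?
        Returns 'hit', 'miss' or 'expired' (that interval has been overwritten).
        slack widens the lookup to the neighbouring pages: this is the fence-post
        issue, a timestamp near a bin boundary may belong to either bin."""
        live = [p for p in self.ring if p[1] is not None]
        if not live or seen_at + slack < min(p[1] for p in live):
            return "expired"
        for page in live:
            end = page[2] if page[2] is not None else float("inf")
            if page[1] - slack <= seen_at < end + slack and self._in_page(page, digest):
                return "hit"
        return "miss"


def d(name: bytes) -> bytes:
    """Stand-in for a packet digest."""
    return hashlib.sha1(name).digest()


def demo() -> dict:
    table = PagedDigestTable(n_pages=3, page_seconds=10.0)
    table.insert(d(b"pkt-early"), now=0.0)          # opens page A
    table.insert(d(b"pkt-boundary"), now=9.999)     # still page A
    table.insert(d(b"pkt-mid"), now=12.0)           # opens page B; A now covers [0, 12)
    table.insert(d(b"pkt-late"), now=25.0)          # opens page C; B covers [12, 25)
    out = {
        "hit_in_window": table.query(d(b"pkt-mid"), seen_at=12.5),
        "boundary_no_slack": table.query(d(b"pkt-boundary"), seen_at=12.0),    # looks in B only
        "boundary_with_slack": table.query(d(b"pkt-boundary"), seen_at=12.0, slack=2.0),
        "unknown": table.query(d(b"pkt-never"), seen_at=26.0),
        "before_wrap": table.query(d(b"pkt-early"), seen_at=1.0),
    }
    table.insert(d(b"pkt-wrap"), now=40.0)          # ring wraps: page A's slot is reused
    out["after_wrap"] = table.query(d(b"pkt-early"), seen_at=1.0)
    return out
```

Two things the demo makes concrete: the packet stored at 9.999 is invisible to a query stamped 12.0 unless the lookup is widened to the neighbouring page, and once the ring wraps the answer for the overwritten interval is not "miss" but "expired", which a traceback agent must treat differently from a definite negative.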

13
Transformations
  • Occasionally invariant content changes
      • Network Address Translation (NAT)
      • IP/IPsec encapsulation, etc.
      • IP fragmentation
      • ICMP errors/requests
  • Routers need to invert these transforms
      • Often requires additional information
      • Can store this information at the router

14
Transform Lookup Table
  • Only need to restore invariant content
      • Often available from the transform (e.g., ICMP)
      • Otherwise, save data at the transforming router
  • Index required data by transformed packet digest
      • Record transform type and sufficient data to invert
  • Bounded by transform performance of router
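An added example of the transform lookup table on slides 13 and 14 (not SPIE's own code), with the two cases the slide distinguishes: a NAT, where the router has to save data, and an ICMP error, where the original header rides inside the error message and nothing needs saving. Headers are assumed to carry no options, the checksum is left at zero because it is masked out of the digest anyway, and the addresses, ports and payload are constructed.

```python
import hashlib
import socket
import struct

# Added example (not SPIE's own code) of the transform lookup table on slides
# 13-14.  Two constructed transforms: a NAT that rewrites the source address and
# port (data must be saved), and an ICMP error (the original header travels
# inside the error, so nothing need be saved).  Headers are assumed to carry no
# options and the checksum is left at zero, since it is masked out anyway.


def invariant(pkt: bytes) -> bytes:
    """20-byte header with TTL and checksum zeroed, plus the first 8 payload bytes."""
    h = bytearray(pkt[:20])
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h) + pkt[20:28]


def digest(pkt: bytes) -> bytes:
    return hashlib.sha256(invariant(pkt)).digest()


def make_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


class TransformLookupTable:
    """Keyed by the digest of the packet as it *left* the router, so a query
    arriving with the transformed packet can be mapped back to the invariant
    content of the packet that arrived (slide 14)."""

    def __init__(self):
        self.entries = {}          # digest -> (transform type, data needed to invert)

    def record(self, out_pkt: bytes, kind: str, data: bytes = b"") -> None:
        self.entries[digest(out_pkt)] = (kind, data)

    def invert(self, out_pkt: bytes):
        """Invariant content of the pre-transform packet, or None if unknown here."""
        entry = self.entries.get(digest(out_pkt))
        if entry is None:
            return None
        kind, data = entry
        if kind == "NAPT-SRC":
            inv = bytearray(invariant(out_pkt))
            inv[12:16] = data[:4]          # original source address ...
            inv[20:22] = data[4:6]         # ... and original source port (in the first 8 payload bytes)
            return bytes(inv)
        if kind == "ICMP-ERROR":
            # outer IP header (20) + ICMP header (8) + original header and 8 payload bytes
            return invariant(out_pkt[28:56])
        raise ValueError("unknown transform " + kind)


def demo() -> dict:
    tlt = TransformLookupTable()
    udp = struct.pack("!HHHH", 40000, 53, 8 + 12, 0) + b"query bytes."    # constructed UDP payload
    original = make_packet("10.1.1.7", "192.0.2.9", 17, udp)

    # Transform 1: NAPT rewrites the private source address and port on the way out.
    natted = (original[:12] + socket.inet_aton("198.51.100.1") + original[16:20]
              + struct.pack("!H", 61000) + original[22:])
    tlt.record(natted, "NAPT-SRC", data=original[12:16] + original[20:22])

    # Transform 2: a router answers the original packet with ICMP Time Exceeded.
    icmp = make_packet("203.0.113.2", "10.1.1.7", 1,
                       struct.pack("!BBHI", 11, 0, 0, 0) + original[:28])
    tlt.record(icmp, "ICMP-ERROR")

    stranger = make_packet("10.9.9.9", "192.0.2.9", 17, udp)
    return {
        "nat_changes_digest": digest(natted) != digest(original),
        "nat_inverted": tlt.invert(natted) == invariant(original),
        "icmp_inverted": tlt.invert(icmp) == invariant(original),
        "no_entry": tlt.invert(stranger) is None,
    }
```

One caveat worth noting: a port-rewriting NAT changes bytes inside the first 8 bytes of payload, not just the address, so the data saved per entry must cover the original port as well, or the recovered digest will not match what upstream routers stored.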

15
Prototype Implementation
  • Implemented in PC-based routers
      • Both FreeBSD and Linux implementations
  • Packet digesting on kernel forwarding path
      • Zero-copy kernel/user digest tables
      • Digest tables and TLT stored in kernel space
  • User-level query-support daemons
      • Supports automatic topology discovery
      • Queries automatically triggered by IDS

16
SPIEDER Approach
Figure: two deployment options. Either each router has an internal Data Generation Agent (DGA), or an external DGA sits beside a router that lacks one; router plus external DGA together form the SPIE DGA Encompassing Router (SPIEDER).
17
Summary
  • Hash-based traceback is viable
      • With reasonable memory constraints
      • Supports common packet transforms
      • Timely tracing of individual packets
  • Publicly available implementations
      • FreeBSD/Linux versions available now
      • SPIEDER-based solution in development
      • http://www.ir.bbn.com/projects/SPIE