Hash-Based IP Traceback - PowerPoint PPT Presentation

About This Presentation
Title:

Hash-Based IP Traceback

Description:

Hash-Based IP Traceback. Alex C. Snoeren , Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, W. Timothy Strayer ... – PowerPoint PPT presentation

Number of Views:101
Avg rating:3.0/5.0
Slides: 16
Provided by: alexcs
Learn more at: http://nms.lcs.mit.edu
Category:
Tags: alex | based | hash | jones | traceback

less

Transcript and Presenter's Notes

Title: Hash-Based IP Traceback


1
Hash-Based IP Traceback
  • Alex C. Snoeren, Craig Partridge,
  • Luis A. Sanchez, Christine E. Jones, Fabrice
    Tchakountio,
  • Stephen T. Kent, W. Timothy Strayer
  • BBN Technologies
  • MIT Laboratory for Computer Science

2
The Need for Traceback
  • Internet hosts are vulnerable
  • Many attacks consist of very few packets
  • Fraggle, Teardrop, ping-of-death, etc.
  • Internet Protocol permits anonymity
  • Attackers can spoof source address
  • IP forwarding maintains no audit trails
  • Need a separate traceback facility
  • For a given packet, find the path to source

3
Approaches to Traceback
  • Path data can be noted in several places
  • In the packet itself Savage et al.,
  • At the destination I-Trace, or
  • In the network infrastructure
  • Logging a naïve in-network approach
  • Record each packet forwarding event
  • Can trace a single packet to a source router,
    ingress point, or subverted router(s)

4
Log-Based Traceback
R
R
A
R
R
R
R
R7
R4
R6
R5
R
R3
R1
R2
V
5
Challenges to Logging
  • Attack path reconstruction is difficult
  • Packet may be transformed as it moves through the
    network
  • Full packet storage is problematic
  • Memory requirements are prohibitive at high line
    speeds (OC-192 is 10Mpkt/sec)
  • Extensive packet logs are a privacy risk
  • Traffic repositories may aid eavesdroppers

6
Solution Packet Digesting
  • Record only invariant packet content
  • Mask dynamic fields (TTL, checksum, etc.)
  • Store information required to invert packet
    transformations at performing router
  • Compute packet digests instead
  • Use hash function to compute small digest
  • Store probabilistically in Bloom filters
  • Impossible to retrieve stored packets

7
Invariant Content
Total Length
Ver
TOS
HLen
Identification
Fragment Offset
M F
D F
Checksum
TTL
Protocol
28 bytes
Source Address
Destination Address
Options
First 8 bytes of Payload
Remainder of Payload
8
Impact of Traffic Diversity
1
WAN (6031 hp)
0.1
LAN (2879 hp)
0.01
Fraction of Collided Packets
0.001
0.0001
1e-05
1e-06
20
22
24
26
28
30
32
34
36
38
40
Prefix Length (in bytes)
9
Bloom Filters
  • Fixed structure size
  • Uses 2n bit array
  • Initialized to zeros
  • Insertion is easy
  • Use n-bit digest as indices into bit array

n bits
1
H(P)
2n bits
  • Variable capacity
  • Easy to adjust
  • Page when full

10
Mistake Propagation is Limited
  • Bloom filters may be mistaken
  • Mistake frequency can be controlled
  • Depends on capacity of full filters
  • Neighboring routers wont be fooled
  • Vary hash functions used in Bloom filters
  • Each router select hashes independently
  • Long chains of mistakes highly unlikely
  • Probability drops exponentially with length

11
Adjusting Graph Accuracy
  • False positives rate depends on
  • Length of the attack path
  • Complexity of network topology
  • Capacity of Bloom filters
  • Bloom filter capacity is easy to adjust
  • Required filter capacity varies with router speed
    and number of neighbors
  • Appropriate capacity settings achieve linear
    error growth with path length

12
Simulation Results
1
1
1
1
Random Graph
Real ISP, 100 Utilization
Real ISP, Actual Utilization
0.8
0.8
0.8
0.8
0.6
0.6
0.6
0.6
Expected Number of False Positives
0.4
0.4
0.4
0.4
0.2
0.2
0.2
0.2
0
0
0
0
0
5
10
15
20
25
30
0
5
10
15
20
25
30
0
5
10
15
20
25
30
0
5
10
15
20
25
30
Length of Attack Path (in hops)
Length of Attack Path (in hops)
Length of Attack Path (in hops)
Length of Attack Path (in hops)
13
How long can digests last?
  • Filters require 0.5 of link capacity
  • Four OC-3s require 47MB per minute
  • A single drive can store a whole day
  • Access times are equally important
  • Current drives can write gt3GB per minute
  • OC-192 needs SRAM access times
  • Still viable tomorrow
  • 128 OC-192 links need lt100GB per minute

14
Prototype Implementation
  • Implemented on a FreeBSD PC router
  • Packet digesting on kernel forwarding path
  • Bloom filters stored in kernel space
  • Zero-copy kernel/user table move
  • User-level query-support daemons
  • Supports topology discovery through gated
  • Queries automatically triggered by IDS

15
Summary
  • Hash-based traceback is viable
  • With reasonable memory constraints
  • Supports common packet transforms
  • Timely tracing of individual packets
  • Publicly Available Implementation
  • FreeBSD version will be available soon
  • Linux port coming shortly thereafter.
  • http//www.ir.bbn.com/projects/SPIE

16
SPIE Architecture
  • Data Generation Agents (DGAs)
  • Compute packet digests maintain tables
  • Reside in, at, or near each router
  • Collection reduction agents (SCARs)
  • Maintain local topology information
  • Generate attack sub-graphs
  • Traceback manager (STM)
  • Authenticates and manages query process

17
Transformations
  • Occasionally invariant content changes
  • Network Address Translation (NAT)
  • IP/IPsec Encapsulation, etc.
  • Packets sometimes give rise to others
  • IP Fragmentation
  • ICMP errors (smurf attacks)
  • Routers need to invert these transforms
  • Often requires additional information

18
Transform Lookup Table
  • Only need to restore invariant content
  • Often available from the transform (e.g., ICMP)
  • Otherwise, save data at transforming router
  • Index required data by transformed packet digest
  • Record transform type and sufficient data to
    invert
  • Use indirect storage for complicated transforms

19
Hardware Implementation
Write a Comment
User Comments (0)
About PowerShow.com