Source Path Isolation Engine - PowerPoint PPT Presentation

1
Source Path Isolation Engine
  • Tim Strayer, Luis A. Sanchez, Craig Partridge, Alex Snoeren,
    Christine Jones, Fabrice Tchakountio, Walter Milliken, Steve Kent
  • Internetworking Research Department

2
SPIE Programmatics
  • Project Start Date June 30, 2000
  • Contract Duration 24 months
  • Agent POC S. Spendlove
  • Team Members
  • Luis A. Sanchez, Tim Strayer, Craig Partridge, Alex Snoeren,
    Christine Jones, Fabrice Tchakountio, Walter Milliken, Steve Kent

3
Tracing Attacks
  • A perfect attack tracing system would
    • Trace even the smallest possible attack
      • A single packet (a bit within a packet is still a
        packet)
    • Not modify the routing infrastructure or IP
    • Always identify the source of the attack
      • Ingress point to our network, or
      • Actual host or network of origin, or
      • One or more compromised routers
    • Have no false negatives
      • System must never state the attacker didn't do it
      • System may say the attacker is one of the following
        suspects
    • Not reduce privacy
      • Should not be able to use the system to eavesdrop

4
Logging Each Packet
  • Our starting point
  • Suppose we keep information about each packet
    that goes through each router?
  • Allows single packet attacks to be traced
  • Ensures no false negatives (at least in theory)
  • Needs a privacy solution (more on this later)
  • The overwhelming problem with logging is data
    storage

5
Minimizing Storage
  • What's the minimum information we can keep about
    each packet?
    • An OC-192c moves 10 Mpkt/s
    • So we want to store very little per packet
    • How about 1 bit?
  • Initial idea
    • Hash each packet, and set a bit in a bitmap to
      indicate we've seen the hash

6
The Basic Idea
  • As each packet goes through each router we
    • Hash it
    • Set a bit in the hash table at the router
  • To trace an attacking packet
    • Ask your neighboring router if it has seen the
      packet's hash
    • For each router that has seen the hash, ask its
      neighbors if they've seen the hash
  • Result is a graph back to a set of origins, one
    of which is the attacker

7
The Basic Idea
  [Diagram: Bad Packet Discovery]
8
Challenges
  • Hash collisions
  • Limited time to trace
  • Packet transforms
  • Realization in Hardware
  • Vulnerability issues
  • Privacy issues

9
Hash Collisions
  [Diagram: Bad Packet Discovery]
10
Hash Collisions
  • If we had the same hash function on all routers
    • If the attacker's packet's path overlaps that of
      another packet with the same hash, we'll trace both
    • Chance of collision is quite high (about equal to
      the fraction of the hash table that is full)
    • Result is a huge set of candidate origins
  • NOTE: the issue is innocents colliding with the
    attacker; if the attacker floods the packet from
    multiple sources, we just learn all the sources
  • Solution: vary the hash at each router
  • Implication: we must pass the attacking packet back
    to each router to hash (may give the
    attacker/subverter information about queries and
    the success of the attack)

11
Hash Collisions
  • Varying the hash solves the crossing-path problem
  • But a similar birthday problem occurs
    • If I have 3 neighbors and ask all of them if
      they've seen a packet, there's a chance that one
      of them will have seen a packet with the same
      hash: a false positive
    • If we ask that neighbor's neighbors, there's a
      chance that one of them will have seen a packet
      with the same hash
    • Because we vary the hash, this chain of false
      positives is probabilistic (product of the
      probabilities of a hash collision at each hop)
  • Challenge is to keep the probability low while
    keeping hash tables reasonably filled
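The compounding false-positive argument of this slide, carried through as an added example (it is not part of the presentation). The model is this example's own assumption: a regular topology in which every router has d neighbors, independent per-router hashes, and a bitmap fill fraction p, so an innocent neighbor "confirms" a hash it never saw with probability p. A false branch of length i then survives with probability p^i, and each true-path router has about (d-1)^i such branches, which is where the product of collision probabilities the slide mentions turns into a geometric series. The function names and the Monte Carlo check are also this example's own.

```python
"""False-positive growth in hash-based traceback: the compounding argument of the
Hash Collisions slides worked out.  Added example, not from the presentation.
Assumed model: every router has d neighbours, per-router hashes are independent,
and a fraction p of each router's bitmap is set, so a router that never saw the
packet still "confirms" it with probability p."""
import random
from typing import Optional


def expected_false_nodes_per_hop(p: float, d: int, max_depth: Optional[int] = None) -> float:
    """Expected false-positive routers hanging off one true-path router.

    Each true-path router has d-1 off-path neighbours; a false branch of length i
    survives with probability p**i (product of i independent collision probabilities)
    and there are (d-1)**i such branch paths, so the total is sum_i ((d-1)*p)**i.
    Without a depth limit that converges only when (d-1)*p < 1."""
    r = (d - 1) * p
    if max_depth is None:
        return float("inf") if r >= 1.0 else r / (1.0 - r)
    return sum(r ** i for i in range(1, max_depth + 1))


def max_fill_for_budget(d: int, budget: float) -> float:
    """Largest bitmap fill fraction p that keeps expected false nodes per hop <= budget
    (inverts r/(1-r) <= budget with r = (d-1)*p)."""
    r = budget / (1.0 + budget)
    return r / (d - 1)


def simulate_false_nodes(p: float, d: int, max_depth: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of the formula: grow false branches from one true-path
    router, each off-path neighbour answering 'seen' with probability p."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        frontier = d - 1                      # off-path neighbours asked at depth 1
        for _depth in range(max_depth):
            confirmed = sum(1 for _ in range(frontier) if rng.random() < p)
            total += confirmed
            frontier = confirmed * (d - 1)    # each false router is asked about its own neighbours
            if frontier == 0:
                break
    return total / trials
```

With d = 3 and p = 0.1 the series gives 0.25 false routers per true-path hop; holding that budget fixes the bitmap fill at 10%, which is the tension between low false-positive probability and well-filled tables that the last bullet describes. Once (d-1)p reaches 1 the expected candidate set no longer converges at all.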

12
How Late Can You Trace?
  • How long after an attack can you trace the
    packet?
    • In a perfect world, you'd like hours or days
  • Can we save router bitmaps at a server?
    • Yes: we're saving 1 bit per packet, about 0.1% of
      network bandwidth (after compression)
    • No: router control systems aren't designed for
      this much non-production traffic
  • For now, save data on the router
    • Limits traceback time to a minute or so

13
Transforms
  • Defined as any network function that takes an
    original packet into a new packet
  • Basic Modification
    • Packet is modified, but retains its basic structure
    • Transformed packet is forwarded to the final destination
    • Fragmentation, Source Route, NAT, Packet Marking
  • Packet Encapsulation
    • Packet is not modified, but encapsulated
    • Transformed packet is forwarded to an intermediate
      destination
    • IPsec, IP-IP, MPLS
  • Packet Generation
    • Message is generated; original packet is dropped
      or forwarded
    • ICMP Echo

14
Transforms
  • Must be able to trace back through transforms
    • Implies inverting the transform
  • Most are invertible, but require some care in
    picking fields from the header to hash
    • Much information is readily available from the
      packet or the router
  • Not all transforms can be inverted
    • Additional storage of information required for
      non-invertible transforms
    • Requires a mapping from original to new packet
    • Need to keep the transform data structure small
      to avoid DoS on the transform
    • Invertibility allows us to build compact mapping
      records

15
SPIE Components
  [Diagram: an ISP's network of routers with DGAs attached,
  several SCARs, and one STM]
  • SPIE has three major components
    • Data Generation Agents (DGAs)
    • SPIE Collection and Reduction agents (SCARs)
    • SPIE Traceback Manager (STM)

16
Data Generation Agents
  • DGAs interact with forwarding engines at routers
  • Produce a packet digest (the result of a hash
    function) for every packet forwarded at each
    router interface card and store them in the form
    of timestamped bitmap tables
  • Upon request, transmit the content of their
    history memories to SPIE Collection and Reduction
    agents (SCARs) for traceback analysis
  • Can be implemented as interface cards or as
    separate auxiliary boxes connected to the IP
    forwarding device through some auxiliary interface

17
SPIE Collection and Reduction
  • SCARs act as concentration points for several
    Data Generation Agents
  • Know their local topologies
  • Poll DGAs for their history memories upon request
  • Process queries for tracebacks, process data
    received from DGAs to create attack graphs, and
    generate responses to query units
  • Produce partial attack graphs from data received
    from their DGAs
  • There are typically several SCARs distributed
    over an entire network

18
SPIE Traceback Managers
  • STMs receive and reply to queries for traceback
    from an Intrusion Detection System (IDS)
    • Verify their authenticity and integrity before
      initiating the traceback process
    • Throttle traceback queries to avoid possible DoS
      attacks
  • For a particular offending packet P and a
    detection time T, STMs instruct SCARs to
    • Poll DGAs for their history memories
    • Generate and send their partial attack graphs
  • STM processes partial attack graphs to generate
    the final attack graph

19
Hardware Support
  • Can be implemented as an interface card with
    minor modifications to line cards or,
  • As a separate box connected to a router with no
    modifications needed for line cards

20
Signature Taps
  • Compute 32-bit signatures (S32 in the diagram)
    of each packet that arrives on a SPIE-capable
    interface
  • The packet digest is computed as the CRC-32 of
    the entire IP packet, except for the IP TTL,
    checksum, and TOS fields
  • In order to ensure independent values at each
    router, the CRC state is preloaded with the
    CRC-32 of the router's canonical IP address and
    AS number

21
Signature Taps
  • Signature taps can be implemented in several
    ways
  • Add to line cards
    • Add to the IP forwarding engine
    • Place the signature tap on the output of the
      ingress layer-2 packet framer
  • In a separate box
    • Add as a set of "feed-through" connectors passing
      the input signals on to the actual router input
      ports
    • This requires the taps to include sufficient
      logic to extract IP packets from the link.

22
Signature Aggregation
  • Produces a periodic signature vector of size 2^k
    bits (k < 32)
  • Arriving 32-bit signatures on each port from line
    cards are placed into a small FIFO
  • Several FIFOs feed a simple arbitrating
    multiplexer; signature values are reduced to k bits,
    and the bit at that index is set in the vector
  • Every interval all vectors are ORed to form a
    single vector for the interval
  • This vector represents the traffic set for the
    interval, and is labeled appropriately

23
History Memory
  • Ring buffer of many short-interval signature
    vectors
  • The current aggregated signature vector is
    written to head of ring at each time R
  • The size can be tailored to meet detection and
    reporting latency requirements
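The DGA data path of the Signature Taps, Signature Aggregation and History Memory slides, and the field selection the Transforms slides call for, as one added example (it is not the BBN prototype). Following the slides, the digest is a CRC-32 over the IP packet with TTL, TOS and header checksum zeroed, seeded with the CRC-32 of the router's address and AS number, reduced to a k-bit index and set in a per-interval bitmap kept in a ring. Assumptions of this example, not the slides: IPv4 only, k = 16, XOR-folding as the 32-to-k reduction (the slides do not say how it is done), the 198.51.100.0/24 documentation addresses and private ASN 64496, and the constructed sample packets. One caveat worth carrying: CRC-32 is linear over GF(2), so preloading the register only adds a router-specific constant for a given packet length. Two same-length packets that collide at one router therefore collide at every router, and the preload by itself does not deliver the independent per-router hashes that the collision argument of slides 10 and 11 relies on; the last function checks that identity.

```python
"""Data Generation Agent as described on the Signature Taps, Signature
Aggregation and History Memory slides.  Added example, not BBN's prototype.
Assumed: IPv4 only, k = 16, XOR-folding from 32 to k bits (the slides do not
say how the reduction is done), and documentation-range addresses/ASN."""
import struct
import zlib
from collections import deque
from typing import Deque, Dict, Tuple

K = 16                                  # assumed: signature vector of 2**K bits
MASK = (1 << K) - 1


def ipv4_checksum(header: bytes) -> int:
    s = sum(struct.unpack("!10H", header[:20]))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Constructed sample packet: 20-byte header (protocol 17) plus raw payload."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, 17, 0, ip(src), ip(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def forward_hop(pkt: bytes) -> bytes:
    """A router's rewrite of the header: TTL decremented, checksum refreshed."""
    b = bytearray(pkt)
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b[:20])))
    return bytes(b)


def mask_mutable_fields(pkt: bytes) -> bytes:
    """Zero TOS, TTL and header checksum, the fields the slides leave out of the CRC."""
    b = bytearray(pkt)
    b[1] = 0
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def router_preload(router_ip: str, asn: int) -> int:
    """CRC-32 of the router's canonical IP address and AS number (the CRC start state)."""
    octets = bytes(int(o) for o in router_ip.split("."))
    return zlib.crc32(octets + struct.pack("!I", asn))


def signature32(pkt: bytes, preload: int) -> int:
    """S32 for one router: CRC-32 of the masked packet, starting from the preload."""
    return zlib.crc32(mask_mutable_fields(pkt), preload)


def reduce_to_k(s32: int) -> int:
    """Aggregation: fold the 32-bit signature to a K-bit bitmap index (assumed method)."""
    return (s32 ^ (s32 >> K)) & MASK


class HistoryMemory:
    """Ring of (interval start, signature vector); the newest interval is the head."""

    def __init__(self, intervals: int, interval_len: float) -> None:
        self.R = interval_len
        self.ring: Deque[Tuple[float, bytearray]] = deque(maxlen=intervals)

    def _vector(self, t: float) -> bytearray:
        start = (t // self.R) * self.R              # assumes time moves forward
        if not self.ring or self.ring[-1][0] != start:
            self.ring.append((start, bytearray(1 << (K - 3))))   # oldest interval falls off
        return self.ring[-1][1]

    def record(self, s32: int, t: float) -> None:
        i = reduce_to_k(s32)
        self._vector(t)[i >> 3] |= 1 << (i & 7)

    def seen(self, s32: int, t_from: float, t_to: float) -> bool:
        """Is the bit set in any interval overlapping [t_from, t_to]?"""
        i = reduce_to_k(s32)
        return any(start <= t_to and start + self.R >= t_from and (vec[i >> 3] >> (i & 7)) & 1
                   for start, vec in self.ring)

    def fill_fraction(self) -> float:
        """Fraction of bits set in the head vector: the per-router false-positive rate."""
        vec = self.ring[-1][1]
        return sum(bin(b).count("1") for b in vec) / (8 * len(vec))


def preload_shifts_but_does_not_decorrelate(m1: bytes, m2: bytes, pre_a: int, pre_b: int) -> bool:
    """CRC is linear over GF(2): for equal-length inputs the XOR of two digests is the
    same at every router, so a collision at one router is a collision at all of them."""
    return (signature32(m1, pre_a) ^ signature32(m2, pre_a)) == \
           (signature32(m1, pre_b) ^ signature32(m2, pre_b))


def demo() -> Dict[str, bool]:
    pkt = build_ipv4("10.0.0.7", "192.0.2.9", 64, b"constructed payload")
    other = build_ipv4("10.0.0.8", "192.0.2.9", 64, b"constructed payloaD")
    pre_a = router_preload("198.51.100.1", 64496)
    pre_b = router_preload("198.51.100.2", 64496)
    mem = HistoryMemory(intervals=60, interval_len=1.0)
    mem.record(signature32(pkt, pre_a), t=1000.2)
    hop = forward_hop(pkt)                           # what the next router sees
    return {
        "stable_across_hop": signature32(hop, pre_a) == signature32(pkt, pre_a),
        "differs_per_router": signature32(pkt, pre_a) != signature32(pkt, pre_b),
        "seen_in_window": mem.seen(signature32(hop, pre_a), 999.0, 1001.0),
        "not_seen_later": mem.seen(signature32(hop, pre_a), 1005.0, 1010.0),
        "collisions_correlated": preload_shifts_but_does_not_decorrelate(pkt, other, pre_a, pre_b),
    }
```

`demo()` shows the three properties the slides want from the tap and history memory (a hop's TTL rewrite does not change a router's digest, two routers digest the same packet differently, and a query finds the bit only in the intervals that overlap the detection window) and the one they do not get from a preloaded CRC: `collisions_correlated` is true for any pair of equal-length packets, so a collision that produces a false positive at one router reproduces at its neighbors and the product-of-probabilities argument of slide 11 does not apply.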

24
Traceback Process
  [Diagram: the IDS in the victim's network queries the STM,
  which reaches the SCARs and DGAs in the ISP's network]
26
Traceback Process (Step 1)
  • The intrusion detection system provides the SPIE
    Traceback Manager a packet P and time of
    detection T
  • The STM cryptographically verifies the
    authenticity and integrity of the query message
    sent by the IDS
    • If the verification fails, the query message is
      dropped and logged.
  • STMs throttle queries from the IDS to avoid possible
    DoS

27
Traceback Process (Step 2)
  • Upon successful verification of the query sent by
    the IDS, the STM asks all SCAR units to poll
    their respective DGAs for packet hashes

28
Traceback Process (Step 3)
  • STM sends to all of the SCARs a query with the
    packet P and the time of detection T
  • SCARs search each DGA's history for the hash of P on
    or after time T
  • SCARs use the hash matches and the topology
    information of their area to construct a partial
    attack graph

29
Traceback Process (Step 4)
  • All SCARs send their results to the originating
    STM, which uses the partial graph information and
    its own topology information to create a final
    and complete attack graph.

30
Traceback Process (Step 5)
  • The STM replies to the IDS with the ingress point
    of the attack
  • Each query message received is properly
    acknowledged by the receiving entity
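The five steps above run end to end, as an added example that is not BBN's protocol or code. Everything in it is constructed: a small two-area ISP topology in which r4-r3-r2-r1 carries the attack and r1 faces the victim, one attack packet, one innocent packet seen only by the off-path routers r5 and r6, and a pre-shared IDS/STM key. Per-router digests are stood in for by a keyed BLAKE2b folded to k bits (so each router sees a different hash of the same packet, the effect the slides get from varying the hash), the IDS query format (P, T, nonce, HMAC-SHA256 tag) is this example's own, and a fixed per-STM query budget stands in for throttling.

```python
"""The five traceback steps run end to end (added example, not BBN's
protocol or code).  Constructed: a small two-area ISP topology, one attack
packet, one innocent packet, and a pre-shared IDS/STM key.  Per-router digests
are stood in for by a keyed BLAKE2b folded to k bits; the IDS query format is
assumed."""
import hashlib
import hmac
import struct
from collections import defaultdict, deque
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

K = 16                                   # bitmap index width, as on the DGA slides
IDS_STM_KEY = b"constructed shared key"  # assumed pre-shared secret between IDS and STM
Edge = FrozenSet[str]


def router_digest(router: str, pkt: bytes) -> int:
    """Stand-in for a router's own packet signature: keyed hash folded to K bits."""
    h = hashlib.blake2b(pkt, key=router.encode(), digest_size=4).digest()
    return int.from_bytes(h, "big") & ((1 << K) - 1)


class DGA:
    """Sparse stand-in for a history memory: interval number -> set bit indices."""

    def __init__(self, router: str) -> None:
        self.router = router
        self.history: Dict[int, Set[int]] = defaultdict(set)

    def record(self, pkt: bytes, t: float) -> None:
        self.history[int(t)].add(router_digest(self.router, pkt))

    def seen(self, pkt: bytes, t_from: float, t_to: float) -> bool:
        idx = router_digest(self.router, pkt)
        return any(idx in self.history.get(i, ()) for i in range(int(t_from), int(t_to) + 1))


class SCAR:
    """Concentration point for one area's DGAs; knows that area's topology."""

    def __init__(self, dgas: Dict[str, DGA], edges: Set[Edge]) -> None:
        self.dgas, self.edges = dgas, edges

    def partial_graph(self, pkt: bytes, t: float, window: float) -> Tuple[Set[str], Set[Edge]]:
        """Step 3: routers whose history holds P in the `window` seconds before T,
        plus the area edges joining two such routers."""
        hits = {r for r, d in self.dgas.items() if d.seen(pkt, t - window, t)}
        return hits, {e for e in self.edges if e <= hits}


def ids_query(pkt: bytes, t: float, nonce: int) -> Tuple[bytes, float, int, bytes]:
    """Step 1, IDS side: (P, T, nonce) with an HMAC-SHA256 tag (message format assumed)."""
    tag = hmac.new(IDS_STM_KEY, struct.pack("!dI", t, nonce) + pkt, hashlib.sha256).digest()
    return pkt, t, nonce, tag


class STM:
    def __init__(self, scars: List[SCAR], inter_area: Set[Edge], victim_router: str, max_queries: int) -> None:
        self.scars, self.inter_area, self.victim_router = scars, inter_area, victim_router
        self.budget, self.nonces, self.log = max_queries, set(), []

    def trace(self, query: Tuple[bytes, float, int, bytes]) -> Optional[Dict[str, object]]:
        pkt, t, nonce, tag = query
        expect = hmac.new(IDS_STM_KEY, struct.pack("!dI", t, nonce) + pkt, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect) or nonce in self.nonces:
            self.log.append(("dropped", nonce))      # step 1: bad tag or replay is dropped and logged
            return None
        if self.budget == 0:
            self.log.append(("throttled", nonce))    # step 1: query budget exhausted
            return None
        self.budget -= 1
        self.nonces.add(nonce)
        hits, edges = set(), set(self.inter_area)
        for scar in self.scars:                      # steps 2-3: every SCAR polls its DGAs
            h, e = scar.partial_graph(pkt, t, window=60.0)
            hits |= h
            edges |= e
        if self.victim_router not in hits:
            return {"graph": {}, "ingress": []}
        adj: Dict[str, Set[str]] = {r: set() for r in hits}
        for e in edges:                              # step 4: join partial graphs with STM topology
            if e <= hits:
                a, b = tuple(e)
                adj[a].add(b)
                adj[b].add(a)
        graph: Dict[str, List[str]] = {}
        visited, queue = {self.victim_router}, deque([self.victim_router])
        while queue:                                 # walk upstream from the victim-facing router
            r = queue.popleft()
            graph[r] = sorted(n for n in adj[r] if n not in visited)
            visited.update(graph[r])
            queue.extend(graph[r])
        ingress = sorted(r for r, ups in graph.items() if not ups)   # step 5: reply to the IDS
        return {"graph": graph, "ingress": ingress}


def build_demo() -> Tuple[STM, bytes, bytes]:
    """Constructed ISP: r4-r3-r2-r1 carries the attack (r1 faces the victim); r5 and r6
    are off-path routers that only saw an innocent packet.  Two SCAR areas."""
    attack = b"\x45\x00constructed attack packet"
    innocent = b"\x45\x00constructed innocent packet"
    dgas = {r: DGA(r) for r in ["r1", "r2", "r3", "r4", "r5", "r6"]}
    for r in ["r4", "r3", "r2", "r1"]:
        dgas[r].record(attack, 1000.0)
    dgas["r5"].record(innocent, 1000.0)
    dgas["r6"].record(innocent, 1000.0)
    e = lambda a, b: frozenset((a, b))
    area_a = SCAR({r: dgas[r] for r in ["r1", "r2", "r5"]}, {e("r1", "r2"), e("r2", "r5")})
    area_b = SCAR({r: dgas[r] for r in ["r3", "r4", "r6"]}, {e("r3", "r4"), e("r3", "r6")})
    stm = STM([area_a, area_b], {e("r2", "r3")}, victim_router="r1", max_queries=2)
    return stm, attack, innocent
```

A valid query for the attack packet walks r1, r2, r3, r4 and reports r4 as the ingress point; a replayed nonce or a tampered tag is dropped and logged before any SCAR is polled, and once the budget is spent further queries are throttled, which is the DoS protection the Vulnerabilities slide asks of the STM. The off-path routers r5 and r6 stay out of the graph because their DGAs never recorded the attack packet's hash.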

31
Vulnerabilities
  • Denial of Service attacks
    • Must not be able to cause SPIE to do unauthorized
      queries
    • Requests for traces are authenticated and must be
      issued by an authorized entity
    • Central authority (SPIE Traceback Manager) can
      rate limit requests and eliminate duplicates
    • Transform mapping data structures must be bounded
  • Separation of Powers
    • SPIE Traceback Manager is logically/physically
      separate from other control and management
      entities
  • Predictability
    • Attacker must not be able to game the system

32
Big Brother?
  • Goal: trace packets without revealing information
    not already known
    • Must have the original packet to do the trace
    • Cannot reconstruct a packet based on the trace
  • However
    • A packet misidentified as an attacking packet may
      be revealed to others
    • An attacker can learn the success of an attack by
      subverting a router that gets queried
    • Motivated SPIE deployers could record every
      packet ever sent through the network, and keep
      that for a long time

33
Summary and Future Work
  • Deliverables
    • Reference prototype, Documentation, Papers
  • We have finished the architecture phase
    • Defined requirements
    • Analyzed hashes and fields for hashing
    • Defined major architecture components
    • Submitted DISCEX paper; working on SIGCOMM paper
  • Working on Design phase
    • DGA details
    • Analyzing transforms and false positives
    • STM/SCAR communication protocol
    • IDS/SPIE API