Agenda - PowerPoint PPT Presentation

About This Presentation
Title:

Agenda

Description:

Title: On the Rearrangeability of Shuffle-Exchange Networks Author: Hung Q. Ngo Last modified by: Assistant Created Date: 12/5/2000 2:10:56 AM Document presentation ... – PowerPoint PPT presentation

Number of Views:23
Avg rating:3.0/5.0
Slides: 21
Provided by: Hun74
Learn more at: https://cse.buffalo.edu
Category:
Tags: agenda | icmp

less

Transcript and Presenter's Notes

Title: Agenda


1
Agenda
  • Last time finished brief overview of
    buffer-overflow attacks
  • Today IP Traceback

2
What and Why
  • IP Traceback
  • operation of tracing the source of an IP packet
  • Why is this important and useful?
  • If done properly, can be used to limit DDoS
    attacks
  • Post-mortem analysis, investigation into other
    kinds network of attacks
  • Potential drawback?
  • Abused by repressive regimes/organization
  • Why is it difficult?
  • Potentially resource-intensive, target for DoS
    itself
  • Internet is stateless
  • Backward compatibility (think of source-routing)
  • Avoid the new scheme itself being spoofed
  • The true identity of an attacker may be
    unknown, still

3
Overview of existing approaches
  1. Ingress filtering
  2. Input debugging
  3. Controlled flooding
  4. Logging
  5. ICMP traceback
  6. Probabilistic Packet Marking (PPM)
  7. Hash-based one of your reading assignments

4
Ingress filtering
  • Routers block packets that arrive with
    illegitimate sources addresses
  • Requires the interface to be configured with a
    range of valid IPs
  • Quite feasible at customer network at the edge
  • Drawbacks
  • At higher level ISP, traffic load is higher,
    valid IP range is ambiguous
  • With hundreds or thousands of customers, one can
    forge IP of another without much troubles
  • Not all ISPs do this. Many dont because theres
    administrative burden, no economic incentive,
    interfere with services requiring spoofing
    (mobile IP)

5
Input debugging
  • Use input debugging feature of routers to do
    traceback
  • Input debugging allows operators to filter
    particular packets (with some kind of signature)
    on some egress port and determine which ingress
    port they come from
  • Manually call the upstream router operator
  • Automatically some ISPs have tools to do this
  • Drawbacks
  • Often too slow
  • Management overhead
  • Coordination with other ISPs is difficult, and
    very slow

6
Controlled Flooding
  • Selectively flood a link to observe attack
    traffic, with the help of some Internet map
  • This does not require intermediate operator
    intervention
  • Drawbacks
  • This is a form of DoS itself
  • Requires the map, which itself is non-trivial
  • Poorly suited for DDoS
  • Only effective for on-going attacks, cannot be
    use for post-mortem analysis

7
ICMP Traceback
  • Every router samples with low probability (1/20K)
    one of the packets its forwarding
  • Copy the content into a special ICMP traceback
    along the path to the destination, containing
  • Back link, forward link, authentication,
  • Destination then use this info to do traceback
  • Drawbacks
  • ICMP traffic is also differentiated and may be
    filtered
  • Requires input-debugging which may not be
    available in some router architecture
  • Requires key distribution architecture to avoid
    itself being attacked
  • However, this is quite effective

8
Probabilistic Packet Marking (PPM)
  • Idea proposed by Burch Cheswick
  • First scheme proposed by Stefan Savage et al
  • Well look at this idea in details

9
PPM Assumptions
  • An attacker may generate any packet
  • Multiple attackers may conspire
  • Attackers are aware that theyre being traced
  • Packets may be lost or re-ordered
  • Attackers send numerous packets
  • Route between attacker(s) and receiver is fairly
    stable
  • Routers and both CPU and memory limited
  • Routers are not widely compromised
  • Compatible with current IP protocol

10
PPM Node Append
  • The most basic algorithm
  • Each router appends its IP into the packet
  • Pros
  • Robust and quick to converge
  • Cons
  • High router overhead
  • Interfere with MTU discovery, IP fragmentation,

11
PPM Node sampling
  • Reserve some 32-bit field in each IP packet
  • A router randomly puts its IP in this field with
    probability p
  • Victim receive multiple packets, use this
    database to approximately reconstruct the path.
    How?
  • Probability of receiving a packet d hops away is
    p(1-p)d-1, p shoulde be gt ½.
  • This probability is monotonic in d, we can use
    the frequency of IPs to reconstruct path to the
    destination
  • Drawbacks
  • Inferring is a slow process
  • Requires a sufficient number of received packets,
    e.g. for d15, p 0.51, we need 42000 packets
    before the furthest router is seen at the
    target
  • Not effective against multiple attackers routers
    at the same distance from different source are
    sampled with the same rate

12
PPM Edge Sampling
  • Idea sample the edges on the paths instead of
    nodes
  • Reserve 2 32-bit fields on every packet, FROM
    TO
  • One more field (8 bits) called HOP
  • Sampling is done as follows. Fix a probability p
  • Chose x at random in 0, 1)
  • If x lt p then write IP into packet.FROMElse
    if packet.HOP 0 then write IP
    into packet.TO packet.HOP

13
PPM Edge Sampling
  • Time to converge dominated by time to receive a
    sample from the furthest router, roughly
    1/p(1-p)d-1
  • Expected number of packets required to work
    properly is at most ln(d)/p(1-p)d-1
  • Choose p 1/d for optimal result
  • In practice, choose p1/25 (as path lengths often
    lt 25)
  • Pros
  • Single attacker any packet written by attacker
    will necessarily has distance at least the
    distance of true attack path
  • Multiple attacker the above applies to the
    closest attacker
  • Quite robust
  • Cons
  • Not backward compatible (requires gt 64 more bits)

14
Encoding Issues
  • Compress edge segment sampling 3 techniques
  • Next router fills FROM XOR TO into the 32-bit
    space
  • Partition address into k fragments, sends
    fragment along with fragment offset, next-hop
    router use the the offset to send the right
    fragment. Over time, all fragments of all edge
    IDs are received.
  • XORing makes edge ID not unique, compute a hash
    of an IP, interleave it with actual IP, then do
    fragmentation
  • Expected of packets needed to reconstruct path
    is k ln(kd)/p(1-p)d-1
  • For instance, if k8, d10, p1/25, then we need
    about 1300 packets on average
  • In practice overload 16-bit identification field
    in each IP packet with 3-bit offset (k8), 5 bit
    distance (32 hops), 8-bit edge fragment

15
Formalization of the Problem
  • b number of extra header bits in each packet
  • n number of bits used to describe a path
  • Investigate the tradeoff between b, convergence
    time, and total number of packets needed to
    reconstruct the attack path(s) with high
    probability

16
Interesting Results by Micah Adler
  • Single path attacks
  • b1 works! Requires ?((2e)2n) packets for any e
  • Showed that, for b1, ?(2n) packets is necessary
  • For general b, Adler gave a protocol that
    usesO(bn22b(2e)4n/2b) packets, and showed
    ?(2b2n/2b) is necessary
  • Multiple path attacks, say k paths
  • At least log(2k-1) header bits is needed
    regardless of the number of received packets
  • For a restricted class of attacker strategies,
    log(2k1) bits are sufficient

17
Open Problems
  • Close the upper-lower bound gap when b1, single
    path attack
  • For multiple path attacks, theres still a lot to
    be done, e.g.
  • Devise protocols for all attackers strategies
  • Computational complexity has not been addressed
    properly

18
Brainstorming
  • What kind of information does the victim need?
  • Where can we store this information?
  • How can the routers be instructed to store this
    information?
  • This is the protocol
  • How effective is the protocol? This requires
    probabilistic analysis, information theoretic
    analysis
  • Drawbacks of PPM-related schemes?
  • Requires large number of packets
  • Not exact science

19
A Simple Model for Upper Bounding
  • Assumptions to be relaxed later
  • Packet delivery paths form a tree rooted at the
    victim v
  • Assume the tree is full-binary, depth n
  • Each path can be encoded with B1B2Bn
  • Want routers to send victim the string B1B2Bn
  • Protocol
  • Idea encode the string into a probability of
    victim receiving bit-1 packets
  • Whats the most natural way to do this?
  • Probpacket with bit-1 received the binary
    number represented by B1B2Bn divided by 2n, i.e.
  • How do we realize this?

20
A Simple Protocol
  • Each router knows its bit Bi
  • With probability ½, it forwards the bit as it is
  • With probability ½, it set the bit to be Bi
  • If original bit is 0, then p is as expected
  • If original bit is 1, then p is as expected
    1/2n
  • Need to fix this case
  • Next time Ill talk a little bit about
    information theory
Write a Comment
User Comments (0)
About PowerShow.com