Network Support For IP Traceback - PowerPoint PPT Presentation

1
Network Support For IP Traceback
  • Stefan Savage, David Wetherall, Anna Karlin and
    Tom Anderson

Teng Fei - UMass, April 2002
2
Outline
  • Motivation
  • Related work
  • Proposed solution
  • Experimental results
  • Future work

3
The Problem
  • Denial of Service (DoS) attack
  • remotely consumes the resources of a server or network
  • Increasing in number and frequency
  • simple to implement (Trinoo)

4
Difficult To Trace
  • Indirection
  • attacking packets are sent from slave machines, which
    are under the control of a remote master machine
  • Spoofing of IP source addresses
  • Attackers disguise their location using incorrect IP
    addresses, hence the true origin is lost

5
DoS Counter Measures
  • Ingress filtering
  • Link testing
  • input debugging
  • controlled flooding
  • Logging

6
Ingress Filtering
  • Block packets with invalid source addresses
  • Pros
  • Moderate management/network overhead
  • Cons
  • requires widespread deployment
  • hard to do in backbone/transit networks

7
Link Testing
  • Start from victim and test upstream links
  • Recursively repeat until source is located
  • Assume attack remains active until trace complete

8
Input Debugging
  • Victim recognizes an attack signature
  • Installs a filter on the upstream router
  • Pros
  • May use software to help coordinate
  • Cons
  • Requires cooperation between ISPs
  • Considerable management overhead

9
Controlled Flooding
  • Flood links with large bursts of traffic during the
    attack
  • Observe how the attacking packet rate changes to determine
    the source
  • Pros
  • Ingenious
  • Cons
  • Itself a denial of service - possibly worse

10
Logging
  • Key routers log packets
  • Data mining to analyze the logs
  • Pros
  • Post mortem
  • Cons
  • High resource demand

11
ICMP Traceback
  • Sample packets with low probability
  • Copy the data and path information into a new ICMP
    packet
  • Pros
  • reconstructs path information given a large number of
    packets
  • Cons
  • ICMP may be filtered

12
Packet Marking Traceback
  • Mark packets with the router's address
  • deterministically or probabilistically
  • Trace the attack using the marked packets
  • Pros
  • Requires no cooperation with ISPs
  • Does not cause heavy network overhead
  • Can trace the attack post mortem

13
DoS Scenario Seen by Victim
[Figure: attackers A1, A2, A3 send packets through routers R5, R7, R6, R3, R4, R2, R1 to the victim V]
14
Multiple Attackers
[Figure: same topology; A1, A2, A3 labelled as attack origins]
15
Exact Traceback Problem
[Figure: same topology with the attack path highlighted; exact traceback yields R6, R3, R2, R1]
16
Approximate Traceback Problem
[Figure: same topology; approximate traceback yields R5, R6, R3, R2, R1]
17
Marking Algorithms
  • Marking procedure
  • by routers
  • adds information to packets
  • Path reconstruction procedure
  • by the victim
  • uses the information in the marked packets
  • Convergence time
  • number of packets needed to reconstruct the attack path

18
DoS Attack Assumptions
  • Attacker may generate any packet
  • Multiple attackers may conspire
  • Attackers may be aware they are being traced
  • Packets may be lost or reordered

19
Design Assumptions
  • Attackers send numerous packets
  • Route between attacker and victim is fairly
    stable
  • Routers have limited CPU and memory
  • Routers are not widely compromised

20
Basic Marking Algorithms
  • Node Append
  • Node Sampling
  • Edge Sampling

21
Node Append
  • Append the address of each node to the end of the
    packet
  • Complete, ordered list of the routers on the attack path

[Figure: the marked packet is the original packet followed by the appended router list]
22
Node Append
  • Pros
  • complete, ordered attack path
  • converges quickly (a single packet)
  • Cons
  • infeasibly high router overhead
  • attackers can create false path information

23
Node Sampling
  • Reserve a node field in the packet header
  • Each router writes its address into the node field with
    probability p
  • Reconstruct the path from the relative frequency of the
    node samples
  • Only requires an additional write and a checksum update
  • Robust against a single attacker when p > 0.5

24-27
Node Sampling
[Figure, animated over four slides: a packet passes routers R1, R2, R3]
28
Cons Of Node Sampling
  • Slow convergence
  • needs many packets
  • usually on the order of 10,000 - 100,000
  • Cannot trace multiple attackers

29
Edge Sampling
  • An edge represents the routers at each end of a link
  • Store edges instead of nodes
  • start and end addresses of the edge's routers
  • distance from the edge to the victim

30
Packet Marking Algorithm
  • With probability p, a router writes its own address into
    the start field and 0 into the distance field
  • Otherwise, a distance field of zero means the packet was
    just marked by the previous hop
  • In that case the router writes its own address into the
    end address field, and then increases the distance field by 1

31-34
Edge Sampling
[Figure, animated over four slides: a packet passes routers R1, R2, R3]
35
Path Reconstruction
  • Let G be a tree rooted at the victim v
  • Insert the (start, end, distance) tuples into G as edges
  • Remove any edge (x, y, d) whose d differs from the distance
    from x to v in G
  • Extract the attack paths from G.

36
Pros and Cons Of Edge Sampling
  • Pros
  • Converges much faster than node sampling
  • efficiently discerns multiple attackers
  • Cons
  • requires additional space in the IP header

37
Important Issue
  • Edge sampling requires 72 bits of space in every
    IP packet (two 32-bit IP addresses and 8 bits for the
    distance)
  • Additional data in each packet is expensive
  • Sending the data out of band results in more overhead
    and possibly a new, incompatible protocol
  • Solutions???

38
Encoding Issue
  • Overload the IP identification field
  • used for fragmentation
  • Decreases the space requirement
  • store the XOR of the edge addresses (edge-id)
  • Increases reconstruction time

39
Compress Space Requirement
  • XOR the edges' IP addresses recursively
  • if d = 1, no XOR, just the IP address
  • end XOR (start XOR end) = start

40
Marking With XOR
[Figure: attack path a, b, c, d, v; resulting XOR edges: a XOR b, b XOR c, c XOR d, d]
41
Reconstructing With XOR
[Figure: starting from d, XOR with c XOR d, then b XOR c, then a XOR b recovers the reconstructed path d, c, b, a]
42
Subdividing Edge-id
  • Divide the edge-id into k non-overlapping fragments, one
    per marked packet
  • Need the offset of each fragment

43
Creating Unique Edge-ids
  • Edge-id fragments are not unique
  • with multiple attackers, there are multiple edge fragments
    with the same offset and distance
  • Bit-interleave a hash code with the IP address

44
Creating Unique Edge-ids
[Figure: the Address (0000...1111) and Hash(Address) (00111100) are bit-interleaved into 00000101...11111010, which is split into fragments with offsets 0 to k-1; the k fragments are sent into the network]
45
Candidate Edge-ids
  • Combine all permutations of fragments at each
    distance with disjoint offset values
  • Check that the carried hash matches the hash of the address

46
Constructing Candidate Edges
[Figure: fragments with offsets 0 to k-1 are recombined into a candidate 00000101...11111010 and de-interleaved into Address? (0000...1111) and Hash(Address)? (00111100); if Hash(Address?) equals the carried hash the candidate is accepted ("Yes, correct address"), otherwise it is rejected ("No, reject")]
47
Evaluation
  • Longer convergence time
  • divide the edge-id into 8 fragments
  • attacker's distance is 10 hops
  • 2150 packets to converge with 95% certainty
  • a few seconds
  • Robust with multiple attackers

48
Picking Parameters
  • Smaller k
  • Larger space requirement
  • Larger k
  • Larger computational overhead
  • Robustness decreases

49
IP Header Encoding
  • Separate issue from algorithms
  • Overload the 16-bit identification field
  • used to differentiate IP fragments

50
Encoding Edge Fragments
[Figure: the 16-bit identification field split into offset, distance and edge fragment subfields; the figure labels field widths of 5 and 8 bits]
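The compressed scheme of slides 38-46 and the identification-field layout of slide 50, as an added Python example that is neither the slides' nor the paper's own code. It assumes a 3-bit offset, 5-bit distance and 8-bit fragment split of the 16-bit field (what k = 8 fragments and the 5- and 8-bit widths labelled on slide 50 imply), uses the first 32 bits of SHA-256 as the address hash (the slides do not name one), and runs two constructed attackers through constructed 10.x.x.x router addresses so that the candidate check of slide 46 has to reject mismatched fragment combinations.

```python
import hashlib
import itertools
import random

K = 8           # fragments per edge-id (slide 47)
FRAG_BITS = 8   # 64 interleaved bits / 8 fragments
DIST_BITS = 5   # offset (3) + distance (5) + fragment (8) = 16-bit id field (slide 50)
VICTIM = 0      # constructed stand-in address for the victim end of the last edge


def hash32(addr):
    # Assumed hash: first 32 bits of SHA-256 (the slides do not name one).
    return int.from_bytes(hashlib.sha256(addr.to_bytes(4, "big")).digest()[:4], "big")


def interleave(addr):
    # Slide 44: alternate address bits and hash bits, MSB first -> 64 bits.
    h, out = hash32(addr), 0
    for i in range(31, -1, -1):
        out = (out << 2) | (((addr >> i) & 1) << 1) | ((h >> i) & 1)
    return out


def deinterleave(value):
    # Inverse of interleave(): returns (address, carried hash).
    addr = h = 0
    for i in range(63, 0, -2):
        addr = (addr << 1) | ((value >> i) & 1)
        h = (h << 1) | ((value >> (i - 1)) & 1)
    return addr, h


def fragment(value, offset):
    # Fragment `offset` (0 = most significant byte) of a 64-bit value.
    return (value >> (64 - FRAG_BITS * (offset + 1))) & ((1 << FRAG_BITS) - 1)


def pack_id(offset, distance, frag):
    # Slide 50: offset | distance | edge fragment in the 16-bit IP id field.
    return (offset << (DIST_BITS + FRAG_BITS)) | (distance << FRAG_BITS) | frag


def unpack_id(ident):
    return (ident >> (DIST_BITS + FRAG_BITS),
            (ident >> FRAG_BITS) & ((1 << DIST_BITS) - 1), ident & ((1 << FRAG_BITS) - 1))


def mark_packet(path, p, rng):
    """Compressed edge sampling (slides 38-39) along `path`, attacker side
    first; returns the id field the victim sees, or None if never marked."""
    ident = None
    for router in path:
        if rng.random() < p:
            offset = rng.randrange(K)          # which fragment this packet carries
            ident = pack_id(offset, 0, fragment(interleave(router), offset))
        elif ident is not None:
            offset, distance, frag = unpack_id(ident)
            if distance == 0:                  # previous hop marked: edge-id = start XOR end
                frag ^= fragment(interleave(router), offset)
            ident = pack_id(offset, min(distance + 1, (1 << DIST_BITS) - 1), frag)
    return ident


def simulate(paths, p, packets_per_attacker, seed=1):
    """Victim's view: {distance: {offset: set of fragment values seen}}."""
    rng, samples = random.Random(seed), {}
    for path in paths:
        for _ in range(packets_per_attacker):
            ident = mark_packet(path, p, rng)
            if ident is not None:
                offset, distance, frag = unpack_id(ident)
                samples.setdefault(distance, {}).setdefault(offset, set()).add(frag)
    return samples


def reconstruct(samples):
    """Slides 45-46: per distance, try every combination of one fragment per
    offset, XOR it with each known downstream router's interleaved value and
    keep candidates whose carried hash equals hash32(address).
    Returns {router address: next hop towards the victim}."""
    edges, level = {}, {VICTIM}
    for d in sorted(samples):
        if len(samples[d]) < K:
            break                              # not converged at this distance yet
        found = set()
        for combo in itertools.product(*(samples[d][o] for o in range(K))):
            value = 0
            for frag in combo:
                value = (value << FRAG_BITS) | frag
            for parent in level:
                cand = value ^ (0 if parent == VICTIM else interleave(parent))
                addr, h = deinterleave(cand)
                if hash32(addr) == h:          # mixed-up combinations fail this check
                    edges[addr] = parent
                    found.add(addr)
        level = found
    return edges


# Constructed topology: two attackers whose routes merge at R_C before R_D -> victim.
R_A, R_B, R_C, R_D = 0x0A010001, 0x0A020001, 0x0A030001, 0x0A040001
R_B2, R_A2 = 0x0A050001, 0x0A060001
PATHS = [[R_A, R_B, R_C, R_D], [R_A2, R_B2, R_C, R_D]]

if __name__ == "__main__":
    for router, parent in reconstruct(simulate(PATHS, 1 / 25, 10000)).items():
        print(f"{router:08x} -> {parent:08x}")
```

Because XOR is bitwise, the XOR of two interleaved values is the interleaving of the XORed addresses with the XORed hashes, so the victim can undo the chain one hop at a time and only then apply the hash test; at distance 2 and beyond the two attackers' fragments share offsets and distances, and the 2^8 combinations per offset set are thinned to the genuine ones by that test alone.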
51
IP Header Encoding
  • Backwards compatibility
  • Two problems
  • Writing the same values into the id fields of fragments
    from different datagrams
  • Writing different values into the id fields of fragments
    of the same datagram

52
Fragmentation Issues
  • Copy the data into an ICMP packet
  • Check the checksum at a higher layer
  • etc

53
Testing the Algorithm
  • Simulator
  • Create random paths
  • Originate attacks
  • Marking probability is 1/25
  • 1,000 random test runs
  • vary path lengths

54
Experimental Results
[Figure: number of packets needed to reconstruct paths]
55
Future Work
  • Suffix validation
  • spoof end edges
  • include a router secret
  • Attack origin (host)
  • Find attacker (person)

56
Related Research
  • Steven M. Bellovin, ICMP Traceback Message, AT&T:
    http://www.research.att.com/smb/papers/draft-bellovin-itrace-00.txt
  • Alex Snoeren, Hash-Based IP Traceback, BBN, SIGCOMM:
    http://www.acm.org/sigcomm/sigcomm2001/p1-snoeren.pdf

57
References
  • Stefan Savage, Practical Network Support For IP Traceback:
    http://www.cs.washington.edu/homes/savage/papers/UW-CSE-00-02-01.pdf
  • Sara Sprenkle, Practical Network Support, Duke University:
    http://www.duke.edu/ses12/presentations/nerdSavage.ppt
  • Hal Burch, IP Traceback, Carnegie Mellon University:
    http://axp.missouri.edu/cecs481/Talks/rrp83a.ppt