Title: Network Support For IP Traceback
1 Network Support For IP Traceback
- Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson
- Teng Fei, UMass, April 2002
2 Outline
- Motivation
- Related work
- Proposed solution
- Experimental results
- Future work
3 The Problem
- Denial of Service (DoS) attack
- remotely consumes the resources of a server or network
- Increasing in number and frequency
- simple to implement (Trinoo)
4 Difficult To Trace
- Indirection
- attacking packets are sent from slave machines that are under the control of a remote master machine
- Spoofing of IP source addresses
- attackers disguise their location using incorrect IP addresses, so the true origin is lost
5 DoS Countermeasures
- Ingress filtering
- Link testing
- input debugging
- controlled flooding
- Logging
6 Ingress Filtering
- Block packets with invalid source addresses
- Pros
- Moderate management/network overhead
- Cons
- requires widespread deployment
- hard to do in backbone/transit networks
7 Link Testing
- Start from victim and test upstream links
- Recursively repeat until source is located
- Assumes the attack remains active until the trace is complete
8 Input Debugging
- The victim recognizes an attack signature
- A filter is installed on the upstream router
- Pros
- May use software to help coordinate
- Cons
- Requires cooperation between ISPs
- Considerable management overhead
9 Controlled Flooding
- Flood links with large bursts of traffic during the attack
- Observe the change in the attacking packet rate to determine the source
- Pros
- Ingenious
- Cons
- Itself a denial of service, possibly a worse one
10 Logging
- Key routers log packets
- Data mining for analysis
- Pros
- Post mortem
- Cons
- High resource demand
11 ICMP Traceback
- Sample packets with low probability
- Copy data and path information into a new ICMP packet
- Pros
- reconstructs path information given a large number of packets
- Cons
- ICMP may be filtered
12 Packet Marking Traceback
- Mark packets with router addresses
- deterministically or probabilistically
- Trace the attack using the marked packets
- Pros
- Requires no cooperation with ISPs
- Does not cause heavy network overhead
- Can trace attacks post mortem
13 DoS Scenario Seen by Victim
[Figure: the attack as seen by the victim V: attackers A1, A2, A3 send packets through routers R5, R7, R6, R3, R4, R2 and R1 toward V]
14 Multiple Attackers
[Figure: the same router tree, with the attack origins A1, A2, A3 marked]
15 Exact Traceback Problem
[Figure: the same router tree with the attack path highlighted; exact traceback: R6, R3, R2, R1]
16 Approximate Traceback Problem
[Figure: the same router tree; approximate traceback: R5, R6, R3, R2, R1]
17 Marking Algorithms
- Marking procedure
- by routers
- add information to packets
- Path reconstruction procedure
- by victim
- use information in marked packets
- Convergence time
- number of packets needed to reconstruct the attack path
18 DoS Attack Assumptions
- Attacker may generate any packet
- Multiple attackers may conspire
- Attackers may be aware they are being traced
- packets may be lost or reordered
19 Design Assumptions
- Attackers send numerous packets
- The route between attacker and victim is fairly stable
- Routers have limited CPU and memory
- Routers are not widely compromised
20 Basic Marking Algorithms
- Node Append
- Node Sampling
- Edge Sampling
21 Node Append
- Append the address of each node to the end of the packet
- Gives a complete, ordered list of the routers on the attack path
[Figure: packet layout: the original packet followed by the appended router list]
22 Node Append
- Pros
- complete, ordered attack path
- converges quickly (a single packet suffices)
- Cons
- infeasibly high router overhead
- attackers can create false path information
23 Node Sampling
- Reserve a node field in the packet header
- Each router writes its address into the node field with probability p
- Reconstruct the path from the relative frequency of the node samples
- Only requires an additional write and a checksum update
- Robust against a single attacker when p > 0.5
24-27 Node Sampling
[Figure, four animation steps: a packet travelling through routers R1, R2, R3, each of which may overwrite the node field with its own address]
28 Cons Of Node Sampling
- Slow convergence
- needs many packets
- usually on the order of 10,000 - 100,000
- Cannot trace multiple attackers
29 Edge Sampling
- An edge represents the routers at each end of a link
- Store edges instead of nodes
- start and end addresses of the edge's routers
- distance from the edge to the victim
30 Packet Marking Algorithm
- A router writes its own address into the start field and 0 into the distance field
- A distance field of zero means the packet has just been marked
- the router then writes its own address into the end field and increases the distance field by 1
31-34 Edge Sampling
[Figure, four animation steps: a packet travelling through routers R1, R2, R3, showing the start, end and distance fields being filled in]
35 Path Reconstruction
- Let G be a graph with root v
- Insert the tuples (start, end, distance) into G
- Remove any edge (x, y, d) with d ≠ distance from x to v in G
- Extract the path from G
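The edge-sampling marking procedure (slide 30) and the path reconstruction procedure (slide 35), as an added Python simulation that is not from the slides or from the Savage et al. paper. The router names follow the figures on slides 13-16; the topology, the marking probability and the packet counts are assumed. It also shows why the distance check in the reconstruction step matters: a mark forged by the sender with a small distance value has its distance field incremented by every router it passes, so it disagrees with the graph at the victim and is discarded.

```python
import random

# Constructed topology following the figures on slides 13-16 (assumed):
# two attackers reach victim V through R6 -> R3 -> R2 -> R1 and R7 -> R4 -> R2 -> R1.
PATH_A = ["R6", "R3", "R2", "R1"]
PATH_B = ["R7", "R4", "R2", "R1"]
VICTIM = "V"


def mark_packet(path, p, rng, initial=None):
    """Edge sampling marking procedure (slide 30) applied by every router on
    `path` (attacker side first). `initial` is whatever the sender put into the
    mark fields (None = unmarked). Returns the (start, end, distance) tuple the
    victim sees, or None if no router marked the packet."""
    mark = initial
    for router in path:
        if rng.random() < p:
            mark = (router, None, 0)           # write own address, distance 0
        elif mark is not None:
            start, end, dist = mark
            if dist == 0:
                end = router                   # distance 0: fill in the end field
            mark = (start, end, dist + 1)      # every further hop adds 1
    return mark


def reconstruct(marks, victim=VICTIM):
    """Path reconstruction procedure (slide 35): insert the sampled edges into a
    graph rooted at the victim, drop every edge whose distance field disagrees
    with its hop count from the victim, and read the attack paths off the graph.
    Returns one list per attacker, from the farthest router down to the victim."""
    edges = set()
    for m in marks:
        if m is not None:
            start, end, dist = m
            edges.add((start, victim if end is None else end, dist))
    # Hop count of each node from the victim, grown only along consistent edges:
    # an edge carrying distance d must end at a node d hops from the victim.
    hops, frontier = {victim: 0}, [victim]
    while frontier:
        nxt = []
        for node in frontier:
            for start, end, dist in edges:
                if end == node and dist == hops[node] and start not in hops:
                    hops[start] = dist + 1
                    nxt.append(start)
        frontier = nxt
    consistent = {(s, e, d) for s, e, d in edges if e in hops and d == hops[e]}

    def upstream(node):                        # every root-to-leaf path in G
        ups = sorted(s for s, e, _ in consistent if e == node)
        if not ups:
            return [[]]
        return [[u] + rest for u in ups for rest in upstream(u)]

    return [path[::-1] for path in upstream(victim)]


def simulate(paths, p=1 / 25, packets=1000, seed=1):
    """Marks `packets` packets per attacker path with marking probability p
    (slide 53 uses 1/25) and returns the reconstructed paths."""
    rng = random.Random(seed)
    marks = [mark_packet(path, p, rng) for path in paths for _ in range(packets)]
    return reconstruct(marks)


if __name__ == "__main__":
    print("single attacker:", simulate([PATH_A]))
    print("two attackers:  ", simulate([PATH_A, PATH_B]))
    # A mark forged by the sender that claims to sit next to the victim: the
    # distance field is incremented at every hop, so the victim's check rejects it.
    forged = mark_packet(PATH_A, 0.0, random.Random(0), initial=("X", "R1", 3))
    print("forged mark as seen by victim:", forged)
```

The distance check only protects the part of the path between the victim and the attacker: a forged mark with distance 0 and a fabricated start address is completed by the first real router, so it claims an extra edge beyond the attacker's true position. That is the "suffix validation" item on slide 55.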
36 Pros and Cons Of Edge Sampling
- Pros
- Converges much faster than node sampling
- efficiently discerns multiple attackers
- Cons
- requires additional space in the IP header
37 Important Issue
- Edge sampling requires 72 bits of space in every IP packet (2 x 32-bit IP addresses and 8 bits for the distance)
- Additional data in the packet is expensive
- Sending data out of band results in more overhead and maybe a new, incompatible protocol
- Solutions???
38 Encoding Issue
- Overload the IP identification field
- used for fragmentation
- Decreases the space requirement
- store the XOR of the edge addresses (the edge-id)
- Increases reconstruction time
39 Compressing the Space Requirement
- XOR the edges' IP addresses recursively
- if d = 1, no XOR, just the IP address
- end XOR (start XOR end) = start
40 Marking With XOR
[Figure: attack path a -> b -> c -> d -> v; resulting XOR edge-ids: a XOR b, b XOR c, c XOR d, d]
41 Reconstructing With XOR
[Figure: the edge-ids d, c XOR d, b XOR c and a XOR b are decoded in turn to give the reconstructed path]
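The compressed marking of slides 38-41 as an added worked example (not from the slides or the paper): each edge is stored in one 32-bit field plus the distance, instead of the two addresses of slide 37, and the victim unwinds the chain from the distance-0 mark outward. The path names follow slide 40; the router addresses, the marking probability and the packet count are constructed.

```python
import ipaddress
import random


def ip(text):
    """32-bit integer form of a dotted-quad address."""
    return int(ipaddress.IPv4Address(text))


# Constructed path a -> b -> c -> d -> victim, the names of slide 40 (addresses assumed).
PATH = [ip("10.0.0.1"), ip("10.0.1.1"), ip("10.0.2.1"), ip("10.0.3.1")]


def mark_xor(path, p, rng):
    """Edge sampling with XOR compression (slides 38-40). The single 32-bit
    edge field is written with the marking router's address; the next router
    XORs its own address in, so the victim receives (start XOR end, distance),
    just (address, 0) for the edge next to the victim, or None if unmarked."""
    mark = None
    for addr in path:
        if rng.random() < p:
            mark = (addr, 0)
        elif mark is not None:
            edge, dist = mark
            if dist == 0:
                edge ^= addr                  # second endpoint of the edge
            mark = (edge, dist + 1)
    return mark


def edge_ids_by_distance(marks):
    """Group received edge-ids by distance field (one value per distance when a
    single attacker sends along a stable route, as slide 19 assumes)."""
    by_dist = {}
    for m in marks:
        if m is not None:
            edge, dist = m
            by_dist.setdefault(dist, set()).add(edge)
    return by_dist


def reconstruct_xor(marks):
    """Slide 41: the distance-0 edge-id is the address of the router next to
    the victim; every farther edge-id is decoded as
    start = end XOR (start XOR end), with `end` already recovered.
    Returns router addresses from the farthest router to the victim's neighbour."""
    by_dist = edge_ids_by_distance(marks)
    path, known, dist = [], 0, 0              # XOR identity: the victim adds nothing
    while dist in by_dist:
        candidates = by_dist[dist]
        if len(candidates) != 1:
            raise ValueError(f"{len(candidates)} edge-ids at distance {dist}; "
                             "ambiguous without the hashed fragments of slides 43-46")
        known ^= next(iter(candidates))       # end XOR (start XOR end) = start
        path.append(known)
        dist += 1
    return path[::-1]


def simulate(path=PATH, p=1 / 25, packets=1000, seed=1):
    """Mark `packets` packets along `path` and decode what the victim collected."""
    rng = random.Random(seed)
    marks = [mark_xor(path, p, rng) for _ in range(packets)]
    return [str(ipaddress.IPv4Address(a)) for a in reconstruct_xor(marks)]


if __name__ == "__main__":
    print(simulate())  # ['10.0.0.1', '10.0.1.1', '10.0.2.1', '10.0.3.1']
```

The decoder refuses to guess when two edge-ids share a distance, which is exactly the multiple-attacker case that motivates the hashed fragments of slides 43-46: a bare XOR of two addresses carries nothing the victim can check.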
42 Subdividing the Edge-id
- Divide the edge-id into k non-overlapping fragments
- Need the offset of each fragment
43 Creating Unique Edge-ids
- Edge-id fragments are not unique
- with multiple attackers, multiple edge fragments have the same offset and distance
- Bit-interleave a hash code with the IP address
44 Creating Unique Edge-ids
[Figure: Address 0000...1111 and Hash(Address) 00111100 are bit-interleaved into 00000101...11111010 and split into fragments 0 to k-1; the k fragments are sent into the network]
45 Candidate Edge-ids
- Combine all permutations of fragments at each distance that have disjoint offset values
- Check that the hash part matches the hash of the recovered address
46 Constructing Candidate Edges
[Figure: fragments 0 to k-1 are recombined into the candidate 00000101...11111010 and de-interleaved into Address? = 0000...1111 and Hash(Address)? = 00111100; if Hash(Address?) equals 00111100 the candidate is the correct address ("Yes, correct address"), otherwise it is rejected ("No, reject")]
47 Evaluation
- Longer convergence time
- divide the edge-id into 8 fragments
- attacker's distance is 10 hops
- 2150 packets to converge with 95% certainty
- a few seconds
- Robust with multiple attackers
48 Picking Parameters
- Smaller k
- Larger space requirement
- Larger k
- Larger computational overhead
- Robustness decreases
49 IP Header Encoding
- A separate issue from the algorithms
- Overload the 16-bit identification field
- used to differentiate IP fragments
50 Encoding Edge Fragments
[Figure: layout of the identification field into offset, distance and edge fragment subfields; the figure's numeric labels are 21, 5, 8, 8]
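An added end-to-end example of slides 42-46 together with the header encoding of slides 49-50 (not from the slides or the paper): each router's address is bit-interleaved with a 32-bit hash, cut into k = 8 fragments of 8 bits, and one fragment, XORed with the next router's fragment at the same offset, is packed with the offset and the distance into the 16-bit identification field. The victim regroups fragments by distance and offset, tries every combination with disjoint offsets, and accepts only candidates whose hash half matches. The hash function, the bit order of the interleaving and the 3 + 5 + 8 bit split of the identification field are assumptions, since slide 50's figure does not survive extraction; the router addresses are constructed.

```python
import functools
import hashlib
import ipaddress
import itertools
import random

K = 8                            # fragments per edge-id (slide 47 evaluates k = 8)
FRAG_BITS = 8                    # 64-bit interleaved value / 8 fragments
OFFSET_BITS, DIST_BITS = 3, 5    # assumed split: 3 + 5 + 8 = 16-bit identification field


def ip(text):
    return int(ipaddress.IPv4Address(text))


# Constructed attack paths (farthest router first) sharing the two routers nearest the victim.
PATH_A = [ip("10.0.0.1"), ip("10.0.1.1"), ip("10.0.2.1"), ip("10.0.3.1")]
PATH_B = [ip("10.1.0.1"), ip("10.1.1.1"), ip("10.0.2.1"), ip("10.0.3.1")]


def h32(addr):
    """Assumed Hash(Address): low 32 bits of SHA-256 over the 4 address bytes."""
    return int.from_bytes(hashlib.sha256(addr.to_bytes(4, "big")).digest()[:4], "big")


def interleave(addr, hsh):
    """Slide 44: address bits at even positions, hash bits at odd positions (assumed order)."""
    out = 0
    for i in range(32):
        out |= ((addr >> i) & 1) << (2 * i)
        out |= ((hsh >> i) & 1) << (2 * i + 1)
    return out


def deinterleave(value):
    addr = hsh = 0
    for i in range(32):
        addr |= ((value >> (2 * i)) & 1) << i
        hsh |= ((value >> (2 * i + 1)) & 1) << i
    return addr, hsh


@functools.lru_cache(maxsize=None)
def interleaved(addr):
    return interleave(addr, h32(addr))


def fragment(value, offset):
    return (value >> (FRAG_BITS * offset)) & ((1 << FRAG_BITS) - 1)


def pack_id(offset, dist, frag):
    """Slides 49-50: overload the 16-bit identification field."""
    assert offset < 1 << OFFSET_BITS and dist < 1 << DIST_BITS and frag < 1 << FRAG_BITS
    return (offset << (DIST_BITS + FRAG_BITS)) | (dist << FRAG_BITS) | frag


def unpack_id(ident):
    return (ident >> (DIST_BITS + FRAG_BITS),
            (ident >> FRAG_BITS) & ((1 << DIST_BITS) - 1),
            ident & ((1 << FRAG_BITS) - 1))


def mark_fragment(path, p, rng):
    """Fragmented edge sampling (slides 42-44): the marking router picks a random
    offset and writes that fragment of its interleaved value; the next router
    XORs in its own fragment at the same offset. Returns the id field or None."""
    mark = None
    for addr in path:
        if rng.random() < p:
            offset = rng.randrange(K)
            mark = (offset, 0, fragment(interleaved(addr), offset))
        elif mark is not None:
            offset, dist, frag = mark
            if dist == 0:
                frag ^= fragment(interleaved(addr), offset)
            mark = (offset, dist + 1, frag)
    return None if mark is None else pack_id(*mark)


def reconstruct_fragments(ids):
    """Slides 45-46: at each distance, combine one fragment per offset in every
    way, de-interleave the candidate, XOR with the already-known nearer router
    and accept the start address only if its hash matches the hash half.
    Returns one path per attacker, farthest router first."""
    frags = {}                                   # dist -> offset -> fragment values
    for ident in ids:
        if ident is not None:
            offset, dist, frag = unpack_id(ident)
            frags.setdefault(dist, {}).setdefault(offset, set()).add(frag)

    def grow(end_addr, end_hash, dist):
        if len(frags.get(dist, {})) < K:         # some offset never seen: path ends here
            return [[]]
        paths = []
        for combo in itertools.product(*(sorted(frags[dist][o]) for o in range(K))):
            candidate = sum(f << (FRAG_BITS * o) for o, f in enumerate(combo))
            x, y = deinterleave(candidate)       # = (start ^ end, h(start) ^ h(end))
            start = x ^ end_addr
            if h32(start) == y ^ end_hash:       # the check of slide 46
                paths += [[start] + rest for rest in grow(start, h32(start), dist + 1)]
        return paths or [[]]

    return [p[::-1] for p in grow(0, 0, 0)]      # the victim contributes no address


def simulate(paths, p=1 / 25, packets=4000, seed=1):
    rng = random.Random(seed)
    ids = [mark_fragment(path, p, rng) for path in paths for _ in range(packets)]
    return sorted(reconstruct_fragments(ids))


if __name__ == "__main__":
    for path in simulate([PATH_A, PATH_B]):
        print(" -> ".join(str(ipaddress.IPv4Address(a)) for a in path))
```

With two attackers sharing the last two routers, the victim sees two fragment values per offset at distances 2 and 3, so 2^8 combinations are tried at each of those levels; all but the genuine ones fail the hash check, which is the robustness slide 47 claims. The exhaustive combination step is also where the computational cost of a larger k on slide 48 comes from.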
51 IP Header Encoding
- Backwards compatibility
- Two problems
- Writing the same values into the id fields of fragments from different datagrams
- Writing different values into the id fields of fragments of the same datagram
52 Fragmentation Issues
- Copy data into an ICMP packet
- Check the checksum at a higher level
- etc.
53 Testing the Algorithm
- Simulator
- creates random paths
- originates attacks
- Marking probability is 1/25
- 1,000 random test runs
- varying path lengths
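A Monte Carlo version of the slide-53 experiment, added here and not the authors' simulator: single-attacker paths of several lengths, marking probability 1/25, and the mean number of packets until the victim has seen every edge of the path. Only the distance field is modelled, since along one fixed path the distance alone identifies the sampled edge; the path lengths, run count and seed are constructed. It also shows a caveat when picking p: with p = 1 every router overwrites the mark, so only the edge next to the victim is ever learned.

```python
import random


def packets_to_converge(path_len, p, rng, max_packets=100_000):
    """Packets until the victim has seen every edge of one attack path under
    edge sampling (slide 30). Routers are numbered from the victim outward, so
    the edge at distance d joins router d+1 to router d. Returns None if the
    path has not converged after max_packets (e.g. p so large that far edges
    are always overwritten before they reach the victim)."""
    seen, needed, count = set(), set(range(path_len)), 0
    while seen != needed:
        if count == max_packets:
            return None
        count += 1
        dist = None                                 # None: packet unmarked
        for _router in range(path_len, 0, -1):      # attacker side first
            if rng.random() < p:
                dist = 0                            # fresh mark, distance 0
            elif dist is not None:
                dist += 1                           # carried one hop further
        if dist is not None:
            seen.add(dist)
    return count


def simulate(path_lengths=(5, 10, 15, 20), p=1 / 25, runs=100, seed=2002):
    """Mean packets to convergence per path length (slide 53: p = 1/25, random
    paths of varying length). The seed keeps the constructed runs reproducible."""
    rng = random.Random(seed)
    return {d: sum(packets_to_converge(d, p, rng) for _ in range(runs)) / runs
            for d in path_lengths}


if __name__ == "__main__":
    for length, mean in simulate().items():
        print(f"path length {length:2d}: {mean:7.1f} packets on average")
    print("p = 1, path length 3:", packets_to_converge(3, 1.0, random.Random(0), 1000))
```

The mean grows with path length because the farthest edge survives only when no nearer router re-marks the packet, which is why a small p such as 1/25 is chosen: it keeps far edges visible at the cost of more packets overall.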
54 Experimental Results
[Figure: number of packets needed to reconstruct paths]
55 Future Work
- Suffix validation
- spoof end edges
- include a router secret
- Attack origin (host)
- Find attacker (person)
56 Related Research
- Steven M. Bellovin, ICMP Traceback Message, AT&T: http://www.research.att.com/smb/papers/draft-bellovin-itrace-00.txt
- Alex Snoeren, Hash-Based IP Traceback, BBN, SIGCOMM: http://www.acm.org/sigcomm/sigcomm2001/p1-snoeren.pdf
57 References
- Stefan Savage, Practical Network Support For IP Traceback: http://www.cs.washington.edu/homes/savage/papers/UW-CSE-00-02-01.pdf
- Sara Sprenkle, Practical Network Support, Duke University: http://www.duke.edu/ses12/presentations/nerdSavage.ppt
- Hal Burch, IP Traceback, Carnegie Mellon University: http://axp.missouri.edu/cecs481/Talks/rrp83a.ppt