
Large-Scale IP Traceback in High-Speed Internet : Practical Techniques and Theoretical Foundation

2004 IEEE Symposium on Security and Privacy. Large-Scale IP Traceback in High-Speed Internet: Practical Techniques and Theoretical Foundation. Jun (Jim) Xu, Networking & Telecommunications Group, College of Computing, Georgia Institute of Technology





Presentation Transcript


  1. 2004 IEEE Symposium on Security and Privacy
     Large-Scale IP Traceback in High-Speed Internet: Practical Techniques and Theoretical Foundation
     Jun (Jim) Xu, Networking & Telecommunications Group, College of Computing, Georgia Institute of Technology
     (Joint work with Jun Li, Minho Sung, Li Li)

  2. Introduction
     • Internet DDoS attack is a real threat
       - on websites
         · Yahoo, CNN, Amazon, eBay, etc. (Feb. 2000) → services were unavailable for several hours
       - on Internet infrastructure
         · 13 root DNS servers (Oct. 2002) → 7 of them were shut down completely
     • First step to counter an attack: identification of the attackers
       - IP spoofing enables attackers to hide their identity
       - IP Traceback: mechanism to trace the attack sources

  3. State of IP Traceback
     • Assumptions “inherited” from the literature
       - attackers send lots of packets
       - the traceback scheme uses limited space in the IP header
       - attackers are aware of the effort and can sabotage it
     • Two main types of proposed traceback techniques
       (1) Probabilistic Packet Marking (PPM) scheme
           a. routers: probabilistically mark each packet with partial path info using some coding algorithm
           b. victim: reconstructs the attacking paths using some decoding algorithm

  4. State of IP Traceback (Cont.)
     • Two main types of proposed traceback techniques
       (2) Hash-based scheme
           a. routers: store packet digests
           b. victim: uses recursive lookup to reconstruct the attack path
     [Figure: attacker → routers → victim; the victim asks each router in turn “Have you seen this packet?” and each router answers “yes” from its stored packet digests]

  5. Scalability Problems of the Two Approaches
     • PPM schemes
       - limited marking field (17 bits)
       - cannot scale to a large number of attackers
     • Hash-based scheme
       - records 100% of the packet digests
       - infeasible for high-speed links
     • Our objective: design a traceback scheme that is scalable both to the number of attackers and to high link speed

  6. Outline of the talk
     • Overview of our solution
     • Design detail
     • Information theoretic framework
     • Performance Evaluation
     • Related work, Future work, Conclusion

  7. Design Overview
     • Our idea: store digests of sampled packets only
       - use a small sampling rate p (such as 3.3%)
       - small storage and computational cost
       - can scale to OC-192 or OC-768 link speed
       - lets us go across the DRAM/SRAM speed barrier
     • The challenge of sampling
       - one-packet traceback is not possible: we need to obtain a larger number of attack packets
       - independent random sampling will not work: we need to improve the “correlation factor”
     [Figure: attacker → routers → victim; each router stores digests of the packets it samples, and the sampling decisions at consecutive routers are correlated]

  8. Information-theoretic framework overview
     • Information-theoretic framework to solve an optimization problem
       (1) given fixed resource constraints (e.g. we can use 0.4 bits per packet in the Bloom filter on average), what is the best parameter setting for the number of hash functions and the sampling probability?
           - relationship between the resource constraint and the two parameters:
             resource constraint = number of hash functions × sampling probability
           - two tradeoffs:
             a higher number of hash functions gives a lower false positive rate in the Bloom filter
             a higher sampling probability gives higher sampling correlation (easier traceback)
           ex) when s = 0.4, which set is best? (8 hash, 5% sampling) vs (12 hash, 3.3% sampling) vs (16 hash, 2.5% sampling)

  9. Information-theoretic framework overview
     • Information-theoretic framework to establish a lower bound
       (2) what is the lower bound on the size of the evidence needed to achieve a certain level of traceback accuracy?
           - there is a tradeoff between the number of attack packets used for traceback (the evidence) and the accuracy of the traceback
           ex) we want to find the minimum size of the evidence for identifying more than 90% of the attack sources

  10. Outline of the talk
      • Overview of our solution
      • Design Detail
      • Information theoretic framework
      • Performance Evaluation
      • Related work, Future work, Conclusion

  11. One-bit Random Marking and Sampling (ORMS)
      • Basic idea
        - each router samples packets with probability p
        - ORMS makes the correlation factor larger than 50%: we sample more than 50% of the packets that were sampled at the previous router
        - use 1-bit marking to coordinate the sampling correlation:
          [Figure: incoming packets marked 1 (a p/2 share of the traffic) are all sampled; unmarked packets (0) are sampled with probability p/(2-p); half of the sampled packets leave marked 1 (“sample and mark”, p/2) and half leave marked 0 (“sample and not mark”, p/2)]
          total sampling probability: p/2 + (1 - p/2) · p/(2-p) = p
          correlation factor (sampled by both): 1/(2-p) (> 50% because 0 < p < 1)

  12. One-bit Random Marking and Sampling (ORMS)
      • Why not trajectory sampling?
        - the attacker can use hash values that escape sampling
      • Design a tampering-resistant scheme
        - Why save p/2 of marked packets and p/2 of unmarked packets? Why not simply save all packets that are marked with 1?
          [Figure: another host sends marked normal traffic while the attacker sends unmarked attack traffic to the victim]
        - “jump-start” in the first hop using a dual leaky bucket scheme
          [Figure: r, the rate of marked packets (0 ≤ r ≤ 1), can be tampered with by the sender; the first hop makes r = p/2 using the dual leaky bucket, and r = p/2 then stays stationary at every following hop]

  13. Traceback Processing
      1. Collect a set of attack packets Lv
      2. Check router S, a neighbor of the victim, with Lv
      3. Check each router R (neighbor of S) with Ls
      [Figure: the victim, holding Lv, asks S “Have you seen any of these packets?”; S answers “yes” from its packet digests and is told “You are convicted! Use these evidences to make your Ls”; S then asks its neighbor R, toward the attacker, with Ls]

  14. Traceback Processing
      4. Pass Lv to R to be used to make the new Ls
      5. Repeat these processes
      [Figure: the same exchange one hop further: R answers “yes” from its packet digests, is convicted, and makes its own Ls from the evidence]
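The ORMS sampling of slides 11 and 12 and the recursive traceback of slides 13 and 14, as an added simulation that is not the paper's code. It assumes a small six-node topology (attack traffic enters at A, benign traffic at B, both reach the victim V through S), 6000 packets from each, a Bloom filter per router sized at s bits for every packet of the run, a first hop that simply sets the mark bit at rate p/2 in place of the dual leaky bucket, and a conviction rule that a router's hit count must clearly exceed what its Bloom false-positive rate would explain.

```python
import hashlib
import random

P, K, S_BITS = 0.033, 12, 0.4      # sampling rate p, hash functions k, bits per packet s = k*p
TOPOLOGY = {"V": ["S"], "S": ["R1", "R2"], "R1": ["A"], "R2": ["B"], "A": [], "B": []}  # assumed
PARENT = {c: r for r, cs in TOPOLOGY.items() for c in cs}        # next hop toward the victim V
N_ATTACK, N_NORMAL = 6000, 6000    # packets entering at A (attack path) and at B (benign), assumed
M = int(S_BITS * (N_ATTACK + N_NORMAL))      # per-router filter size: s bits for every packet of the run

class Bloom:
    def __init__(self):
        self.bits = bytearray(M)
    def _idx(self, digest):                      # k bit positions from salted SHA-256 of the digest
        for i in range(K):
            yield int.from_bytes(hashlib.sha256(bytes([i]) + digest).digest()[:4], "big") % M
    def add(self, digest):
        for i in self._idx(digest):
            self.bits[i] = 1
    def __contains__(self, digest):
        return all(self.bits[i] for i in self._idx(digest))

def orms(rng, bloom, digest, marked):            # one router's ORMS step; returns the outgoing mark bit
    if marked or rng.random() < P / (2 - P):     # keep every marked packet, unmarked ones w.p. p/(2-p)
        bloom.add(digest)                        # with r = p/2 marked on arrival, total sampling is p
        return rng.random() < 0.5                # half of the kept packets leave marked 1, half marked 0
    return False

def run(seed=1):
    rng, filters, lv = random.Random(seed), {r: Bloom() for r in TOPOLOGY if r != "V"}, []
    for src, n in (("A", N_ATTACK), ("B", N_NORMAL)):
        for i in range(n):
            digest, hop = f"{src}-{i}".encode(), src
            marked = rng.random() < P / 2        # jump-start stand-in: first hop sets marks at rate p/2
            while hop != "V":
                marked = orms(rng, filters[hop], digest, marked)
                hop = PARENT[hop]
            if src == "A":
                lv.append(digest)                # Lv: the attack packets the victim received
    return filters, lv

def traceback(filters, evidence, router="S"):
    bloom = filters[router]
    hits = [d for d in evidence if d in bloom]   # "Have you seen any of these packets?"
    fp_rate = (sum(bloom.bits) / M) ** K         # Bloom false-positive rate from the fill ratio
    if len(hits) <= 3 * fp_rate * len(evidence) + 4:
        return set()                             # explainable by false positives alone: acquitted
    convicted = {router}                         # "You are convicted!"
    for nxt in TOPOLOGY[router]:                 # the hits become the Ls checked at each neighbor
        convicted |= traceback(filters, hits, nxt)
    return convicted
```

With these parameters S keeps about 3.3% of Lv, and each further hop keeps about 1/(2-p) of the previous hop's hits, so `traceback(*run())` convicts S, R1 and A and leaves R2 and B alone.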

  15. Outline of the talk
      • Overview of our solution
      • Design Detail
      • Information-theoretic framework
      • Performance Evaluation
      • Related work, Future work, Conclusion

  16. Why do we need a theoretical foundation?
      • Information-theoretic framework
        - view the traceback system as a communication channel
        - tradeoff between the sampling rate and the size of the packet digest: the optimal parameter setting maximizes channel capacity (i.e. mutual information)
        - tradeoff between the number of packets and the traceback accuracy: information theory allows us to derive the lower bound on the number of packets (evidence) needed to achieve a certain level of traceback accuracy, through Fano’s inequality

  17. Information Theory Background
      • Concepts
        - Entropy H(X): measures the uncertainty of X
        - Conditional entropy H(X|Y): measures how much uncertainty remains about X given the observation of Y
      • Fano’s inequality
        - Given an observation of Y, we form an estimate of X; we denote the probability that this estimate is wrong as pe
        - H(pe) ≥ H(X|Y), if X is binary-valued

  18. Applications of Information Theory
      [Figure: the victim holds Lv (Np: # of pkts in Lv); router R1 is shown with the counts Xt1, Xf1 and the list Ls; router R2, with Z = 1, is shown with the counts Xt2, Yt, Yf. Legend: true positive, false positive.]
      • What we can observe: Xt1 + Xf1, Yt + Yf
      • We want to estimate Z
      • Question: How to maximize our accuracy in estimating Z?
      • Answer: minimize H(Z | Xt1+Xf1, Yt+Yf)

  19. Applications of Information Theory
      • Parameter tuning:
        - k: number of hash functions in a Bloom filter
        - to maximize our accuracy in estimating Z, we would like to compute
          k* = argmin_k H(Z | Xt1+Xf1, Yt+Yf)
          subject to the resource constraint s = k × p
          s: average number of bits for each packet
          p: sampling probability

  20. Applications of Information Theory
      Resource constraint: s = k × p = 0.4

  21. Applications of Information Theory
      • Lower bound on the number of packets to achieve a certain level of traceback accuracy:
        Fano’s inequality: H(pe) ≥ H(Z | Xt1+Xf1, Yt+Yf)
        Parameters: s = 0.4, k = 12, p = 3.3% (12 × 3.3% = 0.4)

  22. Outline of the talk
      • Overview of our solution
      • Design Detail
      • Information-theoretic framework
      • Performance Evaluation
      • Related work, Future work, Conclusion

  23. Simulation set-up
      • Three topologies
        - Skitter data I, Skitter data II, Bell Labs’ data (routes from a host to 192,900, 158,181 and 86,813 destinations respectively)
      • Host setting:
        - Victim: all three topologies are routes from a single origin to many destinations; assume this origin to be the victim
        - Attackers: randomly distributed among the destination hosts
      • Performance metrics
        - False Negative Ratio (FNR): the ratio of the number of missed routers to the number of infected routers
        - False Positive Ratio (FPR): the ratio of the number of incorrectly convicted routers to the number of convicted routers

  24. Simulation results
      • False Negative & False Positive on the Skitter I topology
        Parameters: s = 0.4, k = 12, p = 3.3% (12 × 3.3% = 0.4)

  25. Verification of Theoretical Analysis
      • Parameter tuning
        Parameters: 1000 attackers, s = k × p = 0.4

  26. Verification of Theoretical Analysis
      • Error levels for different k values
        Parameters: 2000 attackers, Np = 200,000

  27. Verification of Theoretical Analysis
      • Lower bound on the number of packets to achieve a certain level of traceback accuracy
        Parameters: s = 0.4, k = 12, p = 3.3%

  28. Outline of the talk
      • Overview of our solution
      • Design Detail
      • Information-theoretic framework
      • Performance Evaluation
      • Related work, Future work, Conclusion

  29. Related work (not exhaustive)
      • PPM (Probabilistic Packet Marking) traceback schemes
        - S. Savage et al., Practical network support for IP traceback, SIGCOMM 2000
        - M. T. Goodrich, Efficient packet marking for large-scale IP traceback, ACM CCS 2002
      • Hash-based traceback scheme
        - Snoeren et al., Hash-based IP traceback, SIGCOMM 2001
      • Analysis of traceback schemes and lower bounds
        - M. Adler, Tradeoffs in PPM for IP traceback, ACM STOC 2002

  30. Discussion and future work
      1. Is the correlation factor 1/(2-p) optimal for coordination using one bit?
      2. What if we use more than one bit for coordinating sampling?
      3. How to optimally combine PPM and hash-based schemes: a Network Information Theory question.
      4. How to know with 100% certainty that some packets are attack packets? What if we only know with p-certainty?

  31. Conclusion
      • A new approach to IP traceback is presented
        - using sampling, the scheme can scale to very high link speed
        - ORMS, a novel sampling technique, is introduced
      • Analysis using the information-theoretic framework
        - allows us to compute the optimal parameters
        - can be used to compute the trade-off between the amount of evidence and the traceback accuracy
      • Simulation study
        - demonstrates the high performance of the scheme even with thousands of attackers and a very low (3.3%) sampling rate
