Explore the innovative SPIE architecture that empowers Network Accountability to trace packets efficiently and securely, minimizing cost, and ensuring privacy in high-speed routers.
Hash-Based IP Traceback
Best Student Paper, ACM SIGCOMM’01
Introduction
• Today’s Internet infrastructure is extremely vulnerable to motivated and well-equipped attackers.
  • Denial of service attacks
  • Single well-targeted packet attacks
• To institute accountability for these attacks, the source of individual packets must be identified.
Today’s IP Network
• The IP protocol has difficulty identifying the true source of an IP datagram.
  • Stateless and destination-based routing without source authentication
  • Legitimately spoofed source addresses
    • NAT, Mobile IP, IPSec
  • Ingress filtering
Source Path Isolation Engine
• Challenges in constructing a tracing system
  • Determining which packets to trace
  • Maintaining privacy
  • Minimizing cost
• The proposed SPIE
  • reduces memory consumption with Bloom filters
  • verifies packets while maintaining privacy by storing packet digests instead of packets
Assumptions on a Traceback System
• Packets may be addressed to more than one physical host
• Duplicate packets may exist in the network
• Routers may be subverted, but not often
• Attackers are aware they are being traced
• The routing behavior of the network may be unstable
• The packet size should not grow as a result of tracing
• End hosts may be resource constrained
• Traceback is an infrequent operation
Design Goals
• An optimal IP traceback system would
  • precisely identify the source of an arbitrary IP packet
  • construct an attack path even when co-opted routers exist
  • construct an attack graph when multiple indistinguishable packets exist
  • produce no false negatives while attempting to minimize false positives
  • not expand the eavesdropping capabilities of a malicious party
• An optimal traceback system should trace packets through valid transformations back to the source of the original packet.
• Transformation categories
  • Packet encapsulation
  • Packet generation
  • Common packet transformations (RFC 1812)
Related Work
• Two approaches to determining the route of a packet flow are auditing and inferring.
• Inferring (Burch and Cheswick)
  • Floods candidate links and monitors variations
  • Needs knowledge of the network topology and large packet floods
• Specialized routing (Stone)
  • Overlay tracking network
  • Needs long-lived flows and routing changes
Auditing
• End-host schemes
  • Routers notify the packet destination of their presence on the route by in-band or out-of-band signaling.
• Infrastructure schemes
  • Log packets at various points throughout the network.
  • Space and privacy considerations
  • Input debugging and IDIP
    • High overhead
Packet Digesting
• Auditing by computing and storing 32-bit packet digests reduces storage requirements and prevents eavesdropping.
• SPIE computes digests over the invariant portion of the IP header and the first 8 bytes of the payload (28 bytes in total).
Bloom Filter
• There are multiple, independent hash functions, which change over time at each router.
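The two slides above describe what SPIE hashes and how the digests are stored. The following added example (written for this page, not code from the SPIE authors) builds a small constructed IPv4 packet, takes the 28-byte invariant prefix, derives a 32-bit digest from it, and stores it in a Bloom filter whose hash functions are keyed with per-period secrets, so rotating the keys changes the hash set as the slide describes. The choice of which header fields are mutable (ToS, TTL, header checksum, with options skipped), the use of SHA-256 and keyed BLAKE2b, and the table size are assumptions of the example; the Bloom filter here hashes the invariant prefix directly rather than the 32-bit digest.

```python
import hashlib
import struct

# Added example, not the paper's code. Offsets below are IPv4 header byte offsets.
MASK_TOS, MASK_TTL, MASK_CKSUM = 1, 8, slice(10, 12)
PREFIX_LEN = 28    # 20-byte fixed header + 8 payload bytes, as on the slide
DIGEST_LEN = 4     # 32-bit digest


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Constructed sample packet: IPv4 header without options (UDP protocol number) + payload."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, 17, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def invariant_prefix(packet: bytes) -> bytes:
    """The 28 bytes SPIE digests: fixed IPv4 header with the hop-mutable fields
    (ToS, TTL, header checksum) zeroed, options skipped, then 8 payload bytes.
    Which fields count as mutable is this example's assumption."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:20])
    hdr[MASK_TOS] = 0
    hdr[MASK_TTL] = 0
    hdr[MASK_CKSUM] = b"\x00\x00"
    payload8 = packet[ihl:ihl + 8].ljust(8, b"\x00")
    return bytes(hdr) + payload8


def packet_digest(packet: bytes) -> int:
    """32-bit digest of the invariant prefix (SHA-256 truncated, an assumption)."""
    return int.from_bytes(hashlib.sha256(invariant_prefix(packet)).digest()[:DIGEST_LEN], "big")


class DigestTable:
    """Bloom filter of m bits with k keyed hash functions. The keys are the
    per-period secrets: a new key set gives a new, independent set of hashes."""

    def __init__(self, m_bits: int, keys: list):
        self.m = m_bits
        self.keys = keys
        self.bits = bytearray((m_bits + 7) // 8)

    def _indices(self, prefix: bytes):
        for key in self.keys:
            h = hashlib.blake2b(prefix, key=key, digest_size=4).digest()
            yield int.from_bytes(h, "big") % self.m

    def insert(self, packet: bytes) -> None:
        for i in self._indices(invariant_prefix(packet)):
            self.bits[i >> 3] |= 1 << (i & 7)

    def maybe_contains(self, packet: bytes) -> bool:
        """True if every bit is set: the packet was seen, or this is a false positive."""
        return all(self.bits[i >> 3] & (1 << (i & 7))
                   for i in self._indices(invariant_prefix(packet)))


if __name__ == "__main__":
    sent = build_ipv4("10.0.0.1", "10.0.0.2", b"attackpayload!", ttl=64)
    seen_downstream = build_ipv4("10.0.0.1", "10.0.0.2", b"attackpayload!", ttl=63)
    table = DigestTable(1 << 16, [b"period-7-key-a", b"period-7-key-b", b"period-7-key-c"])
    table.insert(sent)
    print("same digest after a hop:", packet_digest(sent) == packet_digest(seen_downstream))
    print("table hit for the forwarded copy:", table.maybe_contains(seen_downstream))
```

The checks worth running: the digest is unchanged after a hop decrements TTL and rewrites the checksum, it changes when any of the first 8 payload bytes change, and it does not change when only later payload bytes differ, which is the limit of the 28-byte prefix.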
SPIE Architecture
• DGA: Data Generation Agent
• SCAR: SPIE Collection and Reduction
• STM: SPIE Traceback Manager
• IDS: Intrusion Detection System
Traceback Processing
• The IDS provides the STM with a packet P, the victim V, and the time of attack T.
• The STM verifies the message’s authenticity and integrity.
• The STM immediately asks all SCARs to poll their DGAs for the relevant traffic digests.
• Each SCAR responds with a partial attack graph.
• The STM constructs a composite attack graph and returns it to the IDS.
Transformation Processing
• Packets being transformed are put on the control path, thus relaxing the timing requirements.
• Transform Lookup Table (TLT) entry: includes an Indirect (I) flag
  a. Pointer
  b. Flow caching
Transformation Processing
• The TLT’s 29-bit packet digest field implies that eight distinct 32-bit packet digests map to the same TLT entry; this is tolerable because of
  • the rarity of packet transformations
  • the sparsity of the digest table
  • the uniformity of the digesting function
• SPIE treats the security gateway or NAT functionality of routers as a separate entity to manage TLT growth.
Graph Construction
• Simulating reverse-path flooding (RPF), SCARs construct attack graphs by examining the digest tables.
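The traceback processing and graph construction slides above describe the query flow but not the search itself. The following added example (written for this page, not SPIE's own code) simulates reverse-path flooding on a constructed topology: starting at the victim's last-hop router, every neighbour not yet visited is asked whether it recorded the digest within the time window, a hit adds an upstream edge to the attack graph and the flood continues from that router. The topology, the digest value, the per-router tables and the time-window rule are all constructed for the example; a plain set stands in for each router's Bloom filter, so the simulation itself introduces no false positives.

```python
from collections import deque

# Added example, not SPIE's own code. Each router's digest table is a dict
# mapping a time period to the set of 32-bit digests it recorded.

# Constructed topology: undirected links between routers; V is the victim host.
LINKS = {
    "V":  ["R1"],
    "R1": ["V", "R2", "R3"],
    "R2": ["R1", "R4"],
    "R3": ["R1", "R5"],
    "R4": ["R2", "R6"],
    "R5": ["R3"],
    "R6": ["R4"],
}

SAMPLE_DIGEST = 0x2F9A11C3   # constructed digest of the attack packet

# Constructed digest tables. Two indistinguishable copies of the packet reached
# V: one via R6-R4-R2-R1 and one via R3-R1. R5 holds the same digest, but only
# from an old period, so the time window must rule it out.
SAMPLE_TABLES = {
    "R1": {10: {SAMPLE_DIGEST}},
    "R2": {10: {SAMPLE_DIGEST}},
    "R3": {10: {SAMPLE_DIGEST}},
    "R4": {9: {SAMPLE_DIGEST}},
    "R5": {3: {SAMPLE_DIGEST}},
    "R6": {9: {SAMPLE_DIGEST}},
}


def recorded(tables, router, digest, periods):
    """Did `router` record `digest` in any of the given time periods?"""
    table = tables.get(router, {})
    return any(digest in table.get(p, ()) for p in periods)


def build_attack_graph(links, tables, last_hop, digest, t_attack, window=1):
    """Reverse-path flooding from the victim's last-hop router.

    Returns the set of (upstream, downstream) edges over which `digest` was
    forwarded toward the victim. `window` is how many periods before t_attack
    are still consulted, since the packet took time to cross the network.
    """
    periods = range(t_attack - window, t_attack + 1)
    if not recorded(tables, last_hop, digest, periods):
        return set()                      # nothing to trace from this router
    graph = set()
    visited = {last_hop}
    queue = deque([last_hop])
    while queue:
        node = queue.popleft()
        for nbr in links[node]:
            # Query each unvisited neighbour; a hit extends the graph one hop
            # upstream and the flood continues from there.
            if nbr not in visited and recorded(tables, nbr, digest, periods):
                graph.add((nbr, node))
                visited.add(nbr)
                queue.append(nbr)
    return graph


def ingress_candidates(graph):
    """Routers with no upstream edge: where the packet entered the audited network."""
    upstream = {u for u, _ in graph}
    downstream = {d for _, d in graph}
    return upstream - downstream


if __name__ == "__main__":
    g = build_attack_graph(LINKS, SAMPLE_TABLES, "R1", SAMPLE_DIGEST, t_attack=10)
    for up, down in sorted(g):
        print(f"{up} -> {down}")
    print("ingress candidates:", sorted(ingress_candidates(g)))
```

Because duplicate packets are an explicit assumption of the system, the result is a graph rather than a single path: both R6 and R3 come out as ingress candidates, while R5 is excluded only because its match falls outside the time window, which is why the window choice matters for false positives.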
Discussion
• Reliable and timely SPIE communication
  • Out-of-band channel
  • Higher priority
• Inter-domain cooperation
  • Authentication
• Denial of service through transformation
• Performance and policy
Conclusion and Future Work
• SPIE contributes a way to trace a single packet with privacy and low storage cost.
• SPIE deals with complex packet transformations in high-speed routers.
• Future work on SPIE includes
  • extending the time period of traceability
  • reducing the information needed for de-transformation