Defense Against Spoofed IP Traffic Using Hop-Count Filtering

Reference: Haining Wang, Cheng Jin and Kang G. Shin, “Defense Against Spoofed IP Traffic Using Hop-Count Filtering”, IEEE/ACM Transactions on Networking, vol. 15, no. 1, February 2007.
2007. 11. 1, Seung Jae Shin

Contents
• Introduction
• Hop-Count Filtering
• Experimental Evaluation
• Related Work
• Conclusion

Introduction

IP Spoofing
• Commonly associated with malicious network actions
  - Used in the TCP sequence number guessing attack: the attacker pretends to be a trusted host to trick the authentication system
  - Exploited by DDoS (Distributed Denial of Service) attacks to conceal the flooding sources and diffuse the localities of the flooding traffic
• By detecting spoofed IP addresses, many security attacks can be stopped in an early phase

Figure 1: DNS reflection DDoS attack using IP spoofing (the attacker sends spoofed DNS queries to a DNS server; the reflected DNS responses cause a traffic explosion at the victim)

Hop-Count Filtering: Basic Idea
• Detect spoofing by checking the TTL field of the IP packet
  - Based on the difficulty of perfect forgery: the TTL field reflects the hop count between source and destination, so it is difficult to set a TTL value consistent with the spoofed address
• Maintain an IP2HC (IP to Hop-Count) mapping table
  - Captures the valid mappings between IP address and hop count
  - Updated only by packets belonging to TCP connections in the established state

Figure 2: Basic organization of the Hop-Count Filter (HCF sits between the Ethernet and IP layers; the Hop-Count Inspector searches the IP2HC table for received packets, and TCP status values drive the table updates)

Hop-Count Filtering: Hop-Count Inspection
• Derive the possible hop-count candidates from the TTL
  - Most modern OSes use only a few selected initial TTL values: 30, 32, 60, 64, 128 and 255
  - Example: if the final value is 112, the initial TTL value is 128, and the hop count is guessed as 16 (= 128 – 112)
• Ambiguous cases in the initial TTL value: {30, 32}, {60, 64} and {32, 60}
  - Consider all possible cases

Figure 3: Hop-Count Inspection Algorithm

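The inspection step above, written out as an added example (this is not code from the paper or the slides): the initial-TTL set is the one the slide lists, while the MAX_HOPS plausibility cap and the plain-dict IP2HC table are assumptions of this example.

```python
# Added example: hop-count inspection as described on the slide.
INITIAL_TTLS = (30, 32, 60, 64, 128, 255)   # initial TTLs used by modern OSes (from the slide)
MAX_HOPS = 30  # assumed plausibility cap: candidates needing more hops are dropped


def hop_count_candidates(final_ttl):
    """Return every plausible hop count for an observed (final) TTL.

    Every initial TTL at or above the observed value is a possible origin, so
    the ambiguous regions (30/32, 60/64, 32/60) yield more than one answer;
    all of them are kept, as the slide says ("consider all possible cases").
    """
    if not 0 <= final_ttl <= 255:
        raise ValueError("TTL must be 0..255")
    return sorted({i - final_ttl for i in INITIAL_TTLS
                   if i >= final_ttl and i - final_ttl <= MAX_HOPS})


def ip2hc_inspect(src_ip, final_ttl, ip2hc):
    """Return True if the packet looks spoofed, False if it is consistent.

    ip2hc is a plain dict {source address: learned hop count} standing in for
    the clustered table.  Addresses with no learned mapping cannot be judged
    and are treated as consistent (HCF only learns from established TCP
    connections, so the table is never complete).
    """
    learned = ip2hc.get(src_ip)
    if learned is None:
        return False
    return learned not in hop_count_candidates(final_ttl)


# Constructed sample table (documentation-range addresses, not measured data).
SAMPLE_IP2HC = {"198.51.100.7": 16, "203.0.113.9": 4}

if __name__ == "__main__":
    print(hop_count_candidates(112))   # [16]: only initial TTL 128 is plausible
    print(hop_count_candidates(28))    # [2, 4]: initial TTL 30 or 32
    print(ip2hc_inspect("198.51.100.7", 112, SAMPLE_IP2HC))  # False, consistent
    print(ip2hc_inspect("198.51.100.7", 120, SAMPLE_IP2HC))  # True, 8 hops != 16
```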
Hop-Count Filtering: Rationales for Hop-Count Filtering
• Diversity of the hop-count distribution
  - In reality, the hop-count distribution approximates a Gaussian distribution
  - From raw traceroute data from 47 different gateways to more than 40,000 addresses: μ = 14 ~ 19, σ = 3 ~ 5
  - Desirable property: symmetric and diverse, which makes it difficult to forge an IP packet carrying a hop count consistent with the spoofed address

Figure 4: Hop-Count Distribution of Commercial (left) and Educational (right) Sites

Rationales for Hop-Count Filtering (cont’d): Effectiveness against simple attacks
• Spoofed addresses generated by a single source
  - All spoofed packets have an identical hop count h
  - Z: the fraction of identifiable spoofed packets
  - the fraction of total valid IP addresses having h as hop count
  - HCF should still identify nearly 90% of spoofed addresses

Figure 4: Hop-Count Distribution of IP addresses with a single flooding source

Rationales for Hop-Count Filtering (cont’d): Effectiveness against simple attacks (cont’d)
• Spoofed addresses generated by multiple sources (DDoS)
  - n sources flood a total of F spoofed packets; each source generates F/n spoofed packets
  - Z: the fraction of identifiable spoofed packets
  - the fraction of total valid IP addresses having h_i as hop count
  - Adding more sources does not diminish Z

Rationales for Hop-Count Filtering (cont’d): Robustness against HCF-aware attackers
• The attacker wants to minimize Z (maximize Z̄ = 1 – Z)
• Randomization of initial TTLs
  - The attacker generates initial TTLs using a particular distribution
  - Uniformly distributed randomization: the forged hop counts are uniformly distributed between h_i and h_j
    - Z̄: the fraction of unidentifiable spoofed packets
    - the fraction of total valid IP addresses having h_k as hop count

Figure 5: Hop-Count Distribution of IP addresses with a single flooding source and uniformly randomized TTL values (h_i = 10, h_j = 20, H = 11)

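The three cases on this and the previous two slides (single source, n sources, uniformly randomized initial TTLs) worked through as an added example that is not part of the slides or the paper. It follows the slides' own reasoning (a spoofed packet escapes only when the spoofed address really has the hop count the packet carries), and the hop-count distribution is a discretised Gaussian constructed here with a μ and σ from the range quoted on the slides, not the paper's measured data.

```python
# Added example: fraction Z of spoofed packets HCF identifies under the
# attack models on the slides, on a constructed hop-count distribution.
import math


def hop_count_pmf(mu=16.0, sigma=4.0, max_hops=40):
    """Fraction of valid addresses at each hop count h = 1..max_hops (sums to 1).
    Constructed Gaussian stand-in for the measured distribution of Figure 4."""
    raw = {h: math.exp(-((h - mu) ** 2) / (2 * sigma ** 2)) for h in range(1, max_hops + 1)}
    total = sum(raw.values())
    return {h: v / total for h, v in raw.items()}


def identifiable_single_source(pmf, h):
    """Z for one source: every spoofed packet carries the attacker's true hop
    count h, so only packets whose spoofed address sits at h slip through."""
    return 1.0 - pmf.get(h, 0.0)


def identifiable_multi_source(pmf, hop_counts):
    """Z for n sources each sending F/n packets from hop count h_i: the escaping
    share is the average over sources of the addresses sharing h_i."""
    z_bar = sum(pmf.get(h, 0.0) for h in hop_counts) / len(hop_counts)
    return 1.0 - z_bar


def identifiable_uniform_ttl(pmf, hi, hj):
    """Z against forged hop counts drawn uniformly from [hi, hj] (H = hj-hi+1):
    a packet forged with h_k passes only if its spoofed address is at h_k, so
    the unidentifiable share Z-bar is the mean of the pmf over the window."""
    H = hj - hi + 1
    z_bar = sum(pmf.get(hk, 0.0) for hk in range(hi, hj + 1)) / H
    return 1.0 - z_bar


def best_single_source_evasion(pmf):
    """Worst case for HCF: an attacker located at the most common hop count."""
    h = max(pmf, key=pmf.get)
    return h, identifiable_single_source(pmf, h)


if __name__ == "__main__":
    pmf = hop_count_pmf()
    h, z = best_single_source_evasion(pmf)
    print(f"single source at modal hop count {h}: Z = {z:.3f}")
    print(f"three sources at 12, 16, 20: Z = {identifiable_multi_source(pmf, [12, 16, 20]):.3f}")
    print(f"uniform TTL randomization over [10, 20]: Z = {identifiable_uniform_ttl(pmf, 10, 20):.3f}")
```

Randomizing the forged TTL spreads the packets over hop counts that are each rarer than the mode, so it raises Z rather than lowering it, which is the slide's point.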
Rationales for Hop-Count Filtering (cont’d): Robustness against HCF-aware attackers (cont’d)
• The attacker may want to set an appropriate initial TTL value for successful evasion of the HCF filter
  - But the attacker cannot observe the final TTL values of normal traffic at the victim
  - It is also difficult to infer the Internet backbone topology from an Internet map
• Hop-count stability
  - Frequent changes in Internet topology could lead to the following:
    - Filtering inaccuracy when an out-of-date mapping is in use
    - Excessive mapping updates to HCF
  - The modern Internet, based on BGP, is stable: a vast majority of BGP instability stems from a small number of destinations

Hop-Count Filtering: IP2HC mapping table construction
• Objectives in building the table
  - Accurate IP2HC mapping: requires 1:1 mappings between address and hop-count value
  - Moderate storage overhead, but it should not lead to inaccuracy of the IP2HC mapping table
• Hop-Count Clustering
  - Optimizes the trade-off between the above objectives
  - The clustering structure is composed of a hash table and binary trees
  - Each entry in the hash table represents a 24-bit address prefix
  - The binary tree pointed to by each entry stores the actual mappings within the network represented by the 24-bit prefix

IP2HC mapping table construction (cont’d): Example of hop-count clustering

Figure 6: Structure of the IP2HC mapping table (the /24 entry 0/24 is split into sub-prefixes 0/25, 128/25, 0/26, 64/26, 0/27, 32/27, 16/28, 16/29 and 24/29; aggregated sub-prefixes such as 128/25 and 64/26 map to hop count 20)

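One way to realise the clustered table of the two slides above, as an added example (not the paper's implementation): a dict keyed by 24-bit prefix plays the hash table, and each value is a binary tree over the remaining 8 host bits whose leaves carry a hop count, so a whole sub-prefix with one hop count (such as 128/25 in Figure 6) costs a single node. The optimistic rule that an unlearned sub-tree adopts the first hop count it sees, and the sample addresses, are assumptions of this example.

```python
# Added example: IP2HC table with hop-count clustering (hash on /24, binary
# tree over the host bits, sibling leaves merged when their hop counts agree).
import ipaddress


class _Node:
    __slots__ = ("hc", "children")   # leaf: hc set; internal node: children set
    def __init__(self, hc=None):
        self.hc, self.children = hc, None


class IP2HCTable:
    def __init__(self):
        self.buckets = {}   # 24-bit prefix -> root of that /24's binary tree

    def update(self, ip, hop_count):
        """Learn ip -> hop_count (the paper does this only for packets of
        established TCP connections).  Assumption of this example: an untouched
        sub-tree takes the first hop count it sees; a disagreement splits it."""
        addr = int(ipaddress.IPv4Address(ip))
        root = self.buckets.setdefault(addr >> 8, _Node())
        self._insert(root, addr & 0xFF, 7, hop_count)

    def _insert(self, node, host, bit, hc):
        if node.children is None and (node.hc in (None, hc) or bit < 0):
            node.hc = hc                      # unknown, agreeing, or /32 leaf
            return
        if node.children is None:             # differing leaf: split, copy label down
            node.children = [_Node(node.hc), _Node(node.hc)]
            node.hc = None
        self._insert(node.children[(host >> bit) & 1], host, bit - 1, hc)
        l, r = node.children                  # re-aggregate when both halves agree
        if l.children is None and r.children is None and l.hc == r.hc:
            node.hc, node.children = l.hc, None

    def lookup(self, ip):
        """Hop count learned for ip, or None if its /24 was never seen."""
        addr = int(ipaddress.IPv4Address(ip))
        node, host, bit = self.buckets.get(addr >> 8), addr & 0xFF, 7
        while node is not None and node.children is not None:
            node, bit = node.children[(host >> bit) & 1], bit - 1
        return None if node is None else node.hc

    def node_count(self):
        """Tree nodes in use: the storage side of the accuracy/size trade-off."""
        def count(n):
            return 1 if n.children is None else 1 + count(n.children[0]) + count(n.children[1])
        return sum(count(r) for r in self.buckets.values())


if __name__ == "__main__":   # constructed sample: one /24 at 20 hops, a /30 inside it at 17
    t = IP2HCTable()
    for ip, hc in [("198.51.100.130", 20), ("198.51.100.5", 17), ("198.51.100.4", 17)]:
        t.update(ip, hc)
    print(t.lookup("198.51.100.200"), t.lookup("198.51.100.5"), t.node_count())
```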
IP2HC mapping table construction (cont’d): Efficiency of Clustering

Figure 7: Comparison of accuracy and table size between aggregations

Hop-Count Filtering: Actual Deployment of HCF
• HCF operates in two running states for efficient packet processing, because HCF adds delay in the critical path of packet processing
  - Learning state: captures legitimate changes in hop count and detects the presence of spoofed packets
  - Filtering state: actively discards spoofed packets

Actual Deployment of HCF (cont’d): Operations in the two HCF states
• IP2HC_inspect(): the same operation as described in Figure 3
• Packet sampling in the learning state: exponentially distributed sampling
• Thresholds for state change
  - T1: from learning state to filtering state
  - T2: from filtering state to learning state
  - Making T1 < T2 is desirable, for avoiding frequent state changes

Figure 7: Operations in the two HCF states

Experimental Evaluation: Experimental Environment
• HCF implementation in the Linux kernel
  - Modified /usr/src/linux-source-2.X.X/net/ipv4/ip_input.c
  - Test module programmed within int ip_rcv() in ip_input.c
• IP2HC table
  - 4096-bucket hash with chaining
  - Linear array of 127 elements as the clustering tree
• Test bed
  - Two machines connected to a 100 Mb/s Ethernet hub
  - Victim: a Dell Precision workstation (CPU: Pentium 1.9 GHz, Memory: 1 GB) with HCF installed
  - Attacker: emulates a DDoS attack by generating randomly spoofed TCP SYN flooding and ICMP flooding

Experimental Evaluation: Experimental Results
• The results show the following
  - The HCF-installed machine is robust against DDoS attacks: it does not waste resources processing spoofed traffic
  - The CPU overhead induced by HCF is small: less than 7% in the case of TCP and UDP bulk transfers
  - Consumed CPU cycles in each case, without HCF and with HCF: installing HCF is much more efficient

Table 1: CPU overhead of HCF and IP processing
Figure 8: Resource Savings by HCF

Conclusion
• Hop-Count Based Filtering
  - Detects and discards spoofed IP traffic based on hop count
  - Can remove 90% of spoofed traffic
  - Not a complete solution, but can be an effective wall against spoofing
• A new approach to defending against DDoS attacks
  - DDoS exploits IP spoofing as a typical tool
  - Detection is possible in an early phase
• Future Work
  - Requires a systematic procedure for parameter setting: sampling period, IP2HC table update period, state change thresholds
  - Deploying HCF in various high-profile servers for more accurate measurement and optimization

Q & A
Any Questions? Comments?