1 / 8

Hash-Based IP Traceback

Hash-Based IP Traceback. U Kang Computer Science Department 15-744 Computer Networks. Motivation. Our network or hosts have been compromised How can we trace the attackers identity?. 2. Problem Definition. IP traceback problem Given packets of interest,

kert
Download Presentation

Hash-Based IP Traceback

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hash-Based IP Traceback U Kang Computer Science Department 15-744 Computer Networks

  2. Motivation Our network or hosts have been compromised How can we trace the attackers identity? 2

  3. Problem Definition IP traceback problem Given packets of interest, 1. Identify the source of the packets 2. Construct an attack graph composed of the attack paths for attack packets that arrived at the victim Attack Graph 3

  4. Log-based Traceback • Routers keep the log of packets • If an attack occurs, routers are queried for attack packets

  5. Challenges C1: Minimizing Cost Storage used to keep information C2: Accuracy No false negative Minimize false positive C3: Maintaining Privacy A tracing system should not adversely impact the privacy of legitimate users 5

  6. Proposed Method Source Path Isolation Engine(SPIE) Audit traffic by storing 32-bit packet digests rather than the packets themselves Solves “C1: Minimizing Cost”, “C3: Maintaining Privacy” Bloom Filters to Minimize False Positive Solves “C2: Accuracy” Bloom Filter - add() - isMember() 6

  7. SPIE Infrastructure 1. IDS detects an attack packet 2. IDS issue a traceback request to STM 3. STM asks all SCARS in its domain to poll their respective DGAs for the relevant traffic digests 4. SCARs construct attack subgraphs STM: Traceback Manager SCAR: Collection and Reduction Agents DGA: Data Generation Agent 7

  8. Discussion Deployment: can the SPIE infrastructure be deployed over multiple ISPs? Memory Requirements? A core router with a max. capacity of 640M pkts/sec requires 23 GB for one minute’s storage 8

More Related