Introduction to IP Traceback
Prof. 李程輝, Department of Communication Engineering, Chiao Tung University
Outline
• Introduction
• Ingress Filtering
• Packet Marking
• Packet Digesting
• Summary
Introduction
• The Internet has become ubiquitous
• The impact of network attackers is getting more and more significant
• Two kinds of attacks
  • A few well-targeted packets (e.g., the Teardrop attack)
  • Denial-of-service (DoS) and distributed DoS (DDoS), typically conducted by flooding network links with large amounts of traffic
DDoS (figure): (a) direct DDoS, (b) reflector attack
The Difficulty of Catching the Attacker
• The anonymity of the IP protocol
  • The true source of an IP datagram cannot be identified if the source wishes to conceal it
• Solution: ingress filtering
  • In some places spoofed source addresses are legitimate
    • Network address translators (NATs)
    • Mobile IP
IP Traceback Problem
• The IP traceback problem: identifying the source of the offending packets
• "Source" may mean
  • A zombie
  • A reflector
  • A spoofed address
  • The ingress point to the traceback-enabled network
  • One or more compromised routers within the enabled network
IP Traceback Problem - Solutions
• Packet marking
  • Copes with DDoS attacks
  • Each router marks packets with its identification
  • The victim can reconstruct the attack path once a sufficient number of packets has been collected
• Packet digesting
  • For attacks that require only a few packets
  • Requires storage of audit trails on the routers
  • The victim asks the routers whether the offending packet passed through them earlier
Evaluation Metrics for IP Traceback Techniques (1)
• ISP involvement
• Number of attacking packets needed for traceback
• The effect of partial deployment
• Processing overhead
• Bandwidth overhead
• Memory requirements
• Ease of evasion
Evaluation Metrics for IP Traceback Techniques (2)
• Protection
• Scalability
• Number of functions needed to implement
• Ability to handle major DDoS attacks
• Ability to trace transformed packets
  • Network address translation (NAT)
  • Tunneling
  • ICMP packets
  • Duplication of a packet in multicast
Ingress Filtering
• Limit the source addresses of IP datagrams leaving a network to addresses belonging to that network
• If ingress filtering is not deployed everywhere, attackers can still spoof any address on the Internet
Why Don't People Run Ingress Filtering?
• It is easy! It improves security! Why not run it?
• Some people do run it
• In current routers it is implemented in the slow path (in software, not in hardware)
• It is easy for routers close to the edge of the network, where addressing rules are well defined
• It becomes complex and inefficient for transit networks, where packets with a given source address can enter the network at multiple locations
Packet Marking
• Probabilistic packet marking (PPM)
• ICMP traceback (iTrace)
• Deterministic packet marking (DPM)
Probabilistic Packet Marking
• Routers mark packets that pass through them
• Packets to be marked are selected with probability p = 0.04
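The marking and path reconstruction described on these slides, as an added example (not code from the slides): a simulation of the edge-sampling variant of PPM from Savage et al. (in the references), where each router starts a new mark with probability p = 0.04 and otherwise completes the edge begun by its upstream neighbour, and the victim orders the collected edge samples by distance to rebuild the path. The mark is carried as a plain record rather than packed into the 16-bit ID field, and the router names, seed and packet count are constructed.

```python
import math
import random

P_MARK = 0.04   # marking probability quoted on the slide

def mark_packet(path, rng, p=P_MARK):
    """Edge-sampling marking (Savage et al.) as a packet traverses `path`, a list
    of router names ordered attacker -> victim.  Returns the (start, end,
    distance) sample that reaches the victim, or None if nobody marked it."""
    mark = None
    for router in path:
        if rng.random() < p:
            # start a new edge sample, overwriting whatever was there before
            mark = {"start": router, "end": None, "distance": 0}
        elif mark is not None:
            if mark["distance"] == 0:
                mark["end"] = router      # complete the edge begun one hop upstream
            mark["distance"] += 1         # every hop after the start increments
    return mark

def reconstruct_path(marks):
    """Victim side: order edge samples by distance to rebuild the path, returned
    attacker -> victim.  Returns None if the samples conflict or a hop is missing."""
    by_distance = {}
    for m in marks:
        d = m["distance"]
        if by_distance.setdefault(d, m["start"]) != m["start"]:
            return None                   # two routers claim the same hop
        if d > 0 and by_distance.setdefault(d - 1, m["end"]) != m["end"]:
            return None
    hops = max(by_distance, default=-1) + 1
    if any(d not in by_distance for d in range(hops)):
        return None                       # some hop was never sampled
    return [by_distance[d] for d in reversed(range(hops))]

def expected_packets(hops, p=P_MARK):
    """Savage's bound on the packets the victim needs: ln(d) / (p (1-p)^(d-1))."""
    return math.log(hops) / (p * (1 - p) ** (hops - 1))

def simulate(path, n_packets, seed=1):
    """Send n_packets along path (constructed traffic) and let the victim rebuild it."""
    rng = random.Random(seed)
    marks = [m for m in (mark_packet(path, rng) for _ in range(n_packets)) if m]
    return reconstruct_path(marks)
```

With p = 0.04 the farthest router on a 10-hop path survives in only about 2.8% of packets, which is why the victim needs on the order of a hundred packets before every hop has been sampled.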
Pros & Cons
• Pros
  • High stability
  • Still works under partial deployment
  • No bandwidth overhead
  • Low network processing overhead (only deciding which packets to mark)
• Cons
  • Only for DoS and DDoS attacks
  • The victim needs a lot of memory and processing
  • Without authentication, mark spoofing may happen
Ability to Trace Transformed Packets
• Can handle packet modification (transformation) of the packets directed to the victim
• The ID field used for fragmentation is reused for the mark
  • If a single fragment of the original datagram is marked, reassembly fails at the destination
  • Solution: select a lower marking probability for fragmented packets
• Tunneling may create a problem for reconstruction if marks are extracted before the outer header is removed
ICMP Traceback (iTrace)
• An ICMP traceback message (iTrace) carries
  • Next hop
  • Previous hop
  • Timestamp
  • As many bytes of the traced packet as possible
  • TTL = 255
"Intention-Driven" iTrace
• Attack[V] = 1 if victim V is attacked
• Intention[V] = 1 if victim V wants to receive ICMP traceback messages
• Received[R→V]: how many iTrace messages from router R to victim V have been received
• Generated[R]: the number of iTrace messages generated by router R for all destinations
• The value of an ICMP packet can be a function of
Architecture
• Introduce a new bit: the intention bit
• The intention bit in the routing table is set to 1 if the destination has the intention to receive ICMP traceback packets
• Decision module
  • "Chooses" one entry from the routing table
  • Prefers the one with the highest value
Pros & Cons
• The pros and cons of iTrace are similar to those of PPM, except:
  • iTrace has bandwidth overhead; PPM has none
  • Without authentication, fake ICMP packets may be generated more easily
Deterministic Packet Marking
• Each packet is marked when it enters the network
• Only incoming packets are marked
• Mark: address information of the ingress interface
• 16-bit ID field + 1-bit reserved flag
PPM vs. DPM
• Mark spoofing
  • PPM: use a coding technique (but not 100% effective)
  • DPM: a spoofed mark is overwritten at the ingress router
• Information received by the victim
  • PPM: the full path
  • DPM: the address of the ingress router
Method 1 - The Information of Marks (figure: pad, ideal hash)
Method 1 - Reconstruction Process (figure)
• Each area has k segments
• Each segment has a fixed number of bits
Method 1 - Performance
• M: the number of all routers
• N: the number of attackers (ingress routers)
• d bits are used to hold the hash value of a router
• There will be m routers with the same digest
• The expected number of different values a segment will take is
Method 1 - Example
• M = 4096, N = 1024, d = 10, a = 4, s = 3
• Choose N balls from the boxes, each box holding m balls (m = M/ = 4)
  • w boxes with 4 balls, x boxes with 3 balls, y boxes with 2 balls, z boxes with 1 ball
• F(w,x,y,z): the number of combinations yielding a given w, x, y, z
Method 1 - Example
• P(w,x,y,z): the probability of a given w, x, y, z
• A: the number of false address combinations
• Total number of false positives = A/ = 346.57
• Each attacker produces 0.338 false positives on average
Method 2
• The 17 usable bits are divided into two parts
  • g-bit mark
  • h-bit mark identifier
• For example: g = 14, h = 3
• The mark segments together represent the IP address
Method 2
• The false positive rate is
• The reconstruction process is complex
• The required number of matches is
• For N = 1K
  • The false positive rate =
  • The required number of matches =
Method 3
• First stage
  • Needs 6 hashes
  • Needs matches
  • The false positive rate
  • For N = 1K, the false positive rate = 0.25
• Second stage
  • Needs hashes
  • Needs matches
  • The false positive rate is bounded by
  • For N = 1K, the false positive rate is bounded by 0.4883%
Packet Digesting
• Compute a digest over
  • The invariant portion of the IP header (16 bytes)
  • The first 8 bytes of the payload
• These 24 bytes are sufficient to differentiate all packets
Prefix Length & Collision Probability (figure)
• A WAN trace from an OC-3 gateway router
• A LAN trace from an active 100 Mb Ethernet segment
Bloom Filter (1)
• A technique that simply stores the digests
• For each arriving packet
  • Step 1: use k different hash functions to compute k independent n-bit digests
  • Step 2: set the corresponding bits in the bit digest table
Bloom Filter (2)
• Lookup: check the k bits belonging to the packet
  • If any one of them is zero, the packet was not stored in the table
  • If all the bits are one, it is highly likely the packet was stored
    • It is possible that some set of other insertions caused all the bits to be set
• Restriction
  • Can only store a limited number of digests
  • Saturated filters can be swapped out for a new, empty filter
  • Switching to a new filter loses the digest information held in the previous one
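The 24-byte digest input and the Bloom-filter digest table from the last few slides, as an added example (not SPIE's code): the mutable header bytes (ToS, TTL, checksum) are masked so that the same packet seen at different hops yields the same digest, k salted SHA-256 hashes stand in for SPIE's hash family (an assumption of this example), and the classic Bloom estimate shows the false positive rate climbing as the table saturates. The packets are constructed.

```python
import hashlib
import math

# IPv4 header byte offsets that change hop by hop (ToS, TTL, checksum) and are
# masked before digesting: 20 - 4 = 16 invariant bytes, as on the slide.
MUTABLE_OFFSETS = {1, 8, 10, 11}

def digest_input(packet):
    """The 24 bytes SPIE digests: 16 invariant header bytes + first 8 payload bytes."""
    header, payload = packet[:20], packet[20:28]
    invariant = bytes(b for i, b in enumerate(header) if i not in MUTABLE_OFFSETS)
    return invariant + payload.ljust(8, b"\x00")   # zero-pad short payloads

class DigestTable:
    """Bloom filter of 2**n bits with k salted SHA-256 hashes (the salt stands in
    for SPIE's per-router hash family; an assumption of this example)."""

    def __init__(self, n_bits=16, k=3):
        self.n, self.k = n_bits, k
        self.bits = bytearray(2 ** n_bits // 8)
        self.count = 0

    def _positions(self, data):
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + data).digest()
            yield int.from_bytes(h[:4], "big") % (2 ** self.n)

    def insert(self, packet):
        for pos in self._positions(digest_input(packet)):
            self.bits[pos // 8] |= 1 << (pos % 8)
        self.count += 1

    def __contains__(self, packet):
        # all k bits set -> "highly likely stored"; any zero -> definitely not
        return all((self.bits[pos // 8] >> (pos % 8)) & 1
                   for pos in self._positions(digest_input(packet)))

    def false_positive_rate(self):
        """Classic estimate (1 - e^(-k*count/m))^k; rises as the filter saturates."""
        m = 2 ** self.n
        return (1 - math.exp(-self.k * self.count / m)) ** self.k

def make_packet(ttl, src, dst, payload):
    """Constructed minimal IPv4 header (no options; checksum left zero, it is masked)."""
    header = bytearray(20)
    header[0] = 0x45                        # version 4, IHL 5
    header[8] = ttl
    header[9] = 6                           # protocol TCP
    header[12:16], header[16:20] = bytes(src), bytes(dst)
    return bytes(header) + payload
```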
Architecture (1)
• Data Generation Agent (DGA)
• SPIE Collection and Reduction Agents (SCARs)
• SPIE Traceback Manager (STM)
Architecture (2)
• DGA: a SPIE-enhanced router
  1. Produces packet digests
  2. Stores the digests in a table annotated with time and hash function
• SCARs: concentration points for several routers
  1. Produce the local attack graph
Architecture (3)
• STM
  • Controls the whole SPIE system
  • The interface for requesting a packet trace
  1. Verifies the authenticity of the request
  2. Dispatches the request to the appropriate SCARs
  3. Gathers the resulting attack graphs
  4. Completes the attack graph
  5. Replies to the IDS
Traceback Processing (flowchart)
• The IDS determines that an exceptional event has occurred and submits packet P, victim V and time of attack T
• The STM cryptographically verifies the authenticity of the request
• Each SCAR polls its DGAs and produces a partial attack graph
• If the packet entered the region from another network, the query is repeated at another SCAR with
  • T': the time the packet entered the region
  • P': the packet as it entered
  • V': the border router between the two networks
• Otherwise the traceback terminates
Graph Construction (figure)
• Reverse path flooding
  • R8; R9
  • R7
  • R4; S5; R5
  • R3; R2
• The SCAR does not need to query the DGAs sequentially
Ability to Trace Transformed Packets (1)
• Transform lookup table (TLT)
  • Records sufficient packet data at the time of transformation to allow the original packet to be reconstructed
  • 1st field: a digest of the transformed packet
  • 2nd field: the type of transformation (including a flag I)
  • 3rd field: a variable amount of packet data
Ability to Trace Transformed Packets (2)
• Flag I (indirect flag)
  (1) For some transformations, such as NAT, the 32-bit data field is not enough; with I = 1 the third field is treated as a pointer
  (2) In many cases (e.g., tunneling or NAT), packets undergoing a particular transformation are related, so the storage requirement can be reduced by suppressing duplicate packet data. Flag I is used for flow caching, or at least identification, so that the packets within the flow can be correlated and stored appropriately.
Summary
• In recent years much interest and consideration have been paid to securing the Internet infrastructure
• To detect the offending packets, IDS (Intrusion Detection Systems) become more and more important
• Detecting the offending packets (IDS), then finding the attackers (IP traceback)
• Several methods have been proposed; each has its own advantages and disadvantages
• None of the methods described in this article has been used on the Internet
• When economic or political incentives become strong enough to justify deployment of IP traceback, new requirements and evaluation metrics might emerge
References
• R. K. C. Chang, "Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial," IEEE Commun. Mag., Oct. 2002, pp. 42–51.
• A. Belenky and N. Ansari, "On IP Traceback," IEEE Commun. Mag., vol. 41, no. 7, July 2003.
• S. Savage et al., "Network Support for IP Traceback," IEEE/ACM Trans. Net., vol. 9, no. 3, June 2001, pp. 226–37.
• D. X. Song and A. Perrig, "Advanced and Authenticated Marking Schemes for IP Traceback," Proc. INFOCOM, 2001, vol. 2, pp. 878–86.
• S. F. Wu et al., "On Design and Evaluation of 'Intention-Driven' ICMP Traceback," Proc. 10th Int'l. Conf. Comp. Commun. and Nets., 2001, pp. 159–65.
• A. Belenky and N. Ansari, "IP Traceback With Deterministic Packet Marking," IEEE Commun. Lett., vol. 7, no. 4, April 2003.
• A. Belenky and N. Ansari, "Tracing Multiple Attackers With Deterministic Packet Marking," IEEE PACRIM '03, August 2003.
• A. C. Snoeren et al., "Single-Packet IP Traceback," IEEE/ACM Trans. Net., vol. 10, no. 6, Dec. 2002, pp. 721–34.