
Agenda

Agenda. Last time: finished brief overview of buffer-overflow attacks Today: IP Traceback. What and Why. IP Traceback: operation of tracing the source of an IP packet Why is this important and useful? If done properly, can be used to limit DDoS attacks



Presentation Transcript


  1. Agenda
  • Last time: finished brief overview of buffer-overflow attacks
  • Today: IP Traceback
  SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo

  2. What and Why
  • IP Traceback: the operation of tracing the source of an IP packet
  • Why is this important and useful?
    • If done properly, can be used to limit DDoS attacks
    • Post-mortem analysis, investigation into other kinds of network attacks
  • Potential drawback?
    • Abused by repressive regimes/organizations
  • Why is it difficult?
    • Potentially resource-intensive, a target for DoS itself
    • Internet is stateless
    • Backward compatibility (think of source-routing)
    • Avoid the new scheme itself being “spoofed”
    • The “true” identity of an attacker may still be unknown

  3. Overview of existing approaches
  • Ingress filtering
  • Input debugging
  • Controlled flooding
  • Logging
  • ICMP traceback
  • Probabilistic Packet Marking (PPM)
  • Hash-based [one of your reading assignments]

  4. Ingress filtering
  • Routers block packets that arrive with illegitimate source addresses
  • Requires the interface to be configured with a range of valid IPs
  • Quite feasible at customer networks at the edge
  • Drawbacks
    • At higher-level ISPs, traffic load is higher and the “valid” IP range is ambiguous
    • With hundreds or thousands of customers, one can forge the IP of another without much trouble
    • Not all ISPs do this. Many don’t because of the administrative burden, no economic incentive, and interference with services requiring spoofing (mobile IP)

  5. Input debugging
  • Use the “input debugging” feature of routers to do traceback
  • Input debugging allows operators to filter particular packets (matching some kind of signature) on some egress port and determine which ingress port they came from
  • Manually: call the upstream router operator
  • Automatically: some ISPs have tools to do this
  • Drawbacks:
    • Often too slow
    • Management overhead
    • Coordination with other ISPs is difficult, and very slow

  6. Controlled Flooding
  • Selectively flood a link to observe attack traffic, with the help of some Internet map
  • This does not require intermediate operator intervention
  • Drawbacks
    • This is a form of DoS itself
    • Requires the map, which is itself non-trivial
    • Poorly suited for DDoS
    • Only effective for on-going attacks, cannot be used for post-mortem analysis

  7. ICMP Traceback
  • Every router samples with low probability (1/20K) one of the packets it’s forwarding
  • Copies the content into a special ICMP traceback message sent along the path to the destination, containing
    • Back link, forward link, authentication
  • Destination then uses this info to do traceback
  • Drawbacks
    • ICMP traffic is also differentiated and may be filtered
    • Requires input-debugging, which may not be available in some router architectures
    • Requires a key distribution architecture to avoid itself being attacked
  • However, this is quite effective

  8. Probabilistic Packet Marking (PPM)
  • Idea proposed by Burch & Cheswick
  • First scheme proposed by Stefan Savage et al.
  • We’ll look at this idea in detail

  9. PPM: Assumptions
  • An attacker may generate any packet
  • Multiple attackers may conspire
  • Attackers are aware that they’re being traced
  • Packets may be lost or re-ordered
  • Attackers send numerous packets
  • Route between attacker(s) and receiver is fairly stable
  • Routers are both CPU and memory limited
  • Routers are not widely compromised
  • Compatible with current IP protocol

  10. PPM: Node Append
  • The most basic algorithm
  • Each router appends its IP to the packet
  • Pros:
    • Robust and quick to converge
  • Cons:
    • High router overhead
    • Interferes with MTU discovery, IP fragmentation, …

  11. PPM: Node sampling
  • Reserve some 32-bit field in each IP packet
  • A router randomly puts its IP in this field with probability p
  • Victim receives multiple packets, uses this database to approximately reconstruct the path. How?
    • Probability of receiving a packet marked by the router d hops away is p(1-p)^(d-1); p should be > ½.
    • This probability is monotonic in d, so we can use the frequency of IPs to reconstruct the path to the destination
  • Drawbacks
    • Inferring is a slow process
    • Requires a sufficient number of received packets, e.g. for d=15, p = 0.51, we need 42000 packets before the furthest router is “seen” at the target
    • Not effective against multiple attackers: routers at the same distance from different sources are sampled at the same rate
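To make the frequency argument concrete, here is an added Python simulation of node sampling (my code, not from the slides or from Savage et al.): each router on a constructed 8-router path overwrites the reserved field with probability p, and the victim sorts routers by how often their address survives to the end. It also evaluates the expected-packet count 1/[p(1-p)^(d-1)] behind the slide's 42000 figure. Router names, path length, packet count and the random seed are constructed for the example.

```python
import random


def expected_packets_node_sampling(p, d):
    """Expected packets the victim must receive before it sees the router
    d hops away: that router must write the field (prob p) and every
    router closer to the victim must leave it alone (prob (1-p)^(d-1))."""
    return 1.0 / (p * (1 - p) ** (d - 1))


def node_sample(path, p, rng):
    """One packet traversing `path` (attacker side first, victim side last).
    Each router overwrites the single 32-bit field with probability p, so
    only the last router that chose to write survives at the victim."""
    field = None
    for router in path:
        if rng.random() < p:
            field = router
    return field


def reconstruct_by_frequency(samples):
    """Victim's inference: the router seen most often is the nearest one
    (its mark is overwritten least often), so sorting by count, descending,
    yields the path from the victim outwards."""
    counts = {}
    for router in samples:
        if router is not None:
            counts[router] = counts.get(router, 0) + 1
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    return [router for router, _ in ranked]


def simulate_node_sampling(path, p, packets, seed=7):
    """Send `packets` packets down `path` and return the victim's
    reconstruction, nearest router first."""
    rng = random.Random(seed)  # fixed seed: constructed, reproducible run
    samples = [node_sample(path, p, rng) for _ in range(packets)]
    return reconstruct_by_frequency(samples)


if __name__ == "__main__":
    # Constructed 8-router path; R8 is the router adjacent to the victim.
    path = [f"R{i}" for i in range(1, 9)]
    print(simulate_node_sampling(path, 0.51, 200_000))
    print(round(expected_packets_node_sampling(0.51, 15)))
```

With p = 0.51 each router one hop further away is seen about half as often, which is why the ordering is recoverable but the far end of the path needs so many packets; the multi-attacker weakness on the slide follows directly, since two routers at equal distance from different sources would land in the same frequency bucket.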

  12. PPM: Edge Sampling
  • Idea: sample the “edges” on the paths instead of nodes:
    • Reserve 2 32-bit fields in every packet, FROM & TO
    • One more field (8 bits) called HOP
  • Sampling is done as follows. Fix a probability p
    • Choose x at random in [0, 1)
    • If x < p then write IP into packet.FROM
      Else if packet.HOP = 0 then write IP into packet.TO
           packet.HOP++

  13. PPM: Edge Sampling
  • Time to converge is dominated by the time to receive a sample from the furthest router, roughly 1/[p(1-p)^(d-1)]
  • Expected number of packets required to work properly is at most ln(d)/[p(1-p)^(d-1)]
  • Choose p = 1/d for the optimal result
  • In practice, choose p = 1/25 (as path lengths are often <= 25)
  • Pros
    • Single attacker: any packet written by the attacker will necessarily have distance at least the distance of the true attack path
    • Multiple attackers: the above applies to the closest attacker
    • Quite robust
  • Cons
    • Not backward compatible (requires > 64 more bits)
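As an added example (my code, not from the slides or from Savage et al.), the following Python runs edge sampling as written on slide 12 together with the victim-side reconstruction that slide 13 only describes. It follows the published scheme in also resetting HOP to 0 whenever FROM is written, which is what makes HOP equal the edge's distance from the victim, and it checks slide 13's single-attacker property by letting the attacker pre-fill the mark fields. Router names, the path, the packet count, the seed and the forged field values are constructed.

```python
import math
import random


class Mark:
    """The three reserved fields of one packet: FROM and TO (32 bits each), HOP (8 bits)."""

    def __init__(self, frm=None, to=None, hop=0):
        self.frm, self.to, self.hop = frm, to, hop


def expected_packets_edge_sampling(p, d):
    """Slide 13's bound: at most ln(d) / [p (1-p)^(d-1)] packets are needed
    for the victim to see every edge of a d-hop path."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


def edge_mark(router, mark, p, rng):
    """One router's marking step (edge sampling)."""
    if rng.random() < p:
        mark.frm = router
        mark.hop = 0          # reset: HOP now counts routers after FROM
    else:
        if mark.hop == 0:
            mark.to = router  # the router right after FROM closes the edge
        mark.hop += 1         # every later router adds one hop


def send_packet(path, p, rng, mark=None):
    """Forward one packet along `path` (attacker side first). `mark` lets
    the attacker pre-fill the fields; otherwise they start empty."""
    if mark is None:
        mark = Mark()
    for router in path:
        edge_mark(router, mark, p, rng)
    return mark


def reconstruct_path(marks, victim="victim"):
    """Victim side: a mark with HOP=0 is the edge (FROM, victim); otherwise
    it is the edge (FROM, TO) at distance HOP. Walk outward from the victim,
    at each distance taking the FROM whose TO is the node just found."""
    edges = set()
    for m in marks:
        if m.frm is None:
            continue                      # no router wrote this packet
        end = victim if m.hop == 0 else m.to
        edges.add((m.frm, end, m.hop))
    path, distance = [victim], 0
    while True:
        nxt = [f for f, e, h in edges if e == path[-1] and h == distance]
        if not nxt:
            break
        path.append(nxt[0])
        distance += 1
    return path[:0:-1]  # routers only, attacker side first


def simulate_edge_sampling(path, p, packets, seed=3):
    rng = random.Random(seed)  # constructed, reproducible run
    marks = [send_packet(path, p, rng) for _ in range(packets)]
    return reconstruct_path(marks)


def forged_mark_after_transit(path, p, seed=3):
    """Slide 13's single-attacker property: a mark the attacker fills in is
    either overwritten by some router (FROM changes) or arrives with
    HOP >= the true path length, so it cannot claim a shorter path."""
    rng = random.Random(seed)
    forged = Mark(frm="FAKE-FROM", to="FAKE-TO", hop=0)  # constructed values
    return send_packet(path, p, rng, forged)


if __name__ == "__main__":
    path = [f"R{i}" for i in range(1, 11)]  # constructed 10-hop path
    print(simulate_edge_sampling(path, 1 / 25, 2000))
    print(round(expected_packets_edge_sampling(1 / 25, 10)))
```

The reconstruction only trusts an edge that connects to a node it has already placed at the previous distance, which is what lets the victim ignore leftover forged values: a forged FROM either disappears when a real router writes, or reaches the victim with a HOP that is too large to fit anywhere in the walk.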

  14. Encoding Issues
  • Compressed edge segment sampling: 3 techniques
    • Next router fills FROM XOR TO into the 32-bit space
    • Partition the address into k fragments, send a fragment along with its fragment offset; the next-hop router uses the offset to send the right fragment. Over time, all fragments of all edge IDs are received.
    • XORing makes edge IDs not unique, so compute a hash of an IP, interleave it with the actual IP, then do fragmentation
  • Expected # of packets needed to reconstruct the path is k ln(kd)/[p(1-p)^(d-1)]
    • For instance, if k=8, d=10, p=1/25, then we need about 1300 packets on average
  • In practice: overload the 16-bit identification field in each IP packet with a 3-bit offset (k=8), 5-bit distance (32 hops), 8-bit edge fragment
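The bit layout and the XOR-plus-hash-check trick on this slide are easier to see in code. The following is an added example (mine, not the slides' or Savage et al.'s): it packs a 3-bit offset, 5-bit distance and 8-bit fragment into the 16-bit identification field, builds a 64-bit router ID by interleaving an IPv4 address with a 32-bit hash of it, and shows how the victim, already knowing router A, recovers router B from the eight fragments of A XOR B and accepts the answer only when the hash half checks out. The choice of hash (SHA-256 truncated to 32 bits) is mine, since the slide names none; the addresses are constructed; the packet-count formula is slide 14's.

```python
import hashlib
import ipaddress
import math

K = 8                   # fragments per 64-bit edge id (3-bit offset field)
FRAG_BITS = 64 // K     # 8-bit fragments


def pack_ident(offset, distance, fragment):
    """Overload the 16-bit IP identification field: offset(3) | distance(5) | fragment(8)."""
    assert 0 <= offset < 8 and 0 <= distance < 32 and 0 <= fragment < 256
    return (offset << 13) | (distance << 8) | fragment


def unpack_ident(ident):
    return (ident >> 13) & 0x7, (ident >> 8) & 0x1F, ident & 0xFF


def _hash32(addr):
    # Constructed choice of hash: first 32 bits of SHA-256 over the 4 address bytes.
    return int.from_bytes(hashlib.sha256(addr.to_bytes(4, "big")).digest()[:4], "big")


def router_id64(ip):
    """Interleave the 32 address bits with the 32 hash bits (address bit i at
    position 2i+1, hash bit i at 2i) so every fragment carries some of each."""
    addr = int(ipaddress.IPv4Address(ip))
    h = _hash32(addr)
    out = 0
    for i in range(32):
        out |= ((addr >> i) & 1) << (2 * i + 1)
        out |= ((h >> i) & 1) << (2 * i)
    return out


def split_id64(id64):
    """Undo the interleaving; returns (address, hash)."""
    addr = h = 0
    for i in range(32):
        addr |= ((id64 >> (2 * i + 1)) & 1) << i
        h |= ((id64 >> (2 * i)) & 1) << i
    return addr, h


def fragment(id64, offset):
    return (id64 >> (offset * FRAG_BITS)) & ((1 << FRAG_BITS) - 1)


def edge_fragments(ip_from, ip_to):
    """What the victim eventually collects for one edge: at each offset, FROM's
    fragment XORed with TO's fragment (the next-hop router applies the XOR)."""
    a, b = router_id64(ip_from), router_id64(ip_to)
    return [fragment(a, o) ^ fragment(b, o) for o in range(K)]


def recover_neighbour(known_ip, frags):
    """Victim already knows one endpoint (it starts from itself): XOR that
    endpoint's fragments back in, reassemble 64 bits, and accept only if the
    hash half matches the address half. Returns the address or None."""
    known = router_id64(known_ip)
    id64 = 0
    for o, f in enumerate(frags):
        id64 |= (f ^ fragment(known, o)) << (o * FRAG_BITS)
    addr, h = split_id64(id64)
    if _hash32(addr) != h:
        return None
    return str(ipaddress.IPv4Address(addr))


def expected_packets_fragmented(k, d, p):
    """Slide 14: k ln(kd) / [p (1-p)^(d-1)]."""
    return k * math.log(k * d) / (p * (1 - p) ** (d - 1))
```

The hash check is what makes the XOR trick safe: without it, XORing an edge's fragments with the wrong known endpoint would still produce a well-formed 32-bit address, and the victim would have no way to tell a real neighbour from an artefact of the wrong guess.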

  15. Formalization of the Problem
  • b: number of extra header bits in each packet
  • n: number of bits used to describe a path
  • Investigate the tradeoff between b, convergence time, and the total number of packets needed to reconstruct the attack path(s) with high probability

  16. Interesting Results by Micah Adler
  • Single path attacks:
    • b=1 works! Requires Θ((2+ε)^(2n)) packets for any ε
    • Showed that, for b=1, Ω(2^n) packets are necessary
    • For general b, Adler gave a protocol that uses O(b·n²·2^b·(2+ε)^(4n/2^b)) packets, and showed Ω(2^b·2^(n/2^b)) is necessary
  • Multiple path attacks, say k paths
    • At least log(2k-1) header bits are needed [regardless of the number of received packets]
    • For a restricted class of attacker strategies, log(2k+1) bits are sufficient

  17. Open Problems
  • Close the upper-lower bound gap when b=1, single path attack
  • For multiple path attacks, there’s still a lot to be done, e.g.
    • Devise protocols for all attacker strategies
    • Computational complexity has not been addressed properly
    • …

  18. Brainstorming
  • What kind of information does the victim need?
  • Where can we store this information?
  • How can the routers be instructed to store this information?
    • This is the protocol
  • How effective is the protocol? This requires probabilistic analysis, information theoretic analysis
  • Drawbacks of PPM-related schemes?
    • Requires a large number of packets
    • Not an exact science

  19. A Simple Model for Upper Bounding
  • Assumptions [to be relaxed later]
    • Packet delivery paths form a tree rooted at the victim v
    • Assume the tree is full binary, depth = n
    • Each path can be encoded with B1B2…Bn
  • Want routers to send the victim the string B1B2…Bn
  • Protocol
    • Idea: encode the string into a probability of the victim receiving bit-1 packets
    • What’s the most natural way to do this?
    • Prob[packet with bit-1 received] = the binary number represented by B1B2…Bn divided by 2^n, i.e.
    • How do we realize this?

  20. A Simple Protocol
  • Each router knows its bit Bi
    • With probability ½, it forwards the bit as it is
    • With probability ½, it sets the bit to Bi
  • If the original bit is 0, then p is as expected
  • If the original bit is 1, then p is as expected + 1/2^n
    • Need to “fix” this case
  • Next time [I’ll talk a little bit about information theory]
  SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo
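To check the two cases on this slide, here is an added Python model (mine, not the lecture's): each router on the path forwards the incoming bit unchanged with probability ½ and overwrites it with its own Bi with probability ½. The exact probability is computed with fractions, and a seeded Monte Carlo run plays the victim, which rounds the observed frequency of 1s to the nearest multiple of 1/2^n and reads the result as the path. The convention assumed is that B1 belongs to the router adjacent to the victim (the root of slide 19's tree), so B1 is the most significant bit; the three-bit path, packet count and seed are constructed.

```python
import random
from fractions import Fraction


def prob_bit_one(path_bits, initial_bit):
    """Exact Pr[victim receives a 1]. path_bits = [B1, ..., Bn] with B1 the
    router next to the victim; the attacker's packet starts with initial_bit.
    Routers act in order Bn (first hop) ... B1 (last hop), so each router's
    bit is halved once per router between it and the victim."""
    p = Fraction(initial_bit)
    for b in reversed(path_bits):
        p = Fraction(1, 2) * p + Fraction(1, 2) * b
    return p


def path_as_number(path_bits):
    """The binary number B1B2...Bn (B1 most significant)."""
    value = 0
    for b in path_bits:
        value = (value << 1) | b
    return value


def decode(prob, n):
    """Victim's decoding: the n-bit path whose number is closest to prob * 2^n."""
    value = int(round(prob * 2 ** n))
    return [(value >> (n - 1 - i)) & 1 for i in range(n)]


def victim_estimate(path_bits, initial_bit, packets, seed=11):
    """Monte Carlo: the attacker sends `packets` packets all carrying
    initial_bit; the victim counts the 1s it receives and decodes."""
    rng = random.Random(seed)  # constructed, reproducible run
    ones = 0
    for _ in range(packets):
        bit = initial_bit
        for b in reversed(path_bits):
            if rng.random() < 0.5:
                bit = b
        ones += bit
    return decode(Fraction(ones, packets), len(path_bits))


if __name__ == "__main__":
    path = [1, 0, 1]  # constructed 3-hop path, B1 = 1 nearest the victim
    print(prob_bit_one(path, 0), prob_bit_one(path, 1))   # 5/8 and 6/8
    print(victim_estimate(path, 0, 20000), victim_estimate(path, 1, 20000))
```

With the attacker sending 0s the victim decodes 101 exactly; with 1s the extra 1/2^n term pushes the frequency to 6/8 and the victim decodes 110, which is the case the slide says still has to be fixed. The attacker does not need to know the path to cause this, only to choose the initial bit.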
