Agenda
• Last time: finished brief overview of buffer-overflow attacks
• Today: IP Traceback

SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo
What and Why
• IP Traceback: the operation of tracing the source of an IP packet
• Why is this important and useful?
  • If done properly, can be used to limit DDoS attacks
  • Post-mortem analysis, investigation into other kinds of network attacks
• Potential drawback?
  • Abused by repressive regimes/organizations
• Why is it difficult?
  • Potentially resource-intensive, a target for DoS itself
  • Internet is stateless
  • Backward compatibility (think of source routing)
  • Avoid the new scheme itself being "spoofed"
  • The "true" identity of an attacker may still be unknown
Overview of existing approaches
• Ingress filtering
• Input debugging
• Controlled flooding
• Logging
• ICMP traceback
• Probabilistic Packet Marking (PPM)
• Hash-based [one of your reading assignments]
Ingress filtering
• Routers block packets that arrive with illegitimate source addresses
• Requires the interface to be configured with a range of valid IPs
• Quite feasible at the customer network at the edge
• Drawbacks
  • At a higher-level ISP, traffic load is higher and the "valid" IP range is ambiguous
  • With hundreds or thousands of customers, one can forge the IP of another without much trouble
  • Not all ISPs do this. Many don't because of the administrative burden, no economic incentive, and interference with services requiring spoofing (mobile IP)
Input debugging
• Use the "input debugging" feature of routers to do traceback
• Input debugging allows operators to filter particular packets (with some kind of signature) on some egress port and determine which ingress port they come from
  • Manually: call the upstream router operator
  • Automatically: some ISPs have tools to do this
• Drawbacks:
  • Often too slow
  • Management overhead
  • Coordination with other ISPs is difficult, and very slow
Controlled Flooding
• Selectively flood a link to observe attack traffic, with the help of some Internet map
• This does not require intermediate operator intervention
• Drawbacks
  • This is a form of DoS itself
  • Requires the map, which itself is non-trivial
  • Poorly suited for DDoS
  • Only effective for on-going attacks, cannot be used for post-mortem analysis
ICMP Traceback
• Every router samples with low probability (1/20K) one of the packets it's forwarding
• Copies the content into a special ICMP traceback message sent along the path to the destination, containing
  • Back link, forward link, authentication, …
• Destination then uses this info to do traceback
• Drawbacks
  • ICMP traffic is also treated differently and may be filtered
  • Requires input debugging, which may not be available in some router architectures
  • Requires a key distribution architecture to avoid itself being attacked
• However, this is quite effective
Probabilistic Packet Marking (PPM)
• Idea proposed by Burch & Cheswick
• First scheme proposed by Stefan Savage et al.
• We'll look at this idea in detail
PPM: Assumptions
• An attacker may generate any packet
• Multiple attackers may conspire
• Attackers are aware that they're being traced
• Packets may be lost or re-ordered
• Attackers send numerous packets
• Route between attacker(s) and receiver is fairly stable
• Routers are both CPU and memory limited
• Routers are not widely compromised
• Compatible with the current IP protocol
PPM: Node Append
• The most basic algorithm
• Each router appends its IP to the packet
• Pros:
  • Robust and quick to converge
• Cons:
  • High router overhead
  • Interferes with MTU discovery, IP fragmentation, …
PPM: Node sampling
• Reserve some 32-bit field in each IP packet
• A router randomly puts its IP in this field with probability p
• Victim receives multiple packets, uses this database to approximately reconstruct the path. How?
  • Probability of receiving a packet carrying the mark of the router d hops away is p(1-p)^(d-1); p should be > ½.
  • This probability is monotonic in d, so we can use the frequency of IPs to reconstruct the path to the destination
• Drawbacks
  • Inferring is a slow process
  • Requires a sufficient number of received packets, e.g. for d=15, p = 0.51, we need 42000 packets before the furthest router is "seen" at the target
  • Not effective against multiple attackers: routers at the same distance from different sources are sampled at the same rate
PPM: Edge Sampling
• Idea: sample the "edges" on the paths instead of nodes:
  • Reserve 2 32-bit fields in every packet, FROM & TO
  • One more field (8 bits) called HOP
• Sampling is done as follows. Fix a probability p
  • Choose x at random in [0, 1)
  • If x < p then write IP into packet.FROM
    Else
      if packet.HOP = 0 then write IP into packet.TO
      packet.HOP++
PPM: Edge Sampling
• Time to converge is dominated by the time to receive a sample from the furthest router, roughly 1/[p(1-p)^(d-1)]
• Expected number of packets required to work properly is at most ln(d)/[p(1-p)^(d-1)]
• Choose p = 1/d for the optimal result
• In practice, choose p = 1/25 (as path lengths are often <= 25)
• Pros
  • Single attacker: any packet written by the attacker will necessarily have a distance at least the distance of the true attack path
  • Multiple attackers: the above applies to the closest attacker
  • Quite robust
• Cons
  • Not backward compatible (requires > 64 more bits)
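The two edge-sampling slides above, simulated end to end as an added example (not code from the lecture or from Savage et al.): routers mark FROM/TO/HOP as described, the victim rebuilds the path distance by distance, and forged marks written by the attacker are shown to land only beyond the true path. The path addresses, the packet count and the seed are constructed values.

```python
import math
import random

# Constructed single attack path: R1 sits next to the attacker, R10 next to the
# victim. Addresses and the marking probability are illustrative values.
PATH = [f"10.0.0.{i}" for i in range(1, 11)]
P = 1 / 25


def mark(pkt, router, p, rng):
    """One router's edge-sampling step (Savage et al.): writing FROM also resets
    HOP to 0, and HOP is only incremented on the non-marking branch, so at the
    victim HOP counts hops from the FROM router."""
    if rng.random() < p:
        pkt["from"], pkt["hop"] = router, 0
    else:
        if pkt["hop"] == 0:
            pkt["to"] = router
        pkt["hop"] += 1


def send(path, p, n_packets, seed, initial=("0.0.0.0", "0.0.0.0", 0)):
    """Attacker emits n_packets whose marking fields start as `initial`
    (zeros, or a forged edge); every router on `path` marks in turn.
    Returns the distinct (FROM, TO, HOP) triples the victim observes."""
    rng, seen = random.Random(seed), set()
    for _ in range(n_packets):
        pkt = dict(zip(("from", "to", "hop"), initial))
        for router in path:
            mark(pkt, router, p, rng)
        seen.add((pkt["from"], pkt["to"], pkt["hop"]))
    return seen


def reconstruct(samples):
    """Victim side: HOP 0 names the last-hop router; an edge at distance k is
    accepted only if its TO is the router already placed at distance k-1.
    Attacker-written fields arrive with HOP >= path length, so they can only
    appear beyond the true path, which is therefore always the result's suffix."""
    by_dist = {}
    for frm, to, hop in samples:
        by_dist.setdefault(hop, set()).add((frm, to))
    chain, dist = [], 0
    while dist in by_dist:
        cands = {frm for frm, to in by_dist[dist] if dist == 0 or to == chain[-1]}
        if len(cands) != 1:
            break
        chain.append(cands.pop())
        dist += 1
    return chain[::-1]  # attacker side first, same order as PATH


def expected_packets(d, p):
    """Slide's bound on packets needed for edge sampling: ln(d) / (p (1-p)^(d-1))."""
    return math.log(d) / (p * (1 - p) ** (d - 1))
```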
Encoding Issues
• Compress edge segment sampling: 3 techniques
  • Next router fills FROM XOR TO into the 32-bit space
  • Partition the address into k fragments, send a fragment along with its fragment offset; the next-hop router uses the offset to send the right fragment. Over time, all fragments of all edge IDs are received.
  • XORing makes edge IDs not unique: compute a hash of an IP, interleave it with the actual IP, then do fragmentation
• Expected # of packets needed to reconstruct the path is k ln(kd)/[p(1-p)^(d-1)]
  • For instance, if k=8, d=10, p=1/25, then we need about 1300 packets on average
• In practice: overload the 16-bit identification field in each IP packet with a 3-bit offset (k=8), 5-bit distance (32 hops), 8-bit edge fragment
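The three compression techniques on this slide, worked through as an added example (not the lecture's or Savage et al.'s code): each end of an edge contributes 8-bit fragments of its 64-bit interleaved address/hash value, XORed into the 16-bit identification field laid out as 3-bit offset, 5-bit distance, 8-bit fragment; the victim reassembles one distance's fragments, undoes the XOR with the downstream router it already knows, and uses the hash half to reject a wrong guess. The hash function (truncated SHA-256) and the addresses are assumptions.

```python
import hashlib

K = 8  # fragments per 64-bit edge id: 3-bit offset, 8-bit fragment, 5-bit distance


def ip_int(dotted):
    return int.from_bytes(bytes(int(x) for x in dotted.split(".")), "big")


def h32(addr):
    """Hypothetical 32-bit address hash; the slide leaves the hash function open."""
    return int.from_bytes(hashlib.sha256(addr.to_bytes(4, "big")).digest()[:4], "big")


def interleave(addr):
    """64-bit value alternating address bits and hash bits, MSB first."""
    h, out = h32(addr), 0
    for i in range(31, -1, -1):
        out = (out << 2) | (((addr >> i) & 1) << 1) | ((h >> i) & 1)
    return out


def deinterleave(v64):
    addr = h = 0
    for i in range(63, -1, -2):
        addr = (addr << 1) | ((v64 >> i) & 1)
        h = (h << 1) | ((v64 >> (i - 1)) & 1)
    return addr, h


def edge_fragments(start, end, dist):
    """The K identification-field values the victim ends up holding for edge
    start->end at distance dist: start wrote fragment o of its interleaved id,
    the next hop XORed in its own. Layout: offset<<13 | dist<<8 | fragment."""
    edge = interleave(ip_int(start)) ^ interleave(ip_int(end))
    return [(o << 13) | (dist << 8) | ((edge >> (8 * (K - 1 - o))) & 0xFF)
            for o in range(K)]


def recover_start(ip_ids, known_end):
    """Victim side: reassemble the fragments, undo the XOR with the already
    known downstream router, and accept only if the hash half agrees.
    Returns the dotted start address, or None (missing fragment / wrong end)."""
    frags = {f >> 13: f & 0xFF for f in ip_ids}
    if len(frags) != K:
        return None
    edge = int.from_bytes(bytes(frags[o] for o in range(K)), "big")
    a_xor, h_xor = deinterleave(edge)
    end = ip_int(known_end)
    start = a_xor ^ end
    if h32(start) ^ h32(end) != h_xor:
        return None
    return ".".join(str(b) for b in start.to_bytes(4, "big"))
```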
Formalization of the Problem
• b: number of extra header bits in each packet
• n: number of bits used to describe a path
• Investigate the tradeoff between b, convergence time, and the total number of packets needed to reconstruct the attack path(s) with high probability
Interesting Results by Micah Adler
• Single path attacks:
  • b=1 works! Requires Θ((2+ε)^(2n)) packets for any ε
  • Showed that, for b=1, Ω(2^n) packets are necessary
  • For general b, Adler gave a protocol that uses O(b n^2 2^(2b) (2+ε)^(4n/2^b)) packets, and showed Ω(2^b 2^(n/2^b)) is necessary
• Multiple path attacks, say k paths
  • At least log(2k-1) header bits are needed [regardless of the number of received packets]
  • For a restricted class of attacker strategies, log(2k+1) bits are sufficient
Open Problems
• Close the upper-lower bound gap when b=1, single path attack
• For multiple path attacks, there's still a lot to be done, e.g.
  • Devise protocols for all attacker strategies
  • Computational complexity has not been addressed properly
  • …
Brainstorming
• What kind of information does the victim need?
• Where can we store this information?
• How can the routers be instructed to store this information?
  • This is the protocol
• How effective is the protocol? This requires probabilistic analysis, information theoretic analysis
• Drawbacks of PPM-related schemes?
  • Requires a large number of packets
  • Not exact science
A Simple Model for Upper Bounding
• Assumptions [to be relaxed later]
  • Packet delivery paths form a tree rooted at the victim v
  • Assume the tree is full-binary, depth = n
  • Each path can be encoded with B1B2…Bn
• Want routers to send the victim the string B1B2…Bn
• Protocol
  • Idea: encode the string into a probability of the victim receiving bit-1 packets
  • What's the most natural way to do this?
  • Prob[packet with bit-1 received] = the binary number represented by B1B2…Bn divided by 2^n, i.e.
  • How do we realize this?
A Simple Protocol
• Each router knows its bit Bi
• With probability ½, it forwards the bit as it is
• With probability ½, it sets the bit to Bi
• If the original bit is 0, then p is as expected
• If the original bit is 1, then p is as expected + 1/2^n
• Need to "fix" this case
• Next time [I'll talk a little bit about information theory]
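Added derivation (not on the slides) of the probability the protocol above produces, assuming the router at depth i from the victim holds bit Bi and the attacker sends the bit with initial value b:

The bit the victim sees is the value written by the router nearest the victim that chose to set it. That router is the one at depth i exactly when it sets (probability ½) and the i-1 routers below it all forward (probability (½)^(i-1)), i.e. with probability (½)^i; no router sets it with probability (½)^n, and then the attacker's b survives. Hence

  Prob[bit-1 received] = B1·(½)^1 + B2·(½)^2 + … + Bn·(½)^n + b·(½)^n
                       = (B1B2…Bn as a binary number)/2^n + b/2^n

which is the target value when b = 0 and the target plus 1/2^n when b = 1, exactly the two cases listed on the slide.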