
Adjusted Probabilistic Packet Marking for IP Traceback

Tao Peng, Chris Leckie, Ramamohanarao Kotagiri. Department of Electrical and Electronic Engineering, The University of Melbourne, Victoria 3010, Australia.

Presentation Transcript


  1. Adjusted Probabilistic Packet Marking for IP Traceback
     Tao Peng, Chris Leckie, Ramamohanarao Kotagiri
     Department of Electrical and Electronic Engineering, The University of Melbourne, Victoria 3010, Australia

  2. Outline
     • Introduction to Denial-of-Service (DoS) attacks
     • Previous work and research motivation
     • Our Approach: Adjusted Probabilistic Packet Marking
     • Effectiveness for tracing DoS attacks

  3. Denial-of-Service Attack
     Overwhelming stream of fake requests consumes all resources on a server or network.
     [Figure: Attacker, Normal User, Routers, Server]

  4. Denial-of-Service Attack
     Exploits weakness in TCP/IP protocols
     • Attacker creates large number of half-open TCP connections.
     • Attacker fakes source address field in IP header (IP Spoofing).
     Impact: Complete shutdown of major web sites, such as Yahoo, CNN, Amazon, eBay … (Feb. 2000)

  5. Weakness of TCP/IP protocol
     [Figure: Source X, Victim V, Routers; packet labelled "Y V"]
     Denial of Service Attack has become a major threat to the Internet. How to stop it?

  6. Ingress Filtering [RFC 2827]
     [Figure: Source X, Victim V, Normal User Y]
     • Very effective to stop IP spoofing
     • Requires prolonged period for broad deployment

  7. Probabilistic Packet Marking [Savage 00]
     Probabilistically mark the packets
     [Figure: Source X, Normal User Y, Victim V, Routers R1 to R6; packets labelled "Y V" carrying marks R1 R2 and R2 R3]

  8. Probabilistic Packet Marking (PPM)
     • Routers write their IP address in the IP packet header probabilistically.
     • Victim receives the marked packets and reconstructs the attacking path from them.

  9. Probabilistic Packet Marking
     Router inscribes ( ) onto a packet with probability p
     Attack path reconstruction
     [Figure: X: Source, V: Victim, R1, R2, R3: Routers; other routers shown: R4, R5, R6]

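  10. Example – Probabilistic Packet Marking
     [Figure: a packet from X to V on the path X, R1, R2, R3, V, with the marking fields "edge start", "edge end" and "distance from router" shown at each hop: marked by R1 (distance 0), then either extended to edge R1 R2 (distance 1, then 2) or overwritten by R2 (distance 0, then edge R2 R3 at distance 1)]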
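
The marking and reconstruction steps of slides 8 to 10, as an added Python example that is not from the presentation. It follows the edge-sampling update that slide 10 illustrates (mark with probability p, otherwise complete the edge and increment the distance) and assumes a single attack path and a packet that leaves the source unmarked; all function names are illustrative.

```python
import random

def forward(path, p, rng):
    """Send one packet through `path` (routers listed source -> victim).
    Returns the mark the victim sees as (edge_start, edge_end, distance) or None."""
    mark = None  # modelling assumption: the packet leaves the source unmarked
    for router in path:
        if rng.random() < p:
            mark = (router, None, 0)      # start a new edge, overwriting any old mark
        elif mark is not None:
            start, end, dist = mark
            if dist == 0:
                end = router              # the next router completes the edge
            mark = (start, end, dist + 1)
    return mark

def reconstruct(marks):
    """Chain collected edges by distance. Returns routers nearest-to-victim first,
    stopping at the first missing or inconsistent distance."""
    by_dist = {dist: (start, end) for start, end, dist in marks}
    path, d = [], 0
    while d in by_dist:
        start, end = by_dist[d]
        if d > 0 and end != path[-1]:     # edge must attach to the previous hop
            break
        path.append(start)
        d += 1
    return path

def packets_until_traced(path, p, seed):
    """Count packets the victim needs before the whole path is reconstructed."""
    rng = random.Random(seed)
    marks, sent = set(), 0
    want = list(reversed(path))
    while reconstruct(marks) != want:
        sent += 1
        mark = forward(path, p, rng)
        if mark is not None:
            marks.add(mark)
    return sent, reconstruct(marks)

if __name__ == "__main__":
    # constructed three-router path, as on slide 10
    print(packets_until_traced(["R1", "R2", "R3"], p=0.04, seed=1))
```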

  11. How to store edge information
     1. Additional fields in packet
        • Use the option field in the IP packet header
        • Too much overhead for the router to process the option field
     2. Overwrite IP Identification Field
        • Less than 0.25% of packets are fragmented [Stoica99] [Claffy00]
        • Only 0.25% of traffic is affected if we overwrite the IP identification field

  12. Probabilistic Packet Marking
     Pd: Router d marks the packet with the probability Pd
     Ad: Probability of receiving a marked packet from router d
     [Figure: routers Rd, Rd-1, …, R2, R1 at distances d, d-1, …, 2, 1 from the Victim, along the direction of attack; the probability Ad of receiving a packet marked by Rd]
     Each router marks the packet with a probability of p

  13. Path Reconstruction in PPM
     We need a sample from each router in order to reconstruct the complete path.
     Probability to receive a packet marked by router Rd: Ad =
     Problem: less likely to receive packets marked by more distant routers.
     Note: d is the number of hops between the source and the destination

  14. Coupon Collecting Problem
     If there are n distinct kinds of coupons, each equally likely to be received with any given purchase, what is the expected number of purchases needed to acquire a complete set of coupons?
     The well-known solution is n(1+1/2+1/3+…+1/n) = n (ln n + O(1)), where O(1) is a constant term and can be omitted.

  15. Adjusted Marking Probability
     Ideal Case:
     • Sample from all of the d routers with a probability of 1/d
     • The number of packets needed for reconstruction is d ln(d)

  16. Uniform Marking Probability
     • Conservative Assumption: Sample from all of the d routers with the probability of
     • Then the number of packets required for the victim to reconstruct a path of length d is

  17. PPM Performance
     [Figure: plots of Pd and Ad against d for Uniform Probability and for Adjusted Probability; d = distance to victim from router]
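
The effect of the marking probability on Ad (slides 12 to 17), as an added Python example that is not from the presentation. It computes Ad exactly under the overwrite rule for a uniform p and for an adjusted probability, and simulates the packets needed to hear from every router (router identity only, not full edges). The adjusted rule used here, 1/k for the k-th router from the source, is an assumption chosen because it yields the ideal case Ad = 1/d of slide 15; all function names are illustrative.

```python
from fractions import Fraction
import random

def arrival_probs(mark_probs):
    """mark_probs[k]: marking probability of the (k+1)-th router from the source.
    Returns A for each router: it marks AND no later router overwrites the mark."""
    out = []
    for k, pk in enumerate(mark_probs):
        survive = Fraction(1)
        for later in mark_probs[k + 1:]:
            survive *= 1 - later
        out.append(pk * survive)
    return out

def uniform(d, p):
    """Every one of the d routers marks with the same probability p."""
    return [Fraction(p)] * d

def adjusted(d):
    """Assumption (not on the slides): the k-th router from the source uses 1/k."""
    return [Fraction(1, k) for k in range(1, d + 1)]

def coupon_expectation(d):
    """Slide 14: n(1 + 1/2 + ... + 1/n) purchases for n equally likely coupons."""
    return d * sum(Fraction(1, i) for i in range(1, d + 1))

def packets_to_collect(mark_probs, seed, trials=200):
    """Simulated mean number of packets until every router's mark has arrived."""
    rng = random.Random(seed)
    probs = [float(p) for p in mark_probs]
    total = 0
    for _ in range(trials):
        seen, sent = set(), 0
        while len(seen) < len(probs):
            sent += 1
            last = None                   # index of the last router that marked
            for k, pk in enumerate(probs):
                if rng.random() < pk:
                    last = k
            if last is not None:
                seen.add(last)
        total += sent
    return total / trials

if __name__ == "__main__":
    d, p = 25, Fraction(1, 25)            # p = 0.04, the value quoted on the slides
    print("adjusted A values:", set(arrival_probs(adjusted(d))))
    print("uniform A, farthest router:", float(arrival_probs(uniform(d, p))[0]))
    print("coupon-collector expectation:", float(coupon_expectation(d)))
    print("simulated adjusted:", packets_to_collect(adjusted(d), seed=1))
    print("simulated uniform:", packets_to_collect(uniform(d, p), seed=1))
```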

  18. Adjusted Probabilistic Packet Marking
     How to estimate d?
     [Figure: path S, v1, v2, v3, t with the current router marked and the distances d1, d2, d3 indicated]
     d1: distance from source to current router
     d2: distance from last router to mark packet to current router
     d3: distance from current router to destination

  19. Three Schemes to Adjust the Probability
     Scheme 1: Add extra field in IP option field to record the distance d1: Ideal but need extra field
     Scheme 2: Get d2 from the marking field: Need Authentication
     Scheme 3: Get d3 from the routing table: Most practical Scheme

  20. Evaluation
     • Simulated attacks with different path lengths
     • Simulation topology based on the real traceroute dataset from Lucent Bell Labs
     • Compared with Advanced Marking Scheme in [Song00].

  21. [Figure: Number of Packets Needed for Reconstruction (axis 0 to 1400) against Attack Path Length (axis 0 to 30), with curves for Scheme 1, Scheme 2, Scheme 3 and Uniform Marking Probability (p=0.04)]

  22. Evaluation
     • Both Scheme 1 and 2 outperform optimal Uniform Marking Probability (p=0.04)
     • However, Scheme 1 and 2 require authentication
     • Scheme 3 is more practical (no authentication needed)
     • Scheme 3 reduces packets needed by 25-50%

  23. Conclusion
     • Presented Adjusted Probabilistic Packet Marking (APPM) as an improved technique for IP traceback
     • Demonstrated 3 versions of APPM that all outperform Uniform Probabilistic Packet Marking
     • Scheme 3 reduces packets needed by 25-50% and is not vulnerable to spoofing by the attacker
