IP Traceback: Concepts, tools, and applications. By Santosh Reddy Vuppala, 10/24/07
OUTLINE • Introduction • IP Traceback • Methods of finding Source • Evaluation • Limitations • Conclusion • References
Introduction • A growing number of DoS and DDoS attacks in recent years. • Increase of 50% a year. • Little development in mechanisms that deal with DoS attacks.
Traditional techniques to discover the source of an attack: • Call each ISP and have them test each link • Configure firewalls to block spoofed addresses • Configure routers to drop spoofed addresses
What is IP Traceback? • IP Traceback is a method to find the source of a DoS or DDoS attack. • The problem is complicated by the use of IP spoofing. • One solution is to mark the packets with path information as they pass through the routers.
What is IP Traceback? • Identify the machine that directly generates the attack traffic. • Identify the network path the attack traffic follows.
How does IP Traceback help to find the attacker? • A general scheme is to mark the packets with path information as they pass through the routers • and then reconstruct the attack path from this information at the victim.
Methods for Finding Source • Basic Approaches: Ingress filtering, Link Testing, Logging, ICMP Traceback • Marking Approach • Authenticated Marking Approach
Ingress filtering: Configure routers to block packets that arrive with illegitimate source addresses. • Requires a router with sufficient power to examine the source address of every packet and sufficient knowledge to distinguish legitimate from illegitimate addresses. • Attackers can still forge addresses from the hundreds or thousands of hosts within a valid customer network.
Link Testing: Start from the router closest to the victim and interactively test its upstream links until the one carrying the attacker's traffic is found. • This technique assumes that the attack remains active until the trace is complete. • Two varieties: input debugging and controlled flooding.
Input debugging: An input debugging filter is placed on the victim's egress port to find the associated input port. The process is repeated on each upstream router until the source is found. Disadvantages: management overhead; communicating and coordinating with network operators at ISPs is not feasible.
Controlled Flooding: Tests links by flooding them with large bursts of traffic and observing how this perturbs traffic from the attacker. By observing changes in the rate of packets received from the attacker, the victim can infer which link they arrived from. Advantage: effective at tracing an ongoing attack (it cannot be used “post mortem”). Disadvantage: not suitable because the victim must have a good topological map of large sections of the Internet.
Logging: Log packets at key routers and then use data-mining techniques to determine the path the packets traversed. Advantage: an attack can be traced long after it has completed. Disadvantage: needs enormous resources.
ICMP Traceback: Sample some of the packets with low probability and copy the contents into a special ICMP traceback message.
Marking Algorithms • Mark packets deterministically or probabilistically • Trace attacks using marked packets
Marking Algorithms Assumptions: • Most routers remain uncompromised • Attacker sends many packets • Route from attacker to victim remains relatively stable
Marking Algorithms • Marking procedure: performed by routers; adds information to the packet. • Path reconstruction procedure: performed by the victim; uses the information in the marked packets. • Convergence time: the number of packets needed to reconstruct the attack path.
Marking Algorithms • Probabilistic Packet Marking • This scheme is based on the idea that routers mark packets that pass through them with their addresses or a part of their addresses • This scheme is aimed primarily at DoS and DDoS attacks as it needs many attack packets to reconstruct the full path. • To deploy the scheme, we need to implement two functions: marking and reconstruction.
Methods for finding Source • Probabilistic Marking
Marking Algorithms • Node Append: Append each node's address to the end of the packet as it travels through the network from attacker to victim. Disadvantage: the length of the path is not known a priori. (Figure: original packet followed by the appended router list.)
Marking Algorithms • Node Sampling: Attach the router's IP address to the packet with probability p. • Inferring the total router order from the distribution of samples is slow. • Not robust against multiple attackers.
Algorithm: Marking procedure at router R:
    for each packet w
        let x be a random number from [0..1)
        if x < p then
            write R into w.node
Marking Algorithms • Edge Sampling: Explicitly encode edges in the attack path rather than individual nodes. Edges are constructed only between participating routers.
Algorithm: Marking procedure at router R:
    for each packet w
        let x be a random number from [0..1)
        if x < p then
            write R into w.start and 0 into w.distance
        else
            if w.distance = 0 then
                write R into w.end
            increment w.distance
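The following is an added example, not part of the slides: it simulates the edge-sampling marking procedure above on a constructed path of routers (R1..R4 to victim V) and the victim's reconstruction of that path from the marked packets, including packets whose start/end/distance fields the attacker pre-filled with fake values. The router names, path and spoofed values are assumptions for illustration.

```python
# Added example (not from the slides): edge-sampling marking at routers and
# path reconstruction at the victim. Router names, the path and the
# attacker's spoofed fields are constructed for illustration.
import random

PATH = ["R1", "R2", "R3", "R4"]  # constructed: attacker -> R1..R4 -> victim V

def mark(w, router, p, rng):
    """Marking procedure at router R, following the slide's pseudocode."""
    if rng.random() < p:
        w["start"], w["distance"] = router, 0
    else:
        if w["distance"] == 0:
            w["end"] = router
        w["distance"] += 1

def send_packets(path, n, p, seed=7):
    """Attacker emits n packets; every router on path runs the marking step."""
    rng = random.Random(seed)
    packets = []
    for _ in range(n):
        # Attacker pre-fills the marking fields to implicate fake routers.
        w = {"start": "FAKE-A", "end": "FAKE-B", "distance": 2}
        for router in path:
            mark(w, router, p, rng)
        packets.append(w)
    return packets

def reconstruct(packets, victim="V"):
    """Reconstruction at the victim: chain edges outward, closest router first."""
    edges = set()
    for w in packets:
        if w["distance"] == 0:
            edges.add((w["start"], victim, 0))
        else:
            edges.add((w["start"], w["end"], w["distance"]))
    path, nxt = [], victim
    for d in range(len(edges)):
        # The edge at distance d must end at the router found for distance d-1;
        # spoofed edges never satisfy this, so they cannot enter the path.
        cands = {s for s, e, dist in edges if dist == d and e == nxt}
        if len(cands) != 1:
            break  # missing or ambiguous: the path is reliable only up to here
        nxt = cands.pop()
        path.append(nxt)
    return path

if __name__ == "__main__":
    print(reconstruct(send_packets(PATH, 1000, 0.5)))  # ['R4', 'R3', 'R2', 'R1']
```

With p = 0.5 and four routers, the farthest router's edge survives in a packet with probability 1/16, so a few hundred packets suffice for the path to converge.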
Authenticated Marking Schemes • A compromised router can falsely mark packets. • Use an authentication mechanism to verify the markings on a packet. • Use the source IP plus a time-based key to generate the encryption.
Limitations • In addition to the technical aspects of IP traceback, there are also legal and societal aspects. • Legislation that requires IP traceback may be needed for ISPs to start implementing and deploying the schemes.
Conclusion • None of the methods possesses all the qualities of an ideal scheme. • More work is being done on the IP Traceback problem. • There is a need to identify these attacks and try to stop them.
References
• http://www.cs.washington.edu/homes/djw/papers/Ton01.pdf
• http://en.wikipedia.org/wiki/IP_traceback
• http://www.cc.gatech.edu/~jx/reprints/IEEESP04.pdf
• http://www.sm.luth.se/csee/csn/publications/ip_traceback.pdf
• http://www.cs.berkeley.edu/~dawnsong/papers/iptrace.pdf