iTrace Probability: 1/20,000

For routers closer to the victim, useful iTrace messages will be produced very frequently. But, for routers closer to a slave with a low packet rate, it can take a long time, statistically, for the “right” iTrace messages to be generated.

[Figure: a high-rate attack flow from the slave; a low-rate attack flow from the slave; aggregation of lower-rate flows at routers near the victims]

S. Felix Wu and Dan Massey
Intention-driven iTrace

• Different destination hosts, networks, and domains/ASs have different “intention levels” in receiving iTrace packets.
• Some of them might not care about iTrace, and some of them might not be under DDoS attack, for example.
• We propose to add one “iTrace-intention” bit.
Intention-Driven iTrace architecture (draft-wu-itrace-intention-01.txt)

[Architecture figure. Planes: User (firmware) and Kernel (hardware). Labeled components: BGP routing table with iTrace intention bits, intention selection module, iTrace generation module, packet-forwarding table with iTrace Execution bit, 1/20K iTrace selection. Labeled arrows: iTrace trigger, intention iTrace trigger (P%), copy.]
Processing Overhead

When the 1/20K iTrace message trigger occurs:
1. Select and set one iTrace Intention bit from the BGP table.

Processing for each data packet:
1. If the iTrace Execution bit is 1:
   (1) copy this packet to the iTrace daemon;
   (2) reset the iTrace Execution bit to 0.
Differences from the 00 draft

• Piit, for probabilistically controlling normal versus intention iTrace.
• The difference between iib (iTrace intention bits in the BGP routing table) and ieb (iTrace execution bit in the forwarding table).
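The two slides above (the per-packet processing and the Piit split between normal and intention iTrace) can be exercised with a small simulation. This is an added example written for this page, not code from the draft or its authors; the router sits near a low-rate slave, carries 1000 pkt/s of unrelated traffic and 1 pkt/s of attack traffic toward the victim, and the victim is the only prefix whose iib is set. How the "select one" step picks among intended prefixes, and the rates, are assumptions.

```python
import random
from collections import Counter

P_ITRACE = 1 / 20_000  # per-packet iTrace trigger probability from the draft


class IntentionITraceRouter:
    """Simplified model of the router-side processing on the 'Processing Overhead' slide."""

    def __init__(self, p_iit, intentions, rng):
        self.p_iit = p_iit                     # Piit: share of triggers spent on intention iTrace
        self.iib = dict(intentions)            # iTrace intention bits, keyed by destination prefix
        self.ieb = {d: 0 for d in intentions}  # iTrace execution bits in the forwarding table
        self.rng = rng
        self.traces = Counter()                # (kind, destination) of packets copied to the daemon

    def on_trigger(self, dst):
        """The 1/20K trigger fired while forwarding a packet to dst."""
        wanted = [d for d, bit in self.iib.items() if bit]
        if wanted and self.rng.random() < self.p_iit:
            # Intention iTrace: arm the execution bit of one intended prefix.
            # Uniform choice is an assumption; the slide only says "select one".
            self.ieb[self.rng.choice(wanted)] = 1
        else:
            self.traces[("normal", dst)] += 1  # original iTrace: trace the triggering packet itself

    def forward(self, dst):
        """Per-packet work: one bit test, a copy only when the bit is set, then reset the bit."""
        if self.ieb.get(dst) == 1:
            self.traces[("intention", dst)] += 1
            self.ieb[dst] = 0
        if self.rng.random() < P_ITRACE:
            self.on_trigger(dst)


def run_scenario(p_iit, seconds, seed=1):
    """Constructed traffic mix: 1000 pkt/s background, 1 pkt/s attack flow to the victim."""
    router = IntentionITraceRouter(p_iit, {"victim": True, "other": False}, random.Random(seed))
    for _ in range(seconds):
        for _ in range(1000):
            router.forward("other")
        router.forward("victim")
    return router.traces


if __name__ == "__main__":
    for p_iit in (0.0, 1.0):
        traces = run_scenario(p_iit, seconds=500)
        victim = sum(n for (_, d), n in traces.items() if d == "victim")
        print(f"Piit={p_iit}: {victim} victim traces out of {sum(traces.values())}")
```

With Piit = 0 the model collapses to the original iTrace, so the low-rate attack flow is almost never the packet that gets traced; with Piit = 1 each trigger arms the victim's ieb, and the next attack packet, however rare, is the one copied to the daemon.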
Comments Received

• The confusion of “statistics”.
  • Each packet will have a constant probability to be traced (1/20K).
  • Packet flows with a higher rate will statistically get iTraced faster.
• Maliciously sending “intentions” to grab all the iTrace resources.
  • Using Piit to keep some normal iTrace.
• Hard to add one extra bit to the forwarding table.
  • Looking for ways to implement intention iTrace without modifying the packet forwarding process.
Relationship with “iTrace”

• Add iib, ieb and the mechanism for processing “iTrace triggers”.
• The proposed architecture will be identical to the original iTrace architecture if Piit = 0.
• Need to worry about the “probability element (TAG = 0x0A)” when Piit > 0.
Status

• Simulation results for draft-00 to appear in ICCCN’2001.
• Simulation and prototype implementation (in Linux) for draft-01 in progress.
• Probability analysis (for the probability element, TAG = 0x0A) for intention iTrace just started.