Introduction to IP Traceback
Prof. 李程輝, Department of Communication Engineering, National Chiao Tung University (交通大學 電信系)
Outline
- Introduction
- Ingress Filtering
- Packet Marking
- Packet Digesting
- Summary
Introduction
- The Internet has become ubiquitous, and the impact of network attackers is growing more and more significant
- Two kinds of attacks:
  - A few well-targeted packets (example: the Teardrop attack)
  - Denial-of-service (DoS) and distributed DoS (DDoS), typically conducted by flooding network links with large amounts of traffic
DDoS
- (Figure: (a) direct DDoS; (b) reflector attack)
The Difficulty of Catching the Attacker
- The IP protocol is anonymous: the true source of an IP datagram cannot be identified if the source wishes to conceal it (the source address can be spoofed)
- Solution: ingress filtering
- But in some places spoofed-looking source addresses are legitimate: network address translators (NATs), Mobile IP
IP Traceback Problem
- The IP traceback problem is the problem of identifying the source of the offending packets
- "Source" may mean any of: a zombie; a reflector; a spoofed address; the ingress point to the traceback-enabled network; one or more compromised routers within the enabled network
IP Traceback Problem - Solutions
- Packet marking, to cope with DDoS attacks: routers mark packets with their identification; the victim can reconstruct the attack path once a sufficient number of marked packets has been collected
- Packet digesting, for attacks that require only a few packets: routers must store audit trails (digests of the packets they forward); the victim asks the routers whether the offending packet passed through them
Evaluation Metrics for IP Traceback Techniques
- ISP involvement
- Number of attacking packets needed for traceback
- The effect of partial deployment
- Processing overhead
- Bandwidth overhead
- Memory requirements
- Ease of evasion
- Protection (robustness of the scheme itself against subversion)
- Scalability
- Number of functions needed to implement
- Ability to handle major DDoS attacks
- Ability to trace transformed packets: network address translation (NAT), tunneling, ICMP packets, duplication of a packet in multicast
Ingress Filtering
- Limit the source addresses of IP datagrams leaving a network to addresses belonging to that network
- If ingress filtering is not deployed everywhere, attackers can still spoof any address on the Internet from the networks that do not filter
Why Don't People Run Ingress Filtering?
- It is easy and it improves security, so why not run it? Some people do run it.
- In current routers it is implemented in the slow path, in software rather than in hardware
- It is easy for routers close to the edge of the network, where the addressing rules are well defined
- It becomes complex and inefficient for transit networks, where packets with a given source address can enter the network at multiple locations
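An added example, not code from the slides: the edge check and a routing-table-based reverse-path check in Python, run against a constructed routing table. The reverse-path variant (strict and loose unicast RPF) is a standard way of implementing ingress filtering on a transit router and is not discussed on the slides; the prefixes, interface names and packets are assumptions. It shows why the check is easy at the edge and breaks on a transit router, where a legitimate source can enter through more than one interface.

```python
import ipaddress

# Constructed routing table of a small transit router: prefix -> interface used to reach it.
ROUTES = {
    "203.0.113.0/24": "eth1",   # customer A, normally reached via eth1
    "198.51.100.0/24": "eth2",  # customer B, reached via eth2
    "0.0.0.0/0": "eth0",        # default route towards the upstream
}


def lookup(table, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def edge_ingress_filter(own_prefixes, src):
    """Ingress filtering at the customer edge (RFC 2827 style): a datagram may
    leave the network only if its source address belongs to that network."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in own_prefixes)


def strict_rpf(table, src, in_iface):
    """Strict reverse-path check on a transit router: accept only if the best
    route back to the source leaves through the interface the packet came in on."""
    route = lookup(table, src)
    return route is not None and route[1] == in_iface


def loose_rpf(table, src):
    """Loose reverse-path check: accept if the source is routable at all, not
    counting the default route (with it every address would pass)."""
    route = lookup(table, src)
    return route is not None and route[0].prefixlen > 0


def evaluate(table, packets):
    """packets: (src, in_iface, description) tuples; returns (description, strict, loose)."""
    return [(desc, strict_rpf(table, src, iface), loose_rpf(table, src))
            for src, iface, desc in packets]


# Constructed traffic. The second packet is legitimate but enters through eth2
# because customer A is also reachable that way: the "transit" case of the slide.
PACKETS = [
    ("203.0.113.7", "eth1", "customer A, expected interface"),
    ("203.0.113.7", "eth2", "customer A, asymmetric entry via eth2"),
    ("203.0.113.7", "eth0", "spoofed customer A address from upstream"),
    ("192.0.2.1", "eth0", "source only covered by the default route"),
]

if __name__ == "__main__":
    print(edge_ingress_filter(["203.0.113.0/24"], "203.0.113.7"))
    for row in evaluate(ROUTES, PACKETS):
        print(row)
```

The strict check drops the legitimate packet that enters via eth2, while the loose check accepts the spoofed packet from upstream because 203.0.113.0/24 is routable; with a prefix table alone the transit router cannot get both right, which is the "complex and inefficient" point of the slide. At the edge, where the customer owns exactly one prefix, the membership test is all that is needed.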
Packet Marking
- Probabilistic packet marking (PPM)
- ICMP traceback (iTrace)
- Deterministic packet marking (DPM)
Probabilistic Packet Marking
- Routers mark the packets that pass through them
- Packets to be marked are selected with a small probability, e.g. p = 0.04
Router Marking
- (Figure: a router writing its mark into a passing packet)
Pros & Cons
Pros High stability Still can work under partial deployment No bandwidth overhead Low network processing overhead (decide which
packet should be marked) Cons
Only for DoS & DDoS attacks Victim requires high memory and high processing
overhead Without authentication mark spoofing may happen
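An added example, not code from the slides or from Savage et al.: a Python simulation of edge-sampling PPM (the scheme of Savage et al. in the references), in which a router starts a new edge with probability p and every router increments the distance, and the victim chains the collected edges to rebuild the path. Router names, p = 0.04, the 10-hop path and the attacker's fake mark are assumptions, and the (start, end, distance) fields are kept whole instead of being squeezed into the 16-bit ID field. The last run shows the mark-spoofing con from the slide: an edge pre-filled by the attacker survives and appears as an extra router beyond the true first hop.

```python
import math
import random


class Packet:
    """Only the fields PPM cares about: one edge mark (start, end, distance).
    A real implementation encodes these in the 16-bit IP ID field; here they
    are kept whole to show the algorithm rather than the encoding."""
    def __init__(self, start=None, end=None, distance=None):
        self.start, self.end, self.distance = start, end, distance


def edge_sample(router, pkt, p, rng):
    """Edge sampling: with probability p the router starts a new edge (start =
    itself, distance 0); otherwise it closes a fresh edge (end = itself) and,
    like every router, increments the distance of whatever edge is present."""
    if rng.random() < p:
        pkt.start, pkt.end, pkt.distance = router, None, 0
    elif pkt.distance is not None:
        if pkt.distance == 0:
            pkt.end = router
        pkt.distance += 1


def send(path, n_packets, p, seed, spoof=None):
    """Send n_packets along path (first hop first).  spoof=(start, end, distance)
    pre-fills a fake mark in every packet, as an attacker can do when marks are
    not authenticated."""
    rng = random.Random(seed)
    received = []
    for _ in range(n_packets):
        pkt = Packet(*spoof) if spoof else Packet()
        for router in path:
            edge_sample(router, pkt, p, rng)
        received.append(pkt)
    return received


def reconstruct(received):
    """Chain the collected edges by distance, starting next to the victim (distance 0)."""
    edges = {}
    for pkt in received:
        if pkt.start is not None:
            edges.setdefault(pkt.distance, set()).add((pkt.start, pkt.end))
    path, prev = [], None
    for k in range(len(edges)):
        if k not in edges:
            break
        # keep only edges whose far end is the router already placed one hop closer
        cands = sorted(s for s, e in edges[k] if k == 0 or e == prev)
        if not cands:
            break
        prev = cands[0]          # a single attack path is assumed
        path.append(prev)
    return path[::-1]            # attacker side first


def expected_packets(d, p):
    """Expected number of packets needed to see every one of d routers (Savage et al.)."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


if __name__ == "__main__":
    path = [f"R{i}" for i in range(1, 11)]
    honest = send(path, 5000, 0.04, seed=0)
    print(reconstruct(honest))
    spoofed = send(path, 200, 0.04, seed=1, spoof=("X", None, 0))
    print(reconstruct(honest + spoofed))       # fake router X appears beyond R1
    print(round(expected_packets(10, 0.04), 1))
```

The fake edge cannot be placed inside the true path, because every real router increments its distance, but the victim has no way to tell that "X" is not a real router upstream of R1; that is why the slides list mark authentication as a requirement.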
Ability to Trace Transformed Packets
- PPM can handle packet modification: transformation of the packets directed to the victim
- The IP ID field used for fragmentation is reused for the mark; if a single fragment of the original datagram is marked, its ID no longer matches the other fragments and reassembly fails at the destination. Solution: select a lower marking probability for fragmented packets.
- Tunneling may create a problem for reconstruction if the marks are extracted before the outer header is removed
ICMP Traceback (iTrace)
- A router occasionally sends an ICMP traceback message (iTrace) towards the destination of a forwarded packet, containing: the next hop, the previous hop, a timestamp, and as many bytes of the traced packet as possible; the message is sent with TTL = 255
"Intention-Driven" iTrace
- Attack[V] = 1: victim V is under attack
- Intention[V] = 1: victim V wants to receive ICMP traceback messages
- Received[R→V]: how many iTrace messages from router R to victim V have been received
- Generated[R]: the number of iTrace messages generated by router R for all destinations
- The value of an ICMP traceback packet from R to V can be a function of these quantities:
$$\text{value}(R \to V) = f\big(\text{Attack}[V],\ \text{Intention}[V],\ \text{HopCount}[R \to V],\ \text{Received}[R \to V] + 1,\ \text{Generated}[R] + 1\big)$$
Architecture
- A new bit is introduced in the routing table: the intention bit, set to 1 for a destination that has signalled its intention to receive ICMP traceback packets
- Decision module: chooses one entry from the routing table as the destination of the next iTrace message, preferring the entry with the highest value
Pros & Cons
- The pros and cons of iTrace are similar to those of PPM, except that iTrace has bandwidth overhead (the extra ICMP messages) whereas PPM has none
- Without authentication, fake ICMP traceback messages can be generated even more easily than fake marks
Deterministic Packet Marking
- Each packet is marked when it enters the network: only incoming packets are marked, at the ingress interface
- Mark: the address information of that ingress interface
- Mark space: the 16-bit ID field plus the 1-bit reserved flag (17 bits)
PPM vs. DPM
- Mark spoofing: PPM has to rely on coding techniques to detect spoofed marks (not 100% reliable); in DPM a spoofed mark is simply overwritten at the ingress router
- Information received by the victim: PPM yields the full path; DPM yields only the address of the ingress router
Method 1 - The Information in the Marks
- The 17 mark bits carry three fields: a d-bit digest of the ingress address (an ideal hash computed over the padded address), an s-bit segment index, and an a-bit segment of the address
- (Figure: the address is padded and hashed to obtain the digest)

Method 1 - Reconstruction Process
- The victim keeps one area per digest value (2^d areas)
- Each area has k segments (k = 2^s, with k · a = 32 for a 32-bit address); each segment records the a-bit values (out of 2^a possible) seen for that position
- (Figure: layout of the reconstruction table)
Method 1 - Performance
- M: the number of all routers; N: the number of attackers (ingress routers)
- d bits indicate the hash value (digest) of a router's address, so there are m routers that share the same digest:
$$m = \frac{M}{2^d}$$
- The expected number of different values a segment will take (among the m routers with the same digest) is
$$2^a \left[ 1 - \left( 1 - \frac{1}{2^a} \right)^{m} \right]$$
29
Method 1- Example
M=4096, N=1024, d=10, a=4, s=3 Choose N balls in boxes, each box has m balls (m=
M/ =4) 4 balls w boxes
3 balls x boxes
2 balls y boxes
1 balls z boxes
F(w,x,y,z) : combinations of deterministic w, x, y, z
d2d2
kkkk
zyxwzyxwF
1
4442
4443
4444
444 )
2
11(22)
2
11(22)
2
11(22)
2
11(22),,,(
Method 1 - Example (continued)
- P(w, x, y, z): the probability of a given w, x, y, z (the choice of which boxes get 4, 3, 2 or 1 balls, times the ways of choosing the balls inside each box, over all ways of choosing N of the M routers):
$$P(w,x,y,z) = \frac{2^d!}{w!\,x!\,y!\,z!\,(2^d - w - x - y - z)!}\;\frac{(C_4^4)^{w}\,(C_4^3)^{x}\,(C_4^2)^{y}\,(C_4^1)^{z}}{C_M^N}$$
- A: the expected number of false address combinations
$$A = \sum_{w=0}^{\lfloor N/4 \rfloor}\ \sum_{x=0}^{\lfloor (N-4w)/3 \rfloor}\ \sum_{y=0}^{\lfloor (N-4w-3x)/2 \rfloor} P(w,x,y,z)\,\big[F(w,x,y,z) - N\big], \qquad z = N - 4w - 3x - 2y$$
- Total number of false positives for this example: A = 346.57, i.e. each attacker produces 0.338 false positives on average (346.57 / 1024)
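An added example, not code from the slides or from Belenky and Ansari: a Python model of DPM marking at the ingress router and reconstruction at the victim, parameterised by the three fields described for Method 1, so that d = 0, s = 1, a = 16 gives the basic DPM scheme (one 16-bit half of the address per packet, selected by the flag bit) and d = 10, s = 3, a = 4 gives Method 1. The mark layout, the use of a truncated SHA-256 as the "ideal hash", the addresses and packet counts are assumptions. It shows the ingress router overwriting whatever mark the sender supplied, the ambiguity (false positives) that arises when two attackers share a digest, and an extra check, not on the slides, that discards combinations whose digest does not match the area.

```python
import hashlib
import random
from collections import defaultdict
from itertools import product


def ip_to_int(s):
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> sh) & 0xFF) for sh in (24, 16, 8, 0))


class DPMScheme:
    """Assumed mark layout: [d-bit digest | s-bit segment index | a-bit segment].
    d=0,s=1,a=16 is the basic scheme; d=10,s=3,a=4 is Method 1."""
    def __init__(self, d, s, a):
        if d + s + a != 17 or (1 << s) * a != 32:
            raise ValueError("17 mark bits, and the segments must cover a 32-bit address")
        self.d, self.s, self.a = d, s, a
        self.k = 1 << s                       # segments per address

    def digest(self, addr):
        """d-bit 'ideal hash' of the padded address (truncated SHA-256, a stand-in)."""
        if self.d == 0:
            return 0
        h = hashlib.sha256(addr.to_bytes(4, "big") + b"\x00" * 60).digest()
        return int.from_bytes(h[:4], "big") & ((1 << self.d) - 1)

    def mark(self, ingress_addr, rng, incoming_mark=None):
        """Run by the ingress router on every incoming packet.  The mark the
        sender wrote (incoming_mark) is discarded, so spoofed marks never survive."""
        del incoming_mark
        idx = rng.randrange(self.k)
        seg = (ingress_addr >> (32 - self.a * (idx + 1))) & ((1 << self.a) - 1)
        return (self.digest(ingress_addr) << (self.s + self.a)) | (idx << self.a) | seg

    def unpack(self, mark):
        seg = mark & ((1 << self.a) - 1)
        idx = (mark >> self.a) & (self.k - 1)
        return mark >> (self.s + self.a), idx, seg


class Victim:
    def __init__(self, scheme):
        self.scheme = scheme
        # one area per digest value; each area has k segment sets
        self.areas = defaultdict(lambda: [set() for _ in range(scheme.k)])

    def collect(self, mark):
        digest, idx, seg = self.scheme.unpack(mark)
        self.areas[digest][idx].add(seg)

    def reconstruct(self, verify_digest=False):
        """All addresses assembled from complete areas (true ones plus false positives).
        verify_digest is an added filter: drop combinations that hash to another area."""
        found = set()
        for digest, segs in self.areas.items():
            if any(not s for s in segs):
                continue                       # not every segment seen yet
            for combo in product(*segs):
                addr = 0
                for seg in combo:
                    addr = (addr << self.scheme.a) | seg
                if verify_digest and self.scheme.digest(addr) != digest:
                    continue
                found.add(addr)
        return found


def run_attack(scheme, attackers, packets_per_attacker=200, seed=1):
    rng = random.Random(seed)
    victim = Victim(scheme)
    for addr in attackers:
        for _ in range(packets_per_attacker):
            victim.collect(scheme.mark(ip_to_int(addr), rng, incoming_mark=0xBEEF))
    return victim


def find_digest_collision(scheme, base, seed):
    """A different address with the same d-bit digest as base (about 2^d tries)."""
    rng = random.Random(seed)
    target = scheme.digest(ip_to_int(base))
    while True:
        cand = rng.randrange(1 << 32)
        if cand != ip_to_int(base) and scheme.digest(cand) == target:
            return int_to_ip(cand)


if __name__ == "__main__":
    basic = DPMScheme(0, 1, 16)
    print(sorted(map(int_to_ip, run_attack(basic, ["203.0.113.7", "198.51.100.9"]).reconstruct())))
    m1 = DPMScheme(10, 3, 4)
    twin = find_digest_collision(m1, "203.0.113.7", seed=7)
    v = run_attack(m1, ["203.0.113.7", twin])
    print(len(v.reconstruct()) - 2, "false positives;", len(v.reconstruct(True)) - 2, "with digest check")
```

With the basic scheme two attackers already yield four candidate addresses, since the victim cannot tell which first half belongs with which second half; Method 1 separates attackers by digest, and only a digest collision brings the ambiguity back, which is what the combinatorial analysis above counts.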
Method 2
- The 17 usable bits are divided into two parts: a g-bit mark and an h-bit mark identifier
- For example g = 14, h = 3, with the IP address represented by three parts a_1, a_2, a_3
- The false positive rate is
$$\frac{N^7}{2^{80}}$$
- The reconstruction process is complex, and the required number of matches grows polynomially with N
- For N = 1K the false positive rate is 2^{-10}
Method 3
- First stage: needs 6 hashes; the required number of matches and the false positive rate r are functions of N, with
$$r = \frac{N^4}{2^{42}}$$
  For N = 1K the first-stage false positive rate is r = 0.25
- Second stage: needs further hashes and matches; its false positive rate is bounded by a function of N and r; for N = 1K the bound is 0.4883%
Packet Digesting: Source Path Isolation Engine (SPIE)
- Compute a digest over the invariant portion of the IP header (16 bytes: the header without the fields that change hop by hop, such as TTL and checksum) and the first 8 bytes of the payload
- These 24 bytes are sufficient to differentiate almost all packets
Prefix Length & Collision Probability
- (Figure: digest collision probability as a function of the number of packet prefix bytes digested, measured on a WAN trace from an OC-3 gateway router and on a LAN trace from an active 100 Mb Ethernet segment)
Bloom Filter (1)
- A space-efficient structure that stores the digests
- For each packet that arrives: Step 1: use k different hash functions to compute k independent n-bit digests; Step 2: set the corresponding k bits in a 2^n-bit digest table
Bloom Filter (2)
- Query: recompute the k bits for the packet. If any one of them is zero, the packet was not stored in the table. If all the bits are one, it is highly likely that the packet was stored, but it is possible that some set of other insertions caused all those bits to be set (a false positive)
- Restriction: a filter can only store a limited number of digests; saturated filters are swapped out for a new, empty filter, and the new filter contains none of the previous digest information (old filters have to be kept if they are still to be queried)
Architecture
- Data Generation Agent (DGA): a SPIE-enhanced router; it produces the packet digests and stores them in digest tables annotated with the time and the hash functions used
- SPIE Collection and Reduction Agents (SCARs): concentration points for several routers; each produces a local attack graph from the tables of its DGAs
- SPIE Traceback Manager (STM): controls the whole SPIE system and is the interface for packet trace requests: 1. verifies the authenticity of a request, 2. dispatches the request to the appropriate SCARs, 3. gathers the resulting attack graphs, 4. completes the attack graph, 5. replies to the IDS
Traceback Processing
- The IDS determines that an exceptional event has occurred and requests a trace of packet P, sent to victim V at time of attack T
- The STM cryptographically verifies the authenticity of the request
- The SCAR polls its DGAs and produces a partial attack graph for (P, V, T)
- If the packet entered the SCAR's region from another region, the query continues at the neighbouring SCAR with P' (the packet as it entered the region), V' (the border router between the two networks) and T' (the time the packet entered the region); otherwise the trace terminates
Graph Construction
- Reverse path flooding: starting at the router closest to the victim, query the neighbours of every router that saw the packet and keep those whose digest tables contain it
- (Figure: reverse path flooding over routers R2, R3, R4, R5, S5, R7, R8, R9)
- The SCAR does not need to query its DGAs sequentially
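An added example, not the SPIE code of Snoeren et al.: a Python model of the packet digesting and the reverse-path-flooding query on a constructed five-router topology. It builds real IPv4 headers, digests the 16 invariant header bytes plus 8 payload bytes (so the digest survives TTL decrement and checksum recomputation at each hop), stores the digests in a per-router Bloom filter with k hashes over a 2^n-bit table, and then lets the victim's SCAR flood backwards from the last-hop router. The topology, addresses, payloads and the use of slices of one SHA-256 output as the k hash functions are assumptions.

```python
import hashlib
import struct
from collections import deque


def checksum(hdr):
    """IPv4 header checksum of a 20-byte header whose checksum field is zero."""
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_packet(src, dst, ttl, payload, ident=0x1234, proto=17):
    """Minimal IPv4 datagram: 20-byte header without options, then the payload."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def forward(pkt):
    """The packet as the next router sees it: TTL decremented, checksum recomputed."""
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def spie_input(pkt):
    """The 24 bytes SPIE digests: header minus TOS, TTL and checksum (16 bytes)
    plus the first 8 payload bytes (zero-padded)."""
    hdr = pkt[:20]
    invariant = hdr[0:1] + hdr[2:8] + hdr[9:10] + hdr[12:20]
    return invariant + pkt[20:28].ljust(8, b"\x00")


class BloomFilter:
    def __init__(self, n=16, k=3):
        self.n, self.k = n, k
        self.bits = bytearray(1 << (n - 3))          # 2^n bits

    def _indices(self, data):
        # k n-bit digests taken as disjoint slices of one SHA-256 (stand-in for
        # SPIE's family of independent hash functions; k <= 8 here)
        h = hashlib.sha256(data).digest()
        return [int.from_bytes(h[4 * i:4 * i + 4], "big") & ((1 << self.n) - 1)
                for i in range(self.k)]

    def insert(self, data):
        for i in self._indices(data):
            self.bits[i >> 3] |= 1 << (i & 7)

    def __contains__(self, data):
        return all((self.bits[i >> 3] >> (i & 7)) & 1 for i in self._indices(data))


class Router:
    def __init__(self, name):
        self.name, self.dga, self.neighbours = name, BloomFilter(), set()


def link(a, b):
    a.neighbours.add(b)
    b.neighbours.add(a)


def transmit(pkt, path):
    """Forward pkt through the routers in path; every DGA records the digest it sees."""
    for router in path:
        router.dga.insert(spie_input(pkt))
        pkt = forward(pkt)
    return pkt                                  # what the victim receives


def traceback(pkt, last_hop):
    """Reverse path flooding from the victim's router over DGAs that saw the packet."""
    key = spie_input(pkt)
    if key not in last_hop.dga:
        return []
    seen, order, queue = {last_hop}, [last_hop.name], deque([last_hop])
    while queue:
        router = queue.popleft()
        for nb in router.neighbours:
            if nb not in seen and key in nb.dga:
                seen.add(nb)
                order.append(nb.name)
                queue.append(nb)
    return order


def build_and_trace():
    """Constructed topology: attacker -> R1 -> R2 -> R4 -> victim; R3 and R5 are other neighbours."""
    r = {n: Router(n) for n in ("R1", "R2", "R3", "R4", "R5")}
    for a, b in (("R1", "R2"), ("R2", "R3"), ("R2", "R4"), ("R3", "R4"), ("R4", "R5")):
        link(r[a], r[b])
    attack = ipv4_packet("203.0.113.7", "192.0.2.10", 64, b"\x13\x37" + b"A" * 30)
    background = ipv4_packet("198.51.100.9", "192.0.2.10", 64, b"hello world")
    at_victim = transmit(attack, [r["R1"], r["R2"], r["R4"]])
    transmit(background, [r["R3"], r["R4"]])
    return {
        "path": traceback(at_victim, r["R4"]),                      # ['R4', 'R2', 'R1']
        "digest_invariant": spie_input(attack) == spie_input(at_victim),
        "background_at_r1": spie_input(background) in r["R1"].dga,
    }


if __name__ == "__main__":
    print(build_and_trace())
```

The query only needs the packet as the victim received it, because the fields that changed on the way (TTL, checksum) are masked out of the digest; a router that never forwarded the packet answers "no" with certainty, while a "yes" can be a Bloom-filter false positive, which is why SPIE keeps the table large relative to the number of packets stored per time window.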
Ability to Trace Transformed Packets (1)
- Transform lookup table (TLT): records sufficient packet data at the time of a transformation to allow the original packet to be reconstructed
- 1st field: a digest of the transformed packet
- 2nd field: the type of transformation (including a flag I)
- 3rd field: a variable amount of packet data
Ability to Trace Transformed Packets (2)
- Flag I (indirect flag): (1) for some transformations, such as NAT, the 32-bit data field is not enough; with I = 1 the third field is treated as a pointer to the full packet data. (2) In many cases (e.g. tunneling or NAT) the packets undergoing a particular transformation are related, so the storage requirement can be reduced by suppressing duplicate packet data
- Flag I is therefore also used for flow caching, or at least flow identification, so that the packets within a flow can be correlated and stored appropriately
Summary
- In recent years much interest and effort have been devoted to securing the Internet infrastructure
- Detecting the offending packets is the job of the IDS (intrusion detection system), which is becoming more and more important; finding the attackers behind them is the job of IP traceback
- Several methods have been proposed, each with its own advantages and disadvantages; none of the methods described here has been used on the Internet
- When economic or political incentives become strong enough to justify deployment of IP traceback, new requirements and evaluation metrics might emerge
References
- R. K. C. Chang, "Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial," IEEE Commun. Mag., Oct. 2002, pp. 42–51.
- A. Belenky and N. Ansari, "On IP Traceback," IEEE Commun. Mag., vol. 41, no. 7, July 2003.
- S. Savage et al., "Network Support for IP Traceback," IEEE/ACM Trans. Net., vol. 9, no. 3, June 2001, pp. 226–237.
- D. X. Song and A. Perrig, "Advanced and Authenticated Marking Schemes for IP Traceback," Proc. IEEE INFOCOM 2001, vol. 2, pp. 878–886.
- S. F. Wu et al., "On Design and Evaluation of 'Intention-Driven' ICMP Traceback," Proc. 10th Int'l Conf. Comp. Commun. and Nets. (ICCCN), 2001, pp. 159–165.
- A. Belenky and N. Ansari, "IP Traceback with Deterministic Packet Marking," IEEE Commun. Lett., vol. 7, no. 4, Apr. 2003.
- A. Belenky and N. Ansari, "Tracing Multiple Attackers with Deterministic Packet Marking," Proc. IEEE PACRIM '03, Aug. 2003.
- A. C. Snoeren et al., "Single-Packet IP Traceback," IEEE/ACM Trans. Net., vol. 10, no. 6, Dec. 2002, pp. 721–734.