
IP Traceback Concepts, tools, and applications


Presentation Transcript


  1. IP Traceback: Concepts, tools, and applications by Santosh Reddy Vuppala 10/24/07

  2. OUTLINE • Introduction • IP Traceback • Methods of finding the source • Evaluation • Limitations • Conclusion • References

  3. Introduction • A growing number of DoS and DDoS attacks in the past. • Increase by 50% a year. • Not much development in mechanisms that deal with DoS attacks.

  4. Traditional techniques to discover the source of an attack: • Call each ISP and have them test each link • Configure firewalls to block spoofed addresses • Configure routers to drop spoofed addresses

  5. What is IP Traceback? • IP Traceback is a method to find the source of a DoS or DDoS attack. • The problem is complicated by the use of IP spoofing. • One solution is to mark packets with path information as they pass through the routers.

  6. What is IP Traceback? • Identify the machine that directly generates the attack traffic. • Identify the network path the attack traffic follows.

  7. How does IP Traceback help to find the attacker? • A general scheme marks the packets with path information as they pass through the routers • and then reconstructs the attack path from this information.

  8. Methods for finding the source • Basic approaches: ingress filtering, link testing, logging, ICMP traceback • Marking approach • Authenticated marking approach

  9. Ingress filtering: configure routers to block packets that arrive with illegitimate source addresses. • Requires a router with sufficient power to examine the source address of every packet and sufficient knowledge to distinguish legitimate from illegitimate addresses. • Attackers could still forge addresses from the hundreds or thousands of hosts within a valid customer network.

  10. Link testing: start from the router closest to the victim and interactively test its upstream links until the one carrying the attacker's traffic is found. • This technique assumes that the attack remains active until the trace completes. • Two varieties: input debugging and controlled flooding

  11. Input debugging: an input debugging filter is placed on the victim's egress port to find the associated input port. The process is repeated on each upstream router until the source is found. Disadvantages: management overhead; communicating and coordinating with network operators at ISPs is not feasible.

  12. Controlled flooding: tests links by flooding them with large bursts of traffic and observing how this perturbs traffic from the attacker. By observing changes in the rate of packets received from the attacker, the victim can infer which link they arrived from. Advantage: effective at tracing an ongoing attack (it cannot be used "post mortem"). Disadvantage: not suitable in practice, because the victim needs a good topological map of large sections of the Internet.

  13. Controlled flooding

  14. Logging: log packets at key routers and then use data mining techniques to determine the path the packets traversed. Advantage: it can trace an attack long after the attack has completed. Disadvantage: needs enormous resources.

  15. Packet Logging

  16. ICMP Traceback: sample packets with low probability and copy their contents into a special ICMP traceback message.

  17. ICMP Traceback

  18. Marking Algorithms • Mark packets deterministically or probabilistically • Trace attacks using marked packets

  19. Marking Algorithms Assumptions: • Most routers remain uncompromised • Attacker sends many packets • Route from attacker to victim remains relatively stable

  20. Marking Algorithms • marking procedure (by routers): add information to the packet • path reconstruction procedure (by the victim): use the information in marked packets • convergence time: the number of packets needed to reconstruct the attack path

  21. Marking Algorithms • Probabilistic Packet Marking • This scheme is based on the idea that routers mark packets passing through them with their addresses, or part of their addresses. • It is aimed primarily at DoS and DDoS attacks, as it needs many attack packets to reconstruct the full path. • To deploy the scheme, two functions must be implemented: marking and reconstruction.

  22. Methods for finding the source • Probabilistic Marking

  23. Marking Algorithms • Node Append: append each node's address to the end of the packet as it travels through the network from attacker to victim. Disadvantage: the length of the path is not known a priori. (figure: original packet | router list)

  24. Marking Algorithms Node Sampling: attach the router's IP address to the packet with probability p. Inferring the total router order from the distribution of samples is slow. Not robust against multiple attackers. Algorithm (marking procedure at router R):
      for each packet w
          let x be a random number from [0..1)
          if x < p then write R into w.node

  25. Marking Algorithms Edge Sampling • Explicitly encode edges in the attack path rather than individual nodes. Edges are constructed only between participating routers. Algorithm (marking procedure at router R):
      for each packet w
          let x be a random number from [0..1)
          if x < p then
              write R into w.start and 0 into w.distance
          else
              if w.distance = 0 then write R into w.end
              increment w.distance
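A worked simulation of the edge-sampling marking procedure above and of the victim-side reconstruction that slides 20 and 21 describe, added here as an example; it is not code from the slides or from the cited papers. The four-router topology R1..R4 -> V, the probability p = 0.2 and the "FAKE" mark are constructed. It also shows why the distance field matters: a mark pre-filled by the sender is incremented by every router it crosses, so it can only land upstream of R1, never inside the real path.

```python
import random
from dataclasses import dataclass

# Constructed topology (not from the slides): attack traffic enters at R1 and
# crosses R1..R4 before reaching the victim V. P is the marking probability p.
PATH = ["R1", "R2", "R3", "R4"]
VICTIM = "V"
P = 0.2

@dataclass
class Packet:
    start: str = ""      # w.start: router that began the sampled edge
    end: str = ""        # w.end: next router on that edge
    distance: int = 0    # w.distance: hops travelled since the edge was sampled

def mark(router, w, p, rng):
    """Edge-sampling marking procedure at router R, as on slide 25."""
    if rng.random() < p:
        w.start, w.distance = router, 0
    else:
        if w.distance == 0:   # previous hop just started an edge: close it here
            w.end = router
        w.distance += 1       # every router increments, whether it marked or not

def send(n_packets, seed=1, forged=False):
    """Push n packets along PATH; forged=True means the sender pre-fills a mark."""
    rng = random.Random(seed)
    received = [Packet("FAKE", "FAKE", 0) if forged else Packet() for _ in range(n_packets)]
    for w in received:
        for r in PATH:
            mark(r, w, P, rng)
    return received

def reconstruct(packets, victim):
    """Victim side: collect (start, end) edges per distance, chain them outward from V."""
    edges = {}
    for w in packets:
        if w.start:       # unmarked packets carry no edge
            end = victim if w.distance == 0 else w.end   # distance 0: edge ends at V
            edges.setdefault(w.distance, set()).add((w.start, end))
    path, d = [victim], 0
    while d in edges:
        cands = [s for s, e in edges[d] if e == path[-1]]  # edge must join hop d
        if len(cands) != 1:
            break
        path.append(cands[0])
        d += 1
    return path[::-1]   # attacker side first, victim last
```

With 300 packets every edge of the path has been sampled with overwhelming probability; the forged mark shows up only as an extra hop in front of R1.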

  26. Comparison of these approaches

  27. Authenticated Marking Schemes • A compromised router can falsely mark packets • Use an authentication mechanism to verify the markings on a packet • Use the source IP plus a time-based key to generate the encryption

  28. Limitations • In addition to the technical aspects of IP traceback, there are also legal and societal aspects. • Legislation that requires IP traceback may be needed for ISPs to start implementing and deploying the schemes.

  29. Conclusion • None of the methods possesses all the qualities of an ideal scheme. • More work is being done on the IP Traceback problem. • There is a need to identify these attacks and try to stop them.

  30. References • http://www.cs.washington.edu/homes/djw/papers/Ton01.pdf • http://en.wikipedia.org/wiki/IP_traceback • http://www.cc.gatech.edu/~jx/reprints/IEEESP04.pdf • http://www.sm.luth.se/csee/csn/publications/ip_traceback.pdf • http://www.cs.berkeley.edu/~dawnsong/papers/iptrace.pdf

  31. Questions??
