
ecs298k Intention-Driven iTrace lecture #6

Dr. S. Felix Wu, Computer Science Department, University of California, Davis. http://www.cs.ucdavis.edu/~wu/ wu@cs.ucdavis.edu


Presentation Transcript


  1. ecs298k Intention-Driven iTrace, lecture #6
     Dr. S. Felix Wu, Computer Science Department, University of California, Davis
     http://www.cs.ucdavis.edu/~wu/ wu@cs.ucdavis.edu
     ecs289K: Intention Driven iTrace

  2. A Statistic Problem with iTrace
     • Routers closer to the victims have a higher probability of generating iTrace packets toward the true victims.
     • Routers closer to the DDoS slaves might have a relatively small probability (smaller than the routers around the victims) of generating “useful” iTrace packets.

  3. “Usefulness”
     • Let’s think??

  4. Two answers
     • It carries attack packets.
     • It carries attack packets from a router that is very close to the original slaves.

  5. Two measures
     • P(U-iTrace)
       • When an iTrace message is generated, what is the probability that this iTrace message is “useful” (i.e., it carries an attack packet)?
     • P(U-iT-sec)
       • What is the probability that a router generates at least ONE “useful” iTrace message in a second?

  6. Example: Multi-S Single-V
     Diagram: Slave, R1, R2, Victim. Values shown along the path:

     attack-pkt/sec | normal-pkt/sec | P(U-iTrace) | #iTrace/sec | P(U-iT-sec)
     1K             | 19K            | 5%          | 1           | 5%
     200K           | 200K           | 50%         | 20          | 99.999%
     4K             | 196K           | 2%          | 10          | 18%
     980K           | 20K            | 98%         | 50          | 100%

  7. Motivation
     • About (K* 0.005%) of our network resources will be spent on iTrace packets.
     • Then, we hope we can spend the resources on more “useful” iTrace packets.

  8. Three Types of Nodes
     • DDoS victim with the intention to trace the slaves.
     • DDoS victim without the intention.
     • Non-DDoS victims (assuming they do not have the intention as well, and very likely they hope they won’t receive ones).

  9. Intention-driven iTrace
     • Different destination hosts, networks, domains/ASs have different “intention levels” in receiving iTrace packets.
     • We propose to add one “iTrace-intention” bit.
     • Some of them might not care about iTrace, and some of them might not be under DDoS attacks, for example.

  10. A little mathematics...
     Intention for receiving iTrace:

     Flow | Share of traffic | I
     S2V  | 2%               | 1
     S2B  | 48%              | 0
     S2C  | 25%              | 0
     S2D  | 25%              | 1

     V’s probability to receive iTrace packets: 7.41%
     0.02 / (0.02 + 0 + 0 + 0.25) = 0.0741
     $P_{iTrace}(V) = \dfrac{P_{traffic}(V)\, I(V)}{\sum_{n} P_{traffic}(n)\, I(n)}$

  11. Example: Multi-S Two-V
     Diagram: Slave, R1, R2, Victim.
     Traffic: 4K att-v1-pkt/sec, 50K att-v2-pkt/sec, 146K normal-pkt/sec.

     Destination | P(U-iTrace) | #iTrace/sec | P(U-iT-sec) | With I = 1: P(U-iTrace) | With I = 1: P(U-iT-sec)
     Victim-1    | 2%          | 10          | 18%         | 7.4%                    | 53.7%
     Victim-2    | 25%         | 10          | 95%         | 92.6%                   | 100.0%
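
The two measures and the intention-weighted selection probability from the slides above, as an added example that is not part of the original lecture. The closed form 1 - (1 - p)^n for P(U-iT-sec) is an assumption (independent iTrace messages) inferred from the slide figures; the function and dictionary key names are illustrative.

```python
# Added example (not from the slides): the two "usefulness" measures and the
# intention-weighted selection probability, using the slides' packet rates.

PACKETS_PER_ITRACE = 20_000  # slides: one iTrace message per ~20K packets


def p_useful(attack_pps, total_pps):
    """P(U-iTrace): chance one generated iTrace message carries an attack packet."""
    return attack_pps / total_pps


def itrace_per_sec(total_pps):
    """#iTrace/sec for a router forwarding total_pps packets per second."""
    return total_pps / PACKETS_PER_ITRACE


def p_useful_per_sec(p, n):
    """P(U-iT-sec): at least one useful message among n per second.
    Assumption: the n messages are independent, so 1 - (1 - p)^n."""
    return 1 - (1 - p) ** n


def p_itrace_intention(traffic, intention):
    """PiTrace(d) = Ptraffic(d) * I(d) / sum over n of Ptraffic(n) * I(n)."""
    weights = {d: traffic[d] * intention[d] for d in traffic}
    total = sum(weights.values())
    if total == 0:  # no destination wants iTrace: nothing is selected
        return {d: 0.0 for d in traffic}
    return {d: w / total for d, w in weights.items()}


def two_victim_example():
    """Multi-S Two-V slide: 4K att-v1, 50K att-v2, 146K normal pkt/sec."""
    traffic = {"victim1": 4_000, "victim2": 50_000, "normal": 146_000}
    intention = {"victim1": 1, "victim2": 1, "normal": 0}
    total = sum(traffic.values())
    n = itrace_per_sec(total)  # 10 messages per second
    plain = {d: p_useful(traffic[d], total) for d in traffic}
    driven = p_itrace_intention(traffic, intention)
    # (P(U-iTrace), P(U-iT-sec)) without intention, then with intention
    return {d: (plain[d], p_useful_per_sec(plain[d], n),
                driven[d], p_useful_per_sec(driven[d], n))
            for d in ("victim1", "victim2")}


if __name__ == "__main__":
    for dest, row in two_victim_example().items():
        print(dest, ["%.1f%%" % (100 * x) for x in row])
```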

  17. Issues
     • How to determine the intention bit?
       • Policy to set the bit.
     • How to distribute the intention bits to routers globally?
       • Utilize/extend BGP!
     • How to use the intention bits at each router?

  18. How to distribute I(n)?
     • YABE: (Yet Another BGP Extension)
     • For every BGP route update, we include I(n) as a new string in the community attribute:
       • 0x[iTrace-Intention]:0x[0-1] (optional & transitive)
     • These I(n) values will be forwarded or even aggregated by the routers that understand this new community attribute.
       • aggregation: I(new) = max {I(n)}
     • Rate-Limiting on Intention Update:
       • should not be more frequent than Keep-Alive messages.
       • should not trigger any major route computation.

  19. The iTrace Statistics Model
     Diagram labels: Packet buffering; Routing table lookup; Forward process; iTrace Stochastic Process.
     • Should this packet be iTraced?
     • Yes, we should generate an iTrace for this packet?

  20. iTrace Trigger
     Diagram labels: Packet buffering; Routing table lookup; Forward process; iTrace Trigger; iTrace Stochastic Process.
     • Should we generate an iTrace message now?
     • If yes, pick the Nth packet in the buffer….

  21. A simple design
     Diagram labels: iTrace Process; BGP table; I(n); iTrace bit; per ~20K pkts.
     Add two bits to the routing table:
     (1) I(n): Intention Bit Value associated with this entry.
     (2) iTrace bit: whether we need to generate an iTrace message for this entry now.

  22. Handling an iTrace Trigger
     Diagram labels: iTrace Process; BGP table; I(n); iTrace bit.
     • If all I(n)’s are zero, shut off the iTrace trigger process.
     • Set the iTrace bit on all the entries with I(n) = 1.

  23. (1) Before iTrace trigger:

     Prefix         | I(n) | iTrace bit
     152.1.23.0/24  | 1    | 0
     169.20.3.0/24  | 0    | 0
     192.1.0.0/16   | 0    | 0
     207.3.4.183/20 | 1    | 0
     152.1.0.0/16   | 1    | 0
     155.0.0.0/16   | 0    | 0

     (2) After iTrace trigger:

     Prefix         | I(n) | iTrace bit
     152.1.23.0/24  | 1    | 1
     169.20.3.0/24  | 0    | 0
     192.1.0.0/16   | 0    | 0
     207.3.4.183/20 | 1    | 1
     152.1.0.0/16   | 1    | 1
     155.0.0.0/16   | 0    | 0

  24. (3) After iTrace sent:

     Prefix         | I(n) | iTrace bit
     152.1.23.0/24  | 1    | 0
     169.20.3.0/24  | 0    | 0
     192.1.0.0/16   | 0    | 0
     207.3.4.183/20 | 1    | 0
     152.1.0.0/16   | 1    | 0
     155.0.0.0/16   | 0    | 0

  25. Processing Overhead
     When the 1/20K iTrace message trigger occurs:
     1. Set all the iTrace bits on if I(n) = 1.
     Processing for each data packet:
     1. If the iTrace flag bit is 1:
        (1) send an iTrace message for this data packet.
        (2) reset all the iTrace bits to 0.
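
The table handling described in slides 21 to 25, as an added example that is not part of the original lecture: a routing table carrying I(n) and an iTrace bit per entry, the trigger that arms entries with I(n) = 1, and the per-packet check that sends one iTrace message and resets all bits. The class and function names, the linear longest-prefix match, and the counter-based trigger in `simulate` are assumptions made for illustration.

```python
import ipaddress

# Prefixes and I(n) values as listed on the slides; iTrace bits start at 0.
SLIDE_TABLE = [("152.1.23.0/24", 1), ("169.20.3.0/24", 0), ("192.1.0.0/16", 0),
               ("207.3.4.183/20", 1), ("152.1.0.0/16", 1), ("155.0.0.0/16", 0)]


class IntentionTable:
    def __init__(self, entries):
        # strict=False because 207.3.4.183/20 is written with host bits set
        self.rows = [{"net": ipaddress.ip_network(p, strict=False),
                      "intent": i, "itrace": 0} for p, i in entries]

    def bits(self):
        """(I(n), iTrace bit) for every entry, in table order."""
        return [(r["intent"], r["itrace"]) for r in self.rows]

    def trigger(self):
        """iTrace trigger: arm every entry with I(n) = 1; no-op if all are 0."""
        if not any(r["intent"] for r in self.rows):
            return False
        for r in self.rows:
            r["itrace"] = r["intent"]
        return True

    def lookup(self, dst):
        """Longest-prefix match (linear scan, enough for a demonstration)."""
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.rows if addr in r["net"]]
        return max(hits, key=lambda r: r["net"].prefixlen, default=None)

    def forward(self, dst):
        """Per-packet check: True when this packet gets an iTrace message."""
        row = self.lookup(dst)
        if row is None or not row["itrace"]:
            return False
        for r in self.rows:  # reset all iTrace bits after sending
            r["itrace"] = 0
        return True


def simulate(table, dsts, period):
    """Fire the trigger on every period-th packet (assumed counter-based
    stand-in for the 1/20K stochastic process); return iTraced destinations."""
    sent = []
    for count, dst in enumerate(dsts, start=1):
        if count % period == 0:
            table.trigger()
        if table.forward(dst):
            sent.append(dst)
    return sent
```

Packets toward entries with I(n) = 0 never consume an armed trigger, so the single iTrace message per trigger goes to the next packet whose destination asked for it.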

  26. The Aggregation Problem
     Diagram: Slave, R1, R2, Victim.
     Without aggregation:
     • Traffic: 4K att-v1-pkt/sec, 50K att-v2-pkt/sec, 146K normal-pkt/sec.
     • P(U-iTrace) = 2%, #iTrace/sec = 10, P(U-iT-sec) = 18%.
     • With I(Victim-1) = 1: P(U-iTrace) = 7.4% for 4K traffic, P(U-iT-sec) = 53.7%.
     With aggregation:
     • Traffic: 4K att-v1-pkt/sec, 16K agg-v1-pkt/sec, 50K att-v2-pkt/sec, 130K normal-pkt/sec.
     • P(U-iTrace) = 2%, #iTrace/sec = 10, P(U-iT-sec) = 18%.
     • With I(Victim-1) = 1: P(U-iTrace) = 5.7% for 20K traffic, P(U-iT-sec) = 44.4%.

  27. Summary for Intention iTrace
     • Improve the probability of “useful” iTrace.
     • Require some “minor” changes to the router forwarding process.
     • Require another BGP extension.
     • We need to verify that this extension will interoperate well with existing BGP nodes.
     • The amount of generated iTrace messages should be no more than the current iTrace proposal.
