
IP Traceback in Cloud Computing Through Deterministic Flow Marking

This presentation discusses the problem of identifying the source of DoS and DDoS attacks in cloud computing and presents the solution of deterministic flow marking. It explores the limitations and advantages of this approach and compares it with other schemes.


Presentation Transcript


  1. IP Traceback in Cloud Computing Through Deterministic Flow Marking • Presented by Mouiad Abid Hani • Presentation figures are from references given on slide 21.

  2. Introduction • IP traceback problem • The problem of identifying the source of the offending packets (DoS and DDoS attacks) • Source: zombie; reflector; spoofed addresses, etc. • Solution • Rely on the routers (PPM) • Only for DoS • Rely on the ingress routers only (DPM and DFM) for DDoS and DoS • Centralized management (log of packet information) • Large overhead, complex, not scalable

  3. DoS and DDoS Attacks

  4. Why Cloud Computing? • Cloud computing is a traditional distributed environment (TDE). • Cloud computing is vulnerable to any attack targeting TDEs. • DoS and DDoS attacks target TDEs. • DoS and DDoS attacks target the availability of a service. • The cost in cloud computing will be greater.

  5. Deterministic Packet Marking (DPM) • Each packet is marked when it enters the network • Only mark incoming packets • Mark: address information of this interface • 16-bit ID + 1-bit Flag

  6. Coding of a mark • Flag = 0 → address bits 0~15 • Flag = 1 → address bits 16~31 • Randomly setting flag value • How many packets are enough? • n: the number of received packets • The probability of successfully generating the ingress IP address is greater than • 2 packets → 75%; 4 packets → 93.75%; 6 packets → 98.43%; 10 packets → 99.9%

  7. Pros • Simple to implement • Introduces no bandwidth overhead • Practically no processing overhead • Suitable for a variety of attacks [not just (D)DoS] • Backward compatible with equipment which does not implement it • Does not have inherent security flaws • Does not reveal internet topology • No mark spoofing • Scalable

  8. Schematics (figure labels: Pad, Ideal hash)

  9. Reconstruction Area • each area has k segments • Each segment has bits area

  10. DPM Limitations • Cannot handle the fragmentation/reassembly problem • All packets need to be marked • Can trace the attack only to the ingress router • Can handle up to 2058 attack sources • Does not support IPv6 implementation

  11. Deterministic Flow Marking • Based on DPM • Only the first K packets need to be marked • Can trace the attack to the attacker’s node • Can handle up to 64K attack sources • Does not support IPv6 implementation • Cannot handle the subverted router problem

  12. DPM VS. DFM

  13. Identifiers used by DFM

  14. Using the gray fields as marking field in IP header for K=2

  15. DFM Limitations • Cannot handle the fragmentation/reassembly problem • Does not support IPv6 implementation • Uses a 42-byte signature to authenticate the whole flow

  16. The Proposed Solutions • Using the IPv6 header Flow Label field to hold the mark • Using the MD4 algorithm instead of an elliptic curve signature within the packet (not assured till now) • The fragmentation/reassembly problem is not an issue in the IPv6 protocol

  17. Conclusion • DFM is more practical and efficient than DPM • DFM and DPM cannot prevent a DDoS attack but try to trace its source • DFM needs some improvements to be fully applicable to Intrusion Detection Systems

  18. I have questions…

  19. References • Vahid A. F. Nur A. Zincir-Heywood, “IP traceback through (authenticated) deterministic flow marking: an empirical evaluation”, EURASIP Journal on Information Security, Vol. 1, No. 5, pp. 1-24, 2013. • Xiang, Y., W. Zhou and M. Guo, “Flexible deterministic packet marking: An IP traceback system to find the real source of attacks”, IEEE Transactions on Parallel and Distributed Systems, Vol. 20, No. 4, pp. 567-580, 2009. • Vahid A. F. Nur A. Zincir-Heywood, “On Evaluating IP Traceback Schemes: A Practical Perspective”, IEEE Communications, pp. 127-134. • Andrey Belenky and Nirwan Ansari, “IP Traceback with Deterministic Packet Marking”, IEEE Communications Letters, Vol. 7, No. 4, pp. 162-164, 2003. • Andrey Belenky and Nirwan Ansari, “Tracing Multiple Attackers with Deterministic Packet Marking (DPM)”, pp. 49-52, 2003.
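The mark encoding from slides 5 and 6, as an added example that is not part of the original presentation: the ingress side copies one 16-bit half of its interface address into the 16-bit ID and sets the flag to say which half, and the victim rebuilds the address once both halves have arrived. The function names, the sample addresses and the reading of bit 0 as the most significant bit are assumptions.

```python
import ipaddress
import random

def dpm_mark(ingress_ip, flag):
    """Return (id_field, flag): the 16-bit half of the ingress address chosen by flag."""
    addr = int(ipaddress.IPv4Address(ingress_ip))
    # Assumption: bit 0 is the most significant bit (RFC 791 numbering),
    # so flag 0 carries the high half and flag 1 the low half.
    half = (addr >> 16) if flag == 0 else (addr & 0xFFFF)
    return half, flag

def reconstruct(marks):
    """Rebuild the ingress address from received (id_field, flag) marks.

    Returns the dotted address, or None when a half is still missing or
    when more than one value was seen for a half (marks from several
    ingress interfaces cannot be paired with this encoding alone).
    """
    halves = {0: set(), 1: set()}
    for id_field, flag in marks:
        halves[flag].add(id_field & 0xFFFF)
    if len(halves[0]) != 1 or len(halves[1]) != 1:
        return None
    addr = (next(iter(halves[0])) << 16) | next(iter(halves[1]))
    return str(ipaddress.IPv4Address(addr))

def packets_until_traced(ingress_ip, rng, limit=64):
    """Mark packets with a random flag until the victim can rebuild the address."""
    marks = []
    for count in range(1, limit + 1):
        marks.append(dpm_mark(ingress_ip, rng.randrange(2)))
        traced = reconstruct(marks)
        if traced is not None:
            return count, traced
    return None, None

if __name__ == "__main__":
    INGRESS = "203.0.113.7"  # constructed sample address (documentation range)
    print(packets_until_traced(INGRESS, random.Random(1)))
    print(reconstruct([dpm_mark(INGRESS, 0)]))  # only one half seen -> None
    mixed = [dpm_mark(INGRESS, 0), dpm_mark(INGRESS, 1),
             dpm_mark("198.51.100.9", 0)]       # second constructed ingress
    print(reconstruct(mixed))                   # ambiguous halves -> None
```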
