Agenda
  • Last time: finished brief overview of buffer-overflow attacks
  • Today: IP Traceback

SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo

What and Why
  • IP Traceback:
    • the operation of tracing the source of an IP packet
  • Why is this important and useful?
    • If done properly, can be used to limit DDoS attacks
    • Post-mortem analysis and investigation of other kinds of network attacks
  • Potential drawback?
    • Can be abused by repressive regimes/organizations
  • Why is it difficult?
    • Potentially resource-intensive; the traceback mechanism is itself a DoS target
    • The Internet is stateless
    • Backward compatibility (think of source routing)
    • The new scheme must not itself be “spoofable”
    • The “true” identity of an attacker may still be unknown (traceback finds the sending host, not who controls it)

Overview of existing approaches
  • Ingress filtering
  • Input debugging
  • Controlled flooding
  • Logging
  • ICMP traceback
  • Probabilistic Packet Marking (PPM)
  • Hash-based [one of your reading assignments]

Ingress filtering
  • Routers block packets that arrive with illegitimate source addresses
    • Requires each interface to be configured with the range of valid source IPs
    • Quite feasible at the customer network edge
  • Drawbacks
    • At a higher-level ISP, traffic load is higher and the “valid” IP range is ambiguous
    • With hundreds or thousands of customers behind one interface, one customer can forge the IP of another without much trouble
    • Not all ISPs do this. Many don’t because of the administrative burden, no economic incentive, and interference with services that require spoofing (e.g. mobile IP)
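Ingress filtering as a per-interface source-prefix check, written as an added example for this page (it is not code from the slides). The interface names and the documentation prefixes 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 are a constructed topology. The aggregate uplink entry shows the drawback in the bullets above: once several customer prefixes sit behind one interface, a customer spoofing a neighbouring customer's address still passes the filter.

```python
import ipaddress

# Constructed topology (assumption, not from the slides): each ingress interface
# is configured with the prefixes it may legitimately source.
INTERFACE_PREFIXES = {
    "cust-A": ["198.51.100.0/24"],
    "cust-B": ["203.0.113.0/24"],
    # Aggregate uplink at a higher-level ISP: only the whole customer block is known.
    "agg-uplink": ["198.51.100.0/24", "203.0.113.0/24", "192.0.2.0/24"],
}

def build_filters(table):
    """Parse the prefix lists once; the per-packet check below only does containment tests."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in table.items()}

def ingress_permits(filters, iface, src):
    """True if a packet with source address `src` may enter on interface `iface`.
    An IPv6 source on an IPv4-only interface is never inside any of its networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in filters[iface])

def filter_packets(filters, packets):
    """packets: iterable of (iface, src). Returns (accepted, dropped) lists."""
    accepted, dropped = [], []
    for iface, src in packets:
        (accepted if ingress_permits(filters, iface, src) else dropped).append((iface, src))
    return accepted, dropped
```

At the customer edge a packet from cust-A claiming a cust-B address is dropped; the same packet arriving on the aggregate uplink is accepted, which is exactly why the filter has to be applied as close to the customer as possible.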

Input debugging
  • Use the “input debugging” feature of routers to do traceback
    • Input debugging lets operators filter particular packets (matching some kind of signature) on an egress port and determine which ingress port they came from
    • Manually: call the upstream router’s operator
    • Automatically: some ISPs have tools to do this
  • Drawbacks:
    • Often too slow
    • Management overhead
    • Coordination with other ISPs is difficult, and very slow

Controlled Flooding
  • Selectively flood a link to observe attack traffic, with the help of some Internet map
  • This does not require intermediate operator intervention
  • Drawbacks
    • This is a form of DoS itself
    • Requires the map, which itself is non-trivial
    • Poorly suited for DDoS
    • Only effective for on-going attacks; cannot be used for post-mortem analysis

ICMP Traceback
  • Every router samples, with low probability (1/20K), one of the packets it is forwarding
  • It copies the packet’s contents into a special ICMP traceback message sent along the path to the destination, containing
    • back link, forward link, authentication, …
  • The destination then uses this info to do traceback
  • Drawbacks
    • ICMP traffic is also differentiated and may be filtered
    • Requires input-debugging which may not be available in some router architecture
    • Requires key distribution architecture to avoid itself being attacked
  • However, this is quite effective

Probabilistic Packet Marking (PPM)
  • Idea proposed by Burch & Cheswick
  • First scheme proposed by Stefan Savage et al
  • We’ll look at this idea in detail

PPM: Assumptions
  • An attacker may generate any packet
  • Multiple attackers may conspire
  • Attackers are aware that they’re being traced
  • Packets may be lost or re-ordered
  • Attackers send numerous packets
  • Route between attacker(s) and receiver is fairly stable
  • Routers are both CPU and memory limited
  • Routers are not widely compromised
  • Compatible with current IP protocol

PPM: Node Append
  • The most basic algorithm
  • Each router appends its IP address to the packet
  • Pros:
    • Robust and quick to converge
  • Cons:
    • High router overhead
    • Interferes with path MTU discovery, IP fragmentation, …

PPM: Node sampling
  • Reserve a 32-bit field in each IP packet
  • Each router overwrites this field with its own IP address with probability p
  • The victim receives multiple packets and uses this database to approximately reconstruct the path. How?
    • The probability of receiving a packet marked by the router d hops away is p(1-p)^{d-1} (it marks, and none of the d-1 closer routers overwrite it); p should be > ½ so that a mark written by the attacker, which survives with probability (1-p)^d, arrives less often than the furthest router’s genuine mark
    • This probability is monotonically decreasing in d, so we can order routers by mark frequency to reconstruct the path from the destination outward
  • Drawbacks
    • Inference is a slow process
    • Requires a sufficient number of received packets, e.g. for d=15, p = 0.51, we need about 42,000 packets before the furthest router is “seen” at the target
    • Not effective against multiple attackers: routers at the same distance from different sources are sampled at the same rate, so their branches cannot be told apart
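A simulation of node sampling, added as an example for this page (not code from the slides or from the PPM papers). Router names and the path length are constructed; the marking rule, the p(1-p)^{d-1} formula and the frequency-ordering reconstruction are the ones described above, and the last helper makes the p > ½ argument concrete by comparing the survival rate of an attacker-written mark against that of the furthest router's mark.

```python
import random
from collections import Counter

def expected_packets_node_sampling(p, d):
    """Expected packets until a mark from the router d hops from the victim arrives:
    it marks with probability p and each of the d-1 closer routers must not overwrite it."""
    return 1.0 / (p * (1 - p) ** (d - 1))

def attacker_mark_rate(p, d):
    """Rate at which a node field pre-written by the attacker survives all d routers.
    It is below the furthest router's genuine rate p(1-p)^(d-1) exactly when p > 1/2."""
    return (1 - p) ** d

def node_sampling_mark(path, p, rng):
    """Forward one packet along `path` (router next to the attacker first).
    Each router overwrites the single node field with probability p.
    Returns what the victim sees (None if no router marked)."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router
    return mark

def reconstruct_by_frequency(marks):
    """Order routers by how often their mark arrived: the router adjacent to the victim
    is most frequent (rate p), then p(1-p), ... so this lists the path victim-outward."""
    counts = Counter(m for m in marks if m is not None)
    return [router for router, _ in counts.most_common()]

def simulate_node_sampling(path, p, n_packets, seed=1):
    """Returns the inferred path in attacker-first order, to compare with `path`."""
    rng = random.Random(seed)   # seeded so the run is reproducible
    marks = [node_sampling_mark(path, p, rng) for _ in range(n_packets)]
    return reconstruct_by_frequency(marks)[::-1]
```

For a constructed 8-router path and p = 0.51 the furthest router is marked in roughly one packet in 290, so a few tens of thousands of packets are needed before the frequency ordering is reliable; with d = 15 the same formula gives the 42,000 figure on the slide. The simulation uses a single path on purpose: with two attackers sharing the near part of the path, the routers at equal distance on the two branches would collect the same counts and the frequency ordering could not say which branch each belongs to.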

PPM: Edge Sampling
  • Idea: sample the “edges” on the paths instead of nodes:
    • Reserve two 32-bit fields in every packet, FROM & TO
    • One more field (8 bits) called HOP
  • Sampling is done as follows. Fix a probability p; for each packet, each router:
    • Chooses x at random in [0, 1)
    • If x < p then writes its IP into packet.FROM and sets packet.HOP := 0
    • Else: if packet.HOP = 0 then writes its IP into packet.TO; then packet.HOP++
  • The victim thus sees an edge (FROM, TO) together with its distance HOP; HOP = 0 means FROM is the router adjacent to the victim

PPM: Edge Sampling (continued)
  • Time to converge is dominated by the time to receive a sample from the furthest router, roughly 1/[p(1-p)^{d-1}] packets
  • Expected number of packets required to reconstruct the whole path is at most ln(d)/[p(1-p)^{d-1}]
    • Choose p = 1/d for the optimal result
    • In practice, choose p = 1/25 (as path lengths are often ≤ 25)
  • Pros
    • Single attacker: any mark written by the attacker arrives with a distance at least the length of the true attack path, since every router on the path increments HOP (and any router that re-marks replaces the forged edge with a genuine one)
    • Multiple attackers: the above applies to the closest attacker
    • Quite robust
  • Cons
    • Not backward compatible (requires 72 extra bits per packet)
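Edge sampling with the full FROM/TO/HOP fields, including the victim's reconstruction and the spoofing argument from the Pros, as an added example for this page (not code from the slides or from the Savage et al. paper). Router names, the path length of 10 and the forged mark are constructed; the marking rule is the one on the previous slide and the reconstruction keeps an edge at distance k only if its TO router was already placed at distance k-1, which is what prunes inconsistent edges.

```python
import math
import random

VICTIM = "victim"

def expected_packets(p, d):
    """Slide bound: at most ln(d) / (p (1-p)^(d-1)) packets to see every edge."""
    return math.log(d) / (p * (1 - p) ** (d - 1))

def edge_sampling_mark(path, p, rng, forged=None):
    """Forward one packet along `path` (router next to the attacker first, router
    next to the victim last) and return the (FROM, TO, HOP) fields the victim sees.
    `forged` is an optional (FROM, TO, HOP) the attacker writes before sending."""
    frm, to, hop = forged if forged is not None else (None, None, 0)
    for router in path:
        if rng.random() < p:
            frm, to, hop = router, None, 0   # start a fresh edge here at distance 0
        else:
            if hop == 0:
                to = router                  # first router after FROM completes the edge
            hop += 1                         # every later router adds one hop
    return frm, to, hop

def reconstruct(samples):
    """Rebuild the path victim-outward. HOP == 0 means FROM is adjacent to the
    victim (TO unset). An edge seen at distance k is kept only if its TO node was
    already placed at distance k-1; forged edges can only satisfy this beyond the
    true path. Returns a list indexed by distance, each entry the routers found there."""
    by_hop = {}
    for frm, to, hop in samples:
        if frm is not None:
            by_hop.setdefault(hop, set()).add((frm, VICTIM if to is None else to))
    placed = {VICTIM: -1}
    levels = []
    for k in range(max(by_hop, default=-1) + 1):
        nodes = sorted({f for f, t in by_hop.get(k, ()) if placed.get(t) == k - 1})
        for f in nodes:
            placed.setdefault(f, k)
        levels.append(nodes)
    return levels

def simulate(path, p, n_packets, seed=7, forged=None):
    rng = random.Random(seed)   # seeded so the run is reproducible
    samples = [edge_sampling_mark(path, p, rng, forged) for _ in range(n_packets)]
    return reconstruct(samples)
```

With p = 1/25 and d = 10 the bound above is about 83 packets; the simulation uses 3,000 so that every edge is seen with overwhelming probability. When the attacker pre-writes a mark claiming to sit next to the victim, the first real router completes the forged edge and the remaining routers push its HOP to 10, so the forged router only ever appears one hop beyond the true attacker, never closer.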

Encoding Issues
  • Compressed edge-fragment sampling: 3 techniques
    • Store only FROM XOR TO: the marking router writes its address into the 32-bit field, and the next-hop router XORs its own address into it (the edge ID)
    • Partition the edge ID into k fragments; the marking router sends one fragment along with its fragment offset, and the next-hop router uses the offset to XOR in the matching fragment of its own address. Over time, all fragments of all edge IDs are received
    • XORing makes edge IDs non-unique, so compute a hash of the IP, interleave it with the actual IP, and then fragment the 64-bit result; the victim verifies a reassembled candidate by recomputing the hash
  • Expected # of packets needed to reconstruct the path is k ln(kd)/[p(1-p)^{d-1}]
  • For instance, if k=8, d=10, p=1/25, then we need about 1300 packets on average
  • In practice: overload the 16-bit identification field in each IP packet with a 3-bit offset (k=8), a 5-bit distance (32 hops) and an 8-bit edge fragment
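All three compression techniques together in the 16-bit identification field layout above, as an added example for this page (not code from the slides or the PPM paper). The router addresses are constructed, the hash (truncated SHA-256) and the bit-interleaving order are assumptions since the slides leave them unspecified, and the original identification field of each packet is drawn at random, so the victim also sees the unmarked packets whose IDs look like edge fragments at distance ≥ d and has to reject them.

```python
import hashlib
import itertools
import ipaddress
import math
import random

def h32(addr):
    """32-bit hash of a 32-bit address (truncated SHA-256; an assumption, the slides
    do not fix the hash function)."""
    return int.from_bytes(hashlib.sha256(addr.to_bytes(4, "big")).digest()[:4], "big")

def interleave(a, hv):
    """64-bit value: address bit i at position 2i, hash bit i at position 2i+1."""
    v = 0
    for i in range(32):
        v |= ((a >> i) & 1) << (2 * i) | ((hv >> i) & 1) << (2 * i + 1)
    return v

def deinterleave(v):
    a = hv = 0
    for i in range(32):
        a |= ((v >> (2 * i)) & 1) << i
        hv |= ((v >> (2 * i + 1)) & 1) << i
    return a, hv

def router_value(addr):
    """What a router contributes to an edge ID: interleave(address, hash(address))."""
    return interleave(addr, h32(addr))

def fragment(v, k):
    """Fragment k (of 8) of a 64-bit value."""
    return (v >> (8 * k)) & 0xFF

def pack_id(offset, distance, frag):
    """Overloaded 16-bit identification field: 3-bit offset | 5-bit distance | 8-bit fragment."""
    return (offset << 13) | (distance << 8) | frag

def unpack_id(ident):
    return ident >> 13, (ident >> 8) & 0x1F, ident & 0xFF

def mark(path_values, p, rng, ident):
    """Forward one packet along path_values (router next to the attacker first).
    `ident` is the packet's original identification field, chosen by the sender."""
    for v in path_values:
        offset, dist, frag = unpack_id(ident)
        if rng.random() < p:
            k = rng.randrange(8)                       # start an edge with a random fragment of mine
            ident = pack_id(k, 0, fragment(v, k))
        else:
            if dist == 0:                              # complete the edge started one hop upstream
                frag ^= fragment(v, offset)
            ident = pack_id(offset, min(dist + 1, 31), frag)   # 5-bit distance saturates
    return ident

def reconstruct(idents, max_combos=4096):
    """Single-path reconstruction at the victim, walking outward from distance 0.
    Per distance: collect the fragments seen at each of the 8 offsets, try their
    combinations, XOR out the router already placed one hop closer, de-interleave,
    and accept the candidate whose hash half equals h32(address). Stops where no
    consistent edge exists (end of the real path) or where the candidate set is too
    large to be anything but leftover identification-field noise."""
    seen = {}
    for ident in idents:
        k, d, f = unpack_id(ident)
        seen.setdefault((d, k), set()).add(f)
    path, prev = [], 0
    for d in range(32):
        cands = [sorted(seen.get((d, k), ())) for k in range(8)]
        combos = math.prod(len(c) for c in cands)
        if combos == 0 or combos > max_combos:
            break
        found = None
        for combo in itertools.product(*cands):
            v = sum(f << (8 * k) for k, f in enumerate(combo)) ^ prev
            addr, hv = deinterleave(v)
            if hv == h32(addr):
                found = (addr, v)
                break
        if found is None:
            break
        path.append(found[0])
        prev = found[1]
    return path

def simulate(path, p, n_packets, seed=3):
    """path: dotted addresses, attacker side first. Returns the reconstructed path
    victim-outward as dotted strings."""
    rng = random.Random(seed)   # seeded so the run is reproducible
    values = [router_value(int(ipaddress.ip_address(a))) for a in path]
    idents = [mark(values, p, rng, rng.randrange(1 << 16)) for _ in range(n_packets)]
    return [str(ipaddress.ip_address(a)) for a in reconstruct(idents)]
```

For the 10-router constructed path and p = 1/25 the slide's estimate is about 1,300 packets; the run below uses 8,000 so every (distance, offset) cell of the real path is filled. Because XOR and the bit interleave are both linear, XORing the value of the router already placed one hop closer turns an edge ID back into a single router's interleave(address, hash), which is what makes the hash check at each distance possible.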

Formalization of the Problem
  • b: number of extra header bits in each packet
  • n: number of bits used to describe a path
  • Investigate the tradeoff between b, convergence time, and total number of packets needed to reconstruct the attack path(s) with high probability

Interesting Results by Micah Adler
  • Single-path attacks:
    • b=1 works! Requires Θ((2+ε)^{2n}) packets, for any ε > 0
    • Showed that, for b=1, Ω(2^n) packets are necessary
    • For general b, Adler gave a protocol that uses O(b n² 2^b (2+ε)^{4n/2^b}) packets, and showed that Ω(2^b · 2^{n/2^b}) packets are necessary
  • Multiple-path attacks, say k paths
    • At least log(2k-1) header bits are needed [regardless of the number of received packets]
    • For a restricted class of attacker strategies, log(2k+1) bits are sufficient

Open Problems
  • Close the upper-lower bound gap when b=1, single path attack
  • For multiple path attacks, there’s still a lot to be done, e.g.
    • Devise protocols that handle all attacker strategies
    • Computational complexity has not been addressed properly

Brainstorming
  • What kind of information does the victim need?
  • Where can we store this information?
  • How can the routers be instructed to store this information?
    • This is the protocol
  • How effective is the protocol? This requires probabilistic analysis, information theoretic analysis
  • Drawbacks of PPM-related schemes?
    • Requires large number of packets
    • Not exact science

A Simple Model for Upper Bounding
  • Assumptions [to be relaxed later]
    • Packet delivery paths form a tree rooted at the victim v
    • Assume the tree is a full binary tree of depth n
    • Each path can then be encoded as a bit string B_1B_2…B_n (one bit per level)
    • We want the routers to send the victim the string B_1B_2…B_n
  • Protocol
    • Idea: encode the string into the probability that the victim receives a packet whose (single) header bit is 1
    • What’s the most natural way to do this?
    • Pr[packet with bit 1 received] = the binary number represented by B_1B_2…B_n divided by 2^n, i.e. Σ_{i=1}^{n} B_i 2^{-i}
    • How do we realize this?

A Simple Protocol
  • Each router knows its bit B_i
  • With probability ½, it forwards the header bit as it is
  • With probability ½, it sets the header bit to B_i
  • If the attacker’s original bit is 0, then the probability of receiving a bit-1 packet is exactly as expected
  • If the original bit is 1, then it is as expected + 1/2^n
    • Need to “fix” this case
    • Next time [I’ll talk a little bit about information theory]
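The one-bit model and the simple protocol from the last two slides, as an added example for this page (not code from the slides or from Adler's paper). The 4-level path and the router ordering (the deepest router, holding B_n, touches the packet first; the router adjacent to the victim, holding B_1, last) are constructed; the closed form follows the protocol as stated and reproduces the +1/2^n bias when the attacker's original bit is 1.

```python
import random

def target_probability(bits):
    """Model: Pr[bit-1 packet] = (B_1 ... B_n)_2 / 2^n = sum_i B_i 2^-i."""
    return int("".join(str(b) for b in bits), 2) / 2 ** len(bits)

def forward_one_packet(bits, x, rng):
    """The attacker injects header bit x. Router n (deepest, holding B_n) acts first and
    router 1 (adjacent to the victim) last; each, with probability 1/2, overwrites the
    bit with its own B_i and otherwise forwards it unchanged."""
    bit = x
    for b in reversed(bits):
        if rng.random() < 0.5:
            bit = b
    return bit

def exact_probability(bits, x):
    """Closed form of the protocol above: sum_i B_i 2^-i + x 2^-n. The attacker's original
    bit x survives all n coin flips with probability 2^-n, which is the bias on the slide."""
    n = len(bits)
    return sum(b / 2 ** (i + 1) for i, b in enumerate(bits)) + x / 2 ** n

def observed_probability(bits, x, n_packets, seed=11):
    """Monte-Carlo estimate of the same probability from n_packets simulated packets."""
    rng = random.Random(seed)   # seeded so the run is reproducible
    return sum(forward_one_packet(bits, x, rng) for _ in range(n_packets)) / n_packets

def decode_path(prob, n):
    """Victim side: scale the estimated probability by 2^n and read off the n bits."""
    val = round(prob * 2 ** n)
    return [(val >> (n - 1 - i)) & 1 for i in range(n)]
```

For the path 1011 the target is 11/16; with original bit 0 the protocol hits it exactly, with original bit 1 the victim measures 12/16 and decodes the wrong path 1100. Note also what the victim has to do: distinguish probabilities that differ by 2^-n, which by the usual variance argument takes on the order of 2^{2n} packets, the exponential cost behind Adler's (2+ε)^{2n} bound.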
