1 / 19

Practical Network Support for IP Traceback

This presentation discusses practical methods for IP traceback in the context of DoS attacks. It explores various traceback schemes, including Record.Route, Input Debugging, Controlled Flooding, Logging, ICMP Traceback, and Probabilistic Packet Marking.

Download Presentation

Practical Network Support for IP Traceback

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Practical Network Support for IP Traceback Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson Department of Computer Science and Engineering University of Washington Seattle, WA, USA Presentation by David Allen Adapted from: pg 44-62 of http://www.thefengs.com/wuchang/work/courses/cs576_spring2005/summaries/18.ppt

  2. Motivation • DoS attacks • Hard to address. • Simple to implement. • Difficult to prevent. • Difficult to trace. • Difficult to get help from upstream ISP. • IP spoofing • TCP/IP protocol allows spoofed IP addresses. • Attacks can be anonymous and indirect.

  3. Problem • Goal • Determine path from packets • Assumptions • an attacker may generate any packet • multiple attackers may conspire • attackers may be aware they are being traced • packets may be lost or reordered • attackers send numerous packets • the route between attacker and victim is fairly stable • routers are both CPU and memory limited • routers are not widely compromised

  4. Traceback Schemes • Record Route • Input Debugging • Controlled Flooding • Logging • ICMP Traceback • Probabilistic Packet Marking

  5. Traceback: Record Route • Record Path • Each router adds IP address to packet. • Victim reads path from packet. • Problems • Requires space in packet. • Unknown path size. • Modifying all packets in transit is infeasible.

  6. Traceback: Input Debugging • Input Debugging • Many routers can filter egress port packets and determine ingress port. • Problems • Slow process to communicate packet signature for filter to upstream providers. • Difficult to get ISP cooperation. • Only works while attack is active.

  7. Traceback: Controlled Flooding • Controlled Flooding • With a “map” of Internet topology. • Iteratively flood upstream links. • Observing changes in rates of attack packets reveals route. • Problems • Form of a DoS attack itself. • Must have good map. • Noisy results. • Only works while attack is active.

  8. Traceback: Logging • Logging • Log packets at key routers. • Use data mining techniques to determine path. • Problems • Enormous resource requirements. • Large-scale inter-provider database integration.

  9. Traceback: ICMP Traceback • ICMP Traceback • Routers periodically issue traceback ICMP messages to destination. • Sample with low probability: 1/20,000. • Messages contains information about adjacent routers. • Problems • Attacker can spoof messages. • Requires some signature and trust management. • Difficult to use if only some routers participate.

  10. Traceback: Probabilistic Packet Marking • Probabilistic Packet Marking • Probabilistically store router address in packet using an IP header field (IP identifier). • Fixed space regardless of path length. • Router distance inferred from frequency of frequency of marked packets. • Problems • IP identifier • Breaks reconstruction of fragmented packets. • < 0.25% of traffic fragmented • Probability must > 0.5 to be robust against attacker. • Large probability decreases chance of seeing packets marked by far routers.

  11. Probabilistic Packet Marking: Edge sampling • Edge sampling • Two addresses: Start and End • Distance: Number of hops since edge stored. • Procedure • with probability p • write address into Start • write 0 into Distance • otherwise • if Distance is 0, write address into End • increment Distance

  12. Probabilistic Packet Marking: Edge sampling • Edge sampling • Easy for victim to reconstruct path to attacker. • Probably can be much less than for simple marking. • Optimal is p <= 1/d. • Effective for multiple attackers. • Number of required packets grows linearly. • Problems • Impossible to trust route further away than the closest attacker. • Require additional space in IP packet header. • 2x 32 bit addresses, 8 bit distance.

  13. Edge sampling: Reduce Space Requirement - XOR • XOR two addresses for each edge together.

  14. Edge sampling: Reduce Space Requirement - Subdivide • Break XORed addresses into k fragments. • Store only 1 fragment in packet with offset value.

  15. Edge sampling: Reduce Space Requirement - Hash • Multiple attackers may produce non-unique edges with same distance. • Add error detection: • Interleave IP with hash of itself.

  16. Edge sampling: Reduce Space Requirement - Hash

  17. Edge sampling: Reduce Space Requirement - Storage • Final size: 16 bits

  18. Edge sampling: Path Reconstruction

  19. Edge sampling: Final • Problems: • Path reconstruction does not scale well against distributed attacks. • Compatibility problems with IPsec. • Only traces attack, does nothing to stop it.

More Related