View
267
Download
5
Embed Size (px)
Citation preview
Introduction to IP Traceback
交通大學 電信系 李程輝 教授
2
Outline
Introduction Ingress Filtering Packet Marking Packet Digesting Summary
3
Introduction
4
Introduction
Internet becomes ubiquitous The impact of network attackers is getting more
and more significant
Two kind of attackers A few well-targeted packets
Ex: Teardrop attack
Denial-of-service (DoS) & distributed DoS (DDoS) Typically conducted by flooding network links with large
amounts of traffics
5
DDoS
(a) Direct DDoS (b) reflector attacker
6
The Difficulty to Catch the Attacker
The anonymous feature of the IP protocol Can’t identify the true source of an IP datagram if th
e source wishes to conceal it Solution : ingress filtering
Somewhere spoofed source address are legal Network address translators (NATs) Mobile IP
7
IP Traceback Problem
IP traceback problem The problem of identifying the source of the
offending packets Source means
Zombie Reflector Spoofed address Ingress point to the traceback-enabled network One or more compromised routers within the enabled
network
8
IP Traceback Problem - Solution
Packet marking To cope with DDoS attacks Router marks packets with it’s identifications Victim can reconstruct the attack path if sufficient
number of packets are collected
Packet digesting For attacks that require only a few packets Require storage of audit trails on the routers Victim ask routers if the offending packet passed
before
9
Evaluation Metrics for IP Traceback Technique (1)
ISP Involvement Number of Attacking Packets Needed for
Traceback The Effect of Partial Deployment Processing Overhead Bandwidth Overhead Memory Requirements Ease of Evasion
10
Evaluation Metrics for IP Traceback Technique (2)
Protection Scalability Number of Functions Needed to Implement Ability to Handle Major DDoS Attacks Ability to Trace Transformed Packets
Network Address Translation (NAT) Tunneling ICMP packet Duplication of a packet in multicast
11
Ingress Filtering
12
Ingress Filtering
Limit source addresses of IP datagrams from a network to addresses belonging to that network
If ingress filtering is not deployed everywhere attackers can still spoof any address on the Internet
13
Why Don’t People Run Ingress Filtering ?
It is easy! It improves security! Why not run it? Some people run it In current routers It is implemented in the slow path in the software
not the hardware It is easy
For the routers close to the edge of the networks where addressing rules are well defined
It becomes complex and inefficientFor transit networks where packets with a different source
address can enter the network in multiple locations
14
Packet Marking
15
Packet Marking
Probabilistic packet marking (PPM) ICMP traceback (iTrace) Deterministic packet marking (DPM)
16
Probabilistic Packet Marking
Routers mark packets that pass through them
Packets for marking are selected with probability p=0.04
17
Router Marking
18
Pros & Cons
Pros High stability Still can work under partial deployment No bandwidth overhead Low network processing overhead (decide which
packet should be marked) Cons
Only for DoS & DDoS attacks Victim requires high memory and high processing
overhead Without authentication mark spoofing may happen
19
Ability to Trace Transformed Packets
Can handle packet modification transformation of the packets directed to the victim
The ID field used for fragmentation is used for the mark If a single fragment of the original datagram is marked The reassembly function would fail at the destinationSolution: select a lower probability of marking for
fragmented packet Tunneling may create a problem for reconstruction
If marks are extracted before the outer header is removed
20
ICMP Traceback (iTrace)
ICMP traceback message (iTrace) Next hop Previous hop Timestamp As many bytes of
the traced packet TTL=255
21
“Intension-Driven” iTrace
Attack[V] =1, victim V is attacked
Intension[V] =1, victim V wants to receive ICMP traceback message
Received[R→V] How many iTrace messages from router R to victim V have bee
n received Generated[R]
The number of iTrace messages generated by router R for all destinations
The value of ICMP packet can be a function of
1)ed[R]1)(GeneratV]R(Received[
V]HopCount[RV]Intention[Attack[V]
22
Architecture
Introduce a new bit – intension bit The intension bit in routing table will set to 1 if one has
intension to receive ICMP packet Decision Module
“Choose” one from routing table prefer the one with the highest value
23
Pros & Cons
The pros and cons of iTrace is similar to that of PPM
Except iTrace has bandwidth overhead ; PPM has no ban
dwidth overhead Without authentication fake ICMP packet may be g
enerated more easily
24
Deterministic Packet Marking
Each packet is marked when it enters the network
Only mark Incoming packets
Mark : address information of this interface
16 bit ID + 1 bit Reserved Flag
25
PPM vs. DPM
Mark spoofing (PPM) Use coding technique (but not 100%) (DPM) Spoofed mark will be overwritten
The received information (PPM) Full path (DPM) Address of the ingress router
26
Method 1 -The Information of Marks
Pad
Ideal hash
27
Method 1- Reconstruction Process area Each area ha
s k segments Each segmen
t has
bits
area
d2
a2
28
Method 1- Performance
M : the number of all routers N : the number of attackers (ingress routers) Use d bits to indicate hash value of router There will be m routers that have the same digest
The expected number of different values the segment will take is
m
aaa
2
1122
d
Mm
2
29
Method 1- Example
M=4096, N=1024, d=10, a=4, s=3 Choose N balls in boxes, each box has m balls (m=
M/ =4) 4 balls w boxes
3 balls x boxes
2 balls y boxes
1 balls z boxes
F(w,x,y,z) : combinations of deterministic w, x, y, z
d2d2
kkkk
zyxwzyxwF
1
4442
4443
4444
444 )
2
11(22)
2
11(22)
2
11(22)
2
11(22),,,(
30
Method 1- Example
P(w,x,y,z) : The probability of deterministic w, x, y, z
A : the number of false address combination
The number of total false positive= A/ =346.57 Each attacker will produce 0.338 false positive
20481024
41
42
43
44 )()()()(
),,,(!!!!
!1024
C
CCCCzyxwP
zyxw
zyxw
]),,,()[,,,( 4
1024
0
3
41024
2
3410242341024
2341024
NzyxwFzyxwPAw
w
x
xw
y
yxw
yxwz
d2
31
Method 2
The 17 useable bits are divided into two parts g-bits mark h-bits mark identifier
For example: g=14, h=3 present the IP address321 aaa
32
Method 2
The false positive rate is The reconstruction process is complex
The requires number of matches
For N=1K The false positive rate= The requires number of matches=
80
7
2
N
)2222( 6673852441032 NNNNNN
)1512(230
1021
33
Method 3
34
Method 3
First stage Need 6 hashes Need matches The false positive rate
For N=1K, The false positive rate=0.25
Second stage Need hashes Need matches The false positive rate is bounded by
For N=1K, The false positive rate is bounded by 0.4883%
N)2223( 35421372 NNNNN
424 2Nr
)221)(1( 242102 NNrN )22)(1( 242102 NNrN
383 2)1( rN
35
Packet Digesting Source Path Isolation Engine
(SPIE)
36
Packet Digesting
Compute digest over The invariant portion of the IP header (16 bytes) The first 8 bytes of the payload (8 bytes) 24 bytes sufficient to differentiate all packets
37
Prefix Length & Collision Probability
A WAN trace from an OC-3 gateway router A LAN trace from an active 100Mb Ethernet segment
38
Bloom Filter (1)
A technique that simply stores the digests
* For each packet arrived
Step-1 Use k different hash function computes k independent n-bits digests
Step-2 Set the corresponding bits in the bits digest tablen2
39
Bloom Filter (2)
If any one of them is zero The packet was not stored in the table
If all the bits are one It is highly likely the packet was stored It is possible that some set of other insertions caused all
the bits to be set Restriction
Can only store a limited number of digests Saturated filters can be swapped out for a new, empty
filter Change to a new filter loss the previous digest
information
40
Architecture (1)
Data Generation Agent (DGA) SPIE Collection and Reduction Agents (SCARs) SPIE Traceback Manager (STM)
41
Architecture (2)
DGA SPIE enhanced router 1. produce packet digest 2. store digests table annotated – time & hash function
SCARs Concentration points for several routers 1. produce local attack graph
42
Architecture (3)
STM Control the whole SPIE system The interface to requesting packet trace 1. verifies the authenticity 2. dispatch the request to the appropriate SCARs 3. gather the resulting attack graphs 4. complete the attack graph 5. replies to the IDS
43
Traceback Processing
IDS determine an exceptional event has occurred
STM cryptographically verifies its authenticity
SCAR poll its DGAs & produce partial attack graph
packet, P ; victim, V ; time of attack, T
P ; V ; T
another SCAR
T’ – the packet enter the regionP’ – the entering packetV’ – the border router between the two network
terminateno yes
44
Graph Construction
Reverse path flooding R8 ; R9 R7 R4 ; S5 ; R5 R3 ; R2
The SCAR don’t need to query DGAs sequentially
45
Ability to Trace Transformed Packets (1)
Transform lookup table (TLT) Record sufficient packet data at the time of
transformation to allow the original packet to be reconstructed
1st field : a digest of the transformed packet
2nd field : the type of transformation (include a flag I)
3rd field : a variable amount of packet data
46
Ability to Trace Transformed Packets (2)
Flag I (indirect flag)(1)For some transformations, such as NAT, the 32bits
data field is not enough.Set I=1, the third field is treated as a pointer
(2)In many case (e.g., tunneling or NAT), packets undergoing a particular transformation are related
It is possible to reduce the storage requirement by suppressing duplicate packet data
Flag I is used for flow caching, or at least identification, so that the packets within the flow can be correlated and stored appropriately.
47
Summary
48
Summary In recent years much interest and consideration have
been paid to the topic of securing the Internet infrastructure
To detect the offending packets IDS (Intrusion Detection System) becomes more and more important
Detecting the offending packets (IDS) find out attackers (IP traceback)
Several methods have been proposed Each has its own advantages and disadvantages None of the methods described in this article has been
used on the Internet When economic or political incentives become strong
enough to justify deployment of IP traceback, some new requirements and metrics for evaluation might emerge
49
References
R. K. C. Chang, “Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial,” IEEE Commun. Mag., Oct. 2002, pp. 42–51.
A. Belenky and N. Ansari, “On IP traceback,” IEEE Communications Magazine, vol. 41, no. 7, July 2003
S. Savage et al., “Network Support for IP Traceback,” IEEE/ACM Trans. Net., vol. 9, no. 3, June 2001, pp. 226–37.
D. X. Song and A. Perrig, “Advanced and Authenticated Marking Schemes for IP Traceback,” Proc. INFOCOM,2001, vol. 2, pp. 878–86.
S. F. Wu et al., “On Design and Evaluation of ‘Intention-Driven’ ICMP Traceback,” Proc. 10th Int’l. Conf. Comp. Commun. and Nets., 2001, pp. 159–65.
A. Belenky and N. Ansari “IP Traceback With Deterministic Packet Marking,” IEEE Communications Letters, Vol.7, NO. 4,April 2003
A. Belenky and N. Ansari “Tracing Multiple Attackers With Deterministic Packet Marking,” IEEE PACRIM’03, August 2003
A. C. Snoeren et al., “Single-Packet IP Traceback,” IEEE/ACM Trans. Net., vol. 10, no. 6, Dec. 2002, pp. 721–34.