IP Traceback With Deterministic Packet Marking
Andrey Belenky and Nirwan Ansari
IEEE Communications Letters, Vol. 7, No. 4, April 2003
林怡彣
Introduction
IP traceback problem
- The problem of identifying the source of the offending packets
- The apparent source may be a zombie, a reflector, or a spoofed address ...
Solutions so far
- Rely on the routers (PPM; ICMP traceback): only for DoS
- Centralized management (logs of packet information): large overhead, complex, not scalable
Deterministic Packet Marking
- Each packet is marked when it enters the network
- Only incoming packets are marked
- Mark: address information of the ingress interface, carried as a 16-bit ID + 1-bit flag
PPM vs DPM
- PPM treats routers as atomic units: the mark carries the IP address of a router
- DPM marks with the IP address of one of the router's interfaces: packets traveling in different directions through the same router are considered different
- Mark spoofing
  - PPM: coding techniques are used against it (but not 100% effective)
  - DPM: a spoofed mark is simply overwritten at the ingress interface
PPM vs DPM (2)
- PPM reconstructs the full path; DPM gives the address of the ingress router
  - In a datagram packet network every packet is individually routed, so a full-path traceback is only as good as the address of the ingress point
- ISPs use different IP addresses: public addresses for interfaces to customers and other networks, private addressing plans within their own networks
Coding of a mark
- Flag = 0: address bits 0~15
- Flag = 1: address bits 16~31
- The flag value is set randomly for each packet
How many packets are enough?
- n: the number of received packets
- The probability of successfully generating the ingress IP address is greater than $1 - 0.5^n$
- 2 packets: 75%; 4 packets: 93.75%; 6 packets: 98.43%; 10 packets: 99.9%
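The marking and reconstruction described on the last two slides, worked through on raw IPv4 headers. This is an added example, not code from the papers or from the presentation. It assumes that the 16-bit mark is carried in the IPv4 Identification field and the 1-bit flag in the IPv4 Reserved flag bit, that "bits 0~15" are the first two octets in wire order, and that the flag is chosen uniformly at random per packet; the addresses are constructed from documentation ranges. The last function computes, under those assumptions, the probability that both halves have arrived after n packets so it can be compared with the figures on the slide.

```python
"""Deterministic Packet Marking (DPM), Belenky & Ansari 2003, worked through on
raw IPv4 headers: the ingress interface writes half of its own address into
every incoming packet; the victim reassembles the address from a few packets.
Added example, not the paper's code.

Assumptions (mine, not fixed by the slides): the 16-bit mark lives in the IPv4
Identification field and the 1-bit flag in the IPv4 Reserved flag bit (the top
bit of the flags/fragment-offset word); address "bits 0~15" means the first two
octets in wire order; the flag is chosen uniformly at random per packet.
"""
import random
import struct
from itertools import product

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options


def ip_to_int(addr):
    return int.from_bytes(bytes(int(x) for x in addr.split(".")), "big")


def int_to_ip(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def build_packet(src, dst, ident=0, flags_frag=0):
    """Attacker-side packet (header only, constructed).  ident/flags_frag let
    the attacker pre-load a bogus mark, which the ingress router overwrites."""
    return IPV4_HDR.pack(0x45, 0, 20, ident, flags_frag, 64, 17, 0,
                         ip_to_int(src).to_bytes(4, "big"),
                         ip_to_int(dst).to_bytes(4, "big"))


def mark_at_ingress(pkt, ingress_addr, flag=None):
    """Ingress interface: overwrite the ID field with half of its own address
    and the reserved flag bit with which half it is.  Whatever mark the sender
    put there is lost, so marks cannot be spoofed past the ingress point."""
    if flag is None:
        flag = random.getrandbits(1)
    addr = ip_to_int(ingress_addr)
    half = (addr & 0xFFFF) if flag else (addr >> 16)   # flag=0: bits 0~15, flag=1: bits 16~31
    f = list(IPV4_HDR.unpack(pkt))
    f[3] = half
    f[4] = (f[4] & 0x7FFF) | (flag << 15)
    return IPV4_HDR.pack(*f)


def read_mark(pkt):
    """Victim side: (source address, flag, 16-bit half) from one packet."""
    f = IPV4_HDR.unpack(pkt)
    return int_to_ip(int.from_bytes(f[8], "big")), f[4] >> 15, f[3]


def reconstruct(packets):
    """Victim: collect the halves seen per source address and combine them.
    Returns {source: sorted candidate ingress addresses}; with one attacker
    per source address there is exactly one candidate once both halves are in,
    and none while one half is still missing."""
    halves = {}
    for pkt in packets:
        src, flag, half = read_mark(pkt)
        halves.setdefault(src, (set(), set()))[flag].add(half)
    return {src: sorted(int_to_ip((hi << 16) | lo)
                        for hi, lo in product(first, second))
            for src, (first, second) in halves.items()}


def slide_probability(n):
    """The figure on the slide: success probability above 1 - 0.5**n."""
    return 1 - 0.5 ** n


def exact_both_halves(n):
    """Check under the stated assumptions: with independent fair flags, both
    halves are present after n packets with probability
    1 - P(all flags 0) - P(all flags 1) = 1 - 2 * 0.5**n = 1 - 0.5**(n - 1)."""
    return 1 - 2 * 0.5 ** n


if __name__ == "__main__":
    spoofed = build_packet("198.51.100.7", "203.0.113.9", ident=0xDEAD, flags_frag=0x8000)
    stream = [mark_at_ingress(spoofed, "192.0.2.1", flag=i % 2) for i in range(4)]
    print(reconstruct(stream))          # {'198.51.100.7': ['192.0.2.1']}
    print(slide_probability(2), exact_both_halves(2))
```

The attacker in the example pre-loads the ID and flag fields with a bogus mark; the ingress marking overwrites both, which is the "no mark spoofing" property listed under Pros. The exact probability for independent fair flags, 1 − 0.5^(n−1), gives 50% at n = 2 and 87.5% at n = 4, lower than the slide's 75% and 93.75%, so the figures on the slide are worth re-deriving from the paper before relying on them.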
Pros
- Simple to implement
- Introduces no bandwidth overhead
- Practically no processing overhead
- Suitable for a variety of attacks, not just (D)DoS
- Backward compatible with equipment which does not implement it
- Does not have inherent security flaws
- Does not reveal Internet topology
- No mark spoofing
- Scalable
Future work
- The fragmentation/reassembly problem (the ID field is what reassembly uses to match fragments)
  - Affects less than 0.5% of packets
  - Solution: the ID field of all fragments of a datagram has to be assigned the same address bits
- The attacker changes IP address frequently during the attack
  - Solution: make the destination rely only on the marks and the hash value of the ingress router
- Analyze the coding technique
- IPv6 implementation
Tracing Multiple Attackers with Deterministic Packet Marking
Andrey Belenky and Nirwan Ansari
IEEE PACRIM'03, August 2003
The problem with the basic DPM (1)
- Two hosts with the same source address attack the victim, e.g.:
  - The ingress addresses corresponding to these two attackers are A0 and A1
  - The victim will receive the halves A0[0], A0[1], A1[0], A1[1]
  - Candidate reconstructions: A0[0].A0[1], A0[0].A1[1], A1[0].A0[1], A1[0].A1[1]
  - Rate of false positives = 50%
$\text{rate of false positives} = \dfrac{\text{number of incorrectly identified ingress addresses}}{\text{total number of identified ingress addresses}}$
The problem with the basic DPM (2)
- The attacker changes the source address during the attack
Reconstruction
- The ingress address is divided into a number of areas
- Each area has k segments
- Each segment has a bits
- A d-bit digest per area: $2^d$ possible digest values, $2^a$ possible segment values
Analysis
- N: the number of ingress routers
- When $N \le 2^d$: false positive rate = 0
- When $N > 2^d$: the expected number of different values a segment will take is $2^a\left[1 - \left(1 - \dfrac{1}{2^a}\right)^{N/2^d}\right]$
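The false-positive rate defined on the "problem with the basic DPM" slides, and a digest-assisted reconstruction in the spirit of the Reconstruction and Analysis slides, as an added example that is not code from the paper or from the presentation. It works on marks as tuples rather than packet headers. The segmented layout (k = 4 segments of a = 8 bits, a 2-bit segment index and a d = 7-bit digest, 17 bits in total) and the XOR-of-octets digest are my own illustrative choices, not the paper's mark layout or hash function, and the slides' division of the address into areas is not reproduced: one digest is computed over the whole address. All addresses are constructed; 10.129.0.129 is chosen because it collides with 10.1.0.1 under the toy digest.

```python
"""Multiple attackers behind one source address in DPM: the false-positive rate
of the basic scheme, and a digest-assisted variant in the spirit of the
PACRIM'03 paper.  Added example, not the paper's code.

Assumptions (mine): marks are tuples, not packet headers; the segmented layout
(K=4 segments of A=8 bits, 2-bit index, D=7-bit digest = 17 bits) and the
XOR-of-octets digest are illustrative choices, not the paper's exact layout or
hash; the slides' per-area digest is replaced by one digest over the address.
"""
from itertools import product


def ip_to_int(addr):
    return int.from_bytes(bytes(int(x) for x in addr.split(".")), "big")


def int_to_ip(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def false_positive_rate(identified, true_ingress):
    """Slide definition: incorrectly identified / total identified."""
    if not identified:
        return 0.0
    return len(identified - true_ingress) / len(identified)


# --- basic DPM: one 16-bit half per mark, no digest ---
def basic_marks(ingress):
    n = ip_to_int(ingress)
    return [(0, n >> 16), (1, n & 0xFFFF)]


def basic_reconstruct(marks):
    """The victim sees every mark under one source address and cannot tell
    which halves belong together, so every combination is a candidate."""
    first = {h for f, h in marks if f == 0}
    second = {h for f, h in marks if f == 1}
    return {int_to_ip((hi << 16) | lo) for hi, lo in product(first, second)}


# --- digest-assisted DPM: K segments of A bits plus a D-bit digest per mark ---
K, A, D = 4, 8, 7


def toy_digest(n, d=D):
    """Constructed digest: XOR of the four octets, truncated to d bits.  Linear
    and weak, but enough to show grouping by digest and what a collision does."""
    x = 0
    for b in n.to_bytes(4, "big"):
        x ^= b
    return x & ((1 << d) - 1)


def segmented_marks(ingress, k=K, a=A):
    """One (segment index, segment value, digest) mark per segment."""
    n = ip_to_int(ingress)
    dg = toy_digest(n)
    mask = (1 << a) - 1
    return [(i, (n >> (32 - a * (i + 1))) & mask, dg) for i in range(k)]


def segmented_reconstruct(marks, k=K, a=A):
    """Group segments by digest value, combine only within a group, and keep
    the combinations whose recomputed digest matches the group's digest."""
    by_digest = {}
    for i, seg, dg in marks:
        by_digest.setdefault(dg, [set() for _ in range(k)])[i].add(seg)
    found = set()
    for dg, segs in by_digest.items():
        for combo in product(*segs):
            n = 0
            for s in combo:
                n = (n << a) | s
            if toy_digest(n) == dg:
                found.add(int_to_ip(n))
    return found


def expected_distinct_values(N, a=A, d=D):
    """The Analysis slide's quantity: with N ingress addresses spread evenly
    over 2^d digest values (N / 2^d per value), an a-bit segment within one
    digest value is expected to take 2^a * (1 - (1 - 2^-a)^(N / 2^d))
    distinct values."""
    return 2 ** a * (1 - (1 - 2.0 ** -a) ** (N / 2 ** d))


if __name__ == "__main__":
    a0, a1, a2 = "10.1.0.1", "10.2.0.3", "10.129.0.129"   # constructed
    cand = basic_reconstruct(basic_marks(a0) + basic_marks(a1))
    print(sorted(cand), false_positive_rate(cand, {a0, a1}))          # 4 candidates, 0.5
    print(segmented_reconstruct(segmented_marks(a0) + segmented_marks(a1)))   # {a0, a1}
    coll = segmented_reconstruct(segmented_marks(a0) + segmented_marks(a2))
    print(sorted(coll), false_positive_rate(coll, {a0, a2}))          # digest collision: 0.5
    print(expected_distinct_values(128), expected_distinct_values(256))
```

With distinct digests the halves of different attackers are never combined, so the 50% false-positive rate of the basic scheme drops to 0. With a digest collision the cross combinations are attempted again and survive whenever their recomputed digest also matches, which is why the analysis counts the expected number of distinct values a segment takes among the addresses sharing one digest value; the last function evaluates that expression for the parameters above.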
Analysis (2)
- The expected number of permutations that result in a given digest for a given area
- The number of false positives for a given area
Analysis (3)
- The total number of false positives
- The maximum number N of ingress routers