Introduction to IP Traceback

交通大學 電信系 李程輝 教授

2

Outline

Introduction Ingress Filtering Packet Marking Packet Digesting Summary

3

Introduction

4

Introduction

Internet becomes ubiquitous The impact of network attackers is getting more

and more significant

Two kind of attackers A few well-targeted packets

Ex: Teardrop attack

Denial-of-service (DoS) & distributed DoS (DDoS) Typically conducted by flooding network links with large

amounts of traffics

5

DDoS

(a) Direct DDoS (b) reflector attacker

6

The Difficulty to Catch the Attacker

The anonymous feature of the IP protocol Can’t identify the true source of an IP datagram if th

e source wishes to conceal it Solution ： ingress filtering

Somewhere spoofed source address are legal Network address translators (NATs) Mobile IP

7

IP Traceback Problem

IP traceback problem The problem of identifying the source of the

offending packets Source means

Zombie Reflector Spoofed address Ingress point to the traceback-enabled network One or more compromised routers within the enabled

network

8

IP Traceback Problem - Solution

Packet marking To cope with DDoS attacks Router marks packets with it’s identifications Victim can reconstruct the attack path if sufficient

number of packets are collected

Packet digesting For attacks that require only a few packets Require storage of audit trails on the routers Victim ask routers if the offending packet passed

before

9

Evaluation Metrics for IP Traceback Technique (1)

ISP Involvement Number of Attacking Packets Needed for

Traceback The Effect of Partial Deployment Processing Overhead Bandwidth Overhead Memory Requirements Ease of Evasion

10

Evaluation Metrics for IP Traceback Technique (2)

Protection Scalability Number of Functions Needed to Implement Ability to Handle Major DDoS Attacks Ability to Trace Transformed Packets

Network Address Translation (NAT) Tunneling ICMP packet Duplication of a packet in multicast

11

Ingress Filtering

12

Ingress Filtering

Limit source addresses of IP datagrams from a network to addresses belonging to that network

If ingress filtering is not deployed everywhere attackers can still spoof any address on the Internet

13

Why Don’t People Run Ingress Filtering ？

It is easy! It improves security! Why not run it? Some people run it In current routers It is implemented in the slow path in the software

not the hardware It is easy

For the routers close to the edge of the networks where addressing rules are well defined

It becomes complex and inefficientFor transit networks where packets with a different source

address can enter the network in multiple locations

14

Packet Marking

15

Packet Marking

Probabilistic packet marking (PPM) ICMP traceback (iTrace) Deterministic packet marking (DPM)

16

Probabilistic Packet Marking

Routers mark packets that pass through them

Packets for marking are selected with probability p=0.04

17

Router Marking

18

Pros & Cons

Pros High stability Still can work under partial deployment No bandwidth overhead Low network processing overhead (decide which

packet should be marked) Cons

Only for DoS & DDoS attacks Victim requires high memory and high processing

overhead Without authentication mark spoofing may happen

19

Ability to Trace Transformed Packets

Can handle packet modification transformation of the packets directed to the victim

The ID field used for fragmentation is used for the mark If a single fragment of the original datagram is marked The reassembly function would fail at the destinationSolution: select a lower probability of marking for

fragmented packet Tunneling may create a problem for reconstruction

If marks are extracted before the outer header is removed

20

ICMP Traceback (iTrace)

ICMP traceback message (iTrace) Next hop Previous hop Timestamp As many bytes of

the traced packet TTL=255

21

“Intension-Driven” iTrace

Attack[V] =1, victim V is attacked

Intension[V] =1, victim V wants to receive ICMP traceback message

Received[R→V] How many iTrace messages from router R to victim V have bee

n received Generated[R]

The number of iTrace messages generated by router R for all destinations

The value of ICMP packet can be a function of

1)ed[R]1)(GeneratV]R(Received[

V]HopCount[RV]Intention[Attack[V]

22

Architecture

Introduce a new bit – intension bit The intension bit in routing table will set to 1 if one has

intension to receive ICMP packet Decision Module

“Choose” one from routing table prefer the one with the highest value

23

Pros & Cons

The pros and cons of iTrace is similar to that of PPM

Except iTrace has bandwidth overhead ； PPM has no ban

dwidth overhead Without authentication fake ICMP packet may be g

enerated more easily

24

Deterministic Packet Marking

Each packet is marked when it enters the network

Only mark Incoming packets

Mark ： address information of this interface

16 bit ID + 1 bit Reserved Flag

25

PPM vs. DPM

Mark spoofing (PPM) Use coding technique (but not 100%) (DPM) Spoofed mark will be overwritten

The received information (PPM) Full path (DPM) Address of the ingress router

26

Method 1 -The Information of Marks

Pad

Ideal hash

27

Method 1- Reconstruction Process area Each area ha

s k segments Each segmen

t has

bits

area

d2

a2

28

Method 1- Performance

M ： the number of all routers N ： the number of attackers (ingress routers) Use d bits to indicate hash value of router There will be m routers that have the same digest

The expected number of different values the segment will take is

m

aaa

2

1122

d

Mm

2

29

Method 1- Example

M=4096, N=1024, d=10, a=4, s=3 Choose N balls in boxes, each box has m balls (m=

M/ =4) 4 balls w boxes

3 balls x boxes

2 balls y boxes

1 balls z boxes

F(w,x,y,z) ： combinations of deterministic w, x, y, z

d2d2

kkkk

zyxwzyxwF

1

4442

4443

4444

444 )

2

11(22)

2

11(22)

2

11(22)

2

11(22),,,(

30

Method 1- Example

P(w,x,y,z) ： The probability of deterministic w, x, y, z

A ： the number of false address combination

The number of total false positive= A/ =346.57 Each attacker will produce 0.338 false positive

20481024

41

42

43

44 )()()()(

),,,(!!!!

!1024

C

CCCCzyxwP

zyxw

zyxw

]),,,()[,,,( 4

1024

0

3

41024

2

3410242341024

2341024

NzyxwFzyxwPAw

w

x

xw

y

yxw

yxwz

d2

31

Method 2

The 17 useable bits are divided into two parts g-bits mark h-bits mark identifier

For example: g=14, h=3 present the IP address321 aaa

32

Method 2

The false positive rate is The reconstruction process is complex

The requires number of matches

For N=1K The false positive rate= The requires number of matches=

80

7

2

N

)2222( 6673852441032 NNNNNN

)1512(230

1021

33

Method 3

34

Method 3

First stage Need 6 hashes Need matches The false positive rate

For N=1K, The false positive rate=0.25

Second stage Need hashes Need matches The false positive rate is bounded by

For N=1K, The false positive rate is bounded by 0.4883%

N)2223( 35421372 NNNNN

424 2Nr

)221)(1( 242102 NNrN )22)(1( 242102 NNrN

383 2)1( rN

35

Packet Digesting Source Path Isolation Engine

(SPIE)

36

Packet Digesting

Compute digest over The invariant portion of the IP header (16 bytes) The first 8 bytes of the payload (8 bytes) 24 bytes sufficient to differentiate all packets

37

Prefix Length & Collision Probability

A WAN trace from an OC-3 gateway router A LAN trace from an active 100Mb Ethernet segment

38

Bloom Filter (1)

A technique that simply stores the digests

＊ For each packet arrived

Step-1 Use k different hash function computes k independent n-bits digests

Step-2 Set the corresponding bits in the bits digest tablen2

39

Bloom Filter (2)

If any one of them is zero The packet was not stored in the table

If all the bits are one It is highly likely the packet was stored It is possible that some set of other insertions caused all

the bits to be set Restriction

Can only store a limited number of digests Saturated filters can be swapped out for a new, empty

filter Change to a new filter loss the previous digest

information

40

Architecture (1)

Data Generation Agent (DGA) SPIE Collection and Reduction Agents (SCARs) SPIE Traceback Manager (STM)

41

Architecture (2)

DGA SPIE enhanced router 1. produce packet digest 2. store digests table annotated – time & hash function

SCARs Concentration points for several routers 1. produce local attack graph

42

Architecture (3)

STM Control the whole SPIE system The interface to requesting packet trace 1. verifies the authenticity 2. dispatch the request to the appropriate SCARs 3. gather the resulting attack graphs 4. complete the attack graph 5. replies to the IDS

43

Traceback Processing

IDS determine an exceptional event has occurred

STM cryptographically verifies its authenticity

SCAR poll its DGAs & produce partial attack graph

packet, P ； victim, V ； time of attack, T

P ； V ； T

another SCAR

T’ – the packet enter the regionP’ – the entering packetV’ – the border router between the two network

terminateno yes

44

Graph Construction

Reverse path flooding R8 ； R9 R7 R4 ； S5 ； R5 R3 ； R2

The SCAR don’t need to query DGAs sequentially

45

Ability to Trace Transformed Packets (1)

Transform lookup table (TLT) Record sufficient packet data at the time of

transformation to allow the original packet to be reconstructed

1st field ： a digest of the transformed packet

2nd field ： the type of transformation (include a flag I)

3rd field ： a variable amount of packet data

46

Ability to Trace Transformed Packets (2)

Flag I (indirect flag)(1)For some transformations, such as NAT, the 32bits

data field is not enough.Set I=1, the third field is treated as a pointer

(2)In many case (e.g., tunneling or NAT), packets undergoing a particular transformation are related

It is possible to reduce the storage requirement by suppressing duplicate packet data

Flag I is used for flow caching, or at least identification, so that the packets within the flow can be correlated and stored appropriately.

47

Summary

48

Summary In recent years much interest and consideration have

been paid to the topic of securing the Internet infrastructure

To detect the offending packets IDS (Intrusion Detection System) becomes more and more important

Detecting the offending packets (IDS) find out attackers (IP traceback)

Several methods have been proposed Each has its own advantages and disadvantages None of the methods described in this article has been

used on the Internet When economic or political incentives become strong

enough to justify deployment of IP traceback, some new requirements and metrics for evaluation might emerge

49

References

R. K. C. Chang, “Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial,” IEEE Commun. Mag., Oct. 2002, pp. 42–51.

A. Belenky and N. Ansari, “On IP traceback,” IEEE Communications Magazine, vol. 41, no. 7, July 2003

S. Savage et al., “Network Support for IP Traceback,” IEEE/ACM Trans. Net., vol. 9, no. 3, June 2001, pp. 226–37.

D. X. Song and A. Perrig, “Advanced and Authenticated Marking Schemes for IP Traceback,” Proc. INFOCOM,2001, vol. 2, pp. 878–86.

S. F. Wu et al., “On Design and Evaluation of ‘Intention-Driven’ ICMP Traceback,” Proc. 10th Int’l. Conf. Comp. Commun. and Nets., 2001, pp. 159–65.

A. Belenky and N. Ansari “IP Traceback With Deterministic Packet Marking,” IEEE Communications Letters, Vol.7, NO. 4,April 2003

A. Belenky and N. Ansari “Tracing Multiple Attackers With Deterministic Packet Marking,” IEEE PACRIM’03, August 2003

A. C. Snoeren et al., “Single-Packet IP Traceback,” IEEE/ACM Trans. Net., vol. 10, no. 6, Dec. 2002, pp. 721–34.