Path identification, presented by Hagay Avraham the third. Authors: Abraham Yaar, Adrian Perrig and Dawn Song.
Posted 22-Dec-2015

Problem
Distributed Denial of Service (DDoS) attacks continue to plague the Internet. Defense against these attacks is complicated by spoofed source IP addresses, which make it difficult to determine a packet's true origin.

Solution
We propose Pi (short for Path Identifier), a new packet marking approach in which a path fingerprint is embedded in each packet, enabling a victim to identify packets traversing the same paths through the Internet on a per-packet basis, regardless of source IP address spoofing.

Example
On October 21, 2002, an attacker flooded the root DNS servers with traffic in an effort to deprive the Internet of the DNS name lookup service (which would have paralyzed the majority of Internet applications). Only five out of thirteen root servers were able to withstand the attack.

The traceback mechanism
The routers mark information on packets. The path information is used to install filters. The assumption here is that we need to reconstruct the exact path to the attacker.

Hence the shortcomings are:
The victim must receive large numbers of packets before it is able to reconstruct the path that they are taking.
Routers and/or victims need to perform non-trivial operations in marking packets or in reconstructing paths.

Network filtering is done on a per-flow or per-network basis using coarse identification criteria rather than on a per-packet basis.
The victim has to rely on upstream routers to perform packet filtering, even once the attack paths have been identified.

A new approach for defending against DDoS attacks
Reconstructing the exact path is not necessary; identifying a particular path is enough. The victim classifies a single packet as malicious in order to filter out all subsequent packets with the same marking.

The main difference between the methods:
Our packet marking is deterministic. All the other marking methods are probabilistic in nature: the victim needs to collect a large number of packets to reconstruct the path.

The advantages are:
The scheme is light-weight, both for the routers when marking and for the victims when decoding and filtering.

Different DDoS attacks:
Network resource attack. Server resource attack. Server memory attack.

The new approach is based on the idea that the packets arriving at the victim carry some distinctive marking. With it, the victim can overcome the attack easily.

Distinctive marking
We take the Internet as a complete binary tree. The root is the server and the nodes are the leaves. Therefore we have a lot of paths between the victim and the attacker.

We propose that the path identifier be embedded by routers in the IP identification field of every packet they forward. The path identifier will act as the distinctive marking which the victim can use to filter incoming packets.

Because every router has only local knowledge (last and next hop) of a particular path, the marking for an entire path in Pi is not guaranteed to be globally unique.

However, the benefits of single-packet deterministic marking allow the victim to develop a packet filter to protect itself during such an attack.

The basic Pi marking scheme
In its simplest form, we propose an n-bit scheme where a router marks the last n bits of its IP address in the IP identification field of the packets it forwards.

To determine the location within the field to mark the bits, we break the field into ⌊16/n⌋ different marking sections, and use the value of the packet's TTL modulo ⌊16/n⌋ as an index into the section of the field to mark.

IP address hashing
We find that the distribution of the last bits of the IP addresses of the routers from our sample Internet data is highly skewed. This is problematic because if, for example, ISPs tended to designate router IP addresses with the last byte as 0, then many of our packet markings would be zero, which would make the Pi markings for different paths less likely to be distinguishable from each other.

Ideally, we would like to maximize the entropy of the bits that we mark with, to reduce the likelihood of marking collisions (where two different paths have the same Pi marking).

To solve this problem, we have routers mark packets using the last n bits of the hash of their IP addresses, rather than of their IP addresses alone.

Edge marking in Pi
We now describe a mechanism to increase the entropy in an individual router's marking. Consider the fan-in topology shown in figure 4:
[Figure 4: fan-in topology, two upstream routers R1 and R2 feeding into the same router R3]

We compute the probability that the victim cannot distinguish the markings of a packet that traverses routers R1 and R3 from the markings of a packet that traverses routers R2 and R3. With node marking, the two paths differ only in the marks of R1 and R2, so
$P[M(R_1) = M(R_2)] = 1/2^n$
With edge marking, the probability that the two paths have the same marking becomes:
$P[M(R_i \to R_1) = M(R_j \to R_2) \wedge M(R_1 \to R_3) = M(R_2 \to R_3)] = \frac{1}{2^n} \cdot \frac{1}{2^n} = \frac{1}{2^{2n}}$
Edge marking decreases the probability that the two paths have the same marking by a factor of $2^n$.

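The marking scheme, the hashing fix and the edge-marking comparison above, as an added simulation (not code from the paper or the presenter): routers write the last n bits of a hash into the TTL-indexed section of the identification field, and a Monte Carlo run over the fan-in topology checks the 1/2^n versus 1/2^(2n) collision rates. Router addresses and the three-hop route are constructed; SHA-256 stands in for whatever hash a deployment would pick.

```python
import hashlib
import random

IDENT_BITS = 16  # the IPv4 identification field carries the Pi mark


def mark_bits(material: str, n: int) -> int:
    """Last n bits of a hash of the marking material (Pi hashes the
    address instead of using its raw low bits, to undo the skew)."""
    digest = hashlib.sha256(material.encode()).digest()
    return digest[-1] & ((1 << n) - 1)


def pi_mark(routers, last_hops=None, n=2, ttl=64, ident=0):
    """Simulate the Pi marks a packet collects along one route.
    routers:   IPs of the marking routers, first hop to last hop.
    last_hops: for edge marking, the IP each router received the
               packet from (mark = hash(last hop || own IP));
               None selects plain node marking.
    The source address is never consulted, so spoofing it does
    not change the mark a route produces."""
    sections = IDENT_BITS // n
    mask = (1 << n) - 1
    for i, router in enumerate(routers):
        material = router if last_hops is None else last_hops[i] + "|" + router
        shift = (ttl % sections) * n      # TTL mod sections picks the slot
        ident = (ident & ~(mask << shift)) | (mark_bits(material, n) << shift)
        ttl -= 1                          # each router decrements TTL
    return ident & 0xFFFF


def fanin_collision_rate(n=2, trials=4000, edge=False, seed=7):
    """Monte Carlo estimate of P[victim cannot tell Ri->R1->R3 from
    Rj->R2->R3] over random router addresses (constructed topology;
    expect about 1/2^n for node marking and 1/2^(2n) for edge marking)."""
    rng = random.Random(seed)
    rand_ip = lambda: ".".join(str(rng.randrange(256)) for _ in range(4))
    same = 0
    for _ in range(trials):
        ri, rj, r1, r2, r3 = (rand_ip() for _ in range(5))
        if edge:
            a = pi_mark([r1, r3], last_hops=[ri, r1], n=n)
            b = pi_mark([r2, r3], last_hops=[rj, r2], n=n)
        else:
            a, b = pi_mark([r1, r3], n=n), pi_mark([r2, r3], n=n)
        same += (a == b)
    return same / trials


if __name__ == "__main__":
    route = ["10.0.0.1", "10.0.1.1", "10.0.2.1"]   # constructed three-hop path
    print(hex(pi_mark(route)), hex(pi_mark(route)))   # same route, same mark
    print(fanin_collision_rate(), fanin_collision_rate(edge=True))
```

Changing the initial TTL moves the marks to other sections, which is exactly the lever the TTL unwrapping slide later describes.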
Suppressing nearby router markings
The limited space in the IP identification field causes routers close to the victim to overwrite the markings of routers farther away. A simple mechanism to achieve this suppression would be to have a router not mark a packet if the destination IP address of that packet matches a route obtained through an interior gateway protocol (IGP).

The use of BGP has the effect of keeping routing tables small at lower-tier ISP networks, which only need to know internal routes and a single route to all external addresses.

The basic filter scheme
The victim can record the marking of identified attack packets and drop subsequent incoming packets matching any of those markings.

Advantages
The reaction time is fast and it needs few memory resources. But it limits the victim's flexibility.

TTL unwrapping
In order to make the attack more effective, the attacker can modify the TTL of its packets in order to have the first-hop router start marking in any one of the sections of the IP identification field.

Threshold filtering
There is another attack on our filtering strategy, which we call a marking saturation attack. In this attack, a large number of attackers spread throughout the Internet all send packets to a single victim in the hope of having the victim classify every marking as an attacker marking, and thus drop all incoming packets.

This attack requires an attacker of immense means, since it requires at least 2^16 zombie nodes, distributed in such a way that each attacker has a differing Pi marking.

Advanced filters
The Pi mechanism can also be used to detect spoofed IP addresses, with an appropriate filter. The victim need only build a table correlating the Pi mark of a packet to its source IP address, during non-attack time.

When under attack, the victim can check whether the source IP addresses of incoming packets match the IP addresses recorded for their Pi marks in the table.

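The victim side of the scheme as an added illustration (not the paper's or the presenter's code): the basic drop filter, the mark-to-source table learned in non-attack time and consulted under attack, and a saturation measure that shows how close the basic filter is to dropping everything. Marks, addresses and the packet trace are constructed; what counts as "under attack" is left to the operator.

```python
from collections import defaultdict

MARK_SPACE = 1 << 16   # a 16-bit identification field holds 2^16 distinct marks


class PiVictimFilter:
    """Victim-side use of Pi marks: the basic drop filter plus the
    spoof-detection table (illustration only)."""

    def __init__(self):
        self.attack_marks = set()                 # marks of identified attack packets
        self.mark_to_sources = defaultdict(set)   # mark -> sources seen in calm time
        self.under_attack = False

    def observe(self, mark, src_ip):
        """Non-attack time: learn which source addresses arrive with which mark."""
        if not self.under_attack:
            self.mark_to_sources[mark].add(src_ip)

    def flag_attack_packet(self, mark):
        """Basic filter: one packet classified as malicious blocks its whole mark."""
        self.attack_marks.add(mark)

    def saturation(self):
        """Fraction of the mark space blocked; near 1.0 means the basic filter
        is dropping almost everything (the marking saturation scenario)."""
        return len(self.attack_marks) / MARK_SPACE

    def accept(self, mark, src_ip):
        """Decide one incoming packet; returns (accepted, reason)."""
        if mark in self.attack_marks:
            return False, "mark matches an identified attack packet"
        if self.under_attack and src_ip not in self.mark_to_sources.get(mark, ()):
            return False, "source never seen with this mark: likely spoofed"
        return True, "ok"


def demo():
    """Constructed trace: two legitimate clients learned in calm time, then an
    attack with one spoofed packet and one flagged mark."""
    f = PiVictimFilter()
    for mark, src in [(0x1234, "192.0.2.10"), (0x1234, "192.0.2.11")]:
        f.observe(mark, src)
    f.under_attack = True
    f.flag_attack_packet(0xABCD)
    packets = [(0x1234, "192.0.2.10"), (0x1234, "198.51.100.5"), (0xABCD, "192.0.2.10")]
    return [f.accept(mark, src)[0] for mark, src in packets]   # [True, False, False]
```

The same table is what a reflector's server would consult to refuse requests whose source address does not match their mark.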
Reflector attack
There are many potential uses for a Pi filter that detects spoofed IP addresses. In a particular type of DDoS attack, known as a reflector attack, attackers send request packets to various services whose responses are of far larger size than the requests themselves (e.g. DNS).

Reflector
A Pi filter capable of detecting spoofed IP addresses, running on the reflector's server, would immediately detect the spoofed source IP addresses of the requests and refrain from sending a response, thus halting the attack.

Traceroutes
The spoofed-IP detection filter can also be used for a limited form of traditional IP traceback: given a Pi mark, the victim can check the list of IP addresses from the table that match the mark and simply perform traceroutes to those IP addresses.

Filtering in the network
The Pi marking scheme can also support other anti-DDoS systems. For example, the Pushback system uses downstream routers that identify aggregates (packets from one or more flows that have a certain characteristic, such as source or destination addresses) and send rate-limit requests to upstream routers, along with an aggregate identifier.

Pushback
The Pi marking can also be used to move Pushback filters closer to the attacker, as the marking is an identifier of the path towards the attacker. However, the Pushback router needs to consider that the Pi markings are not unique, as multiple paths may exhibit the same marking.

Thank you very much
Do not forget to tip Hagay Avraham the 3rd.