Advanced Networking Laboratory
IP Traceback by Deterministic Packet Marking
Nirwan Ansari, Advanced Networking Laboratory
http://web.njit.edu/~ang
Department of Electrical and Computer Engineering
New Jersey Institute of Technology, Newark, NJ 07102-1982, USA.
2nd Sendai International Workshop on Internet Security and Management @ Hotel Sendai Plaza, Sendai, Japan, January 27-30, 2004
Advanced Networking Laboratory © 2004 Nirwan Ansari
Acknowledgements: Andrey Belenky, Dong Wei, Zhiqiang Gao
Outline
Motivation for IP Traceback
Currently available techniques to cope with anonymous attacks
Framework and Evaluation Metrics
Overview of IP Traceback Schemes
Deterministic Packet Marking
IP Traceback implications and challenges
Conclusion/Future Work
What is an anonymous attack?
I would like to inflict some damage on host V
How about I flood host V with a bunch of packets
BUT, host V will know who I am by looking at the SA of the packets I send!
I will change the SA field on every packet I send to V to some other value!
I will do it myself or use one of the readily available programs on the Internet for that purpose
[Figure: the attacker's packet with its real source address (SA: My SA) and its data, and the same packet after the rewrite (SA: Some Other SA).]
Filtering and Access Control
[Figure, Ingress Filtering: at the edge node A, "Does the SA of the packet match the list of valid addresses (A.B.C.x, A.B.C.y, A.B.w.z)?" Yes: route. No: drop.]
[Figure, Access Control: at the victim V, "Does the SA of the packet match the list of blocked addresses (X.Y.Z.a, X.Y.Z.b, X.Y.c.d)?" Yes: drop. No: route.]
SYN Flood
[Figure: TCP 3-way handshake between S and C: S sends SYN ("Let's talk"); C allocates resources and replies SYN/ACK ("I'm ready"); S sends ACK ("Let's go"). SYN Flood against V: the attacker sends SYN after SYN; V allocates resources and answers each with SYN/ACK, but no ACK ever arrives.]
The TCP three-way handshake does not get completed
Resources remain allocated
When resources are exhausted, the server crashes or goes off-line
SYN Flood Protection
[Figure: the SYN flood of the previous slide (SYN, SYN/ACK, "I'm ready", "Allocate Resources" at V) with a firewall placed in front of V.]
The firewall starts an ACK timeout for every SYN it receives; if the timeout expires, the firewall resets the connection on behalf of the (absent) client
The firewall keeps track of the number of half-open connections and starts dropping the oldest half-open connections when this number exceeds a certain threshold
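An added sketch (not from the slides) of the two firewall rules above as a half-open connection table in Python: every SYN starts an ACK timer, entries whose timer has expired are returned for the firewall to reset, and once the table exceeds its threshold the oldest half-open entries are dropped first. The event format, connection labels and threshold values are constructed for the example.

```python
from collections import OrderedDict

class SynFloodGuard:
    """Firewall-side SYN flood protection as described on the slide (constructed example):
    an ACK timeout per SYN, plus a cap on the number of half-open connections."""

    def __init__(self, ack_timeout: float, max_half_open: int):
        self.ack_timeout = ack_timeout
        self.max_half_open = max_half_open
        # (client, port) -> time the SYN arrived; insertion order keeps the oldest entry first
        self.half_open = OrderedDict()

    def on_syn(self, now: float, conn) -> list:
        """Record a half-open connection; return the connections evicted to stay under the cap."""
        evicted = []
        self.half_open[conn] = now
        while len(self.half_open) > self.max_half_open:
            evicted.append(self.half_open.popitem(last=False)[0])   # drop the oldest first
        return evicted

    def on_ack(self, now: float, conn) -> bool:
        """Handshake completed: free the slot. False for an ACK with no matching SYN."""
        return self.half_open.pop(conn, None) is not None

    def expire(self, now: float) -> list:
        """Return connections whose ACK timeout has elapsed (the firewall resets each one)."""
        timed_out = [c for c, t in self.half_open.items() if now - t > self.ack_timeout]
        for c in timed_out:
            del self.half_open[c]
        return timed_out

def replay(guard: SynFloodGuard, events):
    """Feed (time, kind, conn) events, kind in {"SYN", "ACK", "TICK"}; a TICK only lets
    timers expire. Returns (connections evicted by the cap, connections reset by timeout)."""
    evicted, reset = [], []
    for t, kind, conn in events:
        reset += guard.expire(t)
        if kind == "SYN":
            evicted += guard.on_syn(t, conn)
        elif kind == "ACK":
            guard.on_ack(t, conn)
    return evicted, reset

if __name__ == "__main__":
    # Constructed trace: five SYNs, one completed handshake, cap of three half-open entries.
    guard = SynFloodGuard(ack_timeout=3.0, max_half_open=3)
    trace = [(0.0, "SYN", "a"), (0.5, "SYN", "b"), (1.0, "ACK", "a"), (1.5, "SYN", "c"),
             (2.0, "SYN", "d"), (2.5, "SYN", "e"), (6.0, "TICK", None)]
    print(replay(guard, trace))   # (['b'], ['c', 'd', 'e'])
```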
Backscatter and Black-hole router
[Figure: V notifies its ISP ("Notify ISP"); the ISP has to find the unknown entry point ("?") of the attack traffic into its network.]
Motivation for IP Traceback
[Figure: the Intrusion Detection System (IDS) at V raises "Attack!!!". V: "Who attacked me? I will look at the Source Address (SA) field of the IP packet and find out!" But the Source Address is SPOOFED.]
Need IP Traceback!!!
What is IP Traceback?
A mechanism for identifying the source of any packet on the Internet
Envisioned for identifying the human attacker
Technical Reality...
Can only identify the host which originated the attack packets
Sometimes it would be possible to identify only the organization which owns the host
NAT, Firewalls, etc...
IP Traceback may be limited to identifying the ingress point of the packets on the Internet
IP Traceback is NOT
IP Traceback is not an attack prevention mechanism
Firewalls, filtering
IP Traceback is not an attack detection mechanism
Intrusion Detection Systems (IDS)
IP Traceback cannot stop an attack in progress
Metrics for Evaluation of Schemes
ISP Involvement
Number of Attack Packets Needed for Traceback
Effect of Partial Deployment
Processing Overhead
Bandwidth Overhead
Memory Requirements
Ease of Evasion
Protection
Scalability
Number of functions needed to be implemented
Ability to handle major DDoS attacks
Ability to handle transformed packets
Ideal Traceback Scheme
Low number of attack packets required for traceback
Ability to deploy partially
Low processing overhead on the routers
Low bandwidth overhead on the network
Minimal ISP involvement
Does NOT disclose the topology of the ISP
Scalable
Able to trace back ALL types of attacks
Proposed IP Traceback Schemes
End-host storage: Original PPM & Numerous Modifications to PPM; iTrace
Specialized Routing: Overlay Network; IP Traceback with IPSec
Packet Logging: Feature Tracing; Hash-based IP Traceback
State of the network inference: Controlled Flooding
Edge Marking: Deterministic Packet Marking
Probabilistic Packet Marking (PPM)
[Figure: attacker A reaches victim V across routers R1 to R12; each router marks a passing packet with probability p. At V the incoming packet stream is split: marked packets go into a buffer, the reconstruction process works on that buffer, and the processing yields the reconstructed route R12 - R9 - R4 - R2 - R1.]
Highlights of Evaluation of PPM
ISP Involvement: Low
Processing Overhead: During Traceback and at the Victim only
Ability to handle major DDoS Attacks: Poor
Number of Attack Packets required for traceback: Thousands
ICMP Traceback (iTrace)
[Figure: along the path from A to V across routers R1 to R12, a router sends, for 1 out of 20,000 forwarded packets, an ICMP packet carrying its address info. V collects these (e.g. R12, R2, R9), sorts them, and obtains the reconstructed route R12 - R9 - R4 - R2 - R1.]
Highlights of Evaluation of iTrace
ISP Involvement: Low
Processing Overhead: During Traceback and at the Victim only
Ease of Evasion: High
Ability to handle major DDoS Attacks: Poor
Number of Attack Packets required for traceback: Thousands
Overlay Network (CenterTrack)
[Figure: edge routers are joined by tunnels, laid over the physical links of the core routers, to a tracking router TR. The attack path from A to V with the overlay passes through TR; without the overlay it crosses the core directly.]
Highlights of Evaluation of Overlay
ISP Involvement: High
Processing Overhead: Every packet
Ability to handle major DDoS Attacks: Good
Number of Attack Packets required for traceback: 1
Other: Single ISP only; Single point of failure
IP Traceback with IPSec
[Figure: the same A-to-V topology of routers R1 to R12, used for IP Traceback with IPSec.]
Highlights of Evaluation of IPSec Traceback
ISP Involvement: High
Processing Overhead: High
Ability to handle major DDoS Attacks: Poor
Number of Attack Packets required for traceback: Fair
Other: Single ISP only
Source Path Isolation Engine (SPIE)
[Figure: on the A-to-V topology of routers R1 to R12, each router hosts a Data Generation Agent that computes Header + Hash( ) of every packet and stores it in a Bloom Filter; SPIE Collection and Reduction Agents gather these digests for the SPIE Traceback Manager.]
Highlights of Evaluation of SPIE
ISP Involvement: High
Processing Overhead: Low
Ability to handle major DDoS Attacks: Good
Number of Attack Packets required for traceback: 1
Other: Fair Scalability; Strict timing constraints on the traceback process
Controlled Flooding
[Figure: the same A-to-V topology of routers R1 to R12 with Controlled Flooding Equipment attached to it.]
Highlights of Evaluation of Controlled Flooding
ISP Involvement: None
Processing Overhead: None
Ability to handle major DDoS Attacks: Poor
Number of Attack Packets required for traceback: Huge
Other: DoS attacks only; Manual, Unsafe, Inconsistent; Huge bandwidth overhead during the traceback; Traceback is possible only while the attack is in progress
Comparison of IP Traceback Schemes

| Metric | PPM | iTrace | Overlay | Hash-based IP Traceback | Controlled Flooding | Traceback with IPSec |
|---|---|---|---|---|---|---|
| ISP Involvement | Low | Low | High | High | None | High |
| Scalability | High | High | Poor | Fair | N/A | Poor |
| Vendor Involvement (# of functions to implement) | 2 | 2 | None | 3 | 1 | None |
| Number of Attack Packets Required for Traceback | Thousands | Thousands | 1 | 1 | Huge | Fair |
| Is Partial Deployment Within a Single ISP Possible? | Yes | Yes | No | Yes | N/A | Yes |
| Is Prior Knowledge of Topology and Routing Required for Traceback? | Yes, only if deployed partially | Yes, only if deployed partially | No | Yes, only if deployed partially | Yes | Yes |
| Is Inter-ISP Deployment Possible? | Yes | Yes | No | Yes | Yes | Yes |
| Network Processing Overhead, Every Packet | Low | Low | Low | Low | None | None |
| Network Processing Overhead, During Traceback | None | None | Low | Low | None | High |
| Victim Processing Overhead, Every Packet | None | None | None | None | None | None |
| Victim Processing Overhead, During Traceback | High | High | None | None | Fair | High |
| Bandwidth Overhead, Every Packet | None | Low | High | None | None | None |
| Bandwidth Overhead, During Traceback | None | None | None | Low | Huge | High |
| Memory Requirements, Network | None | Low | Low | Fair | None | None |
| Memory Requirements, Victim | High | High | None | None | Low | None |
| Ease of Evasion | Low | High | Low | Low | N/A | Low |
| Protection | High | High | Fair | Fair | N/A | High |
| Ability to Handle Packet Transformations | Good | Good | Good | Good | Good | Good |
| Ability to Handle Major DDoS Attacks | Poor | Poor | Good | Good | Unable | Poor |
| Limitations | DoS and DDoS attacks only | DoS and DDoS attacks only | Single ISP. Single point of failure. | Strict timing constraint on traceback process. Single point of failure. | DoS only. Manual. Unsafe. Inconsistent. Traceback is possible only while attack is in progress. | Single ISP. |
IP Traceback with DPM
[Figure: attackers A1 and A2 and victim V are connected through DPM Enabled Edge Routers; the Backbone Routers between them are not DPM-enabled.]
Basic DPM
[Figure: attacker A sends packets into a DPM-enabled edge router; the addresses shown on the slide are 10.0.15.01, 128.235.104.1, 128.235.104.19, 128.235.55.6 and 128.235.55.1.]
DPM Principles
The Interface, not the Router, is the unit of Traceback
[Figure: two panels, DPM and PPM-like, labelling each Edge Interface and Backbone Interface with Mark or Don't Mark; in the DPM panel only the DPM-enabled edge interface marks and every backbone interface does not.]
DPM Principles (cont'd)
Only the ingress DPM-enabled edge interface marks packets
DPM Traceback = Ingress Address
For datagram networks (e.g. the Internet), the Ingress Address is as good as full-path traceback
ALL packets are marked, and by the DPM-enabled interface only
Prevents mark spoofing
Decreases traceback time
DPM Mark
[Figure: the IPv4 header (Version, H. Length, Type of Service, Total Length; Fragment ID, Flags, Fragment Offset; Time to Live, Protocol, Header Checksum; Source IP Address; Destination IP Address) with the Fragment ID and Flags fields highlighted as the fields that carry the DPM mark.]
Basic DPM Mark Encoding
[Figure: the 32-bit Ingress IP Address is split into two 16-bit halves; a Random Selector (0 or 1, p = 0.5) drives a MUX that chooses one half; the 17-bit Mark = the chosen 16-bit half + a 1-bit segment number.]
DPM Ingress Address Reconstruction
[Figure: a packet (Header + Data) with Source Address SA_3 arrives at V carrying the mark A_SA3,1 with segment bit 1. V keeps a table indexed by Source Address with two slots per entry, A_SA,0 and A_SA,1: SA_0 -> A_SA0,0, A_SA0,1; SA_1 -> A_SA1,1; SA_2 -> A_SA2,0; SA_3 -> A_SA3,0; ...; SA_N-3 -> A_N-3,0, A_N-3,1; SA_N-2 -> A_N-2,0; SA_N-1 -> A_N-1,0. An ingress address is reconstructed once both segments of its entry are present.]
Basic DPM – Limitations
Basic DPM assumes that the addresses of the attackers are unique and unchanged for the duration of the attack
This is not the case for most real Internet attacks
Inability to Handle Identical SA
Reconstruction of Ingress Addresses will produce a lot of false addresses
[Figure: attackers A1 to A7 and AN behind different DPM Enabled Edge Routers all spoof the same source address 128.235.251.25, so their marks land in one table entry (A0,0, A0,1, ..., AN,0, AN,1) and the reconstruction pairs segments across attackers: AN,0 A0,1; AN-1,0 A0,1; A0,0 AN,1; AN,0 AN,1; AN-1,0 AN,1; ...]
Inability to Handle Identical SA (cont'd)
Number of attackers with the same SA: N
Permutations of ingress address segments: $N^2$
Number of false positives: $N^2 - N$
Number of correctly reconstructed ingress addresses: N
Rate of false positives: $\frac{N^2 - N}{N^2}$
For N = 10, the rate of false positives is 90%!
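As an added illustration (not code from the slides), the basic DPM mark encoding and the SA-keyed reconstruction table in Python, run once with N attackers entering at distinct ingress interfaces and using their own SAs, and once with all of them spoofing the same SA, which produces the N^2 candidates and N^2 - N false positives counted above. The ingress addresses and SAs are constructed, and the 17-bit mark is handled as an integer rather than written into a real IP header.

```python
import random

def ip_to_int(ip: str) -> int:
    o = [int(x) for x in ip.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]

def int_to_ip(x: int) -> str:
    return ".".join(str((x >> sh) & 0xFF) for sh in (24, 16, 8, 0))

def basic_mark(ingress: int, rng=random) -> int:
    """Mark written by the ingress DPM interface: a random selector (p = 0.5) picks one
    16-bit half of the 32-bit ingress address; the 17-bit mark is that half plus a 1-bit
    segment number (on the wire: the Fragment ID field plus one flag bit)."""
    seg = rng.randrange(2)
    half = (ingress >> 16) & 0xFFFF if seg == 0 else ingress & 0xFFFF
    return (half << 1) | seg

def reconstruct(packets) -> set:
    """Victim side of basic DPM: a table keyed by the packet's source address (SA) with two
    slots per entry, A_SA,0 and A_SA,1. packets is an iterable of (sa, mark). Every pairing of
    a segment-0 value with a segment-1 value under the same SA becomes a candidate ingress
    address, which is where the false positives come from once attackers share an SA."""
    table = {}
    for sa, mark in packets:
        table.setdefault(sa, [set(), set()])[mark & 1].add(mark >> 1)
    return {(hi << 16) | lo for hi_set, lo_set in table.values() for hi in hi_set for lo in lo_set}

def run_scenario(ingress_ips, same_sa: bool, seed: int = 1, pkts_per_attacker: int = 40):
    """N attackers, each entering at its own DPM interface, either all spoofing one SA or each
    using a distinct SA (constructed). Returns (candidate ingress addresses, false positives)."""
    rng = random.Random(seed)
    ingress = [ip_to_int(ip) for ip in ingress_ips]
    packets = []
    for i, ing in enumerate(ingress):
        sa = 0xC0A80001 if same_sa else 0xC0A80001 + i   # 192.168.0.1 (+ i): constructed SAs
        packets += [(sa, basic_mark(ing, rng)) for _ in range(pkts_per_attacker)]
    cands = reconstruct(packets)
    return {int_to_ip(c) for c in cands}, len(cands) - len(cands & set(ingress))

if __name__ == "__main__":
    # Constructed ingress addresses with pairwise distinct 16-bit halves, so N attackers
    # sharing one SA yield N^2 candidates and N^2 - N false positives, as on the slides.
    ips = ["128.235.104.1", "10.0.15.1", "200.35.25.4", "64.11.14.50"]
    for same in (False, True):
        cands, fp = run_scenario(ips, same)
        print(f"same SA: {same} -> {len(cands)} candidates, {fp} false positives")
```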
Inability to Handle SA Inconsistency
Ingress Addresses will never be reconstructed, since none of the SAs will have both segments of the address
[Figure: one attacker behind a DPM Enabled Edge Router whose SA changes for every packet; the victim's table, indexed by Source Address with slots A_SA,0 and A_SA,1, fills with a single segment per entry: 128.235.251.25 -> A1,0; 200.35.25.4 -> A1,1; 64.11.14.50 -> A1,0; 176.16.10.201 -> A1,0; 56.12.205.239 -> A1,0; 129.53.26.211 -> A1,0; 141.44.69.12 -> A1,0.]
General Principle of Handling SA Inconsistency
Ingress Addresses must be reconstructed using ONLY the 17-bit DPM mark
The DPM Mark cannot be spoofed
Other fields (such as SA) can be spoofed and cannot be relied upon
The 17-bit DPM mark must carry a certain piece of information which
would differentiate between the segments of different ingress addresses
would recognize the segments of the same ingress address
Single Hash Function Modification – Mark Encoding
[Figure: the 32-bit Ingress IP Address is split into k a-bit segments numbered 0, 1, ..., k-2, k-1; H(x) maps the 32-bit address to a d-bit Digest; a Random Selector in [0..k-1] (p = 1/k) drives a MUX that chooses one segment. The 17-bit DPM Mark = Address Bits (a bits) + Digest (d bits) + Segment Number (s bits).]
Single Hash Function Modification – Reconstruction; RecTbl
[Figure: RecTbl has Areas 0 to $2^d - 1$; each area has Segments 0 to 7, and each segment has Bits 0 to 15. Area 298 is highlighted.]
2 processes run at the victim: Mark Recording and Address Recovery
In this example k = 8, a = 4, d = 10, s = 3: 1024 ($2^{10}$) areas of RecTbl, 8 segments in each area, 16 bits in each segment
Single Hash Function Modification – Reconstruction; Mark Recording
[Figure: IP Address 128.235.251.25 = 1000 0000 1110 1011 1111 1011 0001 1001 is split into eight 4-bit segments numbered 000 to 111; H(x), mapping $2^{32}$ addresses onto $2^d$ digests, gives the digest 0100101010 = 298. The eight possible marks (address bits, digest, segment number) are:
1000 0100101010 000
0000 0100101010 001
1110 0100101010 010
1011 0100101010 011
1111 0100101010 100
1011 0100101010 101
0001 0100101010 110
1001 0100101010 111
Each received mark sets, in area 298 of RecTbl, the bit whose index is the 4-bit address value, inside the segment named by the segment number (the first mark sets bit 8 of segment 0, the last sets bit 9 of segment 7).]
Single Hash Function Modification – Reconstruction; Address Recovery
[Figure: in area 298 of RecTbl (segments 0 to 7, bits 0 to 15) candidate addresses are formed by picking one set bit from each segment and concatenating the bit indices; each candidate x is tested with H(x) ?= 298:
0011 0000 1101 1011 0100 0111 0001 0001
0011 0000 1101 1011 0100 0111 0001 1001
0011 0111 1101 1011 0100 0111 0001 0001
After more permutations....]
Single Hash Function Modification – Reconstruction; False Positives (FP)
[Figure: in area 298 the candidate 0011 0111 1101 1011 1111 0111 0001 0001 passes the H(x) ?= 298 test.]
IP Address: 55.183.239.233 (0011 0111 1011 0111 1110 1111 1110 1001)
This ingress address was never transmitted in DPM marks
It is a false positive
Single Hash Function Modification – Performance Metrics
False Positives
cannot be completely avoided
usually expressed as a rate or percentage
customary accepted rates are 1% to 5%
Expected Number of datagrams required for reconstruction, E[D]
Since marks are picked at random at the DPM interface, more than k datagrams would be needed
$E[D] = k\left(\frac{1}{k} + \frac{1}{k-1} + \cdots + 1\right)$
For a given k, there will be NMAX attackers whose ingress addresses it will be possible to reconstruct with an FP rate of 1% AND E[D] datagrams will be required for the reconstruction
Single Hash Function Modification – Performance Evaluation
NMAX is the maximum N which results in a false positive rate of no greater than 1%
NMAX = 2048 is a significant improvement over 1 in basic DPM

| a | k | s | d | NMAX | E[D] |
|---|---|---|---|---|---|
| 1 | 32 | 5 | 11 | 2048 | 130 |
| 2 | 16 | 4 | 11 | 2048 | 55 |
| 4 | 8 | 3 | 10 | 1066 | 22 |
| 8 | 4 | 2 | 7 | 139 | 8 |
| 16 | 2 | 1 | 0 | 1 | 2 |
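An added worked implementation (not the authors' code) of the single hash function modification with the slides' example parameters k = 8, a = 4, d = 10, s = 3, covering the mark encoding, Mark Recording into RecTbl, Address Recovery by permutation with the H(x) check, and the E[D] formula beside a simulation of the random segment selector. H(x) is not specified on the slides, so a truncated SHA-256 of the address stands in for it, and marks are handled as integers rather than real header fields.

```python
import hashlib
import itertools
import random

K, A, D, S = 8, 4, 10, 3   # k segments of a address bits, d-bit digest, s-bit segment number: 4 + 10 + 3 = 17

def digest(addr: int) -> int:
    """Assumed H(x): the slides leave H unspecified, so a truncated SHA-256 of the address stands in."""
    return int.from_bytes(hashlib.sha256(addr.to_bytes(4, "big")).digest()[:2], "big") & ((1 << D) - 1)

def make_mark(ingress: int, seg: int) -> int:
    """17-bit mark for segment seg: <a address bits> <d-bit digest> <s-bit segment number>;
    segment 0 holds the most significant a bits, as in the 128.235.251.25 walk-through."""
    bits = (ingress >> (32 - A * (seg + 1))) & ((1 << A) - 1)
    return (bits << (D + S)) | (digest(ingress) << S) | seg

def split_mark(mark: int):
    return mark >> (D + S), (mark >> S) & ((1 << D) - 1), mark & ((1 << S) - 1)

def new_rectbl():
    """RecTbl: 2^d areas, k segments per area, each segment a 2^a-bit bitmap kept as an int."""
    return [[0] * K for _ in range(1 << D)]

def record(tbl, mark: int) -> None:
    """Mark Recording: set bit <address bits> of segment <seg> in area <digest>."""
    bits, area, seg = split_mark(mark)
    tbl[area][seg] |= 1 << bits

def recover(tbl) -> list:
    """Address Recovery: in every area whose k segments all have a bit set, try each permutation
    (one set bit per segment) and keep the candidates x with H(x) == area. A candidate that
    passes the digest check but was never sent is a false positive."""
    found = []
    for area, segs in enumerate(tbl):
        if any(s == 0 for s in segs):
            continue   # some segment of this area never arrived; nothing can be recovered yet
        choices = [[b for b in range(1 << A) if s >> b & 1] for s in segs]
        for combo in itertools.product(*choices):
            cand = int("".join(f"{b:0{A}b}" for b in combo), 2)
            if digest(cand) == area:
                found.append(cand)
    return found

def expected_datagrams(k: int) -> float:
    """E[D] = k(1/k + 1/(k-1) + ... + 1): marked datagrams needed until all k segments were seen."""
    return k * sum(1.0 / i for i in range(1, k + 1))

def datagrams_until_complete(ingress: int, rng=random) -> int:
    """Simulate the interface picking a segment uniformly (p = 1/k) per datagram; count until all seen."""
    seen, n = set(), 0
    while len(seen) < K:
        seen.add(split_mark(make_mark(ingress, rng.randrange(K)))[2])
        n += 1
    return n
```

Averaging datagrams_until_complete over many runs lands close to expected_datagrams(8), i.e. about 22, matching the a = 4 row of the table.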
Contribution to the field
DPM – Novel IP Traceback Mechanism which:
Does not introduce any bandwidth overhead
Introduces little processing overhead on the network
Requires few packets from the attacking hosts for traceback
Does not reveal ISP network topology
Scalable
Suited for various kinds of anonymous attacks
Handles fragmented traffic
Capable of performing traceback post-mortem
Conclusion
IP Traceback is a single problem in Internet Security and Homeland Security
None of the approaches proposed to date satisfy the criteria of the ideal scheme
The IP Traceback problem is still open...
Further Work
Tracing slaves from reflectors in DDoS Attacks: cooperation among different domains; "trust" relationship; tremendous logs; authentication; ...
Wireless networks prone to attacks: roaming; tremendous logs; authentication; ...
Stepping stones
References related to IP traceback
A. Belenky and N. Ansari, "Accommodating Fragmentation in Deterministic Packet Marking (DPM)," Proc. IEEE GLOBECOM 2003, Dec. 1-5, 2003, pp. 1374-1378.
A. Belenky and N. Ansari, "On IP Traceback," IEEE Communications Magazine, Vol. 41, No. 7, pp. 142-153, July 2003.
A. Belenky and N. Ansari, "Tracing multiple attackers with deterministic packet marking (DPM)," Proc. IEEE PacRim 2003, Aug. 28-30, 2003, pp. 49-52.
A. Belenky and N. Ansari, "IP Traceback with Deterministic Packet Marking," IEEE Communications Letters, Vol. 7, No. 4, pp. 162-164, April 2003.
D. Wei and N. Ansari, "Implementing IP Traceback in the Internet --- An ISP Perspective," Proc. 3rd Annual IEEE Workshop on Information Assurance, West Point, New York, June 17-19, 2002, pp. 326-332.
Other on-going research at ANL
Link state updates
Wireless TCP (TCP-Jersey)
Anomaly detection
Optical networks: OBS, protection and restoration, RPR, metropolitan networks
Intserv/Diffserv Integration
QoS in multimedia communications
QoS support in VPNs
Data hiding
Questions ?