2
Introduction
Today's Internet infrastructure is extremely vulnerable to motivated and well-equipped attackers.
– Denial of service attacks
– Single well-targeted packet attacks
To institute accountability for these attacks, the source of individual packets must be identified.
3
Today's IP Network
The IP protocol has difficulty identifying the true source of an IP datagram.
– Stateless, destination-based routing without source authentication
– Legitimately spoofed source addresses
• NAT, Mobile IP, IPSec
Ingress filtering
4
Source Path Isolation Engine
Challenges in constructing a tracing system
– Determining which packets to trace
– Maintaining privacy
– Minimizing cost
The proposed SPIE can
– reduce memory consumption with Bloom filters
– verify packets while maintaining privacy by using packet digests
5
Assumptions on a Traceback System
Packets may be addressed to more than one physical host
Duplicate packets may exist in the network
Routers may be subverted, but not often
Attackers are aware they are being traced
Continued…
6
Assumptions on a Traceback System
The routing behavior of the network may be unstable
The packet size should not grow as a result of tracing
End hosts may be resource constrained
Traceback is an infrequent operation
7
Design Goals
An optimal IP traceback system would
– precisely identify the source of an arbitrary IP packet
– construct an attack path when co-opted routers exist
– construct an attack graph when multiple indistinguishable packets exist
– produce no false negatives while attempting to minimize false positives
– not expand the eavesdropping capabilities of a malicious party
9
Design Goals
An optimum traceback system should trace packets through valid transformations back to the source of the original packet.
Transformation categories
– Packet encapsulation
– Packet generation
– Common packet transformations (RFC 1812)
10
Related Works
Two approaches to determining the route of a packet flow are auditing and inferring.
Inferring (Burch and Cheswick)
– Floods candidate links and monitors variations
– Needs the network topology and large packet floods
Specialized routing (Stone)
– Overlay tracking network
– Long-lived flows and routing changes
11
Auditing
End-host schemes
– Routers notify the packet destination of their presence on the route by in-band or out-of-band signaling.
Infrastructure schemes
– Log packets at various points throughout the network.
– Space and privacy considerations
Input debugging & IDIP
– High overhead
12
Packet Digesting
Auditing by computing and storing 32-bit packet digests reduces storage requirements and prevents eavesdropping.
SPIE computes digests over the invariant portion of the IP header and the first 8 bytes of the payload (28 bytes in total).
Continued…
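As an added illustration of the digesting slide above (not code from the SPIE paper or from this deck), this Python example masks the mutable IPv4 header fields, hashes the 28 invariant bytes down to a 32-bit digest, and records it in a Bloom filter, so that the same packet observed one hop later (TTL decremented, checksum recomputed) still tests positive while an unrelated packet does not. The masked field set (TOS, TTL, checksum), truncated SHA-256 as the hash, the filter parameters (2^16 bits, k = 3) and the sample addresses are all my assumptions, not SPIE's actual values.

```python
import hashlib
import socket
import struct
# Header bytes that routers rewrite in transit and that are masked before digesting:
# TOS (offset 1), TTL (offset 8), header checksum (offset 10, 2 bytes). This masked set
# is an assumption based on the deck; IP options are not handled (IHL == 5 assumed).
MUTABLE_FIELDS = ((1, 1), (8, 1), (10, 2))  # (offset, length)

def invariant_bytes(packet: bytes) -> bytes:
    """20-byte header with mutable fields zeroed, plus first 8 payload bytes (28 bytes)."""
    header = bytearray(packet[:20])
    for offset, length in MUTABLE_FIELDS:
        header[offset:offset + length] = b"\x00" * length
    ihl = (packet[0] & 0x0F) * 4
    return bytes(header) + packet[ihl:ihl + 8].ljust(8, b"\x00")

def packet_digest(packet: bytes) -> int:
    """32-bit digest of the invariant portion (truncated SHA-256; the hash choice is ours)."""
    return int.from_bytes(hashlib.sha256(invariant_bytes(packet)).digest()[:4], "big")

class DigestTable:
    """Bloom filter for one time window: k bit positions are derived from each digest."""
    def __init__(self, m_bits: int = 1 << 16, k: int = 3):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)
    def _positions(self, digest: int):
        for i in range(self.k):  # k independent indices from the single 32-bit digest
            h = hashlib.sha256(struct.pack(">IB", digest, i)).digest()
            yield int.from_bytes(h[:4], "big") % self.m
    def insert(self, packet: bytes) -> None:
        for p in self._positions(packet_digest(packet)):
            self.bits[p >> 3] |= 1 << (p & 7)
    def may_contain(self, packet: bytes) -> bool:
        """All k bits set: never a false negative, a false positive only by collision."""
        return all(self.bits[p >> 3] & (1 << (p & 7))
                   for p in self._positions(packet_digest(packet)))

def build_ipv4(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Constructed sample IPv4 packet (protocol 17) with a valid header checksum."""
    hdr = bytearray(struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                                ttl, 17, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    total = sum(struct.unpack(">10H", hdr))
    while total >> 16:  # fold carries (ones'-complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    hdr[10:12] = struct.pack(">H", ~total & 0xFFFF)
    return bytes(hdr) + payload

if __name__ == "__main__":  # the same packet seen at two hops (TTL 64, then 63)
    table = DigestTable()
    table.insert(build_ipv4("192.0.2.10", "198.51.100.7", 64, b"GET / HTTP/1.1\r\n"))
    print(table.may_contain(build_ipv4("192.0.2.10", "198.51.100.7", 63, b"GET / HTTP/1.1\r\n")))
```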
16
SPIE Architecture
DGA: Data Generation Agent
SCAR: SPIE Collection and Reduction
STM: SPIE Traceback Manager
IDS: Intrusion Detection System
17
Traceback Processing
IDS provides STM with a packet, P, victim, V, and time of attack, T.
STM verifies the message's authenticity and integrity.
STM immediately asks all SCARs to poll their DGAs for relevant traffic digests.
Each SCAR responds with a partial attack graph.
STM constructs a composite attack graph and returns it to IDS.
18
Transformation Processing
Packets being transformed are put on the control path, thus relaxing the timing requirements.
Transform Lookup Table (TLT):
a. Pointer
b. Flow caching
Indirect (I) flag:
Continued…
19
Transformation Processing
The 29-bit packet digest field implies that eight distinct packet digests map to the same TLT entry.
– Rarity of packet transformations
– Sparsity of the digest table
– Uniformity of the digesting function
SPIE considers the security gateway or NAT functionality of routers as a separate entity to manage TLT growth.
20
Graph Construction
Simulating Reverse-Path Flooding (RPF), SCARs construct attack graphs by examining the digest tables.
22
Discussion
Reliable and timely SPIE communication
– Out-of-band channel
– Higher priority
Inter-domain cooperation
– Authentication
Denial of service through transformation
– Performance & policy