Single-Packet IP Traceback

Slides:



Advertisements
Similar presentations
IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.
Advertisements

IPv6. Major goals 1.support billions of hosts, even with inefficient address space allocation. 2.reduce the size of the routing tables. 3.simplify the.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
20.1 Chapter 20 Network Layer: Internet Protocol Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
Sampling and Flow Measurement Eric Purpus 5/18/04.
IP Spoofing CIS 610 Week 2: 13-JAN Definition and Background n Def’n: The forging of the IP Source Address field in an IP packet n First mentioned.
Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.
Chapter 5 The Network Layer.
Performance Evaluation of IPv6 Packet Classification with Caching Author: Kai-Yuan Ho, Yaw-Chung Chen Publisher: ChinaCom 2008 Presenter: Chen-Yu Chaug.
Payload Attribution via Hierarchical Bloom Filters
Introduction to IP Traceback 交通大學 電信系 李程輝 教授. 2 Outline  Introduction  Ingress Filtering  Packet Marking  Packet Digesting  Summary.
Hash-Based IP Traceback Alex C. Snoeren, Craig Partidge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, and W. Timothy Strayer.
Network Layer4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side,
BUFFALO: Bloom Filter Forwarding Architecture for Large Organizations Minlan Yu Princeton University Joint work with Alex Fabrikant,
Hash, Don’t Cache: Fast Packet Forwarding for Enterprise Edge Routers Minlan Yu Princeton University Joint work with Jennifer.
Review of IP traceback Ming-Hour Yang The Department of Information & Computer Engineering Chung Yuan Christian University
Internet Protocol (IP)
Tracking and Tracing Cyber-Attacks
Distributed Denial of Service CRyptography Applications Bistro Presented by Lingxuan Hu April 15, 2004.
Traceback Pat Burke Yanos Saravanos. Agenda Introduction Problem Definition Traceback Methods  Packet Marking  Hash-based Conclusion References.
1 Chapter 3.2 : Virtual Memory What is virtual memory? What is virtual memory? Virtual memory management schemes Virtual memory management schemes Paging.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
Dr. John P. Abraham Professor UTPA
Review: –Ethernet What is the MAC protocol in Ethernet? –CSMA/CD –Binary exponential backoff Is there any relationship between the minimum frame size and.
Internetworking Internet: A network among networks, or a network of networks Allows accommodation of multiple network technologies Universal Service Routers.
Traceback Pat Burke Yanos Saravanos. Agenda Introduction Problem Definition Benchmarks and Metrics Traceback Methods  Packet Marking  Hash-based Conclusion.
EECB 473 DATA NETWORK ARCHITECTURE AND ELECTRONICS PREPARED BY JEHANA ERMY JAMALUDDIN Basic Packet Processing: Algorithms and Data Structures.
Trajectory Sampling for Direct Traffic Oberservation N.G. Duffield and Matthias Grossglauser IEEE/ACM Transactions on Networking, Vol. 9, No. 3 June 2001.
19.1 Chapter 19 Network Layer: Logical Addressing Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Hash-Based IP Traceback Alex C. Snoeren †, Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, W. Timothy Strayer.
Network Layer by peterl. forwarding table routing protocols path selection RIP, OSPF, BGP IP protocol addressing conventions datagram format packet handling.
1 Computer Communication & Networks Lecture 19 Network Layer: IP and Address Mapping Waleed Ejaz.
Internet Protocol Version 4 VersionHeader Length Type of Service Total Length IdentificationFragment Offset Time to LiveProtocolHeader Checksum Source.
THE CLASSIC INTERNET PROTOCOL (RFC 791) Dr. Rocky K. C. Chang 20 September
1 Figure 3-5: IP Packet Total Length (16 bits) Identification (16 bits) Header Checksum (16 bits) Time to Live (8 bits) Flags Protocol (8 bits) 1=ICMP,
1 ECE 526 – Network Processing Systems Design System Implementation Principles I Varghese Chapter 3.
Hash-Based IP Traceback Alex C. Snoeren †, Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, W. Timothy Strayer.
Hash-Based IP Traceback Alex C. Snoeren +, Craig Partridge, Luis A. Sanchez ++, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent and W. Timothy.
Introduction to IP Traceback 交通大學 電信系 李程輝 教授 2004/3/26.
Jessica Kornblum DSL Seminar Nov. 2, 2001 Hash-Based IP Traceback Alex C. Snoeren +, Craig Partridge, Luis A. Sanchez ++, Christine E. Jones, Fabrice Tchakountio,
BUFFALO: Bloom Filter Forwarding Architecture for Large Organizations Minlan Yu Princeton University Joint work with Alex Fabrikant,
Graciela Perera Department of Computer Science and Information Systems Slide 1 of 18 INTRODUCTION NETWORKING CONCEPTS AND ADMINISTRATION CSIS 3723 Graciela.
CPS216: Data-intensive Computing Systems
IP Routers – internal view
Next Generation: Internet Protocol, Version 6 (IPv6) RFC 2460
The New Internet Protocol
Chapter 4 Data Link Layer Switching
The New Internet Protocol
CS 457 – Lecture 10 Internetworking and IP
What’s “Inside” a Router?
Internet Protocol (IP)
Dr. John P. Abraham Professor UTPA
IP : Internet Protocol Surasak Sanguanpong
Chapter 20 Network Layer: Internet Protocol
Computer Architecture
Dr. John P. Abraham Professor UTRGV, EDINBURG, TX
Network Support For IP Traceback
IP Traceback Problem: How do we determine where malicious packet came from ? It’s a problem because attacker can spoof source IP address If we know where.
Lecture 3: Main Memory.
Dr. John P. Abraham Professor UTPA
Router Construction Outline Switched Fabrics IP Routers
Chapter 15. Internet Protocol
Chapter 4 Network Layer Computer Networking: A Top Down Approach 5th edition. Jim Kurose, Keith Ross Addison-Wesley, April Network Layer.
Ch 17 - Binding Protocol Addresses
CS703 - Advanced Operating Systems
IPv4 Addressing By, Ishivinder Singh( ) Sharan Patil ( )
ITIS 6167/8167: Network and Information Security
Internet Protocol version 6 (IPv6)
Presentation transcript:

Single-Packet IP Traceback Alex C. Snoeren BBN Technologies (with Craig Partridge, Tim Strayer, Christine Jones, Fabrice Tchakountio, Beverly Schwartz, Matthew Condell, Bob Clements, and Steve Kent) Motivation – Way too long. Hari – Related work? Higher-level. Frans – Focus problem. Define Traceback – What do you do with the system?

SPIE in Action

Challenges to Logging Attack path reconstruction is difficult Packet may be transformed as it moves through the network Full packet storage is problematic Memory requirements are prohibitive at high line speeds (OC-192 is ~10Mpkt/sec) Extensive packet logs are a privacy risk Traffic repositories may aid eavesdroppers Path construction

Packet Digesting Record only invariant packet content Mask dynamic fields (TTL, checksum, etc.) Store information required to invert packet transformations at performing router Compute packet digests instead Use hash function to compute small digest Store probabilistically in Bloom filters Impossible to retrieve stored packets

Invariant Content Ver HLen TOS Total Length Identification M F Fragment Offset TTL Protocol Checksum 28 bytes Source Address Destination Address Options First 8 bytes of Payload Remainder of Payload

Bloom Filters Fixed structure size Insertion is easy Variable capacity Uses M bit array Initialized to zeros Insertion is easy Use ℓ-bit digest as indices into bit array ℓ bits 1 H2(P) Hk(P) H3(P) H1(P) 1 . . . Mitigate collisions by using k digests H(P) M bits Variable capacity Easy to adjust Store up to n packets

Limited Error Propagation Bloom filters may be mistaken Mistake frequency can be controlled Depends on capacity of full filters Neighboring routers won’t be fooled Vary hash functions used in Bloom filters Each router select hashes independently Long chains of mistakes highly unlikely Probability drops exponentially with length

False Positive Distribution

Adjusting Graph Accuracy False positives rate depends on: Length of the attack path, N Complexity of network topology, d Capacity of Bloom filters, P Bloom filter capacity is easy to adjust Required filter capacity varies with router speed and number of neighbors Appropriate capacity settings achieve linear error growth with path length

Simulation Results N/7 Nρ/(1-ρ) → ρ = 1/8 P = ρ Random Graph Real ISP, 100% Utilization Real ISP, Actual Utilization 0.8 0.8 0.8 0.8 Degree-Independent N/7 Nρ/(1-ρ) → ρ = 1/8 What are the actual numbers? 0.6 0.6 0.6 0.6 P = ρ Expected Number of False Positives 0.4 0.4 0.4 0.4 May be able to assume degree independence 0.2 0.2 0.2 0.2 P = ρ/d 5 5 5 5 10 10 10 10 15 15 15 15 20 20 20 20 25 25 25 25 30 30 30 30 Length of Attack Path (N)

How Big are Digests? Quick rule of thumb: ρ = 1/8, assuming degree independence Bloom filter k = 3, M/n = 5 bits per packet. Assume packets are ~1000 bits Filters require ~0.5% of link capacity Four OC-3s require 47MB per minute 128 OC-192 links need <100GB per minute Access times are equally important Current drives can write >3GB per minute OC-192 needs SRAM access times 4 OC-3 Hd needs 67GB/day

Filter Paging “Small” Bloom filters Store multiple filters Random access Need fast memory Store multiple filters Increase time span Ring buffer avoids memory copies Timestamp each bin Fence-post issues B G E C D F H A

Transformations Occasionally invariant content changes Network Address Translation (NAT) IP/IPsec Encapsulation, etc. IP Fragmentation ICMP errors/requests Routers need to invert these transforms Often requires additional information Can store this information at the router

Transform Lookup Table Only need to restore invariant content Often available from the transform (e.g., ICMP) Otherwise, save data at transforming router Index required data by transformed packet digest Record transform type and sufficient data to invert Bounded by transform performance of router Digest Packet Data C Type 28 bits 4 bits 32 bits

Prototype Implementation Implemented in PC-based routers Both FreeBSD and Linux implementations Packet digesting on kernel forwarding path Zero-copy kernel/user digest tables Digest tables and TLT stored in kernel space User-level query-support daemons Supports automatic topology discovery Queries automatically triggered by IDS

SPIEDER Approach SPIE DGA Encompassing Router (SPIEDER) external Each router has an internal Data Generation Agent (DGA) external DGA Router SPIE DGA Encompassing Router (SPIEDER)

Summary Hash-based traceback is viable With reasonable memory constraints Supports common packet transforms Timely tracing of individual packets Publicly available implementations FreeBSD/Linux versions available now SPIEDER-based solution in development http://www.ir.bbn.com/projects/SPIE