IP Traceback


Introduction

IP Traceback
Problem: how do we determine where a malicious packet came from?
It is a problem because the attacker can spoof the source IP address.
If we know where a packet comes from:
- We may be able to determine the attacker
- We may be able to determine a bot participating in a DDoS attack
Another approach: get rid of spoofed packets with ingress filtering (see "Attack" slides)

Methods for finding the source
Manual methods using current IP routing:
- Link testing
- Logging
Marking algorithms:
- Routers mark packets

Link testing
- Victim recognizes an attack signature: a common feature in all attack packets, e.g., the same source IP address
- Victim informs the network operator
- Operator installs a filter on the upstream router
- The router's "input debugging" feature determines the responsible ingress link, leading to an upstream router
- Apply the procedure again, until reaching the border of the ISP
- Result: the router at the border filters out the malicious traffic before it reaches the target
Cons:
- To go beyond one ISP, ISPs need to coordinate
- Considerable management overhead

Logging: forensics
- Key routers log packets
- Use data mining to find the path
Pros:
- Post mortem: works after the attack stops
Cons:
- High resource demand: need to store and process tons of data

Marking algorithms: overview
- Mark packets with router addresses, deterministically or probabilistically
- Trace the attack using the marked packets
Strengths:
- Independent of ISP management
- Little network (traffic) overhead
- Can trace distributed attacks, and attacks post-mortem
Drawback:
- Need to get routers to mark IP packets

Marking: assumptions
- Most routers remain uncompromised
- The attacker sends many packets
- The route from attacker to victim remains relatively stable
(Figure: attackers A1 to A5, routers R6 to R12, victim V)

Marking algorithms
- Marking procedure, by routers: add information to the packet
- Path reconstruction procedure, by the victim: use the information in the marked packets
- Convergence time: number of packets needed to reconstruct the attack path

Node append
- Append the address of each router to the end of the packet
- Gives a complete, ordered list of the routers in the attack path
Problem: requires space in the packet
- The path can be long
- No extra fields in the current IP format: changes to the packet format are not practical
(Figure: original packet followed by the router list)

Node sampling (1)
- Reserve a field in the packet header for marking
- A router writes its address in the packet with probability p
(Figure: packet traversing R1, R2, R3)

Node sampling (2)
- Reserve a node field in the packet header
- A router writes its address in the node field with probability p
(Figure: R1 has written its address into the node field)

Node sampling (3)
- Reserve a node field in the packet header
- A router writes its address in the node field with probability p
(Figure: the node field now holds R3's address)

Node sampling (4)
- Router: one additional write and a checksum update
- The victim receives many attack packets, many of them marked
- The victim attempts to reconstruct the path from unordered samples: observe the router IPs in the marking field
- Probability that a received packet carries the mark of the router d hops away: p(1-p)^(d-1)
- Rank each router IP by the number of marks it has received; the router with the most marks is likely the closest router

Node sampling (5): problems
- A large number of packets is needed to get markings from upstream routers
- Multiple attack sources
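The node-sampling slides above describe the scheme in prose only. The following simulation is an added example written for this page (it is not code from the slides or from Savage et al.): it forwards packets along a constructed four-router path in which every router overwrites the single node field with probability p, then has the victim rank routers by mark count. Router labels R1 to R4 are assumed placeholders, not real addresses. The last function shows the convergence problem from the slide: how many packets arrive before the farthest router has been observed even once.

```python
import random
from collections import Counter

# Constructed topology (labels are assumed, not real addresses):
# attacker -> R1 -> R2 -> R3 -> R4 -> victim.  R4 is 1 hop from the victim, R1 is 4.
PATH = ["R1", "R2", "R3", "R4"]


def forward_node_sampling(path, p, rng):
    """Forward one packet along `path`. Each router overwrites the single
    node field with its own address with probability p, so a mark survives
    only if every router closer to the victim declines to overwrite it.
    Returns the field the victim sees (None if no router marked the packet)."""
    node_field = None
    for router in path:
        if rng.random() < p:
            node_field = router
    return node_field


def collect_marks(path, p, n_packets, seed=1):
    """Victim side: count how often each router address shows up in the
    node field over n_packets attack packets (fixed seed for repeatability)."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n_packets):
        mark = forward_node_sampling(path, p, rng)
        if mark is not None:
            counts[mark] += 1
    return counts


def mark_probability(p, d):
    """Probability that a received packet carries the mark of the router d
    hops from the victim: that router marks (p) and the d-1 routers after it
    all decline ((1-p)^(d-1)). This is the slide's p(1-p)^(d-1)."""
    return p * (1 - p) ** (d - 1)


def rank_routers(counts):
    """Victim's reconstruction from unordered samples: order routers by mark
    count, most marks first; the closest router is expected to come first."""
    return [router for router, _ in counts.most_common()]


def packets_to_observe_all(path, p, seed=1, limit=10**6):
    """Number of attack packets the victim must receive before every router
    on the path has been seen at least once (the 'upstream routers need many
    packets' problem). Returns `limit` if that never happens."""
    rng = random.Random(seed)
    seen = set()
    for n in range(1, limit + 1):
        mark = forward_node_sampling(path, p, rng)
        if mark is not None:
            seen.add(mark)
        if len(seen) == len(path):
            return n
    return limit


if __name__ == "__main__":
    p, n = 0.5, 20000
    counts = collect_marks(PATH, p, n)
    print("ranking (closest first):", rank_routers(counts))
    for d, router in enumerate(reversed(PATH), start=1):
        print(f"{router}: {d} hops, observed {counts[router] / n:.3f}, "
              f"theory {mark_probability(p, d):.3f}")
    print("packets until all routers seen:", packets_to_observe_all(PATH, p))
```

Running it with p = 0.5 shows the observed mark frequencies tracking p(1-p)^(d-1) (about 0.5, 0.25, 0.125, 0.0625 for R4 down to R1), which is why the ranking recovers the order but the farthest router needs many packets before it appears at all. Adding a second attack source would add a second set of addresses to the same unordered pool, which is the "multiple attack sources" problem the slide lists: node sampling gives no way to tell which marks belong to which path.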

Edge sampling
- Store edges instead of routers: the arriving packet contains the start and end addresses of the edge
- Distance from the edge to the victim: the arriving packet contains the address of the last marked edge and the number of hops the edge is from the destination
- Choose the edge for marking with probability p
- If chosen, set the counter to 0; otherwise, increment the counter

Edge sampling: picture, packet received
- R1 receives a packet from the source or from another router
- The packet contains space for start, end, and distance
(Figure: packet fields s, e, d; routers R1, R2, R3)

Edge sampling: picture, begin writing the edge
- R1 chooses to write the start of the edge
- Sets the distance to 0
(Figure: packet with start = R1; routers R1, R2, R3)

Edge sampling: finish writing the edge
- R2 chooses not to overwrite the edge
- The distance is 0, so R2 writes the end of the edge and increments the distance to 1
(Figure: packet fields R1, R2, 1; routers R1, R2, R3)

Edge sampling: increment distance
- R3 chooses not to overwrite the edge
- Increments the distance to 2
(Figure: packet fields R1, R2, 2; routers R1, R2, R3)

Path reconstruction
- Extract identifiers from attack packets
- Build a graph rooted at the victim: each (start, end, distance) tuple is an edge
- Traverse edges from the root to find the attack paths
- Number of packets needed to reconstruct the path:
  E(X) < ln(d) / (p(1-p)^(d-1)), where p is the marking probability and d is the length of the path
- p = 1/d is optimal
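The edge-sampling slides and the path-reconstruction slide together describe one procedure, so here is one added example covering both; it is written for this page and is not code from the slides or from the Savage et al. paper. It applies the per-router rule from the picture slides (start a new edge with probability p, otherwise fill in the end if the distance is 0, then increment the distance) on a constructed two-source topology, then has the victim build the graph rooted at itself from the (start, end, distance) tuples and walk it to recover both attack paths. Router labels R1 to R4, the sources A1 and A2 and the victim V are assumed placeholders; marks carry full addresses rather than the 16-bit compressed form the summary slide mentions.

```python
import math
import random
from collections import defaultdict

# Constructed topology (labels are assumed, not real addresses): two attack
# sources whose paths merge at R2 before reaching the victim V.
#   A1 -> R1 -> R2 -> R4 -> V
#   A2 -> R3 -> R2 -> R4 -> V
ATTACK_PATHS = {"A1": ["R1", "R2", "R4"], "A2": ["R3", "R2", "R4"]}
VICTIM = "V"


def forward_edge_sampling(path, p, rng):
    """Forward one packet along `path`, applying the slides' edge-sampling
    rule at each router: with probability p start a new edge (start = me,
    distance = 0); otherwise, if the distance is 0 write my address as the
    edge's end, then increment the distance. Returns the (start, end,
    distance) fields the victim receives, or None if nothing was marked."""
    start, end, distance = None, None, None
    for router in path:
        if rng.random() < p:
            start, end, distance = router, None, 0
        elif distance is not None:
            if distance == 0:
                end = router
            distance += 1
    return None if start is None else (start, end, distance)


def simulate(attack_paths, p, n_packets, seed=7):
    """Send n_packets attack packets, each from a randomly chosen source,
    and return the list of marks the victim collects (fixed seed)."""
    rng = random.Random(seed)
    sources = sorted(attack_paths)
    marks = []
    for _ in range(n_packets):
        mark = forward_edge_sampling(attack_paths[rng.choice(sources)], p, rng)
        if mark is not None:
            marks.append(mark)
    return marks


def reconstruct_paths(marks, victim):
    """Victim's path reconstruction: build the attack graph rooted at the
    victim and walk it to the leaves. An edge whose end is empty was started
    by the last router before the victim, so its end is the victim itself.
    The recorded distance must match the depth at which the edge is inserted;
    tuples that disagree (corrupted or inconsistent marks) are ignored."""
    upstream = defaultdict(set)          # (end, distance) -> set of starts
    for start, end, distance in set(marks):
        upstream[(end if end is not None else victim, distance)].add(start)

    paths = []

    def walk(node, depth, so_far):
        starts = upstream.get((node, depth), set())
        if not starts:
            paths.append(list(reversed(so_far)))   # attacker side first
            return
        for start in sorted(starts):
            walk(start, depth + 1, so_far + [start])

    walk(victim, 0, [])
    return sorted(paths)


def expected_packets_bound(p, d):
    """Slide's bound on the expected number of packets needed to reconstruct
    a path of length d with marking probability p: ln(d) / (p(1-p)^(d-1))."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


if __name__ == "__main__":
    marks = simulate(ATTACK_PATHS, p=1 / 3, n_packets=300)
    print("distinct edges seen:", sorted(set(marks)))
    print("reconstructed attack paths:", reconstruct_paths(marks, VICTIM))
    for d in (3, 5, 10):
        print(f"d={d}: E(X) < {expected_packets_bound(1 / d, d):.1f} packets at p=1/d")
```

Because each tuple names both endpoints and its distance from the victim, the two sources' marks no longer fall into one unordered pool: the walk from V follows distance-1 edges to R4, distance-2 edges to R2, and then branches to R1 and R3, which is exactly why edge sampling handles the multiple-source case that node sampling could not. The distance check in `reconstruct_paths` is what lets the victim discard a tuple that claims an end router at a depth where that router does not sit.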

Experimental convergence time
(Figure: plot of convergence time; not recoverable from the transcript)

Summary of marking
- Can determine the attack path with a relatively small number of attack packets
- Need to include the addresses and the counter in the IP datagram
- Suggestion: compress to 16 bits and include them in the fragmentation fields (see paper)
- See "Practical Network Support for IP Traceback" by Savage et al.