Practical Network Support for IP Traceback
Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson, University of Washington, Seattle, WA. Presented by Mohammad Hajjat, Purdue University. Slides courtesy of Teng Fei, UMass, April

- Denial of Service (DoS) attacks
  - Remotely consume the resources of a server or network
  - Increasing in number and frequency
  - Simple to implement
- DoS attacks are difficult to trace:
  - Indirection: attacking packets are sent from slave machines that are under the control of a remote master machine
  - Spoofing of IP source addresses: attackers disguise their location with incorrect source addresses, so the true origin is lost

- Mark packets with the router's address, deterministically or probabilistically
- Trace the attack using the marked packets
- Pros
  - Requires no cooperation from ISPs
  - Does not cause heavy network overhead
  - Can trace an attack "post mortem"

Figure: attack origins A1, A2, A3; routers R1 to R7; victim V.

Figure: attack path; exact traceback yields R6, R3, R2, R1.

Figure: approximate traceback yields R5, R6, R3, R2, R1.

- I. Marking procedure (performed by routers): add information to packets
- II. Path reconstruction procedure (performed by the victim): use the information in the marked packets
- Convergence time: the number of packets needed to reconstruct the attack path

- I. Node append
- II. Node sampling
- III. Edge sampling

- Append the address of each node to the end of the packet
- Yields a complete, ordered list of the routers on the attack path
Figure: the original packet followed by the appended router list.

- Pros
  - complete, ordered attack path
  - converges quickly (a single packet suffices)
- Cons
  - infeasibly high router overhead
  - attackers can create false path information

- Reserve a node field in the packet header
- Each router writes its address into the node field with probability p
- Reconstruct the path using the relative number of samples of each node
- Requires only an additional write and a checksum update

Figure (four animation frames): a packet passes R1, R2, R3; the node field first holds R1 and is later overwritten with R3.

- Cons:
  - Slow convergence: needs many packets, usually on the order of 10,000
  - Cannot trace multiple attackers

- An edge represents the routers at each end of a link
- Store edges instead of nodes:
  - start and end addresses of the edge's routers
  - distance from the edge to the victim
Figure: an edge between R1 and R2.

- With probability p, a router writes its own address into the start field and 0 into the distance field
- Otherwise, a distance field of 0 means the packet was just marked by the previous router: the router writes its own address into the end field and increments the distance field by 1
- Otherwise, the router only increments the distance field
- Routers further along the path may reset these fields again (with probability p); otherwise they keep incrementing the distance field

Figure (four animation frames): a packet passes R1, R2, R3; R1 writes start = R1 and distance 0, R2 writes end = R2 and distance 1, R3 increments the distance to 2.

- Let G be a graph with root v (the victim)
- Insert the tuples (start, end, distance) into G
- Remove any edge (x, y, d) where d is not the distance from x to v in G
- Extract the path from G
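The marking and reconstruction procedures above, as an added example that is not code from the paper or the slides: a Python simulation in which each router on a constructed path runs edge sampling with probability p, and the victim rebuilds the attack tree from the sampled (start, end, distance) tuples, discarding edges whose distance field does not fit their position. The router names, the topology and the dict-based packet format are assumptions.

```python
import random

def mark(pkt, router, p, rng=random):
    """Edge-sampling step one router applies to one packet, in place. Distance
    convention from the paper: the router next to the victim is at distance 0."""
    if rng.random() < p:                      # open a new edge sample
        pkt["start"], pkt["end"], pkt["distance"] = router, None, 0
    else:
        if pkt["distance"] == 0:              # previous router opened an edge
            pkt["end"] = router               # close it with our own address
        pkt["distance"] += 1

def simulate_attack(paths, n, p, seed=1):
    """Send n packets per attacker; each path lists routers from the one nearest
    the attacker to the one adjacent to the victim (constructed topology)."""
    rng, received = random.Random(seed), []
    for path in paths:
        for _ in range(n):
            pkt = {"start": None, "end": None, "distance": 0}   # unmarked
            for r in path:
                mark(pkt, r, p, rng)
            received.append(pkt)
    return received

def reconstruct(packets, victim="V"):
    """Victim side: insert sampled edges into a graph rooted at the victim and
    keep only edges whose distance field matches their position in the tree
    (the victim itself counts as -1). Returns {node: sorted upstream routers}."""
    edges = set()
    for w in packets:
        if w["start"] is None:      # never marked; a real attacker could preset a
            continue                # bogus start, forging an edge beyond the first router
        end = victim if w["distance"] == 0 else w["end"]
        edges.add((w["start"], end, w["distance"]))
    dist, frontier, tree = {victim: -1}, [victim], {}
    while frontier:                           # breadth-first from the victim
        nxt = []
        for y in frontier:
            tree[y] = sorted(x for x, y2, d in edges if y2 == y and d == dist[y] + 1)
            for x in tree[y]:
                if x not in dist:
                    dist[x] = dist[y] + 1
                    nxt.append(x)
        frontier = nxt
    return tree
```

With two attackers sharing the last two hops, `reconstruct` returns a tree that branches at R2, which is the multiple-attacker case the slides credit edge sampling with handling.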

- Pros
  - Converges much faster than node sampling
  - Efficiently discerns multiple attacks
- Cons
  - Space: requires additional space in the IP header, 72 bits in every IP packet (2 x 32-bit IP addresses and 8 bits for distance)
  - Compatibility

- Overload the IP identification field (normally used for fragmentation)
- Decreases the space requirement: store the XOR of the two edge addresses (the edge-id); since B XOR (A XOR B) = A, each address is recovered from the edge-id and the address already known
- Pros: reduced space
- Cons: increases reconstruction time

Figure: attack path a, b, c, d, v; the resulting XOR edges are a XOR b, b XOR c, c XOR d, and d.
Figure: the path is reconstructed from the victim outwards as d, c, b, a, each address obtained by XORing the next edge-id with the address already recovered.

- Reduce per-packet space further by dividing the edge-id (the XORed addresses) into k non-overlapping fragments and storing only one of them per packet
- Requires the offset of the fragment

- Problem: edge-id fragments are not unique; with multiple attackers there are multiple edge fragments with the same offset and distance
- Solution: bit-interleave a hash code with the IP address

Figure: the address and Hash(Address) are bit-interleaved (0011...), split into k fragments with offsets 0 to k-1, and sent into the network.

- Combine all permutations of fragments at each distance that have disjoint offset values
- Check that the hash part matches the hash of the address part

Figure: a candidate is reassembled from k fragments (offsets 0 to k-1) and de-interleaved into Address? and Hash(Address?); if Hash(Address?) equals the extracted hash (0011...1100) the address is accepted, otherwise it is rejected.

- Overload the 16-bit identification field, normally used to differentiate IP fragments
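An added example, not the paper's or the slides' code, of the compressed scheme described in the preceding slides: the edge-id is the XOR of bit-interleaved (address, hash) values, split into 8 byte-sized fragments carried in a 16-bit identification field laid out as 3-bit offset, 5-bit distance and 8-bit fragment; the victim recombines one fragment per offset at each distance and keeps only the candidate whose hash matches. The CRC-32 hash, the router addresses and the single-path reconstruction are assumptions.

```python
import itertools, random, zlib
K = 8                                        # edge-id split into 8 byte fragments

def h(addr):                                 # assumed 32-bit hash; the paper leaves it open
    return zlib.crc32(addr.to_bytes(4, "big"))

def interleave(addr):                        # address bits at even positions, hash bits at odd
    hv = h(addr)
    return sum((addr >> i & 1) << 2 * i | (hv >> i & 1) << 2 * i + 1 for i in range(32))

def deinterleave(v):                         # inverse of interleave: (address, hash)
    return tuple(sum((v >> 2 * i + s & 1) << i for i in range(32)) for s in (0, 1))

def mark(ident, router, p, rng):
    """One router marking the 16-bit id field: 3-bit offset | 5-bit distance | 8-bit fragment."""
    off, dist, frag = ident >> 13, ident >> 8 & 0x1F, ident & 0xFF
    if rng.random() < p:                     # open a new edge at a random offset
        off, dist = rng.randrange(K), 0
        frag = interleave(router) >> 8 * off & 0xFF
    else:
        if dist == 0:                        # close it by XORing our own fragment in
            frag ^= interleave(router) >> 8 * off & 0xFF
        dist = min(dist + 1, 31)
    return off << 13 | dist << 8 | frag

def reconstruct(idents):
    """Victim side, single path: per distance try each combination of one fragment per
    offset, undo the XOR with the router already found, keep the candidate whose hash checks."""
    seen = {}                                # (distance, offset) -> fragments seen
    for i in idents:
        seen.setdefault((i >> 8 & 0x1F, i >> 13), set()).add(i & 0xFF)
    path, downstream = [], 0                 # distance-0 edge is the bare last router
    for d in range(32):
        choices = [sorted(seen.get((d, o), ())) for o in range(K)]
        for combo in (itertools.product(*choices) if all(choices) else ()):
            addr, hv = deinterleave(sum(f << 8 * o for o, f in enumerate(combo)) ^ downstream)
            if h(addr) == hv:
                path.append(addr)
                downstream = interleave(addr)
                break
        else:                                # no consistent candidate: path ends here
            return path
    return path

def simulate(path, n, p, seed=1):            # n attack packets, id field 0 (constructed)
    rng, out = random.Random(seed), []
    for _ in range(n):
        ident = 0
        for r in path:                       # nearest router to the attacker first
            ident = mark(ident, r, p, rng)
        out.append(ident)
    return out
```

`reconstruct` returns addresses from the victim outwards, so for the slide's path R6, R3, R2, R1 it yields R1, R2, R3, R6.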

- Simulator
  - Create random paths
  - Originate attacks
  - Marking probability is 1/25
  - 1,000 random test runs
  - Vary path lengths

Figure: number of packets needed to reconstruct paths, plotted against path length.

- Thanks for listening
- Questions?

- Suffix validation
  - attackers may spoof the end edges
  - include a router "secret"
- Attack origin (host)
- Finding the attacker (person)

- Steven M. Bellovin, ICMP Traceback Message, AT&T (00.txt)
- Alex Snoeren, Hash-Based IP Traceback, BBN, SIGCOMM
- Stefan Savage, Practical Network Support For IP Traceback (pdf)
- Sara Sprenkle, Practical Network Support, Duke University
- Hal Burch, IP Traceback, Carnegie Mellon University

- Ingress filtering
- Link testing
  - input debugging
  - controlled flooding
- Logging

- Block packets with invalid source addresses
- Pros
  - Moderate management/network overhead
- Cons
  - Requires widespread deployment
  - Hard to do in backbone/transit networks

- Start from the victim and test upstream links
- Recursively repeat until the source is located
- Assumes the attack remains active until the trace completes

- The victim recognizes the attack signature
- Install a filter on the upstream router
- Pros
  - Software may help coordinate the process
- Cons
  - Requires cooperation between ISPs
  - Considerable management overhead

- Flood links with large bursts of traffic during the attack
- Observe how the attacking packet rate changes to determine the source
- Pros
  - Ingenious
- Cons
  - Itself a denial of service, possibly a worse one

- Key routers log packets
- Data mining for analysis
- Pros
  - Post mortem
- Cons
  - High resource demand

- Sample packets with low probability
- Copy the data and path information into a new ICMP packet
- Pros
  - Reconstructs path information given a large number of packets
- Cons
  - ICMP may be filtered

- Attackers may generate any packet
- Multiple attackers may conspire
- Attackers may be aware they are being traced
- Packets may be lost or reordered

- Attackers send numerous packets
- The route between attacker and victim is fairly stable
- Routers have limited CPU and memory
- Routers are not widely compromised

- Backwards compatibility
- Two problems
  - Writing the same values into the id fields of fragments from different datagrams
  - Writing different values into the id fields of fragments of the same datagram

- Copy the data into an ICMP packet
- Check the checksum at a higher level
- etc.

- Longer convergence time
  - divide the edge-id into 8 fragments
  - attacker's distance is 10 hops
  - 2,150 packets to converge with 95% certainty
  - a few seconds
- Robust with multiple attackers