Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

2 Introduction
• Today's Internet infrastructure is extremely vulnerable to motivated and well-equipped attackers.
  – Denial of service attacks
  – Single well-targeted packet attacks
• To institute accountability for these attacks, the source of individual packets must be identified.

3 Today's IP Network
• The IP protocol has difficulty identifying the true source of an IP datagram.
  – Stateless, destination-based routing without source authentication
  – Legitimately spoofed source addresses: NAT, Mobile IP, IPSec
• Ingress filtering

4 Source Path Isolation Engine
• Challenges in constructing a tracing system
  – Determining which packets to trace
  – Maintaining privacy
  – Minimizing cost
• The proposed SPIE can
  – reduce memory consumption with Bloom filters
  – verify packets while maintaining privacy by using packet digests

5 Assumptions on a Traceback System
• Packets may be addressed to more than one physical host
• Duplicate packets may exist in the network
• Routers may be subverted, but not often
• Attackers are aware they are being traced
Continued…

6 Assumptions on a Traceback System
• The routing behavior of the network may be unstable
• The packet size should not grow as a result of tracing
• End hosts may be resource constrained
• Traceback is an infrequent operation

7 Design Goals
• An optimal IP traceback system would
  – precisely identify the source of an arbitrary IP packet
  – construct an attack path when co-opted routers exist
  – construct an attack graph when multiple indistinguishable packets exist
  – produce no false negatives while attempting to minimize false positives
  – not expand the eavesdropping capabilities of a malicious party

8 Attack Graph

9 Design Goals
• An optimum traceback system should trace packets through valid transformations back to the source of the original packet.
• Transformation categories
  – Packet encapsulation
  – Packet generation
  – Common packet transformations (RFC 1812)

10 Related Work
• Two approaches to determining the route of a packet flow are auditing and inferring.
• Inferring (Burch and Cheswick)
  – Floods candidate links and monitors variations
  – Needs network topology knowledge and large packet floods
• Specialized routing (Stone)
  – Overlay tracking network
  – Needs long-lived flows and routing changes

11 Auditing
• End-host schemes
  – Routers notify the packet destination of their presence on the route by in-band or out-of-band signaling.
• Infrastructure schemes
  – Log packets at various points throughout the network.
  – Space and privacy considerations
• Input debugging and IDIP
  – High overhead

12 Packet Digesting
• Auditing by computing and storing 32-bit packet digests reduces storage requirements and prevents eavesdropping.
• SPIE computes digests over the invariant portion of the IP header and the first 8 bytes of the payload (28 bytes in total).
Continued…

13 Packet Digesting

14 Prefix Collision

15 Bloom Filter
• Multiple independent hash functions are used, and they change over time at each router.

16 SPIE Architecture
• DGA: Data Generation Agent
• SCAR: SPIE Collection and Reduction
• STM: SPIE Traceback Manager
• IDS: Intrusion Detection System

17 Traceback Processing
• The IDS provides the STM with a packet P, the victim V, and the time of attack T.
• The STM verifies the message's authenticity and integrity.
• The STM immediately asks all SCARs to poll their DGAs for the relevant traffic digests.
• Each SCAR responds with a partial attack graph.
• The STM constructs a composite attack graph and returns it to the IDS.

18 Transformation Processing
• Packets being transformed are put on the control path, thus relaxing the timing requirements.
• Transform Lookup Table (TLT):
  a. Pointer
  b. Flow caching
  Indirect (I) flag
Continued…

19 Transformation Processing
• The 29-bit packet digest field implies that eight distinct 32-bit packet digests map to the same TLT entry. Such collisions are tolerable given the
  – Rarity of packet transformations
  – Sparsity of the digest table
  – Uniformity of the digesting function
• SPIE treats the security gateway or NAT functionality of routers as a separate entity to manage TLT growth.
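Slides 12, 15 and 19 describe the 28-byte digest input, the per-router Bloom filter with time-varying independent hashes, and the 29-bit TLT key. The Python below is an added illustration written for this page, not code from the paper or the slides; the set of masked header fields (TOS, TTL, checksum), the SHA-256-based hash family, and the sample packets are assumptions.

```python
import hashlib
import struct

# Header fields zeroed before digesting, as (offset, length) in the 20-byte IPv4
# header. The exact mask set is our assumption: TOS (1), TTL (8) and the header
# checksum (10-11) change hop by hop and must not influence the digest.
MASKED_FIELDS = ((1, 1), (8, 1), (10, 2))

def digest_input(packet: bytes) -> bytes:
    """The 28 bytes SPIE hashes: masked 20-byte header + first 8 payload bytes."""
    if len(packet) < 28:
        raise ValueError("need a 20-byte IPv4 header and at least 8 payload bytes")
    buf = bytearray(packet[:28])
    for off, n in MASKED_FIELDS:
        buf[off:off + n] = bytes(n)  # zero the mutable field
    return bytes(buf)

def digest32(packet: bytes) -> int:
    """32-bit packet digest (truncated SHA-256 stands in for the paper's hash family)."""
    return int.from_bytes(hashlib.sha256(digest_input(packet)).digest()[:4], "big")

def tlt_index(d32: int) -> int:
    """29-bit Transform Lookup Table key: 2^32 / 2^29 = 8 digests share each entry."""
    return d32 >> 3

class DigestTable:
    """One router's Bloom filter for one period; k hashes salted with a per-period secret."""
    def __init__(self, m_bits: int, k: int, period_salt: bytes):
        self.m, self.k, self.salt = m_bits, k, period_salt
        self.bits = bytearray((m_bits + 7) // 8)

    def _indices(self, packet: bytes):
        data = digest_input(packet)
        for i in range(self.k):  # distinct prefixes give k independent hashes
            h = hashlib.sha256(self.salt + bytes([i]) + data).digest()
            yield int.from_bytes(h[:4], "big") % self.m

    def record(self, packet: bytes) -> None:
        for idx in self._indices(packet):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def maybe_forwarded(self, packet: bytes) -> bool:
        """May this router have forwarded the packet? False positives possible, no false negatives."""
        return all(self.bits[i >> 3] & (1 << (i & 7)) for i in self._indices(packet))

def ipv4_packet(src: bytes, dst: bytes, ttl: int, payload: bytes) -> bytes:
    """Constructed sample: minimal IPv4/UDP header (checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, 17, 0, src, dst)
    return hdr + payload
```

A packet whose TTL was decremented by a hop still matches the digest recorded upstream, while any change to the first 8 payload bytes does not.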

20 Graph Construction
• Simulating reverse-path flooding (RPF), SCARs construct attack graphs by examining the digest tables.
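As an added illustration of the reverse-path flooding on this slide (not code from the paper), the following Python walks a constructed topology from the victim's router, querying each neighbour's digest table, and shows why a single Bloom-filter false positive turns the attack path into an attack graph with a spurious candidate source. The topology, router names and the digest_hit oracle are assumptions.

```python
from collections import deque

# Constructed router topology (undirected adjacency), standing in for the
# domain topology a SCAR knows. Router names are illustrative.
TOPOLOGY = {
    "R1": ["R2", "R3"], "R2": ["R1", "R4"], "R3": ["R1", "R5"],
    "R4": ["R2", "R6"], "R5": ["R3"], "R6": ["R4"],
}

def reverse_path_flood(topology, digest_hit, victim_router):
    """Simulated reverse-path flooding from the victim's first-hop router.

    digest_hit(router) answers "may this router have forwarded the packet?",
    i.e. a query against that router's digest table for the attack period; being
    a Bloom-filter lookup it can say yes falsely, never no falsely. Returns the
    attack graph as directed edges (upstream, downstream)."""
    edges, visited = set(), {victim_router}
    queue = deque([victim_router])
    while queue:
        downstream = queue.popleft()
        for upstream in topology[downstream]:
            if upstream in visited or not digest_hit(upstream):
                continue  # already expanded, or this neighbour never saw the packet
            edges.add((upstream, downstream))
            visited.add(upstream)
            queue.append(upstream)
    return edges

def candidate_sources(edges):
    """Leaves of the attack graph: routers that appear upstream but never downstream."""
    upstream = {u for u, _ in edges}
    downstream = {d for _, d in edges}
    return upstream - downstream

def attack_graph_demo(false_positives=frozenset()):
    """Packet truly travelled R6 -> R4 -> R2 -> R1 (R1 is the victim's router).
    Routers in false_positives answer yes although they never saw the packet."""
    truthful = {"R1", "R2", "R4", "R6"}
    hit = lambda r: r in truthful or r in false_positives
    return reverse_path_flood(TOPOLOGY, hit, "R1")
```

Without false positives the graph is the single path ending at R6; if R3's table falsely reports the digest, a one-hop branch R3 -> R1 appears and R3 is reported as a second candidate source.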

21 DGA Hardware

22 Discussion
• Reliable and timely SPIE communication
  – Out-of-band channel
  – Higher priority
• Inter-domain cooperation
  – Authentication
• Denial of service through transformation
  – Performance and policy

23 Conclusion and Future Work
• SPIE's contribution is tracing a single packet with privacy and low storage cost.
• SPIE deals with complex packet transformations in high-speed routers.
• Future work on SPIE includes
  – extending the time period of traceability
  – reducing the information required for de-transformation