
IP Spoofing CIS 610 Week 2: 13-JAN-2004

Definition and Background
- Definition: the forging of the IP Source Address field in an IP packet
- First mentioned by Morris in 1985 in his paper "A Weakness in the 4.2BSD Unix TCP/IP Software"
- First CERT advisory on an attack using IP spoofing in 1995

Attacks: DoS
- TCP SYN flooding: the attacker spoofs the IP address of an unavailable host (or hosts) to initiate many connections to the victim
- Smurfing/fraggling: the attacker spoofs the victim's IP address in an ICMP (smurf) or UDP (fraggle) echo request sent to a broadcast address
- more...

Attacks: Usurpation
- Session hijacking: the attacker determines the TCP sequence number and takes over the sending side of one end of the TCP session
- Man-in-the-middle: as above, but the attacker sniffs traffic and can usurp one end (send and receive) of the session
- Routing redirect: redirects the victim from the original host to the attacker's machine

Valid uses of IP Spoofing
- Mobile IP
- NAT
- Encapsulation (tunneling)
- Unidirectional link technologies (e.g., satellite links)

Solutions
- Two basic approaches: preventive and reactive
- Reactive includes traceback (discussed later)
- Preventive includes source address filtering and ingress filtering/firewalling
- Discussion: which is better?

Reactive Solutions
- "Practical Network Support for IP Traceback," S. Savage et al., SIGCOMM '00
- "Hash-Based IP Traceback," A. Snoeren et al., SIGCOMM '01

Practical Network Support for IP Traceback
- Problem: how to determine the real source of an IP packet
- Solution: allow routers along a path to probabilistically mark packets along the way

Practical Network Support for IP Traceback (cont)
- Current work on the subject includes ingress filtering, link testing (input debugging and controlled flooding), logging and ICMP traceback
- Each of these has its own benefits as well as drawbacks; e.g., logging is accurate but requires a great deal of storage

Practical Network Support for IP Traceback (cont)
- Solution is packet marking: embedding routing information in an unused field of the IP header with some probability
- When the victim receives enough packets, the probability that it can recreate the attack path is very high

Practical Network Support for IP Traceback (cont)
- Assumptions:
  - an attacker may generate any packet
  - multiple attackers may conspire
  - attackers may be aware they are being traced
  - packets may be lost or reordered
  - the route between attacker and victim is fairly stable
  - routers are both CPU and memory limited
  - routers are not widely compromised

Practical Network Support for IP Traceback (cont)
- Marking algorithm used is edge sampling; the edge's start and end addresses and its distance from the victim are conveyed
- Without encoding, the mark is 72 bits in size; where to put it?

Practical Network Support for IP Traceback (cont)
- Mark is compressed using 3 techniques:
  - XOR the IP addresses that comprise the edge
  - Sub-divide the above into k non-overlapping fragments, and send a randomly selected fragment and its offset
  - Bit-interleave the IP addresses (used above) with random hashes of themselves to enforce uniqueness of fragments

Practical Network Support for IP Traceback (cont)
- Encoded mark, 16 bits, is put into the IP Identification field
- Problems arise when the packet is fragmented (the ID field identifies fragments); studies show less than 0.25% of packets are fragmented
- Set the don't-fragment flag on marked packets, and prepend an ICMP "echo reply" header to mark already-fragmented packets
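The marking and reconstruction steps on the preceding slides, as an added simulation that is not code from the slides or from the Savage et al. paper: each router marks with probability p and, one hop after a mark, XORs its own address into the edge field, and the victim peels the path back out distance by distance. The path, the marking probability and the attacker's bogus initial mark are constructed values; the fragmentation and bit-interleaving of the 16-bit encoding are not modelled.

```python
import random

# Added example (not from the slides or the Savage et al. paper): a simulation of
# compressed edge sampling and the victim's reconstruction of the attack path.
# Router addresses are constructed 32-bit values; a mark is a pair (edge, distance).

# Constructed attack path, listed attacker-side first; PATH[-1] is the victim's last hop.
PATH = [0x0A000001 + (i << 16) for i in range(8)]
P_MARK = 0.04   # per-router marking probability (on the order of 1/25)

def mark_packet(path, attacker_mark, p, rng):
    """Forward one packet along `path`, running the marking step at each router.
    attacker_mark is whatever (edge, distance) the attacker wrote into the packet."""
    edge, distance = attacker_mark
    for router in path:
        if rng.random() < p:
            edge, distance = router, 0       # start a new edge at this router
        else:
            if distance == 0:
                edge ^= router               # complete the edge started one hop upstream
            distance += 1
    return edge, distance

def reconstruct(marks, max_hops):
    """Victim side. A distance-0 mark carries the last-hop router itself; the mark
    at distance d carries R[d+1] XOR R[d], so R[d+1] = edge XOR R[d].
    Returns routers ordered from the victim outward."""
    by_dist = {}
    for edge, d in marks:
        by_dist.setdefault(d, set()).add(edge)
    path = []
    for d in range(max_hops):
        if d not in by_dist:
            break                            # no sample for this hop
        prev = path[-1] if path else 0
        # each distance holds a single edge value in this simulation
        path.append(next(iter(by_dist[d])) ^ prev)
    return path

def simulate(n_packets, seed=1):
    rng = random.Random(seed)
    # the attacker writes a bogus mark (distance 0) into every packet it sends
    marks = [mark_packet(PATH, (0xDEADBEEF, 0), P_MARK, rng) for _ in range(n_packets)]
    return reconstruct(marks, len(PATH) + 2)

if __name__ == "__main__":
    recovered = simulate(3000)
    print("true path recovered:", recovered[:len(PATH)] == PATH[::-1])
    print("bogus attacker edge lands beyond it:", recovered[len(PATH)] == 0xDEADBEEF)
```

The attacker's forged mark only ever surfaces beyond the true path, which is the path-validation limitation listed later: the victim cannot tell that last edge from a real one.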

Practical Network Support for IP Traceback (cont)
- Authors simulated marking; they graph the mean, median and 95th percentile of the number of packets required to reconstruct paths of varying lengths over 1000 runs
- Most paths can be resolved with between 1K and 2K packets, max ~4K. By comparison, DoS attacks frequently send hundreds or thousands of packets per second

Practical Network Support for IP Traceback (cont)
- Limitations/Future work:
  - Backwards compatibility: incompatible with IPSec, negatively impacts users who require IP fragmentation, and IPv6 does not have an ID field
  - Distributed attacks: the greater the number of attack paths, the greater the probability of misattributing an edge
  - Path validation: an attacker can insert false edges into a previously unmarked packet
  - Attack origin detection: traceback identifies the most immediate router, not the host, from which the attack was launched

Practical Network Support for IP Traceback (cont)
- Conclusions/contributions:
  - Explore traceback algorithms based on packet marking
  - Edge sampling enables traceback and can be incrementally deployed and efficiently implemented
  - Encoding edges and overloading the packet's ID field provides tracing information without forcing modifications to existing infrastructure

Hash-based IP Traceback
- Problem: current IP traceback methods rely on large streams of packets and cannot track individual packets
- Solution: a hash-based technique for IP traceback that can track even a single IP packet

Hash-based IP Traceback (cont)
- Challenges: which packets to trace, privacy, minimizing cost (storage space as well as CPU cycles)
- Paper presents SPIE (Source Path Isolation Engine), which enables IP traceback
- Bloom filters (discussed later) reduce the memory requirements associated with packet storage; packet digests, not packets, are stored

Hash-based IP Traceback (cont)
- Assumptions:
  - Packets may be addressed to more than one physical host
  - Duplicate packets may exist in the network
  - Routers may be subverted, but not often
  - Attackers are aware that they are being traced
  - The routing behavior of the network may be unstable
  - The packet size should not grow as a result of tracing
  - End hosts may be resource constrained
  - Traceback is an infrequent operation

Hash-based IP Traceback (cont)
- Goal: should be able to identify the source of any piece of data
- Source is defined as one of: the ingress point to the traceback-enabled network; the actual host or network of origin; or one or more compromised routers within the enabled network
- Want to build an attack graph made up of one or more attack paths along which attack packets are sent

Hash-based IP Traceback (cont)
- Hashes must be resilient to normal network transformations (e.g., TTL decrement) as well as packet modification
- More than 3% (not including NAT) of IP traffic undergoes common transformation

Hash-based IP Traceback (cont)
- Packet Digesting:
  - 32-bit packet digests are stored, not packets; this protects confidentiality
  - Hash input includes the (relatively) nonvolatile fields of the IP header (20 bytes) and the first 8 bytes of payload
  - Results in a very low collision rate, which gets worse as traffic tends towards homogeneity, as on LANs

Hash-based IP Traceback (cont)
- Bloom filters:
  - Compute k distinct packet digests for each packet, and use the n-bit results to index into a 2^n-sized bit array
  - Bit array is initialized to all zeros; bits are set to 1 when a packet digest indexing them is received
  - To check if a packet has traversed the router, look at the Bloom filter elements at each of the k indexes for that packet. If any of them is 0, then the packet has not traversed the router

Hash-based IP Traceback (cont)
- Hash Functions: 3 restrictions:
  - Each function must distribute a highly correlated set of input values uniformly
  - Hash function collisions must be independent of one another
  - Functions must be straightforward to compute
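The packet-digesting and Bloom-filter slides above, as an added toy implementation that is not code from the slides or from the SPIE paper: the digest covers the 20-byte IPv4 header with the hop-variable fields masked plus the first 8 payload bytes, and k digests index a 2^n-bit array. The choice of masked fields (ToS, TTL, header checksum), the use of salted SHA-256 as the hash family, the sizes, and the packets are all assumptions constructed for this example; IP options are assumed absent.

```python
import hashlib
import struct

# Added example (not from the slides or the SPIE paper): a toy SPIE-style digest
# table. Digest input = 20-byte IPv4 header with ToS, TTL and checksum zeroed (an
# assumed mask) + first 8 payload bytes; k salted SHA-256 hashes (a stand-in for
# SPIE's hash family) index a 2**n-bit Bloom filter. No IP options are assumed.
K_HASHES = 3
N_BITS = 16                                   # 2**16-bit array

def digest_input(packet):
    """Masked IPv4 header + first 8 payload bytes (assumes a 20-byte header)."""
    hdr = bytearray(packet[:20])
    hdr[1] = 0                                # ToS
    hdr[8] = 0                                # TTL
    hdr[10:12] = b"\x00\x00"                  # header checksum
    return bytes(hdr) + packet[20:28]

def indexes(packet):
    """k n-bit digests of the packet's invariant part."""
    data = digest_input(packet)
    return [int.from_bytes(hashlib.sha256(bytes([i]) + data).digest()[:4], "big")
            & ((1 << N_BITS) - 1) for i in range(K_HASHES)]

class DigestTable:
    """One router's Bloom filter: a bit array, all zero until packets are recorded."""
    def __init__(self):
        self.bits = bytearray((1 << N_BITS) // 8)
    def record(self, packet):
        for idx in indexes(packet):
            self.bits[idx >> 3] |= 1 << (idx & 7)
    def seen(self, packet):
        # a single zero bit proves the packet did not pass through this router
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in indexes(packet))

def make_packet(src, dst, ident, ttl, payload):
    """Constructed IPv4 header (no options, checksum left zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      0x4000, ttl, 6, 0, src, dst)
    return hdr + payload

def demo():
    """Record a packet; its TTL-decremented copy still matches, a different ID does not."""
    table = DigestTable()
    original = make_packet(b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x02", 0x1234, 64, b"GET / HTTP/1.1\r\n")
    table.record(original)
    next_hop = make_packet(b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x02", 0x1234, 63, b"GET / HTTP/1.1\r\n")
    other = make_packet(b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x02", 0x1235, 64, b"GET / HTTP/1.1\r\n")
    return table.seen(original), table.seen(next_hop), table.seen(other)
```

Masking TTL is what lets the same packet be recognised at every hop along the reverse path; a "seen" answer can still be a Bloom-filter false positive, while "not seen" is definitive.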

Hash-based IP Traceback (cont)
- Architecture:
  - Data Generation Agent (DGA) produces digests and digest tables, and pages them out
  - SPIE Collection and Reduction (SCAR) agent, upon receiving a traceback request, pulls digest tables from the DGA and builds attack graphs
  - SPIE Traceback Manager (STM) interfaces with the IDS, sends requests to SCARs and aggregates the SCARs' attack graphs for reporting to the IDS

Hash-based IP Traceback (cont)
- Transformations:
  - SPIE maintains a Transformation Lookup Table (TLT) which stores the digest of the transformed packet (29 bits), the type of transformation (3 bits), and packet data (32 bits)
  - If more than 32 bits of packet data are needed, the first bit of the transformation field can be used as an indirect flag, indicating that the packet data field is a pointer to the data
  - Some transformations are not recoverable (e.g., NAT); these are treated as special-purpose gateways, out of scope of the paper

Hash-based IP Traceback (cont)
- Graph construction is done by recursively checking along the reverse path for routers with packet digests corresponding to the attack packet
- Resource requirements are expressed in terms of k and the amount of memory used to store packet digests
- Performance is characterized by the length of time for which packet digests are kept and the accuracy of candidate attack graphs

Hash-based IP Traceback (cont)
- Timing:
  - Note that the window of time in which one must detect an attack shrinks as the number of packets processed increases; fast links imply smaller windows
  - The above can be tempered by allotting more fast storage to the maintenance of SPIE-related information

Summary
- Traceback methods are:
  - Reactive; they don't prevent, for instance, DoS attacks
  - End-user-triggered; performed at the request of a victim, who must know he/she is being attacked
  - Network-maintained

Hash-based IP Traceback (cont)
- Discussion:
  - Tracebacks will often be requested when the network is having problems; this may influence the accuracy of said traceback unless it is requested out-of-band
  - Incremental deployment can severely limit the scope of the attack graph
  - Occasionally, the victim may not want to send the attack packet that SPIE needs for traceback
  - Transformations can be costly to invert and/or recover from