Hash-Based IP Traceback. Alex C. Snoeren, Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, and W. Timothy Strayer.

Presentation transcript:

Hash-Based IP Traceback. Alex C. Snoeren, Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, and W. Timothy Strayer. SIGCOMM, Aug., San Diego, CA. Presented by Chris Dion.

Tonight's Outline
– Introduction to the problem
– What is IP Traceback?
– Some previous work
– Overview of the proposed solution
– Implementation/Simulation

Internet Anonymity
– Not all attacks are large flooding DoS attacks
– Well-placed single-packet attacks can be just as effective
– These packets can be spoofed to appear to come from almost anywhere
– How can we track these attacks and find their origin?

Current Methods
– Use of ingress filtering to limit source addresses
  – Not all routers can look at every packet's source address
– Spoofed addresses are all too often found:
  – NAT
  – Mobile IP
  – Hybrid satellite architectures

IP Traceback
Some assumptions about the network:
– Packets may be multicast or broadcast
  – The tracing system must be prepared for multiple packets
– Attackers can get into routers
  – Tracing must not be confounded by a motivated attacker
– Routing behavior of the network can be unstable
  – Tracing must be prepared to handle divergent information
– Packet size should not grow due to tracing
– End hosts may be resource constrained
– Tracing is an infrequent operation
  – Can use the router's control path rather than the data path

Attack Path (diagram: attack packet #1, attack packet #2, possible compromised routers, victim)

Packet Transformations
– Packets may be modified for a number of valid reasons:
  – Packet fragmentation
  – IP option processing
  – ICMP processing
  – Packet duplication
  – NAT
  – IPsec tunneling
– Less than 3% of Internet traffic in 2000
– Attackers can use these!

Some Previous Work
Two approaches to determining the route:
– Audit of the flow as it traverses the network
  – Can grow the packet with route information, use fields in the header, or use out-of-band signaling
– Inference of the flow based on its impact on the state of the network
  – Systematically floods the network and watches for variations in the received packet flow
  – Becomes infeasible when flow sizes approach a single packet

Packet Digests
– We do not need the entire packet
  – Reduces storage requirements
  – Need only the packet header to determine the attacker
  – Still need to uniquely determine the packet
  – Security concerns
– Mask out fields that change along a packet's route:
  – Type of Service
  – TTL
  – Checksum
  – IP Options

IP Packet fields for Hash Input

Why 28 bytes?
– WAN trace from an OC-3 gateway router
– LAN trace from an active 100 Mb segment
– For 28 bytes:
  – 0.00092% WAN
  – 0.139% LAN

Bloom Filters
– Used to store digests in the router
– From Communications of the ACM, July 1970
– Computes k distinct packet digests for each packet using hash functions
– Uses the results to index into a bit array
– Could potentially create false positives

Bloom filter (diagram): an n-bit digest for each packet received; k hash functions index the bit array

Bloom Filters (cont.)
Restrictions on the hash family:
– Must distribute a highly correlated set of inputs (packet digests)
– Independent collision events (a false positive at one router is independent of neighboring routers); called universal hash families
– Must be easy to compute at high link speeds

Source Path Isolation Engine

SPIE System
– DGA, Data Generation Agent
  – Produces packet digests of each departing packet and stores them in a digest table
  – Represents the traffic forwarded in a given time interval
– SCAR, SPIE Collection and Reduction Agent
  – When an attack is detected, the SCAR produces an attack graph for its region
– STM, SPIE Traceback Manager
  – Interface to the intrusion detection system
  – Gathers the complete attack graph

Traceback Processing
– The IDS will signal a potential attack and give the STM:
  – Packet P
  – Victim V, which must be expressed in terms of the last-hop routers
  – Time of attack T, which must be reported in a timely fashion
– The STM immediately asks all SCARs in the domain to poll their DGAs for digests
– Each SCAR returns an attack graph, then the STM works backwards to identify the source

What if the Packet is Transformed?
Need a TLT (Transform Lookup Table) entry with each packet digest:
– IP packet digest
– Type of transform (ICMP, NAT, etc.)
– Indirect flag
– Variable-length packet data needed to undo the transform

Graph Construction
– Each SCAR is responsible for its region
– After gathering all digest tables, it simulates reverse-path flooding (RPF)
– If the packet is found in a router, the node is marked and its arrival time is the latest possible time to search

Graph Construction Example (diagram: attack paths and SPIE queries)

Implementation
– The universal hash family is simulated using MD5 hashing (128-bit output)
– A random number is prepended to each packet for independence
– The output is taken as four 32-bit digests
– The size of the digest table varies with the total traffic capacity of the router
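As an added worked example (not code from the slides, the paper, or the SPIE implementation), the digest-table logic of the preceding slides in Python: the 28-byte hash input with ToS, TTL, checksum and options masked, an MD5-based digest table that takes its k indices from one MD5 output after a per-router random prefix, and the Bloom false-positive formula that gives the P = 0.092 quoted later for 3 digesting functions and a capacity factor of 5. The IPv4 packet builder, the sample packets and the `router-A` prefix are constructed for the demonstration.

```python
import hashlib, math, os, socket, struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over a header whose checksum field is zero."""
    s = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def make_ipv4(src: str, dst: str, ttl: int, tos: int, payload: bytes) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header (no options, proto UDP) + payload."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0x1234, 0x4000,
                      ttl, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def spie_digest_input(packet: bytes) -> bytes:
    """The 28 bytes SPIE hashes: the 20-byte header with ToS, TTL and checksum zeroed,
    options dropped, followed by the first 8 payload bytes (zero padded if shorter)."""
    ihl = (packet[0] & 0x0F) * 4             # header length including options
    hdr = bytearray(packet[:20])
    hdr[1] = 0                               # Type of Service may be rewritten en route
    hdr[8] = 0                               # TTL is decremented at every hop
    hdr[10:12] = b"\x00\x00"                 # checksum changes whenever TTL/ToS do
    return bytes(hdr) + packet[ihl:ihl + 8].ljust(8, b"\x00")

class SpieBloomFilter:
    """Digest table: MD5(router prefix || 28-byte input) is split into four 32-bit
    digests; the first k of them index an m-bit array (assumed k <= 4)."""
    def __init__(self, m_bits: int, k: int = 3, prefix: bytes = b""):
        self.m, self.k = m_bits, k
        self.prefix = prefix or os.urandom(16)  # per-router value for independence
        self.bits = bytearray((m_bits + 7) // 8)

    def indices(self, packet: bytes) -> list:
        h = hashlib.md5(self.prefix + spie_digest_input(packet)).digest()
        return [w % self.m for w in struct.unpack(">4I", h)[:self.k]]

    def insert(self, packet: bytes) -> None:
        for i in self.indices(packet):
            self.bits[i >> 3] |= 1 << (i & 7)

    def contains(self, packet: bytes) -> bool:
        return all(self.bits[i >> 3] & (1 << (i & 7)) for i in self.indices(packet))

def false_positive_rate(k: int, bits_per_packet: float) -> float:
    """Bloom false-positive probability when full: (1 - e^(-k n/m))^k, m/n = bits per packet."""
    return (1 - math.exp(-k / bits_per_packet)) ** k
```

Inserting a packet as it left one router and querying with the same packet one hop later (TTL decremented, ToS remarked, checksum recomputed) still hits, because every field that changed was masked out of the digest input.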

Possible DGA in hardware

False Positive Analysis
– Use a probability of false positives of p = 1/8d for a theoretical limit (d = degree of the router's neighbors)
  – Assuming a 32-node path length, approaching the diameter of the Internet
– For the simulation, used the topology of a major ISP
  – 70 backbone routers with T-1 (1.54 Mbps) to OC-3 (155 Mbps) links
– Sent 1000 attack packets at a constant rate to one victim, with background traffic set to a fixed false-positive rate P

Simulation Result
– The low value was due to link utilizations
– Considerable gap between the theoretical limit and the simulation

Time and Memory Analysis
– Allow one minute to identify the attack packet
– Memory will be linear in link capacity
  – We consider a Bloom filter with 3 digesting functions and a capacity factor of 5, for a false positive rate of P = 0.092 when full
  – Average-sized packets (1000 bits)
– Using this we get a rule of thumb:
  – SPIE requires 0.5% of total link capacity

Time and Memory Analysis (cont.)
– 4 OC-3 links = 47 MB of storage
– 32 OC-192 links = 23.4 GB for one minute
– Access time is also important
  – Given a DRAM cycle time of 50 ns, routers processing more than 1 OC-192 will need SRAM (only 16 Mb, which must be paged)

Some Issues
– Traceback may be requested when the network is unstable
  – Possibly from the attack itself
  – The best solution would be out-of-band management
  – Priority handling may work for in-band
– ISP-to-ISP deployment
  – Possible sharing of SPIE infrastructure?
  – Grant STM requests to other domains

Conclusions
– Traceback of a single packet is very difficult
– SPIE's key contribution is that it is feasible
  – Low storage
  – Does not aid in eavesdropping
  – Complete system
– The future could discard packet digests probabilistically as they age to allow for longer traceback times