Large-Scale IP Traceback in High-Speed Internet : Practical Techniques and Theoretical Foundation Jun (Jim) Xu Networking & Telecommunications Group College of Computing Georgia Institute of Technology (Joint work with Jun Li, Minho Sung, Li Li) 2004 IEEE Symposium on Security and Privacy

Introduction Internet DDoS attack is real threat - on websites · Yahoo, CNN, Amazon, eBay, etc (Feb. 2000)  services were unavailable for several hours - on Internet infrastructure · 13 root DNS servers (Oct, 2002)  7 of them were shut down completely First step to counter attack : identification of attackers - IP spoofing enables attackers to hide their identity - IP Traceback : mechanism to trace the attack sources

State of IP Traceback Assumptions “inherited” from the literature - attackers send lots of packets - Traceback scheme uses limited space in IP header - attackers are aware of the effort and can sabotage Two main types of proposed traceback techniques (1) Probabilistic Packet Marking (PPM) scheme a. routers : probabilistically mark each packet with partial path info using some coding algorithms b. victim : reconstruct the attacking paths using some decoding algorithms

State of IP Traceback (Cont.) Two main types of proposed traceback techniques (2) Hash-based scheme a. routers : store packet digests b. victim : uses recursive lookup to reconstruct the attack path Victim attacker packet digest “Have you seen this packet?” “yes”

Scalability Problems of Two Approaches PPM schemes - limited marking field (17-bits) - cannot scale to large number of attackers Hash-based scheme - recording 100% of the packet digests - infeasible for high-speed links Our objective : design a traceback scheme that is scalable both to the number of attackers and to high link speed

Outline of the talk  Overview of our solution  Design detail  Information theoretic framework  Performance Evaluation  Related work, Future work, Conclusion

Design Overview Our idea : store digests of sampled packets only - use small sampling rate p (such as 3.3%) - small storage and computational cost - can scale to OC-192 or OC-768 link speed - Let us go across the DRAM/SRAM speed barrier the challenge of the sampling - one packet traceback is not possible : need to obtain larger number of attack packets - independent random sampling will not work -- need to improve “correlation factor” Victim attacker packet digest correlation

Information-theoretic framework overview Information-theoretic framework to solve an optimization problem (1) given fixed resource constraints (e.g. we can use 0.4 bits per packet in bloom filter in average), what is the best parameter setting for number of hash functions and sampling probability? - relationship between resource constrains and two parameters resource constraints = number of hash functions  sampling probability - two tradeoffs higher number of hash functions gives less false positive rate in bloom filter higher sampling probability gives higher sampling correlation (easier traceback) ex) when s=0.4, which set is best? (8 hash, 5% sampling) vs (12 hash, 3.3% sampling) vs (16 hash, 2.5% sampling)

Information-theoretic framework overview Information-theoretic framework to establish a lower bound (2) what’s the lower bound of the size of the evidence to achieve a certain level of traceback accuracy? - there is a tradeoff between the number of attack packets used for traceback (evidence) vs the accuracy of the traceback ex) we want to find the minimum size of the evidence for identifying more than 90% of the attack sources

Outline of the talk  Overview of our solution  Design Detail  Information theoretic framework  Performance Evaluation  Related work, Future work, Conclusion

One-bit Random Marking and Sampling(ORMS) Basic idea - each router sample the packet with probability p - ORMS make correlation factor be larger than 50% : we sample more than 50% of the packet which are sampled at previous router - use 1 bit marking for coordinating the sampling p Sample all marked packets p/2 Sample unmarked packet with probability p/(2-p) correlation : total sampling probability : Sample and mark Sample and not mark p/ correlation factor (sampled by both) : ( > 50% because 0<p<1 )

One-bit Random Marking and Sampling(ORMS) why not trajectory sampling? - the attacker can use hash values that escape sampling design tampering-resistant scheme - Why save p/2 of marked packets, and p/2 of unmarked packets? Why not simply save all packets that are marked with 1? tamperingjump-startstationary 0  r  1 r : rate of marked packets make r to p/2 using dual-leaky-bucket r = p/2 - “jump-start” in first hop using dual leaky bucket scheme Victim attacker Other host send marked normal traffics send unmarked attack traffics

Traceback Processing Victim attacker packet digest 1. Collect a set of attack packets L v 2. Check router S, a neighbor of the victim, with L v 3. Check each router R ( neighbor of S ) with L s LvLv S “Have you seen any of these packets? “yes” R LsLs “You are convicted! Use these evidences to make your L s ”

Traceback Processing Victim attacker packet digest 4. Pass L v to R to be used to make new L s 5. Repeat these processes S R “You are convicted! Use these evidences to make your L s ” “Have you seen any of these packets? “yes” LvLv LsLs

Outline of the talk  Overview of our solution  Design Detail  Information-theoretic framework  Performance Evaluation  Related work, Future work, Conclusion

Why do we need theoretical foundation? Information-theoretic framework - view the traceback system as a communication channel - tradeoff between sampling rate and the size of packet digest : optimal parameter setting maximizes channel capacity (i.e. mutual information ) - tradeoff between the number of packets and the traceback accuracy : Information theory allows us to derive the lower bound on the number of packets (evidence) to achieve a certain level of traceback accuracy through Fano’s inequality

Concepts - Entropy H(X) : measures the uncertainty of X - Conditional entropy H(X|Y) : measures how much uncertainty remains for X given the observation of Y Fano’s inequality - Given an observation of Y, our estimation of X is We denote p e as - H(p e )  H(X|Y), if X is binary-valued Information Theory Background

Applications of Information Theory R1R1 LvLv LsLs What we can observe : X t1 + X f1, Y t + Y f We want to estimate Z Question : How to maximize our accuracy in estimating Z? Answer : minimize H(Z|X t1 +X f1,Y t +Y f ) X t1 X f1 YtYt YfYf N p : # of pkts in L v X t2 LvLv R2R2 false positive true positiveLegend: Victim Z=1 X t2

Parameter tuning : - k : number of hash functions in a Bloom filter - to maximize our accuracy in estimating Z, we would like to compute k* = argmin H( Z | X t1 +X f1, Y t +Y f ) k subject to the resource constraint ( s = k  p ) Applications of Information Theory s : average number of bits for each packet p : sampling probability

Applications of Information Theory Resource constraint: s = k  p = 0.4

Lower bound on the number of packets to achieve a certain level of traceback accuracy : Fano’s inequality : H(p e )  H( Z | X t1 +X f1, Y t +Y f ) Applications of Information Theory Parameters: s=0.4, k=12, p=3.3% (12  3.3% = 0.4)

Outline of the talk  Overview of our solution  Design Detail  Information-theoretic framework  Performance Evaluation  Related work, Future work, Conclusion

Three Topologies - Skitter data I, Skitter data II, Bell-lab’s data (routes from a host to 192,900, 158,181, 86,813 destinations) Host setting : - Victim : all three topologies are routes from a single origin to many destinations, assume this origin to be the victim - Attackers : randomly distributed among the destination hosts Performance Metrics - False Negative Ratio (FNR): the ratio of the number of missed routers to the number of infected routers - False Positive Ratio (FPR): the ratio of the number of incorrectly convicted routers to the number of convicted routers Simulation set-up

False Negative & False Positive on Skitter I topology Simulation results Parameters: s=0.4, k=12, p=3.3% (12  3.3% = 0.4)

Parameter tuning Verification of Theoretical Analysis Parameters: 1000 attackers, s = k  p = 0.4

Error levels by different k values Verification of Theoretical Analysis Parameters: 2000 attackers, N p =200,000

Lower bound on the number of packets to achieve a certain level of traceback accuracy Verification of Theoretical Analysis Parameters: s = 0.4, k = 12, p = 3.3%

Outline of the talk  Overview of our solution  Design Detail  Information-theoretic framework  Performance Evaluation  Related work, Future work, Conclusion

Related work (not exhaustive) PPM (Probabilistic Packet Marking) traceback schemes - S. Savage et al., Practical network support for IP traceback, SIGCOMM M.T.Goodrich, Efficient packet marking for large-scale IP traceback, ACM CCS 2002 Hash-based traceback scheme - Snoeren et al., Hash-based IP traceback, SIGCOMM 2001 Analysis of the traceback scheme and lower bounds - M. Adler, Tradeoffs in PPM for IP traceback, ACM STOC 2002

Discussion and future work 1. Is correlation factor 1/(2-p) optimal for coordination using one bit? 2. What if we use more that one bit for coordinating sampling? 3. How to optimally combine PPM and hash-based scheme – a Network Information Theory question. 4. How to know with 100% certainty that some packets are attack packets? How about we only know with p-certainty?

Conclusion New approach to IP traceback is presented - using sampling, the scheme can scale to very high link speed - ORMS, a novel sampling technique, is introduced Analysis using Information-theoretic framework - allows us to compute the optimal parameters - can be used to compute the trade-off between the amount of evidence and the traceback accuracy Simulation study - demonstrate the high performance of the scheme even with thousands of attackers and very low (3.3%) of sampling rate