Hash-Based IP Traceback. Alex C. Snoeren +, Craig Partridge, Luis A. Sanchez ++, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent and W. Timothy Strayer.


Hash-Based IP Traceback
Alex C. Snoeren (+), Craig Partridge, Luis A. Sanchez (++), Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent and W. Timothy Strayer
BBN Technologies; (+) MIT Laboratories; (++) Megisto Systems
Published at SIGCOMM 2001

Who is attacking?
- IP Traceback
  - Trace the path of IP packet(s) back to their source
- Why is this difficult?
  - IP networks are stateless
  - Spoofed source addresses
  - Many administrative layers

Approach: Log-Based Traceback
(figure: example topology with victim V, attacker A and routers R1 through R7)

Logging Challenges
- Attack path reconstruction is difficult
  - A packet may be transformed as it moves through the network
- Full packet storage is problematic
  - Memory requirements are prohibitive at high line speeds (OC-192 is ~10 Mpkt/sec)
- Extensive packet logs are a privacy risk
  - Traffic repositories may aid eavesdroppers

Source Path Isolation Engine (SPIE) Goals
- Trace a single IP packet back to its source
  - Asymmetric attacks (e.g. Fraggle, Teardrop, ping-of-death)
- Minimal cost (resource usage)
- Maintain privacy (prevent eavesdropping)
- Robustness (minimal false positives, no false negatives)

Assumptions
- Network:
  - Packets can be addressed to one or more hosts (multicast, broadcast)
  - Duplicate packets may exist in the network
  - Router infrastructure is unstable
- Attacker:
  - Aware of traceback mechanisms
  - Routers may be subverted
- Mechanism:
  - Packet size should not grow due to traceback

Goals
- Find the attack graph for a single packet
- Minimal cost (resource usage)
- Maintain privacy (prevent eavesdropping)
- Robustness (minimal false positives, no false negatives)

SPIE Architecture
- DGA: Data Generation Agent
  - Computes and stores digests of each packet on the forwarding path
  - One DGA deployed per router
- SCAR: SPIE Collection and Reduction Agent
  - Long-term storage for needed packet digests
  - Assembles the attack graph for the local topology
- STM: SPIE Traceback Manager
  - Interfaces with the IDS
  - Verifies integrity and authenticity of the traceback call
  - Sends requests to SCARs for local graphs
  - Assembles the attack graph from SCAR input

SPIE Traceback Sequence
(figure: IDS, STM, SCARs and DGAs co-located with routers)
1: IDS identifies the attack packet
2: IDS sends packet, time and last hop to the STM
3: STM authenticates and verifies the IDS request
4: STM provisions SCARs to collect local DGA digests
5: SCARs collect digest tables, time intervals and hash functions
6: SCARs identify routers holding the packet's digest and construct local graphs
7: STM collects the SCAR local graphs
8: STM assembles the local graphs, querying for missing information
9: STM sends the attack graph to the IDS


Data Generation Agents
- Compute a "packet digest"
- Store it in a Bloom filter
- Flush the filter every time interval, t

Packet Digests
- Compute hash(p)
  - Invariant fields of p only
  - 28 bytes of hash input, % WAN collision rate
  - Fixed-size hash output, n bits
- Compute k independent digests
  - Increased robustness
  - Reduced collisions, reduced false positive rate

Hash Input: Invariant Content
(figure: IPv4 header with Version, Header Length, TOS, Total Length, Identification, DF/MF flags, Fragment Offset, TTL, Protocol, Checksum, Source Address, Destination Address and Options, followed by the payload; the 28-byte hash input covers the header and the first 8 bytes of payload, and the remainder of the payload is excluded)

Hashing Properties
- Each hash function
  - Uniform distribution of input -> output
  - H1(x) = H1(y) for some x, y -> unlikely
- Use k independent hash functions
  - Collisions among the k functions are independent
  - H1(x) = H2(y) for some x, y -> unlikely
- Cycle the k functions every time interval, t

Digest Storage: Bloom Filters
- Fixed structure size
  - Uses a 2^n-bit array
  - Initialized to zeros
- Insertion
  - Use each n-bit digest as an index into the bit array
  - Set that bit to '1'
- Membership
  - Compute k digests, d_1, d_2, etc.
  - If filter[d_i] = 1 for all i, the router forwarded the packet
(figure: 2^n-bit array indexed by H_1(P), H_2(P), H_3(P), ..., H_k(P))

(figure: the 28-byte hash input is digested by the DGA into the 2^n-bit Bloom filter indexed by H_1(P) through H_k(P), which the SCAR later collects)

SPIE Collection and Reduction Agent
- Polls DGAs for digest tables, hash functions and time intervals
  - Time-critical operation
- Constructs the local attack graph
  - Reverse path flooding
  - For each router, compute the k hashes of p with that router's local hash functions, then run the membership test (table[h_i(p)] == 1 for all i)
- Sends the result to the STM
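The digest computation, per-router Bloom filter and SCAR reverse path flooding from the preceding slides, put together as an added example (not code from the SPIE paper or these slides). Assumptions, labelled in the code: 20-byte IPv4 headers without options, keyed BLAKE2b standing in for the k per-router hash functions (a new salt per time interval would give the cycling the slides describe), a 2^n-bit filter held in a bytearray, and a constructed five-router topology in which R1-R2-R3 carried the packet and R4, R5 did not.

```python
"""Toy SPIE pipeline: packet digests, per-router Bloom filters, reverse path flooding.

Added example, not code from the SPIE paper or these slides. Assumptions:
20-byte IPv4 headers without options, keyed BLAKE2b as the k hash functions,
a 2**n-bit filter held in a bytearray, and a hand-built five-router topology.
"""
import hashlib
import struct

HEADER_LEN = 20         # assumption: no IP options
DIGEST_INPUT_LEN = 28   # IP header plus first 8 bytes of payload


def ip_bytes(addr: str) -> bytes:
    return bytes(int(part) for part in addr.split("."))


def make_ipv4(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet (protocol 17); checksum left as 0 for simplicity."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, HEADER_LEN + len(payload),
                         0x1234, 0x4000, ttl, 17, 0, ip_bytes(src), ip_bytes(dst))
    return header + payload


def invariant_bytes(packet: bytes) -> bytes:
    """The 28-byte hash input with hop-mutable fields masked to zero.

    As in the SPIE design, TOS (byte 1), TTL (byte 8) and the header checksum
    (bytes 10-11) are zeroed so every router on the path digests the same bytes.
    """
    buf = bytearray(packet[:DIGEST_INPUT_LEN].ljust(DIGEST_INPUT_LEN, b"\x00"))
    buf[1] = 0
    buf[8] = 0
    buf[10:12] = b"\x00\x00"
    return bytes(buf)


class DigestTable:
    """One router's Bloom filter for one time interval: 2**n bits, k digests."""

    def __init__(self, n_bits: int, k: int, salt: bytes):
        self.n_bits, self.k, self.salt = n_bits, k, salt
        self.bits = bytearray((1 << n_bits) // 8)   # all zeros

    def digests(self, packet: bytes):
        data = invariant_bytes(packet)
        for i in range(self.k):
            # distinct keys give k independent functions; the salt is this
            # router's (and interval's) private hash selection
            h = hashlib.blake2b(data, key=self.salt + bytes([i]), digest_size=8).digest()
            yield int.from_bytes(h, "big") & ((1 << self.n_bits) - 1)   # n-bit index

    def insert(self, packet: bytes) -> None:
        for d in self.digests(packet):
            self.bits[d >> 3] |= 1 << (d & 7)

    def contains(self, packet: bytes) -> bool:
        """True if all k bits are set: the router forwarded it (or a false positive)."""
        return all(self.bits[d >> 3] & (1 << (d & 7)) for d in self.digests(packet))


def reverse_path_flood(tables, links, last_hop, packet):
    """SCAR-style local graph: from the victim's last hop, step to each neighbour
    and keep those whose digest table claims the packet. Returns
    {router: sorted upstream routers that also forwarded the packet}."""
    graph, seen, frontier = {}, {last_hop}, [last_hop]
    while frontier:
        router = frontier.pop()
        upstream = sorted(u for u in links[router]
                          if u not in seen and tables[u].contains(packet))
        graph[router] = upstream
        seen.update(upstream)
        frontier.extend(upstream)
    return graph


def build_scenario(n_bits: int = 16, k: int = 3):
    """Constructed topology: R1-R2-R3 is the attack path, R4 and R5 hang off R2 and R3."""
    links = {"R1": {"R2"}, "R2": {"R1", "R3", "R4"}, "R3": {"R2", "R5"},
             "R4": {"R2"}, "R5": {"R3"}}
    tables = {r: DigestTable(n_bits, k, salt=r.encode()) for r in links}
    attack = make_ipv4("10.0.0.9", "192.0.2.10", ttl=64, payload=b"ATTACK!!")
    for hop, router in enumerate(["R1", "R2", "R3"]):
        # each hop logs the packet with a smaller TTL; masking keeps the digest stable
        tables[router].insert(make_ipv4("10.0.0.9", "192.0.2.10", ttl=64 - hop, payload=b"ATTACK!!"))
    for router in links:   # constructed background traffic at every router
        for i in range(200):
            tables[router].insert(make_ipv4("10.1.0.%d" % i, "192.0.2.10", ttl=50, payload=i.to_bytes(8, "big")))
    return tables, links, attack


if __name__ == "__main__":
    tables, links, attack = build_scenario()
    print(reverse_path_flood(tables, links, "R3", attack))   # expect R3 <- R2 <- R1
```

Two things worth noticing when running it: the TTL differs at every hop, yet `invariant_bytes` makes all three routers compute identical digests, which is exactly why the slides restrict hashing to invariant fields; and `contains` can only ever err on the side of a false positive, never a false negative, which matches the robustness goal of "no false negatives" while leaving the false positive rate to the filter's sizing.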

SPIE Traceback Manager
- Interface to the IDS
  - Receives the attack signature for p
  - Returns the attack graph
- Authenticates/verifies the request (no details given)
- Provisions SCARs
  - Send(packet, last-hop router, arrival time)
- Assembles the local graphs
- Fills holes in the graph


Memory Utilization
- A Bloom filter is described in terms of:
  - The number of digest/hash functions (k)
  - The ratio of data items to be stored (n) to memory capacity (m)
- The effective false positive rate (P) for a Bloom filter that uses m bits of memory to store n packets with k digest functions is given by:
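The slide's formula did not survive transcription. As an added derivation (the standard Bloom filter analysis, not text from the slides) in the slide's own symbols, with k digest functions, n stored packets and m bits, each insertion sets k of the m bits, so after n packets the probability that a particular bit is still clear is

$$
\Pr[\text{bit still } 0] = \left(1 - \frac{1}{m}\right)^{kn} \approx e^{-kn/m}
$$

A packet the router never forwarded is reported as present only if all k of its bit positions happen to be set, which gives the effective false positive rate

$$
P = \left(1 - \left(1 - \frac{1}{m}\right)^{kn}\right)^{k} \approx \left(1 - e^{-kn/m}\right)^{k}
$$

For a fixed ratio n/m this is minimised at $k = (m/n)\ln 2$, where $P \approx 2^{-k}$. Note the symbol clash with the earlier Bloom filter slide: there n was the digest width (a 2^n-bit array), here it counts stored packets, so in that notation m = 2^(digest width).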

SPIE Performance
- Local false positive rate (n, k, b)
- Length of time digests are stored (t)
  - IDS -> STM -> SCAR -> DGA
- Accuracy of attack graphs
  - Derived from local false positive rates
  - Network topology. Why?

Conclusion
- Find the attack graph for a single packet
  - Log every packet at every router
- Minimal cost (resource usage)
  - Store a fixed-size hash(p), not p
  - 0.05% link bandwidth per time
  - Distribute graph creation (attack sub-graphs)
- Maintain privacy (prevent eavesdropping)
  - Authenticate traceback (IDS -> STM call)
  - No header fields stored
- Robustness (minimal false positives, no false negatives)?

Packet Marking vs. Packet Logging

Basic method
  Packet marking: routers write their IDs (IP addresses) into the forwarded packets (deterministic or probabilistic)
  Packet logging: packet information (digests or signatures) is written into the router's buffer (deterministic or probabilistic)

Number of attack packets needed to infer an attack path
  Packet marking: a large number of attack packets (probabilistic); a single attack packet (deterministic)
  Packet logging: same as packet marking

Overhead
  Packet marking: no buffer overhead at routers, but high packet overhead; router CPU overhead for marking
  Packet logging: high buffer overhead at routers, but no packet overhead; router CPU overhead for logging

Collecting path information
  Packet marking: not a big issue, i.e. it can be done using the attack packets themselves
  Packet logging: coordination among routers required

Examples
  Packet marking: Probabilistic Packet Marking
  Packet logging: Hash-based Traceback