Presentation is loading. Please wait.

Presentation is loading. Please wait.

Single-Packet IP Traceback

Published byMelvin Adam Morris Modified over 6 years ago

Similar presentations

Presentation on theme: "Single-Packet IP Traceback"— Presentation transcript:

1 Single-Packet IP Traceback
Alex C. Snoeren BBN Technologies (with Craig Partridge, Tim Strayer, Christine Jones, Fabrice Tchakountio, Beverly Schwartz, Matthew Condell, Bob Clements, and Steve Kent) Motivation – Way too long. Hari – Related work? Higher-level. Frans – Focus problem. Define Traceback – What do you do with the system?

2 SPIE in Action

3 Challenges to Logging Attack path reconstruction is difficult
Packet may be transformed as it moves through the network Full packet storage is problematic Memory requirements are prohibitive at high line speeds (OC-192 is ~10Mpkt/sec) Extensive packet logs are a privacy risk Traffic repositories may aid eavesdroppers Path construction

4 Packet Digesting Record only invariant packet content
Mask dynamic fields (TTL, checksum, etc.) Store information required to invert packet transformations at performing router Compute packet digests instead Use hash function to compute small digest Store probabilistically in Bloom filters Impossible to retrieve stored packets

5 Invariant Content Ver HLen TOS Total Length Identification
M F Fragment Offset TTL Protocol Checksum 28 bytes Source Address Destination Address Options First 8 bytes of Payload Remainder of Payload

6 Bloom Filters Fixed structure size Insertion is easy Variable capacity
Uses M bit array Initialized to zeros Insertion is easy Use ℓ-bit digest as indices into bit array ℓ bits 1 H2(P) Hk(P) H3(P) H1(P) 1 . . . Mitigate collisions by using k digests H(P) M bits Variable capacity Easy to adjust Store up to n packets

7 Limited Error Propagation
Bloom filters may be mistaken Mistake frequency can be controlled Depends on capacity of full filters Neighboring routers won’t be fooled Vary hash functions used in Bloom filters Each router select hashes independently Long chains of mistakes highly unlikely Probability drops exponentially with length

8 False Positive Distribution

9 Adjusting Graph Accuracy
False positives rate depends on: Length of the attack path, N Complexity of network topology, d Capacity of Bloom filters, P Bloom filter capacity is easy to adjust Required filter capacity varies with router speed and number of neighbors Appropriate capacity settings achieve linear error growth with path length

10 Simulation Results N/7 Nρ/(1-ρ) → ρ = 1/8 P = ρ
Random Graph Real ISP, 100% Utilization Real ISP, Actual Utilization 0.8 0.8 0.8 0.8 Degree-Independent N/7 Nρ/(1-ρ) → ρ = 1/8 What are the actual numbers? 0.6 0.6 0.6 0.6 P = ρ Expected Number of False Positives 0.4 0.4 0.4 0.4 May be able to assume degree independence 0.2 0.2 0.2 0.2 P = ρ/d 5 5 5 5 10 10 10 10 15 15 15 15 20 20 20 20 25 25 25 25 30 30 30 30 Length of Attack Path (N)

11 How Big are Digests? Quick rule of thumb:
ρ = 1/8, assuming degree independence Bloom filter k = 3, M/n = 5 bits per packet. Assume packets are ~1000 bits Filters require ~0.5% of link capacity Four OC-3s require 47MB per minute 128 OC-192 links need <100GB per minute Access times are equally important Current drives can write >3GB per minute OC-192 needs SRAM access times 4 OC-3 Hd needs 67GB/day

12 Filter Paging “Small” Bloom filters Store multiple filters
Random access Need fast memory Store multiple filters Increase time span Ring buffer avoids memory copies Timestamp each bin Fence-post issues B G E C D F H A

13 Transformations Occasionally invariant content changes
Network Address Translation (NAT) IP/IPsec Encapsulation, etc. IP Fragmentation ICMP errors/requests Routers need to invert these transforms Often requires additional information Can store this information at the router

14 Transform Lookup Table
Only need to restore invariant content Often available from the transform (e.g., ICMP) Otherwise, save data at transforming router Index required data by transformed packet digest Record transform type and sufficient data to invert Bounded by transform performance of router Digest Packet Data C Type 28 bits 4 bits 32 bits

15 Prototype Implementation
Implemented in PC-based routers Both FreeBSD and Linux implementations Packet digesting on kernel forwarding path Zero-copy kernel/user digest tables Digest tables and TLT stored in kernel space User-level query-support daemons Supports automatic topology discovery Queries automatically triggered by IDS

16 SPIEDER Approach SPIE DGA Encompassing Router (SPIEDER) external
Each router has an internal Data Generation Agent (DGA) external DGA Router SPIE DGA Encompassing Router (SPIEDER)

17 Summary Hash-based traceback is viable
With reasonable memory constraints Supports common packet transforms Timely tracing of individual packets Publicly available implementations FreeBSD/Linux versions available now SPIEDER-based solution in development

Download ppt "Single-Packet IP Traceback"

Similar presentations

IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.

IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.
IPv6. Major goals 1.support billions of hosts, even with inefficient address space allocation. 2.reduce the size of the routing tables. 3.simplify the.

IPv6. Major goals 1.support billions of hosts, even with inefficient address space allocation. 2.reduce the size of the routing tables. 3.simplify the.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
20.1 Chapter 20 Network Layer: Internet Protocol Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

20.1 Chapter 20 Network Layer: Internet Protocol Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides.

Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
Sampling and Flow Measurement Eric Purpus 5/18/04.

Sampling and Flow Measurement Eric Purpus 5/18/04.
IP Spoofing CIS 610 Week 2: 13-JAN-2004. Definition and Background n Def’n: The forging of the IP Source Address field in an IP packet n First mentioned.

IP Spoofing CIS 610 Week 2: 13-JAN Definition and Background n Def’n: The forging of the IP Source Address field in an IP packet n First mentioned.
Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.

Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.
Chapter 5 The Network Layer.

Chapter 5 The Network Layer.
Performance Evaluation of IPv6 Packet Classification with Caching Author: Kai-Yuan Ho, Yaw-Chung Chen Publisher: ChinaCom 2008 Presenter: Chen-Yu Chaug.

Performance Evaluation of IPv6 Packet Classification with Caching Author: Kai-Yuan Ho, Yaw-Chung Chen Publisher: ChinaCom 2008 Presenter: Chen-Yu Chaug.
Payload Attribution via Hierarchical Bloom Filters

Payload Attribution via Hierarchical Bloom Filters
Introduction to IP Traceback 交通大學 電信系 李程輝 教授. 2 Outline  Introduction  Ingress Filtering  Packet Marking  Packet Digesting  Summary.

Introduction to IP Traceback 交通大學 電信系 李程輝 教授. 2 Outline  Introduction  Ingress Filtering  Packet Marking  Packet Digesting  Summary.
Hash-Based IP Traceback Alex C. Snoeren, Craig Partidge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, and W. Timothy Strayer.

Hash-Based IP Traceback Alex C. Snoeren, Craig Partidge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, and W. Timothy Strayer.
Network Layer4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side,

Network Layer4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side,
BUFFALO: Bloom Filter Forwarding Architecture for Large Organizations Minlan Yu Princeton University Joint work with Alex Fabrikant,

BUFFALO: Bloom Filter Forwarding Architecture for Large Organizations Minlan Yu Princeton University Joint work with Alex Fabrikant,
Hash, Don’t Cache: Fast Packet Forwarding for Enterprise Edge Routers Minlan Yu Princeton University Joint work with Jennifer.

Hash, Don’t Cache: Fast Packet Forwarding for Enterprise Edge Routers Minlan Yu Princeton University Joint work with Jennifer.
Review of IP traceback Ming-Hour Yang The Department of Information & Computer Engineering Chung Yuan Christian University

Review of IP traceback Ming-Hour Yang The Department of Information & Computer Engineering Chung Yuan Christian University
Internet Protocol (IP)

Internet Protocol (IP)
Tracking and Tracing Cyber-Attacks

Tracking and Tracing Cyber-Attacks

Similar presentations

Ads by Google