
IP Traceback Problem: How do we determine where a malicious packet came from? It's a problem because the attacker can spoof the source IP address. If we know where.


Slide 1: IP Traceback Problem (section: Introduction)
Problem: how do we determine where a malicious packet came from?
It is a problem because the attacker can spoof the source IP address.
If we know where a packet comes from, we:
- may be able to determine the attacker
- may be able to determine a bot participating in a DDoS attack
Another approach: get rid of spoofed packets with ingress filtering (see the "Attack" slides).

Slide 2: Methods for finding the source
- Manual methods using current IP routing: link testing, logging
- Marking algorithms: routers mark packets

Slide 3: Link testing
- Victim recognizes an attack signature: a common feature in all attack packets, e.g. the same source IP address
- Victim informs the network operator
- Operator installs a filter on the upstream router
- The router's "input debugging" feature determines the responsible ingress link, leading to an upstream router
- Apply the procedure again until reaching the border of the ISP
- Result: the router at the border filters out malicious traffic before it reaches the target
Cons:
- To go beyond an ISP, ISPs need to coordinate
- Considerable management overhead

Slide 4: Logging (forensics)
- Key routers log packets
- Use data mining to find the path
Pros:
- Post mortem: works after the attack stops
Cons:
- High resource demand: need to store and process huge volumes of data

Slide 5: Marking algorithms: overview
- Mark packets with router addresses, deterministically or probabilistically
- Trace the attack using the marked packets
Strengths:
- Independent of ISP management
- Little network overhead or extra traffic
- Can trace distributed attacks, and attacks post mortem
Drawback: need to get routers to mark IP packets

Slide 6: Marking: assumptions
- Most routers remain uncompromised
- Attacker sends many packets
- Route from attacker to victim remains relatively stable
[Figure: attack tree with attackers A1 to A5, routers R6 to R12, and victim V]

Slide 7: Marking algorithms
- Marking procedure, by routers: add information to the packet
- Path reconstruction procedure, by the victim: use the information in the marked packets
- Convergence time: the number of packets needed to reconstruct the attack path

Slide 8: Node append
- Append the address of each router to the end of the packet
- Gives a complete, ordered list of the routers in the attack path
Problem: requires space in the packet
- The path can be long
- There are no extra fields in the current IP format, and changes to the packet format are not practical
[Figure: original packet followed by the appended router list]

Slides 9 to 11: Node sampling (1) to (3)
- Reserve a node field in the packet header for marking
- Each router writes its address into the node field with probability p
[Figure, three frames: a packet passes routers R1, R2, R3; the node field holds R1 after R1 marks it, and R3 after R3 overwrites it]

Slide 12: Node sampling (4)
- Router: one additional write plus a checksum update
- Victim receives many attack packets, many of them marked
- Victim attempts to reconstruct the path from unordered samples: observe the router IPs in the marking field
- Probability that a received packet has been marked by the router d hops away: p(1-p)^(d-1)
- Rank each router IP by the number of marks it has received; the router with the most marks is likely the closest router

Slide 13: Node sampling (5): problems
- A large number of packets is needed to get markings from upstream routers
- Multiple attack sources
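An added simulation of the node-sampling tally from slide 12 and the convergence issue on slide 13; this is example code, not from the slides or from Savage et al. The path R10, R9, R8, R7, R6 (attacker side first, victim side last) is constructed from the slide 6 figure, and router addresses are plain strings rather than 32-bit IPs.

```python
import random
from collections import Counter

def mark_probability(p, d):
    """Chance that a packet reaches the victim carrying the mark of the router d hops
    away: that router marks (p) and none of the d-1 downstream routers overwrite (1-p each)."""
    return p * (1 - p) ** (d - 1)

def node_sampling_forward(path, p, rng):
    """Forward one packet along `path` (attacker side first, victim side last).
    Every router overwrites the single node field with its own address with probability p.
    Returns the node field as the victim sees it, or None if no router marked the packet."""
    field = None
    for router in path:
        if rng.random() < p:
            field = router
    return field

def sample_marks(path, p, n_packets, seed=1):
    """Victim-side tally: how often each router address shows up in the node field."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n_packets):
        mark = node_sampling_forward(path, p, rng)
        if mark is not None:
            counts[mark] += 1
    return counts

def rank_routers(counts):
    """Order routers by mark count, most marks first; slide 12 treats the top entry as
    the router closest to the victim."""
    return [router for router, _ in counts.most_common()]

if __name__ == "__main__":
    # Constructed path from the slide 6 figure: R10 nearest the attacker, R6 nearest the victim.
    tally = sample_marks(["R10", "R9", "R8", "R7", "R6"], 0.5, 20000)
    print(rank_routers(tally), dict(tally))
```

With p = 0.5 and five hops the far router R10 is seen in only about 3% of packets, which is the slide 13 problem: the upstream marks need many packets to accumulate.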

Slide 14: Edge sampling
- Store edges instead of routers
- The arriving packet contains the start and end addresses of the last marked edge, and its distance from the victim (the number of hops the edge is from the destination)
- Each router chooses to mark the edge with probability p
- If chosen, set the counter to 0; otherwise increment the counter

Slides 15 to 18: Edge sampling, step by step
- Packet received: R1 receives a packet from the source or from another router; the packet contains space for start (s), end (e) and distance (d)
- Begin writing the edge: R1 chooses to write the start of the edge and sets the distance to 0
- Finish writing the edge: R2 chooses not to overwrite the edge; since the distance is 0, R2 writes the end of the edge and increments the distance to 1
- Increment distance: R3 chooses not to overwrite the edge and increments the distance to 2
[Figure: packet passing R1, R2, R3; the marking fields go from (s, e, d) empty, to (R1, -, 0), to (R1, R2, 1), to (R1, R2, 2)]

Slide 19: Path reconstruction
- Extract the identifiers from the attack packets
- Build a graph rooted at the victim; each (start, end, distance) tuple is an edge
- Traverse the edges from the root to find the attack paths
- Number of packets needed to reconstruct the path: E(X) < ln(d) / (p(1-p)^(d-1)), where p is the marking probability and d is the length of the path; p = 1/d is optimal
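An added simulation of the edge-sampling marking procedure (slides 14 to 18) together with the victim-side reconstruction and packet bound on this slide; this is example code, not from the slides or from Savage et al. The two-path topology R10-R8-R6 and R12-R9-R6 and the victim label "V" are constructed from the slide 6 figure, and the marking fields are modelled as Python values rather than the compressed 16-bit encoding.

```python
import math
import random
from collections import defaultdict

def edge_sampling_forward(path, p, rng):
    """One packet travels `path` (attacker side first, victim side last). Returns the
    (start, end, distance) marking fields the victim sees; all None if never marked."""
    start, end, dist = None, None, None
    for router in path:
        if rng.random() < p:
            start, end, dist = router, None, 0   # begin a new edge, reset the counter
        elif dist is not None:
            if dist == 0:
                end = router                       # complete the edge begun one hop upstream
            dist += 1
    return start, end, dist

def reconstruct(marks, victim="V"):
    """Build the graph rooted at the victim. Edges are placed by increasing distance; an edge
    is accepted only if its end is already a placed node (the victim itself for distance 0)."""
    by_dist = defaultdict(set)
    for start, end, dist in marks:
        if start is not None:
            by_dist[dist].add((start, end if end is not None else victim))
    upstream, placed = defaultdict(set), {victim}
    for dist in sorted(by_dist):
        for start, end in by_dist[dist]:
            if end in placed:
                upstream[end].add(start)
                placed.add(start)
    return upstream

def attack_paths(upstream, node="V"):
    """Traverse from the root outward; each leaf yields one attack path (victim first)."""
    if not upstream.get(node):
        return [[node]]
    return [[node] + rest for nxt in sorted(upstream[node]) for rest in attack_paths(upstream, nxt)]

def packets_bound(p, d):
    """Slide 19 bound on the expected number of packets: ln(d) / (p (1-p)^(d-1))."""
    return math.log(d) / (p * (1 - p) ** (d - 1))

def simulate(paths, p, n_packets, seed=7):
    """Send n_packets along each constructed attack path and run the victim-side reconstruction."""
    rng = random.Random(seed)
    marks = [edge_sampling_forward(path, p, rng) for path in paths for _ in range(n_packets)]
    return attack_paths(reconstruct(marks))
```

Calling simulate([["R10", "R8", "R6"], ["R12", "R9", "R6"]], 0.3, 2000) recovers both paths from the victim outward; an edge whose end is not already placed (for instance a tuple with a distance that matches no node) is dropped during reconstruction.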

Slide 20: Experimental convergence time
[Figure: plot of experimental convergence time; the data are not recoverable from the transcript]

Slide 21: Summary of marking
- Can determine the attack path with a relatively small number of attack packets
- Need to include addresses and a counter in the IP datagram
- Suggestion: compress to 16 bits and include in the fragmentation fields (see paper)
- See "Practical Network Support for IP Traceback" by Savage et al.
