Presentation is loading. Please wait.

Presentation is loading. Please wait.

Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides.

Published byShawn Goldsby Modified over 9 years ago

Similar presentations

Presentation on theme: "Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides."— Presentation transcript:

1 Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides courtesy of Teng Fei - Umass April, 2002 1

2  Denial of Service (DoS) attack  Remotely consume resource of server or network  Increase in number and frequency  Simple to implement  DoS attacks are difficult to trace:  Indirection  Attacking packets sent from slave machines, which under the control of a remote master machine  Spoof of IP source addresses  Disguise their location using incorrect IP addresses, hence the true origin is lost 2

3  Mark packets with router address  deterministically or probabilistically  Trace attack using marked packets  Pros  Require no cooperation with ISPs  Does not cause heavy network overhead  Can trace attack “post mortem” 3

4 A1A1 A2A2 A3A3 R5R5 R3R3 R6R6 R7R7 R4R4 R2R2 R1R1 attack origin 4 victim V

5 A1A1 A2A2 A3A3 R5R5 R3R3 R6R6 R7R7 R4R4 R2R2 R1R1 V attack path exact traceback R 6, R 3, R 2, R 1 5

6 A1A1 A2A2 A3A3 R5R5 R3R3 R6R6 R7R7 R4R4 R2R2 R1R1 V approx. traceback R 5, R 6, R 3, R 2, R 1 6

7  I. Marking procedure  by routers  add information to packets  II. Path reconstruction procedure  by victim  use information in marked packets  convergence time : # of packets to reconstruct the attack path 7

8  I. Node Append  II. Node Sampling  III. Edge Sampling 8

9  Append address of each node to the end of the packet  Complete, ordered list of routers attack path original packet router list 9

10  Pros  complete, ordered attack path  converge quickly (single packet)  Cons  infeasibly high router overhead  attacks can create false path information 10

11  Reserve node file in packet header  Router write address in node field with probability p  Reconstruct path using relative # of node samples  Only require additional write, checksum update 11

12 R1R1 R1R1 R2R2 R3R3 12

13 R1R1 R1R1 R2R2 R3R3 13

14 R1R1 R1R1 R2R2 R3R3 14

15 R1R1 R3R3 R2R2 R3R3 15

16  Cons :  Slow convergence  need many packets  usually order of 10,000 - 100,000  Can not trace multiple attackers ▪ 16

17  Edge represent routers at each end of the link  Store edges instead of nodes  start and end addresses of edge routers  distance from edge to victim 17 R1R1 R2R2

18  A router writes its own address in the start field, and 0 into the distance field  Distance field of 0 means the packet is already marked  router writes its own address in the end address field and increase the distance field by 1  Other routers may then reset these fields. Otherwise, the distance field is incremented 18

19 R1R1 R2R2 R3R3 R1R1 #1 19

20 R1R1 R2R2 R3R3 R1R1 #10 20

21 R1R1 R2R2 R3R3 R1R1 R2R2 1 21

22 R1R1 R2R2 R3R3 R1R1 R2R2 2 22

23  Consider G is a graph with root v  Insert tuples (start, end, distance) into G  Remove any edge ( x, y, d ) with d != distance from x to v in G  Extract path from G 23

24  Pros  Converge much faster than node sampling  Efficiently discern multiple attacks  Cons  Space: requires additional space in the IP header- 72 bits of space in every IP packet (2 x 32 bit IP address and 8 bit for distance)  Compatibility ▪ 24

25  Overload the IP identification field  used for fragmentation  Decreases the space requirement  store the XOR of the edge addresses (edge-id)- B XOR A XOR B = A  Pros:  Reduced space  Cons:  Increases reconstruction time 25

26 a b cdv attack path resulting XOR edges a XOR b b XOR cc XOR dd 26

27 a XOR b b XOR c c XOR dd c reconstructed path b a 27

28  Reduce per packet space more by dividing the edge-id (XORed address) into k non- overlapping packets, and store only 1 of them  Need offset of fragment 28

29  Problem: Edge-id fragments are not unique  with multiple attackers, multiple edge fragments with the same offset and distance  Solutoin: Bit-interleave hash code with IP address 29

30 0000...1111 Address Hash(Address) 0011…1100 00000101...11111010 Bit-interleave send k fragments into network 0k-1 30

31  Combine all permutations of fragments at each distance with disjoint offset values  Check that the hash matches hash of the address 31

32 0000...1111 Address? Hash(Address)? 0011…1100 00000101...11111010 0 k-1 Hash(Address?) 0011…1100 =? No, reject Yes, correct address 32

33  Overload the 16-bit identification field  used to differentiate IP fragments 33

34  Simulator  Create random paths  Originate attacks  Marking probability is 1/25  1,000 random test runs  vary path lengths 34

35 number of packets to reconstruct paths 35

36  Thanks for listening  Questions? 36

37  Suffix validation  spoof end edges  include a router “secret”  Attack origin (host)  Find attacker (person) 37

38  Steven M. Bellovin ICMP Traceback Message AT&T http://www.research.att.com/~smb/papers/draft-bellovin-itrace- 00.txt http://www.research.att.com/~smb/papers/draft-bellovin-itrace- 00.txt  Alex Snoeren Hash-Based IP Traceback BBN SigCOMM http://www.acm.org/sigcomm/sigcomm2001/p1-snoeren.pdf http://www.acm.org/sigcomm/sigcomm2001/p1-snoeren.pdf 38

39  Stefan Savage Practical Network Support For IP Traceback http://www.cs.washington.edu/homes/savage/papers/UW-CSE- 00-02-01.pdf http://www.cs.washington.edu/homes/savage/papers/UW-CSE- 00-02-01.pdf  Sara Sprenkle Practical Network Support Duke University http://www.duke.edu/~ses12/presentations/nerdSavage.ppt http://www.duke.edu/~ses12/presentations/nerdSavage.ppt  Hal Burch IP Traceback Carnegie Mellon University http://axp.missouri.edu/~cecs481/Talks/rrp83a.ppt http://axp.missouri.edu/~cecs481/Talks/rrp83a.ppt 39

40  Ingress filtering  Link testing  input debugging  controlled flooding  Logging 40

41  Block packets with invalid source addresses  Pros  Moderate management/network overhead  Cons  require widespread deployment  hard to do in backbone/transit network 41

42  Start from victim and test upstream links  Recursively repeat until source is located  Assume attack remains active until trace complete 42

43  Victim recognize attack signature  Install filter on upstream router  Pros  May use software to help coordinate  Cons  Require cooperation between ISPs  Considerable management overhead 43

44  Flooding link with large bursts of traffic during attack  Observe attacking packet rate change to determine the source  Pros  Ingenious  Cons  Itself a denial of service - possible worse 44

45  Key routers logging packets  Data mining to analysis  Pros  Post mortem  Cons  High resource demand 45

46  Sample packets with low probability  Copy data and path information in a new ICMP packet  Pros  reconstruct path information with large amount of packet  Cons  ICMP may be filtered 46

47  Attacker may generate any packet  Multiple attackers may conspire  Attackers may be aware they are being traced  packets may be lost or reordered 47

48  Attackers send numerous packets  Route between attacker and victim is fairly stable  Routers have limited CPU and memory  Routers are not widely compromised 48

49  Backwards compatibility  Two problems  Writing same values into id fields of frags from different datagrams  Writing different values into id fields of frags of same datagrams 49

50  Copy data into ICMP packet  Check the checksum at higher level  etc 50

51  Longer convergence time  divide edge-id into 8 fragments  attacker’s distance is 10 hops  2150 packets to converge with 95% certanty  few seconds  Robust with multiple attackers 51

Download ppt "Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides."

Similar presentations

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.
A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,

A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,
Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, Hari Balakrishnan MIT and Berkeley presented by Daniel Figueiredo Chord: A Scalable Peer-to-peer.

Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, Hari Balakrishnan MIT and Berkeley presented by Daniel Figueiredo Chord: A Scalable Peer-to-peer.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented.

IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented.
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
Chapter 20 Network Layer: Internet Protocol Stephen Kim 20.1.

Chapter 20 Network Layer: Internet Protocol Stephen Kim 20.1.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
IP Spoofing CIS 610 Week 2: 13-JAN-2004. Definition and Background n Def’n: The forging of the IP Source Address field in an IP packet n First mentioned.

IP Spoofing CIS 610 Week 2: 13-JAN Definition and Background n Def’n: The forging of the IP Source Address field in an IP packet n First mentioned.
15-441: Computer Networking Lecture 26: Networking Future.

15-441: Computer Networking Lecture 26: Networking Future.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
EEC-484/584 Computer Networks Lecture 10 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.

EEC-484/584 Computer Networks Lecture 10 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.
IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.

IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.
8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.

8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.
Shivkumar KalyanaramanRensselaer Q1-1 ECSE-6600: Internet Protocols Quiz 1 Time: 60 min (strictly enforced) Points: 50 YOUR NAME: Be brief, but DO NOT.

Shivkumar KalyanaramanRensselaer Q1-1 ECSE-6600: Internet Protocols Quiz 1 Time: 60 min (strictly enforced) Points: 50 YOUR NAME: Be brief, but DO NOT.
CS335 Networking & Network Administration Tuesday, May 11, 2010.

CS335 Networking & Network Administration Tuesday, May 11, 2010.
Examining IP Header Fields

Examining IP Header Fields
Internet Networking Spring 2003

Internet Networking Spring 2003
On the Effectiveness of Route- Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets Kihong Park and Heejo Lee Network Systems.

On the Effectiveness of Route- Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets Kihong Park and Heejo Lee Network Systems.
SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 1 Agenda Last time: finished brief overview.

SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 1 Agenda Last time: finished brief overview.

Similar presentations

Ads by Google