Presentation is loading. Please wait.

Presentation is loading. Please wait.

04/22/2001ecs289K: Intention Driven iTrace1 ecs298k Intention-Driven iTrace lecture #6 Dr. S. Felix Wu Computer Science Department University of California,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "04/22/2001ecs289K: Intention Driven iTrace1 ecs298k Intention-Driven iTrace lecture #6 Dr. S. Felix Wu Computer Science Department University of California,"— Presentation transcript:

1 04/22/2001ecs289K: Intention Driven iTrace1 ecs298k Intention-Driven iTrace lecture #6 Dr. S. Felix Wu Computer Science Department University of California, Davis http://www.cs.ucdavis.edu/~wu/ wu@cs.ucdavis.edu

2 04/22/2001ecs289K: Intention Driven iTrace2 A Statistic Problem with iTrace Routers closer to the victims have higher probability to generate iTrace packets toward the true victims. Routers closer to the DDoS slaves might have relatively small probability (smaller than the routers around the victims) to generate “useful” iTrace packets.

3 04/22/2001ecs289K: Intention Driven iTrace3 “Usefulness” Let’s think??

4 04/22/2001ecs289K: Intention Driven iTrace4 Two answers It carries attack packets. It carries attack packets from a router that is very close to the original slaves

5 04/22/2001ecs289K: Intention Driven iTrace5 Two measures P(U-iTrace) –When an iTrace message is generated, what is the probability that this iTrace message is “useful” (i.e., it carries an attack packet)? P(U-iT-sec) –What is probability for a router to generate at least ONE “useful” iTrace message in a second?

6 04/22/2001ecs289K: Intention Driven iTrace6 Example: Multi-S Single-V SlaveR1R1 R2R2 Victim 1K attack-pkt/sec 19K normal-pkt/sec P(U-iTrace) = 5% #iTrace/sec = 1 P(U-iT-sec) = 5% 4K attack-pkt/sec 196K normal-pkt/sec P(U-iTrace) = 2% #iTrace/sec = 10 P(U-iT-sec) = 18% 200K attack-pkt/sec 200K normal-pkt/sec P(U-iTrace) = 50% #iTrace/sec = 20 P(U-iT-sec) = 99.999% 980K attack-pkt/sec 20K normal-pkt/sec P(U-iTrace) = 98% #iTrace/sec = 50 P(U-iT-sec) = 100%

7 04/22/2001ecs289K: Intention Driven iTrace7 Motivation About (K* 0.005%) of our network resources will be spent on iTrace packets. Then, we hope we can spend the resources on more “useful” iTrace packets.

8 04/22/2001ecs289K: Intention Driven iTrace8 Three Types of Nodes DDoS victim with the intention to trace the slaves. DDoS victim without the intention. non-DDoS victims (assuming they do not have the intention as well -- and very likely they hope they won’t receive ones).

9 04/22/2001ecs289K: Intention Driven iTrace9 Intention-driven iTrace Different destination hosts, networks, domains/ASs have different “intention levels” in receiving iTrace packets. –We propose to add one “iTrace-intention” bit. Some of them might not care about iTrace, and some of them might not be under DDoS attacks, for example.

10 04/22/2001ecs289K: Intention Driven iTrace10 a little mathematics... S2V: 2% S2B:48% S2C:25% S2D:25% I: 1 I: 0 I: 1 Intention for receiving iTrace. V’s probability to receive iTrace packets: 7.41% 0.02 / (0.02 + 0 + 0 + 0.25) = 0.0741 P iTrace (V) = (P traffic (V) * I(V)) / (P traffic (n) * I(n))

11 04/22/2001ecs289K: Intention Driven iTrace11 Example: Multi-S Two-V SlaveR1R1 R2R2 Victim 4K att-v1-pkt/sec 50K att-v2-pkt/sec 146K normal-pkt/sec P(U-iTrace) = 2% #iTrace/sec = 10 P(U-iT-sec) = 18% I(Victim-1) = 1 P(U-iTrace) = 7.4% P(U-iT-sec) = 53.7% P(U-iTrace) = 25% #iTrace/sec = 10 P(U-iT-sec) = 95% I(Victim-2) = 1 P(U-iTrace) = 92.6% P(U-iT-sec) = 100.0%

12 04/22/2001ecs289K: Intention Driven iTrace12

13 04/22/2001ecs289K: Intention Driven iTrace13

14 04/22/2001ecs289K: Intention Driven iTrace14

15 04/22/2001ecs289K: Intention Driven iTrace15

16 04/22/2001ecs289K: Intention Driven iTrace16

17 04/22/2001ecs289K: Intention Driven iTrace17 Issues How to determine the intention bit? –Policy to set the bit. How to distribute the intention bits to routers globally? –Utilize/extend BGP! How to use the intention bits at each router?

18 04/22/2001ecs289K: Intention Driven iTrace18 How to distribute I(n)? YABE: (Yet Another BGP Extension) –For every BGP route update, we include I(n) as a new string in the community attribute: 0x[iTrace-Intention]:0x[0-1] (optional & transitive) –These I(n) values will be forwarded or even aggregated by the routers who understand this new community attribute. aggregation: I(new) = max {I(n)} –Rate-Limiting on Intention Update: should not be more frequent than Keep-Alive messages. should not trigger any major route computation.

19 04/22/2001ecs289K: Intention Driven iTrace19 The iTrace Statistics Model Packet buffering Routing table lookup Forward process iTrace Stochastic Process Should this packet be iTraced? Yes, we should generate an iTrace for this packet?

20 04/22/2001ecs289K: Intention Driven iTrace20 iTrace Trigger Packet buffering Routing table lookup Forward process iTrace Stochastic Process If yes, pick the N th packet in the buffer…. Should we generate an iTrace message now? iTrace Trigger

21 04/22/2001ecs289K: Intention Driven iTrace21 A simple design BGP table I(n) iTrace bit iTrace Process Add two bits to the routing table: (1). I(n): Intention Bit Value associated with this entry (2). iTrace bit: whether we need to generate an iTrace message for this entry now. per ~20K pkts

22 04/22/2001ecs289K: Intention Driven iTrace22 Handling an iTrace Trigger BGP table I(n) iTrace bit iTrace Process If all I(n)’s are zero, shut-off the iTrace trigger process. Set the iTrace bit on all the entries with I(n) = 1.

23 04/22/2001ecs289K: Intention Driven iTrace23 152.1.23.0/2410 169.20.3.0/2400 192.1.0.0/1600 207.3.4.183/2010 152.1.0.0/1610 155.0.0.0/1600 152.1.23.0/2411 169.20.3.0/2400 192.1.0.0/1600 207.3.4.183/2011 152.1.0.0/1611 155.0.0.0/1600 (1). Before iTrace trigger: (2). After iTrace trigger: I(n) iTrace bit

24 04/22/2001ecs289K: Intention Driven iTrace24 152.1.23.0/24 169.20.3.0/24 192.1.0.0/16 207.3.4.183/20 152.1.0.0/16 155.0.0.0/16 (3). After iTrace sent: 10 00 00 10 10 00 I(n) iTrace bit

25 04/22/2001ecs289K: Intention Driven iTrace25 Processing Overhead Processing for each data packet: 1. if the iTrace flag bit is 1, (1). send an iTrace message for this data packet. (2). reset all the iTrace bits to 0. 1/20K iTrace message trigger occurs: 1. Set all the iTrace bits on if I(n) = 1.

26 04/22/2001ecs289K: Intention Driven iTrace26 The Aggregation Problem SlaveR1R1 R2R2 Victim 4K att-v1-pkt/sec 50K att-v2-pkt/sec 146K normal-pkt/sec P(U-iTrace) = 2% #iTrace/sec = 10 P(U-iT-sec) = 18% I(Victim-1) = 1 P(U-iTrace) = 7.4% for 4K traffic. P(U-iT-sec) = 53.7% 4K att-v1-pkt/sec 16K agg-v1-pkt/sec 50K att-v2-pkt/sec 130K normal-pkt/sec P(U-iTrace) = 2% #iTrace/sec = 10 P(U-iT-sec) = 18% I(Victim-1) = 1 P(U-iTrace) = 5.7% for 20K traffic. P(U-iT-sec) = 44.4%

27 04/22/2001ecs289K: Intention Driven iTrace27 Summary for Intention iTrace Improve the probability of “useful” iTrace. Require some “minor” changes to the router forwarding process. Require another BGP extension. –We need to verify that this extension will be interoperable well with existing BGP nodes. The amount of generated iTrace messages should be no more than the current iTrace proposal.

Download ppt "04/22/2001ecs289K: Intention Driven iTrace1 ecs298k Intention-Driven iTrace lecture #6 Dr. S. Felix Wu Computer Science Department University of California,"

Similar presentations

Network II.5 simulator ..

Network II.5 simulator ..
04/12/2001ecs289k, spring 20011 ecs298k: BGP Routing Protocol (2) lecture #4 Dr. S. Felix Wu Computer Science Department University of California, Davis.

04/12/2001ecs289k, spring ecs298k: BGP Routing Protocol (2) lecture #4 Dr. S. Felix Wu Computer Science Department University of California, Davis.
IP Forwarding Relates to Lab 3.

IP Forwarding Relates to Lab 3.
RIP V2 W.lilakiatsakun.  RFC 2453 (obsoletes –RFC 1723 /1388)  Extension of RIP v1 (Classful routing protocol)  Classless routing protocol –VLSM is.

RIP V2 W.lilakiatsakun.  RFC 2453 (obsoletes –RFC 1723 /1388)  Extension of RIP v1 (Classful routing protocol)  Classless routing protocol –VLSM is.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
IP datagrams Service paradigm, IP datagrams, routing, encapsulation, fragmentation and reassembly.

IP datagrams Service paradigm, IP datagrams, routing, encapsulation, fragmentation and reassembly.
NETWORK LAYER (1) T.Najah AlSubaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.

NETWORK LAYER (1) T.Najah AlSubaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.
Fundamentals of Computer Networks ECE 478/578 Lecture #13: Packet Switching (2) Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.

Fundamentals of Computer Networks ECE 478/578 Lecture #13: Packet Switching (2) Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
21-23 November, 2012, 5th IDCS, Wu Yi Shan, China Smartening the Environment using Wireless Sensor Networks in a Developing Country Presented By Al-Sakib.

21-23 November, 2012, 5th IDCS, Wu Yi Shan, China Smartening the Environment using Wireless Sensor Networks in a Developing Country Presented By Al-Sakib.
CECS 474 Computer Network Interoperability Notes for Douglas E. Comer, Computer Networks and Internets (5 th Edition) Tracy Bradley Maples, Ph.D. Computer.

CECS 474 Computer Network Interoperability Notes for Douglas E. Comer, Computer Networks and Internets (5 th Edition) Tracy Bradley Maples, Ph.D. Computer.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
02/15/2007ecs2361 Tracing & Traceability S. Felix Wu UC Davis

02/15/2007ecs2361 Tracing & Traceability S. Felix Wu UC Davis
MANETs Routing Dr. Raad S. Al-Qassas Department of Computer Science PSUT

MANETs Routing Dr. Raad S. Al-Qassas Department of Computer Science PSUT
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
08/02/2001S. Felix Wu and Dan Massey1 iTrace Probability: 1/20,000 For routers closer to the victim, useful iTrace messages will be produced very frequently.

08/02/2001S. Felix Wu and Dan Massey1 iTrace Probability: 1/20,000 For routers closer to the victim, useful iTrace messages will be produced very frequently.
CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.

CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.
Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack.

Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack.
CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.

CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.
02/06/2006ecs236 winter 20061 Intrusion Detection ecs236 Winter 2006: Intrusion Detection #4: Anomaly Detection for Internet Routing Dr. S. Felix Wu Computer.

02/06/2006ecs236 winter Intrusion Detection ecs236 Winter 2006: Intrusion Detection #4: Anomaly Detection for Internet Routing Dr. S. Felix Wu Computer.
03/19/2001ICMP Traceback Working Group, IETF'50, Minneapolis, MN 1 Intention-Driven iTrace S. Felix “Last Minutes” Wu UC Davis

03/19/2001ICMP Traceback Working Group, IETF'50, Minneapolis, MN 1 Intention-Driven iTrace S. Felix “Last Minutes” Wu UC Davis

Similar presentations

Ads by Google