Presentation is loading. Please wait.

Presentation is loading. Please wait.

SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 1 Agenda Last time: finished brief overview.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 1 Agenda Last time: finished brief overview."— Presentation transcript:

1 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 1 Agenda Last time: finished brief overview of buffer-overflow attacks Today: IP Traceback

2 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 2 What and Why IP Traceback: operation of tracing the source of an IP packet Why is this important and useful? If done properly, can be used to limit DDoS attacks Post-mortem analysis, investigation into other kinds network of attacks Potential drawback? Abused by repressive regimes/organization Why is it difficult? Potentially resource-intensive, target for DoS itself Internet is stateless Backward compatibility (think of source-routing) Avoid the new scheme itself being “spoofed” The “true” identity of an attacker may be unknown, still

3 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 3 Overview of existing approaches 1. Ingress filtering 2. Input debugging 3. Controlled flooding 4. Logging 5. ICMP traceback 6. Probabilistic Packet Marking (PPM) 7. Hash-based [one of your reading assignments]

4 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 4 Ingress filtering Routers block packets that arrive with illegitimate sources addresses Requires the interface to be configured with a range of valid IPs Quite feasible at customer network at the edge Drawbacks At higher level ISP, traffic load is higher, “valid” IP range is ambiguous With hundreds or thousands of customers, one can forge IP of another without much troubles Not all ISPs do this. Many don’t because there’s administrative burden, no economic incentive, interfere with services requiring spoofing (mobile IP)

5 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 5 Input debugging Use “input debugging” feature of routers to do traceback Input debugging allows operators to filter particular packets (with some kind of signature) on some egress port and determine which ingress port they come from Manually: call the upstream router operator Automatically: some ISPs have tools to do this Drawbacks: Often too slow Management overhead Coordination with other ISPs is difficult, and very slow

6 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 6 Controlled Flooding Selectively flood a link to observe attack traffic, with the help of some Internet map This does not require intermediate operator intervention Drawbacks This is a form of DoS itself Requires the map, which itself is non-trivial Poorly suited for DDoS Only effective for on-going attacks, cannot be use for post-mortem analysis

7 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 7 ICMP Traceback Every router samples with low probability (1/20K) one of the packets it’s forwarding Copy the content into a special ICMP traceback along the path to the destination, containing Back link, forward link, authentication, Destination then use this info to do traceback Drawbacks ICMP traffic is also differentiated and may be filtered Requires input-debugging which may not be available in some router architecture Requires key distribution architecture to avoid itself being attacked However, this is quite effective

8 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 8 Probabilistic Packet Marking (PPM) Idea proposed by Burch & Cheswick First scheme proposed by Stefan Savage et al We’ll look at this idea in details

9 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 9 PPM: Assumptions An attacker may generate any packet Multiple attackers may conspire Attackers are aware that they’re being traced Packets may be lost or re-ordered Attackers send numerous packets Route between attacker(s) and receiver is fairly stable Routers and both CPU and memory limited Routers are not widely compromised Compatible with current IP protocol

10 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 10 PPM: Node Append The most basic algorithm Each router appends its IP into the packet Pros: Robust and quick to converge Cons: High router overhead Interfere with MTU discovery, IP fragmentation, …

11 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 11 PPM: Node sampling Reserve some 32-bit field in each IP packet A router randomly puts its IP in this field with probability p Victim receive multiple packets, use this database to approximately reconstruct the path. How? Probability of receiving a packet d hops away is p(1-p) d-1, p shoulde be > ½. This probability is monotonic in d, we can use the frequency of IPs to reconstruct path to the destination Drawbacks Inferring is a slow process Requires a sufficient number of received packets, e.g. for d=15, p = 0.51, we need 42000 packets before the furthest router is “seen” at the target Not effective against multiple attackers: routers at the same distance from different source are sampled with the same rate

12 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 12 PPM: Edge Sampling Idea: sample the “edges” on the paths instead of nodes: Reserve 2 32-bit fields on every packet, FROM & TO One more field (8 bits) called HOP Sampling is done as follows. Fix a probability p Chose x at random in [0, 1) If x < p then write IP into packet.FROM Else if packet.HOP = 0 then write IP into packet.TO packet.HOP++

13 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 13 PPM: Edge Sampling Time to converge dominated by time to receive a sample from the furthest router, roughly 1/[p(1-p) d-1 ] Expected number of packets required to work properly is at most ln(d)/[p(1-p) d-1 ] Choose p = 1/d for optimal result In practice, choose p=1/25 (as path lengths often <= 25) Pros Single attacker: any packet written by attacker will necessarily has distance at least the distance of true attack path Multiple attacker: the above applies to the closest attacker Quite robust Cons Not backward compatible (requires > 64 more bits)

14 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 14 Encoding Issues Compress edge segment sampling: 3 techniques Next router fills FROM XOR TO into the 32-bit space Partition address into k fragments, sends fragment along with fragment offset, next-hop router use the the offset to send the right fragment. Over time, all fragments of all edge IDs are received. XORing makes edge ID not unique, compute a hash of an IP, interleave it with actual IP, then do fragmentation Expected # of packets needed to reconstruct path is k ln(kd)/[p(1-p) d-1 ] For instance, if k=8, d=10, p=1/25, then we need about 1300 packets on average In practice: overload 16-bit identification field in each IP packet with 3-bit offset (k=8), 5 bit distance (32 hops), 8-bit edge fragment

15 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 15 Formalization of the Problem b: number of extra header bits in each packet n: number of bits used to describe a path Investigate the tradeoff between b, convergence time, and total number of packets needed to reconstruct the attack path(s) with high probability

16 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 16 Interesting Results by Micah Adler Single path attacks: b=1 works! Requires θ((2+ε) 2n ) packets for any ε Showed that, for b=1, Ώ(2 n ) packets is necessary For general b, Adler gave a protocol that uses O(bn 2 2 b (2+ε) 4n/2^b ) packets, and showed Ώ(2 b 2 n/2^b ) is necessary Multiple path attacks, say k paths At least log(2k-1) header bits is needed [regardless of the number of received packets] For a restricted class of attacker strategies, log(2k+1) bits are sufficient

17 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 17 Open Problems Close the upper-lower bound gap when b=1, single path attack For multiple path attacks, there’s still a lot to be done, e.g. Devise protocols for all attacker’s strategies Computational complexity has not been addressed properly …

18 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 18 Brainstorming What kind of information does the victim need? Where can we store this information? How can the routers be instructed to store this information? This is the protocol How effective is the protocol? This requires probabilistic analysis, information theoretic analysis Drawbacks of PPM-related schemes? Requires large number of packets Not exact science

19 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 19 A Simple Model for Upper Bounding Assumptions [to be relaxed later] Packet delivery paths form a tree rooted at the victim v Assume the tree is full-binary, depth = n Each path can be encoded with B 1 B 2 …B n Want routers to send victim the string B 1 B 2 …B n Protocol Idea: encode the string into a probability of victim receiving bit-1 packets What’s the most natural way to do this? Prob[packet with bit-1 received] = the binary number represented by B 1 B 2 …B n divided by 2 n, i.e. How do we realize this?

20 SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 20 A Simple Protocol Each router knows its bit B i With probability ½, it forwards the bit as it is With probability ½, it set the bit to be B i If original bit is 0, then p is as expected If original bit is 1, then p is as expected + 1/2 n Need to “fix” this case Next time [I’ll talk a little bit about information theory]

Download ppt "SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 1 Agenda Last time: finished brief overview."

Similar presentations

A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,

A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
Introduction to IPv6 Presented by: Minal Mishra. Agenda IP Network Addressing IP Network Addressing Classful IP addressing Classful IP addressing Techniques.

Introduction to IPv6 Presented by: Minal Mishra. Agenda IP Network Addressing IP Network Addressing Classful IP addressing Classful IP addressing Techniques.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented.

IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented.
Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides.

Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides.
UNIT-IV Computer Network Network Layer. Network Layer Prepared by - ROHIT KOSHTA In the seven-layer OSI model of computer networking, the network layer.

UNIT-IV Computer Network Network Layer. Network Layer Prepared by - ROHIT KOSHTA In the seven-layer OSI model of computer networking, the network layer.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
IP Spoofing CIS 610 Week 2: 13-JAN-2004. Definition and Background n Def’n: The forging of the IP Source Address field in an IP packet n First mentioned.

IP Spoofing CIS 610 Week 2: 13-JAN Definition and Background n Def’n: The forging of the IP Source Address field in an IP packet n First mentioned.
© MMII JW RyderCS 428 Computer Networking1 The Future of TCP/IP (IPv6)  Chapter 33  Evolution of TCP/IP intertwined with evolution of the global Internet.

© MMII JW RyderCS 428 Computer Networking1 The Future of TCP/IP (IPv6)  Chapter 33  Evolution of TCP/IP intertwined with evolution of the global Internet.
15-441: Computer Networking Lecture 26: Networking Future.

15-441: Computer Networking Lecture 26: Networking Future.
1 6/14/2015 06:27 CS575Internetworking & Routers1 Rivier College CS575: Advanced LANs Chapter 13: Internetworking & Routers.

1 6/14/ :27 CS575Internetworking & Routers1 Rivier College CS575: Advanced LANs Chapter 13: Internetworking & Routers.
IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.

IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.
Shivkumar KalyanaramanRensselaer Q1-1 ECSE-6600: Internet Protocols Quiz 1 Time: 60 min (strictly enforced) Points: 50 YOUR NAME: Be brief, but DO NOT.

Shivkumar KalyanaramanRensselaer Q1-1 ECSE-6600: Internet Protocols Quiz 1 Time: 60 min (strictly enforced) Points: 50 YOUR NAME: Be brief, but DO NOT.
CS335 Networking & Network Administration Tuesday, May 11, 2010.

CS335 Networking & Network Administration Tuesday, May 11, 2010.
On the Effectiveness of Route- Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets Kihong Park and Heejo Lee Network Systems.

On the Effectiveness of Route- Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets Kihong Park and Heejo Lee Network Systems.
Sociological Influences on Mobile Wireless Networks Chunming Qiao, Ph.D., Professor University at Buffalo (SUNY) Director, Laboratory for Advanced Network.

Sociological Influences on Mobile Wireless Networks Chunming Qiao, Ph.D., Professor University at Buffalo (SUNY) Director, Laboratory for Advanced Network.
Practical Network Support for IP Traceback Internet Systems and Technologies - Monitoring.

Practical Network Support for IP Traceback Internet Systems and Technologies - Monitoring.
Layer-3 Routing Natawut Nupairoj, Ph.D. Department of Computer Engineering Chulalongkorn University.

Layer-3 Routing Natawut Nupairoj, Ph.D. Department of Computer Engineering Chulalongkorn University.
1 Chapter Overview IP (v4) Address IPv6. 2 IPv4 Addresses Internet Protocol (IP) is the only network layer protocol with its own addressing system and.

1 Chapter Overview IP (v4) Address IPv6. 2 IPv4 Addresses Internet Protocol (IP) is the only network layer protocol with its own addressing system and.

Similar presentations

Ads by Google