1
Hash-Based IP Traceback
Alex C. Snoeren+, Craig Partridge, Luis A. Sanchez++, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent and W. Timothy Strayer
BBN Technologies; + MIT Laboratories; ++ Megisto Systems
Published at SIGCOMM 2001
2
Who is attacking?
- IP Traceback
  - Trace the path of IP packet(s) back to their source
- Why is this difficult?
  - IP networks are stateless
  - Spoofed source addresses
  - Many administrative layers
3
Approach: Log-Based Traceback
(Figure: victim V, attacker A and routers R1 to R7; every router on the forwarding path logs the packets it forwards, so the path is reconstructed hop by hop from the victim back towards the attacker.)
4
Logging Challenges
- Attack path reconstruction is difficult
  - Packets may be transformed as they move through the network
- Full packet storage is problematic
  - Memory requirements are prohibitive at high line speeds (OC-192 is ~10 Mpkt/sec)
- Extensive packet logs are a privacy risk
  - Traffic repositories may aid eavesdroppers
5
Source Path Isolation Engine (SPIE) Goals
- Trace a single IP packet back to its source
  - Asymmetric attacks (e.g. Fraggle, Teardrop, ping-of-death)
- Minimal cost (resource usage)
- Maintain privacy (prevent eavesdropping)
- Robustness (minimal false positives, no false negatives)
6
Assumptions
- Network:
  - Packets can be addressed to one or more hosts (multicast, broadcast)
  - Duplicate packets may exist in the network
  - Router infrastructure is unstable
- Attacker:
  - Aware of traceback mechanisms
  - Routers may be subverted
- Mechanism:
  - Packet size should not grow because of traceback
7
Goals
- Find the attack graph for a single packet
- Minimal cost (resource usage)
- Maintain privacy (prevent eavesdropping)
- Robustness (minimal false positives, no false negatives)
8
SPIE Architecture
- DGA: Data Generation Agent
  - Computes and stores digests of each packet on the forwarding path
  - One DGA deployed per router
- SCAR: SPIE Collection and Reduction agent
  - Long-term storage for the packet digests that are needed
  - Assembles the attack graph for its local topology
- STM: SPIE Traceback Manager
  - Interfaces with the IDS
  - Verifies integrity and authenticity of the traceback call
  - Sends requests to the SCARs for local graphs
  - Assembles the attack graph from SCAR input
9
(Figure: an IDS, one STM, several SCARs, and DGAs co-located with routers; the traceback sequence runs as follows.)
1. IDS identifies the attack packet
2. IDS sends packet, time and last hop to the STM
3. STM authenticates and verifies the IDS request
4. STM provisions the SCARs to collect local DGA digests
5. SCARs collect digest tables, time intervals and hash functions from the DGAs
6. SCARs identify routers holding the packet's digest and construct local graphs
7. STM collects the SCAR local graphs
8. STM assembles the local graphs and queries for missing information
9. STM sends the attack graph to the IDS
10
Goals
- Find the attack graph for a single packet
- Minimal cost (resource usage)
- Maintain privacy (prevent eavesdropping)
- Robustness (minimal false positives, no false negatives)
11
Data Generation Agents
- Compute a "packet digest" for every forwarded packet
- Store it in a Bloom filter
- Flush the filter every time interval t
12
Packet Digests
- Compute hash(p)
  - Over the invariant fields of p only
  - 28 bytes of hash input; 0.00092% WAN collision rate
  - Fixed-size hash output of n bits
- Compute k independent digests
  - Increased robustness
  - Fewer collisions, so a lower false positive rate
13
Hash input: Invariant Content
(Figure: the IPv4 header laid out field by field: Ver, HLen, TOS, Total Length, Identification, DF, MF, Fragment Offset, TTL, Protocol, Checksum, Source Address, Destination Address, Options; followed by the payload. The 28 bytes of hash input are the invariant header fields plus the first 8 bytes of payload; the remainder of the payload is not hashed.)
14
Hashing Properties
- Each hash function
  - Maps input uniformly onto its output range
  - H1(x) = H1(y) for some x, y is unlikely
- Use k independent hash functions
  - Collisions among the k functions are independent
  - H1(x) = H2(y) for some x, y is unlikely
- Cycle the k functions every time interval t
15
Digest Storage: Bloom Filters
- Fixed structure size
  - Uses a 2^n-bit array
  - Initialized to zeros
- Insertion
  - Use each n-bit digest as an index into the bit array
  - Set that bit to 1
- Membership
  - Compute the k digests d1, d2, ..., dk
  - If filter[di] = 1 for all i, the router forwarded the packet
(Figure: an n-bit digest selects one of the 2^n bit positions; H1(P), H2(P), H3(P), ..., Hk(P) each set one bit.)
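As an added illustration of the DGA side described on the preceding slides (packet digests over invariant content, k digests, Bloom filter storage and membership test), and not code from the paper or the SPIE project, the following Python builds a constructed IPv4 packet, masks the fields that change hop by hop to obtain the 28-byte digest input, stores k digests in a 2^n-bit filter and runs the membership test. The salted-SHA-256 construction of the k digests, the choice n = 16, k = 3, and the treatment of options (skipped) are assumptions made here.

```python
import hashlib
import math
import struct

def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src: bytes, dst: bytes, ttl: int, ident: int, payload: bytes) -> bytes:
    """Constructed sample packet (UDP, no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000, ttl, 17, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def invariant_bytes(packet: bytes) -> bytes:
    """The 28-byte digest input: IPv4 header with the fields that change in flight
    zeroed (TOS, TTL, header checksum), options skipped, plus the first 8 payload bytes."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:20])
    hdr[1] = 0                  # TOS
    hdr[8] = 0                  # TTL, decremented at every hop
    hdr[10:12] = b"\x00\x00"    # header checksum, recomputed at every hop
    return bytes(hdr) + packet[ihl:ihl + 8].ljust(8, b"\x00")

class DigestTable:
    """One DGA Bloom filter: 2^n bits, k digests per packet, a fresh salt per interval t."""
    def __init__(self, n_bits: int, k: int, salt: bytes):
        self.size, self.k, self.salt = 1 << n_bits, k, salt
        self.bits = bytearray(self.size // 8)
    def digests(self, packet: bytes) -> list:
        # k n-bit digests carved from one salted SHA-256 (assumed construction, k <= 8)
        h = hashlib.sha256(self.salt + invariant_bytes(packet)).digest()
        return [int.from_bytes(h[4 * i:4 * i + 4], "big") % self.size for i in range(self.k)]
    def insert(self, packet: bytes) -> None:
        for d in self.digests(packet):
            self.bits[d >> 3] |= 1 << (d & 7)
    def contains(self, packet: bytes) -> bool:
        # membership test: all k bits set means "this router forwarded p" (or a false positive)
        return all(self.bits[d >> 3] & (1 << (d & 7)) for d in self.digests(packet))

def false_positive_rate(m_bits: int, n_packets: int, k: int) -> float:
    """Standard Bloom-filter estimate P = (1 - e^(-kn/m))^k for m bits, n packets, k digests."""
    return (1 - math.exp(-k * n_packets / m_bits)) ** k
```

A packet re-forwarded one hop later (TTL decremented, checksum recomputed) yields the same 28 invariant bytes and therefore the same k digests, which is what lets each router's table answer "did I forward this packet?".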
16
Hash-Based IP Traceback (summary figure)
(Figure: the DGA hashes the 28 invariant bytes of each packet, the IPv4 header fields plus the first 8 bytes of payload, into digests H1(P), H2(P), H3(P), ..., Hk(P), sets those positions in its 2^n-bit Bloom filter, and the SCAR later collects and queries that filter.)
17
SPIE Collection and Reduction Agent
- Polls the DGAs for digest tables, hash functions and time intervals
  - Time-critical operation
- Constructs the local attack graph
  - Reverse path flooding
  - For each router, compute the k hashes of p with that router's local hash functions and run the membership test (table[hi(p)] == 1 for all i)
- Sends the result to the STM
18
SPIE Traceback Manager
- Interface to the IDS
  - Receives the attack signature for p
  - Returns the attack graph
- Authenticates and verifies the request (no details given)
- Provisions the SCARs
  - Sends (packet, last-hop router, arrival time)
- Assembles the local graphs
- Fills holes in the graph
19
Goals
- Find the attack graph for a single packet
- Minimal cost (resource usage)
- Maintain privacy (prevent eavesdropping)
- Robustness (minimal false positives, no false negatives)
20
Memory utilization
- A Bloom filter is described in terms of:
  - The number of digest/hash functions (k)
  - The ratio of data items to be stored (n) to memory capacity (m)
- The effective false positive rate (P) for a Bloom filter that uses m bits of memory to store n packets with k digest functions is given by:
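The formula the slide refers to, worked out here as an added derivation in the slide's own symbols (the standard Bloom-filter estimate, not taken from the slide itself):

$$
\Pr[\text{a given bit is still } 0 \text{ after } n \text{ packets}] = \left(1 - \frac{1}{m}\right)^{kn} \approx e^{-kn/m},
\qquad
P = \left(1 - e^{-kn/m}\right)^{k}.
$$

For a fixed ratio m/n the rate is minimised at $k = (m/n)\ln 2$, where $P \approx 2^{-k} \approx 0.6185^{\,m/n}$; with $m/n = 8$ bits per packet and $k = 5$, for example, $P \approx 0.022$.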
21
SPIE Performance
- Local false positive rate (depends on n, k, b)
- Length of time digests are stored (t)
  - Bounded by the IDS -> STM -> SCAR -> DGA round trip
- Accuracy of attack graphs
  - Derived from the local false positive rates
  - Network topology (Why?)
22
Conclusion
- Find the attack graph for a single packet
  - Log every packet at every router
- Minimal cost (resource usage)
  - Store a fixed-size hash(p), not p
  - 0.05% of link bandwidth per time interval
  - Distribute graph creation (attack sub-graphs)
- Maintain privacy (prevent eavesdropping)
  - Authenticate the traceback call (IDS -> STM)
  - No header fields stored
- Robustness (minimal false positives, no false negatives)?
23
Packet Marking vs. Packet Logging

| | Packet Marking | Packet Logging |
|---|---|---|
| Basic method | Routers write their IDs (IP addresses) into the forwarded packets (deterministic/probabilistic) | Packet information (digests or signatures) is written into the router's buffer (det./prob.) |
| Number of attack packets needed to infer an attack path | A large number of attack packets (probabilistic); a single attack packet (deterministic) | Same as packet marking |
| Overhead | No buffer overhead at routers, but high packet overhead; router CPU overhead for marking | High buffer overhead at routers, but no packet overhead; router CPU overhead for logging |
| Collecting path information | Not a big issue, i.e. can be done using the attack packets themselves | Coordination among routers required |
| Examples | Probabilistic Packet Marking | Hash-based Traceback |