ICMP Trace Back - PowerPoint PPT Presentation

About This Presentation
Title:

ICMP Trace Back

Description:

Aware of the topology and routing if partial deployment ... Should be simple, efficient, secure, and scaleable. Cont. Performance. Cont. Value(iTr) = F ... – PowerPoint PPT presentation

Slides: 12
Provided by: pas59

Transcript and Presenter's Notes

Title: ICMP Trace Back


1
ICMP Trace Back
  • NCTU CSIE NetAdm 2004
  • Authors: 9117018 ???
  • 9217026 ???

2
Introduction
  • IETF Internet-draft
  • DDoS
  • Spoofed source IP address
  • New ICMP message format (iTrace)

3
How does it work
Figure: working process
4
What is done on the routers
  • Statistically pick packets (1/20000 is
    recommended)
  • Generate ICMP traceback messages (iTrace)
  • Set TTL to 255
  • iTrace contains the next and previous hop, a
    timestamp and headers of the selected packet

5
More insights on iTrace
  • TLV recursive TAG-LENGTH-VALUE
  • 1-octet Tag
  • 2-octet Length

6
Tag in iTrace
  • 0x01 Back Link
  • 0x02 Forward Link
  • 0x03 Interface Name
  • 0x04 IPv4 Address Pair
  • 0x05 IPv6 Address Pair
  • 0x06 MAC Address Pair
  • 0x07 Operator-Defined Link Identifier
  • 0x08 Timestamp
  • 0x09 Traced Packet Contents
  • 0x0A Probability
  • 0x0B RouterId
  • 0x0C HMAC Authentication Data
  • 0x0D Key Disclosure List
  • 0x0E Key Disclosure
  • 0x0F Public-Key Information
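
The TLV layout from slides 5 and 6 can be walked with a bounds-checked recursive parser, shown here as an added example (not code from the presentation or the Internet-draft). It assumes the 2-octet length is big-endian and counts only the value bytes, and that Back Link, Forward Link and Key Disclosure List are the elements that nest further TLVs; `parse_tlvs`, `tlv`, `MAX_DEPTH` and `SAMPLE` are hypothetical names.

```python
import struct

# Tag names as listed on the slide.
TAGS = {
    0x01: "Back Link", 0x02: "Forward Link", 0x03: "Interface Name",
    0x04: "IPv4 Address Pair", 0x05: "IPv6 Address Pair",
    0x06: "MAC Address Pair", 0x07: "Operator-Defined Link Identifier",
    0x08: "Timestamp", 0x09: "Traced Packet Contents", 0x0A: "Probability",
    0x0B: "RouterId", 0x0C: "HMAC Authentication Data",
    0x0D: "Key Disclosure List", 0x0E: "Key Disclosure",
    0x0F: "Public-Key Information",
}
# Assumption: these elements carry nested TLVs; all others are leaves.
CONTAINERS = {0x01, 0x02, 0x0D}
MAX_DEPTH = 4  # assumption: cap recursion so hostile input cannot nest deeply

def parse_tlvs(buf, depth=0):
    """Return [(tag_name, value)]; value is bytes for a leaf, a list for a container."""
    if depth > MAX_DEPTH:
        raise ValueError("TLV nesting too deep")
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 3:  # 1-octet tag + 2-octet length
            raise ValueError("truncated TLV header")
        tag, length = struct.unpack_from("!BH", buf, pos)
        pos += 3
        if length > len(buf) - pos:  # never read past the enclosing element
            raise ValueError("TLV length overruns enclosing element")
        if tag not in TAGS:
            raise ValueError("unknown tag 0x%02X" % tag)
        value = buf[pos:pos + length]
        pos += length
        out.append((TAGS[tag], parse_tlvs(value, depth + 1)
                    if tag in CONTAINERS else value))
    return out

def tlv(tag, value):
    """Encode one element (used only to build the constructed sample)."""
    return struct.pack("!BH", tag, len(value)) + value

# Constructed sample: a Back Link holding an interface name and an IPv4 pair,
# followed by a top-level Timestamp. All values are illustrative only.
SAMPLE = (tlv(0x01, tlv(0x03, b"eth0") +
              tlv(0x04, bytes([192, 0, 2, 1, 192, 0, 2, 2]))) +
          tlv(0x08, struct.pack("!I", 1086048000)))

if __name__ == "__main__":
    print(parse_tlvs(SAMPLE))
```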

7
What is done on the victim
  • Path Reconstruction
  • Sort by TTL
  • Thousands of packets

8
Issues
  • Few Useful iTraces in major DDoS
  • Aware of the topology and routing if partial
    deployment
  • Subverted routers can generate fake iTraces
  • DDoS with a lot of reflectors
  • Sources must be evil or corrupted

9
Intention-driven iTrace
  • More Useful/Valuable iTraces
  • Same number of iTraces generated on each router
  • Compatible with current scheme
  • Should be simple, efficient, secure, and scalable

10
Cont.
  • Performance

11
Cont.
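  • $\text{Value}(iTr) = F(\text{Attack}_{iTr.pkt},\ \text{Intention}_{iTr.dst\text{-}ID},\ \text{HopCount}_{iTr.rtr\text{-}ID \to iTr.dst\text{-}ID},\ \text{Received}_{iTr.rtr\text{-}ID \to iTr.dst\text{-}ID},\ \text{Generated}_{iTr.rtr\text{-}ID})$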
  • Every packet is associated with a value