Network Support For IP Traceback

1
Network Support For IP Traceback

• Stefan Savage, David Wetherall, Anna Karlin and
  Tom Anderson

Teng Fei - Umass April, 2002
2
Outline

• Motivation
• Related work
• Proposed solution
• Experimental results
• Future work

3
The Problem

• Denial of Service (DoS) attack
• remotely consume resource of server or network
• Increase in number and frequency
• simple to implement (Trinoo)

4
Difficult To Trace

• Indirection
• attacking packets sent from slave machines, which
  under the control of a remote master machine
• Spoof of IP source addresses
• Disguise their location using incorrect IP
  addresses, hence the true origin is lost

5
DoS Counter Measures

• Ingress filtering
• Link testing
• input debugging
• controlled flooding
• Logging

6
Ingress Filtering

• Block packets with invalid source addresses
• Pros
• Moderate management/network overhead
• Cons
• require widespread deployment
• hard to do in backbone/transit network

7
Link Testing

• Start from victim and test upstream links
• Recursively repeat until source is located
• Assume attack remains active until trace complete

8
Input Debugging

• Victim recognize attack signature
• Install filter on upstream router
• Pros
• May use software to help coordinate
• Cons
• Require cooperation between ISPs
• Considerable management overhead

9
Controlled Flooding

• Flooding link with large bursts of traffic during
  attack
• Observe attacking packet rate change to determine
  the source
• Pros
• Ingenious
• Cons
• Itself a denial of service - possible worse

10
Logging

• Key routers logging packets
• Data mining to analysis
• Pros
• Post mortem
• Cons
• High resource demand

11
ICMP Traceback

• Sample packets with low probability
• Copy data and path information in a new ICMP
  packet
• Pros
• reconstruct path information with large amount of
  packet
• Cons
• ICMP may be filtered

12
Packet Marking Traceback

• Mark packets with router address
• deterministically or probabilistically
• Trace attack using marked packets
• Pros
• Require no cooperation with ISPs
• Does not cause heavy network overhead
• Can trace attack post mortem

13
DoS Scenario Seen by Victim
A1
A2
A3
R5
R7
R6
R3
R4
R2
victim
R1
V
14
Multiple Attackers
A1
A2
A3
attack origin
R5
R7
R6
R3
R4
R2
R1
V
15
Exact Traceback Problem
A1
A2
A3
R5
R7
R6
R3
R4
R2
attack path
exact traceback R6, R3, R2, R1
R1
V
16
Approximate Traceback Problem
A1
A2
A3
R5
R7
R6
R3
R4
R2
approx. traceback R5, R6, R3, R2, R1
R1
V
17
Marking Algorithms

• Marking procedure
• by routers
• add information to packets
• Path reconstruction procedure
• by victim
• use information in marked packets
• Convergence time
• of packets to reconstruct the attack path

18
DoS Attack Assumptions

• Attacker may generate any packet
• Multiple attackers may conspire
• Attackers may be aware they are being traced
• packets may be lost or reordered

19
Design Assumptions

• Attackers send numerous packets
• Route between attacker and victim is fairly
  stable
• Routers have limited CPU and memory
• Routers are not widely compromised

20
Basic Marking Algorithms

• Node Append
• Node Sampling
• Edge Sampling

21
Node Append

• Append address of each node to the end of the
  packet
• Complete, ordered list of routers attack path

original packet
router list
22
Node Append

• Pros
• complete, ordered attack path
• converge quickly (single packet)
• Cons
• infeasibly high router overhead
• attacks can create false path information

23
Node Sampling

• Reserve node file in packet header
• Router write address in node field with
  probability p
• Reconstruct path using relative of node samples
• Only require additional write, checksum update
• robust against single attacker when p gt 0.5

24
Node Sampling
R1
R2
R3
25
Node Sampling
R1
R2
R3
26
Node Sampling
R1
R2
R3
27
Node Sampling
R1
R2
R3
28
Cons Of Node Sampling

• Slow convergence
• need many packets
• usually order of 10,000 - 100,000
• Can not trace multiple attackers

29
Edge Sampling

• Edge represent routers at each end of the link
• Store edges instead of nodes
• start and end addresses of edge routers
• distance from edge to victim

30
Packet Marking Algorithm

• A router writes its own address in the start
  field, and 0 into the distance field
• Distance field is zero means the packet is
  already marked
• router writes its own address in the end address
  field and increase the distance field by 1

31
Edge Sampling
R1
R2
R3
32
Edge Sampling
R1
R2
R3
33
Edge Sampling
R1
R2
R3
34
Edge Sampling
R1
R2
R3
35
Path Reconstuction

• Consider G is a graph with root v
• Insert tuples (start, end, distance) into G
• Remove any edge (x, y, d) with d ! distance from
  x to v in G
• Extract path from G.

36
Pros Cons Of Edge Sampling

• Pros
• Converge much faster than node sampling
• efficiently discern multiple attacks
• Cons
• requires additonal space in the IP header

37
Importan Issue

• Edge sampling requires 72 bits of space in every
  IP packet (2 - 32 bit IP address and 8 bit for
  distance)
• Addition data in packet is expensive
• Sending data out of band results more overhead
  and maybe a new incompatible protocol
• Solutions???

38
Encoding Issue

• Overload the IP identification field
• used for fragmentation
• Decreases the space requirement
• store the XOR of the edge addresses (edge-id)
• Increases reconstruction time

39
Compress Space Requirement

• XOR the edges IP addresses recursively
• if d 1, no XOR, just IP address
• end XOR start XOR end start

40
Marking With XOR
attack path
a
b
c
d
v
resulting XOR edges
b XOR c
c XOR d
d
a XOR b
41
Reconstructing With XOR
c XOR d
d
reconstructed path
b XOR c
a XOR b
42
Subdividing Edge-id

• Divide the edge-id into k non-overlapping packets
• Need offset of fragment

43
Creating Unique Edge-ids

• Edge-id fragments are not unique
• with multiple attackers, multiple edge fragments
  with the same offset and distance
• Bit-interleave has code with IP address

44
Creating Unique Edge-ids
Address
Hash(Address)
0000...1111
00111100
Bit-interleave
00000101...11111010
0
k-1
send k fragments into network
45
Candidate Edge-ids

• Combine all permutations of fragments at each
  distance with disjoint offset values
• Check that the hash matches hash of the address

46
Construction Candidate Edges
0
k-1
No, reject
00000101...11111010
0000...1111
00111100
Hash(Address)?
Address?
?
00111100
Hash(Address?)
Yes, correct address
47
Evaluation

• Longer convergence time
• divide edge-id into 8 fragments
• attackers distance is 10 hops
• 2150 packets to converge with 95 certanty
• few seconds
• Robust with multiple attackers

48
Picking Parameters

• Smaller k
• Larger space requirement
• Larger k
• Larger computational overhead
• Robustness decreases

49
IP Header Encoding

• Separate issue from algorithms
• Overload the 16-bit identification field
• used to differentiate IP fragments

50
Encoding Edge Fragments
offset
edge fragment
21
5
8
8
distance
51
IP Header Encoding

• Backwards compatibility
• Two problems
• Writing same values into id fields of frags from
  different datagrams
• Writing different values into id fields of frags
  of same datagrams

52
Fragmentation Issues

• Copy data into ICMP packet
• Check the checksum at higher level
• etc

53
Testing the Algorithm

• Simulator
• Create random paths
• Originate attacks
• Marking probability is 1/25
• 1,000 random test runs
• vary path lengths

54
Experimental Results
number of packets to reconstruct paths
55
Future Work

• Suffix validation
• spoof end edges
• include a router secret
• Attack origin (host)
• Find attacker (person)

56
Related Research

• Steven M. Bellovin ICMP Traceback Message
  ATThttp//www.research.att.com/smb/papers/draft
  -bellovin-itrace-00.txt
• Alex Snoeren Hash-Based IP Traceback BBN
  SigCOMMhttp//www.acm.org/sigcomm/sigcomm2001/p1-
  snoeren.pdf

57
References

• Stefan Savage Practical Network Support For IP
  Traceback http//www.cs.washington.edu/homes/savag
  e/papers/UW-CSE-00-02-01.pdf
• Sara Sprenkle Practical Network Support Duke
  Universityhttp//www.duke.edu/ses12/presentation
  s/nerdSavage.ppt
• Hal Burch IP Traceback Carnegie Mellon
  Universityhttp//axp.missouri.edu/cecs481/Talks/
  rrp83a.ppt