GOSSIB vs. IP Traceback Rumors

1
GOSSIB vs.IP Traceback Rumors

• Marcel Waldvogel

2
Distributed Denial of Service

• Conditions
• Large numbers ofunwitting slaves
• Fake source addresses
• Countermeasure
• Stop slaves
• Way out
• Identification of culprits
• Slaves, Relays, Masters
• Fixing problems
• How to identify?
• Probabilistic packet marking does not work

3
Outline

• Probabilistic Packet Marking
• Compressed Edge Fragment Sampling
• How it works
• GOSSIB
• Weaknesses of CEFS
• Exploits
• Results
• Recommendations for DDoS prevention

4
Introducing PPM and CEFS

• (Practical) Network Support for IP Traceback
  Savage et al. 2000, 2001
• Assumption
• Many packets required for DDoS attack
• Routers
• Mark packets with low probability
• System under attack
• Reconstruct attack graph

5
Requirements

• Many different attackers
• Graph reconstruction
• Tree rooted at attacker
• Vertices and edges
• Assumptions
• Sources and firstrouters untrusted
• Routers closer to attackertrusted
• Mark packet with edge

6
Compressed Edge Fragment Sampling

• Edge requires 232 bits
• Only some 16 bits partiallyavailable in IP
  header (IP ID)
• Encoding
• 5 bits distance
• 3 bits fragment ID
• 4 bits fragment
• 4 bits partial checksum
• Fragmentation
• 84 bit of curr ? next
• 84 bit of hash(curr) ? hash(next)
• Indexed by fragment ID

7
Reconstruction at Victim

• Select all fragments with distance0
• Pick any set of 8 fragments with distinct
  fragment ID
• Verify reconstructed previous hop address with
  hash
• Add to list of routers at distance0, if match
• Repeat until all combinations checked
• Forall i ? 1..max, select fragments with
  distancei
• Pick any set of 8 fragments with distinct
  fragment ID
• Try for all prev ? (set of routers at distance
  i 1)
• next curr.address ? prev
• Add to list of routers at distance i and to
  graph,if hash(next) ? hash(prev) curr.hash
• Repeat until all combinations checked

8
GOSSIB Goals

• Observation
• Reconstruction is exponential in time
• Single edge needs at least 8 fragments
• GOSSIB Goals
• Complicate reconstruction time
• Add fake edges to render graph useless
• Add fake edges with less than 8 fragments

An attacker can add fake edges 2.5 times more
efficient than "good" routers can add real edges
9
GOSSIB Operation

• GOSSIB
• Group Of Strongly SImilar Birthdays
• Partial-birthday attack
• Single-chunk replacement allowed
• as long as hash still matches
• Result
• 8 fragments for single(true) edge
• 9 fragments for two fake edges

Address
Hash
10
Results

• Generalizations
• 2 edges using 10 fragments (2 differences)
• d edges using k fragments
• Evaluation
• Modeling hash function as random process
• Experimental enumeration

11
Interrelated Collisions

• Fragments can be reused in other contexts
• Relationship graph
• Independent of attack graph!

0
1
2 attack edges
0
1
2
3 attack edges
7 attack edges
12
Complex Relationships

• Largest
• 17 edges
• 55/56 fragments
• 3.25 e/f
• Efficient
• 11 edges
• 35 fragments
• 3.18 e/f

13
Summary

• State explosion
• Easily introduce false edges
• Basically anywhere in graph
• Not closer than closest attacker
• Stop closest attackers before
• Statistically hard to determine
• Not talked about
• IP already creates state explosion
• Statistically easy to determine
• (with fewer than a few thousand attackers)
• Reuse of collisions

14
Other Approaches

• Secure end systems
• Ingress filtering, SAVE Li 2002
• Stepwise pushback
• Park 2000, Ioannidis 2002, Mahajan 2001
• Propabilistic packet marking
• Reverse Tree Song 2001
• Algebraic, polynomial Dean 2002
• IETF itrace working group
• Dynamic pricing Mankins 2001
• Early Warning Cabrera 2001, Mahajan 2001
• XenoService Yan 2000
• Distinguishing DDoS from normal bursty traffic?