GOSSIB vs. IP Traceback Rumors - PowerPoint PPT Presentation

About This Presentation
Title:

GOSSIB vs. IP Traceback Rumors

Description:

Many packets required for DDoS attack. Routers. Mark ... Group Of Strongly SImilar Birthdays. Partial-birthday attack. Single-chunk replacement allowed ... – PowerPoint PPT presentation

Slides: 15
Provided by: marcel69

Transcript and Presenter's Notes



1
GOSSIB vs. IP Traceback Rumors
  • Marcel Waldvogel

2
Distributed Denial of Service
  • Conditions
  • Large numbers of unwitting slaves
  • Fake source addresses
  • Countermeasure
  • Stop slaves
  • Way out
  • Identification of culprits
  • Slaves, Relays, Masters
  • Fixing problems
  • How to identify?
  • Probabilistic packet marking does not work

3
Outline
  • Probabilistic Packet Marking
  • Compressed Edge Fragment Sampling
  • How it works
  • GOSSIB
  • Weaknesses of CEFS
  • Exploits
  • Results
  • Recommendations for DDoS prevention

4
Introducing PPM and CEFS
  • (Practical) Network Support for IP Traceback
    Savage et al. 2000, 2001
  • Assumption
  • Many packets required for DDoS attack
  • Routers
  • Mark packets with low probability
  • System under attack
  • Reconstruct attack graph

5
Requirements
  • Many different attackers
  • Graph reconstruction
  • Tree rooted at attacker
  • Vertices and edges
  • Assumptions
  • Sources and first routers untrusted
  • Routers closer to attacker trusted
  • Mark packet with edge

6
Compressed Edge Fragment Sampling
  • Edge requires 2 × 32 bits
  • Only some 16 bits partially available in IP
    header (IP ID)
  • Encoding
  • 5 bits distance
  • 3 bits fragment ID
  • 4 bits fragment
  • 4 bits partial checksum
  • Fragmentation
  • 8 × 4 bit of curr ⊕ next
  • 8 × 4 bit of hash(curr) ⊕ hash(next)
  • Indexed by fragment ID

7
Reconstruction at Victim
  • Select all fragments with distance 0
  • Pick any set of 8 fragments with distinct
    fragment ID
  • Verify reconstructed previous hop address with
    hash
  • Add to list of routers at distance 0, if match
  • Repeat until all combinations checked
  • For all i ∈ 1..max, select fragments with
    distance i
  • Pick any set of 8 fragments with distinct
    fragment ID
  • Try for all prev ∈ (set of routers at distance
    i − 1)
  • next = curr.address ⊕ prev
  • Add to list of routers at distance i and to
    graph, if hash(next) ⊕ hash(prev) = curr.hash
  • Repeat until all combinations checked
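The marking layout from slide 6 and the victim-side reconstruction from slide 7, carried through in working code. This is an added example, not code from the slides or from Savage et al.; the hash function (truncated SHA-256), the 10.0.0.x router addresses and the two-attacker topology are constructed assumptions, and a router adjacent to the victim is modelled as marking its own address at distance 0 with nothing XORed in yet. The `candidates` generator is the step whose cost grows exponentially in the number of distinct fragments per distance, which is the state explosion the following slides build on.

```python
"""CEFS marking (slide 6) and victim-side reconstruction (slide 7).
Added example; the hash function and topology are assumptions."""
import hashlib
import ipaddress
from collections import defaultdict
from itertools import product

CHUNK_BITS = 4          # 4-bit address fragment and 4-bit hash fragment per mark
N_FRAGS = 8             # 3-bit fragment ID -> 8 fragments per edge
MAX_DISTANCE = 31       # 5-bit distance field


def ip(s):
    return int(ipaddress.IPv4Address(s))


def h32(addr):
    """32-bit hash of an address. Assumption: truncated SHA-256; the slides only
    require a function the victim knows, not a specific one."""
    return int.from_bytes(hashlib.sha256(addr.to_bytes(4, "big")).digest()[:4], "big")


def chunk(value, k):
    """k-th 4-bit piece of a 32-bit value (k = 0 is the least significant)."""
    return (value >> (CHUNK_BITS * k)) & 0xF


def pack(distance, frag_id, addr_chunk, hash_chunk):
    """Lay out one mark in the 16-bit IP ID field: 5 | 3 | 4 | 4 bits."""
    return (distance << 11) | (frag_id << 8) | (addr_chunk << 4) | hash_chunk


def unpack(mark):
    return (mark >> 11) & 0x1F, (mark >> 8) & 0x7, (mark >> 4) & 0xF, mark & 0xF


def edge_marks(curr, nxt, distance):
    """All 8 fragments the victim eventually collects for the edge curr -> nxt.
    nxt is None for the router adjacent to the victim (distance 0): that mark
    carries the router's own address and hash, nothing XORed in yet."""
    addr_val = curr if nxt is None else curr ^ nxt
    hash_val = h32(curr) if nxt is None else h32(curr) ^ h32(nxt)
    return [pack(distance, k, chunk(addr_val, k), chunk(hash_val, k))
            for k in range(N_FRAGS)]


def candidates(frags):
    """Every choice of 8 fragments with distinct fragment IDs at one distance.
    The product over the 8 fragment slots is the exponential step."""
    if any(k not in frags for k in range(N_FRAGS)):
        return
    for combo in product(*(sorted(frags[k]) for k in range(N_FRAGS))):
        addr = sum(a << (CHUNK_BITS * k) for k, (a, _) in enumerate(combo))
        hsh = sum(h << (CHUNK_BITS * k) for k, (_, h) in enumerate(combo))
        yield addr, hsh


def reconstruct(marks, max_distance=MAX_DISTANCE):
    """Victim-side algorithm of slide 7. Returns ({distance: routers}, edges)."""
    by_dist = defaultdict(lambda: defaultdict(set))   # dist -> frag_id -> chunks
    for m in marks:
        d, k, a, h = unpack(m)
        by_dist[d][k].add((a, h))
    routers = {0: set()}
    edges = set()
    # Distance 0: the reconstructed address must hash to the reconstructed hash.
    for addr, hsh in candidates(by_dist[0]):
        if h32(addr) == hsh:
            routers[0].add(addr)
    # Distance i: XOR out each known router at distance i-1 and verify the hash.
    for i in range(1, max_distance + 1):
        if i not in by_dist:
            break
        routers[i] = set()
        for addr_x, hash_x in candidates(by_dist[i]):
            for prev in routers[i - 1]:
                nxt = addr_x ^ prev
                if h32(nxt) ^ h32(prev) == hash_x:
                    routers[i].add(nxt)
                    edges.add((nxt, prev))
    return routers, edges


def demo():
    """Constructed topology: two attackers behind shared routers,
    A1 -> R3 -> R2 -> R1 -> V and A2 -> R4 -> R2 -> R1 -> V."""
    r1, r2, r3, r4 = (ip(s) for s in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"))
    marks = (edge_marks(r1, None, 0)      # R1 is adjacent to the victim
             + edge_marks(r2, r1, 1)
             + edge_marks(r3, r2, 2)
             + edge_marks(r4, r2, 2))     # two real edges share distance 2
    return reconstruct(marks)


if __name__ == "__main__":
    routers, edges = demo()
    for d in sorted(routers):
        print(d, sorted(str(ipaddress.IPv4Address(a)) for a in routers[d]))
```

Run it as a script to print the routers recovered per distance. Note that at distance 2 the victim already has to try every combination of the two edges' fragments, so the candidate count there is up to 2^8 for just two real edges; each additional distinct fragment at a distance multiplies that product, which is why any party able to inject extra fragments drives the reconstruction cost up.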

8
GOSSIB Goals
  • Observation
  • Reconstruction is exponential in time
  • Single edge needs at least 8 fragments
  • GOSSIB Goals
  • Complicate reconstruction time
  • Add fake edges to render graph useless
  • Add fake edges with less than 8 fragments

An attacker can add fake edges 2.5 times more
efficiently than "good" routers can add real edges
9
GOSSIB Operation
  • GOSSIB
  • Group Of Strongly SImilar Birthdays
  • Partial-birthday attack
  • Single-chunk replacement allowed
  • as long as hash still matches
  • Result
  • 8 fragments for single (true) edge
  • 9 fragments for two fake edges

[Figure: fragment layout of an edge, labelled Address and Hash]
10
Results
  • Generalizations
  • 2 edges using 10 fragments (2 differences)
  • d edges using k fragments
  • Evaluation
  • Modeling hash function as random process
  • Experimental enumeration

11
Interrelated Collisions
  • Fragments can be reused in other contexts
  • Relationship graph
  • Independent of attack graph!

[Figure: relationship graphs for 2, 3 and 7 attack edges]
12
Complex Relationships
  • Largest
  • 17 edges
  • 55/56 fragments
  • 3.25 e/f
  • Efficient
  • 11 edges
  • 35 fragments
  • 3.18 e/f

13
Summary
  • State explosion
  • Easily introduce false edges
  • Basically anywhere in graph
  • Not closer than closest attacker
  • Stop closest attackers before
  • Statistically hard to determine
  • Not talked about
  • IP already creates state explosion
  • Statistically easy to determine
  • (with fewer than a few thousand attackers)
  • Reuse of collisions

14
Other Approaches
  • Secure end systems
  • Ingress filtering, SAVE Li 2002
  • Stepwise pushback
  • Park 2000, Ioannidis 2002, Mahajan 2001
  • Probabilistic packet marking
  • Reverse Tree Song 2001
  • Algebraic, polynomial Dean 2002
  • IETF itrace working group
  • Dynamic pricing Mankins 2001
  • Early Warning Cabrera 2001, Mahajan 2001
  • XenoService Yan 2000
  • Distinguishing DDoS from normal bursty traffic?