Hash-Based IP Traceback

Presentation by Jessica Kornblum, DSL Seminar, Nov. 2, 2001.

Transcript and Presenter's Notes

1
Hash-Based IP Traceback
  • Alex C. Snoeren, Craig Partridge, Luis A.
    Sanchez, Christine E. Jones, Fabrice
    Tchakountio, Stephen T. Kent and W. Timothy
    Strayer
  • BBN Technologies
  • MIT Laboratories
  • Megisto Systems
  • Published SIGCOMM 2001

2
Authors have unknowingly contributed slides to
this presentation ?

3
DOS Attacks!
  • CSI/FBI 2001 Computer Crime Report
  • 61% IDS, 95% firewalls (sample 530)
  • 36% detected DOS attacks (sample 538)
  • 27.6 financial loss (sample 344)
  • GRC.com
  • 8 days of attacks
  • UDP fragmentation/ICMP flood attacks on 2 T1
    connections
  • 474 Windows PCs, coordinated
  • 2.4 billion packets!

4
Who is attacking?
  • IP Traceback
  • Trace the path of IP packet(s) to their source
  • Why is this difficult?
  • IP networks are stateless
  • Spoofed source addresses
  • Many administration layers

5
Approach: Log-Based Traceback
(Diagram: attacker A sends a packet to victim V across a network of routers, labelled R and R1 to R7; the packet is logged at each router it traverses, so the path can be walked back from V.)
6
Logging Challenges
  • Attack path reconstruction is difficult
  • Packet may be transformed as it moves through the
    network
  • Full packet storage is problematic
  • Memory requirements are prohibitive at high line
    speeds (OC-192 is 10Mpkt/sec)
  • Extensive packet logs are a privacy risk
  • Traffic repositories may aid eavesdroppers

7
Source Path Isolation Engine Goals
  • Trace a single IP packet back to source
  • Asymmetric attacks (e.g. Fraggle, Teardrop,
    ping-of-death)
  • Minimal cost (resource usage)
  • Maintain privacy (prevent eavesdropping)
  • Robustness (min. false pos., no false neg.)

8
Assumptions
  • Network
  • Packets can be addressed to more than one host (multicast,
    broadcast)
  • Duplicate packets may exist in network
  • Router infrastructure is unstable
  • End hosts have restrained network resources
  • Attacker
  • Aware of Traceback mechanisms
  • Routers may be subverted
  • Mechanism
  • Packet size should not grow due to Traceback
  • Traceback is infrequent?

9
Goals
  • Find attack graph for single packet
  • Minimal cost (resource usage)
  • Maintain privacy (prevent eavesdropping)
  • Robustness (min. false pos., no false neg.)

10
SPIE Architecture
  • DGA: Data Generation Agent
  • Computes and stores digests of each packet on the
    forwarding path
  • Deploy 1 DGA per router
  • SCAR: SPIE Collection and Reduction Agent
  • Long-term storage for needed packet digests
  • Assembles attack graph for local topology
  • STM: SPIE Traceback Manager
  • Interfaces with IDS
  • Verifies integrity and authenticity of Traceback
    call
  • Sends requests to SCARs for local graphs
  • Assembles attack graph from SCAR input

11
  1. IDS identifies attack packet
  2. Sends packet, time, last hop
  3. Authenticates and verifies IDS request
  4. Provisions SCARs to collect local DGA digests
  5. Collect digest tables, time intervals, hash functions
  6. Identify routers with the packet's digest and construct graph
  7. Collect SCAR local graphs
  8. Assemble local graphs, query for missing info
  9. Send attack graph to IDS

12
Goals
  • Find attack graph for single packet
  • Minimal cost (resource usage)
  • Maintain privacy (prevent eavesdropping)
  • Robustness (min. false pos., no false neg.)

13
Data Generation Agents
  • Compute packet digest
  • Store in Bloom filter
  • Flush filter every time interval, t

14
Packet Digests
  • Compute hash(p)
  • Invariant fields of p only
  • 28 bytes hash input, 0.00092 WAN collision rate
  • Fixed-size hash output, n bits
  • Compute k independent digests
  • Increased robustness
  • Reduced collisions, reduced false positive rate

15
Hash Input: Invariant Content
(Diagram: IPv4 header laid out field by field: Ver, HLen, TOS, Total Length, Identification, DF, MF, Fragment Offset, TTL, Protocol, Checksum, Source Address, Destination Address, Options; followed by the first 8 bytes of payload and the remainder of the payload. The 28-byte hash input covers the fixed IP header, with variant fields masked, plus the first 8 bytes of payload; the remainder of the payload is not hashed.)
16
Hashing Properties
  • Each hash function
  • Uniform distribution of input to output
  • H1(x) = H1(y) for some x, y: unlikely
  • Use k independent hash functions
  • Collisions among k functions independent
  • H1(x) = H2(y) for some x, y: unlikely
  • Cycle k functions every time interval, t

17
Digest Storage: Bloom Filters
  • Fixed structure size
  • Uses a 2^n-bit array
  • Initialized to zeros
  • Insertion
  • Use each n-bit digest as an index into the bit array
  • Set that bit to 1
  • Membership
  • Compute k digests, d1, d2, etc.
  • If filter[di] = 1 for all i, router forwarded
    packet

(Diagram: an n-bit digest H(P) selects one position in the 2^n-bit array and sets it to 1.)
18
Router Resource Tradeoffs: Maintain Same False
Positive Rate
  • 4 variables: n, k, b, t
  • Small n, larger k, smaller t (limited memory)
  • Large n, smaller k, larger t (limited CPU)
  • Small b, larger t (limited bandwidth)
  • k - n2, t - 0
  • n: memory, need 2^n bits of storage
  • k: CPU, need k computations of h(p) at line rates
  • b: bandwidth, number of neighbors
  • t: saturation rate, application responsiveness

19
SPIE Collection and Reduction Agent
  • Polls DGAs for digest tables, hash functions,
    time intervals
  • Time critical operation
  • Constructs local attack graph
  • Reverse Path Flooding
  • For each router,
  • Compute k hashes of p with local hash functions
  • Membership test (table[hi(p)] = 1 for all i)
  • Sends Result to STM
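As an added illustration of slides 14, 17 and 19 (example code written for this transcript, not from the paper or the talk): a DGA digest filter built over the 28 invariant bytes of a packet, and the SCAR reverse-path flood that grows the local attack graph from the victim's last-hop router. Assumptions: the masked variant fields are TOS, TTL and header checksum, the k "independent" hash functions are modelled as BLAKE2b keyed with a per-router salt plus an index, and the topology, addresses and packet are constructed.

```python
import hashlib
import struct
from collections import deque
SRC, DST = bytes([10, 0, 0, 1]), bytes([192, 168, 1, 9])   # constructed addresses

def make_packet(ident, ttl, payload):
    """Constructed IPv4/UDP packet: 20-byte header, no options, checksum left 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000, ttl, 17, 0, SRC, DST)
    return hdr + payload

def invariant_prefix(pkt):
    """SPIE hash input: first 28 bytes (header + 8 payload bytes) with mutable fields zeroed."""
    b = bytearray(pkt[:28])
    b[1] = 0; b[8] = 0; b[10:12] = b"\x00\x00"   # assumed mutable fields: TOS, TTL, checksum
    return bytes(b)

class DigestFilter:
    """One DGA's Bloom filter for one time interval: 2^n bits indexed by k salted digests."""
    def __init__(self, n, k, salt):
        self.n, self.k, self.salt = n, k, salt
        self.bits = bytearray(1 << (n - 3))            # 2^n bits packed 8 per byte
    def digests(self, pkt):
        x, mask = invariant_prefix(pkt), (1 << self.n) - 1
        return [int.from_bytes(hashlib.blake2b(x, digest_size=8,          # k keyed functions
                key=self.salt + bytes([i])).digest(), "big") & mask for i in range(self.k)]
    def insert(self, pkt):                               # set the k addressed bits
        for d in self.digests(pkt):
            self.bits[d >> 3] |= 1 << (d & 7)
    def contains(self, pkt):                             # all k bits set => "router forwarded packet"
        return all(self.bits[d >> 3] >> (d & 7) & 1 for d in self.digests(pkt))

def reverse_path_flood(links, filters, last_hop, pkt):
    """SCAR step: from the victim's last hop, extend to neighbours whose filter holds pkt."""
    seen, graph, todo = {last_hop}, set(), deque([last_hop])
    while todo:
        r = todo.popleft()
        for nb in links[r]:
            if nb not in seen and filters[nb].contains(pkt):
                seen.add(nb); graph.add((nb, r)); todo.append(nb)   # edge upstream -> downstream
    return graph

def demo():
    """Constructed topology attacker -> R1 -> R2 -> R3 -> victim, R4 off-path; TTL drops per hop."""
    links = {"R1": ["R2"], "R2": ["R1", "R3", "R4"], "R3": ["R2"], "R4": ["R2"]}
    filters = {r: DigestFilter(n=16, k=3, salt=r.encode()) for r in links}   # per-router hash salt
    payload = b"\x00\x35\x00\x35\x00\x10\xbe\xef" + b"rest of payload is not hashed"
    for r, ttl in (("R1", 64), ("R2", 63), ("R3", 62)):      # each DGA sees a transformed copy
        filters[r].insert(make_packet(0x1234, ttl, payload))
    return reverse_path_flood(links, filters, "R3", make_packet(0x1234, 61, payload))
```

Calling demo() returns the two edges R1->R2 and R2->R3 even though every router saw a different TTL, while the off-path R4 is excluded because none of its k bits are set.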

20
SPIE Traceback Manager
  • Interface to IDS System
  • Receives attack signature for p
  • Returns attack graph
  • Authenticates/Verifies (no details)
  • Provisions SCARs
  • Send(packet, last hop router, arrival time)
  • Assembles local graph
  • Fills holes in graph

21
Goals
  • Find attack graph for single packet
  • Minimal cost (resource usage)
  • Maintain privacy (prevent eavesdropping)
  • Robustness (min. false pos., no false neg.)

22
SPIE Performance
  • Local false positive rate (n, k, b)
  • Length of time digests are stored (t)
  • IDS-STM-SCAR-DGA
  • Accuracy of attack graphs
  • Derived from local false positive rates
  • Type of traffic, WAN 0.00092, LAN 0.139
  • Network topology
  • Why?

23
Fuzziness and assumptions!
24
Simulation Setup
  • ISP backbone, 70 routers, T-1 to OC-3 links
  • Avg. link utilization, topology for 1 week
  • Randomly selected attacker, victim
  • Send 1000 packets
  • 5000 sample size
  • Background traffic same
  • P false positive rate

25
Simulation Results
(Figure: plots of Expected Number of False Positives (y-axis, 0 to 1) against Length of Attack Path in hops (x-axis, 0 to 30) for three scenarios: Random Graph, Real ISP at 100% Utilization, and Real ISP at Actual Utilization.)
26
Conclusion
  • Find attack graph for single packet
  • Log every packet at every router
  • Minimal cost (resource usage)
  • Store fixed-sized hash(p), not p
  • 0.05 link bandwidth per time
  • Distribute graph creation (attack sub-graphs)
  • Maintain privacy (prevent eavesdropping)
  • Authenticate Traceback (IDS-STM call)
  • No header fields stored
  • Robustness (min. false pos., no false neg.)?

27
Food for Thought
  • How important is privacy of IP packets?
  • Anyone with network access along the path can
    sniff packets
  • What about false negatives?
  • Communication latency?
  • Problems with small packet flows
  • More computation at end host - longer detection
    cycle
  • Identify attack signature?
  • 28 bytes enough?
  • Flooding attacks cause higher false pos