Title: Hash-Based IP Traceback
Slide 1: Hash-Based IP Traceback
- Alex C. Snoeren, Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent and W. Timothy Strayer
- BBN Technologies
- MIT Laboratories
- Megisto Systems
- Published at SIGCOMM 2001
Slide 2: Authors have unknowingly contributed slides to this presentation
Slide 3: DoS Attacks!
- CSI/FBI 2001 Computer Crime and Security Survey
- 61% deploy IDS, 95% deploy firewalls (sample 530)
- 36% detected DoS attacks (sample 538)
- 27.6 financial loss (sample 344)
- GRC.com
- 8 days of attacks
- UDP fragmentation / ICMP flood attacks on two T1 connections
- 474 coordinated Windows PCs
- 2.4 billion packets!
Slide 4: Who is attacking?
- IP Traceback
- Trace the path of an IP packet (or packets) back to its source
- Why is this difficult?
- IP networks are stateless: routers keep no record of what they forwarded
- Source addresses can be spoofed, so the header does not identify the sender
- The path crosses many administrative domains
Slide 5: Approach: Log-Based Traceback
[Diagram: a network of routers (R, R1 through R7) between attacker A and victim V; every router on the path logs the packet so the path can be traced back from V toward A]
Slide 6: Logging Challenges
- Attack path reconstruction is difficult
- Packets may be transformed as they move through the network
- Full packet storage is problematic
- Memory requirements are prohibitive at high line speeds (OC-192 is about 10 Mpkt/sec)
- Extensive packet logs are a privacy risk
- Traffic repositories may aid eavesdroppers
Slide 7: Source Path Isolation Engine (SPIE) Goals
- Trace a single IP packet back to its source
- Covers asymmetric attacks (e.g. Fraggle, Teardrop, ping-of-death)
- Minimal cost (resource usage)
- Maintain privacy (prevent eavesdropping)
- Robustness (min. false pos., no false neg.)
Slide 8: Assumptions
- Network
- Packets can be addressed to more than one host (multicast, broadcast)
- Duplicate packets may exist in the network
- Router infrastructure may be unstable
- End hosts may have constrained network resources
- Attacker
- Is aware of the traceback mechanism
- Routers may be subverted
- Mechanism
- Packet size should not grow due to traceback
- Traceback is infrequent?
Slide 9: Goals
- Find attack graph for single packet
- Minimal cost (resource usage)
- Maintain privacy (prevent eavesdropping)
- Robustness (min. false pos., no false neg.)
Slide 10: SPIE Architecture
- DGA: Data Generation Agent
- Computes and stores digests of each packet on the forwarding path
- Deploy one DGA per router
- SCAR: SPIE Collection and Reduction Agent
- Long-term storage for needed packet digests
- Assembles the attack graph for its local topology
- STM: SPIE Traceback Manager
- Interfaces with the IDS
- Verifies integrity and authenticity of the traceback call
- Sends requests to SCARs for local graphs
- Assembles the attack graph from SCAR input
Slide 11: Traceback sequence (diagram)
1. IDS identifies the attack packet
2. IDS sends packet, arrival time and last hop to the STM
3. STM authenticates and verifies the IDS request
4. STM provisions SCARs to collect local DGA digests
5. SCARs collect digest tables, time intervals and hash functions from the DGAs
6. SCARs identify routers whose tables hold the packet's digest and construct local graphs
7. STM collects the SCAR local graphs
8. STM assembles the local graphs and queries for missing information
9. STM sends the attack graph to the IDS
Slide 12: Goals
- Find attack graph for single packet
- Minimal cost (resource usage)
- Maintain privacy (prevent eavesdropping)
- Robustness (min. false pos., no false neg.)
Slide 13: Data Generation Agents
- Compute packet digest
- Store in Bloom filter
- Flush filter every time interval, t
Slide 14: Packet Digests
- Compute hash(p)
- Over the invariant fields of p only
- 28-byte hash input; 0.00092 collision rate on the WAN trace
- Fixed-size hash output, n bits
- Compute k independent digests
- Increased robustness
- Reduced collisions, reduced false-positive rate
Slide 15: Hash Input: Invariant Content
The 28 bytes hashed are the 20-byte IP header (mutable fields masked) plus the first 8 bytes of payload:
- Hashed: Ver, HLen, Total Length, Identification, DF, MF, Fragment Offset, Protocol, Source Address, Destination Address, First 8 bytes of payload
- Masked (change hop by hop or are rewritten in transit): TOS, TTL, Checksum, Options
- Not hashed: Remainder of payload
Slide 16: Hashing Properties
- Each hash function
- Uniform distribution from input to output
- H1(x) = H1(y) for some x ≠ y is unlikely
- Use k independent hash functions
- Collisions among the k functions are independent
- H1(x) = H1(y) and H2(x) = H2(y) for the same x, y is very unlikely
- Cycle the k functions every time interval, t
Slide 17: Digest Storage: Bloom Filters
- Fixed structure size
- Uses a 2^n-bit array
- Initialized to zeros
- Insertion
- Use each n-bit digest as an index into the bit array
- Set that bit to 1
- Membership
- Compute the k digests d1, d2, ..., dk
- If filter[di] = 1 for all i, the router forwarded the packet (a false positive is possible, a false negative is not)
[Diagram: H(P) yields an n-bit digest that indexes one of the 2^n bits, which is set to 1]
Slide 18: Router Resource Tradeoffs (Maintain the Same False Positive Rate)
- 4 variables: n, k, b, t
- Small n, larger k, smaller t (limited memory)
- Large n, smaller k, larger t (limited CPU)
- Small b, larger t (limited bandwidth)
- Limit: large k with small n saturates the table, so t → 0
- n: memory; the digest table needs 2^n bits of storage
- k: CPU; need k hash computations of p at line rate
- b: bandwidth; grows with the number of neighbors
- t: saturation rate, application responsiveness
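The following is an added worked example, not code from the paper or these slides: it puts numbers on the tradeoffs above using the standard Bloom-filter false-positive estimate, which the slides do not state and which the paper's own analysis may refine. Symbols follow slide 18 (a 2^n-bit table, k digests per packet, flush interval t); the 10 Mpkt/s OC-192 rate is slide 6's figure; the 1% target false-positive rate and the (n, k) configurations compared are assumptions chosen for illustration.

```python
"""Bloom-filter sizing for a DGA digest table (added example, standard
Bloom estimate; not the paper's analysis)."""
import math


def false_positive_rate(n: int, k: int, packets: int) -> float:
    """Probability that a packet the router never forwarded still passes the
    membership test after `packets` insertions into a 2**n-bit table with k
    digests: (1 - e^(-k*N/m))^k with m = 2**n (standard estimate)."""
    m = 2 ** n
    return (1.0 - math.exp(-k * packets / m)) ** k


def packets_per_interval(n: int, k: int, target_fp: float) -> int:
    """Largest N with false_positive_rate(n, k, N) <= target_fp, i.e. how many
    packets one table can absorb before it must be flushed."""
    m = 2 ** n
    return int(-(m / k) * math.log(1.0 - target_fp ** (1.0 / k)))


def flush_interval(n: int, k: int, target_fp: float, pkt_rate: float) -> float:
    """Flush interval t in seconds at a given line rate, same FP target."""
    return packets_per_interval(n, k, target_fp) / pkt_rate


def optimal_k(n: int, packets: int) -> int:
    """The k that minimises the FP rate for a fixed table size and load:
    (m / N) * ln 2, rounded, never below 1. Shows why a small table (small n)
    that is flushed often (small N per interval) wants a larger k."""
    return max(1, round((2 ** n / packets) * math.log(2)))


def tradeoff_table(target_fp: float, pkt_rate: float, configs):
    """For each (n, k) at the same FP target: table memory, packets absorbed
    per interval, interval t, and the hash rate the DGA must sustain."""
    rows = []
    for n, k in configs:
        rows.append({
            "n": n,
            "k": k,
            "table_bytes": 2 ** n // 8,
            "packets_per_table": packets_per_interval(n, k, target_fp),
            "t_seconds": flush_interval(n, k, target_fp, pkt_rate),
            "hashes_per_second": k * pkt_rate,   # CPU cost scales with k
        })
    return rows


if __name__ == "__main__":
    OC192_PPS = 10_000_000   # slide 6's figure for OC-192
    # Assumed configurations: 2 MB, 8 MB and 32 MB tables with various k.
    for row in tradeoff_table(0.01, OC192_PPS, [(24, 3), (26, 3), (26, 6), (28, 2)]):
        print(row)
```

Reading the rows: memory fixes 2^n, the target false-positive rate then fixes how many packets a table may hold, and dividing by the line rate gives t; raising k costs hashes per second but lets a small, frequently flushed table keep the same false-positive rate, which is the memory-versus-CPU trade the slide describes.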
Slide 19: SPIE Collection and Reduction Agent
- Polls DGAs for digest tables, hash functions and time intervals
- Time-critical operation: tables are flushed every interval t
- Constructs the local attack graph
- Reverse path flooding, starting at the victim's last-hop router and moving to its neighbors
- For each router:
- Compute the k hashes of p with that router's local hash functions
- Membership test: table[h_i(p)] = 1 for all i
- Sends the result to the STM
Slide 20: SPIE Traceback Manager
- Interface to the IDS
- Receives the attack signature for p
- Returns the attack graph
- Authenticates/verifies the request (no details given)
- Provisions SCARs
- Sends (packet, last-hop router, arrival time)
- Assembles the local graphs
- Fills holes in the graph
Slide 21: Goals
- Find attack graph for single packet
- Minimal cost (resource usage)
- Maintain privacy (prevent eavesdropping)
- Robustness (min. false pos., no false neg.)
Slide 22: SPIE Performance
- Local false positive rate, a function of (n, k, b)
- Length of time digests are stored (t)
- Latency of the IDS to STM to SCAR to DGA chain
- Accuracy of attack graphs
- Derived from the local false positive rates
- Type of traffic: digest collision rate 0.00092 on the WAN trace, 0.139 on the LAN trace
- Network topology
- Why?
Slide 23: Fuzziness and assumptions!
Slide 24: Simulation Setup
- ISP backbone: 70 routers, T-1 to OC-3 links
- Average link utilization and topology measured over 1 week
- Randomly selected attacker and victim
- Send 1000 packets
- 5000 samples
- Same background traffic
- P = false positive rate
Slide 25: Simulation Results
[Figure: expected number of false positives (y axis, 0 to 1) against length of attack path in hops (x axis, 0 to 30); three panels: Random Graph; Real ISP, 100% utilization; Real ISP, actual utilization]
Slide 26: Conclusion
- Find the attack graph for a single packet
- Log every packet at every router
- Minimal cost (resource usage)
- Store a fixed-size hash(p), not p
- 0.05% of link bandwidth per unit time
- Distribute graph creation (attack sub-graphs)
- Maintain privacy (prevent eavesdropping)
- Authenticate the traceback call (IDS to STM)
- No header fields stored, only digests
- Robustness (min. false pos., no false neg.)?
Slide 27: Food for Thought
- How important is privacy of IP packets?
- Anyone with network access along the path can sniff packets
- What about false negatives?
- Communication latency?
- Problems with small packet flows
- More computation at the end host, longer detection cycle
- Identify the attack signature?
- Are 28 bytes enough?
- Flooding attacks cause a higher false positive rate