IP Traceback: A New Denial-of-Service Deterrent (PowerPoint presentation transcript)

1
IP Traceback: A New Denial-of-Service Deterrent?
  • IEEE Security & Privacy, 2003
  • Hassan Aljifri
  • University of Miami

2
Outline
  • Introduction
  • Current IP traceback approaches
    • Link testing
    • Logging
    • ICMP-based traceback
    • Packet marking
  • Practical solutions for IP traceback
  • Conclusion

3
Introduction (cont.)
  • DoS (Denial of Service)
  • DDoS (Distributed Denial of Service)
  • Spoofed IP address
    • Falsification of the source address in the IP header.
  • IP traceback
    • Identifying the true source of the packets causing a DoS
      attack.

4
Introduction (cont.)
  • Ingress filtering
    • Configure routers so that they forward only packets with
      valid source addresses.
  • The process is not automated.
  • Routine traffic measurements between ISPs are not
    shared.
  • Some ISPs refuse to install inbound filters to
    stop source address spoofing.
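
The filtering check this slide describes, as an added example (not code from the paper or from any router vendor): a strict unicast reverse-path-forwarding check written in Python against a constructed forwarding table. The prefixes, interface names and sample packets are assumptions made for the illustration. A packet is forwarded only when the router's own route back to the packet's source address points out of the interface the packet arrived on, which is the check that makes a spoofed source address detectable at the network edge.

```python
import ipaddress

# Constructed forwarding table (prefix -> egress interface). On a real router
# this is the FIB built by routing; the entries here are an assumption.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "eth1",       # customer A
    ipaddress.ip_network("198.51.100.0/24"): "eth2",    # customer B
    ipaddress.ip_network("198.51.100.128/25"): "eth3",  # customer C (more specific)
    ipaddress.ip_network("0.0.0.0/0"): "eth0",          # default route toward the upstream
}


def reverse_path_interface(src):
    """Longest-prefix match of the source address: the interface the router
    would itself use to reach that address."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in FIB.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def strict_urpf_allows(in_iface, src):
    """Strict unicast RPF: forward only if the route back to `src` leaves via `in_iface`."""
    return reverse_path_interface(src) == in_iface


def filter_packets(packets):
    """Split (in_iface, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if strict_urpf_allows(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped


# Constructed sample packets; 203.0.113.5 is a victim reachable via the upstream.
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.7", "203.0.113.5"),       # customer A, own address: forwarded
    ("eth1", "203.0.113.9", "203.0.113.5"),     # customer A spoofing an upstream address: dropped
    ("eth2", "198.51.100.10", "203.0.113.5"),   # customer B, own address: forwarded
    ("eth2", "198.51.100.200", "203.0.113.5"),  # customer B spoofing customer C: dropped
    ("eth3", "198.51.100.200", "203.0.113.5"),  # customer C, own address: forwarded
]

if __name__ == "__main__":
    forwarded, dropped = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", forwarded)
    print("dropped:  ", dropped)
```

Strict mode of this kind is what `net.ipv4.conf.all.rp_filter=1` enables on Linux and `ip verify unicast source reachable-via rx` on Cisco IOS. It drops legitimate traffic on asymmetric paths, which is why transit links often run the loose variant (only requiring that some route to the source exist) and why the check pays off most at the customer edge: there the default route in the table above makes any address that is not a customer's look like an upstream address, and a customer cannot spoof one.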

5
Current IP traceback approaches(cont.)
  • Reactive
    • Link testing
      • Input debugging
      • Controlled flooding
  • Proactive
    • Logging
    • Messaging
    • Marking

6
Current IP traceback approaches(cont.)
  • Reactive
    • Most of them require ISP cooperation.
    • Cannot be used for post-attack analysis.
  • Proactive
    • The victim can use the resulting traceback data for
      attack path reconstruction.

7
Current IP traceback approaches (cont.)
  • Support for incremental implementation
  • ISP cooperation should not be required
  • Success should not depend on how long the attack
    lasts.

8
Current IP traceback approaches (cont.)
  • The key requirements for IP traceback methods
  • Compatibility
    • Existing protocols
    • Existing routers
    • Network infrastructure
  • Overhead
    • Network traffic
    • Time
    • Resources

9
Link testing (cont.)
10
Link testing: Input debugging
  • Determine the attack traffic's specific
    characteristics (its attack signature).
  • Use the attack signature to determine the incoming
    link on the router.
  • Repeat this hop by hop until the traffic's source is
    identified or the trace leaves the current ISP's
    border.

11
Table 1: Advantages and disadvantages of input debugging
12
Link testing: Controlled flooding
  • Use a map of the known Internet topology around
    the victim.
  • Flood each incoming network link on the upstream
    routers.
  • Observe how this affects the attack traffic's
    intensity.
  • Deduce which link carries the attack traffic.

13
Advantages and disadvantages of controlled flooding.
14
Logging (cont.)
15
Logging (cont.)
  • Alex Snoeren: SPIE
    • Source Path Isolation Engine
    • Stores only a hash digest of each packet.
  • Tatsuya Baba and Shigeyuki Matsuda
    • An overlay network of sensors
      detects potential attack traffic.
    • Tracing agents (tracers) log the attack packets
      on request.
    • Managing agents
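
A worked illustration of the hash-digest logging idea behind SPIE, added here as an example; it is not code from the paper or from the SPIE implementation. Each router keeps, per time window, a Bloom filter of digests computed over the parts of a packet that do not change in transit (SPIE masks TOS, TTL, checksum and options and hashes the remaining header plus the first eight bytes of payload). The victim hands its copy of an attack packet to the nearest router, and the query follows only those upstream neighbours whose filter contains the digest. The topology, router names, filter size, packets and the use of SHA-256 as the hash are constructed for this example.

```python
import hashlib
import struct

DIGEST_BYTES = 28  # 20-byte IPv4 header (no options) + first 8 bytes of payload, as in SPIE


def ip_checksum(hdr20):
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", hdr20))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, ttl, payload, proto=17):
    """Constructed minimal IPv4 packet: 20-byte header without options, valid checksum."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def forward_hop(pkt):
    """Model one router hop: decrement TTL and refresh the header checksum."""
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def spie_digest(pkt):
    """Digest of the fields that stay constant end to end: TOS, TTL and checksum are masked."""
    masked = bytearray(pkt[:DIGEST_BYTES].ljust(DIGEST_BYTES, b"\x00"))
    masked[1] = 0               # TOS
    masked[8] = 0               # TTL
    masked[10:12] = b"\x00\x00"  # header checksum
    return hashlib.sha256(bytes(masked)).digest()


class BloomFilter:
    """Fixed-size digest table; a router keeps one per time window and ages old ones out."""

    def __init__(self, m_bits=8192, k=3):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, digest):
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + digest).digest()
            yield int.from_bytes(h[:4], "big") % self.m

    def add(self, digest):
        for p in self._positions(digest):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, digest):
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(digest))


# Constructed topology: router -> its upstream neighbours (assumption for this example).
TOPOLOGY = {"R3": ["R2", "R4"], "R2": ["R1"], "R4": ["R5"], "R1": [], "R5": []}
FILTERS = {r: BloomFilter() for r in TOPOLOGY}


def transit(path, pkt):
    """Every router on `path` records the digest, then forwards (TTL-1, new checksum)."""
    for router in path:
        FILTERS[router].add(spie_digest(pkt))
        pkt = forward_hop(pkt)
    return pkt


def traceback(router, pkt):
    """Walk upstream from `router`, following only neighbours whose table holds the digest."""
    if spie_digest(pkt) not in FILTERS[router]:
        return []
    path = [router]
    for upstream in TOPOLOGY[router]:
        path.extend(traceback(upstream, pkt))
    return path


# Constructed traffic: a spoofed-source attack packet via R1-R2-R3 and a benign one via R5-R4-R3.
ATTACK_AT_VICTIM = transit(["R1", "R2", "R3"],
                           build_ipv4("10.9.9.9", "203.0.113.5", 64, b"ATTACK-PAYLOAD-0001"))
BENIGN_AT_VICTIM = transit(["R5", "R4", "R3"],
                           build_ipv4("198.51.100.7", "203.0.113.5", 64, b"hello, benign world"))

if __name__ == "__main__":
    print("attack path:", traceback("R3", ATTACK_AT_VICTIM))
    print("benign path:", traceback("R3", BENIGN_AT_VICTIM))
```

The digest is identical at every hop even though TTL and checksum change, which is what lets a single packet be traced after the fact; the costs are memory proportional to traffic volume, a small false-positive rate from the filter, and the need to query before the window holding the digest is discarded.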

16
Logging
17
ICMP-based traceback (cont.)
18
ICMP-based traceback (cont.)
  • A router generates an ICMP traceback message for only
    one in 20,000 packets.
  • Intention-driven ICMP traceback
    • Decision module: selects the packets for which a
      message is generated.
    • Generation module: processes the chosen packet and sends
      a new message.
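
An added example, not from the paper or from the iTrace Internet-Draft, of the two-module structure described on this slide, written in Python: the decision module samples packets at the baseline rate of one in 20,000 and at a higher rate for destinations that have asked to be traced, and the generation module builds the out-of-band message carrying the router's identity, the link the packet arrived on and a prefix of the sampled packet. The message layout, the elevated rate, and the static table standing in for the signalling mechanism of intention-driven iTrace are assumptions of this example.

```python
import random

# Sampling rates: the baseline 1-in-20,000 from the slide, and a higher rate
# assumed here for destinations that have signalled interest in being traced.
BASELINE_RATE = 1 / 20000
INTENTION_RATE = 1 / 100


class ITraceRouter:
    def __init__(self, router_id, intention_table, seed=0):
        self.router_id = router_id
        self.intention_table = set(intention_table)  # destinations that asked for traces
        self.rng = random.Random(seed)
        self.messages = []

    def decide(self, pkt):
        """Decision module: does this packet trigger a traceback message?"""
        rate = INTENTION_RATE if pkt["dst"] in self.intention_table else BASELINE_RATE
        return self.rng.random() < rate

    def generate(self, pkt, in_link):
        """Generation module: build the message sent to the packet's destination.
        The field set is this example's own, not the draft's wire format."""
        return {
            "type": "itrace",
            "router": self.router_id,
            "in_link": in_link,                     # link the sampled packet arrived on
            "traced_src": pkt["src"],               # the (possibly spoofed) source
            "traced_dst": pkt["dst"],
            "traced_packet_prefix": pkt["payload"][:8],
        }

    def forward(self, pkt, in_link):
        if self.decide(pkt):
            self.messages.append(self.generate(pkt, in_link))
        return pkt


def run(n_packets, seed=7):
    """Constructed traffic: a spoofed flood toward the victim 203.0.113.5 on link-A,
    interleaved with benign traffic to 192.0.2.10 on link-B."""
    router = ITraceRouter("R7", intention_table={"203.0.113.5"}, seed=seed)
    rng = random.Random(seed)
    for i in range(n_packets):
        spoofed = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256))
        router.forward({"src": spoofed, "dst": "203.0.113.5", "payload": b"FLOOD%08d" % i}, "link-A")
        router.forward({"src": "198.51.100.9", "dst": "192.0.2.10", "payload": b"normal traffic"}, "link-B")
    return router.messages


def count_by_destination(messages):
    counts = {}
    for m in messages:
        counts[m["traced_dst"]] = counts.get(m["traced_dst"], 0) + 1
    return counts


if __name__ == "__main__":
    msgs = run(60000)
    print(count_by_destination(msgs))
```

The victim learns a router's identity only when that router happens to sample one of its packets, so every hop on the path reports only after a large volume of attack traffic has passed; that is why the baseline rate is too low for short attacks and why the intention-driven variant raises the rate only for destinations that want traces.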

19
ICMP-based traceback (cont.)
20
ICMP-based traceback
21
Packet marking (cont.)
22
Packet marking (cont.)
  • Stefan Savage
    • Probabilistic traffic sampling [4]
    • Compression methods
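
A simulation of Savage's edge-sampling form of probabilistic packet marking and of the victim's path reconstruction, added here as an example; it is not code from the paper or from Savage et al. The mark is kept as a structured (start, end, distance) triple instead of being compressed into the 16-bit IP identification field, so the compression methods are not shown. Router names, the marking probability p = 0.2 and the packet counts are assumptions. The second run shows the scheme's known limit: an attacker can pre-load a forged edge, but every real router increments the distance field, so the forged edge can only appear beyond the farthest genuine router.

```python
import random


class Mark:
    """The marking fields Savage's edge-sampling scheme carries in each packet."""
    __slots__ = ("start", "end", "distance")

    def __init__(self, start=None, end=None, distance=None):
        self.start, self.end, self.distance = start, end, distance


def mark_packet(mark, router, p, rng):
    """One router's edge-sampling step: with probability p start a new edge,
    otherwise complete an edge the previous hop started and count the hop."""
    if rng.random() < p:
        mark.start, mark.end, mark.distance = router, None, 0
    elif mark.distance is not None:
        if mark.distance == 0:
            mark.end = router
        mark.distance += 1
    return mark


def send_attack(path, n_packets, p, seed=1, forged=None):
    """Simulate packets from the attacker crossing `path` (first router nearest the attacker).
    `forged` is an optional (start, end, distance) the attacker pre-loads into every packet."""
    rng = random.Random(seed)
    marks = []
    for _ in range(n_packets):
        mark = Mark(*forged) if forged else Mark()
        for router in path:
            mark_packet(mark, router, p, rng)
        marks.append(mark)
    return marks


def reconstruct_path(marks, victim):
    """Victim side: collect (start, end, distance) edges and walk them outward from itself."""
    edges = set()
    for m in marks:
        if m.start is None:
            continue                          # never marked in transit: carries no edge
        edges.add((m.start, m.end if m.end is not None else victim, m.distance))
    path, current, dist = [], victim, 0
    while True:
        candidates = [s for (s, e, d) in edges if e == current and d == dist]
        if not candidates:
            break
        current = candidates[0]               # single attack path: one candidate per distance
        path.append(current)
        dist += 1
    return list(reversed(path))


# Constructed path: R1 is next to the attacker, R5 next to the victim.
TRUE_PATH = ["R1", "R2", "R3", "R4", "R5"]

if __name__ == "__main__":
    print("honest marks:", reconstruct_path(send_attack(TRUE_PATH, 2000, 0.2), "victim"))
    print("forged marks:", reconstruct_path(
        send_attack(TRUE_PATH, 2000, 0.2, forged=("FAKE", "R1", 0)), "victim"))
```

With 2000 packets and p = 0.2 every edge of a five-hop path is sampled many times, but the expected number of packets grows quickly with path length because the farthest edge survives only when no closer router re-marks it. The forged edge always arrives with distance equal to the real path length, so the suffix of the reconstructed path nearest the victim stays authentic.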

23
Packet marking (cont.)
24
Practical solutions for IP traceback
  • Symantec's ManHunt
    • Deploys ManHunt agents in the network.
    • Communicates with routers that support ManHunt.
  • MANAnet
    • Marks packets in the IP options field.

25
Practical solutions for IP traceback (cont.)
  • Peakflow
  • FloodGuard
    • Detectors detect an attack on a protected domain.
    • Each actuator analyzes its ingress traffic to trace
      back to the next upstream actuator.

26
Conclusion
  • Widely deployed
  • DDoS
  • Resource intensive
  • Network overhead
  • Post-attack analysis.