Schemes for IP Traceback - PowerPoint PPT Presentation

About This Presentation
Title:

Schemes for IP Traceback

Description:

Using MAC (Message Authentication Codes). Two parties can share a secret key K. ... guarantees that nobody can forge a MAC of a message without knowing the key. ... – PowerPoint PPT presentation

Slides: 24
Provided by: lgao1

Transcript and Presenter's Notes

Title: Schemes for IP Traceback


1
Schemes for IP Traceback
  • Li Gao
  • Computer Forensics
  • Fall 2004

2
  • Problem: DoS (Denial-of-Service) attacks
  • Existing schemes
  • Basic Marking Algorithms
  • Advanced Marking Algorithm
  • Authenticated Marking Algorithm
  • An Algebraic Approach

3
DoS (Denial-of-Service)
  • Definition: Denial-of-Service attacks consume the
    resources of a remote host or network, thereby
    denying or degrading service to legitimate users.
  • Weakness of TCP/IP: the source host itself
    fills in the IP source address, and there is no
    provision in TCP/IP to discover the true origin
    of a packet.

4
Existing schemes
  • Ingress filtering: configure routers to
    block packets that arrive with illegitimate
    source addresses.
  • Disadvantages
  • Effectiveness depends on widespread
    deployment; ISPs have been discouraged by the
    administrative burden.

5
Existing schemes
  • Input debugging: the victim recognizes that it is
    being attacked and develops an attack signature that
    describes a common feature of all attack packets.
  • Disadvantages
  • Management overhead: communication among multiple
    ISPs is required.

6
Existing schemes
  • Controlled flooding: test links by flooding them
    with large bursts of traffic and observing how
    this perturbs traffic from the attacker.
  • Disadvantages
  • 1. Controlled flooding is itself a
    denial-of-service attack.
  • 2. It is only effective at tracing an on-going
    attack and cannot be used post-mortem.

7
Basic Marking Algorithms
Figure legend: V = victim, R = router, A = attacker
8
Basic Marking Algorithms
  • Node append algorithm
  • Marking procedure at router R:
      for each packet w, append R to w
  • Path reconstruction procedure at victim v:
      for any packet w from attacker
          extract path (Ri...Rj) from the suffix of w

9
Basic Marking Algorithms
  • Node append algorithm
  • Disadvantage
  • 1. High router overhead incurred by appending
    data to packets on the fly.
  • 2. Impossible to ensure that there is
    sufficient unused space in the packet for the
    complete list.

10
Basic Marking Algorithms
  • Edge sampling
  • Marking procedure at router R:
      for each packet w
          let x be a random number from [0..1)
          if x < p then
              write R into w.start and 0 into w.distance
          else
              if w.distance = 0 then
                  write R into w.end
              increment w.distance

11
Basic Marking Algorithms
  • Edge sampling
  • Path reconstruction procedure at victim v:
      let G be a tree with root v
      let edges in G be tuples (start, end, distance)
      for each packet w from attacker
          if w.distance = 0 then
              insert edge (w.start, v, 0) into G
          else
              insert edge (w.start, w.end, w.distance) into G
      remove any edge (x, y, d) with d ≠ distance from x to v in G
      extract path (Ri...Rj) by enumerating acyclic paths in G
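The two edge-sampling procedures above, simulated end to end. This is an added example, not code from the slides or from the paper they summarize: the router names R1..R4, the victim name V, the marking probability p = 0.5, the packet count and the random seed are all constructed for the simulation. Every router on the path runs the marking procedure on each packet, and the victim rebuilds the path from the sampled edges, discarding any edge whose distance field disagrees with the tree.

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

VICTIM = "V"   # constructed node name for the victim v


@dataclass
class Packet:
    """The marking fields assumed to ride in each packet: start, end, distance."""
    start: Optional[str] = None
    end: Optional[str] = None
    distance: int = 0


def mark(w: Packet, router: str, p: float, rng: random.Random) -> None:
    """Marking procedure at router R (edge sampling)."""
    x = rng.random()                      # x drawn uniformly from [0, 1)
    if x < p:
        w.start = router                  # begin a new edge at this router
        w.distance = 0
    else:
        if w.distance == 0:
            w.end = router                # close the edge begun one hop upstream
        w.distance += 1


def reconstruct(packets: List[Packet], victim: str = VICTIM) -> List[List[str]]:
    """Path reconstruction at the victim: collect edges, drop those whose
    distance field disagrees with the distance from start to v in G, then
    enumerate the acyclic paths ending at v (attacker side listed first)."""
    edges: Set[Tuple[str, str, int]] = set()
    for w in packets:
        if w.start is None:               # never marked: carries no edge
            continue
        if w.distance == 0:
            edges.add((w.start, victim, 0))
        else:
            edges.add((w.start, w.end, w.distance))

    # hops[y] = number of router hops from y to v; an edge (x, y, d) is
    # consistent only if y really lies d hops from v, which puts x at d + 1
    hops = {victim: 0}
    kept = []
    for x, y, d in sorted(edges, key=lambda e: e[2]):
        if hops.get(y) == d:
            hops.setdefault(x, d + 1)
            kept.append((x, y, d))
    kept = [(x, y, d) for x, y, d in kept if hops[x] == d + 1]

    upstream = {}
    for x, y, _ in kept:
        upstream.setdefault(y, []).append(x)

    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        nxt = [x for x in upstream.get(node, []) if x not in path]  # stay acyclic
        if not nxt:
            paths.append(list(reversed(path)))
            return
        for x in sorted(nxt):
            walk(x, path + [x])

    walk(victim, [victim])
    return paths


def simulate(routers: List[str], p: float = 0.5, n_packets: int = 2000,
             seed: int = 1) -> List[List[str]]:
    """Attacker -> routers[0] -> ... -> routers[-1] -> victim, every router
    running the marking procedure; returns the paths the victim reconstructs."""
    rng = random.Random(seed)
    received = []
    for _ in range(n_packets):
        w = Packet()                      # the attacker sends unmarked packets
        for r in routers:
            mark(w, r, p, rng)
        received.append(w)
    return reconstruct(received)


if __name__ == "__main__":
    print(simulate(["R1", "R2", "R3", "R4"]))
```

The distance check is what limits an attacker who pre-fills the marking fields: because every router increments w.distance, a forged edge can only surface at a distance beyond the attacker's true position, never between the victim and the routers that actually forwarded the packet.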

12
Basic Marking Algorithms
  • Edge sampling
  • Disadvantage
  • Still requires 72 bits of space in every IP
    packet (two 32-bit IP addresses and 8 bits for
    the distance, enough to represent the theoretical
    maximum number of hops allowed in IP).

13
Basic Marking Algorithms
  • Compressed edge fragment sampling

14
Basic Marking Algorithms
  • Compressed edge fragment sampling

15
Basic Marking Algorithms
  • Compressed edge fragment sampling
  • Disadvantage
  • 1. High computation overhead, because it needs
    to check a large number of combinations of the
    fragments.
  • 2. Large number of false positives; e.g. with 25
    distributed attacks, it takes days to reconstruct
    the attack graph and results in thousands of
    false positives.

16
Advanced Marking Algorithm
  • Key observation
  • If the victim knows the map of its upstream
    routers, it does not need the full IP address in
    the packet marking to reconstruct the attacking
    graph, and hence the marking scheme can be more
    communication and computation efficient.

17
Advanced Marking Algorithm
18
Advanced Marking Algorithm
19
Advanced Marking Algorithm
20
Advanced Marking Algorithm
Ψd denotes the set of edge fields marked with a
distance d. Sd denotes the set of routers d hops
away from the victim in the reconstructed attack
graph.
21
Advanced Marking Algorithm
  • Disadvantage
  • A fundamental shortcoming of the advanced
    marking schemes is that the packet markings are
    not authenticated.

22
Authenticated Marking Algorithm
  • Using MACs (Message Authentication Codes): two
    parties can share a secret key K.
  • A well-designed MAC guarantees that nobody can
    forge a MAC of a message without knowing the key.
  • Each router shares a key with the victim. A router
    applies a MAC function to its IP address instead of
    a hash function.
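An added example, not code from the slides or from the schemes' authors, that serves two passages at once: the advanced-marking reconstruction of Sd from Ψd using an upstream router map, and the authenticated variant that replaces the public hash with a keyed MAC. The upstream map, the router addresses, the per-router keys, the innocent router I and the 64-bit tag length are all assumptions made for this example; the real schemes pack a much shorter fragment into the IP header. The point it demonstrates is the one in the slide: with a public hash the victim can be led to place an innocent router in the attack graph, while with a MAC a mark that was not computed with the shared key is simply not accepted.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Set, Tuple

# Constructed upstream router map (an assumption of this example): for each
# node, the routers one hop further away from the victim "V".  "I" is an
# innocent router that is not on the attack path R1 -> R2 -> R3 -> V.
UPSTREAM: Dict[str, List[str]] = {
    "V": ["R3", "I"],
    "R3": ["R2"],
    "R2": ["R1"],
    "R1": [],
    "I": [],
}
ADDR = {"R1": "10.0.1.1", "R2": "10.0.2.1", "R3": "10.0.3.1", "I": "10.0.9.1"}
TAG_HEX = 16   # 64-bit tags; the real schemes fit far fewer bits in the header


def hash_mark(router: str) -> str:
    """Advanced marking: a public hash of the router's IP address."""
    return hashlib.sha256(ADDR[router].encode()).hexdigest()[:TAG_HEX]


def mac_mark(router: str, keys: Dict[str, bytes]) -> str:
    """Authenticated marking: a MAC over the IP address under the key K that
    this router shares with the victim."""
    return hmac.new(keys[router], ADDR[router].encode(),
                    hashlib.sha256).hexdigest()[:TAG_HEX]


def reconstruct(marks: List[Tuple[int, str]],
                expected: Callable[[str], str]) -> List[Set[str]]:
    """Psi_d = marks received with distance d (d = 0 meaning the marking router
    is adjacent to the victim).  Starting from {V}, each level S_d is the set of
    routers one hop upstream of the previous level whose expected mark is in
    Psi_d.  Returns [S_0, S_1, ...]."""
    psi: Dict[int, Set[str]] = {}
    for d, tag in marks:
        psi.setdefault(d, set()).add(tag)
    levels: List[Set[str]] = [{"V"}]
    d = 0
    while d in psi:
        candidates = {r for y in levels[-1] for r in UPSTREAM.get(y, [])}
        s_d = {r for r in candidates if expected(r) in psi[d]}
        if not s_d:
            break
        levels.append(s_d)
        d += 1
    return levels[1:]


def scenario(authenticated: bool) -> List[Set[str]]:
    """Honest marks from R3 (d=0), R2 (d=1), R1 (d=2), plus one forged d=0 mark
    that the attacker builds from the public hash of the innocent router I."""
    # constructed per-router secrets shared with the victim (assumption)
    keys = {r: hashlib.sha256(("shared-key-" + r).encode()).digest() for r in ADDR}
    expected = (lambda r: mac_mark(r, keys)) if authenticated else hash_mark
    honest = [(d, expected(r)) for d, r in enumerate(["R3", "R2", "R1"])]
    forged = (0, hash_mark("I"))          # no key: the attacker can only hash
    return reconstruct(honest + [forged], expected)


if __name__ == "__main__":
    print("hash marks:", scenario(False))   # I wrongly appears next to V
    print("MAC marks: ", scenario(True))    # the forged mark is not accepted
```

The victim's side of the MAC check is only possible because it holds every router's key; how those keys are distributed and rotated is the part of the authenticated scheme the slide leaves out.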

23
An Algebraic Approach
At the beginning of a path, let FullPath_0,j = 0. Each
router i on the path calculates
FullPath_i,j = FullPath_i-1,j · X_j + R_i, where X_j is a
random value passed in each packet and R_i is the
router's IP address. At the packet's destination
FullPath will equal R_n X^(n-1) + R_(n-1) X^(n-2) + ... + R_2 X + R_1.
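The algebraic scheme above worked through as an added example (not code from the slides or from the scheme's authors): each router applies the FullPath recurrence, which is Horner's rule for evaluating a polynomial whose coefficients are the router addresses, and the victim recovers those coefficients by solving the linear system that n packets with distinct X_j values give it. The prime field (2^61 - 1), the router addresses and the assumption that the victim knows the path length n are choices made for this example.

```python
import ipaddress
import random
from typing import List, Tuple

P = 2**61 - 1   # prime field for the arithmetic (a choice made for this example)


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(v: int) -> str:
    return str(ipaddress.IPv4Address(v))


def router_step(fullpath: int, x: int, router_ip: str) -> int:
    """Router i: FullPath_i = FullPath_(i-1) * X + R_i, computed mod P."""
    return (fullpath * x + ip_to_int(router_ip)) % P


def send_packets(path: List[str], count: int,
                 rng: random.Random) -> List[Tuple[int, int]]:
    """Attacker -> path[0] -> ... -> path[-1] -> victim.  Each packet j carries a
    fresh random X_j and starts with FullPath_0 = 0; the victim sees (X_j, FullPath)."""
    packets, used = [], set()
    for _ in range(count):
        x = rng.randrange(1, P)
        while x in used:                  # the victim needs distinct X_j values
            x = rng.randrange(1, P)
        used.add(x)
        fp = 0
        for ip in path:
            fp = router_step(fp, x, ip)
        packets.append((x, fp))
    return packets


def solve_mod_p(a: List[List[int]], b: List[int]) -> List[int]:
    """Gauss-Jordan elimination over GF(P) for the square system a * c = b."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = next(r for r in range(col, n) if m[r][col] % P)
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, P)
        m[col] = [v * inv % P for v in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(vr - f * vc) % P for vr, vc in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def recover_path(packets: List[Tuple[int, int]], n: int) -> List[str]:
    """Victim: n packets give FullPath_j = sum_k c_k * X_j^k, n linear equations
    in the n coefficients.  The highest power belongs to the first router on
    the path, so the solution lists the routers in path order."""
    xs, ys = zip(*packets[:n])
    rows = [[pow(x, k, P) for k in range(n - 1, -1, -1)] for x in xs]
    return [int_to_ip(c) for c in solve_mod_p(rows, list(ys))]


def demo(seed: int = 7) -> List[str]:
    """Three constructed routers; returns the path the victim reconstructs."""
    route = ["10.0.1.1", "10.0.2.1", "10.0.3.1"]   # constructed addresses
    return recover_path(send_packets(route, 3, random.Random(seed)), 3)


if __name__ == "__main__":
    print(demo())
```

The Vandermonde matrix built in recover_path is invertible exactly when the X_j are distinct, which is why the sender-side loop rejects repeated values; in practice a victim would not know n in advance and would have to try increasing path lengths until the solution is stable across additional packets.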