Title: Schemes for IP Traceback
Schemes for IP Traceback
- Li Gao
- Computer Forensics
- Fall 2004
- Problem: DoS (Denial-of-Service) attacks
- Existing schemes
- Basic Marking Algorithms
- Advanced Marking Algorithm
- Authenticated Marking Algorithm
- An Algebraic Approach
DoS (Denial-of-Service)
- Definition: Denial-of-Service attacks consume the resources of a remote host or network, thereby denying or degrading service to legitimate users.
- Weakness of TCP/IP: the source host itself fills in the IP source address; there is no provision in TCP/IP to discover the true origin of a packet.
Existing schemes
- Ingress filtering: configure routers to block packets that arrive with illegitimate source addresses.
- Disadvantages
  - Effectiveness depends on widespread deployment. ISPs were discouraged by the administrative burden.
Existing schemes
- Input debugging: the victim recognizes that it is being attacked and develops an attack signature that describes a common feature of all attack packets.
- Disadvantages
  - Management overhead. Communication among multiple ISPs is required.
Existing schemes
- Controlled flooding: test links by flooding them with large bursts of traffic and observing how this perturbs traffic from the attacker.
- Disadvantages
  - 1. Controlled flooding is itself a denial-of-service attack.
  - 2. Only effective at tracing an on-going attack; it cannot be used post-mortem.
Basic Marking Algorithms
- Notation: V = victim, R = router, A = attacker
Basic Marking Algorithms
- Node append algorithm
  - Marking procedure at router R:
    - for each packet w, append R to w
  - Path reconstruction procedure at victim v:
    - for any packet w from attacker
      - extract path (Ri...Rj) from the suffix of w
Basic Marking Algorithms
- Node append algorithm
  - Disadvantages
    - 1. High router overhead incurred by appending data to packets on the fly.
    - 2. Impossible to ensure that there is sufficient unused space in the packet for the complete list.
Basic Marking Algorithms
- Edge sampling
  - Marking procedure at router R:
    - for each packet w
      - let x be a random number from [0..1)
      - if x < p then
        - write R into w.start and 0 into w.distance
      - else
        - if w.distance = 0 then
          - write R into w.end
        - increment w.distance
Basic Marking Algorithms
- Edge sampling
  - Path reconstruction procedure at victim v:
    - let G be a tree with root v
    - let edges in G be tuples (start, end, distance)
    - for each packet w from attacker
      - if w.distance = 0 then
        - insert edge (w.start, v, 0) into G
      - else
        - insert edge (w.start, w.end, w.distance) into G
    - remove any edge (x, y, d) with d ≠ distance from x to v in G
    - extract path (Ri...Rj) by enumerating acyclic paths in G
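The edge-sampling marking and path-reconstruction procedures on the two slides above, worked through as an added Python simulation that is not code from the slides: the router names R1..R4, the victim name V, the attacker's forged initial mark FORGED and p = 0.2 are constructed values.

```python
import random

# Added example: simulation of the edge-sampling scheme on the slides above.
# Router names R1..R4, victim "V", the attacker's forged initial mark "FORGED"
# and the sampling probability p are constructed values for the demo.

def mark(w, R, p, rng):
    """Marking procedure at router R for one packet w = {start, end, distance}."""
    if rng.random() < p:                 # x < p: start a new edge at this router
        w["start"], w["end"], w["distance"] = R, None, 0
    else:
        if w["distance"] == 0:           # upstream router just started an edge: close it
            w["end"] = R
        w["distance"] += 1               # every non-sampling router counts one hop
    return w

def forward(path, p, rng):
    """One attacker packet traverses path[0] (nearest the attacker) .. path[-1] (nearest the victim)."""
    # The attacker controls the initial mark fields and here pre-fills a forged edge.
    w = {"start": "FORGED", "end": None, "distance": 0}
    for R in path:
        mark(w, R, p, rng)
    return w

def reconstruct(victim, packets):
    """Path reconstruction at the victim: build the edge set G, then walk it by distance."""
    G = set()
    for w in packets:
        if w["distance"] == 0:
            G.add((w["start"], victim, 0))
        else:
            G.add((w["start"], w["end"], w["distance"]))
    # Walking outward from v keeps only edges whose distance matches their position in the
    # path, which is the slide's "remove any edge (x, y, d) with d != distance from x to v".
    path, node, d = [], victim, 0
    while True:
        nxt = [s for (s, e, dist) in G if e == node and dist == d]
        if len(nxt) != 1:                # edge not yet sampled (or ambiguous): stop here
            break
        path.append(nxt[0])
        node, d = nxt[0], d + 1
    return path[::-1]                    # attacker side first

def simulate(path, p, n_packets, seed, victim="V"):
    """Send n_packets along path with marking probability p and reconstruct at the victim."""
    rng = random.Random(seed)
    return reconstruct(victim, [forward(path, p, rng) for _ in range(n_packets)])

if __name__ == "__main__":
    print(simulate(["R1", "R2", "R3", "R4"], 0.2, 500, 7))
```

With enough packets the victim recovers R1..R4 in order; the attacker's forged hop can only appear beyond R1, the router nearest the attacker, because every real router increments the distance field of a mark it did not start.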
Basic Marking Algorithms
- Edge sampling
  - Disadvantage
    - Still requires 72 bits of space in every IP packet (two 32-bit IP addresses and 8 bits for distance, to represent the theoretical maximum number of hops allowed using IP).
Basic Marking Algorithms
- Compressed edge fragment sampling
  - Disadvantages
    - 1. High computation overhead, because it needs to check a large number of combinations of the fragments.
    - 2. Large number of false positives. Example: with 25 distributed attacks, it takes days to reconstruct the attack graph and results in thousands of false positives.
Advanced Marking Algorithm
- Key observation
  - If the victim knows the map of its upstream routers, it does not need the full IP address in the packet marking to reconstruct the attack graph, and hence the marking scheme can be more communication- and computation-efficient.
Advanced Marking Algorithm
- Ψd denotes the set of edge fields marked with distance d. Sd denotes the set of routers d hops away from the victim in the reconstructed attack graph.
Advanced Marking Algorithm
- Disadvantage
  - A fundamental shortcoming of the advanced marking schemes is that the packet markings are not authenticated.
Authenticated Marking Algorithm
- Uses a MAC (Message Authentication Code). Two parties share a secret key K.
- A well-designed MAC guarantees that nobody can forge the MAC of a message without knowing the key.
- Each router shares a key with the victim. The router applies a MAC function to its IP address instead of a hash function.
An Algebraic Approach
At the beginning of a path, let FullPath_{0,j} = 0. Each router i on the path calculates FullPath_{i,j} = FullPath_{i-1,j} · X_j + R_i, where X_j is a random value passed in each packet and R_i is the router's IP address. At the packet's destination, FullPath will equal R_n · X^{n-1} + R_{n-1} · X^{n-2} + ... + R_2 · X + R_1.