IP Traceback With Deterministic Packet Marking - PowerPoint PPT Presentation

Slides: 22
Provided by: Iven
1
IP Traceback With Deterministic Packet Marking
  • Andrey Belenky and Nirwan Ansari
  • IEEE Communications Letters, Vol. 7, No. 4, April 2003

2
Introduction
  • IP traceback problem
  • The problem of identifying the source of the offending packets
  • Source: zombie, reflector, spoofed address
  • Solution
  • Rely on the routers (PPM, ICMP)
  • Only for DoS
  • Centralized management (log of packet information)
  • Large overhead, complex, not scalable

3
Deterministic Packet Marking
  • Each packet is marked when it enters the network
  • Only mark incoming packets
  • Mark: address information of this interface
  • 16-bit ID + 1-bit Flag

4
PPM

5
PPM VS DPM
  • Routers are treated as atomic units
  • IP address of a router
  • → IP address of one of its interfaces
  • Packets traveling in different directions are considered different
  • Mark spoofing
  • Use coding technique (but not 100%)
  • → Spoofed mark will be overwritten

6
PPM VS DPM (2)
  • PPM (full path) vs. DPM (address of the ingress router)
  • In a datagram packet network
  • Every packet is individually routed
  • Full path traceback is as good as the address of an ingress point
  • ISPs use different IP addresses
  • Public addresses for interfaces to customers and other networks
  • Private addressing plans within their own networks

7
Coding of a mark
  • Flag 0 → address bits 0-15
  • Flag 1 → address bits 16-31
  • Randomly setting the flag value
  • How many packets are enough?
  • n: the number of received packets
  • The probability of successfully generating the ingress IP address is greater than
  • 2 packets → 75%, 4 packets → 93.75%
  • 6 packets → 98.43%, 10 packets → 99.9%

8
Pseudo code

9
Pros
  • Simple to implement
  • Introduces no bandwidth overhead
  • Practically no processing overhead
  • Suitable for a variety of attacks, not just (D)DoS
  • Backward compatible with equipment which does not implement it
  • Does not have inherent security flaws
  • Does not reveal Internet topology
  • No mark spoofing
  • Scalable

10
Future work
  • The fragmentation/reassembly problem
  • Only less than 0.5% of packets
  • Solve: the ID field for all fragments has to be assigned the same address bits
  • Attacker changes IP frequently during attack
  • Solve: making the destination rely only on the
    marks the hash value of the ingress router
  • Analyze the coding technique
  • IPv6 implementation

11
Tracing Multiple Attackers with Deterministic Packet Marking
  • Andrey Belenky and Nirwan Ansari
  • IEEE PACRIM'03, August 2003

12
The problem with the basic DPM (1)
  • Two hosts with the same Source Address attack the victim
  • Example:
  • The ingress addresses corresponding to these two attackers are A0 and A1
  • The victim will receive A00, A01, A10, A11
  • A00.A01, A00.A11, A10.A01, A10.A11
  • Rate of false positives: 50%
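
The marking scheme from "Coding of a mark" and the 50% false-positive case above, as an added example that is not from the slides or the paper. It assumes "bits 0-15" means the high-order half of the address; the function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import random
from collections import defaultdict
from itertools import product

def dpm_mark(ingress_ip, rng):
    """Ingress interface: choose the flag at random, return (flag, 16-bit mark).
    Assumption: flag 0 carries the high-order half, flag 1 the low-order half."""
    addr = int(ipaddress.IPv4Address(ingress_ip))
    flag = rng.randrange(2)
    mark = (addr >> 16) & 0xFFFF if flag == 0 else addr & 0xFFFF
    return flag, mark

def reconstruct(marked_packets):
    """Victim: per source address, pair every flag-0 mark with every flag-1 mark."""
    halves = defaultdict(lambda: (set(), set()))
    for src, flag, mark in marked_packets:
        halves[src][flag].add(mark)
    return {
        src: {str(ipaddress.IPv4Address((hi << 16) | lo))
              for hi, lo in product(his, los)}
        for src, (his, los) in halves.items()
    }

def simulate(attackers, packets_each=32, seed=7):
    """attackers: list of (claimed source address, ingress interface address)."""
    rng = random.Random(seed)
    packets = [(src, *dpm_mark(ingress, rng))
               for src, ingress in attackers for _ in range(packets_each)]
    return reconstruct(packets)

def false_positive_rate(candidates, true_ingress):
    """Share of reconstructed addresses that are not real ingress points."""
    return len(candidates - set(true_ingress)) / len(candidates)

# Constructed sample data: one spoofed source address, two ingress interfaces.
SPOOFED = "203.0.113.9"
A0, A1 = "192.0.2.1", "198.51.100.7"

if __name__ == "__main__":
    # One attacker: the two halves recombine into exactly one address.
    print(simulate([(SPOOFED, A0)]))
    # Two attackers behind the same source address: four candidates, two wrong.
    both = simulate([(SPOOFED, A0), (SPOOFED, A1)])[SPOOFED]
    print(sorted(both), false_positive_rate(both, [A0, A1]))
```

The victim cannot tell which flag-0 half belongs with which flag-1 half, so every cross-combination is a candidate ingress address.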

13
The problem with the basic DPM (2)
  • Change source address

14
Schematics
[Figure: schematic with labels "Pad" and "Ideal hash"]

15
Reconstruction
  • ?area
  • each area has k segments
  • Each segment has bits

16
Analysis
  • N: the number of ingress routers
  • When false positive rate 0
  • When
  • The expected number of different values the
    segment will take is

17
Analysis (2)
  • The expected number of permutations that result
    in a given digest for a given area
  • The number of false positives for a given area

18
Analysis (3)
  • The total number of false positives
  • The max number of N

19
Analysis (4)
  • The expected number of datagrams

20
Analysis (5)

21
Conclusion
  • Capable of tracing thousands of simultaneous attackers during a DDoS attack (just DDoS)
  • The traceback process can be performed post-mortem, which allows for tracing attacks that may not have been noticed initially
  • Solves the two problems
  • Needs more marked packets