Practical Network Support for IP Traceback - PowerPoint PPT Presentation



1
Practical Network Support for IP Traceback
  • Stefan Savage, David Wetherall, Anna Karlin and
    Tom Anderson
  • Department of Computer Science and Engineering
  • University of Washington
  • Seattle, WA, USA
  • Presentation by David Allen
  • Adapted from pg 44-62 of
    http://www.thefengs.com/wuchang/work/courses/cs576_spring2005/summaries/18.ppt

2
Motivation
  • DoS attacks
      • Hard to address.
      • Simple to implement.
      • Difficult to prevent.
      • Difficult to trace.
      • Difficult to get help from upstream ISP.
  • IP spoofing
      • TCP/IP protocol allows spoofed IP addresses.
      • Attacks can be anonymous and indirect.

3
Problem
  • Goal
      • Determine path from packets
  • Assumptions
      • an attacker may generate any packet
      • multiple attackers may conspire
      • attackers may be aware they are being traced
      • packets may be lost or reordered
      • attackers send numerous packets
      • the route between attacker and victim is fairly stable
      • routers are both CPU and memory limited
      • routers are not widely compromised

4
Traceback Schemes
  • Record Route
  • Input Debugging
  • Controlled Flooding
  • Logging
  • ICMP Traceback
  • Probabilistic Packet Marking

5
Traceback: Record Route
  • Record Path
      • Each router adds IP address to packet.
      • Victim reads path from packet.
  • Problems
      • Requires space in packet.
      • Unknown path size.
      • Modifying all packets in transit is infeasible.

6
Traceback: Input Debugging
  • Input Debugging
      • Many routers can filter egress port packets and determine ingress port.
  • Problems
      • Slow process to communicate packet signature for filter to upstream providers.
      • Difficult to get ISP cooperation.
      • Only works while attack is active.

7
Traceback: Controlled Flooding
  • Controlled Flooding
      • With a map of Internet topology.
      • Iteratively flood upstream links.
      • Observing changes in rates of attack packets reveals route.
  • Problems
      • Form of a DoS attack itself.
      • Must have good map.
      • Noisy results.
      • Only works while attack is active.

8
Traceback: Logging
  • Logging
      • Log packets at key routers.
      • Use data mining techniques to determine path.
  • Problems
      • Enormous resource requirements.
      • Large-scale inter-provider database integration.

9
Traceback: ICMP Traceback
  • ICMP Traceback
      • Routers periodically issue traceback ICMP messages to destination.
      • Sample with low probability 1/20,000.
      • Messages contain information about adjacent routers.
  • Problems
      • Attacker can spoof messages.
      • Requires some signature and trust management.
      • Difficult to use if only some routers participate.

10
Traceback: Probabilistic Packet Marking
  • Probabilistic Packet Marking
      • Probabilistically store router address in packet using an IP header field (IP identifier).
      • Fixed space regardless of path length.
      • Router distance inferred from frequency of marked packets.
  • Problems
      • IP identifier
          • Breaks reconstruction of fragmented packets.
          • < 0.25 of traffic fragmented
      • Probability must be > 0.5 to be robust against attacker.
      • Large probability decreases chance of seeing packets marked by far routers.

11
Probabilistic Packet Marking: Edge sampling
  • Edge sampling
      • Two addresses: Start and End
      • Distance: Number of hops since edge stored.
  • Procedure
      • with probability p
          • write address into Start
          • write 0 into Distance
      • otherwise
          • if Distance is 0, write address into End
          • increment Distance

12
Probabilistic Packet Marking: Edge sampling
  • Edge sampling
      • Easy for victim to reconstruct path to attacker.
      • Probability can be much less than for simple marking.
      • Optimal is p < 1/d.
      • Effective for multiple attackers.
      • Number of required packets grows linearly.
  • Problems
      • Impossible to trust route further away than the closest attacker.
      • Require additional space in IP packet header.
          • 2x 32 bit addresses, 8 bit distance.
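
The marking procedure from slide 11 with a victim-side reconstruction, as an added Python example that is not part of the original presentation. The router names, the dictionary packet model, the `victim` label and the `FORGED` start value are assumptions for illustration; the run also shows the slide 12 limitation that the path cannot be trusted beyond the closest attacker.

```python
import random

def mark(pkt, router, p, rng):
    """Edge-sampling step each router applies to a forwarded packet."""
    if rng.random() < p:              # with probability p
        pkt["start"] = router         # write address into Start
        pkt["distance"] = 0           # write 0 into Distance
    else:                             # otherwise
        if pkt["distance"] == 0:      # Start was just written upstream: close the edge
            pkt["end"] = router
        pkt["distance"] += 1          # increment Distance

def send(path, p, rng, initial):
    """Forward one packet along path (sender side first).
    initial = (start, end, distance) as chosen by the sender."""
    pkt = dict(zip(("start", "end", "distance"), initial))
    for router in path:
        mark(pkt, router, p, rng)
    return pkt

def reconstruct(packets, victim="victim"):
    """Victim side: chain sampled edges outward by increasing distance."""
    edges = {}                        # distance -> {(start, end)}
    for pkt in packets:
        # Distance 0: the last router marked, End is stale, edge ends at the victim.
        end = victim if pkt["distance"] == 0 else pkt["end"]
        edges.setdefault(pkt["distance"], set()).add((pkt["start"], end))
    path, node, d = [], victim, 0
    while d in edges:
        upstream = [s for s, e in edges[d] if e == node]
        if len(upstream) != 1:        # gap, or several attack paths: stop here
            break
        node = upstream[0]
        path.append(node)
        d += 1
    return path

def demo(seed=1, n=2000):
    rng = random.Random(seed)
    routers = ["R1", "R2", "R3", "R4", "R5"]   # constructed path, R1 nearest the sender
    p = 0.15                                   # below 1/d for d = 5
    # Constructed sender that pre-fills Start with a bogus address.
    pkts = [send(routers, p, rng, ("FORGED", None, 0)) for _ in range(n)]
    return reconstruct(pkts)

if __name__ == "__main__":
    print(demo())   # real routers nearest-victim first, then the untrusted entry
```

The five router entries are written by routers on the path; the final entry comes from fields the sender filled in, which is why everything past the closest attacker has to be treated as untrusted.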

13
Edge sampling: Reduce Space Requirement - XOR
  • XOR two addresses for each edge together.

14
Edge sampling: Reduce Space Requirement - Subdivide
  • Break XORed addresses into k fragments.
  • Store only 1 fragment in packet with offset value.

15
Edge sampling: Reduce Space Requirement - Hash
  • Multiple attackers may produce non-unique edges with same distance.
  • Add error detection
      • Interleave IP with hash of itself.

16
Edge sampling: Reduce Space Requirement - Hash

17
Edge sampling: Reduce Space Requirement - Storage
  • Final size 16 bits

18
Edge sampling: Path Reconstruction

19
Edge sampling: Final
  • Problems
  • Path reconstruction does not scale well against
    distributed attacks.
  • Compatibility problems with IPsec.
  • Only traces attack, does nothing to stop it.