Introduction to IP Traceback - PowerPoint PPT Presentation (transcript, 42 slides, provided by Iven)

1
Introduction to IP Traceback
  • ???? ???
  • ??? ??
  • 2004/3/26

2
Outline
  • Introduction
  • Ingress Filtering
  • Packet Marking
  • Packet Digesting
  • Summary

3
Introduction
4
Introduction
  • The Internet has become ubiquitous
  • The impact of network attackers is getting more
    and more significant
  • Two kinds of attacks
  • A few well-targeted packets
    (example: the Teardrop attack)
  • Denial-of-service (DoS) and distributed DoS (DDoS)
    attacks, typically conducted by flooding network
    links with large amounts of traffic

5
DDoS
Figure: (a) direct DDoS, (b) reflector attack
6
The Difficulty of Catching the Attacker
  • The anonymity of the IP protocol
  • The true source of an IP datagram cannot be
    identified if the source wishes to conceal it
  • Solution: ingress filtering
  • In some places spoofed source addresses are
    legitimate
  • Network address translators (NATs)
  • Mobile IP

7
IP Traceback Problem
  • The IP traceback problem
  • The problem of identifying the source of the
    offending packets
  • "Source" may mean
  • A zombie
  • A reflector
  • A spoofed address
  • The ingress point to the traceback-enabled network
  • One or more compromised routers within the
    enabled network

8
IP Traceback Problem - Solutions
  • Packet marking
  • To cope with DDoS attacks
  • Routers mark packets with their identification
  • The victim can reconstruct the attack path once a
    sufficient number of marked packets has been
    collected
  • Packet digesting
  • For attacks that require only a few packets
  • Requires storage of audit trails on the routers
  • The victim asks routers whether the offending
    packet passed through them

9
Evaluation Metrics for IP Traceback Techniques (1)
  • ISP Involvement
  • Number of Attacking Packets Needed for Traceback
  • The Effect of Partial Deployment
  • Processing Overhead
  • Bandwidth Overhead
  • Memory Requirements
  • Ease of Evasion

10
Evaluation Metrics for IP Traceback Techniques (2)
  • Protection
  • Scalability
  • Number of Functions Needed to Implement
  • Ability to Handle Major DDoS Attacks
  • Ability to Trace Transformed Packets
  • Network Address Translation (NAT)
  • Tunneling
  • ICMP packets
  • Duplication of a packet in multicast

11
Ingress Filtering
12
Ingress Filtering
  • Limit the source addresses of IP datagrams leaving
    a network to addresses belonging to that network
  • If ingress filtering is not deployed everywhere,
    attackers can still spoof any address on the
    Internet

13
Why Don't People Run Ingress Filtering?
  • It is easy! It improves security! Why not run it?
  • Some people do run it on current routers
  • It is implemented in the slow path, in software
    rather than in hardware
  • It is easy
  • → for routers close to the edge of the network,
    where addressing rules are well defined
  • It becomes complex and inefficient
  • → for transit networks, where packets with a
    given source address can enter the network in
    multiple locations

14
Packet Marking
15
Packet Marking
  • Probabilistic packet marking (PPM)
  • ICMP traceback (iTrace)
  • Deterministic packet marking (DPM)

16
Probabilistic Packet Marking
  • Routers mark packets that pass through them
  • Packets to mark are selected with probability
    p = 0.04

17
Router Marking
18
Pros and Cons
  • Pros
  • High stability
  • Still works under partial deployment
  • No bandwidth overhead
  • Low network processing overhead (only deciding
    which packets to mark)
  • Cons
  • Only for DoS and DDoS attacks
  • The victim needs high memory and high processing
    capacity for reconstruction
  • Without authentication, mark spoofing is possible
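The marking and reconstruction described on the PPM slides, simulated end to end as an added example (this is not code from the slides or from the cited paper). It implements the edge-sampling variant of Savage et al.: with probability p a router starts a new edge in the packet, otherwise it completes the edge begun by the previous hop and increments a distance counter. The mark is kept as three plain Python values instead of being compressed into the 16-bit Identification field, router names and packet counts are constructed sample data, and the attacker's spoofed mark (a fake router "X") is there to show the last bullet above: without authentication a forged edge survives, but only beyond the attacker's true position, because every router still increments the distance.

```python
"""Edge-sampling probabilistic packet marking (PPM), simulated.

Added example, not code from the slides. Marks are (start, end, distance)
triples; routers, victim and packet counts are constructed sample data.
"""
import random

P_MARK = 0.04  # marking probability from the slides


def route_packet(path, p, rng, attacker_mark=None):
    """Forward one packet along `path` (routers ordered attacker -> victim)
    and return the (start, end, distance) mark the victim receives.

    With probability p a router starts a fresh edge (start=itself, dist=0);
    otherwise, if dist is still 0 the previous hop just started an edge
    and this router writes itself as its far end; in every no-mark case the
    distance is incremented. `attacker_mark` pre-fills the fields (mark
    spoofing): routers still increment distance, so the forged edge can
    only show up farther from the victim than the attacker really is.
    """
    start, end, dist = attacker_mark if attacker_mark else (None, None, 0)
    for router in path:
        if rng.random() < p:
            start, end, dist = router, None, 0
        else:
            if dist == 0:
                end = router
            dist += 1
    return start, end, dist


def reconstruct(marks, victim):
    """Victim side: group edges by distance, then grow the attack graph one
    hop at a time from the victim, accepting an edge only if its far end
    was found at the previous hop (the distance-consistency check).
    Returns a dict node -> list of upstream neighbours."""
    edges_by_dist = {}
    for start, end, dist in marks:
        if start is not None:            # unmarked packets carry no start
            edges_by_dist.setdefault(dist, set()).add((start, end))
    tree = {victim: []}
    frontier = {victim}
    d = 0
    while frontier and d in edges_by_dist:
        new_frontier = set()
        for start, end in sorted(edges_by_dist[d], key=str):
            parent = victim if d == 0 else end
            if parent in frontier and start not in tree:
                tree[parent].append(start)
                tree[start] = []
                new_frontier.add(start)
        frontier = new_frontier
        d += 1
    return tree


def path_from_tree(tree, victim):
    """Follow the first upstream neighbour at every node (single path)."""
    node, out = victim, [victim]
    while tree.get(node):
        node = tree[node][0]
        out.append(node)
    return out


def simulate(path, victim, n_packets, n_spoofed=0, p=P_MARK, seed=7):
    """Attacker behind `path` sends n_packets ordinary packets plus n_spoofed
    packets whose mark fields claim an edge from a fake router 'X'."""
    rng = random.Random(seed)
    marks = [route_packet(path, p, rng) for _ in range(n_packets)]
    marks += [route_packet(path, p, rng, ("X", "Y", 0))
              for _ in range(n_spoofed)]
    return reconstruct(marks, victim)


if __name__ == "__main__":
    attack_path = ["R1", "R2", "R3", "R4", "R5"]  # R5 is adjacent to the victim
    print(path_from_tree(simulate(attack_path, "V", 3000), "V"))
    print(path_from_tree(simulate(attack_path, "V", 3000, n_spoofed=100), "V"))
```

With p = 0.04 and five hops the farthest router's edge survives in a fraction p(1-p)^4 ≈ 0.034 of packets, so a few thousand packets reveal the whole path; the spoofed marks appear as an extra hop "X" behind R1, which the victim cannot distinguish from a real upstream router without authenticated marks.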

19
Ability to Trace Transformed Packets
  • Can handle modification and transformation of the
    packets directed to the victim
  • The IP Identification field, normally used for
    fragmentation, carries the mark
  • If a single fragment of the original datagram is
    marked, reassembly at the destination fails
  • Solution: select a lower marking probability for
    fragmented packets
  • Tunneling may create a problem for reconstruction
  • If marks are extracted before the outer header is
    removed

20
ICMP Traceback (iTrace)
  • An ICMP traceback message (iTrace) carries
  • Next hop
  • Previous hop
  • Timestamp
  • As many bytes of the traced packet as fit
  • TTL = 255

21
Intention-Driven iTrace
  • Attack(V)
  • 1 if victim V is under attack
  • Intention(V)
  • 1 if victim V wants to receive ICMP traceback
    messages
  • Received(R→V)
  • How many iTrace messages from router R to victim
    V have been received
  • Generated(R)
  • The number of iTrace messages generated by router
    R for all destinations
  • The value of an ICMP traceback message can be a
    function of these quantities

22
Architecture
  • Introduce a new bit: the intention bit
  • The intention bit of a routing table entry is set
    to 1 if the destination has signalled the
    intention to receive ICMP traceback messages
  • Decision module
  • Chooses one entry from the routing table
  • Prefers the one with the highest value

23
Pros and Cons
  • The pros and cons of iTrace are similar to those
    of PPM, except
  • iTrace has bandwidth overhead; PPM has none
  • Without authentication, fake ICMP traceback
    messages are even easier to generate

24
Deterministic Packet Marking
  • Each packet is marked when it enters the network
  • Only incoming packets are marked
  • Mark = address information of the ingress interface
  • Stored in the 16-bit Identification field plus the
    1-bit reserved flag

25
The Information in the Marks
Figure: layout of a mark (address segment, pad, ideal hash)
26
Reconstruction Process
  • The ingress address is divided into areas
  • Each area has k segments
  • Each segment has a fixed number of bits
27
PPM vs. DPM
  • Mark spoofing
  • (PPM) Use coding techniques (but not 100% effective)
  • (DPM) A spoofed mark is overwritten at the ingress
    router
  • The information received by the victim
  • (PPM) The full path
  • (DPM) The address of the ingress router
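The basic DPM scheme from the slides above (address of the ingress interface split across the 16-bit Identification field and the reserved flag bit), simulated as an added example that is not code from the slides or from Belenky and Ansari. It shows the two points of the comparison slide: the ingress router overwrites whatever mark the attacker chose, and the victim learns only the ingress address. It also shows why the later segment-plus-hash variant exists: with several ingress interfaces the victim cannot tell which halves belong together. The addresses (documentation ranges), the attacker's mark 0xDEAD and the packet counts are constructed sample data.

```python
"""Deterministic packet marking (DPM), basic two-half scheme, simulated.

Added example, not code from the slides. The mark is one 16-bit half of
the ingress interface address in the Identification field; the reserved
flag bit (0 = upper half, 1 = lower half) says which. Sample addresses
and counts are constructed.
"""
import ipaddress
import random


def ingress_mark(packet, ingress_addr, rng):
    """Edge router, ingress interface: unconditionally overwrite the two mark
    fields with a randomly chosen half of the interface address. Whatever
    the sender put there is lost, so a mark forged outside the marking
    perimeter never reaches the victim."""
    addr = int(ipaddress.IPv4Address(ingress_addr))
    flag = rng.randint(0, 1)
    packet["ident"] = (addr >> 16) if flag == 0 else (addr & 0xFFFF)
    packet["flag"] = flag
    return packet


def victim_reconstruct(packets):
    """Victim: collect the upper and lower halves seen and combine them.
    With one ingress interface this yields exactly its address; with n of
    them the basic scheme cannot pair the halves and yields up to n*n
    candidate addresses."""
    upper = {p["ident"] for p in packets if p["flag"] == 0}
    lower = {p["ident"] for p in packets if p["flag"] == 1}
    return sorted(str(ipaddress.IPv4Address((hi << 16) | lo))
                  for hi in upper for lo in lower)


def simulate(ingress_addrs, packets_per_source, seed=3):
    """Every packet arrives at its ingress router carrying an attacker-chosen
    mark (0xDEAD, flag 1) that the router overwrites. Returns the candidate
    ingress addresses the victim reconstructs."""
    rng = random.Random(seed)
    received = []
    for addr in ingress_addrs:
        for _ in range(packets_per_source):
            spoofed = {"ident": 0xDEAD, "flag": 1}
            received.append(ingress_mark(spoofed, addr, rng))
    return victim_reconstruct(received)


if __name__ == "__main__":
    print(simulate(["203.0.113.7"], 64))
    print(simulate(["203.0.113.7", "198.51.100.9"], 64))
```

Each half is chosen with probability 1/2, so after a few dozen packets from one source both halves have almost certainly been seen; the victim needs far fewer packets than PPM but gets a single address rather than a path.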

28
Packet Digesting: Source Path Isolation Engine
(SPIE)
29
Packet Digesting
  • Compute a digest over
  • The invariant portion of the IP header (16 bytes)
  • The first 8 bytes of the payload
  • 24 bytes → sufficient to differentiate almost all
    packets

30
Prefix Length vs. Collision Probability
Figure: collision probability as a function of the digested prefix
length, for
  • a WAN trace from an OC-3 gateway router
  • a LAN trace from an active 100 Mb Ethernet segment

31
Bloom Filter (1)
  • A technique that simply stores the digests
  • For each arriving packet
  • Step 1: use k different hash functions to compute k
    independent n-bit digests
  • Step 2: set the corresponding bits in the 2^n-bit
    digest table
32
Bloom Filter (2)
  • If any one of them is zero
  • The packet was not stored in the table
  • If all the bits are one
  • It is highly likely the packet was stored
  • It is possible that some set of other insertions
    caused all the bits to be set
  • Restriction
  • Can only store a limited number of digests
  • Saturated filters can be swapped out for a new,
    empty filter
  • Change to a new filter? loss the previous digest
    information
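The digest computation and the Bloom filter from the packet-digesting slides, as one added example that is not code from the slides or from the SPIE project. The digest input follows the slide: the IPv4 header with the mutable fields (TOS, TTL, checksum, options) dropped, leaving 16 bytes, plus the first 8 bytes of payload. The k hash functions are salted SHA-256 truncated to n bits (SPIE itself uses hardware-friendly hash families; SHA-256 is an assumption here), the table sizes are small for illustration, and the DGA-like agent swaps a saturated filter for an empty one while keeping the old filter annotated with the sequence range it covers. The packets are constructed sample data.

```python
"""SPIE-style packet digesting with a time-windowed Bloom filter.

Added example, not code from the slides or from SPIE. The hash family
(salted SHA-256) and the sizes are assumptions; packets are constructed.
"""
import hashlib
import ipaddress
import math
import struct

_HDR = struct.Struct("!BBHHHBBH4s4s")  # IPv4 header without options


def ipv4_packet(src, dst, ident, payload, ttl=64, tos=0, proto=17):
    """Constructed sample packet: 20-byte header plus payload. The header
    checksum is left as 0; it changes hop by hop and is masked anyway."""
    hdr = _HDR.pack(0x45, tos, 20 + len(payload), ident, 0, ttl, proto, 0,
                    ipaddress.IPv4Address(src).packed,
                    ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def spie_prefix(packet):
    """The 24 bytes that get digested: the invariant header bytes (TOS, TTL,
    checksum and options dropped, 16 bytes remain) followed by the first 8
    bytes of payload, zero-padded if the payload is shorter."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = packet[:20]
    invariant = hdr[0:1] + hdr[2:8] + hdr[9:10] + hdr[12:20]
    return invariant + packet[ihl:ihl + 8].ljust(8, b"\x00")


class BloomFilter:
    """A 2**log2_bits-bit table with k salted hash functions."""

    def __init__(self, log2_bits, k):
        self.m, self.k = 1 << log2_bits, k
        self.bits = bytearray(self.m // 8)
        self.count = 0

    def _positions(self, data):
        for salt in range(self.k):
            h = hashlib.sha256(bytes([salt]) + data).digest()
            yield int.from_bytes(h[:8], "big") & (self.m - 1)

    def add(self, data):
        for pos in self._positions(data):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def maybe_contains(self, data):
        """False means definitely not stored; True means probably stored."""
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(data))

    def false_positive_rate(self):
        """Standard estimate (1 - e^(-k*count/m))^k for the current load."""
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k


class DigestAgent:
    """DGA-like agent: one filter per window. A saturated filter is swapped
    for an empty one and the old one is kept, annotated with the sequence
    number at which it started, so later queries can still be answered."""

    def __init__(self, log2_bits=16, k=3, capacity=4096):
        self.log2_bits, self.k, self.capacity = log2_bits, k, capacity
        self.windows = []  # (first sequence number, filter), oldest first
        self.seq = 0
        self._new_window()

    def _new_window(self):
        self.windows.append((self.seq, BloomFilter(self.log2_bits, self.k)))

    def observe(self, packet):
        if self.windows[-1][1].count >= self.capacity:
            self._new_window()
        self.windows[-1][1].add(spie_prefix(packet))
        self.seq += 1

    def seen(self, packet, at_seq):
        """Did this packet pass here around sequence number at_seq?"""
        for first, bf in reversed(self.windows):
            if first <= at_seq:
                return bf.maybe_contains(spie_prefix(packet))
        return False
```

Decrementing the TTL or recomputing the checksum at a hop leaves the digest unchanged, which is the point of the mask; two packets that differ only after the eighth payload byte collide, which is the accepted price of digesting only 24 bytes.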

33
Architecture (1)
  • Data Generation Agent (DGA)
  • SPIE Collection and Reduction Agents (SCARs)
  • SPIE Traceback Manager (STM)

34
Architecture (2)
  • DGA
  • A SPIE-enhanced router
  • 1. produces packet digests
  • 2. stores the digests
  • Digest table annotated with time and hash function
  • SCARs
  • Concentration points for several routers
  • 1. produce the local attack graph

35
Architecture (3)
  • STM
  • Controls the whole SPIE system
  • The interface for requesting a packet trace
  • 1. verifies the authenticity of the request
  • 2. dispatches the request to the appropriate SCARs
  • 3. gathers the resulting attack graphs
  • 4. completes the attack graph
  • 5. replies to the IDS

36
Traceback Processing
Figure: traceback processing flowchart. A query consists of the
packet P, the victim V and the time of attack T. If P entered the
region from a neighbouring network, the query is re-issued with P as
the entering packet, V as the border router between the two networks
and T as the time the packet entered the region; otherwise the trace
terminates.
37
Graph Construction
  • Reverse path flooding
  • Figure: example over routers R2, R3, R4, R5, R7,
    R8, R9 and S5
  • The SCAR does not need to query the DGAs
    sequentially
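Reverse path flooding, the SCAR's graph construction step from the slide above and the per-region step of the traceback processing flowchart, as an added example (not code from the slides or from SPIE). The DGAs are modelled as an in-memory mapping from router name to the set of digests it recorded, standing in for the time-indexed Bloom filters; a real DGA can answer "yes" falsely, which the sample data reproduces with router R4. The topology, digest and border set are constructed; the search asks all neighbours of the current frontier in one round, which is what "does not need to query the DGAs sequentially" allows.

```python
"""Reverse path flooding over a SPIE-enabled region.

Added example, not code from the slides. DGA answers are modelled by
DGA_RECORDS (router -> digests recorded); topology and data are constructed.
"""

# Undirected adjacency of the traceback-enabled region (constructed).
TOPOLOGY = {
    "R1": ["R2", "R6"],          # R1 is the router adjacent to the victim
    "R2": ["R1", "R3", "R4"],
    "R3": ["R2", "R5", "R8"],
    "R4": ["R2", "R7"],
    "R5": ["R3"],
    "R6": ["R1"],
    "R7": ["R4"],
    "R8": ["R3"],                # R8 borders the neighbouring network
}
BORDER = {"R8"}

# What each DGA recorded (constructed). "d1" really crossed R8-R3-R2-R1;
# R4 also answers "yes" for it, modelling a Bloom filter false positive.
DGA_RECORDS = {
    "R1": {"d1", "d2"},
    "R2": {"d1"},
    "R3": {"d1"},
    "R4": {"d1"},
    "R8": {"d1"},
}


def query_dgas(records, routers, digest):
    """One round of queries issued in parallel: which of `routers` saw it."""
    return {r for r in routers if digest in records.get(r, ())}


def reverse_path_flood(topology, records, border, victim_router, digest):
    """Breadth-first search from the router nearest the victim. At every hop
    the not-yet-visited neighbours of the whole frontier are queried at
    once; those that saw the packet join the attack graph. Returns
    (edges, handoffs): edges as (upstream, downstream) pairs, and the
    border routers at which the trace must be handed to the neighbouring
    network's traceback system (the flowchart's re-issued query)."""
    if digest not in records.get(victim_router, ()):
        return [], []
    edges, handoffs = [], []
    visited = {victim_router}
    frontier = [victim_router]
    while frontier:
        next_frontier = []
        for router in frontier:
            if router in border:
                handoffs.append(router)
                continue
            candidates = [n for n in topology[router] if n not in visited]
            for hit in sorted(query_dgas(records, candidates, digest)):
                visited.add(hit)
                edges.append((hit, router))
                next_frontier.append(hit)
        frontier = next_frontier
    return edges, handoffs


if __name__ == "__main__":
    print(reverse_path_flood(TOPOLOGY, DGA_RECORDS, BORDER, "R1", "d1"))
```

The false positive at R4 produces the edge (R4, R2) and nothing behind it, since R7 never recorded the digest: in the resulting graph a Bloom filter false positive looks like a short dead-end branch, while the true path continues to the border router R8 and is handed off there.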

38
Ability to Trace Transformed Packets (1)
  • Transform lookup table (TLT)
  • Records sufficient packet data at the time of
    transformation to allow the original packet to be
    reconstructed
  • 1st field: a digest of the transformed packet
  • 2nd field: the type of transformation (includes a
    flag I)
  • 3rd field: a variable amount of packet data

39
Ability to Trace Transformed Packets (2)
  • Flag I (indirect flag)
  • (1) For some transformations, such as NAT, the
    32-bit data field is not enough
  • → Set I = 1; the third field is then treated as a
    pointer
  • (2) In many cases (e.g., tunneling or NAT), packets
    undergoing a particular transformation are
    related
  • → It is possible to reduce the storage requirement
    by suppressing duplicate packet data
  • → Flag I is used for flow caching, or at least flow
    identification, so that the packets within the
    flow can be correlated and stored appropriately

40
Summary
41
Summary
  • In recent years much interest and consideration
    have been paid to securing the Internet
    infrastructure
  • To detect offending packets, the IDS (Intrusion
    Detection System) becomes more and more important
  • Detecting the offending packets (IDS) → finding
    the attackers (IP traceback)
  • Several methods have been proposed
  • Each has its own advantages and disadvantages
  • None of the methods described has been used on
    the Internet
  • When economic or political incentives become
    strong enough to justify deployment of IP
    traceback, new requirements and evaluation
    metrics might emerge

42
References
  • R. K. C. Chang, "Defending against Flooding-Based
    Distributed Denial-of-Service Attacks: A
    Tutorial", IEEE Commun. Mag., Oct. 2002, pp.
    42-51.
  • A. Belenky and N. Ansari, "On IP Traceback", IEEE
    Communications Magazine, vol. 41, no. 7, July
    2003.
  • S. Savage et al., "Network Support for IP
    Traceback", IEEE/ACM Trans. Net., vol. 9, no. 3,
    June 2001, pp. 226-237.
  • D. X. Song and A. Perrig, "Advanced and
    Authenticated Marking Schemes for IP Traceback",
    Proc. INFOCOM 2001, vol. 2, pp. 878-886.
  • S. F. Wu et al., "On Design and Evaluation of
    Intention-Driven ICMP Traceback", Proc. 10th
    Int'l. Conf. Comp. Commun. and Nets., 2001, pp.
    159-165.
  • A. Belenky and N. Ansari, "IP Traceback With
    Deterministic Packet Marking", IEEE
    Communications Letters, vol. 7, no. 4, April 2003.
  • A. Belenky and N. Ansari, "Tracing Multiple
    Attackers With Deterministic Packet Marking",
    IEEE PACRIM '03, August 2003.
  • A. C. Snoeren et al., "Single-Packet IP
    Traceback", IEEE/ACM Trans. Net., vol. 10, no. 6,
    Dec. 2002, pp. 721-734.