Practical Network Support for IP Traceback - PowerPoint PPT Presentation

1
Practical Network Support for IP Traceback
Stefan Savage, David Wetherall, Anna Karlin, and
Tom Anderson
  • Sara Sprenkle
  • February 24, 2000

2
The Problem
  • denial of service attacks
  • consume resources of remote host or network
  • simple to implement (Trinoo)
  • spoofing addresses
  • difficult to prevent
  • more difficult to trace

3
The Problem
  • denial of service attacks
  • increased number and frequency
  • coordinate distributed attacks
  • better technology

4
Outline
  • related work
  • proposed solution
  • algorithms
  • making it work
  • experimental results
  • future work

5
Related Work
  • ingress filtering
  • link testing
  • input debugging
  • controlled flooding
  • logging

6
Related Work
  • ingress filtering
  • block packets with bad source addresses
  • mgmt overhead - moderate
  • network overhead - low
  • router overhead - moderate

7
Related Work
  • link testing
  • input debugging
  • determine input port of attack packets
  • attack signature - common feature
  • strengths
  • network overhead, distributed
  • weaknesses
  • management, router overhead
  • post-mortem capability

8
Related Work
  • link testing
  • input debugging
  • controlled flooding
  • flood links with bursts of traffic
  • note changes to attack packets
  • strengths
  • mgmt, router overhead
  • weaknesses
  • a denial of service attack itself
  • distributed, post-mortem - poor

9
Related Work
  • logging
  • key routers log packets
  • trace packets path
  • strengths
  • post-mortem
  • weaknesses
  • high resource demand

10
Marking Algorithms Overview
  • mark packets with router address
  • deterministically or probabilistically
  • trace attack using marked packets
  • strengths
  • independent of ISP management
  • little network overhead, traffic
  • trace distributed attacks, attacks post-mortem

11
Definitions
(figure: attack topology with attackers A1, A2, A3, routers R1 through R7 and the victim V)
12
Definitions
(same figure; the attackers A1, A2, A3 are labelled as the attack origin)
13
Definitions
(same figure; the attack path is highlighted)
exact traceback: R6, R3, R2, R1
14
Definitions
(same figure)
approx. traceback: R5, R6, R3, R2, R1
15
Marking Algorithms
  • marking procedure
  • by routers
  • add information to packet
  • path reconstruction procedure
  • by victim
  • use information in marked packets
  • convergence time
  • of packets to reconstruct the attack path

16
Assumptions
  • attacker can generate any packet
  • multiple attackers may conspire
  • attackers may be aware they are being traced
  • packets may be lost or reordered

17
Design Assumptions
  • attackers send numerous packets
  • route between attacker and victim is fairly
    stable
  • routers have limited CPU and memory
  • routers are not widely compromised

18
Node Append
  • append address of each node to the end of the
    packet
  • complete, ordered list of routers → attack path

original packet
router list
19
Node Append
  • append address of each node to the end of the
    packet
  • complete, ordered list of routers → attack path
  • robust, converges quickly
  • high router overhead
  • fragmentation

20
Node Sampling
  • reserve node field in packet header
  • router writes address in node field with
    probability p

21
Node Sampling
(figure, slides 21-24: a packet traversing routers R1, R2, R3 with node-sampling marks)
25
Node Sampling
  • reserve node field in packet header
  • router writes address in node field with
    probability p
  • reconstruct path using relative frequency of node samples
  • additional write, checksum update
  • robust against one attacker if p > 0.5

26
Node Sampling
  • limitations
  • slow convergence
  • need many packets
  • order of 100,000 packets
  • can't trace multiple attackers

27
Edge Sampling
  • store edges instead of nodes
  • start and end addresses
  • distance from edge to victim

28
Edge Sampling
(figure, slides 28-31: a packet traversing routers R1, R2, R3 with edge-sampling marks, start/end/distance)
32
Edge Sampling
  • store edges instead of nodes
  • start and end addresses
  • distance from edge to victim
  • optimal p = 1/d
  • (1/d) ≥ p, good enough
  • converges on order of x00 packets
  • depends on d and p
  • robust
  • limited by additional space requirement

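Added example (not code from the paper or from this deck): a Python simulation of the edge sampling marking procedure of slides 27-32 and the victim's reconstruction. Router names, the 10-hop path, p = 1/25 and the packet count are constructed here; expected_packets_bound is the paper's ln(d)/(p(1-p)^(d-1)) bound on the expected number of packets, which the deck summarises as "depends on d and p". The attacker is allowed to forge the reserved marking fields, which shows where forged data can and cannot end up.

```python
"""Edge sampling: marking by routers, path reconstruction by the victim.

Added example, not the paper's or the deck's code. Router names, path, p and
the packet count are constructed for illustration.
"""
import math
import random


def mark_edge(router, pkt, p, rng):
    """Marking procedure run by one router on one packet.

    pkt holds the three reserved header fields: start, end, distance.
    """
    if rng.random() < p:
        # start a new edge: this router is its upstream end, distance 0
        pkt["start"] = router
        pkt["end"] = None
        pkt["distance"] = 0
    else:
        if pkt["distance"] == 0:
            # previous hop just started an edge: we are its downstream end
            pkt["end"] = router
        pkt["distance"] += 1


def send_through_path(path, pkt, p, rng):
    """Forward pkt from path[0] (attacker's first hop) to path[-1] (victim's neighbour)."""
    for router in path:
        mark_edge(router, pkt, p, rng)
    return pkt


def reconstruct(marks, victim):
    """Victim's reconstruction: chain edges by distance, starting at distance 0.

    marks: iterable of (start, end, distance) as received. An edge at
    distance 0 arrives with end None, which the victim reads as itself.
    Returns the path nearest-router-first.
    """
    by_distance = {}
    for start, end, dist in marks:
        by_distance.setdefault(dist, set()).add((start, end if end is not None else victim))
    path = []
    node = victim
    dist = 0
    while dist in by_distance:
        nxt = {s for s, e in by_distance[dist] if e == node}
        if len(nxt) != 1:
            break  # chain does not continue, or is ambiguous (several attackers)
        node = nxt.pop()
        path.append(node)
        dist += 1
    return path


def expected_packets_bound(d, p):
    """Paper's bound on the expected packets needed for a path of length d."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


def simulate(path, victim, p, n_packets, seed=1):
    """Send n_packets from the attacker and let the victim reconstruct the path."""
    rng = random.Random(seed)
    marks = []
    for _ in range(n_packets):
        # the attacker can generate any packet, so it forges the marking fields
        pkt = {"start": "forged", "end": "forged", "distance": 0}
        send_through_path(path, pkt, p, rng)
        marks.append((pkt["start"], pkt["end"], pkt["distance"]))
    return reconstruct(marks, victim)


if __name__ == "__main__":
    attack_path = [f"R{i}" for i in range(10, 0, -1)]  # R10 is the attacker's first hop
    print(simulate(attack_path, "V", 1 / 25, 2000))
    print(round(expected_packets_bound(10, 0.1), 1))
```

Every real router overwrites or increments the forged fields, so the victim recovers R1 through R10 correctly; the forged start address can only show up at distance 10, one hop beyond the last real router, which is exactly the "spoof end edges" problem listed under Future Work that suffix validation is meant to close.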
33
Encoding
  • overload the IP identification field
  • used for fragmentation
  • decreases the space requirement
  • increases convergence time

34
Decreasing Space Requirements
  • XOR the edges' IP addresses
  • d = 1: no XOR, just IP addr
  • a ⊕ b ⊕ a = a

35
Using XOR
attack path: a → b → c → d → v
resulting XOR edges: a ⊕ b, b ⊕ c, c ⊕ d, d
36
Using XOR
reconstructed path: start from d, then d ⊕ (c ⊕ d) = c, c ⊕ (b ⊕ c) = b, b ⊕ (a ⊕ b) = a
37
Subdividing edge-id
  • divide the edge-id into k non-overlapping fragments (one per packet)
  • need offset of fragment

38
Creating unique edge-ids
  • edge-id fragments are not unique
  • with multiple attackers, multiple edge fragments
    with the same offset and distance
  • bit-interleave hash code with IP address

39
Creating unique edge-ids
Address: 0000...1111
Hash(Address): 00111100
Bit-interleave: 00000101...11111010
split into fragments 0 ... k-1, send k fragments into network
40
Candidate edge-ids
  • combine all permutations of fragments at each
    distance with disjoint offset values
  • check that the hash matches the hash of the address

41
Constructing Candidate Edges
fragments 0 ... k-1 → 00000101...11111010
de-interleave → Address? = 0000...1111, Hash(Address)? = 00111100
compute Hash(Address?) = 00111100 and compare: match → yes, correct address; mismatch → no, reject
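Added example (not code from the paper or from this deck) covering slides 33-41 together: XOR-encoded edges, the bit-interleaved hash, k = 8 fragments per edge-id, and the victim's candidate construction with the hash check. The 32-bit hash (SHA-256 truncated), router addresses, the 10-hop path and the packet count are all assumptions made here; the paper does not fix a hash function. The attacker again forges the marking fields, so the block also shows the hash check rejecting a forged candidate.

```python
"""Compressed edge fragment sampling: XOR edges, interleaved hash, k fragments,
candidate combination and hash verification at the victim.

Added example, not the paper's or the deck's code. hash32 (SHA-256 truncated to
32 bits), K = 8, the addresses, path and packet count are constructed here.
"""
import hashlib
import random
from itertools import product

K = 8          # fragments per 64-bit edge-id, 8 bits each
MAX_DIST = 31  # 5-bit distance field saturates here


def hash32(addr):
    """32-bit hash of a 32-bit address (assumed: truncated SHA-256)."""
    return int.from_bytes(hashlib.sha256(addr.to_bytes(4, "big")).digest()[:4], "big")


def interleave(addr, h):
    """Bit-interleave address and hash into a 64-bit edge-id: even bits addr, odd bits hash."""
    out = 0
    for i in range(32):
        out |= ((addr >> i) & 1) << (2 * i)
        out |= ((h >> i) & 1) << (2 * i + 1)
    return out


def deinterleave(edge_id):
    addr = h = 0
    for i in range(32):
        addr |= ((edge_id >> (2 * i)) & 1) << i
        h |= ((edge_id >> (2 * i + 1)) & 1) << i
    return addr, h


def fragments(addr):
    """Split interleave(addr, hash32(addr)) into K 8-bit fragments; offset 0 is the low byte."""
    eid = interleave(addr, hash32(addr))
    return [(eid >> (8 * off)) & 0xFF for off in range(K)]


def mark_fragment(frags, pkt, p, rng):
    """Marking procedure of one router (frags = its precomputed fragments) on one packet."""
    if rng.random() < p:
        off = rng.randrange(K)
        pkt["offset"], pkt["frag"], pkt["distance"] = off, frags[off], 0
    else:
        if pkt["distance"] == 0:
            # downstream end of a fresh edge: XOR our fragment at the same offset
            pkt["frag"] ^= frags[pkt["offset"]]
        pkt["distance"] = min(pkt["distance"] + 1, MAX_DIST)


def reconstruct(observed):
    """Victim side. observed: dict (distance, offset) -> set of fragment values seen.

    At each distance, XOR with the fragments of the router recovered one hop closer
    (nothing at distance 0), combine one value per offset, de-interleave, and keep
    only a combination whose hash half equals hash32 of its address half.
    """
    path = []
    prev = [0] * K  # fragments of the downstream router; zeros mean "no XOR" at distance 0
    for dist in range(MAX_DIST + 1):
        per_offset = [{v ^ prev[off] for v in observed.get((dist, off), set())} for off in range(K)]
        if any(len(c) == 0 for c in per_offset):
            break  # not all k fragments seen at this distance yet
        found = None
        for combo in product(*per_offset):
            eid = sum(f << (8 * off) for off, f in enumerate(combo))
            addr, h = deinterleave(eid)
            if hash32(addr) == h:
                found = (addr, list(combo))
                break
        if found is None:
            break  # every candidate failed the hash check (for example, forged fields)
        path.append(found[0])
        prev = found[1]
    return path


def simulate(routers, p, n_packets, seed=3):
    """routers: 32-bit addresses from the attacker's first hop to the victim's neighbour."""
    rng = random.Random(seed)
    frag_table = [fragments(r) for r in routers]
    observed = {}
    for i in range(n_packets):
        # attacker forges the marking fields: fixed fragment, cycling offsets, distance 0
        pkt = {"frag": 0x55, "offset": i % K, "distance": 0}
        for frags in frag_table:
            mark_fragment(frags, pkt, p, rng)
        observed.setdefault((pkt["distance"], pkt["offset"]), set()).add(pkt["frag"])
    return observed


if __name__ == "__main__":
    path = [0x0A000000 | i for i in range(10, 0, -1)]  # constructed 10.0.0.10 .. 10.0.0.1
    print([hex(a) for a in reconstruct(simulate(path, 1 / 25, 6000))])
```

The victim recovers the ten real routers nearest-first; the forged fragments arrive at distance 10 and de-interleave to an address whose hash half does not match, so reconstruction stops there instead of extending the path. With several attackers the sets in per_offset grow and the product over offsets is what slide 44 means by the computational cost of a larger k.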
42
Evaluation
  • longer convergence time
  • divide edge-id into 8 fragments
  • attacker's distance is 10 hops
  • 2150 packets to converge with 95% certainty
  • few seconds

43
Evaluation
  • robustness wrt multiple attackers
  • hash length: 32 bits
  • fragments: 8
  • 10 distinct routers at the same distance
  • > 97% probability with no errors
  • distinct paths

44
Picking Parameters
  • choosing k
  • smaller k
  • smaller space requirements
  • larger k
  • computational overhead increases
  • robustness decreases

45
IP header encoding
  • separate issue from algorithms
  • overload the 16-bit identification field
  • used to differentiate IP fragments

46
Encoding Edge Fragments
(figure: the 16-bit identification field laid out as offset (3 bits), distance (5 bits), edge fragment (8 bits))
47
IP header encoding
  • backwards compatibility
  • two problems
  • writing the same values into the id fields of fragments from
    different datagrams
  • writing different values into the id fields of fragments
    of the same datagram

48
Fragmentation Issues
  • upstream from marking router
  • mark fragments with probability q
  • prepend ICMP echo reply header
  • full edge data
  • receiver loses packet
  • still get edge info
  • q p
  • increases loss rate, preserves data

49
Fragmentation Issues
  • downstream from marking router
  • if a fragment is lost
  • remaining fragments are stuck in the victim's
    reassembly buffer
  • future fragmented packets may be reassembled with
    them
  • set the Don't Fragment flag on every marked
    packet
  • degrades communication
  • no data corruption

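Added example (not code from the paper or from this deck) for slides 45-49: packing the offset, distance and fragment into the 16-bit identification field, and the checksum update a marking router has to perform after the write (the cost noted on slide 25). The sample header is constructed here with private addresses and with the Don't Fragment flag set, as slide 49 proposes for marked packets.

```python
"""Overloading the IPv4 identification field: 3-bit offset | 5-bit distance |
8-bit edge fragment, plus the header checksum update after a router writes it.

Added example, not the paper's or the deck's code; the header is constructed.
"""
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte header, no options


def pack_mark(offset, distance, fragment):
    """Encode (offset, distance, fragment) into the 16-bit identification field."""
    if not (0 <= offset < 8 and 0 <= distance < 32 and 0 <= fragment < 256):
        raise ValueError("mark field out of range")
    return (offset << 13) | (distance << 8) | fragment


def unpack_mark(ident):
    return (ident >> 13) & 0x7, (ident >> 8) & 0x1F, ident & 0xFF


def checksum(header):
    """Standard IPv4 header checksum: one's-complement sum of 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_header(src, dst, ident=0, payload_len=0):
    """Minimal IPv4/UDP header with the Don't Fragment flag (0x4000) set."""
    fields = [0x45, 0, 20 + payload_len, ident, 0x4000, 64, 17, 0, src, dst]
    fields[7] = checksum(IPV4_HDR.pack(*fields))
    return IPV4_HDR.pack(*fields)


def write_mark(header, offset, distance, fragment):
    """What a marking router does: overwrite the id field, then recompute the checksum."""
    fields = list(IPV4_HDR.unpack(header))
    fields[3] = pack_mark(offset, distance, fragment)
    fields[7] = 0
    fields[7] = checksum(IPV4_HDR.pack(*fields))
    return IPV4_HDR.pack(*fields)


def read_mark(header):
    """Victim side: pull (offset, distance, fragment) back out of the id field."""
    return unpack_mark(IPV4_HDR.unpack(header)[3])


def header_valid(header):
    """A header whose checksum field is correct sums to zero."""
    return checksum(header) == 0


if __name__ == "__main__":
    hdr = build_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", ident=0x1234, payload_len=8)
    marked = write_mark(hdr, 5, 9, 0xA7)
    print(hex(IPV4_HDR.unpack(marked)[3]), read_mark(marked), header_valid(marked))
```

Because the distance field is only 5 bits, a router must saturate it at 31 rather than let it wrap; and because the write replaces whatever identification value the sender chose, two fragments of one datagram can end up with different ids, which is the second of the two problems on slide 47 and the reason for setting Don't Fragment on marked packets.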
50
Testing the Algorithm
  • simulator
  • creates random paths
  • originates attacks
  • marking probability is 1/25
  • 1,000 random test runs
  • vary path lengths

51
Experimental Results
(figure: number of packets needed to reconstruct paths)
52
Future Work
  • suffix validation
  • spoof end edges
  • include a router secret
  • attack origin (host)
  • include hint about input port of packet
  • finding attacker (person)
  • find source, not attacker

53
Summary / Conclusions
  • traceback algorithms based on packet marking
  • edge sampling
  • efficient
  • robust multi-attacker traceback
  • convergence time and robustness vs. per-packet
    space requirements
  • trace after x,000 packets