A Topology-aware Single Packet Attack Traceback Scheme - PowerPoint PPT Presentation

1
A Topology-aware Single Packet Attack Traceback Scheme
Linfeng Zhang and Yong Guan
Department of Electrical and Computer Engineering, Information Assurance Center, Iowa State University
August 30, 2006
SecureComm 2006
2
Outline
  • Identifying who is attacking you
  • Our passive attack attribution approach: TOPO
  • Topology-aware Traceback
  • k-adaptive Mechanism for Bloom Filters
  • Summary and Future Plan

3
Identifying Attack Source
  • It's clear that we need better (and more secure)
    IT technology
  • But that, by itself, is not enough!
  • Often insiders: users with privileged access but
    with improper training or untoward motives
  • Unexpected interactions and failures
  • We need reliable methodologies for investigation
    when an untoward event occurs:
  • Fix collateral damage
  • Identify the causes
  • Prosecute the responsible person
  • Therefore, we have to know who the attacker is
    and where he/she is.

4
Identifying Attack Source
  • Why is this problem so hard?
  • Caller-ID does not exist
  • IP Packet headers are not authenticated
  • Spoofing of source IP addresses - A host can
    put any source IP address it wishes in packets it
    sends
  • Attackers are adapting to hide themselves
  • Use of network traffic relays (e.g., stepping
    stones, anonymity proxy, etc.)
  • Use of concealment techniques (e.g., delay and
    chaff perturbations)
  • Use of normal network traffic (e.g., VoIP) as
    carrier for attack traffic
  • Use of a small number of packets, even a single
    packet (e.g., LAND, Ping of Death, Teardrop)
  • All in all, attack traffic looks more and more
    like normal communications

5
Our Traceback Scheme: TOPO
  • Our Goal: Design an effective single packet
    attack traceback scheme.
  • We take a passive and log-based approach: Use
    Bloom Filters.

[Figure: Framework of TOPO. Attack graph over routers R1-R6.]
6
Our Traceback Scheme: TOPO
  • Bloom filter: a space-efficient data structure
    for answering membership queries.
  • m: Bit Size
  • n: Number of Inserted Elements
  • k: Number of Hash Functions
  • f: False Positive Rate

[Figure: an m-bit Bloom filter; Packet 1 and Packet 2 are inserted, then "Query Packet x?" tests the same bit positions. The expression for f and the "When ..." condition beneath it were part of the slide image only.]
7
Our Traceback Scheme: TOPO
  • Two problems that lead to false attributions
  • Problem 1: Unnecessary Queries
  • They produce false attributions
  • Problem 2: Optimal k
  • Given m and n, when does the false positive
    rate f reach its minimum value?
  • A router has to decide k to optimize f without
    knowing the number of arriving packets n.
    Impossible.
  • Naïve Solution: Build a lot of Bloom filters with
    different k, and store the optimal one.
    Memory-Consuming!

8
Our Traceback Scheme: TOPO
Router's behavior when receiving a packet

[Figure: Packet -> Packet Signature -> hash (h1, h2, ..., hk) -> Bloom Filter; Predecessor Identifier -> Predecessor List (Predecessor 1, Predecessor 2, ..., Predecessor i), "new?" -> Y -> insert; archived filters Archive 1, Archive 2, ..., Archive j, each kept for Pred. 1, Pred. 2, ..., Pred. n.]
9
Our Traceback Scheme: TOPO
Router's behavior when receiving a query message

[Figure: Query Message (arrival time t) -> Packet Signature -> hash (h1, h2, ..., hk) -> Bloom Filter, "all 1?" -> Y -> Query Predecessor i; Predecessor List (Predecessor 1, Predecessor 2, ..., Predecessor i) with Predecessor Identifier; Archive j for Pred. 1, Pred. 2, ..., Pred. n.]
10
Our Traceback Scheme: TOPO
Topology-aware traceback reduces false attributions

[Figure: two attack graphs over routers R1-R6, labelled "TOPO" and "Without Topology Info."]
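The query behaviour of the two router diagrams and the comparison on this slide, as an added Python model (not the authors' code): each router keeps one archive per predecessor (an assumed storage layout) and the topology-aware traceback queries only the predecessor whose archive matched, while the single-filter scheme must ask every predecessor. The Bloom filters are stood in for by exact sets plus a hash-derived, reproducible false-positive rate; router names R1-R6 follow the slides, and the links and the attack path R5 -> R3 -> R1 are constructed.

```python
import hashlib

class Router:
    """Constructed model of a TOPO router: exact sets plus a simulated false-positive
    rate stand in for the slides' Bloom filters (assumed: one archive per predecessor)."""
    def __init__(self, name, predecessors=(), fp_rate=0.0):
        self.name, self.predecessors, self.fp_rate = name, list(predecessors), fp_rate
        self.archive = {p.name: set() for p in self.predecessors}
        self.archive["local"] = set()         # packets from hosts attached here
    def record(self, sig, pred=None):
        self.archive[pred.name if pred else "local"].add(sig)
    def matches(self, sig, key):
        """Membership query on one archive, with reproducible false positives."""
        if sig in self.archive[key]:
            return True
        d = hashlib.sha256(f"{self.name}:{key}:{sig}".encode()).digest()
        return d[0] < self.fp_rate * 256

def traceback(router, sig, topology_aware, stats, visited=None):
    """Query `router`, recurse upstream, return the routers attributed as origin."""
    visited = visited if visited is not None else set()
    if router.name in visited:
        return set()
    visited.add(router.name)
    stats["queries"] += 1
    origins = {router.name} if router.matches(sig, "local") else set()
    hit = [p for p in router.predecessors if router.matches(sig, p.name)]
    if topology_aware:                        # "all 1? -> Y -> Query Predecessor i"
        next_hops = hit
    else:                                     # one filter per router: ask everyone
        next_hops = router.predecessors if (hit or origins) else []
    for p in next_hops:
        origins |= traceback(p, sig, topology_aware, stats, visited)
    return origins

def simulate(fp_rate):
    """Attack graph R1-R6 (constructed links); victim behind R1, attacker behind R5.
    Returns {scheme: (attributed origins, number of routers queried)}."""
    r4, r5, r6 = (Router(n, (), fp_rate) for n in ("R4", "R5", "R6"))
    r2, r3 = Router("R2", (r4,), fp_rate), Router("R3", (r5, r6), fp_rate)
    r1 = Router("R1", (r2, r3), fp_rate)
    sig = "attack-packet-signature"           # constructed single-packet digest
    for rtr, pred in ((r5, None), (r3, r5), (r1, r3)):   # path R5 -> R3 -> R1
        rtr.record(sig, pred)
    result = {}
    for scheme, aware in (("TOPO", True), ("no-topology", False)):
        stats = {"queries": 0}
        result[scheme] = (traceback(r1, sig, aware, stats), stats["queries"])
    return result
```

With no false positives TOPO reaches R5 in 3 queries where the single-filter scheme needs 5; with a non-zero rate the routers TOPO queries are always a subset of those the single-filter scheme queries, so it can never attribute more innocent hosts.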
11
Our Traceback Scheme: TOPO
k-adaptive Mechanism for Bloom Filters

[Figure: A packet comes; h1(P) = 2, h2(P) = 7, h3(P) = 4 set bits in the filter; a bijection maps the filters' bit columns to the table; k_optimal = 1, 2 or 3?]
12
Our Traceback Scheme: TOPO
k-adaptive Mechanism for Bloom Filters
  • A Q×m-bit table can record the results of
    (2^Q − 1) m-bit Bloom filters with different k.
  • Example: k1 < k2 < k3 < k4 < k5 < k6 < k7,
    where Hi is the ith Bloom filter's hash
    function set.
  • Bijection between 7 Bloom filters and a 3m-bit
    table.

[Figure: bijection between the 7 filters and the table.]
(The 7 bits with the same index in these Bloom
filters only have 8 possible combinations.)
13
Existing Traceback Schemes
  • Four primary groups
  • Packet Marking: PPM, DPM, APM
  • ICMP Traceback: iTrace (ICMP, Bellovin)
  • Log-based Traceback: log-based or Bloom
    filter-based
  • Active Probing: Change-and-then-observe,
    Centertrack
  • Only log-based schemes can trace back single
    packet attacks.
  • BBN's SPIE (Source Path Isolation Engine)
  • A. C. Snoeren, et al., Single-Packet IP
    Traceback. IEEE/ACM Transactions on Networking,
    Dec. 2002.
  • Hierarchical Bloom Filter
  • K. Shanmugasundaram, et al., Payload Attribution
    via Hierarchical Bloom Filters, in ACM CCS 2004,
    Washington DC, USA, Oct. 2004.

14
Analytical Results
Where extra_queries: Number of extra unnecessary
queries; innocent_hosts: Number of innocent hosts
being falsely attributed.
15
Experimental Results
  • Data Source
  • CAIDA's Skitter Monitor Data
  • A topology map viewed from a single origin to
    317,218 destinations.

[Figure: SPIE vs. TOPO. (a) Expected Number of Unnecessary Queries vs. f; (b) Expected Number of Innocent Hosts vs. f.]
16
Experimental Results (cont.)
  • When the packet count n is unknown a priori and
    varies widely, the k-adaptive scheme generally
    achieves better performance than Bloom
    filter-based schemes using a fixed number of hash
    functions.

[Figure: False Positive Rate vs. Bits per Element (m/n)]
17
Summary and Future Plan
  • Summary
  • Designed TOPO, a topology-aware single packet
    attack traceback scheme
  • Reduces false attributions and unnecessary
    queries.
  • Memory-efficient k-adaptive mechanism to optimize
    the space requirement.
  • Future Work
  • Further improve the scheme's processing overhead
    and space requirement
  • Acknowledgments: This research is supported by
    DTO/ARDA.

18
Thanks
  • Questions and Suggestions

19
Upstream Degrees
  • Data Source
  • CAIDA's Internet Topology Data Kit 0304.
  • Total of 192,244 nodes and 636,643 directed links.
  • Results
  • More than 99% of routers have fewer than 25
    upstream predecessors.
  • Average degree is as low as 3.31.
  • Therefore, it is adequate for a router to build
    and store its predecessor lists.

20
Problem 2: Optimal k
  • Given m and n, when does the false positive rate f
    reach its minimum value?
  • The routers must decide k in advance without
    knowing the upcoming packet count n.
  • A fixed k cannot always achieve the optimal
    false positive rate when the packet count n varies.
  • Naïve Solution: Build a lot of Bloom filters with
    different k, and store the optimal one.
    Memory-Consuming!

[Figure: False Positive Rate vs. Bits per Element (m/n)]
21
Experimental Results of k-Adaptive
  • Suppose a router is designed to store traceback
    information within 1 hour with a granularity of
    1 minute. It divides its memory into 61 equal
    parts, each of 1M bits. 1 part is used to store
    the current minute's packets, and 60 parts are
    for the 60 archived Bloom filters, each with 1M
    bits.
  • The number of hash functions is fixed to k=4.
  • Now we divide its memory into 63 parts, each
    of 0.9683M bits. 3 parts are used as a table
    to store the information for 7 Bloom filters with
    different numbers of hash functions: k1=1, k2=4,
    k3=7, k4=10, k5=13, k6=16, k7=19.
  • The following figure shows that when the packet
    count n varies over a large range, our adaptive
    scheme generally achieves better performance
    than the Bloom filter with a fixed number of hash
    functions. Our performance is close to the
    optimal value.
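The k-adaptive table of slide 12 with the seven k values from this slide, as an added Python example (not from the paper or the slides): it assumes the hash-function sets are nested (H1 within H2 within ... within H7), which is what leaves only 8 bit patterns per index, and uses constructed SHA-256-based hash functions h_r. It also applies the textbook estimate f = (1 - e^(-kn/m))^k to pick the best stored filter once n is known, which is the "Problem 2" of slides 7 and 20 answered after the fact.

```python
import hashlib
from math import exp

K_VALUES = [1, 4, 7, 10, 13, 16, 19]    # k1 < k2 < ... < k7, as on this slide (Q = 3)

def hash_r(r, x, m):
    """r-th hash function h_r(x) in [0, m); constructed from SHA-256 of (r, x)."""
    d = hashlib.sha256(f"{r}:{x}".encode()).digest()
    return int.from_bytes(d[:8], "big") % m

class BloomFilter:
    """Plain m-bit filter over the first k hash functions, kept for comparison."""
    def __init__(self, m, k):
        self.m, self.k, self.bits = m, k, [0] * m
    def insert(self, x):
        for r in range(1, self.k + 1):
            self.bits[hash_r(r, x, self.m)] = 1
    def query(self, x):
        return all(self.bits[hash_r(r, x, self.m)] for r in range(1, self.k + 1))

class KAdaptiveTable:
    """3m-bit table standing in for the 7 filters above. With nested hash sets
    (H1 within H2 within ... within H7) the 7 bits at one index form one of only
    8 patterns (0000000, 0000001, 0000011, ..., 1111111), so 3 bits per index
    suffice. A cell holds v = number of filters (the last v of 7) with that bit = 1."""
    def __init__(self, m):
        self.m, self.cells = m, [0] * m
    def insert(self, x):
        for r in range(1, K_VALUES[-1] + 1):
            level = sum(1 for k in K_VALUES if k >= r)   # filters that use h_r
            i = hash_r(r, x, self.m)
            self.cells[i] = max(self.cells[i], level)
    def query(self, x, j):
        """Answer exactly as filter j (1-based, k = K_VALUES[j-1]) would."""
        need = len(K_VALUES) + 1 - j    # bit is 1 in filter j iff cell >= 8 - j
        return all(self.cells[hash_r(r, x, self.m)] >= need
                   for r in range(1, K_VALUES[j - 1] + 1))

def false_positive_rate(m, n, k):
    """Textbook estimate f = (1 - e^(-kn/m))^k."""
    return (1 - exp(-k * n / m)) ** k

def best_filter_index(m, n):
    """Once n is known, keep the stored filter with the lowest estimated f: the
    presentation's 'Problem 2' answered after the fact instead of fixing k up front."""
    return min(range(1, len(K_VALUES) + 1),
               key=lambda j: false_positive_rate(m, n, K_VALUES[j - 1]))
```

The table answers every query for every j exactly as the seven separately built filters would, while using 3m bits instead of 7m.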