IP Traceback: A New DOS Deterrent - PowerPoint PPT Presentation

About This Presentation

Title: IP Traceback: A New DOS Deterrent
Slides: 17
Provided by: sylvainp

Transcript and Presenter's Notes

1
IP Traceback: A New DOS Deterrent?
  • Hassan Aljifri, "IP Traceback: A New Denial-of-Service
    Deterrent?", IEEE Security & Privacy, Vol. 1, No. 3,
    May/June 2003

2
Outline
  • The role of IP addresses
  • IP traceback classification and requirements
  • Current IP traceback approaches
  • Link testing
  • Input debugging
  • Controlled flooding
  • Logging
  • ICMP-based traceback
  • Packet marking

3
The role of IP addresses
  • Ideally, all network traffic would carry trustworthy source
    information
  • IP does not authenticate the source address, so it can be
    forged (IP spoofing)
  • Technical and political factors have prevented the deployment
    of counter-measures against source address manipulation
  • Tracing a packet back to its true source is the first step in
    identifying who is behind a DDoS attack

4
Requirements for IP traceback methods
  • compatibility with existing network protocols
  • insignificant network traffic overhead
  • support for incremental implementation
  • compatibility with existing hardware
    infrastructure
  • effective against DDOS
  • minimal overhead in terms of time and resources

5
IP traceback classification
  • Reactive: initiated in response to an attack
    • Must be completed while the attack is in progress
    • Requires a large degree of ISP cooperation
    • Not very effective against multi-pronged attacks (DDoS)
    • Most effective for controlled networks
  • Proactive: records information as packets are routed
    • The resulting traceback data can be used for path
      reconstruction, leading to attack identification
    • Shows the most potential for use on uncontrolled networks
      such as the Internet

6
Current IP traceback approaches
  • Link testing
  • Logging
  • ICMP-based traceback
  • Packet marking

7
Link testing (Reactive)
8
Link-testing: Input debugging
A router feature that lets administrators determine the incoming
link on which packets matching a given signature arrive. Given the
attack signature, the ISP follows the attack upstream, router by
router, toward its origin.
  • Advantages
  • Compatible with existing protocols
  • Insignificant network traffic overhead
  • Supports incremental implementation
  • Compatible with existing hardware infrastructure
  • Disadvantages
  • High time and resource overhead
  • Cooperation of all ISPs along the path is necessary
  • Attack must last long enough for a successful trace
  • Less suitable for DDoS
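A simulation of the hop-by-hop procedure the slide describes, added here as an example; it is not code from the slides or from Aljifri's paper. The topology, router and interface names, ISP names and the attack signature are constructed, and each router's input-debugging feature is modelled as a table mapping an attack signature to the interface it is currently arriving on. The three runs show why the trace needs every ISP on the path and an attack that keeps running: it stops as soon as one ISP refuses, or as soon as the traffic is no longer visible at the next router.

```python
"""Hop-by-hop input debugging, simulated.

Added example, not code from the slides or from Aljifri's paper. Routers,
interfaces, ISPs and the signature are constructed; a router's "input
debugging" is modelled as a Signature -> ingress-interface table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """What an operator matches on while the attack is in progress.
    The source address is deliberately absent: it is assumed spoofed."""
    dst: str
    proto: str
    dst_port: int


@dataclass
class Router:
    name: str
    isp: str
    links: dict   # ingress interface -> upstream neighbour on that link
    seen: dict    # Signature -> ingress interface (input debugging result)


def trace_back(start, routers, sig, cooperating_isps):
    """Walk upstream from `start`, asking each router which interface the
    signature enters on. Stops when the upstream neighbour is not a router
    we can query (the origin network), when a router's ISP will not
    cooperate, or when the attack is no longer visible at that router."""
    hops = []
    current = routers[start]
    while True:
        if current.isp not in cooperating_isps:
            return hops, f"stopped: {current.isp} will not cooperate at {current.name}"
        iface = current.seen.get(sig)
        if iface is None:
            return hops, f"stopped: attack not visible at {current.name}"
        upstream = current.links[iface]
        hops.append((current.name, iface, upstream))
        if upstream not in routers:
            return hops, f"origin network: {upstream}"
        current = routers[upstream]


# Constructed topology: victim-side edge router in ISP-A, peering into ISP-B,
# whose access router faces the (spoofing) attacker's customer network.
ATTACK = Signature(dst="198.51.100.10", proto="udp", dst_port=53)
ROUTERS = {
    "edge-a1":   Router("edge-a1", "ISP-A", {"ge-0/0/1": "core-a2"}, {ATTACK: "ge-0/0/1"}),
    "core-a2":   Router("core-a2", "ISP-A", {"xe-1/0/0": "peer-b1"}, {ATTACK: "xe-1/0/0"}),
    "peer-b1":   Router("peer-b1", "ISP-B", {"xe-0/1/0": "access-b7"}, {ATTACK: "xe-0/1/0"}),
    "access-b7": Router("access-b7", "ISP-B", {"ge-2/0/3": "cust-net-42"}, {ATTACK: "ge-2/0/3"}),
}


def full_cooperation():
    return trace_back("edge-a1", ROUTERS, ATTACK, {"ISP-A", "ISP-B"})


def partial_cooperation():
    # ISP-B does not answer: the trace dies at the peering router.
    return trace_back("edge-a1", ROUTERS, ATTACK, {"ISP-A"})


def attack_stopped():
    # The attacker stops before ISP-B's access router is queried: nothing
    # matches there any more, so the trace cannot reach the origin.
    routers = dict(ROUTERS)
    routers["access-b7"] = Router("access-b7", "ISP-B", {"ge-2/0/3": "cust-net-42"}, {})
    return trace_back("edge-a1", routers, ATTACK, {"ISP-A", "ISP-B"})


if __name__ == "__main__":
    for run in (full_cooperation, partial_cooperation, attack_stopped):
        hops, status = run()
        print(run.__name__, "->", status)
        for name, iface, upstream in hops:
            print(f"  {name} sees the attack on {iface} from {upstream}")
```

Each hop costs one operator query on the live attack, which is the "high time and resource overhead" of the slide; the partial-cooperation run is the usual real-world outcome once the path crosses an ISP boundary.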

9
Link-testing: Controlled flooding
The victim generates bursts of traffic onto each upstream link in
turn. The link whose flooding changes the frequency and intensity
of the attack traffic is the one carrying it, which identifies the
upstream router; the process is then repeated from there.
  • Advantages
  • Compatible with existing protocols
  • Supports incremental implementation
  • Compatible with existing hardware infrastructure
  • Disadvantages
  • Is itself a kind of DoS attack on the links it floods
  • Requires an accurate map of the network topology
  • Attack must last long enough
  • Less suitable for DDoS
  • ISP cooperation is necessary along the path

10
Logging (Proactive)
11
Logging
  • Advantages
  • Compatible with existing protocols
  • Supports incremental implementation
  • Compatible with existing hardware infrastructure
  • Can trace a single packet
  • Disadvantages
  • High time and resource overhead
  • Sharing logging information among ISPs raises logistic and
    legal issues
  • Less suitable for DDoS
  • Mitigation of the high resource overhead
  • Log only a probabilistic sample of the traffic
  • Build an overlay network of sensors (able to detect attack
    traffic), tracing agents and managing agents

12
ICMP-based traceback (Proactive)
Results of an IETF working group, established in July 2000, to
develop ICMP traceback based on iTrace
(www.ietf.org/html.charters/itrace-charter.html). Routers send,
with very low probability per forwarded packet, an ICMP traceback
message to the packet's destination that identifies the router and
its adjacent hops; the victim reconstructs the path from these
messages.
13
ICMP-based traceback
  • Advantages
  • Compatible with existing protocols
  • Supports incremental implementation
  • Allows post-attack analysis
  • Promising and expandable technology for dealing
    with DDOS attacks
  • No ISP cooperation required
  • Compatible with existing hardware infrastructure
  • Disadvantages
  • Adds network traffic, even though messages are sent with very
    low frequency
  • Attackers could inject false ICMP traceback messages to mask
    the origin (unless an authentication or encryption scheme is
    used)
  • ICMP traffic is increasingly being filtered
  • In a DDoS attack the victim receives very few ICMP traceback
    messages from distant routers, since each of them forwards only
    a small share of the attack traffic

14
Packet marking (Proactive)
  • To be effective, packet size should not be
    increased
  • Must be secure to prevent false marking
  • Must work with existing IP header settings

15
Packet marking
  • Record Route option (RFC 791)
  • Increases packet length at each router hop
  • The Record Route option field is susceptible to tampering
  • Probabilistic Packet Marking (PPM)
  • Each router marks a packet with probability 1/25, so only a
    small fraction of packets carry marks and the overhead stays
    low
  • A marked packet stores information about only one link (edge)
    of the route
  • Compressed-edge fragment sampling: each mark carries a fragment
    of an edge, and the victim collects enough fragments to
    reconstruct every edge of the attack path
  • Variants use hashes of IP addresses, algebraic techniques
    (coding and learning theory), etc.

16
Packet marking
  • Advantages
  • Can be deployed incrementally and appears to be low cost
  • Works with existing hardware infrastructure
  • Effective against DDoS attacks
  • No ISP cooperation required
  • Allows post-attack analysis
  • Disadvantages
  • Requires modifications to existing protocols
  • Produces false positive paths
  • Victim must receive a minimum number of marked packets before
    the path can be reconstructed
  • Cannot handle fragmentation
  • Does not work with IPv6 and is not compatible with IPsec
    (schemes that overload the IPv4 Identification field have no
    IPv6 equivalent, and rewriting that field breaks the IPsec AH
    integrity check)
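The following simulation, added here and not part of the slides or of Aljifri's paper, works through probabilistic packet marking with edge sampling for the two preceding slides: routers mark packets with p = 1/25, the victim reconstructs the path edge by edge, the number of packets needed is compared with the bound on its expectation, and a forged mark shows where a false-positive path comes from. The router names, the five-hop path and the attacker's forged mark are constructed; the scheme is kept at the level of whole (start, end, distance) marks rather than the fragments of compressed-edge fragment sampling.

```python
"""Probabilistic packet marking with edge sampling, simulated end to end.

Added example, not code from the slides or from Aljifri's paper. Each
router marks a packet with probability p by writing itself as the start
of an edge; the next router completes the edge; every router increments
the distance. Marks are whole (start, end, distance) triples here; the
fragmentation into the IPv4 Identification field is left out. Router
names, the path and the forged mark are constructed.
"""
import math
import random
from collections import defaultdict

MARK_PROBABILITY = 1 / 25     # the p = 1/25 figure from the slides
VICTIM = "V"


def mark_at_router(mark, router, p, rng):
    """One router's marking step. `mark` is None (unmarked) or a
    [start, end, distance] list. A mark the attacker forged is incremented
    by every router too, so it can never claim a distance shorter than the
    real path length."""
    if rng.random() < p:
        return [router, None, 0]          # start a new edge here
    if mark is None:
        return None
    start, end, dist = mark
    if dist == 0:
        end = router                      # complete the edge begun one hop back
    return [start, end, dist + 1]


def send_packet(path, p, rng, forged=None):
    """Forward one packet along `path` (router nearest the attacker first)
    and return the mark the victim sees, or None if no router marked it."""
    mark = list(forged) if forged else None
    for router in path:
        mark = mark_at_router(mark, router, p, rng)
    if mark is not None and mark[1] is None:
        mark[1] = VICTIM                  # last router's edge ends at the victim
    return mark


def collect(path, p, n_packets, seed=1, forged=None):
    """Marks the victim accumulates from n_packets attack packets."""
    rng = random.Random(seed)
    marks = []
    for _ in range(n_packets):
        m = send_packet(path, p, rng, forged)
        if m is not None:
            marks.append(m)
    return marks


def reconstruct(marks):
    """Rebuild the path victim-first: at distance 0 accept the edge ending
    at the victim, at distance d the edge ending at the router placed at
    d-1; stop when no single edge chains on. A forged edge can only chain
    on beyond the first real router, which is the false positive."""
    by_dist = defaultdict(set)
    for start, end, dist in marks:
        by_dist[dist].add((start, end))
    route, prev, d = [], VICTIM, 0
    while d in by_dist:
        candidates = [s for s, e in by_dist[d] if e == prev]
        if len(candidates) != 1:
            break
        prev = candidates[0]
        route.append(prev)
        d += 1
    return route


def expected_packets_bound(d, p):
    """Savage et al.'s bound on the expected number of packets needed to
    see every edge of a d-router path: ln(d) / (p (1-p)^(d-1))."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


def packets_needed(path, p, seed=1, limit=100_000):
    """Count packets until every edge of `path` has been observed."""
    rng = random.Random(seed)
    marks = []
    for n in range(1, limit + 1):
        m = send_packet(path, p, rng)
        if m is not None:
            marks.append(m)
            if len(reconstruct(marks)) == len(path):
                return n
    return None


if __name__ == "__main__":
    path = ["R1", "R2", "R3", "R4", "R5"]      # R1 is the attacker's first hop
    print("honest attacker :", reconstruct(collect(path, MARK_PROBABILITY, 2000)))
    forged = ["R0-fake", "R1", 0]              # attacker pretends to be one hop further out
    print("forging attacker:", reconstruct(collect(path, MARK_PROBABILITY, 2000, forged=forged)))
    print("packets needed  :", packets_needed(path, MARK_PROBABILITY),
          " bound on mean  :", round(expected_packets_bound(len(path), MARK_PROBABILITY), 1))
```

The forged mark reaches the victim whenever no router on the path overwrites it, so it shows up at distance 5 as a plausible extra hop beyond R1: the victim learns the true routers but cannot tell the attacker's real network from the invented one, which is the "false positive paths" item above. The edge at the far end of the path is the rarest mark (probability p(1-p)^(d-1) per packet), which is why the victim must see a minimum number of packets before the whole path is available.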