
Page 1

IP Traceback by Deterministic Packet Marking

Nirwan Ansari
Advanced Networking Laboratory
http://web.njit.edu/~ang
Department of Electrical and Computer Engineering
New Jersey Institute of Technology
Newark, NJ 07102-1982, USA.

2nd Sendai International Workshop on Internet Security and Management
@Hotel Sendai Plaza, Sendai, Japan, January 27-30, 2004

Advanced Networking Laboratory © 2004 Nirwan Ansari

Acknowledgements: Andrey Belenky, Dong Wei, Zhiqiang Gao

Page 2

Outline

Motivation for IP Traceback
Currently available techniques to cope with anonymous attacks
Framework and Evaluation Metrics
Overview of IP Traceback Schemes
Deterministic Packet Marking
IP Traceback implications and challenges
Conclusion/Future Work

What is an anonymous attack?

I would like to inflict some damage on host V.

How about I flood host V with a bunch of packets?

BUT, host V will know who I am by looking at the SA of the packets I send!

I will change the SA field on every packet I send to V to some other value!

I will do it myself or use one of the readily available programs on the Internet for that purpose.

[Figure: two packets carrying the same Data, one with "SA: My SA" and one with "SA: Some Other SA".]

Page 3

Filtering and Access Control

[Figure, Ingress Filtering at A: the router asks "Does the SA of the packet match the list of valid addresses (A.B.C.x, A.B.C.y, A.B.w.z)?"; Yes: route, No: drop.]

[Figure, Access Control at V: the router asks "Does the SA of the packet match the list of blocked addresses (X.Y.Z.a, X.Y.Z.b, X.Y.c.d)?"; No: route, Yes: drop.]

SYN Flood

[Figure, TCP 3-way handshake between endpoints S and C: SYN ("Let's talk"), SYN/ACK ("I'm ready"; the server allocates resources), ACK ("Let's go").]

[Figure, SYN Flood against V: SYNs keep arriving, V answers each with SYN/ACK and allocates resources, and the final ACK never comes.]

TCP three-way handshake does not get completed

Resources remain allocated

When resources are exhausted, the server crashes or goes off-line

Page 4

SYN Flood Protection

[Figure: the SYN flood against V as before (SYN, SYN/ACK, resources allocated), now with a firewall in the path.]

Firewall initiates an ACK timeout for every SYN it receives; if it is exceeded, the firewall resets the connection on behalf of the attacker

Firewall keeps track of the number of half-opened connections and starts dropping old half-opened connections if this number exceeds a certain threshold
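The two firewall-side countermeasures above (an ACK timeout per SYN, and a ceiling on half-open connections with the oldest dropped first), as an added Python example that is not part of the talk. The table structure, the 3 s timeout, the threshold of 4 and the trace it replays are all constructed for the demonstration.

```python
from collections import OrderedDict

# Added example (not from the talk): a firewall's half-open connection table
# implementing the two SYN flood protections on the slide. Timeout and
# threshold values are assumptions chosen for the demonstration.

class HalfOpenTable:
    def __init__(self, ack_timeout=3.0, max_half_open=4):
        self.ack_timeout = ack_timeout
        self.max_half_open = max_half_open
        self.half_open = OrderedDict()   # (src_ip, src_port) -> time the SYN was seen, oldest first
        self.resets = []                 # connections the firewall reset on the client's behalf

    def on_syn(self, conn, now):
        """A SYN starts an ACK timer; above the threshold the oldest half-open entry is dropped."""
        self.expire(now)
        while len(self.half_open) >= self.max_half_open:
            oldest, _ = self.half_open.popitem(last=False)
            self.resets.append(oldest)
        self.half_open[conn] = now

    def on_ack(self, conn, now):
        """The handshake completes: the entry is no longer half-open. Returns True if it was tracked."""
        self.expire(now)
        return self.half_open.pop(conn, None) is not None

    def expire(self, now):
        """Reset every half-open connection whose ACK timeout has elapsed; returns the count left."""
        for conn, t in list(self.half_open.items()):
            if now - t > self.ack_timeout:
                del self.half_open[conn]
                self.resets.append(conn)
        return len(self.half_open)

def demo():
    """Constructed trace: one legitimate client completes its handshake while
    spoofed SYNs arrive faster than they time out.
    Returns (legitimate handshake completed?, connections reset, entries left)."""
    fw = HalfOpenTable(ack_timeout=3.0, max_half_open=4)
    legit = ("192.0.2.10", 40000)
    fw.on_syn(legit, now=0.0)
    legit_ok = False
    for i in range(6):                                   # six SYNs with spoofed sources
        fw.on_syn((f"203.0.113.{i}", 1000 + i), now=0.5 + i * 0.1)
        if i == 1:
            legit_ok = fw.on_ack(legit, now=0.65)        # the real client answers in time
    remaining = fw.expire(now=10.0)                      # every spoofed SYN eventually times out
    return legit_ok, len(fw.resets), remaining

if __name__ == "__main__":
    print(demo())
```

Under this trace the legitimate client completes before the table fills, two of the spoofed entries are evicted by the threshold, and the remaining four are reset by the timeout, so every spoofed SYN ends up in `resets` and nothing stays allocated.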

Backscatter and Black-hole router

[Figure: V notifies its ISP of the attack; the ISP black-holes the traffic at a router, but where it came from remains a question mark.]

Page 5

Motivation for IP Traceback

[Figure: an Intrusion Detection System (IDS) at V raises "Attack!!!"]

Who attacked me? I will look at the Source Address (SA) field of the IP packet and find out!

Source Address is SPOOFED!

Need IP Traceback!!!

What is IP Traceback

A mechanism of identifying the source of any packet on the Internet

Envisioned for identifying the human attacker

Technical Reality…
Can only identify the host which originated the attack packets
Sometimes it would be possible to only identify the organization which owns the host (NAT, Firewalls, etc…)

IP Traceback may be limited to identifying the ingress point of the packets on the Internet

Page 6

IP Traceback is NOT

IP Traceback is not an attack prevention mechanism

Firewalls, filtering

IP Traceback is not an attack detection mechanism

Intrusion Detection Systems (IDS)

IP Traceback cannot stop an attack in progress

Metrics for Evaluation of Schemes

ISP Involvement
Number of Attack Packets Needed for Traceback
Effect of Partial Deployment
Processing Overhead
Bandwidth Overhead
Memory Requirements
Ease of Evasion
Protection
Scalability
Number of functions needed to be implemented
Ability to handle major DDoS attacks
Ability to handle transformed packets

Page 7

Ideal Traceback Scheme

Low number of attack packets required for traceback
Ability to deploy partially
Low processing overhead on the routers
Low bandwidth overhead on the network
Minimal ISP involvement
Does NOT disclose topology of the ISP
Scalable
Able to traceback ALL types of attacks

Proposed IP Traceback Schemes

End-host storage: Original PPM & Numerous Modifications to PPM; iTrace

Specialized Routing: Overlay Network; IP Traceback with IPSec

Packet Logging: Feature Tracing; Hash-based IP Traceback

State of the network inference: Controlled Flooding

Edge Marking: Deterministic Packet Marking

Page 8

Probabilistic Packet Marking (PPM)

[Figure: attacker A reaches victim V through routers R1..R12. Each router marks a packet of the incoming stream with probability p and passes it on in the outgoing stream; the victim keeps a buffer of marked packets, runs reconstruction processing, and obtains the reconstructed route R12 - R9 - R4 - R2 - R1.]

Highlights of Evaluation of PPM

ISP Involvement: Low
Processing Overhead: During Traceback and at the Victim only
Ability to handle major DDoS Attacks: Poor
Number of Attack Packets required for traceback: Thousands

Page 9

ICMP Traceback (iTrace)

[Figure: the same A-V topology with routers R1..R12. For one packet in 20,000 of the incoming stream a router sends the victim an ICMP packet with its address info; the victim sorts the ICMP messages (R12, R2, R9, ...) into the reconstructed route R12 - R9 - R4 - R2 - R1.]

Highlights of Evaluation of iTrace

ISP Involvement: Low
Processing Overhead: During Traceback and at the Victim only
Ease of Evasion: High
Ability to handle major DDoS Attacks: Poor
Number of Attack Packets required for traceback: Thousands

Page 10

Overlay Network (CenterTrack)

[Figure: A and V connected through edge routers, core routers and physical links. Tunnels from the edge routers to a tracking router TR form the overlay; the attack path without the overlay crosses the core, while the attack path with the overlay is pulled through TR.]

Highlights of Evaluation of Overlay

ISP Involvement: High
Processing Overhead: Every packet
Ability to handle major DDoS Attacks: Good
Number of Attack Packets required for traceback: 1
Other: Single ISP only; Single point of failure

Page 11

IP Traceback with IPSec

[Figure: the same A-V topology with routers R1..R12.]

Highlights of Evaluation of IPSec Traceback

ISP Involvement: High
Processing Overhead: High
Ability to handle major DDoS Attacks: Poor
Number of Attack Packets required for traceback: Fair
Other: Single ISP only

Page 12

Source Path Isolation Engine (SPIE)

[Figure: routers R1..R12 between A and V each host a Data Generation Agent that computes Header + Hash( ) of every packet into a Bloom Filter; SPIE Collection and Reduction Agents gather the digests for the SPIE Traceback Manager.]

Highlights of Evaluation of SPIE

ISP Involvement: High
Processing Overhead: Low
Ability to handle major DDoS Attacks: Good
Number of Attack Packets required for traceback: 1
Other: Fair Scalability; Strict timing constraints on the traceback process

Page 13

Controlled Flooding

[Figure: routers R1..R12 between A and V; Controlled Flooding Equipment at the victim's side floods selected links and observes the effect on the attack stream.]

Highlights of Evaluation of Controlled Flooding

ISP Involvement: None
Processing Overhead: None
Ability to handle major DDoS Attacks: Poor
Number of Attack Packets required for traceback: Huge
Other: DoS attacks only; Manual, Unsafe, Inconsistent; Huge bandwidth overhead during the traceback; Traceback is possible only while the attack is in progress

Page 14

Comparison of the schemes

| | PPM | iTrace | Overlay | Hash-based IP Traceback | Controlled Flooding | Traceback with IPSec |
|---|---|---|---|---|---|---|
| ISP Involvement | Low | Low | High | High | None | High |
| Scalability | High | High | Poor | Fair | N/A | Poor |
| Vendor Involvement (# of functions to implement) | 2 | 2 | None | 3 | 1 | None |
| Number of Attack Packets Required for Traceback | Thousands | Thousands | 1 | 1 | Huge | Fair |
| Is Partial Deployment Within a Single ISP Possible? | Yes | Yes | No | Yes | N/A | Yes |
| Is Prior Knowledge of Topology and Routing Required for Traceback? | Yes, only if deployed partially | Yes, only if deployed partially | No | Yes, only if deployed partially | Yes | Yes |
| Is Inter-ISP Deployment Possible? | Yes | Yes | No | Yes | Yes | Yes |
| Network Processing Overhead, Every Packet | Low | Low | Low | Low | None | None |
| Network Processing Overhead, During Traceback | None | None | Low | Low | None | High |
| Victim Processing Overhead, Every Packet | None | None | None | None | None | None |
| Victim Processing Overhead, During Traceback | High | High | None | None | Fair | High |
| Bandwidth Overhead, Every Packet | None | Low | High | None | None | None |
| Bandwidth Overhead, During Traceback | None | None | None | Low | Huge | High |
| Memory Requirements, Network | None | Low | Low | Fair | None | None |
| Memory Requirements, Victim | High | High | None | None | Low | None |
| Ease of Evasion | Low | High | Low | Low | N/A | Low |
| Protection | High | High | Fair | Fair | N/A | High |
| Ability to Handle Packet Transformations | Good | Good | Good | Good | Good | Good |
| Ability to Handle Major DDoS Attacks | Poor | Poor | Good | Good | Unable | Poor |
| Limitations | DoS and DDoS attacks only | DoS and DDoS attacks only | Single ISP. Single point of failure. | Strict timing constraint on traceback process. Single point of failure. | DoS only. Manual. Unsafe. Inconsistent. Traceback is possible only while attack is in progress. | Single ISP. |

IP Traceback with DPM

[Figure: attackers A1 and A2 and victim V are connected through DPM-enabled edge routers (each marked "DPM") that surround the backbone routers.]

Page 15

Basic DPM

[Figure: a packet from attacker A enters the network at a DPM-enabled edge router; the addresses shown are 10.0.15.01 on the attacker side and 128.235.104.1, 128.235.104.19, 128.235.55.6 and 128.235.55.1 on the router interfaces.]

DPM Principles

Interface, not the Router, is the unit of Traceback

[Figure: a router with Edge Interfaces and Backbone Interfaces. DPM: the edge interface (DPM) marks, the backbone interfaces don't mark. PPM-like: marking is done on the backbone interfaces instead of at the edge.]

Page 16

DPM Principles (cont'd)

Only the ingress DPM-enabled edge interface marks packets

DPM Traceback = Ingress Address
For datagram networks (e.g. Internet), Ingress Address is as good as full-path traceback

ALL packets are marked by the DPM-enabled interface only
Prevents mark spoofing
Decreases traceback time

DPM Mark

[Figure: the IPv4 header (Version, H. Length, Type of Service, Total Length, Fragment ID, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source IP Address, Destination IP Address) with the Fragment ID and Flags fields highlighted: the DPM mark is carried in the 16-bit Fragment ID field plus one bit of the Flags field.]

Page 17

Basic DPM Mark Encoding

[Figure: the 32-bit Ingress IP Address is split into two 16-bit halves; a Random Selector (0 or 1, p = 0.5) drives a MUX that picks one half; the 17-bit Mark = the selected 16-bit half + the 1-bit selector.]

DPM Ingress Address Reconstruction

[Figure: a packet (Header + Data) with Source Address SA_3 and mark (A_SA3,1, selector 1) arrives at V and is entered into a table indexed by Source Address with two columns, A_SA,0 and A_SA,1: SA_0 holds A_SA0,0 and A_SA0,1; SA_1 holds A_SA1,1; SA_2 holds A_SA2,0; SA_3 holds A_SA3,0; ...; SA_N-3 holds A_N-3,0 and A_N-3,1; SA_N-2 holds A_N-2,0; SA_N-1 holds A_N-1,0.]

Page 18

Basic DPM – Limitations

Basic DPM assumes that the addresses of the attackers are:
unique
unchanged for the duration of the attack

Not the case for most real Internet attacks

Inability to Handle Identical SA

Reconstruction of Ingress Addresses will produce a lot of false addresses

[Figure: attackers A1..A7 and AN behind different DPM-enabled edge routers all spoof the same source address 128.235.251.25. The victim's table row for that SA accumulates the segments A0,0, A0,1, AN,0, AN,1, AN-1,0, ..., and reconstruction combines them into pairs such as (AN,0, A0,1), (AN-1,0, A0,1), (A0,0, AN,1), (AN,0, AN,1) and (AN-1,0, AN,1).]

Page 19

Inability to Handle Identical SA (cont’d)

Number of attackers with the same SA: N
Permutations of ingress address segments: N^2
Number of false positives: N^2 - N
Number of correctly reconstructed ingress addresses: N

Rate of false positives: (N^2 - N) / N^2

For N = 10, rate of false positives is 90%!

Inability to Handle SA Inconsistency

Ingress Addresses will never be reconstructed, since none of the SA's will have both segments of the address

[Figure: attacker A4, behind a DPM-enabled edge router, changes the SA for every packet. The victim's table indexed by Source Address (columns A_SA,0 and A_SA,1) holds one segment per row: 128.235.251.25 -> A1,0; 200.35.25.4 -> A1,1; 64.11.14.50 -> A1,0; 176.16.10.201 -> A1,0; 56.12.205.239 -> A1,0; 129.53.26.211 -> A1,0; 141.44.69.12 -> A1,0. No row ever holds both A1,0 and A1,1.]
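Basic DPM marking, the victim's SA-indexed reconstruction table, and the two failure modes of the last four slides (N attackers spoofing one SA, and an attacker changing SA on every packet), as an added Python example that is not from the talk or its authors. The ingress and source addresses are constructed, and the attack driver, class and function names are mine; the marking rule itself (one random 16-bit half plus a selector bit, p = 0.5) is the one the slides describe.

```python
import random
from collections import defaultdict

# Added example (not from the talk): basic DPM marking at the ingress edge
# interface and ingress-address reconstruction at the victim, exercised on
# the two cases the slides call out (identical spoofed SA, SA changing per packet).

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def dpm_mark(ingress_ip, rng):
    """Basic DPM mark: a 1-bit selector (p = 0.5) chooses which 16-bit half of the
    32-bit ingress address is sent; 16 + 1 = 17 bits, carried in the IP ID field
    plus one flag bit. Returns (selector, segment)."""
    addr = ip_to_int(ingress_ip)
    selector = rng.randint(0, 1)
    segment = (addr >> 16) & 0xFFFF if selector == 0 else addr & 0xFFFF
    return selector, segment

class BasicDpmVictim:
    """Victim-side table indexed by the packet's source address (SA); slot 0 holds
    high halves, slot 1 low halves (the A_SA,0 / A_SA,1 columns of the slides)."""
    def __init__(self):
        self.table = defaultdict(lambda: (set(), set()))

    def record(self, src_addr, mark):
        selector, segment = mark
        self.table[src_addr][selector].add(segment)

    def reconstruct(self):
        """Every high half combined with every low half seen under the same SA."""
        result = {}
        for sa, (hi, lo) in self.table.items():
            result[sa] = {int_to_ip((h << 16) | l) for h in hi for l in lo}
        return result

def run_attack(ingress_of_attacker, sa_of_packet, packets_per_attacker=40, seed=1):
    """Constructed attack driver: attacker i sits behind ingress_of_attacker[i] and
    writes sa_of_packet(i, j) into the SA field of its j-th packet."""
    rng = random.Random(seed)
    victim = BasicDpmVictim()
    for i, ingress in enumerate(ingress_of_attacker):
        for j in range(packets_per_attacker):
            victim.record(sa_of_packet(i, j), dpm_mark(ingress, rng))
    return victim.reconstruct()

def single_attacker_demo():
    """One attacker behind ingress 10.7.7.1 with a fixed spoofed SA: exact reconstruction."""
    recon = run_attack(["10.7.7.1"], lambda i, j: "192.0.2.9")
    return recon["192.0.2.9"]

def identical_sa_demo(n):
    """n attackers behind distinct ingress interfaces all spoof the same SA.
    Returns (candidates, correct, false positive rate) = (n^2, n, (n^2 - n) / n^2)."""
    ingress = [f"10.{i}.{i}.1" for i in range(1, n + 1)]   # distinct high and low halves
    recon = run_attack(ingress, lambda i, j: "128.235.251.25")
    candidates = recon["128.235.251.25"]
    correct = candidates & set(ingress)
    return len(candidates), len(correct), (len(candidates) - len(correct)) / len(candidates)

def inconsistent_sa_demo():
    """One attacker changes SA on every packet: no SA row ever collects both halves."""
    recon = run_attack(["10.7.7.1"], lambda i, j: f"203.0.113.{j}")
    return sum(len(addrs) for addrs in recon.values())

if __name__ == "__main__":
    print(single_attacker_demo(), identical_sa_demo(10), inconsistent_sa_demo())
```

With the slide's N = 10 the table row for 128.235.251.25 yields 100 candidate ingress addresses of which 10 are real, the 90% false positive rate of the slide; with a per-packet SA nothing is reconstructed at all, which is why the mark alone must carry enough information to pair segments.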

Page 20

General Principle of Handling SA inconsistency

Ingress Addresses must be reconstructed using ONLY the 17-bit DPM mark
DPM Mark cannot be spoofed
Other fields (such as SA) can be spoofed and cannot be relied upon

The 17-bit DPM mark must carry a certain piece of information which
would differentiate between the segments of different ingress addresses
would recognize the segments of the same ingress address

Single Hash Function Modification – Mark Encoding

[Figure: the 32-bit Ingress IP Address is split into k segments of a bits each, numbered 0, 1, ..., k-2, k-1; H(x) maps the 32-bit address to a d-bit Digest; a Random Selector [0..k-1] (p = 1/k) drives a MUX that picks one segment; the 17-bit DPM Mark = a Address Bits + d-bit Digest + s-bit Segment Number.]

Page 21

Single Hash Function Modification – Reconstruction; RecTbl

[Figure: RecTbl has 2^d areas numbered 0 .. 2^d-1; each area has k segments (0..7) and each segment 2^a bits (0..15); area 298 is highlighted.]

2 Processes run at the victim:
Mark Recording
Address Recovery

In this Example: k=8, a=4, d=10, s=3
1024 (2^10) areas of RecTbl
8 segments in each area
16 bits in each segment

Single Hash Function Modification – Reconstruction; Mark Recording

IP Address: 128.235.251.25 = 1000 0000 1110 1011 1111 1011 0001 1001

[Figure: the address is split into eight 4-bit segments (1000, 0000, 1110, 1011, 1111, 1011, 0001, 1001) with segment numbers 000 .. 111; H(x): 2^32 -> 2^d gives the 10-bit digest 0100101010 = 298. The eight possible marks (address bits, digest, segment number) are:]

1000 0100101010 000
0000 0100101010 001
1110 0100101010 010
1011 0100101010 011
1111 0100101010 100
1011 0100101010 101
0001 0100101010 110
1001 0100101010 111

[Each received mark sets, in area 298 (= digest) of RecTbl, the bit numbered by its address bits within the segment numbered by its segment number.]

Page 22

Single Hash Function Modification – Reconstruction; Address Recovery

[Figure: from area 298 of RecTbl, one set bit is taken from each of the 8 segments to form a candidate address, and H(x) of the candidate is compared with the area number 298:]

0011 0000 1101 1011 0100 0111 0001 0001   H(x) ?= 298
0011 0000 1101 1011 0100 0111 0001 1001   H(x) ?= 298
0011 0111 1101 1011 0100 0111 0001 0001   H(x) ?= 298

After more permutations….

Single Hash Function Modification – Reconstruction; False Positives (FP)

[Figure: the candidate 0011 0111 1101 1011 1111 0111 0001 0001 assembled from area 298 of RecTbl passes the H(x) ?= 298 check.]

IP Address: 55.183.239.233 = 00110111 10110111 11101111 11101001

This ingress address was never transmitted in DPM marks

It is a false positive
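The single-hash-function mark, RecTbl, the mark recording process and the address recovery process of the preceding slides, as an added Python example that is not the talk's code, using the slides' parameters k=8, a=4, d=10, s=3. The digest function H(x) is an assumption (the low 10 bits of SHA-256 over the four address bytes; the talk does not specify H), so area numbers will differ from the slide's 298. The ingress addresses are generated, and `demo` reports which recovered addresses are false positives in the slide's sense: candidates that passed the H(x) check although they were never marked.

```python
import hashlib
import itertools
import random

# Added example (not from the talk): DPM single-hash-function modification.
K, A, D, S = 8, 4, 10, 3        # k segments of a bits, d-bit digest, s-bit segment number
assert A * K == 32 and A + D + S == 17

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> sh) & 0xFF) for sh in (24, 16, 8, 0))

def digest(addr):
    """Assumed H(x): low d bits of SHA-256 over the 4 address bytes. Any fixed
    function shared by marker and victim would do; this one is not from the talk."""
    h = hashlib.sha256(addr.to_bytes(4, "big")).digest()
    return int.from_bytes(h[:2], "big") & ((1 << D) - 1)

def segments(addr):
    """The k a-bit segments of the address, segment 0 being the most significant."""
    return [(addr >> (32 - A * (i + 1))) & ((1 << A) - 1) for i in range(K)]

def dpm_mark(ingress_ip, rng):
    """Marker side: pick a segment with p = 1/k and emit the 17-bit mark
    [a address bits | d-bit digest | s-bit segment number]."""
    addr = ip_to_int(ingress_ip)
    i = rng.randrange(K)
    return (segments(addr)[i] << (D + S)) | (digest(addr) << S) | i

def split_mark(mark):
    """Victim side: (address bits, digest, segment number)."""
    return (mark >> (D + S)) & ((1 << A) - 1), (mark >> S) & ((1 << D) - 1), mark & ((1 << S) - 1)

def mark_is_consistent(ingress_ip, seed=0):
    """Check that a mark decodes to the right digest and the right segment value."""
    addr = ip_to_int(ingress_ip)
    bits, dig, seg = split_mark(dpm_mark(ingress_ip, random.Random(seed)))
    return dig == digest(addr) and bits == segments(addr)[seg]

def new_rectbl():
    # 2^d areas, k segments per area, 2^a bits per segment (1024 x 8 x 16 here);
    # each segment is stored as a 16-bit bitmask
    return [[0] * K for _ in range(1 << D)]

def record_mark(rectbl, mark):
    """Mark recording: set bit 'address bits' of segment 'seg' in area 'digest'."""
    bits, area, seg = split_mark(mark)
    rectbl[area][seg] |= 1 << bits

def recover(rectbl):
    """Address recovery: in every area whose k segments all have a bit set, try every
    permutation of set bits and accept an address only if H(x) equals the area number.
    Returns (accepted addresses, number of permutations tried)."""
    accepted, tried = set(), 0
    for area, segs in enumerate(rectbl):
        if any(s == 0 for s in segs):
            continue
        choices = [[v for v in range(1 << A) if (s >> v) & 1] for s in segs]
        for combo in itertools.product(*choices):
            tried += 1
            addr = 0
            for v in combo:
                addr = (addr << A) | v
            if digest(addr) == area:
                accepted.add(int_to_ip(addr))
    return accepted, tried

def demo(n_attackers, packets_per_attacker=120, seed=3):
    """Constructed attack: n generated ingress interfaces each mark packets_per_attacker packets."""
    rng = random.Random(seed)
    true_ingress = {int_to_ip(rng.getrandbits(32)) for _ in range(n_attackers)}
    rectbl = new_rectbl()
    for ip in true_ingress:
        for _ in range(packets_per_attacker):
            record_mark(rectbl, dpm_mark(ip, rng))
    recovered, tried = recover(rectbl)
    return {"true": true_ingress, "recovered": recovered,
            "false_positives": recovered - true_ingress, "permutations_tried": tried}

if __name__ == "__main__":
    r = demo(40)
    print(len(r["true"]), "true,", len(r["recovered"]), "recovered,", len(r["false_positives"]), "false positives")
```

Two addresses whose digests collide land in the same area, and every cross-combination of their segments is then tried; the digest check rejects most of them, and the ones it lets through are exactly the false positives the slide describes. Because a real address always has all its segments set in its own area once enough packets have arrived, `recovered` is a superset of `true`.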

Page 23

Single Hash Function Modification – Performance Metrics

False Positives
cannot be completely avoided
usually expressed as rate or percentage
customary accepted rates are 1% to 5%

Expected Number of datagrams required for reconstruction, E[D]
Since marks are picked at random at the DPM interface, more than k datagrams would be needed

E[D] = k (1/k + 1/(k-1) + ... + 1)

For a given k, there will be NMAX attackers, whose ingress addresses will be possible to reconstruct with FP rate of 1% AND E[D] datagrams will be required for the reconstruction

Single Hash Function Modification – Performance Evaluation

NMAX is the maximum N which results in a false positive rate of no greater than 1%

NMAX = 2048 is a significant improvement from 1 in basic DPM

| a | k | s | d | NMAX | E[D] |
|---|---|---|---|---|---|
| 1 | 32 | 5 | 11 | 2048 | 130 |
| 2 | 16 | 4 | 11 | 2048 | 55 |
| 4 | 8 | 3 | 10 | 1066 | 22 |
| 8 | 4 | 2 | 7 | 139 | 8 |
| 16 | 2 | 1 | 0 | 1 | 2 |
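E[D] as a coupon-collector expectation, as an added Python example that is not from the talk: the closed form k (1/k + 1/(k-1) + ... + 1) of the previous slide is evaluated exactly and checked against a seeded simulation of a selector that picks each of the k segment numbers with probability 1/k, so a reader can recompute the E[D] column for any k.

```python
import random
from fractions import Fraction

# Added example (not from the talk): expected number of datagrams until the victim
# has received every one of the k segments of one ingress address, when the marker
# picks a segment uniformly (p = 1/k) for each packet.

def expected_datagrams(k):
    """E[D] = k (1/k + 1/(k-1) + ... + 1) = k * H_k, computed exactly as a Fraction."""
    return k * sum(Fraction(1, i) for i in range(1, k + 1))

def simulate_datagrams(k, trials=20000, seed=7):
    """Average number of random segment picks until all k segment numbers have arrived."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seen, sent = set(), 0
        while len(seen) < k:          # stop once every segment number has been received
            seen.add(rng.randrange(k))
            sent += 1
        total += sent
    return total / trials

def slide_rows():
    """E[D] for the k values of the slide's table, as floats rounded to two places."""
    return {k: round(float(expected_datagrams(k)), 2) for k in (32, 16, 8, 4, 2)}

if __name__ == "__main__":
    for k, e in slide_rows().items():
        print(f"k={k:2d}  E[D]={e:7.2f}  simulated={simulate_datagrams(k):7.2f}")
```

The sum grows only logarithmically in k, which is why splitting the address into more, smaller segments (larger k, larger NMAX) costs comparatively few extra datagrams.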

Page 24

Contribution to the field

DPM – Novel IP Traceback Mechanism which:
Does not introduce any bandwidth overhead
Introduces little processing overhead on the network
Requires few packets from the attacking hosts for traceback
Does not reveal ISP network topology
Scalable
Suited for various kinds of anonymous attacks
Handles fragmented traffic
Capable of performing traceback post-mortem

Conclusion

IP Traceback is a single problem in Internet Security and Homeland Security
None of the approaches proposed to date satisfy the criteria of the ideal scheme
IP Traceback problem is still open…

Page 25

Further Works

Tracing slaves from reflectors in DDoS Attacks
cooperation among different domains
"trust" relationship
tremendous logs
authentication
...

Wireless networks prone to attacks
roaming
tremendous logs
authentication
...

Stepping stones

References related to IP traceback

A. Belenky and N. Ansari, "Accommodating Fragmentation in Deterministic Packet Marking (DPM)," Proc. IEEE GLOBECOM 2003, Dec. 1-5, 2003, pp. 1374-1378.
A. Belenky and N. Ansari, "On IP Traceback," IEEE Communications Magazine, Vol. 41, No. 7, pp. 142-153, July 2003.
A. Belenky and N. Ansari, "Tracing multiple attackers with deterministic packet marking (DPM)," Proc. IEEE PacRim 2003, Aug. 28-30, 2003, pp. 49-52.
A. Belenky and N. Ansari, "IP Traceback with Deterministic Packet Marking," IEEE Communications Letters, Vol. 7, No. 4, pp. 162-164, April 2003.
D. Wei and N. Ansari, "Implementing IP Traceback in the Internet --- An ISP Perspective," Proc. 3rd Annual IEEE Workshop on Information Assurance, West Point, New York, June 17-19, 2002, pp. 326-332.

Page 26

Other on-going research at ANL

Link state updates
Wireless TCP (TCP-Jersey)
Anomaly detection
Optical networks: OBS, protection and restoration, RPR, metropolitan networks
Intserv/Diffserv Integration
QoS in multimedia communications
QoS support in VPNs
Data hiding

Questions?