Post on 19-Dec-2015
W. J. Cheng Shih Chien University 2006
An Efficient IP Traceback Approach
Wang-Jiunn Cheng
Maria R. Lee
Chung-Han Sheng
Shih Chien University
Taipei, Taiwan
Is IP Traceback a Business Issue?
• February 9, 2000 - Cyberassaults hit Yahoo, Buy.com, eBay, CNN and Amazon. The attacks on them have followed a pattern that is a DOS (denial-of-service) attack…
• Is IP Traceback a New DOS deterrent? Hassan Aljifri, IEEE Security & Privacy, Vol 1, No 3, May/June 2003. The increasing frequency of malicious computer attacks on government agencies and Internet businesses has caused severe economic waste and unique social threats. IP traceback—the ability to trace IP packets to their origins—is a significant step toward identifying, and thus stopping, attackers.
Is IP Traceback a Business Issue? (cont’d)
• Stateless IP routers lack security features, which allows IP spoofing, so malicious packets can freely attack the whole Internet anytime, anywhere.
• Current Status: Internet is still under attack! (Smurf, SYN Flood, Fraggle, Tribal Flood Net, Trinoo, TFN2K, etc.)
What is IP Traceback for?
• Most of the approaches discussed in this subject were inspired by DoS and DDoS attacks.
• In general, IP traceback is not limited only to DoS and DDoS attacks.
• The task of identifying the actual source of the packets is complicated by the fact that the IP address can be forged or spoofed.
• IP traceback techniques neither prevent nor stop the attack; they are used only for identification of the sources of the offending packets during and after the attack.
• IP traceback may be limited to identifying the point where the packets constituting the attack entered the Internet.
Which Approach is the Best One? (Link-testing traceback)
Which Approach is the Best One? (Logging traceback)
Which Approach is the Best One? (ICMP-based traceback)
Which Approach is the Best One? (Packet marking traceback)
How to conceive a traceback?
[Figure: Keeper-based Internet Topology. End-users in Small Area Networks connect to the Internet through Keepers (routers). Labels in the figure: Attacker (HA, behind keeper KA), Victim (HV, behind keeper KV), "Local spoof-free" on the small area networks, and "Label switched virtual tunnel, tracebackable in nature" across the Internet.]
How to conceive a traceback? (cont’d)
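[Figure: Label-switching tunnel. Hosts HA (Attacker) and HV (Victim) sit in SANs behind keepers KA and KV, which are joined across the Internet by a label-switching tunnel. Steps numbered 1 to 12 follow packets labelled A V, LV KV and V A between the two sides.
Label switching Table of KA: LA, A:V, KV:LV
Label switching Table of KV: KA:LA, V:A, LV]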
How to conceive a traceback? (cont’d)
[Figure: The Modified IP Header. Darkened areas represent underutilized bits.
Header fields shown: Version, H. Length, Type of Service, Total Length, Fragment ID, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source IP Address, Destination IP Address.
Annotations: 1 reserved bit as marked bit; Target Keeper’s IP Address; Target Keeper’s Label.]
How to conceive a traceback? (cont’d)
[Flowchart: Local spoofing free. Node labels: router MAC, ARP match, unicast, marked, spoof, spoof mark, bypass. Branches are labelled Yes / No.]