Presentation is loading. Please wait.

Presentation is loading. Please wait.

Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides.

Similar presentations


Presentation on theme: "Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides."— Presentation transcript:

1 Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides courtesy of Teng Fei - Umass April,

2  Denial of Service (DoS) attack  Remotely consume resource of server or network  Increase in number and frequency  Simple to implement  DoS attacks are difficult to trace:  Indirection  Attacking packets sent from slave machines, which under the control of a remote master machine  Spoof of IP source addresses  Disguise their location using incorrect IP addresses, hence the true origin is lost 2

3  Mark packets with router address  deterministically or probabilistically  Trace attack using marked packets  Pros  Require no cooperation with ISPs  Does not cause heavy network overhead  Can trace attack “post mortem” 3

4 A1A1 A2A2 A3A3 R5R5 R3R3 R6R6 R7R7 R4R4 R2R2 R1R1 attack origin 4 victim V

5 A1A1 A2A2 A3A3 R5R5 R3R3 R6R6 R7R7 R4R4 R2R2 R1R1 V attack path exact traceback R 6, R 3, R 2, R 1 5

6 A1A1 A2A2 A3A3 R5R5 R3R3 R6R6 R7R7 R4R4 R2R2 R1R1 V approx. traceback R 5, R 6, R 3, R 2, R 1 6

7  I. Marking procedure  by routers  add information to packets  II. Path reconstruction procedure  by victim  use information in marked packets  convergence time : # of packets to reconstruct the attack path 7

8  I. Node Append  II. Node Sampling  III. Edge Sampling 8

9  Append address of each node to the end of the packet  Complete, ordered list of routers attack path original packet router list 9

10  Pros  complete, ordered attack path  converge quickly (single packet)  Cons  infeasibly high router overhead  attacks can create false path information 10

11  Reserve node file in packet header  Router write address in node field with probability p  Reconstruct path using relative # of node samples  Only require additional write, checksum update 11

12 R1R1 R1R1 R2R2 R3R3 12

13 R1R1 R1R1 R2R2 R3R3 13

14 R1R1 R1R1 R2R2 R3R3 14

15 R1R1 R3R3 R2R2 R3R3 15

16  Cons :  Slow convergence  need many packets  usually order of 10, ,000  Can not trace multiple attackers ▪ 16

17  Edge represent routers at each end of the link  Store edges instead of nodes  start and end addresses of edge routers  distance from edge to victim 17 R1R1 R2R2

18  A router writes its own address in the start field, and 0 into the distance field  Distance field of 0 means the packet is already marked  router writes its own address in the end address field and increase the distance field by 1  Other routers may then reset these fields. Otherwise, the distance field is incremented 18

19 R1R1 R2R2 R3R3 R1R1 #1 19

20 R1R1 R2R2 R3R3 R1R1 #10 20

21 R1R1 R2R2 R3R3 R1R1 R2R2 1 21

22 R1R1 R2R2 R3R3 R1R1 R2R2 2 22

23  Consider G is a graph with root v  Insert tuples (start, end, distance) into G  Remove any edge ( x, y, d ) with d != distance from x to v in G  Extract path from G 23

24  Pros  Converge much faster than node sampling  Efficiently discern multiple attacks  Cons  Space: requires additional space in the IP header- 72 bits of space in every IP packet (2 x 32 bit IP address and 8 bit for distance)  Compatibility ▪ 24

25  Overload the IP identification field  used for fragmentation  Decreases the space requirement  store the XOR of the edge addresses (edge-id)- B XOR A XOR B = A  Pros:  Reduced space  Cons:  Increases reconstruction time 25

26 a b cdv attack path resulting XOR edges a XOR b b XOR cc XOR dd 26

27 a XOR b b XOR c c XOR dd c reconstructed path b a 27

28  Reduce per packet space more by dividing the edge-id (XORed address) into k non- overlapping packets, and store only 1 of them  Need offset of fragment 28

29  Problem: Edge-id fragments are not unique  with multiple attackers, multiple edge fragments with the same offset and distance  Solutoin: Bit-interleave hash code with IP address 29

30 Address Hash(Address) 0011… Bit-interleave send k fragments into network 0k-1 30

31  Combine all permutations of fragments at each distance with disjoint offset values  Check that the hash matches hash of the address 31

32 Address? Hash(Address)? 0011… k-1 Hash(Address?) 0011…1100 =? No, reject Yes, correct address 32

33  Overload the 16-bit identification field  used to differentiate IP fragments 33

34  Simulator  Create random paths  Originate attacks  Marking probability is 1/25  1,000 random test runs  vary path lengths 34

35 number of packets to reconstruct paths 35

36  Thanks for listening  Questions? 36

37  Suffix validation  spoof end edges  include a router “secret”  Attack origin (host)  Find attacker (person) 37

38  Steven M. Bellovin ICMP Traceback Message AT&T 00.txt 00.txt  Alex Snoeren Hash-Based IP Traceback BBN SigCOMM 38

39  Stefan Savage Practical Network Support For IP Traceback pdf pdf  Sara Sprenkle Practical Network Support Duke University  Hal Burch IP Traceback Carnegie Mellon University 39

40  Ingress filtering  Link testing  input debugging  controlled flooding  Logging 40

41  Block packets with invalid source addresses  Pros  Moderate management/network overhead  Cons  require widespread deployment  hard to do in backbone/transit network 41

42  Start from victim and test upstream links  Recursively repeat until source is located  Assume attack remains active until trace complete 42

43  Victim recognize attack signature  Install filter on upstream router  Pros  May use software to help coordinate  Cons  Require cooperation between ISPs  Considerable management overhead 43

44  Flooding link with large bursts of traffic during attack  Observe attacking packet rate change to determine the source  Pros  Ingenious  Cons  Itself a denial of service - possible worse 44

45  Key routers logging packets  Data mining to analysis  Pros  Post mortem  Cons  High resource demand 45

46  Sample packets with low probability  Copy data and path information in a new ICMP packet  Pros  reconstruct path information with large amount of packet  Cons  ICMP may be filtered 46

47  Attacker may generate any packet  Multiple attackers may conspire  Attackers may be aware they are being traced  packets may be lost or reordered 47

48  Attackers send numerous packets  Route between attacker and victim is fairly stable  Routers have limited CPU and memory  Routers are not widely compromised 48

49  Backwards compatibility  Two problems  Writing same values into id fields of frags from different datagrams  Writing different values into id fields of frags of same datagrams 49

50  Copy data into ICMP packet  Check the checksum at higher level  etc 50

51  Longer convergence time  divide edge-id into 8 fragments  attacker’s distance is 10 hops  2150 packets to converge with 95% certanty  few seconds  Robust with multiple attackers 51


Download ppt "Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides."

Similar presentations


Ads by Google