Presentation is loading. Please wait.

Presentation is loading. Please wait.

Path identification by hagay avraham the third Composers : Abraham Yaar,Adrian Perrig and Dawn Song.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Path identification by hagay avraham the third Composers : Abraham Yaar,Adrian Perrig and Dawn Song."— Presentation transcript:

1

2 Path identification by hagay avraham the third Composers : Abraham Yaar,Adrian Perrig and Dawn Song

3 problem : Distributed Denial of Service (DDoS) attacks continue to plague the Internet. Defense against these attacks is complicated by spoofed source IP addresses, which make it difficult to determine a packet’s true origin.

4 soloution We propose Pi : (short for Path Identifier), a new packet marking approach in which a path fingerprint is embedded in each packet, enabling a victim to identify packets traversing the same paths through the Internet on a per packet basis, regardless of source IP address spoofing.

5 Example on October 21, 2002, an attacker flooded the root DNS servers with traffic in an effort to deprive the Internet of the DNS name lookup service (which would have paralyzed the majority of Internet applications). Only five out of thirteen root servers were able to withstand the attack.

6 The traceback mechanism The routers mark information on packets. The path information is used to install filters. The assumption here is that we need to reconstract the exact path to the attacker.

7 Hence the shortcomings are : The victim must receive large numbers of packets before it is able to reconstract the path that they are taking Routers and/or victims need to perform non trivial operations in marking packets or in reconstructing paths.

8 Network filtering is done on a per- flow or per network basis using coarse identification criteria rather on a per- packet basis. The victim has to rely on upstream routers to perform packet filtering,even once the attack paths have been identified

9 A new approach for defending against Ddos attacks Reconstructing the exact path is not necessary – a particular path is enough. The victim classify a single packet as malicious in order to filter out all subsequent packets with the same marking.

10 The main difference between the methods : Our packet marking is deterministic. all the other marking methods are probabilistic in nature – the victim needs to collect a large number of packets to reconstruct the path.

11 The advantages are : The scheme is light-weight,for the routers for marking. for the victims for decoding and filtering.

12 Differend Ddos attacks : Network resourse attack. Server resourse attack. Server memory attack.

13

14 The new approach is based on the idea that the packets arriving at the victim have some distinctive marking. The victim can overcome the attack easily.

15 Distinctive marking We take the Internet as a complete binary tree. The root is the server,the nodes are the leaves. Therefore we have a lot of paths between the victim and the attacker.

16 We propose the path identifier to be embedded by routers in the IP identification field of every packet they forward. The path identifier will act as the distinctive marking which the victim can use to filter incoming packets.

17 Because every router has only local knowledge (last and next hop) of a particular path,the marking for an entire path in the PI is not guaranteed to be globally uniqe.

18 However the benefits of the single packet deterministic marking allows the victim to develop a packet filter to protect itself during such attack.

19 The basic PI marking scheme In its simplest form,we propose an n-bit scheme where a router marks the last n bits of its IP address in the IP identification field of the packets it forwards.

20 To determine the location within the field to mark the bits,we break the field into [16/n] different marking sections,and use the value of the packet ’ s TTL,modulo [16/n] as an index into the section of the field mark.

21

22 Ip address hashing We find that the distribution of the last bits of the IP addresses of the routers from our sample internet data is highly skewed. This is problematic because if,for example,ISPs tended to designate router IP addresses with the last byte as 0.

23 Then many of our packet markings would be zero,which would make the PI markings for different paths less likely to be distinguishable from each other.

24 Idealy,we would like to maximize the entropy of the bits that we mark with,to reduce the likelihood of marking,collisions (where two different paths have the same PI marking).

25 To solve this problem,we have routers mark packets using the last n bits from the hash of their ip addresses, Rather than from their ip addresses alone.

26 Edge marking in PI We now describe a mechanism to increase the entropy in an individual router ’ s marking.Consider the fan-in topology shown in figure 4 :

27

28 We compute the probability that the victim cannot distinguish the markings of a packet that traverses routers R1 and R3 from the markings of a packet that traverses rrouters R2 and R3. P[M(R1) = M(R2)] = 1/2^n

29 The probability that the two paths have the same marking now becomes : P[(M(Ri -> R1) = M(Rj ->R2))&& (M(R1-> R3)= M(R2->R3))] = 1/2^n*1/2^n = 1/2^2n

30 Edge marking decreases the probability that the two paths have the same marking by a factor of 2^n.

31 Suppressing nearby router markings The limited space in the ip identification field causes routers close to the victim to overwrite the markings of routers farther away. A simple mechanism to achieve this would be to have a router not mark a packet if the destination ip addresses of that packet matches a route obtained through an interior Gateway protocol(IGP).

32 The use of BGP has the effect of keeping routing tables small at lower tier ISP networks,which only need to know internal routes and a single route to all external addresses.

33 The basic filter scheme The victim can record the marking of identified attack packets and drop subsequent incoming packets matching any of those markings.

34 Advantages The reaction time is fast A little memory resourses But it limits the victims flexibility.

35 TTL unwrapping In order to make the attack more effective the attacker can modify its TTL of its packets in order to have the first hop router start marking in anyone of the sections of the ip identification field.

36 Threshold filtering There is another attack on our filtering strategy,which we call a marking saturation attack. In this attack,a large number of attackers spread throughout the internet all send packets to a single victim in the hope of having the victim classify every marking as an attacker marking,and thus drop all incoming packets.

37 This attack requires an attacker of immense means,since it requires at least 2^16 zombie nodes,distributed in such a way that each attacker has a differing PI marking.

38 Advanced filters The PI mechanism can also be used to detect spoofed ip addresses,with an appropriate filter. The victim need only build a table correlating the PI mark of a packet to its source ip addresses,during non-attack time.

39 When under attack,the victim can check to see if the source ip addresses of incoming packets match against the ip addresses of their PI marks from the table.

40 Reflector attack There are many potential uses for a PI filter that detects spoofed ip addresses. In a particular type of DDOS attack,known as a reflector attack,attackers send request packets to various services whose responses are of far larger size than the requests themselves. (e.g DNS).

41 Reflector A PI filter capable of detecting spoofed ip addresses running on on the reflectr ’ s server would immediately detect the spoofed source ip addresses of the requests and refrain from sending a response,thus halting the attack.

42 Traceroutes The ip spoofed detection filter can also be used for a limited form of traditional ip traceback – given a PI mark,the victim can check the list of ip addresses from the table that match the mark and simply perform traceroutes to those ip addresses.

43 Filtering in the network The PI marking scheme can also support other antiDDOS systems. For example,the Pushback system uses downstream routers that identify aggregates(packets from one or more flows hat have certain characteristic,such source or destination addresses) And send rate-limit requests to upstream routers,along with an aggregate identifier.

44 Pushback The PI marking can also be used to move Pushback filters closer to the attacker,as the marking is an identifier of the path towards the attacker. However,the pushback router needs to consider that the PI markings are not unique,as multiple paths may exhibit the same marking.

45 Thank you very much Do not forget to tip Hagay avraham the 3rd.

Download ppt "Path identification by hagay avraham the third Composers : Abraham Yaar,Adrian Perrig and Dawn Song."

Similar presentations

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.
Loose Source Routing as a Mechanism for Traffic Policies Katerina Argyraki and David R. Cheriton Presented by Thuan Huynh, Robert Patro, and Shomir Wilson.

Loose Source Routing as a Mechanism for Traffic Policies Katerina Argyraki and David R. Cheriton Presented by Thuan Huynh, Robert Patro, and Shomir Wilson.
IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented.

IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.

Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
Defending against Large-Scale Distributed Denial-of-Service Attacks Department of Electrical and Computer Engineering Advanced Research in Information.

Defending against Large-Scale Distributed Denial-of-Service Attacks Department of Electrical and Computer Engineering Advanced Research in Information.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Edith C. H. Ngai1, Jiangchuan Liu2, and Michael R. Lyu1

Edith C. H. Ngai1, Jiangchuan Liu2, and Michael R. Lyu1
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.

IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.
Slide Set 15: IP Multicast. In this set What is multicasting ? Issues related to IP Multicast Section 4.4.

Slide Set 15: IP Multicast. In this set What is multicasting ? Issues related to IP Multicast Section 4.4.
Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack.

Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
John Kristoff DePaul Security Forum 2003 1 Network Defenses to Denial of Service Attacks John Kristoff +01 312 362-5878.

John Kristoff DePaul Security Forum Network Defenses to Denial of Service Attacks John Kristoff
SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 1 Agenda Last time: finished brief overview.

SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 1 Agenda Last time: finished brief overview.
Practical Network Support for IP Traceback Internet Systems and Technologies - Monitoring.

Practical Network Support for IP Traceback Internet Systems and Technologies - Monitoring.
Defending Against Flooding Based DoS Attacks : A tutorial - Rocky K.C. Chang, The Hong Kong Polytechnic University Presented by – Ashish Samant.

Defending Against Flooding Based DoS Attacks : A tutorial - Rocky K.C. Chang, The Hong Kong Polytechnic University Presented by – Ashish Samant.
Defense Against DDoS Presented by Zhanxiang for [Crab] Apr. 15, 2004.

Defense Against DDoS Presented by Zhanxiang for [Crab] Apr. 15, 2004.
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks
Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.

Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.
------ An Overview Zhang Fu Outline What is DDoS ? How it can be done? Different types of DDoS attacks. Reactive VS Proactive Defence.

An Overview Zhang Fu Outline What is DDoS ? How it can be done? Different types of DDoS attacks. Reactive VS Proactive Defence.

Similar presentations

Ads by Google