Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hash-Based IP Traceback Alex C. Snoeren †, Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, W. Timothy Strayer.

Published byJerome Rich Modified over 8 years ago

Similar presentations

Presentation on theme: "Hash-Based IP Traceback Alex C. Snoeren †, Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, W. Timothy Strayer."— Presentation transcript:

1 Hash-Based IP Traceback Alex C. Snoeren †, Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, W. Timothy Strayer BBN Technologies † MIT Laboratory for Computer Science

2 Network Security Risks Tools readily available to attackers  network server attacks  performance degradation attacks DOS DDOS  Single packet attacks (Stop 0A in TCPIP.sys, Teardrop, Ping-of-death) Accidental (unintentional) attacks

3 Approaches Firewalls - prevent attack packets from reaching the victim  some attack packets look quite innocent  hard to predict all possible attacks  does not get at the source of the problem  continue to consume network resources Traceback - identify the source of attack packets  For a given packet, find the path to source

4 Why Traceback is hard Internet Protocol permits anonymity  Attackers can “spoof” source address Fraggle/Smurf, etc  IP forwarding maintains no audit trails Some spoofing is legitimate (NATs, mobile IP, etc) Attacks may be short-lived Packets change hop by hop Routing instability

5 Why Traceback is hard ( continued ) Network may carry multiple identical packets (attacks, multicast, broadcast) Routers may be compromised Attackers may be aware they are being traced Increasing packet size is frowned on Will consume network resources Ingress filtering of limited value

6 Traceback Goal Reconstruct the attack path of a packet where the path consists of every router on the path from the source to the victim Reconstruct the attack graph which may result from multiple copies of an attack packet injected by different sources Need to be able to detect false positives with a high degree of accuracy

7 Approaches to Traceback Path data can be noted in several places  In the packet itself [Savage et al.],  At the destination [I-Trace], or  In the network infrastructure Logging: a naïve in-network approach  Record each packet forwarding event  Can trace a single packet to a source router, ingress point, or subverted router(s)

8 Log-Based Traceback V R R1R1 R2R2 R3R3 RR RR R4R4 AR RR7R7 R6R6 R5R5

9 Challenges to Logging Attack path reconstruction is difficult  Packet may be transformed as it moves through the network Full packet storage is problematic  Memory requirements are prohibitive at high line speeds (OC-192 is ~10Mpkt/sec) Extensive packet logs are a privacy risk  Traffic repositories may aid eavesdroppers

10 Solution: Packet Digesting Record only invariant packet content  Mask dynamic fields (TTL, checksum, etc.)  Store information required to invert packet transformations at performing router Compute packet digests instead  Use hash function to compute small digest  Store probabilistically in Bloom filters Impossible to retrieve stored packets

11 Invariant Content Total Length Identification Checksum VerTOSHLen TTLProtocol Source Address Destination Address Fragment Offset MFMF DFDF Options Remainder of Payload First 8 bytes of Payload 28 bytes

12 Impact of Traffic Diversity 1e-06 1e-05 0.0001 0.001 0.01 0.1 1 2022242628303234363840 Fraction of Collided Packets Prefix Length (in bytes) WAN (6031 hp) LAN (2879 hp)

13 Variable capacity  Easy to adjust  Page when full Bloom Filters Fixed structure size  Uses 2 n bit array  Initialized to zeros Insertion is easy  Use n-bit digest as indices into bit array 1 n bits 2 n bits H(P) H 2 (P) H k (P) H 3 (P) H 1 (P) 1 1 1...  Mitigate collisions by using multiple digests

14 Mistake Propagation is Limited Bloom filters may be mistaken  Mistake frequency can be controlled  Depends on capacity of full filters Neighboring routers won’t be fooled  Vary hash functions used in Bloom filters  Each router select hashes independently Long chains of mistakes highly unlikely  Probability drops exponentially with length

15 Adjusting Graph Accuracy False positives rate depends on:  Length of the attack path  Complexity of network topology  Capacity of Bloom filters Bloom filter capacity is easy to adjust  Required filter capacity varies with router speed and number of neighbors  Appropriate capacity settings achieve linear error growth with path length

16 Simulation Results 0 0.2 0.4 0.6 0.8 1 051015202530 Length of Attack Path (in hops) Random Graph 0 0.2 0.4 0.6 0.8 1 051015202530 Length of Attack Path (in hops) 0 0.2 0.4 0.6 0.8 1 051015202530 Length of Attack Path (in hops) Real ISP, 100% Utilization 0 0.2 0.4 0.6 0.8 1 051015202530 Length of Attack Path (in hops) Degree-Independent Expected Number of False Positives Real ISP, Actual Utilization

17 How long can digests last? Filters require 0.5% of link capacity  Four OC-3s require 47MB per minute  A single drive can store a whole day Access times are equally important  Current drives can write >3GB per minute  OC-192 needs SRAM access times Still viable tomorrow  128 OC-192 links need <100GB per minute

18 Prototype Implementation Implemented on a FreeBSD PC router  Packet digesting on kernel forwarding path  Bloom filters stored in kernel space  Zero-copy kernel/user table move User-level query-support daemons  Supports topology discovery through gated  Queries automatically triggered by IDS

19 Summary Hash-based traceback is viable  With reasonable memory constraints  Supports common packet transforms  Timely tracing of individual packets Publicly Available Implementation  FreeBSD version will be available soon  Linux port coming shortly thereafter…. http://www.ir.bbn.com/projects/SPIE

20 SPIE Architecture Data Generation Agents (DGAs)  Compute packet digests & maintain tables  Reside in, at, or near each router Collection & reduction agents (SCARs)  Maintain local topology information  Generate attack sub-graphs Traceback manager (STM)  Authenticates and manages query process

21 Transformations Occasionally invariant content changes  Network Address Translation (NAT)  IP/IPsec Encapsulation, etc. Packets sometimes give rise to others  IP Fragmentation  ICMP errors (smurf attacks) Routers need to invert these transforms  Often requires additional information

22 Transform Lookup Table Only need to restore invariant content  Often available from the transform (e.g., ICMP) Otherwise, save data at transforming router  Index required data by transformed packet digest  Record transform type and sufficient data to invert  Use indirect storage for complicated transforms DigestPacket DataIType 29 bits3 bits32 bits

23 Hardware Implementation

Download ppt "Hash-Based IP Traceback Alex C. Snoeren †, Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, W. Timothy Strayer."

Similar presentations

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.
Attacks and Defenses Nick Feamster CS 4251 Spring 2008.

Attacks and Defenses Nick Feamster CS 4251 Spring 2008.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv4 20.3 IPv6.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
IPv6. Major goals 1.support billions of hosts, even with inefficient address space allocation. 2.reduce the size of the routing tables. 3.simplify the.

IPv6. Major goals 1.support billions of hosts, even with inefficient address space allocation. 2.reduce the size of the routing tables. 3.simplify the.
IPv6 Victor T. Norman.

IPv6 Victor T. Norman.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
4 IP Address (IPv4)  A unique 32-bit number  Identifies an interface (on a host, on a router, …)  Represented in dotted-quad notation 0000110000100010.

4 IP Address (IPv4)  A unique 32-bit number  Identifies an interface (on a host, on a router, …)  Represented in dotted-quad notation
Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.

Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.
Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides.

Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
IP Spoofing CIS 610 Week 2: 13-JAN-2004. Definition and Background n Def’n: The forging of the IP Source Address field in an IP packet n First mentioned.

IP Spoofing CIS 610 Week 2: 13-JAN Definition and Background n Def’n: The forging of the IP Source Address field in an IP packet n First mentioned.
Chapter 5 The Network Layer.

Chapter 5 The Network Layer.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.

IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.
Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn 2004-2005.

Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn
Payload Attribution via Hierarchical Bloom Filters

Payload Attribution via Hierarchical Bloom Filters
CSCI 4550/8556 Computer Networks Comer, Chapter 20: IP Datagrams and Datagram Forwarding.

CSCI 4550/8556 Computer Networks Comer, Chapter 20: IP Datagrams and Datagram Forwarding.

Similar presentations

Ads by Google