Secure Single Packet IP Traceback Mechanism to Identify the Source Zeeshan Shafi Khan, Nabila Akram, Khaled Alghathbar, Muhammad She, Rashid Mehmood Center.


Secure Single Packet IP Traceback Mechanism to Identify the Source
Zeeshan Shafi Khan, Nabila Akram, Khaled Alghathbar, Muhammad She, Rashid Mehmood
Center of Excellence in Information Assurance, King Saud University, KSA
Department of Computer Science, International Islamic University, Islamabad, PAKISTAN
Information Systems Department, College of Computer and Information Sciences, King Saud University, KSA
Internet Technology and Secured Transactions (ICITST), 2010 International Conference
Advisor: I-Long Lin, Han-Chieh Chao
Student: Shih-Hao Peng
Date: 2011/05/24

Outline
Abstract
Introduction
Related Work
Problem Definition
Proposed Solution
Validation and Comparison
Conclusion

Abstract
Most attacks on networks are launched through spoofed IP addresses
The researchers introduce a technique to identify the origin of the spoofed user
Many traceback techniques have been introduced, but all have a few drawbacks
– Load
– Delay
– Implementation on all the routers of the world

Abstract (Cont.)
All the existing IP traceback techniques require an efficient marking technique
A new single packet IP traceback technique to identify the source of the packet is introduced in this paper
This technique reduces the network delay and does not require any marking technique

Introduction
Spoofing can be blind or non-blind
Blind: the attacker sends several packets to the targeted user with sample sequence numbers
Non-blind: during transmission of data between host and server, attackers corrupt the data stream and re-establish the new connection themselves
Spoofing attacks can be mitigated by implementing ingress and egress filtering on border routers

Introduction (Cont.)
To block private IP addresses on upstream routers, implement an ACL (Access Control List)
This will prevent someone from sending spoofed traffic to the internet
Spoofing threats can also be removed by implementing encryption and authentication

Related Work
Abraham Yaar et al. proposed a Path Identification (PI) mechanism that helps to identify the source of attack packets
When a packet reaches a router, every router marks its information in the identification field of the IP header
All the routers try to identify the mark in the identification field
To increase the performance of PI, several methods are used: IP address hashing, node omission and edge marking

Related Work (Cont.)
Amit et al. presented the Speedy IP Traceback (SIPT) approach, in which the MAC address of the attacker and the IP address of the boundary router are used to identify and trace back the attacker
When a packet reaches the gateway, the gateway router converts the 48-bit MAC address of the user and the 32 bits of its own IP address into a total of 16 bits
It adds these 16 bits into the identification field of the IP header

Problem Definition
A few techniques require implementation on all the routers of the world
– It is not practical to implement the solution on all the routers of the world
– If it is implemented, the involvement of every intermediate router will result in higher network delay
The authors use the SIPT technique as the base to formulate the problem, because it is the latest available IP traceback technique

Problem Definition (Cont.)
SIPT has a lot of limitations
– It requires a marking technique that on one side marks the 80 bits into 16 bits and on the other side regenerates the 80 bits from these 16 bits
– It communicates the MAC address of the user, which is the private property of the user, so it compromises the user's privacy
– It encourages reflected attacks
A receiver may put forward a false claim that a user with a particular MAC address tries to launch an attack on it

Problem Definition (Cont.)
[Figure: SIPT approach]

Proposed Solution
The authors propose a new IP traceback technique that works on a single packet
– It requires only one packet to start the traceback procedure
– It eliminates the need for any marking technique
The authors' proposed solution will not share the MAC address of a user with others
The proposed solution will be implemented on the ISP routers
The authors will allocate a 16-bit identity to all the ISPs of the world

Proposed Solution (Cont.)
According to the authors' survey, there are currently 13,000 ISPs in the world
Whenever a packet reaches the ISP gateway, the gateway adds its 16-bit identity in the field and keeps a log on the basis of the MAC address of the users
When this message arrives at the ISP gateway of the receiver, the receiver's ISP removes the 16-bit identity of the sender's ISP and makes its own log file
The information about the ISP's identity remains only between the ISPs

Proposed Solution (Cont.)
If a receiver detects an attack, it sends a complaint to its ISP
The receiver's ISP checks its log and finds out the ISP of that particular IP address
After finding out the ISP identity, the victim's ISP consults the identity list to find the IP address of that ISP, and it forwards the complaint to the attacker's ISP
Upon receiving the complaint, the attacker's ISP finds out the MAC address of the attacker from its log file and penalizes the attacker

Proposed Solution (Cont.)
Since the victim submits an attack complaint to its ISP, the ISP gateway inspects the complaint before forwarding it to the attacker's gateway
The victim's gateway consults its log file to verify whether an attack was really launched from this IP address at the specified time or the victim is lodging a false complaint

Proposed Solution (Cont.)
[Figure: ISP Identity Based Traceback]
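
The tagging, logging and complaint-verification steps described on the Proposed Solution slides, as an added Python example (not code from the paper or the presentation). The log keys, exact-timestamp matching, the `isp_id` packet key, the `IDENTITY_LIST` contents and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed identity list: 16-bit ISP identity -> address of that ISP (RFC 5737 ranges).
IDENTITY_LIST = {0x0001: "192.0.2.1", 0x0002: "198.51.100.1"}

@dataclass
class IspGateway:
    isp_id: int                                      # 16-bit identity of this ISP
    egress_log: dict = field(default_factory=dict)   # (src_ip, ts) -> customer MAC
    ingress_log: dict = field(default_factory=dict)  # (src_ip, dst_ip, ts) -> sender ISP id

    def send(self, pkt, customer_mac):
        """Sender's ISP: log the MAC locally and tag the packet with the ISP identity."""
        if not 0 <= self.isp_id <= 0xFFFF:
            raise ValueError("ISP identity must fit in 16 bits")
        self.egress_log[(pkt["src"], pkt["ts"])] = customer_mac
        return {**pkt, "isp_id": self.isp_id}        # the MAC never leaves this ISP

    def receive(self, pkt):
        """Receiver's ISP: log the sender's identity, then strip it before delivery."""
        pkt = dict(pkt)
        self.ingress_log[(pkt["src"], pkt["dst"], pkt["ts"])] = pkt.pop("isp_id")
        return pkt

    def check_complaint(self, src, dst, ts):
        """Return the sender ISP id if the log confirms the packet, else None (false claim)."""
        return self.ingress_log.get((src, dst, ts))

    def resolve(self, src, ts):
        """Attacker's ISP: map the reported packet to the customer MAC in its own log."""
        return self.egress_log.get((src, ts))

def traceback(victim_isp, isps, src, dst, ts):
    """Run the complaint path; isps maps ISP identity -> IspGateway (hypothetical registry)."""
    isp_id = victim_isp.check_complaint(src, dst, ts)
    if isp_id is None:
        return None                                  # complaint rejected at the victim's ISP
    return isp_id, IDENTITY_LIST[isp_id], isps[isp_id].resolve(src, ts)

def demo():
    a, b = IspGateway(0x0001), IspGateway(0x0002)
    # Constructed packet: the source address is spoofed; the MAC is a made-up local one.
    pkt = {"src": "203.0.113.7", "dst": "198.51.100.50", "ts": 1000}
    delivered = b.receive(a.send(pkt, "02:00:00:00:00:aa"))
    isps = {a.isp_id: a, b.isp_id: b}
    genuine = traceback(b, isps, "203.0.113.7", "198.51.100.50", 1000)
    false_claim = traceback(b, isps, "203.0.113.7", "198.51.100.50", 2000)
    return delivered, genuine, false_claim

if __name__ == "__main__":
    print(demo())
```

The spoofed source address still resolves to the sending customer because the sender's ISP keys its log on what it actually forwarded, and the complaint with a timestamp that matches no logged packet is rejected before it leaves the victim's ISP.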

Validation and Comparison
The authors compare it with the two most important and efficient traceback techniques
– Path Identification (PI)
– Speedy IP Traceback (SIPT)
The authors divide their validation phase into two different mechanisms, named Fixed and Intelligent
Fixed Mechanism: the user is in a learning phase, and it is fixed which packet is an attack packet and which one is legitimate

Validation and Comparison (Cont.)
Intelligent Mechanism: as soon as the ISP receives an attack complaint from any of its users, it first checks its log to decide whether the complaint is genuine or false
For the authors' proposed solution, it does not matter what type of topology the network has
The authors' solution is independent of network topology because intermediate routers are not involved in it

Validation and Comparison (Cont.)
[Figure: False Claims]

Validation and Comparison (Cont.)
The authors measure the packet delay of the proposed solution and compare it with the existing solutions
[Figure: Average Delay]

Conclusion
The proposed IP traceback technique will require implementation on only the ISPs
A single packet will ensure accurate traceback
A marking technique is no longer required
This paper focuses purely on IPv4; how to implement this solution in IPv6 is still an open question
The authors can use an extension header for it, but it will cost more