Tracing Cyber Attacks Areej Al-Bataineh

Presentation transcript:

Tracing Cyber Attacks
Areej Al-Bataineh
11/19/2018

Paper reviewed: Tracing cyber attacks from the practical perspective, Zhiqiang Gao and Nirwan Ansari, IEEE Communications Magazine, May 2005, http://www.comsoc.org/tutorials/Ansari

Outline
- Introduction
- IP Traceback Objective
- Classification of IP Traceback Schemes
- Evaluation of Representative Schemes
- Conclusion
- Future Work

Introduction
- Denial of service (DoS/DDoS) attacks
  - Disrupt legitimate access
  - Cost victims financial and productivity loss
- Why are they easy to conduct?
  - Prevalence of attack tools
  - Stateless nature of the Internet
- Address spoofing (anonymous attacks)
  - Gain illegitimate access
  - Hide the attack source

Intrusion Countermeasures
- Prevention: source-, network- or victim-based
- Detection
- Mitigation: rate limiting, statistical, path-based
- Response: IP traceback

IP Traceback Objective
- Locate the actual source of attack packets
- Difficult because of:
  - Source address spoofing
  - Many attack sources (DDoS)
  - Hosts in a stepping-stone chain
  - Reflectors
  - Zombies

Objectives
- Grasp a global view: the foundation for classifying traceback schemes
- Select typical schemes and focus on practicality: the foundation for developing efficient and effective schemes

Classification (figure slide: classification of IP traceback schemes)

Evaluation Metrics Based on Practicality
- Minimum number of packets required for path reconstruction: the fewer the better
- Computational overhead: a good design minimizes it
- Effectiveness under partial deployment: wider deployment implies more cost
- Robustness: the ability to perform tracing reliably under adverse conditions

Representative Schemes
- Probabilistic Packet Marking (PPM), Savage et al. (2001)
- ICMP Traceback (iTrace), Bellovin (2000)
- Source Path Isolation Engine (SPIE), Snoeren et al. (2002)
- Algebraic-based Traceback Approach (ATA), Dean et al. (2002)
- Deterministic Packet Marking (DPM), Belenky and Ansari (2003)
- Overlay-based solution (Center-Track), Stone (2000)

Basic PPM (figure slide)

PPM Variants: edge sampling, where a router's mark reaches the victim with probability p(1-p)^(d-i) (figure slide)

PPM Variants (figure slide: net result in (c), final result in (d))

Analysis of PPM
Pros:
- Low router overhead
- Support for incremental deployment
- "Post-mortem" tracing
Cons (numbered, since later slides refer to them as problems 1 to 5):
1. Heavy computational load for path reconstruction
2. High false positives
3. Spoofed marking
4. Path length (d) is not known in advance
5. Subverted routers
Good for DoS, not for large-scale DDoS.
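The edge-sampling variant of PPM described on the previous slides, as an added simulation that is not part of the presentation or the paper it reviews: routers mark packets with probability p, the victim chains the (start, end, distance) edges back toward the attacker, and the mark-survival probability p(1-p)^(d-i) and Savage et al.'s packet bound ln(d)/(p(1-p)^(d-1)) are computed alongside. The path, router names and parameters are constructed for the example.

```python
import math
import random

PATH = ["R1", "R2", "R3", "R4", "R5"]   # constructed path, attacker side first; names stand in for router IPs

def mark_packet(path, p, rng):
    """Edge sampling run by each router on one packet. Returns the (start,
    end, distance) fields the victim sees, or None if nobody marked it."""
    start, end, distance = None, None, 0
    for router in path:
        if rng.random() < p:        # start a new edge, overwriting any older mark
            start, end, distance = router, None, 0
        elif start is not None:
            if distance == 0:       # next hop completes the edge ...
                end = router
            distance += 1           # ... and every later hop counts the distance
    return (start, end, distance) if start is not None else None

def mark_survival(p, d, i):
    """Probability that router i's mark on a path of length d reaches the
    victim: p(1-p)^(d-i), the expression on the PPM Variants slide."""
    return p * (1 - p) ** (d - i)

def expected_packets(p, d):
    """Savage et al.'s bound on marked packets needed to see every edge,
    ln(d) / (p(1-p)^(d-1)); it needs d, which the victim lacks (problem 4)."""
    return math.log(d) / (p * (1 - p) ** (d - 1))

def reconstruct(marks):
    """Victim side: chain edges outward from the distance-0 edge."""
    by_distance = {}
    for m in marks:
        if m is not None:
            by_distance.setdefault(m[2], set()).add((m[0], m[1]))
    path, downstream, d = [], None, 0
    while d in by_distance:
        starts = [s for s, e in by_distance[d] if e == downstream]
        if len(starts) != 1:        # ambiguous (e.g. several attack paths): stop
            break
        path.append(starts[0])
        downstream, d = starts[0], d + 1
    return list(reversed(path))

def simulate(path=PATH, p=0.1, n_packets=4000, seed=1):
    """Send n_packets along the path, rebuild it at the victim, and report the fraction of packets carrying each router's mark."""
    rng = random.Random(seed)
    marks = [mark_packet(path, p, rng) for _ in range(n_packets)]
    seen = {r: sum(1 for m in marks if m and m[0] == r) / n_packets for r in path}
    return reconstruct(marks), seen
```

The per-router fractions returned by simulate() approach mark_survival(p, 5, i), which is why the farthest router needs the most packets and why the victim cannot tell in advance how many it will need.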

Development and Solutions (PPM)
- Advanced and Authenticated PPM, proposed by Song et al. (2001): the victim knows the map of upstream routers; solves problems 1, 2 and 3
- PPM with Non-Preemptive Compensation, proposed by Tseng et al. (2004): uses counters to compensate for marking information lost from upstream routers; may address 1 and 3 and decrease false positives (2)

Development and Solutions (PPM, continued)
- Problem 4: not easy to resolve in the IP layer; d is known at the AS level
- Problem 5: more difficult to resolve; solving it requires verifying the marking information embedded by upstream routers, and no scheme has this feature yet

Basic DPM (figure slide)

Analysis of DPM
Pros:
- Effectively handles DoS attacks
- Path construction is simpler
Cons:
- High false positives for DDoS attacks
- Cannot identify the ingress router if the attacker uses a different source IP address for each packet
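Basic DPM marking and reconstruction, as an added example that is not code from the presentation or the paper: the ingress edge router writes one half of its 32-bit address into the 16-bit Identification field and flags which half in the Reserved bit, and the victim joins the halves per claimed source address. The addresses and the two traffic patterns are constructed; the second pattern reproduces the con above, where per-packet source spoofing leaves every source with only one half.

```python
import ipaddress
import random

def dpm_mark(ingress_ip, half):
    """Ingress edge router: write one 16-bit half of its own address into the
    IP Identification field and flag which half in the 1-bit Reserved bit.
    A real DPM router picks `half` at random for every packet."""
    addr = int(ipaddress.IPv4Address(ingress_ip))
    chunk = (addr >> 16) & 0xFFFF if half == 0 else addr & 0xFFFF
    return {"id": chunk, "flag": half}

def dpm_reconstruct(packets):
    """Victim: group packets by the source address they claim and join the two
    halves. Gives the ingress router per claimed source, or None while a half
    is still missing."""
    halves = {}
    for pkt in packets:
        halves.setdefault(pkt["src"], {})[pkt["flag"]] = pkt["id"]
    ingress = {}
    for src, h in halves.items():
        if 0 in h and 1 in h:
            ingress[src] = str(ipaddress.IPv4Address((h[0] << 16) | h[1]))
        else:
            ingress[src] = None
    return ingress

def attack_flow(ingress_ip, sources, n_packets, seed=7):
    """Constructed attack traffic entering the network at `ingress_ip`.
    `sources` is the pool of spoofed source addresses cycled through: a
    single entry models a fixed spoof, a fresh address per packet models
    the per-packet spoofing that the DPM analysis slide lists as a con."""
    rng = random.Random(seed)
    packets = []
    for i in range(n_packets):
        pkt = dpm_mark(ingress_ip, rng.randint(0, 1))   # router chooses the half
        pkt["src"] = sources[i % len(sources)]         # attacker chooses the spoof
        packets.append(pkt)
    return packets

INGRESS = "203.0.113.9"                                # constructed edge router address
FIXED_SPOOF = attack_flow(INGRESS, ["198.51.100.1"], 20)
PER_PACKET_SPOOF = attack_flow(INGRESS, ["198.51.100.%d" % i for i in range(20)], 20)
```

dpm_reconstruct(FIXED_SPOOF) recovers the ingress router after a handful of packets, while dpm_reconstruct(PER_PACKET_SPOOF) yields None for every one of the 20 claimed sources.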

Development and Solutions (DPM)
- Tracing Multiple Attackers with DPM, proposed by Belenky and Ansari (2003): uses a hash function to carry the identity of the ingress edge router, which the victim uses to combine packets from the same source
- Better than PPM: far fewer false positives; handles reflector-based DDoS
- The subverted routers problem (5) remains open

iTrace (figure slide)

Analysis of iTrace
- Marking procedure similar to PPM, so it shares PPM's pros and cons
- Differences:
  - Requires additional bandwidth
  - More marking bits can be used (problems 1 and 2 solved)
  - Requires far fewer ICMP messages than PPM needs marked packets for path reconstruction

Comparison of ICMP Traceback and PPM (table slide)

Development and Solutions (iTrace)
- Intention-Driven ICMP Traceback, proposed by Mankin et al. (2001): adds some intelligence to the marking procedure, so the path is reconstructed quickly
- Solves problems 1 and 2
- Problem 3 may be addressed using PKI, but that increases overhead at the routers
- Further work on problems 4 and 5 is needed

Basic SPIE (figure slide)

Analysis of SPIE
- Deterministic logging scheme
Pros:
- Supports advanced functions such as single-packet tracing and transformed-packet tracing (wireless)
Cons:
- Requires additional infrastructure
- Incurs very heavy computational, management and storage overhead
- Not scalable
- Limited applicability
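The deterministic logging behind SPIE's single-packet tracing, as an added example written for this transcript rather than taken from the presentation or the SPIE paper: each router stores a digest of every packet in a Bloom filter, and the victim walks upstream asking neighbours whether they hold the digest. The topology, the packet and the SHA-256-based bit positions are constructed simplifications (SPIE uses its own hash family and masks more header fields).

```python
import hashlib
import struct

class DigestTable:
    """One router's SPIE digest table as a Bloom filter. Assumption of this
    example: the k bit positions come from SHA-256 of the digest plus a salt;
    real SPIE uses a family of independent hash functions."""
    def __init__(self, m=8192, k=3):
        self.m, self.k, self.bits = m, k, bytearray(m // 8)
    def _positions(self, digest):
        for salt in range(self.k):
            h = hashlib.sha256(digest + bytes([salt])).digest()
            yield int.from_bytes(h[:4], "big") % self.m
    def record(self, digest):
        for pos in self._positions(digest):
            self.bits[pos // 8] |= 1 << (pos % 8)
    def may_have_seen(self, digest):      # never a false negative, rarely a false positive
        return all(self.bits[pos // 8] >> (pos % 8) & 1 for pos in self._positions(digest))

def packet_digest(pkt):
    """Hash only fields that stay the same hop to hop: TTL and checksum change at
    every router, so they are excluded, and only the first 8 payload bytes count."""
    hdr = struct.pack("!4s4sBH", bytes(map(int, pkt["src"].split("."))),
                      bytes(map(int, pkt["dst"].split("."))), pkt["proto"], pkt["id"])
    return hashlib.sha256(hdr + pkt["payload"][:8]).digest()

def trace(digest, tables, links, victim_router):
    """Victim side: from its own router walk upstream to every neighbour whose
    table holds the digest, building the attack graph of a single packet."""
    graph, frontier, seen = {}, [victim_router], {victim_router}
    while frontier:
        r = frontier.pop()
        hits = [n for n in links.get(r, []) if tables[n].may_have_seen(digest)]
        graph[r] = hits
        frontier += [n for n in hits if n not in seen]
        seen.update(hits)
    return graph

def demo():
    # Constructed topology: attacker -> R1 -> R2 -> R4 -> victim; R3 is an
    # uninvolved neighbour of R4. `links` maps a router to its upstream neighbours.
    links = {"R4": ["R2", "R3"], "R2": ["R1"], "R3": [], "R1": []}
    tables = {r: DigestTable() for r in links}
    pkt = {"src": "198.51.100.7", "dst": "203.0.113.5", "proto": 6, "id": 4242,
           "ttl": 61, "payload": b"constructed attack payload"}
    for r in ["R1", "R2", "R4"]:          # only routers on the real path log it
        tables[r].record(packet_digest(pkt))
    return trace(packet_digest(pkt), tables, links, "R4")
```

The storage cost the slide lists as a con is visible here: every router keeps k bits per forwarded packet, for every packet, whether or not an attack is ever traced.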

Development and Solutions (SPIE)
- Large-scale IP Traceback, proposed by Li et al. (2004): a logging scheme based on sampling; constructs the attack tree by correlating samples; scales well to 5000 attack sources

Basic Center-Track (figure slide)

Analysis of Center-Track
Pros:
- Handles DDoS
Cons:
- Enforces a heavy management burden on the network
- Wears out network resources (bandwidth, processing capability) due to tunnel maintenance
- Not scalable
- Limited applicability

Development and Solutions (overlay-based)
- Secure Overlay Services (SOS): a related defensive method
- Proactive approach: employs intensive filtering and anonymity
- Effectively mitigates DDoS attacks
- No false positives
- Low chance of compromised routers

Conclusion
- IP traceback technology is only the first step toward tackling DoS/DDoS attacks
- An ideal tracing scheme involves trade-offs

Future Work
- Identify indirect sources of DDoS
- Identify attackers who use stepping stones
- Integrate IDS with traceback
- Automatic traceback
- Scalability

Questions?