IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣

Introduction IP traceback problem –The problem of identifying the source of the offending packets –Source ： zombie ； reflector ； spoofed address … Solution –Rely on the routers (PPM ； ICMP) Only for DOS –Centralized management (log of packet infor.) Large overhead, complex, not scalable

Deterministic Packet Marking Each packet is marked when it enters the network Only mark Incoming packets Mark ： address information of this interface 16 bit ID + 1 bit Flag

PPM

PPM VS DPM Router are treated as atomic units –IP address of a router  IP address of one of its interfaces –Packet traveling in different direction considered different Mark spoofing –Use coding technique (but not 100%)  Spoofed mark will be overwritten

PPM VS DPM (2) PPM (full path) ； DPM (address of the ingress router) –In datagram packet network Every packet is individually routed Full path traceback is as good as address of an ingress point –ISP use different IP address public addresses for interfaces to customers and other networks private addressing plans within their own networks

Coding of a mark Flag =0  address bits 0~15 Flag =1  address bits 16~31 Randomly setting flag value How many packet are enough ？ –n ： the number of received packets –The probability of successfully generate the ingress IP address is greater than –2 packets  75% ； 4 packets  93.75% 6 packets  98.43% ； 10 packets  99.9% 6 packets  98.43% ； 10 packets  99.9%

Pseudo code

Pros Simple to implement Introduces no bandwidth Practically no processing overhead suitable for a variety of attacks [not just (D)DoS] Backward compatible with equipment which does not implement it does not have inherent security flaws Do not reveal internet topology No mark spoofing Scalable

Future work The fragmentation/reassembly problem –Only less than 0.5% packet –Solve ： –Solve ： The ID field for all fragments has to be assigned the same address bits Attacker change IP frequently during attack – –Solve ： making the destination rely only on the marks & the hash value of the ingress router Analyze the coding technique IPv6 implementation

Tracing Multiple Attackers with Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE PACRIM’03, August 2003

The problem with the basic DPM(1) two hosts with the same Source Address at tack the victim ex ： The ingress addresses corresponding to these two attackers are A0 and A1 The victim will receive A0[0], A0[1], A1[0], A1[1] A0[0].A0[1], A0[0].A1[1], A1[0].A0[1], A1[0].A1[1] Rate of false positive=50%

The problem with the basic DPM (2) Change source address

Schematics Pad Ideal hash

Reconstruction 個 area 個 area each area has k segments Each segment has bits area

Analysis N ： the number of ingress router When false positive rate = 0 When – –The expected number of different values the segment will take is

Analysis (2) – –The expected number of permutations that result in a given digest for a given area – –The number of false positives for a given area

Analysis (3) –The total number of total false positive –The max number of N

Analysis (4) –The expected number of datagram

Analysis (5)

Conclusion capable of tracing thousands of simultaneous attackers during DDoS attack (just DDoS) The traceback process can be performed post-mortem, which allows for tracing the attacks that may not have been noticed initially Solve the two problem Need more marked packets