IP Traceback With Deterministic Packet Marking
Andrey Belenky and Nirwan Ansari
IEEE Communications Letters, Vol. 7, No. 4, April 2003
林怡彣
Introduction
IP traceback problem
–The problem of identifying the source of the offending packets
–Source: zombie; reflector; spoofed address ...
Existing solutions
–Rely on the routers (PPM; ICMP): only for DoS
–Centralized management (logging packet information): large overhead, complex, not scalable
Deterministic Packet Marking
Each packet is marked when it enters the network
Only incoming packets are marked
Mark: address information of the ingress interface
–16-bit ID + 1-bit flag
PPM
PPM vs DPM
Routers are treated as atomic units
–IP address of a router = IP address of one of its interfaces
–Packets traveling in different directions are considered different
Mark spoofing
–PPM: use a coding technique (but not 100%)
–DPM: a spoofed mark is overwritten at the ingress
PPM vs DPM (2)
PPM marks the full path; DPM marks the address of the ingress router
–In a datagram packet network every packet is individually routed
–Full-path traceback is therefore only as good as the address of an ingress point
ISPs use different IP addresses
–Public addresses for interfaces to customers and other networks
–Private addressing plans within their own networks
Coding of a mark
Flag = 0: address bits 0~15
Flag = 1: address bits 16~31
The flag value is set randomly for each packet
How many packets are enough?
–n: the number of received packets
–The probability of successfully generating the ingress IP address is greater than
–2 packets 75%; 4 packets 93.75%; 6 packets 98.43%; 10 packets 99.9%
Pseudo code
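The marking and reconstruction steps of basic DPM as the preceding slides describe them, written out as an added Python example (this is not the paper's pseudo code, and the ingress address 203.0.113.7 is a constructed TEST-NET value): the ingress interface writes one half of its 32-bit address into the 16-bit ID field with a 1-bit flag saying which half, and the destination rebuilds the address once it has seen both halves.

```python
"""Basic Deterministic Packet Marking (DPM): ingress writes one half of its
32-bit address into the 16-bit IP ID field plus a 1-bit flag; the victim
rebuilds the address from any two packets carrying different flags.
Added example, not the paper's pseudo code; the ingress address is constructed."""
from __future__ import annotations

import ipaddress
import random


def mark_packet(ingress_addr: str, flag: int) -> tuple[int, int]:
    """Ingress router: flag 0 -> address bits 0..15 (the first two octets),
    flag 1 -> bits 16..31.  Returns the (ID field, flag) pair written into
    the header; any mark already present is overwritten, so a spoofed mark
    never survives the ingress."""
    addr = int(ipaddress.IPv4Address(ingress_addr))
    half = (addr >> 16) if flag == 0 else addr
    return half & 0xFFFF, flag


def mark_stream(ingress_addr: str, n: int, rng: random.Random) -> list[tuple[int, int]]:
    """n packets entering through the same interface, flag chosen at random
    per packet as the slides specify."""
    return [mark_packet(ingress_addr, rng.randint(0, 1)) for _ in range(n)]


class DpmVictim:
    """Destination: keeps the last value seen for each flag and rebuilds the
    ingress address once both halves have arrived."""

    def __init__(self) -> None:
        self.halves: dict[int, int | None] = {0: None, 1: None}

    def receive(self, id_field: int, flag: int) -> None:
        self.halves[flag] = id_field

    def reconstruct(self) -> str | None:
        if self.halves[0] is None or self.halves[1] is None:
            return None
        addr = (self.halves[0] << 16) | self.halves[1]
        return str(ipaddress.IPv4Address(addr))


def trace(marks: list[tuple[int, int]]) -> tuple[str | None, int]:
    """Feed marks in arrival order; return (ingress address or None, number
    of packets consumed before both halves were present)."""
    victim = DpmVictim()
    for count, (id_field, flag) in enumerate(marks, start=1):
        victim.receive(id_field, flag)
        addr = victim.reconstruct()
        if addr is not None:
            return addr, count
    return None, len(marks)


INGRESS = "203.0.113.7"  # constructed ingress interface address (TEST-NET-3)

if __name__ == "__main__":
    rng = random.Random(7)
    addr, used = trace(mark_stream(INGRESS, 10, rng))
    print(f"recovered {addr} after {used} marked packets")
```

Because the flag is random, the number of packets the victim needs varies from run to run; `trace` reports how many it consumed, which is the quantity the "how many packets are enough?" slide is estimating.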
Pros
Simple to implement
Introduces no bandwidth overhead
Practically no processing overhead
Suitable for a variety of attacks, not just (D)DoS
Backward compatible with equipment that does not implement it
Does not have inherent security flaws
Does not reveal Internet topology
No mark spoofing
Scalable
Future work
The fragmentation/reassembly problem
–Affects less than 0.5% of packets
–Solution: the ID field of all fragments has to be assigned the same address bits
Attacker changes IP frequently during the attack
–Solution: make the destination rely only on the marks and the hash value of the ingress router
Analyze the coding technique
IPv6 implementation
Tracing Multiple Attackers with Deterministic Packet Marking
Andrey Belenky and Nirwan Ansari
IEEE PACRIM'03, August 2003
The problem with the basic DPM (1)
Two hosts with the same source address attack the victim
Example: the ingress addresses corresponding to these two attackers are A0 and A1
–The victim will receive A0[0], A0[1], A1[0], A1[1]
–Candidate reconstructions: A0[0].A0[1], A0[0].A1[1], A1[0].A0[1], A1[0].A1[1]
–Rate of false positives = 50%
The problem with the basic DPM (2)
The attacker changes the source address
Schematics
Pad
Ideal hash
Reconstruction 個 area 個 area each area has k segments Each segment has bits area
Analysis
N: the number of ingress routers
When the false positive rate = 0
When
–The expected number of different values a segment will take is
Analysis (2)
–The expected number of permutations that result in a given digest for a given area
–The number of false positives for a given area
Analysis (3)
–The total number of false positives
–The maximum number N
Analysis (4)
–The expected number of datagrams
Analysis (5)
Conclusion
Capable of tracing thousands of simultaneous attackers during a DDoS attack (DDoS only)
The traceback process can be performed post-mortem, which allows tracing attacks that may not have been noticed initially
Solves the two problems of the basic DPM (same source address; changing source address)
Needs more marked packets