1. IP Spoofing CIS 610 Week 2: 13-JAN-2004

2. Definition and Background n Def’n: The forging of the IP Source Address field in an IP packet n First mentioned by Morris in 1985 in his paper A Weakness in the 4.2BSD Unix TCP/IP Software n First CERT advisory on an attack using IP Spoofing in 1995

3. Attacks: DoS n TCP SYN flooding: attacker spoofs the IP address of unavailable host(s) to initiate multiple connections to the victim n smurfing/fraggling: attacker spoofs IP address of victim in a ICMP (smurf) or UDP (fraggle) echo request to a broadcast address n more...

4. Attacks: Usurpation n Session hijacking: attacker determines TCP seq number, attacker takes over send part of one end of TCP session. n Man-in-the-middle: as above but attacker sniffs traffic & can usurp one end (send and receive) of session n Routing redirect: redirects victim from original host to attacker’s machine

5. Valid uses of IP Spoofing n Mobile IP n NAT n Encapsulation (tunneling) n Unidirectional link technologies (e.g., satellite link)

6. Solutions n Two basic approaches: preventive and reactive n Reactive includes traceback (discussed later) n Preventive includes source address filtering and ingress filtering/firewalling n Discussion: which is better?

7. Reactive Solutions n “Practical Network Support for IP Traceback,” S. Savage et al., SIGCOMM ‘00 n “Hash-Based IP Traceback,” A. Snoeren et al., SIGCOMM ‘01

8. Practical Network Support for IP Traceback n Problem: how to determine the real source of an IP packet n Solution: allow for routers along a path to probabilistically mark packets along the way

9. Practical Network Support for IP Traceback (cont) n Current work on the subject includes ingress filtering, link testing (input debugging and controlled flooding), logging and ICMP traceback n Each of these has its own benefits as well as drawbacks ex: logging is accurate, but takes LOTS of storage

10. Practical Network Support for IP Traceback (cont) n Solution is packet marking-embedding routing information in an unused field in the IP header with some probability n When victim receives enough packets, the probability that it can recreate the attack path is very high

11. Practical Network Support for IP Traceback (cont) n Assumptions: - an attacker may generate any packet - multiple attackers may conspire - attackers may be aware they are being traced - packets may be lost or reordered - the route between attacker and victim is fairly stable - routers are both CPU and memory limited - routers are not widely compromised

12. Practical Network Support for IP Traceback (cont) n Marking algorithm used is edge sampling; edge’s start,end addresses and distance from victim are conveyed n Without encoding, size of mark is 72 bits; where to put it?

13. Practical Network Support for IP Traceback (cont) n Mark is compressed using 3 techniques: –XOR IP addresses that comprise the edge –Sub-divide the above into k non- overlapping fragments, and send randomly-selected fragment and offset –Bit-interleave IP addresses (used above) with random hashes of themselves to enforce uniqueness of fragments

14. Practical Network Support for IP Traceback (cont) n Encoded mark, 16 bits, put into the IP Identification field n Problems when packet is fragmented (ID field identifies fragments); studies show <.25% of packets are fragmented n Set don’t fragment flag on marked packets, and prepend ICMP “echo reply” header to mark already-fragmented packets

15. Practical Network Support for IP Traceback (cont) n Authors simulated marking; graph mean, median and 95 th percentile for number of packets required to reconstruct paths of varying lengths over 1000 runs n Most paths can be resolved with between 1K and 2K packets, max ~4K. By comparison, DoS attacks frequently send hundreds or thousands of packets per second

16. Practical Network Support for IP Traceback (cont) n Limitations/Future work: –Backwards compatibility: incompatible with IPSec, negatively impacts users who require IP fragmentation, and IPv6 does not have an ID field –Distributed attacks: the greater the number of attack paths, the greater the probability of misattributing an edge –Path validation: Attacker can insert false edges into previously unmarked packet –Attack origin detection: Traceback IDs the most immediate router, not host, from which attack was launched

17. Practical Network Support for IP Traceback (cont) n Conclusions/contributions: –Explore traceback algorithms based on packet marking –Edge sampling enables traceback and can be incrementally deployed, efficiently implemented –Encoding edges and overloading packet’s ID field provides tracing information while not forcing modifications to existing infrastructure

18. Hash-based IP Traceback n Problem: current IP traceback methods rely on large streams of packets, cannot track individual packets n Solution: hash-based technique for IP traceback that can track even a single IP packet

19. Hash-based IP Traceback (cont) n Challenges: which packets to trace, privacy, minimizing cost (storage space as well as CPU cycles) n Paper presents SPIE (Source Path Isolation Engine), enables IP traceback n Bloom filters (discussed later) reduce memory requirements associated with packet storage; packet digests, not packets, stored

20. Hash-based IP Traceback (cont) n Assumptions: –Packets may be addressed to more than one physical host –Duplicate packets may exist in the network –Routers may be subverted, but not often –Attackers are aware that they are being traced –The routing behavior of the network may be unstable –The packet size should not grow as a result of tracing –End Hosts may be resource constrained –Traceback is an infrequent operation

21. Hash-based IP Traceback (cont) n Goal: should be able to identify source of any piece of data n Source defined as one of: ingress point to traceback-enabled network; actual host or network of origin; or one or more compromised routers within the enabled network n Want to build an attack graph built of >= 1 attack paths along which attack packets are sent

22. Hash-based IP Traceback (cont) n Hashes must be resilient to normal network transformations (i.e., decrement of TTL) as well as packet modification n >3% (not including NAT) of IP traffic undergoes common transformation

23. Hash-based IP Traceback (cont) n Packet Digesting: –32-bit packet digests stored, not packets; protects confidentiality –Hash input includes (relatively) nonvolatile fields of IP Header (20 bytes) and first 8 bytes of payload –Results in a very low collision domain, that gets worse as traffic tends towards homogeneity, as on LANs.

24. Hash-based IP Traceback (cont) n Bloom filters –Compute k distinct packet digests for each packet, use n-bit results to index into a 2 n –sized bit array –Bit array initialized to all zeros, bits set to 1 when packet digest indexing them received –To check if packet has traversed the router, look at Bloom filter and elements at each of the k indexes for that packet. If any of them are 0, then packet has not traversed the router

25. Hash-based IP Traceback (cont) n Hash Functions –3 restrictions: Each function must distribute highly correlated set of input values uniformly Hash function collisions independent of one another Functions must be straightforward to compute

26. Hash-based IP Traceback (cont) n Architecture: –Data Generation Agent (DGA) produces digests and digest tables, page them out –SPIE Collection and Reduction (SCAR) agent, upon receiving traceback request, pulls digest tables from DGA and builds attack graphs –SPIE Traceback Manager (STM) interfaces with IDS, sends requests to SCARs and aggregate SCARs’ attack graphs for reporting to IDS

27. Hash-based IP Traceback (cont) n Transformations: –SPIE maintains Transformation Lookup Table (TLT) which stores digest of transformed packet (29 bits), type of transformation (3 bits), and packet data (32 bits) –If >32 bits, can use first bit of transformation as indirect flag, indicates that packet data is a pointer to data –Some transformations not recoverable (I.e., NAT); these will be looked at as special-purpose gateways, out of scope of the paper

28. Hash-based IP Traceback (cont) n Graph construction done by recursively checking along reverse path for routers with packet digests corresponding to attack packet n Resource requirements expressed in terms of k and the amount of memory used to store packet digests. n Performance characterized by length of time for which packet digests are kept and the accuracy of candidate attack graphs

29. Hash-based IP Traceback (cont) n Timing –Note that the window of time in which one must detect an attack shrinks with the increase of the number of packets processed; fast links suggest smaller windows –The above can be tempered by allotting more fast storage to maintenance of SPIE- related information

30. Summary n Traceback methods –Reactive; don’t prevent, for instance DoS attacks –End-user-triggered; performed upon the request of a victim—victim must know he/she’s being attacked –Network-maintained

31. Hash-based IP Traceback (cont) n Discussion –Tracebacks will often be requested when network is having problems; may influence the accuracy of said traceback unless requested out-of-band –Incremental deployment can severely limit the scope of the attack graph –Occasionally, the victim may not want to send the attack packet needed by SPIE to traceback –Transformations can be costly to invert and/or recover from