Advanced Networking Laboratory
IP Traceback by Deterministic Packet Marking
Nirwan Ansari
Advanced Networking Laboratory, Department of Electrical and Computer Engineering
New Jersey Institute of Technology, Newark, NJ 07102-1982, USA
http://web.njit.edu/~ang
2nd Sendai International Workshop on Internet Security and Management, Hotel Sendai Plaza, Sendai, Japan, January 27-30, 2004
Outline
- Motivation for IP Traceback
- Currently available techniques to cope with anonymous attacks
- Framework and Evaluation Metrics
- Overview of IP Traceback Schemes
- Deterministic Packet Marking
- IP Traceback implications and challenges
- Conclusion/Future Work
- The firewall starts an ACK timer for every SYN it receives; if the timer expires before the ACK arrives, the firewall resets the connection on behalf of the (absent or spoofed) client.
- The firewall keeps track of the number of half-open connections and starts dropping the oldest half-open connections once this number exceeds a certain threshold.
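The two countermeasures above, as an added example that is not part of the original talk: a Python model of a firewall front end that keeps a bounded half-open table with a per-SYN ACK timer. The timeout, the threshold, the flow tuples, the class and function names and the sample SYN-flood trace are all constructed for this example; a real implementation would act on the server's TCP state rather than on a dictionary.

```python
"""Toy model of a firewall's SYN-flood countermeasures (added example)."""
from collections import OrderedDict

Flow = tuple  # (src_ip, src_port, dst_ip, dst_port); constructed for the example


class SynFloodGuard:
    """Stateful front end in front of a protected server.

    Countermeasure 1: every SYN starts an ACK timer; when it expires the
    firewall sends a RST on the client's behalf and frees the state.
    Countermeasure 2: the half-open table is bounded; above `max_half_open`
    the oldest half-open entry is dropped to make room for the new SYN.
    """

    def __init__(self, ack_timeout: float, max_half_open: int):
        self.ack_timeout = ack_timeout
        self.max_half_open = max_half_open
        # Insertion order doubles as age: the first entry is always the oldest.
        self.half_open: "OrderedDict[Flow, float]" = OrderedDict()
        self.resets: list = []     # flows for which a RST was sent after timeout
        self.evicted: list = []    # flows dropped because the table was full
        self.completed: list = []  # flows whose handshake finished

    def _expire(self, now: float) -> None:
        # Timers fire in insertion order, so stop at the first live entry.
        while self.half_open:
            flow, t_syn = next(iter(self.half_open.items()))
            if now - t_syn <= self.ack_timeout:
                break
            self.half_open.popitem(last=False)
            self.resets.append(flow)  # RST sent on the client's behalf

    def on_syn(self, flow: Flow, now: float) -> None:
        self._expire(now)
        if flow in self.half_open:
            return  # retransmitted SYN: keep the original timer
        if len(self.half_open) >= self.max_half_open:
            oldest, _ = self.half_open.popitem(last=False)
            self.evicted.append(oldest)
        self.half_open[flow] = now

    def on_ack(self, flow: Flow, now: float) -> bool:
        """True if the ACK completed a tracked handshake."""
        self._expire(now)
        if self.half_open.pop(flow, None) is None:
            return False  # no matching half-open entry: late, spoofed, or evicted
        self.completed.append(flow)
        return True


def replay(events, ack_timeout: float = 3.0, max_half_open: int = 4) -> dict:
    """Feed time-ordered (time, kind, flow) events through the guard and summarise."""
    g = SynFloodGuard(ack_timeout, max_half_open)
    for t, kind, flow in events:
        if kind == "SYN":
            g.on_syn(flow, t)
        elif kind == "ACK":
            g.on_ack(flow, t)
    g._expire(events[-1][0] + ack_timeout + 1.0)  # let the remaining timers fire
    return {
        "completed": len(g.completed),
        "reset_after_timeout": len(g.resets),
        "evicted_when_full": len(g.evicted),
        "still_half_open": len(g.half_open),
    }


# Constructed sample trace: one legitimate client completes its handshake, then a
# spoofed-source flood of seven SYNs arrives and never ACKs.
SERVER = ("203.0.113.10", 80)
LEGIT = ("198.51.100.7", 40001) + SERVER
SAMPLE = [(0.0, "SYN", LEGIT), (0.05, "ACK", LEGIT)]
SAMPLE += [(0.1 * i, "SYN", (f"192.0.2.{i}", 1000 + i) + SERVER) for i in range(1, 8)]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

With a table of four entries, the flood overflows it after four SYNs, three attacker entries are evicted to make room, and the last four are reset when their ACK timers expire; the legitimate client is unaffected only because it finished its handshake before the flood filled the table, which is the collateral-damage risk of the second countermeasure.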
IP Traceback: a mechanism for identifying the source of any packet on the Internet
- Envisioned for identifying the human attacker
- Technical reality: it can only identify the host that originated the attack packets; sometimes it is only possible to identify the organization that owns the host
- NAT, firewalls, etc. hide the originating host behind the organization's edge
- IP traceback may therefore be limited to identifying the ingress point of the packets into the Internet
Metrics for Evaluation of Schemes
- ISP involvement
- Number of attack packets needed for traceback
- Effect of partial deployment
- Processing overhead
- Bandwidth overhead
- Memory requirements
- Ease of evasion
- Protection
- Scalability
- Number of functions that need to be implemented
- Ability to handle major DDoS attacks
- Ability to handle transformed packets

Criteria of the ideal scheme
- Low number of attack packets required for traceback
- Ability to deploy partially
- Low processing overhead on the routers
- Low bandwidth overhead on the network
- Minimal ISP involvement
- Does NOT disclose the topology of the ISP
- Scalable
- Able to trace back ALL types of attacks
Highlights of evaluation:
- ISP involvement: Low
- Processing overhead: during traceback and at the victim only
- Ability to handle major DDoS attacks: Poor
- Number of attack packets required for traceback: Thousands

Highlights of evaluation:
- ISP involvement: Low
- Processing overhead: during traceback and at the victim only
- Ease of evasion: High
- Ability to handle major DDoS attacks: Poor
- Number of attack packets required for traceback: Thousands

Highlights of evaluation:
- ISP involvement: High
- Processing overhead: every packet
- Ability to handle major DDoS attacks: Good
- Number of attack packets required for traceback: 1
- Other:

Highlights of Evaluation of Controlled Flooding
- ISP involvement: None
- Processing overhead: None
- Ability to handle major DDoS attacks: Poor
- Number of attack packets required for traceback: Huge
- Other:
  - DoS attacks only
  - Manual, unsafe, inconsistent
  - Huge bandwidth overhead during the traceback
  - Traceback is possible only while the attack is in progress
Comparison of the six schemes evaluated in the talk (the scheme names heading the columns did not survive the transcript; the columns are labelled A to F here, in the order they appear):

Metric                                              A          B          C          D          E          F
ISP involvement                                     Low        Low        High       High       None       High
Scalability                                         High       High       Poor       Fair       N/A        Poor
Vendor involvement (# of functions to implement)    2          2          None       3          1          None
Attack packets required for traceback               Thousands  Thousands  1          1          Huge       Fair
Partial deployment within a single ISP possible?    Yes        Yes        No         Yes        N/A        Yes
Prior knowledge of topology/routing required?       Yes*       Yes*       No         Yes*       Yes        Yes
Inter-ISP deployment possible?                      Yes        Yes        No         Yes        Yes        Yes
Network processing overhead, every packet           Low        Low        Low        Low        None       None
Network processing overhead, during traceback       None       None       Low        Low        None       High
Victim processing overhead, every packet            None       None       None       None       None       None
Victim processing overhead, during traceback        High       High       None       None       Fair       High
Bandwidth overhead, every packet                    None       Low        High       None       None       None
Bandwidth overhead, during traceback                None       None       None       Low        Huge       High
Memory requirements, network                        None       Low        Low        Fair       None       None
Memory requirements, victim                         High       High       None       None       Low        None
Ease of evasion                                     Low        High       Low        Low        N/A        Low
Protection                                          High       High       Fair       Fair       N/A        High
Ability to handle packet transformations            Good       Good       Good       Good       Good       Good
Ability to handle major DDoS attacks                Poor       Poor       Good       Good       Unable     Poor
* Yes, only if deployed partially

Limitations listed for the schemes (one entry per scheme, in the order they appear in the transcript):
- DoS and DDoS attacks only
- DoS and DDoS attacks only
- Single ISP. Single point of failure.
- Strict timing constraint on the traceback process.
- Single point of failure
- DoS only. Manual. Unsafe. Inconsistent. Traceback is possible only while the attack is in progress.
Single Hash Function Modification: Performance Metrics
- False positives cannot be completely avoided; they are usually expressed as a rate or percentage, and the customarily accepted rates are 1% to 5%.
- E[D], the expected number of datagrams required for reconstruction: since marks are picked at random at the DPM interface, more than k datagrams will be needed (k is the number of distinct marks that together carry one ingress address).
- For a given k there is a maximum number of attackers, NMAX, whose ingress addresses can be reconstructed with a false-positive rate of 1%, and E[D] datagrams are required for that reconstruction.
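To make E[D] and the false-positive mechanism concrete, here is an added Python model of DPM marking at the ingress interface and reconstruction at the victim. It is example code written for this page, not the authors' implementation, and it assumes a simplified mark layout (the 32-bit ingress address split into K segments of 32/K bits; each datagram carries one segment, its index and a short digest of the whole address), a truncated SHA-256 as the digest, uniformly random segment choice at the interface, and constructed attacker addresses from documentation ranges. Under the uniform-choice assumption the expected number of datagrams is the coupon-collector value E[D] = k * H_k; the real DPM header encoding and its analysis differ in the details.

```python
"""Toy model of DPM marking and victim-side reconstruction (added example)."""
import hashlib
import itertools
import random
from collections import defaultdict

# Assumed mark layout for this model (not the scheme's exact field encoding).
K = 4                   # segments per ingress address
SEG_BITS = 32 // K      # bits carried per segment
DIGEST_BITS = 10        # digest width; this is what drives the false-positive rate


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def digest(addr: int) -> int:
    """DIGEST_BITS-bit digest of the ingress address (truncated SHA-256; assumed)."""
    h = hashlib.sha256(addr.to_bytes(4, "big")).digest()
    return int.from_bytes(h[:4], "big") & ((1 << DIGEST_BITS) - 1)


def segment(addr: int, i: int) -> int:
    """Segment i of the address, most significant segment first."""
    shift = 32 - SEG_BITS * (i + 1)
    return (addr >> shift) & ((1 << SEG_BITS) - 1)


def mark(ingress_addr: int, rng: random.Random) -> tuple:
    """DPM interface: pick one segment at random for this datagram."""
    i = rng.randrange(K)
    return (i, segment(ingress_addr, i), digest(ingress_addr))


def reconstruct(marks) -> set:
    """Victim: group marks by digest, try every combination of the collected
    segments, keep the combinations whose digest matches. A combination that
    matches by chance but was never an ingress address is a false positive."""
    by_digest = defaultdict(lambda: [set() for _ in range(K)])
    for i, seg, dg in marks:
        by_digest[dg][i].add(seg)
    found = set()
    for dg, segs in by_digest.items():
        if any(not s for s in segs):
            continue  # some segment of this address has not been seen yet
        for combo in itertools.product(*segs):
            addr = 0
            for s in combo:
                addr = (addr << SEG_BITS) | s
            if digest(addr) == dg:
                found.add(addr)
    return found


def expected_datagrams(k: int = K) -> float:
    """E[D] under uniformly random segment choice: the coupon-collector
    expectation k * H_k, the mean number of datagrams until all k distinct
    segments of one ingress address have been received."""
    return k * sum(1.0 / i for i in range(1, k + 1))


def simulate(attacker_ips, datagrams_each: int, seed: int = 7) -> dict:
    """Mark `datagrams_each` datagrams per attacker, reconstruct at the victim,
    and report recovered addresses, false positives and misses."""
    rng = random.Random(seed)
    attackers = {ip_to_int(ip) for ip in attacker_ips}
    marks = [mark(a, rng) for a in sorted(attackers) for _ in range(datagrams_each)]
    found = reconstruct(marks)
    fp = found - attackers
    return {
        "found": sorted(int_to_ip(a) for a in found),
        "false_positives": sorted(int_to_ip(a) for a in fp),
        "missed": sorted(int_to_ip(a) for a in attackers - found),
        "fp_rate": len(fp) / len(found) if found else 0.0,
    }


if __name__ == "__main__":
    # Constructed sample: three spoofing hosts behind three DPM-enabled ingress points.
    print(f"E[D] for K={K}: {expected_datagrams():.2f} datagrams per address")
    print(simulate(["192.0.2.17", "198.51.100.5", "203.0.113.200"], datagrams_each=60))
```

Two things to try: lower DIGEST_BITS to 4 or 5 and raise the number of attackers, and the cross products of segments from different addresses that share a digest start passing the digest check, which is exactly the false-positive growth that bounds NMAX; raise K and E[D] grows as k * H_k, i.e. faster than linearly in the number of segments.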
DPM: a novel IP traceback mechanism which
- does not introduce any bandwidth overhead
- introduces little processing overhead on the network
- requires few packets from the attacking hosts for traceback
- does not reveal the ISP network topology
- is scalable
- is suited for various kinds of anonymous attacks
- handles fragmented traffic
- is capable of performing traceback post-mortem
Conclusion/Future Work
- IP traceback is one problem within Internet security and homeland security
- None of the approaches proposed to date satisfies the criteria of the ideal scheme
- The IP traceback problem is still open...
References
- A. Belenky and N. Ansari, "Accommodating Fragmentation in Deterministic Packet Marking (DPM)," Proc. IEEE GLOBECOM 2003, Dec. 1-5, 2003, pp. 1374-1378.
- A. Belenky and N. Ansari, "On IP Traceback," IEEE Communications Magazine, Vol. 41, No. 7, pp. 142-153, July 2003.
- A. Belenky and N. Ansari, "Tracing Multiple Attackers with Deterministic Packet Marking (DPM)," Proc. IEEE PacRim 2003, Aug. 28-30, 2003, pp. 49-52.
- A. Belenky and N. Ansari, "IP Traceback with Deterministic Packet Marking," IEEE Communications Letters, Vol. 7, No. 4, pp. 162-164, April 2003.
- D. Wei and N. Ansari, "Implementing IP Traceback in the Internet: An ISP Perspective," Proc. 3rd Annual IEEE Workshop on Information Assurance, West Point, New York, June 17-19, 2002, pp. 326-332.
- Link state updates
- Wireless TCP (TCP-Jersey)
- Anomaly detection
- Optical networks: OBS, protection and restoration, RPR, metropolitan networks
- IntServ/DiffServ integration
- QoS in multimedia communications
- QoS support in VPNs
- Data hiding