An Efficient IP Traceback Approach
Wang-Jiunn Cheng, Maria R. Lee, Chung-Han Sheng
Shih Chien University, Taipei, Taiwan
W. J. Cheng, Shih Chien University, 2006


Dec 19, 2015


Is IP Traceback a Business Issue?

• February 9, 2000 - Cyberassaults hit Yahoo, Buy.com, eBay, CNN and Amazon. The attacks followed the pattern of a DoS (denial-of-service) attack…

• Is IP Traceback a New DOS deterrent? Hassan Aljifiry, IEEE Security & Privacy, Vol 1, No 3, May/June 2003: The increasing frequency of malicious computer attacks on government agencies and Internet businesses has caused severe economic waste and unique social threats. IP traceback—the ability to trace IP packets to their origins—is a significant step toward identifying, and thus stopping, attackers.


Is IP Traceback a Business Issue? (cont’d)

• Stateless IP routers lack security features, which allows IP spoofing, so malicious packets can freely attack the whole Internet at any time, from anywhere.

• Current status: the Internet is still under attack! (Smurf, SYN Flood, Fraggle, Tribe Flood Network, Trinoo, TFN2K, etc.)


What is IP Traceback for?

• Most of the approaches discussed in this subject were inspired by DoS and DDoS attacks.

• In general, IP traceback is not limited only to DoS and DDoS attacks.

• The task of identifying the actual source of the packets is complicated by the fact that the IP address can be forged or spoofed.

• IP traceback techniques neither prevent nor stop the attack; they are used only for identification of the sources of the offending packets during and after the attack.

• IP traceback may be limited to identifying the point where the packets constituting the attack entered the Internet.


Which Approach is the Best One? (Link-testing traceback)

Which Approach is the Best One? (Logging traceback)

Which Approach is the Best One? (ICMP-based traceback)

Which Approach is the Best One? (Packet marking traceback)


How to conceive a traceback?

[Figure: Keeper-based Internet Topology. End-users sit in Small Area Networks, each behind a Keeper (Router) attached to the Internet. The attacker host HA is behind keeper KA and the victim host HV is behind keeper KV. Each Small Area Network is labelled "local spoof-free"; the path between the keepers is labelled "label switched virtual tunnel, tracebackable in nature".]


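How to conceive a traceback? (cont’d)

[Figure: Label-switching tunnel. Attacker host HA and victim host HV sit in their SANs behind keepers KA and KV, which are joined across the Internet by a label-switching tunnel. The packet exchange is drawn as numbered steps 1 to 12, with header labels A, V, LA, KA, LV, KV.]

Label switching Table of KA: LA | A:V | KV:LV

Label switching Table of KV: KA:LA | V:A | LV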


How to conceive a traceback? (cont’d)

The Modified IP Header. Darkened areas represent underutilized bits.

Header fields shown, row by row:

• Version | H. Length | Type of Service | Total Length
• Fragment ID | Flags | Fragment Offset
• Time to Live | Protocol | Header Checksum
• Source IP Address
• Destination IP Address

Annotations on the figure: 1 reserved bit as marked bit; Target Keeper’s IP Address; Target Keeper’s Label.
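Added example (not from the original slides): using the slide's "1 reserved bit as marked bit" means that whoever sets or clears the bit must also recompute the header checksum, and a verifier should validate the header before trusting the mark. The Python below assumes the mark is the reserved flag bit (0x8000 of the Flags/Fragment Offset word); the function names and the sample packet are constructed, and the placement of the target keeper's address and label is not modeled because the slide text does not specify it.

```python
import struct

MARK_BIT = 0x8000  # reserved flag: top bit of the Flags/Fragment Offset word


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; 0 for a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def header_len(packet: bytes) -> int:
    """Validate version and IHL before touching any field."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad header length")
    return ihl


def is_marked(packet: bytes) -> bool:
    header_len(packet)
    return bool(struct.unpack_from("!H", packet, 6)[0] & MARK_BIT)


def checksum_ok(packet: bytes) -> bool:
    return ipv4_checksum(packet[:header_len(packet)]) == 0


def set_mark(packet: bytes, marked: bool = True) -> bytes:
    """Return a copy with the marked bit set or cleared and the checksum redone."""
    ihl = header_len(packet)
    hdr = bytearray(packet[:ihl])
    word = struct.unpack_from("!H", hdr, 6)[0]
    word = (word | MARK_BIT) if marked else (word & ~MARK_BIT & 0xFFFF)
    struct.pack_into("!H", hdr, 6, word)
    struct.pack_into("!H", hdr, 10, 0)  # zero checksum field before summing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def build_sample() -> bytes:
    """Constructed packet: 20-byte header (DF set, UDP, RFC 5737 addresses) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0x1234, 0x4000, 64, 17, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return set_mark(hdr + b"data", marked=False)
```

A packet whose marked bit was flipped without the checksum update fails `checksum_ok`, so it would be dropped as corrupt at the next hop rather than read as marked.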


How to conceive a traceback? (cont’d)

Local spoofing free

[Figure: flowchart with Yes/No branches. Labels recoverable from the slide: router MAC, ARP match, marked, unicast, bypass, spoof, mark.]


How to conceive a traceback?