Hash-Based IP Traceback

Presentation Transcript


  1. Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01

  2. Introduction • Today’s Internet infrastructure is extremely vulnerable to motivated and well-equipped attackers. • Denial of service attacks • Single well-targeted packet attacks • To institute accountability for these attacks, the source of individual packets must be identified.

  3. Today’s IP Network • The IP protocol makes it difficult to identify the true source of an IP datagram. • Stateless, destination-based routing without source authentication • Legitimately spoofed source addresses • NAT, Mobile IP, IPSec • Ingress filtering

  4. Source Path Isolation Engine • Challenges in constructing a tracing system • Determining which packets to trace • Maintaining privacy • Minimizing cost • The proposed SPIE • reduces memory consumption with Bloom filters • verifies packets while maintaining privacy by storing only packet digests

  5. Assumptions on a Traceback System • Packets may be addressed to more than one physical host • Duplicate packets may exist in the network • Routers may be subverted, but not often • Attackers are aware they are being traced Continued…

  6. Assumptions on a Traceback System • The routing behavior of the network may be unstable • The packet size should not grow as a result of tracing • End hosts may be resource constrained • Traceback is an infrequent operation

  7. Design Goals • An optimal IP traceback system would • precisely identify the source of an arbitrary IP packet • construct an attack path when co-opted routers exist • construct an attack graph when multiple indistinguishable packets exist • produce no false negatives while attempting to minimize false positives • not expand the eavesdropping capabilities of a malicious party

  8. Attack Graph

  9. Design Goals • An optimum traceback system should trace packets through valid transformations back to the source of the original packet. • Transformation categories • Packet encapsulation • Packet generation • Common packet transformations (RFC 1812)

  10. Related Work • Two approaches to determining the route of a packet flow are auditing and inferring. • Inferring (Burch and Cheswick) • Floods candidate links and monitors variations • Requires knowledge of the network topology and large packet floods • Specialized routing (Stone) • Overlay tracking network • Requires long-lived flows and routing changes

  11. Auditing • End-host schemes • Routers notify the packet destination of their presence on the route by in-band or out-of-band signaling. • Infrastructure schemes • Log packets at various points throughout the network. • Space and privacy considerations • Input debugging & IDIP • High overhead

  12. Packet Digesting • Auditing by computing and storing 32-bit packet digests reduces storage requirements and prevents eavesdropping. • SPIE computes digests over the invariant portion of the IP header and the first 8 bytes of the payload (28 bytes in total). Continued…

  13. Packet Digesting

  14. Prefix Collision

  15. Bloom Filter • Each router uses multiple independent hash functions, which change over time.
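The digesting and filtering described on slides 12 to 15, as an added example in Python (not the slides' or the SPIE authors' code): a toy Data Generation Agent that masks the hop-by-hop mutable header fields, digests the remaining 20 header bytes plus the first 8 payload bytes, and records the result in a Bloom filter whose hash functions are salted per router and per time period. The slides do not enumerate the masked fields, so the choice of ToS, TTL and header checksum, the filter size, the number of hash functions and the salt format are this example's assumptions; the packets are constructed for the demo.

```python
"""Toy SPIE Data Generation Agent (added example, not the SPIE authors' code).

Follows slides 12-15: digest the invariant part of the IPv4 header plus the
first 8 bytes of payload (28 bytes) and record it in a Bloom filter whose hash
functions are salted per router and per time period.  The masked fields, the
filter size and the salt format are assumptions of this example.
"""
import hashlib
import socket
import struct

# Header bytes that change hop by hop and are masked before digesting
# (assumption: ToS at offset 1, TTL at offset 8, header checksum at 10-11).
# IP options, if present, are not digested either.
MUTABLE_OFFSETS = (1, 8, 10, 11)
PAYLOAD_PREFIX_LEN = 8
DIGEST_INPUT_LEN = 20 + PAYLOAD_PREFIX_LEN      # 28 bytes, as on slide 12


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_packet(src: str, dst: str, ttl: int, payload: bytes,
                      ident: int = 0x1234, tos: int = 0, proto: int = 17) -> bytes:
    """Construct a minimal IPv4 packet (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident,
                      0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def digest_input(packet: bytes) -> bytes:
    """The 28 bytes SPIE hashes: masked header plus first 8 payload bytes."""
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:20])
    for off in MUTABLE_OFFSETS:
        header[off] = 0
    payload = packet[ihl:ihl + PAYLOAD_PREFIX_LEN].ljust(PAYLOAD_PREFIX_LEN, b"\0")
    return bytes(header) + payload


class DigestTable:
    """Bloom filter holding one router's digests for one time period.

    The k hash functions are derived from a per-router, per-period salt, so
    they differ between routers and change over time (slide 15): nobody can
    predict in advance which bits a given packet will set.
    """

    def __init__(self, salt: bytes, size_bits: int = 1 << 16, k: int = 3):
        self.salt, self.m, self.k = salt, size_bits, k
        self.bits = bytearray(size_bits // 8)

    def _indices(self, data: bytes):
        for i in range(self.k):
            h = hashlib.sha256(self.salt + bytes([i]) + data).digest()
            yield int.from_bytes(h[:4], "big") % self.m

    def insert(self, packet: bytes) -> None:
        for idx in self._indices(digest_input(packet)):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def probably_saw(self, packet: bytes) -> bool:
        """True if all k bits are set: the packet (or a colliding one) passed."""
        return all(self.bits[idx >> 3] & (1 << (idx & 7))
                   for idx in self._indices(digest_input(packet)))


def demo() -> dict:
    """Constructed traffic: an attack packet, the same packet one hop later,
    an unrelated packet and a prefix collision (slide 14)."""
    table = DigestTable(salt=b"routerA|period-0")            # constructed salt
    attack = build_ipv4_packet("10.0.0.7", "192.0.2.10", 64, b"ATTACK-PAYLOAD")
    table.insert(attack)
    # One hop later TTL and checksum have changed, but the digest input has not.
    forwarded = build_ipv4_packet("10.0.0.7", "192.0.2.10", 63, b"ATTACK-PAYLOAD")
    other = build_ipv4_packet("10.0.0.8", "192.0.2.10", 64, b"benign traffic")
    # Same header and same first 8 payload bytes, different later bytes:
    # the digest table cannot tell this packet from the attack packet.
    lookalike = build_ipv4_packet("10.0.0.7", "192.0.2.10", 64, b"ATTACK-PAYL0AD")
    return {
        "same_digest_after_hop": digest_input(attack) == digest_input(forwarded),
        "forwarded_matches": table.probably_saw(forwarded),
        "other_matches": table.probably_saw(other),
        "prefix_collision": table.probably_saw(lookalike),
    }


if __name__ == "__main__":
    print(demo())
```

The `lookalike` packet is the prefix collision of slide 14: two packets that agree on the masked header and the first 8 payload bytes are indistinguishable to SPIE by design, which is why the paper accepts a small false-positive rate rather than storing whole packets.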

  16. SPIE Architecture DGA: Data Generation Agent SCAR: SPIE Collection and Reduction STM: SPIE Traceback Manager IDS: Intrusion Detection System

  17. Traceback Processing • The IDS provides the STM with a packet P, the victim V, and the time of attack T. • The STM verifies the message’s authenticity and integrity. • The STM immediately asks all SCARs to poll their DGAs for the relevant traffic digests. • Each SCAR responds with a partial attack graph. • The STM constructs a composite attack graph and returns it to the IDS.

  18. Transformation Processing • Packets being transformed are put on the control path, thus relaxing the timing requirements. • Transform Lookup Table (TLT): Indirect (I) flag; a. Pointer; b. Flow caching Continued…

  19. Transformation Processing • The 29-bit packet digest field implies that eight distinct 32-bit packet digests map to the same TLT entry. • The ambiguity is tolerable because of • the rarity of packet transformations • the sparsity of the digest table • the uniformity of the digesting function • SPIE treats the security gateway or NAT functionality of routers as a separate entity to manage TLT growth.

  20. Graph Construction • SCARs construct attack graphs by simulating Reverse-Path Flooding (RPF) over the routers’ digest tables.
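The graph construction of slide 20 and the SCAR's role in the traceback procedure of slide 17, as an added example in Python (not the SPIE authors' code): starting at the victim's router, the search asks each neighbouring router's digest table whether it holds the attack packet for the relevant time period and expands only through routers that answer yes, the reverse of how the packet would flood forward from its source. The topology, the routers' answers and the deliberate Bloom-filter false positive at one router are constructed for the demo.

```python
"""Attack-graph construction by simulated reverse-path flooding.

Added example, not the SPIE authors' code.  Models slides 17 and 20: the STM
hands a SCAR the attack packet and time period, and the SCAR queries the
routers' digest tables working backwards from the victim.  The topology, the
answers and the false positive below are constructed.
"""
from typing import Callable, Dict, List, Set, Tuple

# Constructed topology: router -> directly connected routers.  "V" is the
# victim's first-hop router, where the trace starts.
TOPOLOGY: Dict[str, List[str]] = {
    "V": ["R1"],
    "R1": ["V", "R2", "R3"],
    "R2": ["R1", "R4"],
    "R3": ["R1", "R5"],
    "R4": ["R2"],
    "R5": ["R3"],
}

# Routers whose digest table for the attack's time period reports the packet.
TRUE_PATH = {"V", "R1", "R2", "R4"}    # the path the packet really took
FALSE_POSITIVE = {"R3"}                # a Bloom-filter collision at R3


def demo_digest_query(router: str) -> bool:
    """Stand-in for 'the SCAR asks the DGA at `router` for the attack digest'."""
    return router in TRUE_PATH or router in FALSE_POSITIVE


def reverse_path_flood(topology: Dict[str, List[str]],
                       query: Callable[[str], bool],
                       start: str) -> Set[Tuple[str, str]]:
    """Return attack-graph edges as (upstream_router, downstream_router).

    Forward flooding would carry the packet from its source to every router;
    reverse-path flooding runs that search backwards from the victim's router,
    asking every neighbour whether it saw the packet and continuing only
    through routers that answer yes.  Each router is queried at most once.
    """
    answers: Dict[str, bool] = {start: True}

    def saw(router: str) -> bool:
        if router not in answers:
            answers[router] = query(router)
        return answers[router]

    edges: Set[Tuple[str, str]] = set()
    expanded: Set[str] = set()
    frontier = [start]
    while frontier:
        node = frontier.pop()
        if node in expanded:
            continue
        expanded.add(node)
        for neighbour in topology[node]:
            if neighbour in expanded:
                continue            # link already handled from the other side
            if saw(neighbour):
                edges.add((neighbour, node))
                frontier.append(neighbour)
    return edges


def candidate_sources(edges: Set[Tuple[str, str]]) -> Set[str]:
    """Leaves of the attack graph: routers with no router reported upstream."""
    upstream = {u for u, _ in edges}
    downstream = {d for _, d in edges}
    return upstream - downstream


def demo() -> Tuple[Set[Tuple[str, str]], Set[str]]:
    edges = reverse_path_flood(TOPOLOGY, demo_digest_query, "V")
    return edges, candidate_sources(edges)


if __name__ == "__main__":
    graph, sources = demo()
    for up, down in sorted(graph):
        print(f"{up} -> {down}")
    print("candidate ingress routers:", sorted(sources))
```

With the constructed answers the SCAR reports the true path R4 -> R2 -> R1 -> V plus a spurious branch R3 -> R1 caused by the false positive at R3; R5 answers no, so the spurious branch stops there. This is the trade-off behind the design goal on slide 7: a false positive adds an extra candidate ingress router to the graph, whereas a false negative would cut the true path short, which is why the system tolerates the former and not the latter.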

  21. DGA Hardware

  22. Discussion • Reliable and timely SPIE communication • Out-of-band channel • Higher priority • Inter-domain cooperation • Authentication • Denial of service through transformation • Performance & policy

  23. Conclusion and Future Work • SPIE traces a single packet while preserving privacy and keeping storage low. • SPIE handles complex packet transformations in high-speed routers. • Future work on SPIE includes • extending the time period of traceability • reducing the information stored for de-transformation
