IP Traceback in Cloud Computing Through Deterministic Flow Marking
IP Traceback in Cloud Computing Through Deterministic Flow Marking. Presented by Mouiad Abid Hani. Presentation figures are from the references given on slide 21.
Introduction • IP traceback problem • The problem of identifying the source of the offending packets (DoS and DDoS attacks) • Source: zombie, reflector, spoofed addresses, etc. • Solutions • Rely on the routers (PPM): only for DoS • Rely on the ingress routers only (DPM and DFM): for DDoS and DoS • Centralized management (logging packet information): large overhead, complex, not scalable
Why Cloud Computing? • Cloud computing is a Traditional Distributed Environment (TDE) • Cloud computing is vulnerable to any attack targeting TDEs • DoS and DDoS attacks target TDEs • DoS and DDoS attacks target the availability of a service • The cost in cloud computing will be greater
Deterministic Packet Marking (DPM) • Each packet is marked when it enters the network • Only incoming packets are marked • Mark: address information of this (ingress) interface • 16-bit ID + 1-bit flag
Coding of a mark • Flag = 0: address bits 0~15 • Flag = 1: address bits 16~31 • Flag value set randomly • How many packets are enough? • n: the number of received packets • The probability of successfully reconstructing the ingress IP address is greater than: 2 packets 75%; 4 packets 93.75%; 6 packets 98.43%; 10 packets 99.9%
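As an added illustration (not from the slides or the cited papers), a small Python model of the marking just described: the ingress router overwrites the 16-bit ID field and the 1-bit flag of each incoming packet with a randomly chosen half of its own address, and the victim reassembles the address once both halves have been seen. The dictionary-based packet representation, the addresses and the flood scenario are constructed assumptions.

```python
import random
from typing import Dict, Iterable, Optional

# Constructed model of DPM as described on the slides: flag=0 carries address
# bits 0-15 (low half), flag=1 carries bits 16-31 (high half). Packets are
# plain dicts; "id" stands for the 16-bit IP Identification field and "flag"
# for the 1-bit reserved flag that DPM reuses (assumption for this example).

def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(v: int) -> str:
    return ".".join(str((v >> s) & 0xFF) for s in (24, 16, 8, 0))

def make_mark(ingress_ip: str, flag: int) -> Dict[str, int]:
    """Build the 17-bit DPM mark for one half of the ingress address."""
    addr = ip_to_int(ingress_ip)
    half = (addr >> 16) & 0xFFFF if flag else addr & 0xFFFF
    return {"id": half, "flag": flag}

def mark_packet(packet: dict, ingress_ip: str, rng: random.Random) -> dict:
    """Ingress router: overwrite ID and flag with a randomly chosen half."""
    marked = dict(packet)
    marked.update(make_mark(ingress_ip, rng.randint(0, 1)))
    return marked

class DPMReconstructor:
    """Victim side: collect the halves; the address is unknown until both arrive."""
    def __init__(self) -> None:
        self.halves: Dict[int, int] = {}

    def observe(self, packet: dict) -> None:
        self.halves[packet["flag"]] = packet["id"]

    def ingress_address(self) -> Optional[str]:
        if 0 in self.halves and 1 in self.halves:
            return int_to_ip((self.halves[1] << 16) | self.halves[0])
        return None  # only one half seen so far: keep waiting for more packets

def trace(packets: Iterable[dict]) -> Optional[str]:
    r = DPMReconstructor()
    for p in packets:
        r.observe(p)
    return r.ingress_address()

def simulate(ingress_ip: str, n_packets: int, seed: int) -> Optional[str]:
    """Constructed scenario: a flood with a spoofed source enters at one ingress router."""
    rng = random.Random(seed)
    flood = [{"src": "10.0.0.1", "dst": "192.0.2.10"} for _ in range(n_packets)]
    return trace(mark_packet(p, ingress_ip, rng) for p in flood)
```

Note that the spoofed source field never matters to the victim; only the marks written by the ingress router are used, which is why a single ingress point is all this scheme can identify.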
Pros • Simple to implement • Introduces no bandwidth overhead • Practically no processing overhead • Suitable for a variety of attacks, not just (D)DoS • Backward compatible with equipment that does not implement it • Does not have inherent security flaws • Does not reveal Internet topology • No mark spoofing • Scalable
Schematics [figure: marking schematic; labels: Pad, Ideal hash]
Reconstruction • Each area has k segments • Each segment has a fixed number of bits [figure: area layout]
DPM Limitations • Cannot handle the fragmentation/reassembly problem • All packets need to be marked • Can trace the attack only to the ingress router • Can handle up to 2058 attack sources • Does not support IPv6
Deterministic Flow Marking (DFM) • Based on DPM • Only the first K packets of a flow need to be marked • Can trace the attack to the attacker's node • Can handle up to 64K attack sources • Does not support IPv6 • Cannot handle the subverted-router problem
DFM Limitations • Cannot handle the fragmentation/reassembly problem • Does not support IPv6 • Uses a 42-byte signature to authenticate the whole flow
The Proposed Solutions • Use the IPv6 header Flow Label field to hold the mark • Use the MD4 algorithm instead of the elliptic curve signature within the packet (not yet verified) • The fragmentation/reassembly problem is not an issue in IPv6
Conclusion • DFM is more practical and efficient than DPM • DFM and DPM cannot prevent DDoS attacks; they only try to trace the source • DFM needs some improvements to be fully applicable to Intrusion Detection Systems
References
• Vahid A. F. and A. Nur Zincir-Heywood, "IP traceback through (authenticated) deterministic flow marking: an empirical evaluation", EURASIP Journal on Information Security, Vol. 1, No. 5, pp. 1-24, 2013.
• Y. Xiang, W. Zhou and M. Guo, "Flexible deterministic packet marking: An IP traceback system to find the real source of attacks", IEEE Transactions on Parallel and Distributed Systems, Vol. 20, No. 4, pp. 567-580, 2009.
• Vahid A. F. and A. Nur Zincir-Heywood, "On Evaluating IP Traceback Schemes: A Practical Perspective", IEEE Communications, pp. 127-134.
• Andrey Belenky and Nirwan Ansari, "IP Traceback with Deterministic Packet Marking", IEEE Communications Letters, Vol. 7, No. 4, pp. 162-164, 2003.
• Andrey Belenky and Nirwan Ansari, "Tracing Multiple Attackers with Deterministic Packet Marking (DPM)", pp. 49-52, 2003.