1 / 78

Presented by FanChiang C.W. Advisor: Prof. Frank Y.S. Lin

On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack. INFOCOM 2001. Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings. IEEE. Presented by FanChiang C.W. Advisor: Prof. Frank Y.S. Lin. Agenda.

tracen
Télécharger la présentation

Presented by FanChiang C.W. Advisor: Prof. Frank Y.S. Lin

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack INFOCOM 2001. Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings. IEEE Presented by FanChiang C.W. Advisor: Prof. Frank Y.S. Lin

  2. Agenda • Abstract • Introduction • Probabilistic Packet Marking and Traceback • DoS traceback minimax problem • DDoS traceback problem • Dynamic PPM scheme OPLab, NTUIM

  3. Abstract • The optimal decision problem - the victim can choose the marking probability whereas the attacker can choose the spoofed marking value, source address, and attack volume - can be expressed as a constrained minimax optimization problem, where the victim chooses the marking probability such that the number of forgeable attack paths is minimized. OPLab, NTUIM

  4. Introduction • Two contributions • First, it shows the trade-off relation between victim and attacker, which is a function of marking probability, path length, and traffic volume. • Second, for a given attack volume, by mounting DDoS attack, the uncertainty factor might be amplified. OPLab, NTUIM

  5. Probabilistic Packet Marking and Traceback OPLab, NTUIM

  6. Probabilistic Packet Marking and Traceback • Given network is as a directed graph G = (V,E), where V is the set of nodes and E is the set of edges. • The edgesdenote physical links between elements in V. Let S ⊂ V denote the set of attackers and let t ∋ V \ S denote the victim. |S| = 1 (DoS) OPLab, NTUIM

  7. Probabilistic Packet Marking and Traceback (con’t) • We assume that routes are fixed1, • And Attack path A is presented as 1. On the IP Internet, the majority of TCP sessions do not experience route changes during their connection lifetime. Generalization of PPM under dynamic routing (the routing process must be specified) is a problem for future work. OPLab, NTUIM

  8. Probabilistic Packet Marking and Traceback (con’t) E B A D G C F OPLab, NTUIM

  9. Probabilistic Packet Marking and Traceback (con’t) packets Packet marked by Attacker B E Packets marked by a router A G D Attack packets Marked by a router F C Attack packets OPLab, NTUIM

  10. Probabilistic Packet Marking and Traceback (con’t) packets Packet marked by Attacker B E Packets marked by a router A G D Attack packets Marked by a router F C Attack packets OPLab, NTUIM

  11. Probabilistic Packet Marking and Traceback (con’t) • A packet x is assumed to have a marking field where the identity of a (v, v’) ∊ E traversed can be inscribed. • A packet travels on the attack path A sequentially. At a hop vi∊ {v1, …, vd}, packet x is marked with the edge value (vi-1, vi) , i=1, 2,…, d. , with probability p (0 ≤ p≤ 1) where v0 = s. This is probabilistic marking. OPLab, NTUIM

  12. Probabilistic Packet Marking and Traceback (con’t) packets Packet marked by Attacker B E Packets marked by a router A G D Attack packets Marked by a router F C Attack packets OPLab, NTUIM

  13. Probabilistic Packet Marking and Traceback (con’t) packets Packet marked by Attacker B E Packets marked by a router A G D Attack packets Marked by a router F C Attack packets OPLab, NTUIM

  14. Path Sampling • αi(p) = p(1-p)d-i(1) • α0(p)=(1-p)d ( attacker can hide his identity or fool defender ) (2) • When N packets are transmitted, the expected value of packets reaching target t marked by ri is ni(p) = Nαi(p) Note that • α1(p)≦ α2(p)≦ …… ≦ αd(p) OPLab, NTUIM

  15. Path Sampling (con’t) • To receive a marked packet form v1 requires N≧1/α1(p) • Because N is under attacker’s control from purely sampling view point, edge(s, v1) is the weakest link. OPLab, NTUIM

  16. Probabilistic Packet Marking and Traceback (con’t) packets Packet marked by Attacker B E Packets marked by a router A G D Attack packets Marked by a router F C Attack packets OPLab, NTUIM

  17. Probabilistic Packet Marking and Traceback (con’t) packets Packet marked by Attacker B E Packets marked by a router A G D Attack packets Marked by a router F C Attack packets OPLab, NTUIM

  18. Probabilistic Packet Marking and Traceback (con’t) packets Packet marked by Attacker ??? B E Packets marked by a router A G D Attack packets Marked by a router F C Attack packets OPLab, NTUIM

  19. Path Sampling (con’t) which has the solution p≦ ½. • In general, we may consider p ≦ 1-2-1/d , d = 10 then p≦ 0.067 OPLab, NTUIM

  20. Path Sampling (con’t) • The optimal selection of N, d, and x0 by the attacker, and correspondingly optimal selection of p by the victim to achieve their individual, conflicting objectives lies at the heart of the probabilistic PPM approach to source identification. OPLab, NTUIM

  21. Traceback Problem (con’t) • Marking spoofed variable x0 can be fixed by following thereotic argument • Let nsi(p) be the number of spoofed packets arriving at t marked by(ui,v1) no(p) = Σmi=1 nsi(p). If it holds that then all m+1 paths are equally likely yielding the same outcome in terms of collected marking values at t OPLab, NTUIM

  22. Traceback Problem (con’t) • We call m – a function of p and spoofing variable x0- the uncertainty factor with respect to marking probability p. • The larger m is, the more the processing cost incurred by the victim to trace back the attack source. OPLab, NTUIM

  23. Traceback Problem (con’t) • Thus, the objective of the attacker is to maximize m, whereas the objective of the victim is to minimize m OPLab, NTUIM

  24. Traceback Problem (con’t) • The formulation in (III.5) does not incorporate the attack volume N and thus unduly favors the victim. • A sampling constraint is added by requiring • Nα1(p) = N p(1-p)d-1≧1 (III.6) OPLab, NTUIM

  25. Traceback Problem (con’t) • Thus the refined minimax optimization reflecting the victim’s sampling constraint is given by • Nα1(p) = N p(1-p)d-1≧1 as a function of p has a unimodal (or bell) shape with peak at p = 1/d OPLab, NTUIM

  26. ANALYSIS OF SINGLE-SOURCE DOS ATTACK OPLab, NTUIM

  27. ANALYSIS OF SINGLE-SOURCE DOS ATTACK • And IV.1 can be derandomized - replaced by a deterministic procedure that emulates uniform generation. no(p) = Σmi=1 nsi(p). OPLab, NTUIM

  28. ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con’t) • Given p (determined by the victim), the attacker can achieve m = 1/p - 1 OPLab, NTUIM

  29. ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con’t) • With constraint III.6 we can define and it can be checked that when d ≧2, L is convex in p OPLab, NTUIM

  30. ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con’t) • It can be viewed as minimization problems of the objective function 1/p -1 over LN for N= N0, N0+1,…… • The next result gives a performance bound on the attacker’s ability to hide his identity under PPM. OPLab, NTUIM

  31. ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con’t) • Theorem 2 shows that the maximum achievable uncertainty factor cannot exceed d-1, the distance between the attacker and victim. • And on the internet, most path lengths are bounded by 25 [29] • [29] Wolfgang Theilmann and Kurt Rothermel, “Dynamic distance maps of the Internet,” in Proc. of IEEE INFOCOM 2000, Mar. 2000. OPLab, NTUIM

  32. ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con’t) • d = 10, N = 26 • Thus the attacker, by judiciously choosing the attack volume, can maximally hide his identity given by d-1. OPLab, NTUIM

  33. Approximation of Uncertainty Factor • Np(1-p)d-1≥ 1, The equation, Np(1-p)d-1= 1 , is transformed to the polynomial xn – xn-1 + cby substitution of p, N, d with1-x, 1/c, n, respectively. • We divide Np(1-p)d-1= 1 by N, andrepresent p as 1-x (0≤x≤1), thus, it becomes OPLab, NTUIM

  34. Approximation of Uncertainty Factor (con’t) • Assuming N≫ 1, thus, 1/N ≈ 0. • First consider xd-1 close to 1, left hand side becomes (1-1/N)d-1 ->1, as N -> ∞. • Next, When(1-1/N)d-1 -> 0, the approximate solution x = 1/N 1/d-1 OPLab, NTUIM

  35. Approximation of Uncertainty Factor (con’t) • Thus x is approximately 1-(1/N) or 1/N1/d-1. Therefore, OPLab, NTUIM

  36. Approximation of Uncertainty Factor (con’t) • The maximum uncertainty value m of the min-max optimization problem is given by • N = 105,d = 25 then m is 1.6247; • N = 107,d = 25 then m is 1.0446 OPLab, NTUIM

  37. Marking Probability OPLab, NTUIM

  38. Marking Probability (con’t) OPLab, NTUIM

  39. Marking Probability (con’t) • d ∝ 1/p • m ∝ 1/p • Given N, as distance d ↓, the expected number of spoofed packets, Ns ↑, at any given value of p • When the source of an attack is far from the victim, the attacker becomes more potent at impeding traceback OPLab, NTUIM

  40. Attack Distance OPLab, NTUIM

  41. Attack Distance (con’t) • Since the distance between an attacker and victim is bounded on the Internet, an attacker has limited ability to hide his location when subject to probabilistic packet marking. OPLab, NTUIM

  42. Attack Volume • To satisfy sampling constrain, N needs to be at least dd/(d-1)d-1 • As N increases, the victim can reduce the forgeable paths to less than d-1 OPLab, NTUIM

  43. V. DDoS Attack OPLab, NTUIM

  44. DDoS Attack • Following the uncertainty optimization framework, given a desired attack Volume N, an amplification factor of M can be trivially achieved by mounting N/M -volume attacks from Mseparate attack sites. OPLab, NTUIM

  45. DDoS Attack (con’t) • m*(∙)is a function depicting the optimum (i.e., minimax) uncertainty factor for the traffic volume given in the argument. OPLab, NTUIM

  46. DDoS Attack Model -Classification(con’t) • All-source traceback, • we assume the attacker is able to mount stateless intrusions when gathering attack hosts, and thus his objective is to maximize total uncertainty (vs. individual uncertainty in the any-source traceback case) since quick traceback of individual attack hosts does not present a danger with respect to revealing traceback information.. OPLab, NTUIM

  47. DDoS Attack Model – Classification (con’t) • The attacker’s objective is to maximize the number of forged paths that the victim has to process. • And the victim’s goal is to isolate or shut down traffic flow emanating from comprised hosts. OPLab, NTUIM

  48. DDoS Attack Model -Traceback Analysis • Given M distinct sources, each sources si sends Ni packets to victim v at di distant for 1 ≤ i ≤ M • An attack path is represented by Ai = (si, vi,1, vi,2, …vi,d, t).Without lossof generality, assume di ≤ d j, for i < j OPLab, NTUIM

  49. DDoS Attack Model -Traceback Analysis (con’t) • Thus the expected number of spoofed packets from si is for 1 ≤ i ≤ M • The expected number of packets marked by vi,1 is OPLab, NTUIM

  50. DDoS Attack Model -Traceback Analysis (con’t) OPLab, NTUIM

More Related