Tracking and Tracing Cyber

Tracking and Tracing
Howard F. Lipson, Ph.D.
CERT® Coordination Center
• Problem with Internet Security
• Shortfalls in the Current Internet
• Near-Term Solutions
• Long-Term Solutions
– Next-Generation Internet Protocol
Problem with Internet Security (1)
Problem with Internet Security (2)
Shortfalls in the Current Internet Environment (1)
• The Internet was never designed for tracking and
tracing user behavior.
– The focus was on functionality and performance.
• The Internet was not designed to resist highly
untrustworthy users.
– Only external attack was considered.
• A packet’s source address is untrustworthy, which
severely hinders tracking.
– IP spoofing and intermediate-node techniques are used.
Shortfalls in the Current Internet Environment (2)
• The current threat environment far exceeds
the Internet’s design parameters.
– There are more high-stakes Internet applications.
• The expertise of the average system
administrator continues to decline.
• Attacks often cross multiple administrative,
jurisdictional, and national boundaries.
Shortfalls in the Current Internet Environment (3)
• High-speed traffic hinders tracking.
• Tunnels impede tracking.
• Hackers destroy logs and other audit data.
• Anonymizers protect privacy by impeding
• The ability to link specific users to specific IP
addresses is being lost.
• Purely defensive approaches will fail, so
deterrence through tracking and tracing is crucial.
Near-Term Solutions (1)
Hop-by-Hop IP Traceback
(Figure: hop-by-hop traceback; labels: ISP security broker, edge router)
• Labor-intensive
• For tracing large packet flows with spoofed source
• DDoS attacks are extremely difficult to trace via this
Near-Term Solutions (2)
• Optimizing the Hop-by-Hop IP traceback
• Steps
– Create an overlay network (IP tunneling)
– In the event of a DoS attack, the ISP diverts
the flow of attack packets from the existing ISP
network onto the overlay tracking network
– The attack packets can now be easily traced
back, hop-by-hop, through the overlay network
Near-Term Solutions (3)
Ingress Filtering or Egress Filtering
• Network Ingress Filtering
– Discard all packets that contain source IP addresses that
do not match the valid range of the customer’s known
IP addresses.
• Network Egress Filtering
– Applied by the corporate network administrator
– Documented as an Internet Best Current Practice
Near-Term Solutions (4)
Backscatter Traceback
• Steps
– The attack is reported to an ISP
– The ISP configures all of its routers to reject all packets destined for
the victim
– Rejected packets are “returned to sender”
– The ISP configures all of its routers to blackhole the many ICMP
error packets that carry illegitimate destination IP addresses
– Analysis by the blackhole machine quickly traces the attack to one
or more routers at the outermost boundary of the ISP’s network
– The ISP removes the filter blocking the victim’s IP address from all
routers except those serving as the entry points for the DDoS attack
– The ISP asks neighboring ISPs, upstream of the attack, to continue
the trace
Near-Term Solutions (5)
Probabilistic Approaches
• ICMP Traceback
– ICMP traceback message
• Probabilistic Packet Marking
– IP header
Near-Term Solutions (6)
Single-Packet IP Traceback
• In theory
– Keeping a log at each router in the Internet
• Tamper-proof
• Fully-authenticated
– Technical infeasibility
• Storage
• Privacy
• Hash-Based IP Traceback
– Packet digests
– Reduces the storage requirement to 0.5% of the link capacity per unit of time
and helps privacy
– Issues
• Computational resources
• Transformation information (fragmentation, tunneling) corresponding to the
packet digests is stored in a transformation lookup table
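As an added illustration (not from the original slides) of packet-digest traceback: each router keeps a Bloom filter of digests computed over the hop-invariant parts of the packets it forwards, and an investigator later asks each router whether the attack packet may have passed through it. The router names, addresses and packets are constructed for this example, and the IPv4 checksum is left at zero because the digest masks it anyway.

```python
import hashlib
import ipaddress
import struct

def packet_digest(packet: bytes) -> bytes:
    """Digest input: IPv4 header with hop-variant fields masked, plus 8 payload bytes."""
    hdr = bytearray(packet[:20])
    hdr[1] = 0                  # ToS/DSCP may be rewritten in transit
    hdr[8] = 0                  # TTL is decremented at every hop
    hdr[10:12] = b"\x00\x00"    # header checksum changes with the TTL
    return bytes(hdr) + packet[20:28]

class DigestTable:
    """One router's Bloom filter of digests for the packets it forwarded."""
    def __init__(self, m_bits: int = 4096, k: int = 3):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, packet: bytes) -> list:
        # k bit positions taken from independent 32-bit slices of one SHA-256 hash
        h = hashlib.sha256(packet_digest(packet)).digest()
        return [int.from_bytes(h[4 * i:4 * i + 4], "big") % self.m for i in range(self.k)]

    def record(self, packet: bytes) -> None:
        for p in self._positions(packet):
            self.bits[p >> 3] |= 1 << (p & 7)

    def may_have_forwarded(self, packet: bytes) -> bool:
        # Bloom filters never miss a recorded packet but can yield false positives
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(packet))

def build_packet(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4/UDP-like packet for the demo (checksum zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, 17, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def trace(routers: dict, packet: bytes) -> list:
    """Query every router's table; return the names that may have carried the packet."""
    return [name for name, table in routers.items() if table.may_have_forwarded(packet)]

def demo() -> list:
    # Constructed traffic: the attack packet crosses r1 then r2 (TTL drops by one);
    # r3 only saw unrelated traffic, so it should not appear in the trace.
    routers = {"r1": DigestTable(), "r2": DigestTable(), "r3": DigestTable()}
    evil = build_packet("198.51.100.7", "203.0.113.9", 64, b"ATTACK-PAYLOAD")
    routers["r1"].record(evil)
    routers["r2"].record(build_packet("198.51.100.7", "203.0.113.9", 63, b"ATTACK-PAYLOAD"))
    routers["r3"].record(build_packet("192.0.2.5", "203.0.113.9", 60, b"ordinary traffic"))
    return trace(routers, evil)   # returns ['r1', 'r2']
```

The masking is what makes the same packet recognisable at every hop despite the changing TTL and checksum; real deployments also time-stamp and rotate the tables, since the filter fills up and its false-positive rate grows with traffic.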
Long-Term Solutions (1)
Issues of Next-Generation Internet Protocol
• Next-generation Internet protocols will be required to deal with trust
on a non-binary basis.
• Entry-point anonymity refers to the inability to link an Internet IP address
to any human actor or organization.
• Can next-generation protocols be designed so as to increase the cost to
the attacker and decrease the cost to the defender?
• Supporting vigilant resource consumption.
• Supporting marketplace negotiation of trust versus privacy trade-offs
(trust broker).
• Next-generation Internet protocols must allow for variable levels of
trust under various attack states (situation-sensitive).
• Sufficient header space for tracking information.
Long-Term Solutions (2)
Emerging Next-Generation Security Protocols
• Internet Protocol Security (IPSec)
– Characteristics
• AH (Authentication Header)
• ESP (Encapsulating Security Payload)
• IKE (Internet Key Exchange)
– Shortfalls
• Vigilant resource consumption
• Fine-grained authentication of trust
• Situation-sensitive
• Internet Protocol Version 6 (IPv6)
– Characteristics
• IP address is 128 bits long.
• IPSec built in.
• Flexible header structure.
• Address space is enormous.