Tracking and Tracing Cyber-Attacks
Howard F. Lipson, Ph.D.
CERT® Coordination Center

Outline
• Problem with Internet Security
• Shortfalls in the Current Internet Environment
• Near-Term Solutions
• Long-Term Solutions
  – Next-Generation Internet Protocol

Problem with Internet Security (1)

Problem with Internet Security (2)

Shortfalls in the Current Internet Environment (1)
• The Internet was never designed for tracking and tracing user behavior.
  – The design focused on functionality and performance.
• The Internet was not designed to resist highly untrustworthy users.
  – Only external attack was considered.
• A packet’s source address is untrustworthy, which severely hinders tracking.
  – Attackers use IP spoofing and intermediate nodes.

Shortfalls in the Current Internet Environment (2)
• The current threat environment far exceeds the Internet’s design parameters.
  – There are more high-stakes Internet applications.
• The expertise of the average system administrator continues to decline.
• Attacks often cross multiple administrative, jurisdictional, and national boundaries.

Shortfalls in the Current Internet Environment (3)
• High-speed traffic hinders tracking.
• Tunnels impede tracking.
• Hackers destroy logs and other audit data.
• Anonymizers protect privacy by impeding tracking.
• The ability to link specific users to specific IP addresses is being lost.
• Purely defensive approaches will fail, so deterrence through tracking and tracing is crucial.

Near-Term Solutions (1)
Hop-by-Hop IP Traceback
[Figure: attacker, ISP, security broker (or edge router), victim]
• Labor-intensive
• For tracing large packet flows with spoofed source addresses
• DDoS attacks are extremely difficult to trace via this process

Near-Term Solutions (2)
CenterTrack
• Optimizes hop-by-hop IP traceback
• Steps
  – Create an overlay network (IP tunneling).
  – In the event of a DoS attack, the ISP diverts the flow of attack packets from the existing ISP network onto the overlay tracking network.
  – The attack packets can now be easily traced back, hop by hop, through the overlay network.

Near-Term Solutions (3)
Ingress Filtering or Egress Filtering
• Network ingress filtering
  – Discard all packets whose source IP addresses do not fall within the valid range of the customer’s known IP addresses.
• Network egress filtering
  – Applied by the corporate network administrator
• IETF
  – Internet Best Current Practices for the Internet Community

Near-Term Solutions (4)
Backscatter Traceback
• Steps
  – The attack is reported to an ISP.
  – The ISP configures all of its routers to reject all packets destined for the victim.
  – Rejected packets are “returned to sender.”
  – The ISP configures all of its routers to blackhole the many ICMP error packets addressed to illegitimate destination IP addresses.
  – Analysis by the blackhole machine quickly traces the attack to one or more routers at the outermost boundary of the ISP’s network.
  – The ISP removes the filter blocking the victim’s IP address from all routers except those serving as the entry points for the DDoS attack.
  – The ISP asks neighboring ISPs, upstream of the attack, to continue the trace.

Near-Term Solutions (5)
Probabilistic Approaches
• ICMP Traceback
  – ICMP traceback message
• Probabilistic Packet Marking
  – IP header

Near-Term Solutions (6)
Single-Packet IP Traceback
• In theory
  – Keep a log at each router in the Internet
    • Tamper-proof
    • Fully authenticated
  – Technically infeasible
    • Storage
    • Privacy
• Hash-Based IP Traceback
  – Packet digests
  – Reduce the storage requirement to 0.5% of the link capacity per unit of time and help privacy
  – Issues
    • Computational resources
    • Transformation information (fragmentation, tunneling) corresponding to the packet digests is stored in a transformation lookup table

Long-Term Solutions (1)
Issues of Next-Generation Internet Protocol
• Next-generation Internet protocols will be required to deal with trust on other than a binary basis.
• Entry-point anonymity refers to the inability to link an Internet IP address to any human actor or organization.
• Can next-generation protocols be designed so as to increase the cost to the attacker and decrease the cost to the defender?
• Supporting vigilant resource consumption.
• Supporting marketplace negotiation of trust versus privacy trade-offs (trust broker).
• Next-generation Internet protocols must allow for variable levels of trust under various attack states (situation-sensitive).
• Sufficient header space for tracking information.

Long-Term Solutions (2)
Emerging Next-Generation Security Protocols
• Internet Protocol Security (IPSec)
  – Characteristics
    • AH (Authentication Header)
    • ESP (Encapsulating Security Payload)
    • IKE (Internet Key Exchange)
  – Shortfalls (lacks support for)
    • Vigilant resource consumption
    • Fine-grained authentication of trust
    • Situation sensitivity
• Internet Protocol Version 6 (IPv6)
  – Characteristics
    • IP addresses are 128 bits long.
    • IPSec built in.
    • Flexible header structure.
    • Address space is enormous.
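The hash-based (packet digest) single-packet traceback from the Near-Term Solutions (6) slide, simulated as an added example that is not code from the slides or from the CERT/CC: each router keeps a Bloom filter of digests computed over hop-invariant header fields, and the victim's edge router walks upstream following routers whose filter holds the digest. The topology, router names, addresses and packets are constructed; the walk is generalised to return every candidate path, because a Bloom filter can yield false positives but never false negatives.

```python
import hashlib
from collections import defaultdict

# Constructed topology (not from the slides): router -> its upstream neighbours.
TOPOLOGY = {
    "victim_edge": ["core1", "core2"],
    "core1": ["ingress_a"],
    "core2": ["ingress_b"],
    "ingress_a": [], "ingress_b": [],
}

def packet_digest(pkt):
    """Digest over fields that do not change hop to hop. TTL and header checksum
    are left out; the first 8 payload bytes separate packets with equal headers.
    The (possibly spoofed) source address is just another hashed field: the trace
    never relies on it being truthful."""
    invariant = f"{pkt['src']}|{pkt['dst']}|{pkt['id']}|{pkt['proto']}|{pkt['payload'][:8]}"
    return hashlib.sha256(invariant.encode()).digest()

class DigestTable:
    """Bloom filter of packet digests kept by one router for one time window."""
    def __init__(self, bits=4096, k=3):
        self.bits, self.k, self.table = bits, k, bytearray(bits // 8)
    def _positions(self, digest):
        # k bit positions taken from disjoint 4-byte slices of the SHA-256 digest
        return [int.from_bytes(digest[4*i:4*i+4], "big") % self.bits for i in range(self.k)]
    def add(self, digest):
        for p in self._positions(digest):
            self.table[p // 8] |= 1 << (p % 8)
    def __contains__(self, digest):
        return all(self.table[p // 8] & (1 << (p % 8)) for p in self._positions(digest))

def forward(tables, path, pkt):
    """Every router on the path records the packet's digest as it passes through."""
    for router in path:
        tables[router].add(packet_digest(pkt))

def traceback(tables, start, digest, path=None):
    """Depth-first walk upstream from the victim's edge router, following every
    neighbour whose table contains the digest. A false positive appears as an
    extra branch, so the result is a list of candidate paths (true path included)."""
    path = (path or []) + [start]
    hits = [r for r in TOPOLOGY[start] if digest in tables[r]]
    return [path] if not hits else [p for r in hits for p in traceback(tables, r, digest, path)]

def demo():
    tables = defaultdict(DigestTable)
    # Constructed traffic: legitimate packets via ingress_b, one spoofed-source packet via ingress_a.
    for i in range(3):
        forward(tables, ["ingress_b", "core2", "victim_edge"],
                {"src": "198.51.100.7", "dst": "203.0.113.9", "id": i, "proto": 6, "payload": b"GET / HTTP/1.1"})
    spoofed = {"src": "192.0.2.1", "dst": "203.0.113.9", "id": 4242, "proto": 17, "payload": b"\x00" * 16}
    forward(tables, ["ingress_a", "core1", "victim_edge"], spoofed)
    return traceback(tables, "victim_edge", packet_digest(spoofed))

if __name__ == "__main__":
    print(demo())
```

The trace reaches ingress_a even though the packet's source address claims 192.0.2.1, which is the point of digest-based traceback; the transformation lookup table for fragmented or tunneled packets mentioned on the slide is not modelled.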