SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo

Agenda
Last time: finished brief overview of buffer-overflow attacks
Today: IP Traceback

What and Why
IP Traceback: the operation of tracing an IP packet back to its source through the network, when the source address in the packet cannot be trusted.
Why is this important and useful?
- If done properly, can be used to limit DDoS attacks
- Post-mortem analysis and investigation of other kinds of network attacks
Potential drawback?
- Can be abused by repressive regimes/organizations
Why is it difficult?
- The Internet is stateless: routers keep no record of the packets they forward
- Potentially resource-intensive, and the traceback mechanism is itself a target for DoS
- Backward compatibility (think of source routing)
- The new scheme must not itself be "spoofable" by the attacker
- The "true" identity of the attacker may still be unknown: traceback finds the host that emitted the packets, which may be a compromised machine rather than the person behind the attack

Overview of existing approaches
1. Ingress filtering
2. Input debugging
3. Controlled flooding
4. Logging
5. ICMP traceback
6. Probabilistic Packet Marking (PPM)
7. Hash-based [one of your reading assignments]

Ingress filtering
Routers block packets that arrive with illegitimate source addresses (RFC 2827 / BCP 38)
Requires the interface to be configured with a range of valid IPs
Quite feasible at the customer network edge
Drawbacks
- At a higher-level ISP, the traffic load is higher and the "valid" IP range is ambiguous
- With hundreds or thousands of customers behind one interface, one customer can forge the IP of another without much trouble
- Not all ISPs do this. Many don't: there is an administrative burden, no economic incentive (the filtering protects other networks, not the ISP's own customers), and it interferes with services that require spoofing (e.g. Mobile IP)
Input debugging
Use the "input debugging" feature of routers to do traceback
Input debugging allows operators to filter particular packets (matching some kind of signature) on an egress port and determine which ingress port they came from
Manually: call the upstream router's operator
Automatically: some ISPs have tools to do this
Drawbacks:
- Often too slow
- Management overhead
- Coordination with other ISPs is difficult, and very slow

Controlled Flooding
Selectively flood each candidate upstream link, with the help of an Internet map, and observe the attack traffic: if the rate of attack packets at the victim drops while a link is flooded, the attack traverses that link
This does not require intermediate operator intervention
Drawbacks
- This is a form of DoS itself
- Requires the map, which is itself non-trivial to build
- Poorly suited for DDoS
- Only effective for on-going attacks; cannot be used for post-mortem analysis

ICMP Traceback
Every router samples, with low probability (about 1/20,000), one of the packets it is forwarding, copies its contents into a special ICMP Traceback message, and sends that message along the path to the destination
The message contains the back link (where the packet came from), the forward link (where it is going), and authentication information
The destination then uses these messages to reconstruct the path
Drawbacks
- ICMP traffic is treated differently from normal traffic and may be filtered
- Determining the back link requires input debugging, which may not be available in some router architectures
- Requires a key-distribution architecture so that the traceback messages cannot themselves be forged
However, this is quite effective

Probabilistic Packet Marking (PPM)
Idea proposed by Burch & Cheswick
First scheme proposed by Stefan Savage et al.
We'll look at this idea in detail
PPM: Assumptions
- An attacker may generate any packet
- Multiple attackers may conspire
- Attackers are aware that they're being traced
- Packets may be lost or re-ordered
- Attackers send numerous packets
- The route between attacker(s) and receiver is fairly stable
- Routers are both CPU and memory limited
- Routers are not widely compromised
- Must be compatible with the current IP protocol

PPM: Node Append
The most basic algorithm
Each router appends its IP address to the packet
Pros: robust and quick to converge
Cons: high router overhead; interferes with MTU discovery, IP fragmentation, ...

PPM: Node Sampling
Reserve a 32-bit field in each IP packet
A router overwrites this field with its own IP with probability p
The victim receives many packets and uses the collected addresses to approximately reconstruct the path. How?
The probability that the victim receives a packet marked by the router d hops away is p(1-p)^(d-1): that router marks with probability p and none of the d-1 routers downstream of it overwrites the mark. This probability decreases with d, so ordering the addresses by how often they are seen gives the path.
We need p > 1/2: an address the attacker writes into the field itself survives unmarked with probability (1-p)^d, and it is seen less often than the farthest real router only when (1-p)^d < p(1-p)^(d-1), i.e. when 1-p < p.
Drawbacks
- Inference is a slow process
- Requires a large number of received packets, e.g. for d = 15 and p = 0.51 we need about 42,000 packets before the farthest router is "seen" at the victim
- Not effective against multiple attackers: routers at the same distance from different sources are sampled at the same rate, so their relative order is lost

PPM: Edge Sampling
Idea: sample the "edges" on the path instead of the nodes
Reserve two 32-bit fields in every packet, FROM and TO, plus one more 8-bit field called HOP
Sampling is done as follows.
Fix a probability p. For each packet it forwards, a router R does:
  choose x uniformly at random in [0, 1)
  if x < p then
     packet.FROM := R; packet.HOP := 0          (start a new edge sample)
  else
     if packet.HOP = 0 then packet.TO := R      (complete the edge started by the upstream router)
     packet.HOP := packet.HOP + 1
A packet arriving with HOP = h carries the edge (FROM, TO) that is h hops from the victim; packets with HOP = 0 were marked by the router adjacent to the victim. Chaining the edges by distance reconstructs the path.

PPM: Edge Sampling
Time to converge is dominated by the time to receive a sample from the farthest router, roughly 1/[p(1-p)^(d-1)] packets
Expected number of packets required to reconstruct the whole path is at most ln(d)/[p(1-p)^(d-1)] (a coupon-collector bound over the d edges)
Pros
- Choose p = 1/d for the optimal result (this maximizes p(1-p)^(d-1))
- In practice, choose p = 1/25, as path lengths are usually <= 25
- Single attacker: any marking written by the attacker arrives with HOP at least the length of the true attack path, because every router on the path increments HOP and none decrements it; forged edges can therefore only appear beyond the real path
- Multiple attackers: the above applies to the closest attacker
- Quite robust
Cons
- Not backward compatible (requires 72 more bits per packet)

Encoding Issues
Compressed edge fragment sampling: 3 techniques
1. Store the edge as FROM XOR TO in a single 32-bit field: the router starting a sample writes its address, and the next router XORs its own address into it. The sample arriving with distance 0 contains only the address of the router adjacent to the victim; XORing each further edge-id with the address already recovered yields the next router out.
2. Partition the edge-id into k fragments. The marking router sends one randomly chosen fragment together with its offset; the next-hop router uses the offset to XOR in the matching fragment of its own address. Over time, all fragments of all edge-ids are received.
3. XORing makes edge-ids ambiguous when several edges share a distance (multiple attackers), so the victim needs a way to validate candidates: compute a hash of the IP address, interleave it bit by bit with the address, and fragment the result. A candidate is accepted only if the hash half matches the address half.
Expected number of packets needed to reconstruct the path is k ln(kd)/[p(1-p)^(d-1)]
For instance, if k = 8, d = 10, p = 1/25, we need about 1300 packets on average
In practice: overload the 16-bit identification field of each IP packet with a 3-bit offset (k = 8), a 5-bit distance (32 hops), and an 8-bit edge fragment
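The marking rule of the edge-sampling slide and the compressed encoding of the slide after it, written out as a runnable simulation. This is an added example, not code from the lecture or from Savage et al.; it assumes truncated SHA-256 as the 32-bit hash (the scheme leaves the hash function unspecified), a distance field that saturates at 31, and a victim that gives up on a hop once the fragment candidates exceed a cap (MAX_COMBOS). The router addresses and the random values the attacker writes into the ID field are constructed inputs.

```python
"""Compressed edge-fragment sampling in the 16-bit IP ID field (single attack path)."""
import functools
import hashlib
import itertools
import math
import random

K = 8               # fragments per 64-bit edge-id (3-bit offset)
MAX_DIST = 31       # 5-bit distance field
MAX_COMBOS = 20000  # assumption: give up on a hop whose fragment combinations explode


def addr_hash(addr: int) -> int:
    # 32-bit hash of a 32-bit address. Truncated SHA-256 is an assumption of this example.
    return int.from_bytes(hashlib.sha256(addr.to_bytes(4, "big")).digest()[:4], "big")


@functools.lru_cache(maxsize=None)
def edge_id(addr: int) -> int:
    # Bit-interleave address and hash into 64 bits, so every 8-bit fragment
    # carries 4 address bits and 4 hash bits.
    h = addr_hash(addr)
    v = 0
    for i in range(32):
        v |= ((addr >> (31 - i)) & 1) << (63 - 2 * i)
        v |= ((h >> (31 - i)) & 1) << (62 - 2 * i)
    return v


def split_edge_id(v: int):
    addr = h = 0
    for i in range(32):
        addr = (addr << 1) | ((v >> (63 - 2 * i)) & 1)
        h = (h << 1) | ((v >> (62 - 2 * i)) & 1)
    return addr, h


def fragment(v: int, off: int) -> int:
    return (v >> (56 - 8 * off)) & 0xFF


def pack(off: int, dist: int, frag: int) -> int:
    return (off << 13) | (dist << 8) | frag      # 3-bit offset | 5-bit distance | 8-bit fragment


def unpack(ident: int):
    return ident >> 13, (ident >> 8) & 0x1F, ident & 0xFF


def router_mark(ident: int, addr: int, p: float, rng: random.Random) -> int:
    """One router's treatment of the ID field of one packet."""
    eid = edge_id(addr)
    if rng.random() < p:
        off = rng.randrange(K)
        return pack(off, 0, fragment(eid, off))          # start a new edge sample
    off, dist, frag = unpack(ident)
    if dist == 0:
        frag ^= fragment(eid, off)                        # complete the edge started upstream
    return pack(off, min(dist + 1, MAX_DIST), frag)       # assumption: distance saturates


def simulate(path, n_packets: int, p: float, rng: random.Random):
    """path[0] is the router next to the attacker, path[-1] the router next to the victim.
    The attacker writes random garbage into the ID field of every packet it sends."""
    received = []
    for _ in range(n_packets):
        ident = rng.randrange(1 << 16)
        for addr in path:
            ident = router_mark(ident, addr, p, rng)
        received.append(ident)
    return received


def reconstruct(received):
    """Victim side: rebuild the path from the victim outward, validating each hop by its hash."""
    cands = {}                                   # (distance, offset) -> fragment values seen
    for ident in received:
        off, dist, frag = unpack(ident)
        cands.setdefault((dist, off), set()).add(frag)
    path_from_victim = []
    prev_eid = 0                                 # distance-0 samples carry one address only
    for dist in range(MAX_DIST + 1):
        lists = [sorted(cands.get((dist, off), ())) for off in range(K)]
        if any(not lst for lst in lists) or math.prod(len(lst) for lst in lists) > MAX_COMBOS:
            break
        found = None
        for frags in itertools.product(*lists):
            v = 0
            for f in frags:
                v = (v << 8) | f
            addr, h = split_edge_id(v ^ prev_eid)    # undo the XOR with the hop already known
            if addr_hash(addr) == h:
                found = addr
                break
        if found is None:
            break
        path_from_victim.append(found)
        prev_eid = edge_id(found)
    return path_from_victim


def expected_packets(k: int, d: int, p: float) -> float:
    """Expected number of packets, k ln(kd) / [p (1-p)^(d-1)], from the slide."""
    return k * math.log(k * d) / (p * (1 - p) ** (d - 1))


if __name__ == "__main__":
    route = [0x0A000001 + i for i in range(10)]          # constructed 10-hop path
    got = reconstruct(simulate(route, 4000, 1 / 25, random.Random(1)))
    print([f"{a:08x}" for a in got], got == list(reversed(route)))
    print(f"expected packets for k=8, d=10, p=1/25: {expected_packets(8, 10, 1/25):.0f}")
```

With 4000 packets the victim recovers all ten routers even though two thirds of the packets arrive carrying the attacker's garbage; those forged values arrive with distance >= 10 and are rejected by the hash check or by the candidate cap. The cap is the crude part: with several attack paths, many edges share a distance and the number of fragment combinations grows exponentially, which is exactly the multiple-attacker weakness discussed later.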
Formalization of the Problem
b: number of extra header bits in each packet
n: number of bits used to describe a path
Investigate the tradeoff between b, convergence time, and the total number of packets needed to reconstruct the attack path(s) with high probability

Interesting Results by Micah Adler
Single-path attacks: b = 1 works!
- A protocol that needs O((2+ε)^(2n)) packets, for any ε > 0
- Showed that, for b = 1, Ω(2^n) packets are necessary
- For general b, Adler gave a protocol that uses O(b n 2^(2b) (2+ε)^(4n/2^b)) packets, and showed that Ω(2^b 2^(n/2^b)) packets are necessary
Multiple-path attacks, say k paths
- At least log(2k-1) header bits are needed, regardless of the number of packets received
- For a restricted class of attacker strategies, log(2k+1) bits are sufficient

Open Problems
- Close the upper/lower bound gap when b = 1, single-path attack
- For multiple-path attacks, there's still a lot to be done, e.g. devise protocols that work against all attacker strategies
- Computational complexity (the cost of reconstruction at the victim) has not been addressed properly
- ...

Brainstorming
What kind of information does the victim need?
Where can we store this information?
How can the routers be instructed to store this information? This is the protocol
How effective is the protocol? This requires probabilistic analysis and information-theoretic analysis
Drawbacks of PPM-related schemes?
- Requires a large number of packets
- Not an exact science
A Simple Model for Upper Bounding
Assumptions [to be relaxed later]
- Packet delivery paths form a tree rooted at the victim v
- Assume the tree is a full binary tree of depth n
- Each path (from an attacker leaf up to the victim) can be encoded as a bit string B1B2...Bn, one bit per level
- We want the routers to convey the string B1B2...Bn to the victim
Protocol idea: encode the string into the probability that the victim receives a packet whose marking bit is 1
What's the most natural way to do this?
Prob[packet with bit 1 received] = the binary number represented by B1B2...Bn divided by 2^n, i.e. B1/2 + B2/4 + ... + Bn/2^n
How do we realize this?

A Simple Protocol
Each router i knows its bit Bi
For each packet: with probability 1/2 it forwards the marking bit as it is; with probability 1/2 it sets the marking bit to Bi
Number the routers so that router 1 (adjacent to the victim) acts last. Then the probability of receiving a 1 is B1/2 + B2/4 + ... + Bn/2^n plus (original bit)/2^n, where the original bit is whatever the attacker put in the packet:
- If the original bit is 0, then p is as expected
- If the original bit is 1, then p is as expected + 1/2^n
Need to "fix" this case
Next time [I'll talk a little bit about information theory]
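The simple protocol above, as an added example that is not part of the lecture: it computes the exact probability the victim sees a 1, decodes the path from it, and shows the off-by-1/2^n error when the attacker starts the packet with a 1. The example assumes the ordering in which router 1 (adjacent to the victim) acts last, which is what makes the slide's "+ 1/2^n" come out; the path bits are constructed inputs.

```python
"""The 1/2-forward, 1/2-overwrite bit protocol on a full binary tree of depth n."""
import random
from fractions import Fraction


def path_probability(bits, attacker_bit: int = 0) -> Fraction:
    """Exact Prob[victim receives bit 1].
    bits[i-1] is B_i; router 1 (bits[0]) is adjacent to the victim and acts last."""
    q = Fraction(attacker_bit)                 # probability the marking bit is 1 so far
    for b in reversed(bits):                   # router n acts first, router 1 last
        q = Fraction(1, 2) * q + Fraction(1, 2) * b
    return q                                   # = sum B_i / 2^i + attacker_bit / 2^n


def decode_path(q, n: int):
    """Victim side: read the path bits off the (estimated) probability."""
    value = round(q * 2 ** n)                  # nearest grid point B1B2...Bn
    return [(value >> (n - 1 - i)) & 1 for i in range(n)]


def simulate(bits, attacker_bit: int, n_packets: int, rng: random.Random) -> Fraction:
    """Monte Carlo run of the protocol; returns the observed fraction of 1 bits."""
    ones = 0
    for _ in range(n_packets):
        bit = attacker_bit
        for b in reversed(bits):               # router n acts first, router 1 last
            if rng.random() < 0.5:
                bit = b                        # overwrite with own bit, else forward as is
        ones += bit
    return Fraction(ones, n_packets)


if __name__ == "__main__":
    path = [1, 0, 1, 1]                        # constructed path, n = 4
    for attacker_bit in (0, 1):
        q = path_probability(path, attacker_bit)
        print(f"attacker bit {attacker_bit}: Prob[1] = {q}, decoded {decode_path(q, 4)}")
    est = simulate(path, 0, 20000, random.Random(7))
    print(f"estimate from 20000 packets: {float(est):.4f}, decoded {decode_path(est, 4)}")
```

With the attacker's bit set to 0 the probability is 11/16 and decodes to 1011; with the attacker's bit set to 1 it becomes 12/16 and decodes to 1100, the wrong path, which is the case the slide says still needs fixing. The Monte Carlo run also shows the cost of this encoding: resolving grid points 1/2^n apart from a Bernoulli estimate needs on the order of 4^n packets, which is where the exponential packet counts in Adler's results come from.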