Agenda

Last time: finished brief overview of buffer-overflow attacks
Today: IP Traceback
SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo
What and Why

IP Traceback: the operation of tracing the source of an IP packet

Why is this important and useful?
- If done properly, it can be used to limit DDoS attacks
- Post-mortem analysis and investigation of other kinds of network attacks

Potential drawback?
- Abuse by repressive regimes or organizations

Why is it difficult?
- Potentially resource-intensive, and therefore a DoS target itself
- The Internet is stateless: routers keep no record of the packets they forward
- Backward compatibility (think of source routing)
- The new scheme must itself resist being "spoofed"
- Even after a correct traceback, the "true" identity of the attacker may still be unknown (traceback finds the sending hosts, not who controls them)
Overview of existing approaches

1. Ingress filtering
2. Input debugging
3. Controlled flooding
4. Logging
5. ICMP traceback
6. Probabilistic Packet Marking (PPM)
7. Hash-based [one of your reading assignments]
Ingress filtering

Routers block packets that arrive with illegitimate source addresses (RFC 2827 / BCP 38)
- Requires the interface to be configured with the range of source IPs that are valid for the networks behind it
- Quite feasible at the customer network edge

Drawbacks
- At a higher-level ISP the traffic load is higher and the "valid" IP range is ambiguous
- With hundreds or thousands of customers behind one interface, one customer can forge the IP of another without much trouble
- Not all ISPs do this. Many don't because of the administrative burden, the lack of economic incentive, and interference with services that require spoofing (Mobile IP)
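As an added illustration (not part of the lecture), the following Python simulates the ingress-filter check on two constructed routers: an edge router with one interface per customer, and an upstream aggregation router where both customers share a single link. The interface names, prefixes and the three sample packets are made up for the example; the point is that the same spoofed packet is caught at the edge and passes one level up.

```python
import ipaddress

# Constructed topology (assumption, not from the lecture). Each interface maps to
# the prefixes that may legitimately appear as a SOURCE address on that interface.
EDGE_ROUTER = {                                    # one interface per customer
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],     # customer A
    "eth2": [ipaddress.ip_network("198.51.100.0/24")],    # customer B
}
AGGREGATION_ROUTER = {                             # upstream ISP: one link, many customers
    "eth0": [ipaddress.ip_network("203.0.113.0/24"),
             ipaddress.ip_network("198.51.100.0/24")],
}

def ingress_allowed(acl, iface, src):
    """BCP 38 check: the source address must fall inside a prefix that is
    legitimately reachable via the interface the packet arrived on."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl.get(iface, []))

def filter_packets(acl, packets):
    """packets: iterable of (iface, src, dst). Returns (passed, dropped)."""
    passed, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (passed if ingress_allowed(acl, iface, src) else dropped).append(pkt)
    return passed, dropped

# Constructed traffic: three packets sent by a host of customer A towards a victim.
VICTIM = "192.0.2.1"
TRAFFIC_FROM_A = [
    ("203.0.113.10", VICTIM),    # genuine source
    ("198.51.100.7", VICTIM),    # spoofing customer B
    ("172.16.5.5", VICTIM),      # spoofing an unrelated (here: private) address
]

def at_edge():
    """Customer A's packets arrive on the edge router's per-customer interface."""
    return filter_packets(EDGE_ROUTER, [("eth1", s, d) for s, d in TRAFFIC_FROM_A])

def at_aggregation():
    """If the edge router does not filter, the same packets reach the upstream ISP
    on a shared interface where both customers' prefixes are valid sources."""
    return filter_packets(AGGREGATION_ROUTER, [("eth0", s, d) for s, d in TRAFFIC_FROM_A])

if __name__ == "__main__":
    for name, fn in (("edge", at_edge), ("aggregation", at_aggregation)):
        passed, dropped = fn()
        print(f"{name}: passed={[p[1] for p in passed]} dropped={[p[1] for p in dropped]}")
```

At the edge only the genuine packet survives; at the aggregation router the packet spoofing customer B is indistinguishable from B's own traffic, which is the ambiguity the slide describes.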
Input debugging

Use the "input debugging" feature of routers to do traceback
- Input debugging lets operators filter particular packets (matching some kind of signature) on an egress port and determine which ingress port they came from
- Manually: call the operator of the upstream router and repeat, hop by hop
- Automatically: some ISPs have tools to do this within their own network

Drawbacks
- Often too slow
- Management overhead
- Coordination with other ISPs is difficult, and very slow
Controlled Flooding

- Selectively flood a link to observe the attack traffic, with the help of some Internet map: if the attack traffic arriving at the victim is perturbed, the attack path passes through the flooded link
- Does not require intermediate operator intervention

Drawbacks
- This is a form of DoS itself
- Requires the map, which is itself non-trivial to obtain
- Poorly suited for DDoS
- Only effective for on-going attacks; cannot be used for post-mortem analysis
ICMP Traceback

- Every router samples, with low probability (1/20K), one of the packets it is forwarding
- It copies the content into a special ICMP traceback message sent along the path to the destination, containing: back link, forward link, authentication, ...
- The destination then uses this information to do the traceback

Drawbacks
- ICMP traffic is treated differently from other traffic and may be filtered
- Requires input debugging, which may not be available in some router architectures
- Requires a key-distribution architecture so that the traceback messages cannot themselves be forged

However, this is quite effective
Probabilistic Packet Marking (PPM)

- Idea proposed by Burch & Cheswick
- First scheme proposed by Stefan Savage et al.
- We'll look at this idea in detail
PPM: Assumptions

- An attacker may generate any packet
- Multiple attackers may conspire
- Attackers are aware that they're being traced
- Packets may be lost or re-ordered
- Attackers send numerous packets
- The route between attacker(s) and receiver is fairly stable
- Routers are both CPU and memory limited
- Routers are not widely compromised
- Compatible with the current IP protocol
PPM: Node Append

- The most basic algorithm
- Each router appends its IP address to the packet (a record route)

Pros:
- Robust and quick to converge (a single packet carries the whole path)

Cons:
- High router overhead
- Interferes with MTU discovery, IP fragmentation, ...
PPM: Node Sampling

- Reserve one 32-bit field in each IP packet
- Each router overwrites this field with its own IP address with probability p
- The victim receives many packets and uses the collected marks to approximately reconstruct the path. How?
  - The probability that the mark of a router d hops away survives to the victim is p(1-p)^(d-1)
  - p should be > 1/2: a mark forged by the attacker survives all d routers with probability (1-p)^d, which is smaller than p(1-p)^(d-1) exactly when p > 1/2, so forged marks always rank below the furthest real router
  - This probability is monotonically decreasing in d, so the victim can order the routers by the frequency of their IPs and reconstruct the path towards the destination

Drawbacks
- Inference is a slow process
- Requires a sufficient number of received packets, e.g. for d = 15 and p = 0.51 about 42,000 packets are needed before the furthest router is "seen" at the victim
- Not effective against multiple attackers: routers at the same distance from different sources are sampled at the same rate, so their order cannot be told apart
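Added example, not from the lecture: a Python simulation of node sampling with a single attacker, an attacker-forged mark, and two attackers whose paths join at a shared router. Router names, the path lengths, p and the packet counts are arbitrary choices made for the example.

```python
import random

def node_sampling_forward(path, p, rng, field=None):
    """Forward one packet along `path` (router IDs, attacker side first, the router
    next to the victim last). Each router overwrites the 32-bit mark field with its
    own ID with probability p. `field` is whatever the attacker put there initially."""
    for router in path:
        if rng.random() < p:
            field = router
    return field

def simulate(paths, p, n_packets, seed=1, attacker_field=None):
    """Victim side: count how often each mark value arrives. With several attackers
    (several paths), packets are taken from the paths in turn."""
    rng = random.Random(seed)
    counts = {}
    for i in range(n_packets):
        mark = node_sampling_forward(paths[i % len(paths)], p, rng, attacker_field)
        if mark is not None:
            counts[mark] = counts.get(mark, 0) + 1
    return counts

def rank_by_frequency(counts):
    """Reconstruction: the most frequent mark belongs to the nearest router, because
    the survival probability p(1-p)^(d-1) decreases with the distance d."""
    return [r for r, _ in sorted(counts.items(), key=lambda kv: kv[1], reverse=True)]

def survival_probability(p, d):
    """P[the mark of the router d hops away reaches the victim]."""
    return p * (1 - p) ** (d - 1)

def expected_packets_until_seen(p, d):
    """Packets needed on average before the router d hops away is seen once."""
    return 1.0 / survival_probability(p, d)

def forged_mark_survival(p, d):
    """A mark the attacker wrote survives only if none of the d routers overwrites
    it: (1-p)^d. It is rarer than the furthest router's mark exactly when p > 1/2."""
    return (1 - p) ** d

if __name__ == "__main__":
    path = ["R5", "R4", "R3", "R2", "R1"]           # R1 is adjacent to the victim
    counts = simulate([path], 0.6, 50000, attacker_field="FORGED")
    print(rank_by_frequency(counts), counts)
    print(f"d=15, p=0.51: about {expected_packets_until_seen(0.51, 15):.0f} packets")
    # two attackers: A2 and B2 are both 2 hops away and are sampled at the same rate
    two = simulate([["A3", "A2", "S1"], ["B3", "B2", "S1"]], 0.6, 40000, seed=2)
    print(rank_by_frequency(two), two)
```

With p = 0.6 the forged mark ranks last, as the p > 1/2 argument predicts; with p = 0.4 the same formulas show it would outrank the furthest real router. In the two-attacker run the counts for A2 and B2 are statistically identical, so frequency ranking alone cannot say which of them precedes the other on "the" path.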
PPM: Edge Sampling

Idea: sample the "edges" on the path instead of the nodes:
- Reserve two 32-bit fields in every packet, FROM (start of the edge) and TO (end of the edge)
- One more field (8 bits) called HOP (distance of the edge from the victim)
- Sampling is done as follows. Fix a probability p; each router runs, for every packet:

    Choose x at random in [0, 1)
    If x < p then
        write own IP into packet.FROM
        packet.HOP := 0
    Else
        if packet.HOP = 0 then
            write own IP into packet.TO
        packet.HOP++

(The reset of HOP to 0 when a router starts a sample is essential: it is what lets the next router recognise that it must fill in TO, and what makes the value of HOP at the victim equal to the distance of the sampled edge.)
PPM: Edge Sampling

- Time to converge is dominated by the time to receive a sample from the furthest router, roughly 1/[p(1-p)^(d-1)] packets
- The expected number of packets required to reconstruct the whole path is at most ln(d)/[p(1-p)^(d-1)]

Pros
- Choose p = 1/d for the optimal result (but d is not known in advance)
- In practice, choose p = 1/25 (as path lengths are often <= 25)
- Single attacker: any mark written by the attacker will necessarily arrive with a distance at least the length of the true attack path, because every router on the path increments HOP; forged edges can only appear beyond the true path
- Multiple attackers: the above applies to the closest attacker
- Quite robust

Cons
- Not backward compatible (requires 72 extra bits per packet: two 32-bit address fields plus the 8-bit hop count)
Encoding Issues

Compress the edge sample into fewer bits: 3 techniques
- XOR: instead of two addresses the packet carries one 32-bit value. The sampling router writes its address; the next router XORs its own address into the same field, so the field holds FROM XOR TO (an "edge ID"). The victim recovers the addresses one hop at a time by XORing each edge ID with the router already known at the previous distance
- Fragmentation: partition the edge ID into k fragments; a router sends one fragment along with its fragment offset, and the next-hop router uses the offset to XOR in the matching fragment of its own address. Over time, all fragments of all edge IDs are received
- Hashing: XORing makes edge IDs non-unique when fragments of different edges are combined, so compute a hash of the IP address, interleave it bit by bit with the actual address, then fragment the result; the victim uses the hash to reject incorrect fragment combinations

Expected number of packets needed to reconstruct the path is k ln(kd)/[p(1-p)^(d-1)]
- For instance, if k = 8, d = 10, p = 1/25, then about 1300 packets are needed on average

In practice: overload the 16-bit identification field in each IP packet with a 3-bit offset (k = 8), a 5-bit distance (32 hops) and an 8-bit edge fragment
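The edge-sampling procedure from the previous slides together with the three compression techniques above, as one added example (not the lecture's code and not Savage et al.'s implementation): a Python simulation of compressed edge sampling in a 16-bit field, with the marking procedure run by every router, an attacker that either leaves an arbitrary IP ID or pre-marks packets as a fake router, and the victim-side reconstruction. CRC-32 is assumed for the 32-bit hash; the router addresses, p = 1/25 and the packet counts are constructed for the example.

```python
import random
import zlib
from collections import defaultdict
from functools import lru_cache
from itertools import product

# Header budget from the lecture: 3-bit offset (k = 8), 5-bit distance, 8-bit fragment.
K, FRAG_BITS, MAX_DIST = 8, 8, 31

def hash32(addr):
    # Assumption: CRC-32 stands in for the 32-bit hash of the router address.
    return zlib.crc32(addr.to_bytes(4, "big")) & 0xFFFFFFFF

def interleave(addr, h):
    """Bit-interleave the 32-bit address with its 32-bit hash into 64 bits."""
    r = 0
    for i in range(32):
        r |= ((addr >> i) & 1) << (2 * i) | ((h >> i) & 1) << (2 * i + 1)
    return r

def deinterleave(r):
    addr = h = 0
    for i in range(32):
        addr |= ((r >> (2 * i)) & 1) << i
        h |= ((r >> (2 * i + 1)) & 1) << i
    return addr, h

@lru_cache(maxsize=None)
def node_id(addr):
    return interleave(addr, hash32(addr))

def fragment(node, o):
    return (node >> (FRAG_BITS * o)) & 0xFF

def pack(offset, dist, frag):          # 3 + 5 + 8 bits = one IP identification field
    return (offset << 13) | (dist << 8) | frag

def unpack(field):
    return field >> 13, (field >> 8) & 0x1F, field & 0xFF

def mark(router, field, p, rng):
    """One router's marking procedure for one packet."""
    o, dist, frag = unpack(field)
    if rng.random() < p:                   # start a new edge sample at this router
        o = rng.randrange(K)
        return pack(o, 0, fragment(node_id(router), o))
    if dist == 0:                          # we are the near end of a fresh sample
        frag ^= fragment(node_id(router), o)
    return pack(o, min(dist + 1, MAX_DIST), frag)

def send_packets(path, n, p, rng, forge=None):
    """path: router addresses from the attacker towards the victim (nearest last).
    Without `forge` the attacker leaves an arbitrary IP ID in each packet; with it,
    every packet is pre-marked as if a router with address `forge` had just sampled."""
    fields = []
    for _ in range(n):
        if forge is None:
            field = rng.randrange(1 << 16)
        else:
            o = rng.randrange(K)
            field = pack(o, 0, fragment(node_id(forge), o))
        for router in path:
            field = mark(router, field, p, rng)
        fields.append(field)
    return fields

def reconstruct(fields, max_candidates=4096):
    """Victim: rebuild the path (nearest router first) from the marks received."""
    frags = defaultdict(lambda: defaultdict(set))   # distance -> offset -> {fragment}
    for f in fields:
        o, dist, frag = unpack(f)
        frags[dist][o].add(frag)
    path, prev = [], 0                     # prev: node ID one hop nearer the victim
    for dist in range(MAX_DIST + 1):
        per_offset = [sorted(frags[dist][o]) for o in range(K)]
        n_cand = 1
        for s in per_offset:
            n_cand *= len(s)
        if n_cand == 0 or n_cand > max_candidates:
            break                          # edge incomplete, or too much noise to enumerate
        for combo in product(*per_offset):
            edge = sum(fr << (FRAG_BITS * o) for o, fr in enumerate(combo))
            node = edge ^ prev             # edge ID = far node XOR near node
            addr, h = deinterleave(node)
            if hash32(addr) == h:          # hash check rejects wrong fragment combinations
                path.append(addr)
                prev = node
                break
        else:
            break                          # nothing verified at this distance: stop
    return path

def run_demo(n_packets=20000, forge=None, seed=7):
    """Ten routers 10.0.0.10 (next to the attacker) ... 10.0.0.1 (next to the victim)."""
    path = [0x0A000000 + i for i in range(10, 0, -1)]
    rec = reconstruct(send_packets(path, n_packets, 1 / 25, random.Random(seed), forge))
    return path, rec

if __name__ == "__main__":
    for forge in (None, 0xC0A80101):
        print(forge, [hex(a) for a in run_demo(forge=forge)[1]])
```

With an arbitrary IP ID the attacker's packets reach the victim with distance >= 10 and too many distinct fragment values to enumerate, so reconstruction stops exactly at the true path. With `forge` set, the fake router does show up, but only after all ten genuine hops: every router on the path increments the distance field, which is the "distance at least the true path length" property from the previous slide.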
Formalization of the Problem

- b: number of extra header bits in each packet
- n: number of bits used to describe a path
- Investigate the tradeoff between b, convergence time, and the total number of packets needed to reconstruct the attack path(s) with high probability
Interesting Results by Micah Adler

Single path attacks:
- b = 1 works! Requires Θ((2+ε)^(2n)) packets, for any ε > 0
- Showed that, for b = 1, Ω(2^n) packets are necessary
- For general b, Adler gave a protocol that uses O(b n^2 2^b (2+ε)^(4n/2^b)) packets, and showed that Ω(2^b 2^(n/2^b)) packets are necessary

Multiple path attacks, say k paths:
- At least log(2k-1) header bits are needed [regardless of the number of received packets]
- For a restricted class of attacker strategies, log(2k+1) bits are sufficient
Open Problems

- Close the gap between the upper and lower bounds for b = 1, single path attack
- For multiple path attacks there's still a lot to be done, e.g.
  - Devise protocols for all attacker strategies
  - Computational complexity has not been addressed properly
  - ...
Brainstorming

- What kind of information does the victim need?
- Where can we store this information?
- How can the routers be instructed to store this information?
  - This is the protocol
- How effective is the protocol? This requires probabilistic analysis and information-theoretic analysis
- Drawbacks of PPM-related schemes?
  - Requires a large number of packets
  - Not an exact science
A Simple Model for Upper Bounding

Assumptions [to be relaxed later]
- Packet delivery paths form a tree rooted at the victim v
- Assume the tree is a full binary tree of depth n
- Each path (leaf to root) can then be encoded by a string B1B2...Bn, one bit per branching decision
- We want the routers to send the victim the string B1B2...Bn using a single header bit

Protocol
- Idea: encode the string into the probability that the victim receives a bit-1 packet
- What's the most natural way to do this?
- Prob[packet with bit 1 received] = the binary number represented by B1B2...Bn divided by 2^n, i.e. (B1 2^(n-1) + B2 2^(n-2) + ... + Bn) / 2^n = Σ_{i=1..n} B_i / 2^i
- How do we realize this?
A Simple Protocol

- Each router knows its bit Bi (router i is i hops from the victim, so a packet passes router n first and router 1 last)
- With probability 1/2, it forwards the bit as it is
- With probability 1/2, it sets the bit to Bi
- The bit the victim sees is therefore B1 with probability 1/2, B2 with probability 1/4, ..., Bn with probability 1/2^n, and the bit the attacker originally sent with probability 1/2^n
- If the original bit is 0, then p is as expected
- If the original bit is 1, then p is as expected + 1/2^n
  - Need to "fix" this case
- Next time [I'll talk a little bit about information theory]
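Added example (not part of the lecture): the one-bit protocol above carried through exactly with Python fractions, plus a Monte Carlo estimate of the same probability, showing the +1/2^n bias and the ambiguity it creates between two different paths. The path bits used are an arbitrary choice.

```python
import random
from fractions import Fraction

def prob_bit_one(bits, original):
    """Exact P[victim receives bit 1]. bits[i-1] = B_i belongs to the router i hops
    from the victim; `original` is the bit the attacker sent."""
    n = len(bits)
    return sum(Fraction(b, 2 ** i) for i, b in enumerate(bits, 1)) + Fraction(original, 2 ** n)

def forward(bits, original, rng):
    """One packet: the farthest router (B_n) acts first, the nearest (B_1) last;
    each router keeps the incoming bit with probability 1/2, otherwise writes its own."""
    bit = original
    for b in reversed(bits):
        if rng.random() < 0.5:
            bit = b
    return bit

def estimate(bits, original, n_packets, seed=0):
    """Victim's empirical frequency of bit-1 packets."""
    rng = random.Random(seed)
    return sum(forward(bits, original, rng) for _ in range(n_packets)) / n_packets

def decode(prob, n):
    """Victim: B1..Bn are the first n binary digits of prob (rounded to 1/2^n)."""
    x = round(Fraction(prob) * 2 ** n)
    return [(x >> (n - i)) & 1 for i in range(1, n + 1)]

def colliding_path(bits):
    """The path that an attacker sending original bit 1 along `bits` becomes
    indistinguishable from (same probability with original bit 0), or None."""
    n = len(bits)
    x = int("".join(map(str, bits)), 2) + 1
    return None if x >= 2 ** n else [(x >> (n - i)) & 1 for i in range(1, n + 1)]

if __name__ == "__main__":
    bits = [1, 0, 1, 1]
    for original in (0, 1):
        p = prob_bit_one(bits, original)
        print(original, p, decode(p, len(bits)), estimate(bits, original, 20000))
    print("collides with", colliding_path(bits))
```

For B = 1011 and original bit 0 the exact probability is 11/16 and decoding returns the path; with original bit 1 it is 12/16, which decodes to 1100, i.e. the attacker can make its path look like a different leaf of the tree. That is the case the slide says must be fixed.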