CSC 774 -- Network Security Trace Back Overview

advertisement
Computer Science
CSC 774 -- Network Security
Topic 4.2: IP Trace Back
Dr. Peng Ning
CSC 774 Network Security
1
Trace Back Overview
• Why do we need trace back?
– Stop the attacker at the source
– Hold the attacker accountable
Computer Science
Dr. Peng Ning
CSC 774 Network Security
2
Trace Back Overview (Cont’d)
• Classification
– IP trace back
• IP layer
– Trace back through stepping stones
• Transport/application layer
Computer Science
Dr. Peng Ning
CSC 774 Network Security
3
IP Trace Back
Internet
Victim
DOS Attacks
Attacker
Computer Science
Dr. Peng Ning
CSC 774 Network Security
4
Trace Back through Stepping Stones
DOS
SSH
TELNET
RSH
SSH
Computer Science
Dr. Peng Ning
CSC 774 Network Security
5
Approaches for IP Traceback
• Ingress filtering
– Block the packets with illegitimate source addresses
– Has to examine every packet
– The router must have sufficient knowledge
• Not feasible for traffic aggregated from multiple ISPs
– Requires widespread deployment.
– DOS attacks are still possible with a customer network.
DOS Attacks
Attacker
Victim
Packet filter
Computer Science
Dr. Peng Ning
CSC 774 Network Security
6
Approaches for IP Track Back (Cont’d)
• Link Testing
– Input debugging
• Considerable management overhead
• Only for ongoing attacks
1. signature
DOS Attacks
Attacker
4. signature
Victim
7. signature
2.
deploy
signature
5. deploy signature
3. Find input port
6. Find input port
Computer Science
Dr. Peng Ning
CSC 774 Network Security
7
Approaches for IP Trace Back (Cont’d)
• Link Testing
– Controlled flooding
•
•
•
•
•
Upstream router iteratively floods each in coming link
Observe change received from the attacker
It is a DOS attack itself
Require accurate topology map
1. notification
Unable to trace distributed DOS attacks
DOS Attacks
Attacker
5. notification
4. Controlled
flooding
Computer Science
Dr. Peng Ning
3. notification
Victim
2. Controlled flooding
CSC 774 Network Security
8
Approaches for IP Trace Back (Cont’d)
• Logging
– Log packets at key routers
– Use data mining techniques to determine the attack
path
– Only work after the attack
– Storage requirement
– Database integration problem
Computer Science
Dr. Peng Ning
CSC 774 Network Security
9
Approaches for IP Trace Back (Cont’d)
• ICMP trace back
– Every router sample with low probability the
forwarded packet.
– Send selected information to the source or the
destination in an ICMP traceback message.
• Forward or backward link
– Victim reconstructs the attack path using the above
information
– May be filtered out.
– Requires authentication, and thus key distribution.
Computer Science
Dr. Peng Ning
CSC 774 Network Security
10
Approaches for IP Trace Back (Cont’d)
• Probabilistic packet marking
– Probabilistically mark the packets with the routers’
addresses
– Reconstruct the attack path using these addresses
• Potential advantages
– No interactive cooperation Æ little management
overhead
– No significant additional network traffic
– Can be used both during and after attacks
– Low overhead on routers.
Computer Science
Dr. Peng Ning
CSC 774 Network Security
11
Probabilistic Packet Marking
• Our discussion is limited to
– “Practical Network Support for IP Traceback” by
Stefan Savage, et al.
Computer Science
Dr. Peng Ning
CSC 774 Network Security
12
Probabilistic Packet Marking (Cont’d)
• Attack path from Ai
– The unique ordered list of routers
between Ai and V
• The problem
– Exact traceback
• Difficult, since the attacker may send
false information.
– Approximate traceback
• Find the attack path that contains the
true attack path as a suffix
– Marking procedure
– Reconstruction procedure
– Convergence time
Computer Science
Dr. Peng Ning
A1
A2
R5
A3
R6
R3
R7
R4
R2
R1
V
CSC 774 Network Security
13
Assumptions
•
•
•
•
•
•
•
•
An attacker may generate any packet
Multiple attackers may conspire
Attackers may be aware they are being traced
Packets may be lost or reordered
Attackers send numerous packets
The route between attacker and victim is fairly stable
Routers are both CPU and memory limited
Routers are not widely compromised
Computer Science
Dr. Peng Ning
CSC 774 Network Security
14
Marking Algorithm (1)
• Node Append
– At each router R
• For each packet w, append R to w
– At victim v
• For any packet w from attacker
– Extract path (Ri…Rj) from the suffix of w
• Problems
– High router overhead
– Unbounded space requirement in the packets
• Any reserved space may be filled up by the attacker.
Computer Science
Dr. Peng Ning
CSC 774 Network Security
15
Marking Algorithm (2)
• Node Sampling
– Reserve one node field in the packet header
– At each router R
• For each packet w, write R into w.node with probability p
– At victim v
• The order of the routers is not preserved in the
order of received packets.
• How to construct an ordered path?
Computer Science
Dr. Peng Ning
CSC 774 Network Security
16
Node Sampling (Cont’d)
• Assume all routers mark their
addresses with equal
probability p.
• What’s the probability that v
receives a packet marked by a
router d hops away?
A1
A2
R5
R6
R3
– ____________
R7
R4
R2
• Observation:
R1
– The farther away R is, the less
chance v receives packets marked
by R.
Computer Science
A3
Dr. Peng Ning
V
CSC 774 Network Security
17
Node Sampling (Cont’d)
• Reconstruction procedure at victim v
– Count the number of packets marked by each
router
– Sort the routers by this count in increasing order
– The ordered router list Æ attack path.
• Limitations
– Slow convergence
• d =15 and p=0.51 Æ need 42,000 packets
– Cannot deal with multiple attackers
Computer Science
Dr. Peng Ning
CSC 774 Network Security
18
Marking Algorithm (3)
• Edge Sampling
– Idea: put edge instead of node into the packets
– Reserve start, end, and distance fields in packet
header
• (start, end): the marked edge (link)
• distance: the distance from start to the victim
Computer Science
Dr. Peng Ning
CSC 774 Network Security
19
Edge Sampling (Cont’d)
• At each router R
– For each packet w
• With probability p, write R into w.start and 0 into
w.distance
• If R doesn’t write w.start
– If w.distance = 0 (i.e., the previous router just
marked start), write R into w.end
– Increment w.distance
Computer Science
Dr. Peng Ning
CSC 774 Network Security
20
Edge Sampling (Cont’d)
• At victim v
– Let G be a tree with root v
– Let edges in G be tuples (start, end, distance)
– For each packet w from attacker
• If w.distance = 0 then
– Insert (w.start, v, 0) into G
• Else
– Insert edge (w.start, w.end, w.distance) into G
– Remove edges (x, y, d) with d ≠ distance from x to v in G
• Remove inconsistent edges.
– Extract path (Ri, …, Rj) by listing acyclic paths in G.
Computer Science
Dr. Peng Ning
CSC 774 Network Security
21
Edge Sampling (Cont’d)
• effectiveness
– Can discern multiple attackers
– Robust: impossible for any edge closer than the
closest attacker to be spoofed
– Number of packets needed to reconstruct all paths
is linear in the number of attackers.
• Limitations
– Require additional space in IP packet header
– Two 32 bit IP addresses + 8 bit distance Æ 72 bits
Computer Science
Dr. Peng Ning
CSC 774 Network Security
22
Encoding
• Problem:
– Where to save the edge samples?
• Idea
– compress the edge sample and store it in the
identification field (16 bits for fragmentation)
• Three techniques
Computer Science
Dr. Peng Ning
CSC 774 Network Security
23
Encoding (Cont’d)
• Technique 1: Send XOR of the two nodes of an edge.
Routers in path Marked packets
Edge id
a
⊕
a⊕b
a⊕b
b
b⊕c
⊕
b⊕c
c⊕d
⊕
c
⊕
⊕
d
victim
⊕
c⊕d
d
Computer Science
a
b
c
d
Dr. Peng Ning
CSC 774 Network Security
24
Encoding (Cont’d)
• Technique 2: reduce per-packet space
requirement by splitting each edge-id into k
fragments.
– Each fragment is associated with 32/k bit data +
log2k bit offset
– Reconstruct fragments with the same distance
• Doesn’t work if there are multiple attack paths.
Computer Science
Dr. Peng Ning
CSC 774 Network Security
25
Encoding (Cont’d)
• Technique 3: Interleaving edge-id and its hash and
then fragment
Edge id
Hash (Edge id)
Bit interleave
k-1
0
Computer Science
Dr. Peng Ning
CSC 774 Network Security
26
Encoding (Cont’d)
• Techniques 3 (Cont’d): reconstruction
Combine k fragments
k-1
0
Bit interleave
Edge id
Hash (Edge id)
Y: accept
=?
Hash
Computer Science
N: reject
Dr. Peng Ning
CSC 774 Network Security
27
Further Reading
• Dawn Song, Adrian Perrig: Advanced and Authenticatd
Marking Schemes for IP Traceback, IEEE Infocom 2001
• Heejo Lee, Kihong Park: On the Effectiveness of Probabilistic
Packet Marking for IP Traceback under Denial of Service
Attack. INFOCOM 2001: 338-347
• Tao Peng, Christopher Leckie, Kotagiri Ramamohanarao:
Adjusted Probabilistic Packet Marking for IP Traceback.
NETWORKING 2002: 697-708
• Micah Adler: Tradeoffs in probabilistic packet marking for IP
traceback. STOC 2002: 407-418
• Michael T. Goodrich: Efficient packet marking for large-scale
IP traceback, ACM CCS 2002.
Computer Science
Dr. Peng Ning
CSC 774 Network Security
28
Download