Computer Science CSC 774 -- Network Security Topic 4.2: IP Trace Back Dr. Peng Ning CSC 774 Network Security 1 Trace Back Overview • Why do we need trace back? – Stop the attacker at the source – Hold the attacker accountable Computer Science Dr. Peng Ning CSC 774 Network Security 2 Trace Back Overview (Cont’d) • Classification – IP trace back • IP layer – Trace back through stepping stones • Transport/application layer Computer Science Dr. Peng Ning CSC 774 Network Security 3 IP Trace Back Internet Victim DOS Attacks Attacker Computer Science Dr. Peng Ning CSC 774 Network Security 4 Trace Back through Stepping Stones DOS SSH TELNET RSH SSH Computer Science Dr. Peng Ning CSC 774 Network Security 5 Approaches for IP Traceback • Ingress filtering – Block the packets with illegitimate source addresses – Has to examine every packet – The router must have sufficient knowledge • Not feasible for traffic aggregated from multiple ISPs – Requires widespread deployment. – DOS attacks are still possible with a customer network. DOS Attacks Attacker Victim Packet filter Computer Science Dr. Peng Ning CSC 774 Network Security 6 Approaches for IP Track Back (Cont’d) • Link Testing – Input debugging • Considerable management overhead • Only for ongoing attacks 1. signature DOS Attacks Attacker 4. signature Victim 7. signature 2. deploy signature 5. deploy signature 3. Find input port 6. Find input port Computer Science Dr. Peng Ning CSC 774 Network Security 7 Approaches for IP Trace Back (Cont’d) • Link Testing – Controlled flooding • • • • • Upstream router iteratively floods each in coming link Observe change received from the attacker It is a DOS attack itself Require accurate topology map 1. notification Unable to trace distributed DOS attacks DOS Attacks Attacker 5. notification 4. Controlled flooding Computer Science Dr. Peng Ning 3. notification Victim 2. Controlled flooding CSC 774 Network Security 8 Approaches for IP Trace Back (Cont’d) • Logging – Log packets at key routers – Use data mining techniques to determine the attack path – Only work after the attack – Storage requirement – Database integration problem Computer Science Dr. Peng Ning CSC 774 Network Security 9 Approaches for IP Trace Back (Cont’d) • ICMP trace back – Every router sample with low probability the forwarded packet. – Send selected information to the source or the destination in an ICMP traceback message. • Forward or backward link – Victim reconstructs the attack path using the above information – May be filtered out. – Requires authentication, and thus key distribution. Computer Science Dr. Peng Ning CSC 774 Network Security 10 Approaches for IP Trace Back (Cont’d) • Probabilistic packet marking – Probabilistically mark the packets with the routers’ addresses – Reconstruct the attack path using these addresses • Potential advantages – No interactive cooperation Æ little management overhead – No significant additional network traffic – Can be used both during and after attacks – Low overhead on routers. Computer Science Dr. Peng Ning CSC 774 Network Security 11 Probabilistic Packet Marking • Our discussion is limited to – “Practical Network Support for IP Traceback” by Stefan Savage, et al. Computer Science Dr. Peng Ning CSC 774 Network Security 12 Probabilistic Packet Marking (Cont’d) • Attack path from Ai – The unique ordered list of routers between Ai and V • The problem – Exact traceback • Difficult, since the attacker may send false information. – Approximate traceback • Find the attack path that contains the true attack path as a suffix – Marking procedure – Reconstruction procedure – Convergence time Computer Science Dr. Peng Ning A1 A2 R5 A3 R6 R3 R7 R4 R2 R1 V CSC 774 Network Security 13 Assumptions • • • • • • • • An attacker may generate any packet Multiple attackers may conspire Attackers may be aware they are being traced Packets may be lost or reordered Attackers send numerous packets The route between attacker and victim is fairly stable Routers are both CPU and memory limited Routers are not widely compromised Computer Science Dr. Peng Ning CSC 774 Network Security 14 Marking Algorithm (1) • Node Append – At each router R • For each packet w, append R to w – At victim v • For any packet w from attacker – Extract path (Ri…Rj) from the suffix of w • Problems – High router overhead – Unbounded space requirement in the packets • Any reserved space may be filled up by the attacker. Computer Science Dr. Peng Ning CSC 774 Network Security 15 Marking Algorithm (2) • Node Sampling – Reserve one node field in the packet header – At each router R • For each packet w, write R into w.node with probability p – At victim v • The order of the routers is not preserved in the order of received packets. • How to construct an ordered path? Computer Science Dr. Peng Ning CSC 774 Network Security 16 Node Sampling (Cont’d) • Assume all routers mark their addresses with equal probability p. • What’s the probability that v receives a packet marked by a router d hops away? A1 A2 R5 R6 R3 – ____________ R7 R4 R2 • Observation: R1 – The farther away R is, the less chance v receives packets marked by R. Computer Science A3 Dr. Peng Ning V CSC 774 Network Security 17 Node Sampling (Cont’d) • Reconstruction procedure at victim v – Count the number of packets marked by each router – Sort the routers by this count in increasing order – The ordered router list Æ attack path. • Limitations – Slow convergence • d =15 and p=0.51 Æ need 42,000 packets – Cannot deal with multiple attackers Computer Science Dr. Peng Ning CSC 774 Network Security 18 Marking Algorithm (3) • Edge Sampling – Idea: put edge instead of node into the packets – Reserve start, end, and distance fields in packet header • (start, end): the marked edge (link) • distance: the distance from start to the victim Computer Science Dr. Peng Ning CSC 774 Network Security 19 Edge Sampling (Cont’d) • At each router R – For each packet w • With probability p, write R into w.start and 0 into w.distance • If R doesn’t write w.start – If w.distance = 0 (i.e., the previous router just marked start), write R into w.end – Increment w.distance Computer Science Dr. Peng Ning CSC 774 Network Security 20 Edge Sampling (Cont’d) • At victim v – Let G be a tree with root v – Let edges in G be tuples (start, end, distance) – For each packet w from attacker • If w.distance = 0 then – Insert (w.start, v, 0) into G • Else – Insert edge (w.start, w.end, w.distance) into G – Remove edges (x, y, d) with d ≠ distance from x to v in G • Remove inconsistent edges. – Extract path (Ri, …, Rj) by listing acyclic paths in G. Computer Science Dr. Peng Ning CSC 774 Network Security 21 Edge Sampling (Cont’d) • effectiveness – Can discern multiple attackers – Robust: impossible for any edge closer than the closest attacker to be spoofed – Number of packets needed to reconstruct all paths is linear in the number of attackers. • Limitations – Require additional space in IP packet header – Two 32 bit IP addresses + 8 bit distance Æ 72 bits Computer Science Dr. Peng Ning CSC 774 Network Security 22 Encoding • Problem: – Where to save the edge samples? • Idea – compress the edge sample and store it in the identification field (16 bits for fragmentation) • Three techniques Computer Science Dr. Peng Ning CSC 774 Network Security 23 Encoding (Cont’d) • Technique 1: Send XOR of the two nodes of an edge. Routers in path Marked packets Edge id a ⊕ a⊕b a⊕b b b⊕c ⊕ b⊕c c⊕d ⊕ c ⊕ ⊕ d victim ⊕ c⊕d d Computer Science a b c d Dr. Peng Ning CSC 774 Network Security 24 Encoding (Cont’d) • Technique 2: reduce per-packet space requirement by splitting each edge-id into k fragments. – Each fragment is associated with 32/k bit data + log2k bit offset – Reconstruct fragments with the same distance • Doesn’t work if there are multiple attack paths. Computer Science Dr. Peng Ning CSC 774 Network Security 25 Encoding (Cont’d) • Technique 3: Interleaving edge-id and its hash and then fragment Edge id Hash (Edge id) Bit interleave k-1 0 Computer Science Dr. Peng Ning CSC 774 Network Security 26 Encoding (Cont’d) • Techniques 3 (Cont’d): reconstruction Combine k fragments k-1 0 Bit interleave Edge id Hash (Edge id) Y: accept =? Hash Computer Science N: reject Dr. Peng Ning CSC 774 Network Security 27 Further Reading • Dawn Song, Adrian Perrig: Advanced and Authenticatd Marking Schemes for IP Traceback, IEEE Infocom 2001 • Heejo Lee, Kihong Park: On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack. INFOCOM 2001: 338-347 • Tao Peng, Christopher Leckie, Kotagiri Ramamohanarao: Adjusted Probabilistic Packet Marking for IP Traceback. NETWORKING 2002: 697-708 • Micah Adler: Tradeoffs in probabilistic packet marking for IP traceback. STOC 2002: 407-418 • Michael T. Goodrich: Efficient packet marking for large-scale IP traceback, ACM CCS 2002. Computer Science Dr. Peng Ning CSC 774 Network Security 28