Tracing Cyber Attacks from the Practical Perspective


Tracing Cyber Attacks

Areej Al-Bataineh

4/11/2020 Tracing Cyber Attacks 1

Tracing cyber attacks from the practical perspective

Zhiqiang Gao and Nirwan Ansari

Communications Magazine, IEEE

May 2005 http://www.comsoc.org/tutorials/Ansari


Outline

- Introduction
- IP Traceback
- Objective
- Classification of IP Traceback Schemes
- Evaluation of Representative Schemes
- Conclusion
- Future Work

Introduction

- Denial of service (DoS/DDoS) attacks
  - Disrupt legitimate access
  - Cost victims financial and productivity loss
- Why easy to conduct?
  - Prevalence of attack tools
  - Stateless nature of the Internet
- Address spoofing (anonymous attacks)
  - Gain illegitimate access
  - Hide the attack source

Intrusion Countermeasures

- Prevention
  - Source/network/victim-based
- Detection
- Mitigation
  - Rate limiting/statistical/path-based
- Response
  - IP Traceback

IP Traceback

- Objective
  - Locate the actual source of attack packets
- Difficult
  - Source address spoofing
  - Many attack sources (DDoS)
- Host in a stepping stone chain
- Reflector
- Zombie

Objectives

- Grasp the global view
  - Classify traceback schemes
  - Select typical schemes
  - Focus on practicality
- Foundation for
  - Developing efficient and effective schemes

Classification


Evaluation Metrics

Based on practicality:

- Minimum number of packets required for path reconstruction
  - The fewer the better
- Computational overhead
  - A good design minimizes it
- Effectiveness under partial deployment
  - Deployment implies more cost
- Robustness
  - The ability to perform tracing reliably under adverse conditions

Representative Schemes

- Probabilistic Packet Marking (PPM): Savage et al. (2001)
- ICMP Traceback (iTrace): Bellovin (2000)
- Source Path Isolation Engine (SPIE): Snoeren et al. (2002)
- Algebraic-based Traceback Approach (ATA): Dean et al. (2002)
- Deterministic Packet Marking (DPM): Belenky and Ansari (2003)
- Overlay-based solution (Center-Track): Stone (2000)

Basic PPM


PPM Variants

- Edge sampling with marking probability p(1-p)^(d-i)

PPM Variants

[Figure: PPM variants; net result in (c) and final result in (d)]

Analysis of PPM

Pros

1. Low router overhead
2. Support of incremental deployment
3. “Post-mortem” tracing

Cons

1. Heavy computational load for path reconstruction
2. High false positives
3. Spoofed marking
4. Path length (d) not known in advance
5. Subverted routers

Good for DoS, not for large-scale DDoS
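The edge-sampling PPM marking and victim-side reconstruction from the slides above, as an added simulation that is not part of the deck or of Savage et al.'s code: every router on a constructed 8-hop path (router addresses are small non-zero ints, an assumption of the example) marks with probability p, the victim chains the sampled edges by distance without knowing d in advance (con 4), and packets_needed counts how many packets the reconstruction takes, to compare against the ln(d)/(p(1-p)^(d-1)) bound on the expected number.

```python
import math
import random

def mark_packet(mark, router, p, rng):
    """One router's edge-sampling step on a packet's mark (start, end, dist)."""
    start, end, dist = mark
    if rng.random() < p:               # with probability p: start a new edge at this router
        return (router, 0, 0)
    if dist == 0:                      # the upstream neighbour just started an edge: close it here
        end = router
    return (start, end, dist + 1)      # otherwise only count the hop

def send_packet(path, p, rng):
    """Forward one unmarked packet along path (attacker side first) to the victim."""
    mark = (0, 0, 0)                   # 0 means "no mark"; router addresses are non-zero ints
    for router in path:
        mark = mark_packet(mark, router, p, rng)
    return mark

def reconstruct(marks):
    """Victim side: chain the sampled edges by distance, nearest router first, without knowing d."""
    by_dist = {}
    for start, end, dist in marks:
        if start:                      # packets never marked (start == 0) carry no edge
            by_dist.setdefault(dist, set()).add((start, end))
    path, dist = [], 0                 # built from the victim outward
    while dist in by_dist:
        # an edge at distance k must end at the router that started the distance k-1 edge
        fits = [s for s, e in by_dist[dist] if dist == 0 or e == path[-1]]
        if not fits:
            break
        path.append(fits[0])
        dist += 1
    return path[::-1]                  # attacker-side router first, same order as the input path

def packets_needed(path, p, seed=1, limit=10000):
    """Simulate an attack flow and count packets until the whole path is recovered."""
    rng, marks = random.Random(seed), []
    for n in range(1, limit + 1):
        marks.append(send_packet(path, p, rng))
        if reconstruct(marks) == path:
            return n
    return None                        # not recovered within the limit

def expected_bound(d, p):
    """Bound on the expected number of packets from Savage et al.: ln(d) / (p (1-p)^(d-1))."""
    return math.log(d) / (p * (1 - p) ** (d - 1))
```

Calling packets_needed([10, 20, 30, 40, 50, 60, 70, 80], 0.04) shows how many packets one run takes for d = 8 and p = 0.04, while expected_bound(8, 0.04) gives the bound of roughly 69 packets.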

Development and Solutions

- Advanced and Authenticated PPM
  - Proposed by Song et al. (2001)
  - Victim knows the mapping of upstream routers
  - Solves problems 1, 2, and 3
- PPM with Non-Preemptive Compensation
  - Proposed by Tseng et al. (2004)
  - Uses counters to compensate for the loss of marking information from upstream routers
  - May address 1 and 3, and decrease false positives (2)

Development and Solutions

- Problem 4
  - Not easy to resolve in the IP layer
  - d is known at the AS level
- Problem 5
  - More difficult to resolve
  - To solve it, the marking information embedded by upstream routers must be verified
  - No scheme has this feature yet!

Basic DPM


Analysis of DPM

- Pros
  - Effectively handles DoS attacks
  - Path construction is simpler
- Cons
  - High false positives for DDoS attacks
  - Cannot identify the ingress router if the attacker uses a different source IP address for each packet
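A minimal model of basic DPM reassembly and of the second con above, as an added example that is not the deck's or Belenky and Ansari's code. It assumes the basic DPM layout: the ingress edge router writes one half of its 32-bit address into the 16-bit ID field, chosen at random per packet, and a 1-bit flag says which half; the victim joins the two halves per source address. With a constant source address the ingress router is recovered; when every packet carries a different source address no group ever holds both halves, which is the failure the slide describes. The addresses are constructed documentation-range values.

```python
import ipaddress
import random

def dpm_mark(ingress_ip, rng):
    """Ingress edge router: write one half of its 32-bit address into the 16-bit ID field and
    record which half in the 1-bit flag (assumed layout of basic DPM, half picked at random)."""
    flag = rng.randint(0, 1)
    half = ingress_ip >> 16 if flag == 0 else ingress_ip & 0xFFFF
    return flag, half

def dpm_reassemble(packets):
    """Victim: group marks by the packet's source address and join the two halves per source.
    Returns {source: ingress router address, or None while only one half has been seen}."""
    halves = {}
    for src, flag, half in packets:
        halves.setdefault(src, {})[flag] = half
    result = {}
    for src, h in halves.items():
        result[src] = str(ipaddress.IPv4Address((h[0] << 16) | h[1])) if len(h) == 2 else None
    return result

def simulate(ingress, sources, seed=1):
    """Constructed flow: every packet enters at `ingress`; sources[i] is packet i's source field."""
    rng = random.Random(seed)
    ingress_int = int(ipaddress.IPv4Address(ingress))
    packets = [(src, *dpm_mark(ingress_int, rng)) for src in sources]
    return dpm_reassemble(packets)
```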

Development and Solutions

- Tracing Multiple Attackers with DPM
  - Proposed by Belenky and Ansari (2003)
  - Uses a hash function to carry the identity of the ingress edge router
  - Victim uses this identity to combine packets from the same source, better than PPM
  - Far fewer false positives than PPM
  - Handles reflector-based DDoS
  - Subverted routers problem (5)

iTrace


Analysis of iTrace

- Marking procedure similar to PPM
- Shares its pros and cons
- Differences
  - Requires additional bandwidth
  - More marking bits can be used (1 and 2 solved)
  - Far fewer ICMP messages are needed for path reconstruction than marked packets in PPM

Comparison of ICMP and PPM


Development and Solutions

- Intention-Driven ICMP Traceback
  - Proposed by Mankin et al. (2001)
  - Adds some intelligence to the marking procedure
  - Path reconstruction completes quickly
  - Solves problems 1 and 2
- Problem 3 may be addressed using PKI, but this increases overhead at routers
- Further work on problems 4 and 5 is needed

Basic SPIE


Analysis of SPIE

- Deterministic logging scheme
- Pros
  - Supports advanced functions such as single-packet tracing and transformed-packet tracing (wireless)
- Cons
  - Requires additional infrastructure
  - Incurs very heavy computational, management, and storage overhead
  - Not scalable
  - Limited applicability

Development and Solutions

- Large-scale IP traceback
  - Proposed by Li et al. (2004)
  - Logging scheme based on sampling
  - Constructs the attack tree by correlating samples
  - Scales well to 5000 attack sources

Basic Center-Track


Analysis of Center-Track

- Pros
  - Handles DDoS
- Cons
  - Places a heavy management burden on the network
  - Consumes network resources (bandwidth, processing capability) for tunnel maintenance
  - Not scalable
  - Limited applicability

Development and Solutions

- Secure Overlay Service (SOS)
  - Associative defensive method
  - Proactive approach
  - Employs intensive filtering and anonymity
  - Effectively mitigates DDoS attacks
  - No false positives
  - Low chance of compromised routers

Conclusion/Future Work

- IP traceback technology is only the first step toward tackling DoS/DDoS attacks
- Trade-offs of an ideal tracing scheme
- Identify indirect sources of DDoS
- Identify attackers who use stepping stones
- Integrating IDS with traceback
- Automatic traceback
- Scalability


Questions?
