04/22/2001 ecs289K: Intention Driven iTrace 1 ecs298k Intention-Driven iTrace lecture #6 Dr. S. Felix Wu Computer Science Department University of California, Davis http://www.cs.ucdavis.edu/~wu/ [email protected]


A Statistic Problem with iTrace

• Routers closer to the victims have a higher probability of generating iTrace packets toward the true victims.

• Routers closer to the DDoS slaves might have a relatively small probability (smaller than the routers around the victims) of generating “useful” iTrace packets.


“Usefulness”

• Let’s think??

[Figure: network diagram; node labels as extracted: 24 16 0 112 12425 125]


Two answers

• It carries attack packets.

• It carries attack packets from a router that is very close to the original slaves


Two measures

• P(U-iTrace)
  – When an iTrace message is generated, what is the probability that this iTrace message is “useful” (i.e., it carries an attack packet)?

• P(U-iT-sec)
  – What is the probability for a router to generate at least ONE “useful” iTrace message in a second?


Example: Multi-S Single-V

Slave R1 R2 Victim

1K attack-pkt/sec, 19K normal-pkt/sec: P(U-iTrace) = 5%, #iTrace/sec = 1, P(U-iT-sec) = 5%

4K attack-pkt/sec, 196K normal-pkt/sec: P(U-iTrace) = 2%, #iTrace/sec = 10, P(U-iT-sec) = 18%

200K attack-pkt/sec, 200K normal-pkt/sec: P(U-iTrace) = 50%, #iTrace/sec = 20, P(U-iT-sec) = 99.999%

980K attack-pkt/sec, 20K normal-pkt/sec: P(U-iTrace) = 98%, #iTrace/sec = 50, P(U-iT-sec) = 100%


Motivation

• About (K* 0.005%) of our network resources will be spent on iTrace packets.

• Then, we hope we can spend the resources on more “useful” iTrace packets.


Three Types of Nodes

• DDoS victim with the intention to trace the slaves.

• DDoS victim without the intention.

• non-DDoS victims (assuming they do not have the intention as well -- and very likely they hope they won’t receive ones).


Intention-driven iTrace

• Different destination hosts, networks, domains/ASs have different “intention levels” in receiving iTrace packets.
  – We propose to add one “iTrace-intention” bit.

• Some of them might not care about iTrace, and some of them might not be under DDoS attacks, for example.


a little mathematics...

Traffic share and intention for receiving iTrace (I):

S2V: 2%, I: 1
S2B: 48%, I: 0
S2C: 25%, I: 0
S2D: 25%, I: 1

V’s probability to receive iTrace packets: 7.41%

0.02 / (0.02 + 0 + 0 + 0.25) = 0.0741

$$P_{iTrace}(V) = \frac{P_{traffic}(V) \cdot I(V)}{\sum_{n \in dst} P_{traffic}(n) \cdot I(n)}$$


Example: Multi-S Two-V

Slave R1 R2 Victim

4K att-v1-pkt/sec, 50K att-v2-pkt/sec, 146K normal-pkt/sec

P(U-iTrace) = 2%, #iTrace/sec = 10, P(U-iT-sec) = 18%

I(Victim-1) = 1: P(U-iTrace) = 7.4%, P(U-iT-sec) = 53.7%

P(U-iTrace) = 25%, #iTrace/sec = 10, P(U-iT-sec) = 95%

I(Victim-2) = 1: P(U-iTrace) = 92.6%, P(U-iT-sec) = 100.0%
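The two measures and the intention-weighted formula above, worked through in code. This is an added example, not part of the original slides; it assumes one iTrace message per 20K forwarded packets and that the messages generated within a second are independent samples, which reproduces the slide figures. Function and key names are illustrative.

```python
# Added example: the lecture's two "usefulness" measures for one router.
ITRACE_PERIOD = 20_000  # packets per iTrace message ("per ~20K pkts" in the slides)

def itrace_per_sec(flows):
    """#iTrace/sec for a router forwarding `flows` (dict: destination -> pkt/sec)."""
    return sum(flows.values()) / ITRACE_PERIOD

def p_useful_original(flows, victim):
    """P(U-iTrace) when the sampled packet is uniform over all forwarded traffic."""
    return flows[victim] / sum(flows.values())

def p_useful_intention(flows, intention, victim):
    """P_iTrace(V) = Ptraffic(V)*I(V) / sum over destinations n of Ptraffic(n)*I(n)."""
    weighted = sum(rate * intention.get(dst, 0) for dst, rate in flows.items())
    if weighted == 0:
        return 0.0  # no destination has set its intention bit
    return flows[victim] * intention.get(victim, 0) / weighted

def p_useful_per_sec(p_useful, n_per_sec):
    """P(U-iT-sec): at least one useful message among n independent ones (assumption)."""
    return 1 - (1 - p_useful) ** n_per_sec

def compare(flows, intention, victim):
    """Return (original, intention-driven) pairs of (P(U-iTrace), P(U-iT-sec))."""
    n = itrace_per_sec(flows)  # message budget is the same in both schemes
    orig = p_useful_original(flows, victim)
    intent = p_useful_intention(flows, intention, victim)
    return (orig, p_useful_per_sec(orig, n)), (intent, p_useful_per_sec(intent, n))

# Traffic mix from the "Multi-S Two-V" slide (packets/sec); key names are illustrative.
TWO_VICTIM = {"victim1": 4_000, "victim2": 50_000, "normal": 146_000}
INTENTION = {"victim1": 1, "victim2": 1}  # "normal" destinations leave I(n) = 0

if __name__ == "__main__":
    for v in ("victim1", "victim2"):
        (po, so), (pi, si) = compare(TWO_VICTIM, INTENTION, v)
        print(f"{v}: original {po:.1%} / {so:.1%}  intention-driven {pi:.1%} / {si:.1%}")
```

The intention bit changes only which destinations can receive a message, not how many messages the router sends, so the gain for Victim-1 comes entirely from removing the 146K normal-pkt/sec from the denominator.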


[Figure: Test-bed topology (diagram of numbered nodes)]


[Figure: node24 (single attack). x-axis: attack rate (packets/sec), 1k to 50k; y-axis: the # of useful iTrace messages; series: Original iTrace, Intention-Driven iTrace. Data labels as extracted: 4 21 40 78 123 108265 943 1515 1653 16181813]

[Figure: Node16 (single attack). x-axis: attack rate (packets/sec), 1k to 50k; y-axis: the # of useful iTrace messages; series: Original iTrace, Intention-Driven iTrace. Data labels as extracted: 2 26 51 77 114 14469 1406 2288 2444 2460 2574]


[Figure: Node0 (single attack). x-axis: attack rate (packets/sec), 1k to 50k; y-axis: the # of useful iTrace messages; series: Original iTrace, Intention-Driven iTrace. Data labels as extracted: 5 27 45 82 118 129124 2251 31052444 2460 2574]

[Figure: node112 (single attack). x-axis: attack rate (packets/sec), 1k to 50k; y-axis: the # of useful iTrace messages; series: Original iTrace, Intention-Driven iTrace. Data labels as extracted: 4 27 57 71 107 12644 1041 16541873 1949 2089]


[Figure: Node124 (single attack). x-axis: attack rate (packets/sec), 1k to 50k; y-axis: the # of useful iTrace messages; series: Original iTrace, Intention-Driven iTrace. Data labels as extracted: 3 20 68 92 105 129 1329 1360 1389 1415 1440 1463]


Issues

• How to determine the intention bit?
  – Policy to set the bit.

• How to distribute the intention bits to routers globally?
  – Utilize/extend BGP!

• How to use the intention bits at each router?


How to distribute I(n)?

• YABE: (Yet Another BGP Extension)
  – For every BGP route update, we include I(n) as a new string in the community attribute:
    • 0x[iTrace-Intention]:0x[0-1] (optional & transitive)
  – These I(n) values will be forwarded or even aggregated by the routers who understand this new community attribute.
    • aggregation: I(new) = max {I(n)}
  – Rate-Limiting on Intention Update:
    • should not be more frequent than Keep-Alive messages.
    • should not trigger any major route computation.


The iTrace Statistics Model

[Diagram: Packet buffering; Routing table lookup; Forward process; iTrace Stochastic Process]

Should this packet be iTraced?

Yes, we should generate an iTrace for this packet?


iTrace Trigger

[Diagram: Packet buffering; Routing table lookup; Forward process; iTrace Stochastic Process; iTrace Trigger]

Should we generate an iTrace message now?

If yes, pick the Nth packet in the buffer….


A simple design

[Diagram: BGP table with columns I(n) and iTrace bit; iTrace Process; per ~20K pkts]

Add two bits to the routing table:

(1). I(n): Intention Bit Value associated with this entry.

(2). iTrace bit: whether we need to generate an iTrace message for this entry now.


Handling an iTrace Trigger

[Diagram: BGP table with columns I(n) and iTrace bit; iTrace Process]

• If all I(n)’s are zero, shut-off the iTrace trigger process.

• Set the iTrace bit on all the entries with I(n) = 1.


(1). Before iTrace trigger:

Prefix            I(n)   iTrace bit
152.1.23.0/24     1      0
169.20.3.0/24     0      0
192.1.0.0/16      0      0
207.3.4.183/20    1      0
152.1.0.0/16      1      0
155.0.0.0/16      0      0

(2). After iTrace trigger:

Prefix            I(n)   iTrace bit
152.1.23.0/24     1      1
169.20.3.0/24     0      0
192.1.0.0/16      0      0
207.3.4.183/20    1      1
152.1.0.0/16      1      1
155.0.0.0/16      0      0


(3). After iTrace sent:

Prefix            I(n)   iTrace bit
152.1.23.0/24     1      0
169.20.3.0/24     0      0
192.1.0.0/16      0      0
207.3.4.183/20    1      0
152.1.0.0/16      1      0
155.0.0.0/16      0      0


Processing Overhead

Processing for each data packet:

1. if the iTrace flag bit is 1,
   (1). send an iTrace message for this data packet.
   (2). reset all the iTrace bits to 0.

1/20K iTrace message trigger occurs:

1. Set all the iTrace bits on if I(n) = 1.
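The three table states and the per-packet rule above, as a small simulation. This is an added example, not code from the lecture; the class name ITraceTable, the use of longest-prefix match for the lookup, and treating the trigger as a no-op when every I(n) is zero are assumptions made for illustration.

```python
import ipaddress

# Prefixes and I(n) values copied from the slide; iTrace bits start at 0.
SLIDE_TABLE = [("152.1.23.0/24", 1), ("169.20.3.0/24", 0), ("192.1.0.0/16", 0),
               ("207.3.4.183/20", 1), ("152.1.0.0/16", 1), ("155.0.0.0/16", 0)]

class ITraceTable:
    """Routing entries carrying the two extra bits: I(n) and the iTrace bit."""

    def __init__(self, entries):
        # strict=False because the slide writes 207.3.4.183/20 with host bits set
        self.rows = [[ipaddress.ip_network(p, strict=False), i, 0] for p, i in entries]

    def trigger(self):
        """Runs about once per 20K packets: arm every entry whose I(n) = 1."""
        if not any(i for _, i, _ in self.rows):
            return False  # all I(n) are zero: trigger is shut off (assumed no-op)
        for row in self.rows:
            row[2] = row[1]
        return True

    def forward(self, dst):
        """Per-packet path: True if an iTrace message is sent for this packet."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.rows if addr in r[0]]
        if not matches:
            return False
        best = max(matches, key=lambda r: r[0].prefixlen)  # longest-prefix match (assumed)
        if best[2] != 1:
            return False
        for row in self.rows:
            row[2] = 0  # one message per trigger: reset all iTrace bits
        return True

    def bits(self):
        """List of (I(n), iTrace bit) in table order."""
        return [(i, t) for _, i, t in self.rows]

if __name__ == "__main__":
    table = ITraceTable(SLIDE_TABLE)
    table.trigger()
    print("after trigger:", table.bits())
    # Constructed destination addresses: the first matches an I(n) = 0 entry.
    for dst in ("169.20.3.7", "152.1.23.9", "152.1.5.5"):
        print(dst, "-> iTrace sent" if table.forward(dst) else "-> forwarded only")
```

Between triggers the per-packet cost is one extra bit test on the matched entry; packets to destinations with I(n) = 0 never consume the armed message.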


The Aggregation Problem

Slave R1 R2 Victim

4K att-v1-pkt/sec, 50K att-v2-pkt/sec, 146K normal-pkt/sec

P(U-iTrace) = 2%, #iTrace/sec = 10, P(U-iT-sec) = 18%

I(Victim-1) = 1: P(U-iTrace) = 7.4% for 4K traffic, P(U-iT-sec) = 53.7%

4K att-v1-pkt/sec, 16K agg-v1-pkt/sec, 50K att-v2-pkt/sec, 130K normal-pkt/sec

P(U-iTrace) = 2%, #iTrace/sec = 10, P(U-iT-sec) = 18%

I(Victim-1) = 1: P(U-iTrace) = 5.7% for 20K traffic, P(U-iT-sec) = 44.4%


Summary for Intention iTrace

• Improve the probability of “useful” iTrace.

• Require some “minor” changes to the router forwarding process.

• Require another BGP extension.
  – We need to verify that this extension will interoperate well with existing BGP nodes.

• The amount of generated iTrace messages should be no more than the current iTrace proposal.