Adam Bender, Neil SpringDave Levin, Bobby BhattacharjeeUniversity of Maryland, College

ParkIn Proc. USENIX SRUTI, 2007

Speaker: Yun Liaw

Accountability as a Service

IntroductionThe purpose of accountability: To blame

the miscreants, and let everyone else beSpoofed IP – Both IP address and ISP are

not reliableAccountability Service Provider

To “vouch for” sending traffic generated by endpoints

Separate accountability from addressing and routing

3/09/09Speaker : Yun Liaw2

Related WorkExplicit blocking of unsolicited traffic

Implicit blocking of unsolicited traffic

Stepping stone detectionApproaches to stop spoofed source addresses in e-mail

3/09/09Speaker : Yun Liaw3

The Accountability ServiceThe role of an accountability service

To provide authenticated clients with identifiers that can be used to mark packets accountable

Other clients of the service can block unwanted traffic, and report malicious packets to the service

Accountability services may differentiate from each other by how much anonymity or accountability level they provide and what the require from their clients

3/09/09Speaker : Yun Liaw4

The Accountability ServiceHold identities in escrow and reveals in

case of severe proven abusevouch for the traffic of its clientAccountability identifiers are independent

of destinationAccountability identifiers are proxiableReceivers specify what accountability

service they acceptA victim can ask the network to filter

traffic that has specific identifier3/09/09Speaker : Yun Liaw5

Design:Straw-man ProtocolSigning Every PacketsEvery router on the forwarding path can

check the certificate, but it is expensive

3/09/09Speaker : Yun Liaw6

Service

Provider (A)

Sender(S)

Receiver(R)

Keypair:

(S pub,

S priv)

cert s =

{S,

S pub}A privpkt, certs

{pkt}Spriv

Prove Sender himself

Design:An Efficient protocolSender S, receiver R agree to use accountability

service AEach client C of A has a private key c, public key

gc and certification certc = {C, Cpub}AprivUse Diffie-Hellman to create shared key

S and R: (gs)r = (gr)s

S and S’s ISP, P1: ks = (gP1)s = (gs)P1 Outgoing packets from S:

certstimestampa hash hR = hash(pkt, timestamp, certs, gsr)a hash h1 = hash(pkt, timestamp, certs, ks)

3/09/09Speaker : Yun Liaw7

Design:An Efficient protocol

3/09/09Speaker : Yun Liaw8

P1 can cache certs and ks for fast verificationP1 is expected to check certs, timestamp, and h1

Non-checking origination ISP identificationLet P1 insert into each packet from S to R Pi’s AS

number and hi = hash(pkt,timestamp, certs, ki)If R receives a invalid certification packet, R can

show this hashed-by-P1 packet and certs to any Pi along the path, thereby proving that P1 did not check the certification

“First-hop accountability service ISP”R can ask its ISP Pn to block traffic from certs on its

behalf

Design:An Efficient protocol

Does not provide non-repudiation property

3/09/09Speaker : Yun Liaw9

Discussions and CommentsAccountability services can help ISPs to

filter unwanted trafficCentralized and trusted authority would

limit the scalabilityAccountability should be held by people,

while machines are neutralBots and zombies

The cost of accountability serviceWhat is the value and profit that

accountability service would bring to us? Is it worth deploying?

3/09/09Speaker : Yun Liaw10