Hash-Based IP Traceback

Best Student Paper, ACM SIGCOMM’01

2

Introduction

Today’s Internet infrastructure is extremely vulnerable to motivated and well-equipped attackers.
– Denial of service attacks
– Single well-targeted packet attacks

To institute accountability for these attacks, the source of individual packets must be identified.

3

Today’s IP Network

The IP protocol has difficulty identifying the true source of an IP datagram.
– Stateless, destination-based routing without source authentication
– Legitimately “spoofed” source addresses
  • NAT, Mobile IP, IPsec

Ingress filtering is only a partial remedy: it works only where it is deployed, and it says nothing about the path a packet actually took.

4

Source Path Isolation Engine

Challenges in constructing a tracing system
– Determining which packets to trace
– Maintaining privacy
– Minimizing cost

The proposed SPIE
– reduces memory consumption with Bloom filters
– verifies packets while maintaining privacy by storing packet digests rather than the packets themselves

5

Assumptions on a Traceback System

– Packets may be addressed to more than one physical host
– Duplicate packets may exist in the network
– Routers may be subverted, but not often
– Attackers are aware they are being traced

6

Assumptions on a Traceback System (continued)

– The routing behavior of the network may be unstable
– The packet size should not grow as a result of tracing
– End hosts may be resource constrained
– Traceback is an infrequent operation

7

Design Goals

An optimal IP traceback system would
– precisely identify the source of an arbitrary IP packet
– construct an attack path when co-opted routers exist
– construct an attack graph when multiple indistinguishable packets exist
– produce no false negatives while attempting to minimize false positives
– not expand the eavesdropping capabilities of a malicious party

8

Attack Graph

9

Design Goals (continued)

An optimal traceback system should trace packets through valid transformations back to the source of the original packet.

Transformation categories
– Packet encapsulation
– Packet generation
– Common packet transformations (RFC 1812)

10

Related Works

Two approaches to determining the route of a packet flow are auditing and inferring.

Inferring (Burch and Cheswick)
– Floods candidate links and monitors the variation in the attack traffic
– Requires knowledge of the network topology and large packet floods

Specialized routing (Stone)
– Overlay tracking network
– Requires long-lived flows and changes to routing

11

Auditing

End-host schemes
– Routers notify the packet destination of their presence on the route by in-band or out-of-band signaling.

Infrastructure schemes
– Log packets at various points throughout the network.
– Space and privacy considerations

Input debugging & IDIP
– High overhead

12

Packet Digesting

Auditing by computing and storing 32-bit packet digests, rather than the packets themselves, reduces storage requirements and prevents eavesdropping: a digest cannot be inverted to recover packet contents.

SPIE computes digests over the invariant portion of the IP header (the fields that change hop by hop, such as TTL, ToS and the header checksum, are masked) and the first 8 bytes of the payload, 28 bytes in total.

13

Packet Digesting

14

Prefix Collision

15

Bloom Filter

The digest table is a Bloom filter: each packet is hashed by multiple independent hash functions, and the set of functions changes over time and differs from router to router, so an attacker cannot precompute colliding packets.
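The digesting and Bloom-filter slides above, worked through as an added example (this is illustrative code, not the paper’s implementation or the DGA hardware). The packets, router names and interval numbers are constructed; the per-router, per-interval salt stands in for the paper’s changing hash functions, and SHA-256 is used only as a convenient source of independent hashes. It shows that the digest survives TTL/ToS/checksum changes in flight, that two packets sharing the 28-byte prefix are indistinguishable (the prefix-collision case), and how the Bloom false-positive rate depends on the table size and the number of hash functions.

```python
import hashlib
import math
import struct

# Constructed sample packet (not from the paper): minimal IPv4 header + payload.
def build_packet(src, dst, ttl, tos, payload, ident=0x1234):
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident, 0,
                       ttl, 17, 0, src, dst) + payload

def invariant_prefix(packet):
    """The 28 bytes SPIE digests: the IP header with the fields that change
    hop by hop (ToS, TTL, header checksum) masked, plus the first 8 payload bytes."""
    hdr = bytearray(packet[:20])
    for off in (1, 8, 10, 11):      # tos, ttl, checksum (2 bytes)
        hdr[off] = 0
    return bytes(hdr) + packet[20:28].ljust(8, b"\0")

class DigestTable:
    """One Bloom filter per router per time interval. Each of the k hash
    functions is seeded with a per-router, per-interval salt (assumed here as a
    stand-in for the paper's changing hash functions), so the bit positions a
    packet sets in one table say nothing about any other table."""
    def __init__(self, m_bits, k, router_id, interval):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)
        self.salt = f"{router_id}:{interval}".encode()

    def indices(self, packet):
        data = invariant_prefix(packet)
        return [int.from_bytes(hashlib.sha256(self.salt + bytes([i]) + data).digest()[:4], "big") % self.m
                for i in range(self.k)]

    def insert(self, packet):
        for idx in self.indices(packet):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def contains(self, packet):
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in self.indices(packet))

def false_positive_rate(m_bits, k, n_packets):
    """Expected Bloom false-positive probability after n insertions."""
    return (1 - math.exp(-k * n_packets / m_bits)) ** k

def demo():
    src, dst = bytes([10, 0, 0, 5]), bytes([198, 51, 100, 7])
    table = DigestTable(1 << 20, 3, "R2", 7)
    sent = build_packet(src, dst, 64, 0, b"ATTACK-PAYLOAD")
    table.insert(sent)
    # Same packet as seen downstream: TTL decremented, ToS remarked (checksum is masked too).
    downstream = build_packet(src, dst, 61, 0x10, b"ATTACK-PAYLOAD")
    # Different packet of the same length sharing the first 8 payload bytes.
    prefix_twin = build_packet(src, dst, 64, 0, b"ATTACK-PXXXXXX")
    # Unrelated packet from another host.
    other = build_packet(bytes([10, 0, 0, 6]), dst, 64, 0, b"benign")
    return {
        "downstream_found": table.contains(downstream),    # masking makes the digest hop-invariant
        "prefix_twin_found": table.contains(prefix_twin),  # prefix collision: indistinguishable
        "other_found": table.contains(other),              # absent (barring a Bloom false positive)
        "indices_differ_by_interval":
            table.indices(sent) != DigestTable(1 << 20, 3, "R2", 8).indices(sent),
    }
```

The prefix twin is the case the paper's collision analysis is about: it is found because it is genuinely indistinguishable from the inserted packet, not because of the Bloom filter. The Bloom false positive is a separate effect, governed by `false_positive_rate`, and it is why the paper sizes the tables per interval rather than letting them fill indefinitely.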

16

SPIE Architecture

– DGA: Data Generation Agent
– SCAR: SPIE Collection and Reduction agent
– STM: SPIE Traceback Manager
– IDS: Intrusion Detection System

17

Traceback Processing

– The IDS provides the STM with a packet P, the victim V and the time of attack T.
– The STM verifies the message’s authenticity and integrity.
– The STM immediately asks all SCARs to poll their DGAs for the relevant traffic digests.
– Each SCAR responds with a partial attack graph.
– The STM constructs a composite attack graph and returns it to the IDS.

18

Transformation Processing

Packets that are transformed are handled on the router’s control path rather than the forwarding path, which relaxes the timing requirements (transformations are rare).

Transform Lookup Table (TLT): indexed by packet digest; each entry records what is needed to reverse the transformation.
– Pointer: when the transform data does not fit in the entry, the entry points to it
– Flow caching: packets of one flow share a single copy of the transform data

Indirect (I) flag: marks an entry whose data field is a pointer rather than inline data.

19

Transformation Processing (continued)

The 29-bit packet digest field implies that eight distinct packet digests map to the same TLT entry. This is acceptable because of
– the rarity of packet transformations
– the sparsity of the digest table
– the uniformity of the digesting function

SPIE treats the security gateway or NAT functionality of a router as a separate entity to manage TLT growth.

20

Graph Construction

Simulating reverse-path flooding (RPF), SCARs construct attack graphs by examining the digest tables.
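The traceback procedure (IDS to STM to SCARs to DGAs), TLT-based de-transformation and reverse-path flooding from the three slides above, combined into one added example. This is illustrative code, not the paper’s own; the six-router topology, addresses, interval numbers and the NAT gateway at R2 are constructed. Two simplifications are assumed and labelled: each router’s digest table is a Python set of 32-bit digests (standing in for the Bloom filter of the earlier slides), and a router is queried for the reported interval and the one before it to allow for transit time.

```python
import hashlib
import struct
from collections import deque

# Constructed sample packets (not from the paper): minimal IPv4/UDP.
def build_packet(src, dst, ttl, payload, ident=0x1234):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                       ttl, 17, 0, src, dst) + payload

def packet_digest(packet):
    """32-bit digest over the 28 invariant bytes (ToS, TTL, checksum masked)."""
    hdr = bytearray(packet[:20])
    for off in (1, 8, 10, 11):
        hdr[off] = 0
    data = bytes(hdr) + packet[20:28].ljust(8, b"\0")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

class Router:
    """A DGA. The digest table is a set per interval (assumed stand-in for the
    Bloom filter). The TLT is keyed by the top 29 bits of the digest, so eight
    digests alias to one entry, as the slides note is acceptable."""
    def __init__(self, name):
        self.name, self.neighbors = name, set()
        self.tables = {}      # interval -> set of 32-bit digests
        self.tlt = {}         # digest >> 3 -> (I flag, inline data or flow id)
        self.flow_cache = {}  # flow id -> transform data, for I-flag entries

    def forward(self, packet, interval):
        self.tables.setdefault(interval, set()).add(packet_digest(packet))

    def nat(self, packet, interval, new_src, flow_id=None):
        """Rewrite the source address; digest the outgoing packet and keep the
        original source in the TLT so the step can be reversed during traceback."""
        out = packet[:12] + new_src + packet[16:]
        self.forward(out, interval)
        key = packet_digest(out) >> 3
        if flow_id is None:
            self.tlt[key] = (False, packet[12:16])
        else:
            self.flow_cache[flow_id] = packet[12:16]
            self.tlt[key] = (True, flow_id)
        return out

    def saw(self, packet, interval):
        # Assumed transit-time window: the reported interval and the previous one.
        return any(packet_digest(packet) in self.tables.get(i, ()) for i in (interval, interval - 1))

    def untransform(self, packet):
        entry = self.tlt.get(packet_digest(packet) >> 3)
        if entry is None:
            return packet
        indirect, data = entry
        orig_src = self.flow_cache[data] if indirect else data
        return packet[:12] + orig_src + packet[16:]

def link(a, b):
    a.neighbors.add(b)
    b.neighbors.add(a)

def traceback(victim_router, packet, interval):
    """STM/SCAR role: reverse-path flooding from the victim's router. A router
    whose table holds the digest becomes a node, its neighbours are queried next,
    and at a transforming router tracing continues with the pre-transformation
    packet. Returns the attack graph as (downstream, upstream) edges."""
    edges, seen = set(), {victim_router.name}
    queue = deque([(victim_router, packet)])
    while queue:
        r, pkt = queue.popleft()
        pkt = r.untransform(pkt)
        for up in r.neighbors:
            if up.name not in seen and up.saw(pkt, interval):
                seen.add(up.name)
                edges.add((r.name, up.name))
                queue.append((up, pkt))
    return edges

def run_example(with_duplicate=False):
    r = {n: Router(n) for n in ("R1", "R2", "R3", "R4", "R5", "R6")}
    for a, b in (("R1", "R2"), ("R2", "R3"), ("R3", "R4"), ("R3", "R5"), ("R2", "R6")):
        link(r[a], r[b])
    attacker, victim = bytes([10, 0, 0, 5]), bytes([198, 51, 100, 7])
    p = build_packet(attacker, victim, 64, b"ATTACK-PAYLOAD")
    r["R1"].forward(p, 7)
    p = r["R2"].nat(p, 7, bytes([203, 0, 113, 9]))   # R2 is a NAT gateway
    r["R3"].forward(p, 7)
    r["R4"].forward(p, 8)                              # crossed an interval boundary in transit
    r["R5"].forward(build_packet(bytes([10, 0, 0, 6]), victim, 64, b"benign"), 7)
    if with_duplicate:  # an indistinguishable copy injected at R6 by a second source
        r["R6"].forward(build_packet(attacker, victim, 64, b"ATTACK-PAYLOAD"), 7)
    return traceback(r["R4"], p, 8)   # the IDS at the victim reports P at interval 8
```

Without the duplicate the graph is the single path R4, R3, R2, R1, with the NAT at R2 reversed in passing. With the duplicate the graph gains the branch R2 to R6: that is the "attack graph when multiple indistinguishable packets exist" design goal, and the procedure reports both rather than guessing, which is how it avoids false negatives at the cost of possible false positives.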

21

DGA Hardware

22

Discussion

Reliable and timely SPIE communication
– Out-of-band channel
– Higher priority

Inter-domain cooperation
– Authentication

Denial of service through transformation
– Performance & policy

23

Conclusion and Future Work

SPIE makes it possible to trace a single packet while preserving privacy and keeping storage low.

SPIE handles complex packet transformations in high-speed routers.

Future work on SPIE includes
– extending the period of traceability
– reducing the information needed for de-transformation