IP Traceback:A New DenialofService Deterrent

1
IP TracebackA New Denial-of-Service Deterrent?

• 2003 IEEE SECURITY PRIVACY 03
• HASSAN ALJIFRI
• University of Miami

2
Outline

• Introduction
• Current IP traceback approaches
• Link testing
• Logging
• ICMP based traceback
• Packet marking
• Pratical solution for IP traceback
• Conclusin

3
Introduction (cont.)

• DOS( Denial of Service )
• DDOS ( Distributed Denial of Service)
• Spoofed IP address
• Falsification of the source address in IP header.
• IP traceback
• To identify the address of the true source of the
  packets causing a DoS.

4
Introduction (cont.)

• Ingress filtering
• To set up router to ensure that the packets
  routed with valid source addresses.
• The process not automated
• Routine traffic measurements between ISP are not
  shared.
• Some ISPs refuse to install inbound filters to
  stop source address spoofing.

5
Current IP traceback approaches(cont.)

• Reative
• Link test
• Input debugging
• Controlled flooding
• Proactive
• Logging
• Messaging
• Marking

6
Current IP traceback approaches(cont.)

• Reavtive
• Most of them require ISP cooperation.
• Cant be used for post-attack.
• Proactive
• The victim can use resulting traceback data for
  attack path reconstruction.

7
Current Ip traceback approaches (cont.)

• Support for incremental implementation
• ISP cooperation should not be required
• Success should not depend on how long the attack
  lasts.

8
Current IP traceback approaches (cont.)

• The key requirements for IP traceback methods
• Compatibility
• Existing protocol
• Existing router
• Network infrastructure
• Overhead
• Network traffic
• Time
• Resources

9
Link testing (cont.)
10
Link testing Input debugging

• To determine the attack traffics specific
  characteristics.
• Use Attack signature to determine the incoming
  link on the router.
• To apply it until the traffics source is
  identifiedor the trace leaves the current ISPs
  border.

11
Table 1 AD of input debugging
12
Link testing-controlled flooding

• Using a map of the known Internet topology around
  the victim
• Flooding each incoming network link on the
  routers
• Observing how this affects the attack traffics
  intensity
• Deducing which link carries the attack traffic.

13
AD of controlled flooding.
14
Logging (cont.)
15
Logging (cont.)

• Alex Snoeren SPIE
• Source Path Isolation engine
• Storing only a hash digest
• Tatsuya Baba and Shigeyuki Matsuda
• An overlay network of sensors
• detect potential attack traffic
• Tracing agents (tracers) log the attack packets
  on request
• Managing agents

16
Logging
17
ICMP-based traceback (cont.)
18
ICMP-based traceback (cont.)

• Router would generate an ICMP traceback message
  for only one in 20000 packets.
• Intension-driven ICMP traceback
• Decision module select packet to be generate
  message.
• Generation moduleprocess chosen packet and sends
  a new message

19
ICMP-based traceback (cont.)
20
ICMP-based traceback
21
Packet marking (cont.)
22
Packet marking (cont.)

• Stefan Savage
• Probabilistic traffic-sampling (4)
• Compression methods.

23
Packet marking (cont.)
24
Practical solutions for IP traceback

• Symantecs ManHunt
• Deploy its ManHunt agents to network
• Communicating with router support ManHunt
• MANAnet
• Mark the packets in IP option

25
Practical solutions for IP traceback (cont.)

• Peakflow
• FloodGuard
• Detectors direct an attack on a protected domain
• Actuator analyzes its ingress traffic to
  traceback to next upstream actuator.

26
Conclusion

• Widely deployed
• DDOS
• Resource intensive
• Network overhead
• Post-attack analysis.