IntentionDriven iTrace - PowerPoint PPT Presentation

1
Intention-Driven iTrace
S. Felix Last Minutes Wu, UC Davis
http://www.cs.ucdavis.edu/wu, wu_at_cs.ucdavis.edu
Lixia Zhang, UCLA
Allison Mankin, Dan Massey, USC/ISI
2
A Statistic Problem with iTrace
  • Routers closer to the victims have higher
    probability to generate iTrace packets toward the
    true victims.
  • Routers closer to the DDoS slaves might have
    relatively small probability (smaller than the
    routers around the victims) to generate useful
    iTrace packets.

3
Two measures
  • P(U-iTrace)
  • When an iTrace message is generated, what is the
    probability that this iTrace message is useful
    (i.e., it carries an attack packet)?
  • P(U-iT-sec)
  • What is probability for a router to generate at
    least ONE useful iTrace message in a second?

4
Example: Multi-S Single-V
  • 1K attack-pkt/sec, 19K normal-pkt/sec: P(U-iTrace) = 5%, iTrace/sec = 1, P(U-iT-sec) = 5%
  • 200K attack-pkt/sec, 200K normal-pkt/sec: P(U-iTrace) = 50%, iTrace/sec = 20, P(U-iT-sec) = 99.999%
  • 4K attack-pkt/sec, 196K normal-pkt/sec: P(U-iTrace) = 2%, iTrace/sec = 10, P(U-iT-sec) = 18%
  • 980K attack-pkt/sec, 20K normal-pkt/sec: P(U-iTrace) = 98%, iTrace/sec = 50, P(U-iT-sec) = 100%
5
Motivation
  • About (K = 0.005%) of our network resources will
    be spent on iTrace packets.
  • Then, we hope we can spend the resources on more
    useful iTrace packets.

6
Three Types of Nodes
  • DDoS victim with the intention to trace the
    slaves.
  • DDoS victim without the intention.
  • non-DDoS victims (assuming they do not have the
    intention as well -- and very likely they hope
    they won't receive any).

7
Intention-driven iTrace
  • Different destination hosts, networks,
    domains/ASs have different intention levels in
    receiving iTrace packets.
  • We propose to add one iTrace-intention bit.
  • Some of them might not care about iTrace, and
    some of them might not be under DDoS attacks, for
    example.

8
a little mathematics...
Intention for receiving iTrace:
  • S2V: 2%, I = 1
  • S2B: 48%, I = 0
  • S2C: 25%, I = 0
  • S2D: 25%, I = 1
V's probability to receive iTrace packets:
7.41% = 0.02 / (0.02 + 0 + 0 + 0.25) = 0.0741
$$P_{iTrace}(V) = \frac{P_{traffic}(V)\, I(V)}{\sum_{n} P_{traffic}(n)\, I(n)}$$
9
Example: Multi-S Two-V
4K att-v1-pkt/sec, 50K att-v2-pkt/sec, 146K normal-pkt/sec
  • Victim-1: P(U-iTrace) = 2%, iTrace/sec = 10, P(U-iT-sec) = 18%
    I(Victim-1) = 1: P(U-iTrace) = 7.4%, P(U-iT-sec) = 53.7%
  • Victim-2: P(U-iTrace) = 25%, iTrace/sec = 10, P(U-iT-sec) = 95%
    I(Victim-2) = 1: P(U-iTrace) = 92.6%, P(U-iT-sec) = 100.0%
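The arithmetic behind slides 8 and 9, as an added example that is not part of the original slides. It assumes iTrace messages within one second are independent, that all traffic toward a victim is attack traffic, and that "normal" traffic can be treated as one destination class with I = 0; the function and constant names are hypothetical.

```python
def p_itrace(traffic, intention, dest):
    """PiTrace(dest) = Ptraffic(dest)*I(dest) / sum over n of Ptraffic(n)*I(n)."""
    weight = sum(traffic[n] * intention[n] for n in traffic)
    if weight == 0:               # every I(n) is 0: no iTrace is generated
        return 0.0
    return traffic[dest] * intention[dest] / weight

def p_useful_per_sec(p_useful, itrace_per_sec):
    """P(U-iT-sec): at least one useful message among this second's iTraces.
    Assumes messages are independent (an assumption of this example)."""
    return 1.0 - (1.0 - p_useful) ** itrace_per_sec

def compare(traffic_pps, intention, victim, trigger_every=20_000):
    """Return (plain, intention-driven) pairs of (P(U-iTrace), P(U-iT-sec))."""
    rate = sum(traffic_pps.values()) / trigger_every   # iTrace messages/sec
    everyone = {n: 1 for n in traffic_pps}             # plain iTrace: no filtering
    out = []
    for bits in (everyone, intention):
        p = p_itrace(traffic_pps, bits, victim)
        out.append((p, p_useful_per_sec(p, rate)))
    return tuple(out)

# Slide 8: traffic shares and intention bits for destinations V, B, C, D.
SLIDE8_TRAFFIC = {"V": 0.02, "B": 0.48, "C": 0.25, "D": 0.25}
SLIDE8_INTENT = {"V": 1, "B": 0, "C": 0, "D": 1}

# Slide 9: packets/sec through one router; "normal" is treated here as a
# single destination class with I = 0 (assumption of this example).
SLIDE9_PPS = {"victim1": 4_000, "victim2": 50_000, "normal": 146_000}
SLIDE9_INTENT = {"victim1": 1, "victim2": 1, "normal": 0}

if __name__ == "__main__":
    print(f"slide 8: PiTrace(V) = {p_itrace(SLIDE8_TRAFFIC, SLIDE8_INTENT, 'V'):.4f}")
    for v in ("victim1", "victim2"):
        (p0, s0), (p1, s1) = compare(SLIDE9_PPS, SLIDE9_INTENT, v)
        print(f"{v}: plain {p0:.1%} / {s0:.1%}  intention {p1:.1%} / {s1:.1%}")
```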
10
Issues
  • How to determine the intention bit?
  • Policy to set the bit.
  • How to distribute the intention bits to routers
    globally?
  • Utilize/extend BGP!
  • How to use the intention bits at each router?

11
How to distribute I(n)?
  • YABE (Yet Another BGP Extension)
  • For every BGP route update, we include I(n) as a
    new community attribute
  • 0xiTrace-Intention0x0-1
  • These I(n) values will be forwarded or even
    aggregated by the routers who understand this
    new community attribute.
  • aggregation: I(new) = max I(n)
  • Rate-Limiting on Intention Update
  • should not be more frequent than Keep-Alive
    messages.
  • should not trigger any major route computation.

12
The iTrace Statistics Model
[Diagram: Packet buffering, Routing table lookup, Forward process; iTrace Stochastic Process: "Should this packet be iTraced?", "Yes, we should generate an iTrace for this packet?"]
13
iTrace Trigger
[Diagram: Packet buffering, Routing table lookup, Forward process; iTrace Stochastic Process: "Should we generate an iTrace message now?"; iTrace Trigger: "If yes, pick the Nth packet in the buffer."]
14
A simple design
[Diagram: iTrace Process (per 20K pkts); BGP table with columns I(n) and iTrace bit]
Add two bits to the routing table:
(1). I(n): Intention Bit Value associated with this entry.
(2). iTrace bit: whether we need to generate an iTrace message for this entry now.
16
Handling an iTrace Trigger
[Diagram: iTrace Process; BGP table with columns I(n) and iTrace bit]
  • If all I(n)s are zero, shut off the iTrace
    trigger process.
  • Set the iTrace bit on all the entries with
    I(n) = 1.

17
(1). Before iTrace trigger
Prefix            I(n)  iTrace bit
152.1.23.0/24     1     0
169.20.3.0/24     0     0
192.1.0.0/16      0     0
207.3.4.183/20    1     0
152.1.0.0/16      1     0
155.0.0.0/16      0     0

(2). After iTrace trigger
Prefix            I(n)  iTrace bit
152.1.23.0/24     1     1
169.20.3.0/24     0     0
192.1.0.0/16      0     0
207.3.4.183/20    1     1
152.1.0.0/16      1     1
155.0.0.0/16      0     0
18
(3). After iTrace sent
Prefix            I(n)  iTrace bit
152.1.23.0/24     1     0
169.20.3.0/24     0     0
192.1.0.0/16      0     0
207.3.4.183/20    1     0
152.1.0.0/16      1     0
155.0.0.0/16      0     0
19
Processing Overhead
1/20K: iTrace message trigger occurs
1. Set all the iTrace bits on if I(n) = 1.
Processing for each data packet:
1. If the iTrace flag bit is 1,
   (1). send an iTrace message for this data packet.
   (2). reset all the iTrace bits to 0.
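The two-bit design of slides 14 to 19 as a small model, added here as an example and not taken from the slides or any router implementation. The `Router` class, its method names, longest-prefix lookup and the choice to run the trigger before the lookup of the triggering packet are assumptions; the table entries are those of slide 17.

```python
import ipaddress

# Routing entries copied from the slide-17 table: (prefix, I(n)).
TABLE = [("152.1.23.0/24", 1), ("169.20.3.0/24", 0), ("192.1.0.0/16", 0),
         ("207.3.4.183/20", 1), ("152.1.0.0/16", 1), ("155.0.0.0/16", 0)]

class Router:
    """Hypothetical model of the two-bit design; not router code from the slides."""

    def __init__(self, entries, trigger_every=20_000):
        # strict=False: the slide's 207.3.4.183/20 has host bits set.
        self.rows = [{"net": ipaddress.ip_network(p, strict=False),
                      "intention": i, "itrace": 0} for p, i in entries]
        self.trigger_every = trigger_every
        self.seen = 0
        self.sent = []          # destinations an iTrace message was generated for

    def trigger(self):
        """iTrace trigger: arm every entry with I(n) = 1 (no-op if all are 0)."""
        if not any(r["intention"] for r in self.rows):
            return False
        for r in self.rows:
            r["itrace"] = r["intention"]
        return True

    def lookup(self, dst):
        """Longest-prefix match over the table; None if no route."""
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.rows if addr in r["net"]]
        return max(hits, key=lambda r: r["net"].prefixlen, default=None)

    def forward(self, dst):
        """Per-packet path: returns True if this packet was iTraced."""
        self.seen += 1
        if self.seen % self.trigger_every == 0:   # assumed: trigger runs first
            self.trigger()
        row = self.lookup(dst)
        if row is None or row["itrace"] == 0:
            return False
        self.sent.append(dst)                     # (1) send iTrace for this packet
        for r in self.rows:                       # (2) reset all the iTrace bits
            r["itrace"] = 0
        return True

    def bits(self):
        """Current iTrace-bit column, in table order."""
        return [r["itrace"] for r in self.rows]
```

Because the first packet after a trigger that matches an armed entry is the one traced, destinations with I(n) = 0 never consume an iTrace message, which is what shifts the probability toward the intending victims.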
20
  • Multiple attackers (nodes 25, 95, 117)
  • 25, 24, 16, 0, 112, 124, 125
  • 95, 92, 80, 112, 124, 125
  • 117, 116, 124, 125

21
Summary for Intention iTrace
  • Improve the probability of useful iTrace.
  • Require some minor changes to the router
    forwarding process.
  • Require another BGP extension.
  • We need to verify that this extension will
    interoperate well with existing BGP nodes.
  • The amount of generated iTrace messages should be
    no more than the current iTrace proposal.