Areej AlBataineh - PowerPoint PPT Presentation

1
Tracing Cyber Attacks
  • Areej Al-Bataineh

2
  • Tracing cyber attacks from the practical
    perspective
  • Zhiqiang Gao and Nirwan Ansari
  • IEEE Communications Magazine
  • May 2005
  • http://www.comsoc.org/tutorials/Ansari

3
Outline
  • Introduction
  • IP Traceback
  • Objective
  • Classification of IP Traceback Schemes
  • Evaluation of Representative Schemes
  • Conclusion
  • Future Work

4
Introduction
  • Denial of service (DoS/DDoS) attacks
  • Disrupt legitimate access
  • Cost victims money and productivity
  • Why easy to conduct?
  • Prevalence of attack tools
  • Stateless nature of Internet
  • Address Spoofing (Anonymous Attacks)
  • Gain illegitimate access
  • Hide attack source

5
Intrusion Countermeasure
  • Prevention
  • Source/Network/Victim-based
  • Detection
  • Mitigation
  • Rate limiting/statistical/path-based
  • Response
  • IP Traceback

6
IP Traceback
  • Objective
  • Locate the actual source of attack packets
  • Difficult because of
  • Source Address Spoofing
  • Many attack sources (DDoS)
  • Host in stepping stone chain
  • Reflector
  • Zombie

7
Objectives
  • Grasp global view
  • Classify Traceback schemes
  • Select typical schemes
  • Focus on practicality
  • Foundation for developing efficient and
    effective schemes

8
Classification
9
Evaluation Metrics
  • Based on Practicality
  • Minimum number of packets required for path
    reconstruction
  • The fewer the better
  • The computational overhead
  • A good design minimizes it
  • Effectiveness under partial deployment
  • Deployment implies more cost
  • Robustness
  • The ability to perform tracing reliably under
    adverse conditions

10
Representative Schemes
  • Probabilistic Packet Marking (PPM)
  • Savage et al. (2001)
  • ICMP traceback (iTrace)
  • Bellovin (2000)
  • Source Path Isolation Engine (SPIE)
  • Snoeren et al. (2002)
  • Algebraic-based Traceback Approach (ATA)
  • Dean et al. (2002)
  • Deterministic Packet Marking (DPM)
  • Belenky and Ansari (2003)
  • Overlay-based solution (CenterTrack)
  • Stone (2000)

11
Basic PPM
12
PPM Variants
  • Edge sampling: on a path of length d, the mark written
    by router i (counted from the attacker side) survives
    to the victim with probability p(1-p)^(d-i)

13
PPM Variants
  • Net result in (c) and final result in (d)

14
Analysis of PPM
  • Pros
  • Low router overhead
  • Support for incremental deployment
  • Post-mortem tracing
  • Cons (numbered; later slides refer to these as problems 1-5)
  • (1) Heavy computational load for path reconstruction
  • (2) High false positives
  • (3) Spoofed marking
  • (4) Path length (d) is not known in advance
  • (5) Subverted routers
  • Good for DoS, not for large-scale DDoS
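
The marking and reconstruction behind the PPM slides, written out as an added example for this transcript (it is not code from Savage et al. or from the talk). The routers R1..R6, the marking probability p = 0.04 and the attacker's forged mark ("X1", "X2", 0) are constructed. The block implements edge sampling at each router, the victim's distance-ordered chaining of edges, Savage's bound on the number of packets needed, and shows why a forged mark (problem 3) can only appear beyond the true path, which is also why not knowing d (problem 4) hurts:

```python
"""Edge-sampling probabilistic packet marking (PPM) and the victim's path
reconstruction.  Added example for this transcript, not the paper's code.
Router names, the path, p and the forged mark are constructed."""
import math
import random
from collections import defaultdict

# Constructed attack path, attacker side first; R6 is the router next to the victim.
PATH = ["R1", "R2", "R3", "R4", "R5", "R6"]

def mark_packet(path, p, rng, initial_mark=None):
    """Run one packet through the routers on `path`.  With probability p a router
    overwrites the mark with (itself, -, 0); otherwise it fills in `end` if the
    distance is 0 and then increments the distance.  `initial_mark` is whatever
    the attacker wrote into the marking field before sending (None = nothing)."""
    mark = initial_mark
    for router in path:
        if rng.random() < p:
            mark = (router, None, 0)
        elif mark is not None:
            start, end, dist = mark
            if dist == 0:
                end = router
            mark = (start, end, dist + 1)
    return mark

def reconstruct(marks, max_hops):
    """Victim side: chain edges outward from the victim by distance.  An edge at
    distance k is accepted only if its `end` is the router found at k-1 (the
    single-path form of Savage's distance-consistency pruning)."""
    by_dist = defaultdict(set)
    for m in marks:
        if m is not None:
            start, end, dist = m
            by_dist[dist].add((start, end))
    path, prev = [], None  # at distance 0 the edge ends at the victim itself (None)
    for dist in range(max_hops):
        cands = {s for s, e in by_dist.get(dist, ()) if e == prev}
        if len(cands) != 1:
            break  # nothing seen at this distance yet, or ambiguous
        prev = cands.pop()
        path.append(prev)
    return path  # ordered from the victim outward

def packets_needed(d, p):
    """Savage's bound on the expected number of marked packets the victim must
    collect to see every edge of a path of length d with marking probability p."""
    return math.log(d) / (p * (1 - p) ** (d - 1))

def simulate(n_packets, p, seed, spoof=None):
    """Send n_packets along PATH and reconstruct, allowing one hop more than the
    true path length so that a forged mark becomes visible."""
    rng = random.Random(seed)
    marks = [mark_packet(PATH, p, rng, spoof) for _ in range(n_packets)]
    return reconstruct(marks, len(PATH) + 1)

if __name__ == "__main__":
    print("bound on packets for d=6, p=0.04:", round(packets_needed(6, 0.04)))
    print("honest attacker :", simulate(2000, 0.04, seed=1))
    # Forged mark: every router increments its distance, so the forged edge can
    # only show up beyond R1; a victim that knows d = 6 simply stops there.
    print("forging attacker:", simulate(2000, 0.04, seed=1, spoof=("X1", "X2", 0)))
```

The honest run returns the six real routers; the forging run returns the same six followed by the forged "X1" at distance 6, which is indistinguishable from a genuine seventh hop unless the victim knows d.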

15
Development and Solutions
  • Advanced and Authenticated PPM
  • Proposed by Song et al. (2001)
  • Victim knows the map of upstream routers
  • Solves problems 1, 2, and 3
  • PPM with Non-Preemptive Compensation
  • Proposed by Tseng et al. (2004)
  • Uses counters to compensate for marking information
    lost from upstream routers
  • May address problems 1 and 3, and reduces false
    positives (problem 2)

16
Development and Solutions
  • Problem 4
  • Not easy to resolve in the IP layer
  • d is known at the AS level
  • Problem 5
  • More difficult to resolve
  • To solve, verification of marking info embedded
    by upstream routers should be done
  • No scheme has this feature yet!

17
Basic DPM
18
Analysis of DPM
  • Pros
  • Effectively handles DoS attacks
  • Path reconstruction is simpler
  • Cons
  • High false positives for DDoS attack
  • Cannot identify the ingress router if attacker
    uses different source IP addresses for each packet

19
Development and Solutions
  • Tracing Multiple Attackers with DPM
  • Proposed by Belenky and Ansari (2003)
  • Uses a hash function to encode the identity of the
    ingress edge router in the marks
  • Victim uses this identity to group marks from the
    same source, which works better than PPM
  • Far fewer false positives than PPM
  • Handles reflector-based DDoS
  • Subverted routers (problem 5) remain unaddressed
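
The DPM behaviour described on the last three slides, as an added example written for this transcript rather than code from Belenky and Ansari. It simulates the basic scheme (the ingress edge router writes one 16-bit half of its own address into the ID field and uses the reserved flag bit to say which half), shows why per-packet source spoofing defeats pairing by source and why blind pairing under DDoS gives N*N candidates, and then the multi-attacker idea of grouping halves by a digest of the router address. The edge-router and attacker addresses are constructed, and the 32-bit digest carried alongside each half is an assumption standing in for the paper's much tighter mark layout:

```python
"""Deterministic packet marking (DPM) end to end: ingress router marking and
three victim-side reassembly strategies.  Added example for this transcript,
not the authors' code.  Addresses are constructed; the 32-bit digest in the
multi-attacker variant is an assumption, not the paper's bit layout."""
import hashlib
import ipaddress
import random
from collections import defaultdict
from itertools import product

INGRESS = ["203.0.113.7", "198.51.100.21", "192.0.2.99"]  # constructed edge routers

def split_halves(addr):
    n = int(ipaddress.IPv4Address(addr))
    return n >> 16, n & 0xFFFF

def join_halves(hi, lo):
    return str(ipaddress.IPv4Address((hi << 16) | lo))

def digest(addr):
    """Assumed 32-bit tag letting the victim group halves from the same router."""
    return int.from_bytes(hashlib.sha256(addr.encode()).digest()[:4], "big")

def ingress_mark(router_addr, rng):
    """Edge router: flag 0 carries the high half, flag 1 the low half."""
    flag = rng.randrange(2)
    return flag, split_halves(router_addr)[flag]

def attack_packets(n_attackers, per_packet_spoof, seed, n=40):
    """Constructed traffic: attacker a sits behind INGRESS[a].  Each packet is
    (src_ip, flag, half, digest); the basic scheme ignores the digest field."""
    rng = random.Random(seed)
    pkts = []
    for a in range(n_attackers):
        for i in range(n):
            src = f"10.{a}.0.{i}" if per_packet_spoof else f"10.{a}.0.1"
            flag, half = ingress_mark(INGRESS[a], rng)
            pkts.append((src, flag, half, digest(INGRESS[a])))
    return pkts

def reconstruct_basic(pkts):
    """Basic DPM: the only key the victim has for pairing two halves is the
    packet's (spoofable) source address."""
    seen = defaultdict(lambda: [None, None])
    for src, flag, half, _ in pkts:
        seen[src][flag] = half
    return {join_halves(hi, lo) for hi, lo in seen.values() if None not in (hi, lo)}

def reconstruct_blind(pkts):
    """What a victim under DDoS with random sources is reduced to: combine every
    high half with every low half, so N routers yield N*N candidate addresses."""
    his = {h for _, f, h, _ in pkts if f == 0}
    los = {h for _, f, h, _ in pkts if f == 1}
    return {join_halves(hi, lo) for hi, lo in product(his, los)}

def reconstruct_digest(pkts):
    """Multi-attacker DPM in outline: group halves by router digest, then keep
    only combinations whose own digest matches (also rejects digest collisions)."""
    groups = defaultdict(lambda: (set(), set()))
    for _, flag, half, dg in pkts:
        groups[dg][flag].add(half)
    found = set()
    for dg, (his, los) in groups.items():
        for hi, lo in product(his, los):
            addr = join_halves(hi, lo)
            if digest(addr) == dg:
                found.add(addr)
    return found

if __name__ == "__main__":
    print("1 attacker, fixed source :", reconstruct_basic(attack_packets(1, False, 1)))
    print("1 attacker, random source:", reconstruct_basic(attack_packets(1, True, 1)))
    ddos = attack_packets(3, True, 1)
    print("3 attackers, blind pairing :", len(reconstruct_blind(ddos)), "candidates")
    print("3 attackers, digest pairing:", sorted(reconstruct_digest(ddos)))
```

With one attacker behind a fixed source the basic scheme recovers the ingress router; once the source changes every packet it recovers nothing, and blind pairing of three routers' halves produces nine candidates of which six are false. Grouping by digest returns exactly the three ingress routers.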

20
iTrace
21
Analysis of iTrace
  • Marking procedure similar to PPM
  • Shares pros and cons
  • Differences
  • Requires additional bandwidth
  • More marking bits can be used (solves problems 1 and 2)
  • Needs far fewer ICMP messages for path
    reconstruction than PPM needs marked packets

22
Comparison of ICMP and PPM
23
Development and Solutions
  • Intention-Driven ICMP traceback technology
  • Proposed by Mankin et al (2001)
  • Adds some intelligence to the marking procedure
  • Path reconstruction completes quickly
  • Solves problems 1 and 2
  • Problem 3 may be addressed using PKI, but this
    increases overhead at routers
  • Further work on problems 4 and 5 is needed

24
Basic SPIE
25
Analysis of SPIE
  • Deterministic logging scheme
  • Pros
  • Supports advanced functions such as single-packet
    tracing and tracing of transformed packets (wireless)
  • Cons
  • Requires additional infrastructure
  • Incurs very heavy computational, management, and
    storage overhead
  • Not scalable
  • Limited applicability
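
The logging and query side of SPIE, as an added example for this transcript rather than the SPIE implementation. Each router keeps a Bloom-filter digest table of the packets it forwarded; the digest covers the IPv4 header with the hop-mutable fields (ToS, TTL, header checksum) masked plus the first 8 bytes of payload, so the same packet hashes identically at every hop; the victim then walks upstream, asking only neighbours whose table contains the digest. The topology, the packets and the filter parameters are constructed, IP options and SPIE's time windows are not modelled, and the single-packet trace it demonstrates is exactly the "advanced function" the slide credits SPIE with:

```python
"""Hash-based logging in the style of SPIE and the victim's hop-by-hop query.
Added example for this transcript, not SPIE's code.  Topology, packets and
Bloom filter sizes are constructed; time windows and IP options are ignored."""
import hashlib
import struct
from collections import deque

class BloomFilter:
    """Digest table: m bits, k positions per entry derived from one SHA-256."""
    def __init__(self, m=4096, k=3):
        self.m, self.k, self.bits = m, k, bytearray(m // 8)

    def _positions(self, digest):
        h = hashlib.sha256(digest).digest()
        return [int.from_bytes(h[4 * i:4 * i + 4], "big") % self.m for i in range(self.k)]

    def add(self, digest):
        for pos in self._positions(digest):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, digest):
        return all((self.bits[pos // 8] >> (pos % 8)) & 1 for pos in self._positions(digest))

def checksum(data):
    """RFC 1071 one's-complement sum over an even-length byte string."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_packet(src, dst, ttl, payload, ident=0x1234):
    """Minimal 20-byte IPv4 header (protocol UDP) with a valid checksum."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, 17, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload

def forward(pkt):
    """One router hop: decrement TTL and refresh the header checksum."""
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]

def packet_digest(pkt):
    """SPIE-style digest: header with ToS, TTL and checksum masked, plus the
    first 8 bytes of payload.  IP options are not handled here."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = 0                # ToS / DSCP
    hdr[8] = 0                # TTL
    hdr[10:12] = b"\x00\x00"  # header checksum
    return hashlib.sha256(bytes(hdr) + pkt[ihl:ihl + 8]).digest()[:8]

# Constructed topology: attacker -> R1 -> R2 -> R4 -> victim; R3 is a side branch.
TOPOLOGY = {
    "victim": ["R4"], "R4": ["R2", "R3", "victim"], "R3": ["R4"],
    "R2": ["R1", "R4"], "R1": ["attacker", "R2"],
}

def trace(topology, tables, victim, pkt):
    """Walk upstream from the victim, following only neighbours whose digest
    table claims to have seen the packet.  Returns (downstream, upstream) links."""
    dg = packet_digest(pkt)
    links, frontier, seen = [], deque([victim]), {victim}
    while frontier:
        node = frontier.popleft()
        for nbr in topology[node]:
            if nbr not in seen and dg in tables.get(nbr, ()):
                seen.add(nbr)
                links.append((node, nbr))
                frontier.append(nbr)
    return links

def run_attack():
    """Log constructed background traffic at every router, push one spoofed
    attack packet along its real path, then trace it from the victim."""
    tables = {r: BloomFilter() for r in ("R1", "R2", "R3", "R4")}
    for r in tables:
        for i in range(3):  # constructed background packets
            tables[r].add(packet_digest(ipv4_packet("192.0.2.%d" % i, "198.51.100.1", 64, b"noise")))
    pkt = ipv4_packet("10.9.9.9", "203.0.113.5", 64, b"ATTACK-PAYLOAD")  # spoofed source
    for r in ("R1", "R2", "R4"):
        tables[r].add(packet_digest(pkt))
        pkt = forward(pkt)
    return trace(TOPOLOGY, tables, "victim", pkt)  # victim queries with the packet as received

if __name__ == "__main__":
    print(run_attack())
```

The trace follows victim, R4, R2, R1 and never enters R3, whose table only holds background traffic; the spoofed source address plays no part, which is the point of logging over marking. The per-router storage this needs for every packet in every interval is the "very heavy storage overhead" the slide lists as a con.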

26
Development and Solutions
  • Large-scale IP traceback
  • Proposed by Li et al (2004)
  • Logging scheme based on packet sampling
  • Constructs the attack tree by correlating samples
  • Scales well to 5,000 attack sources

27
Basic Center-Track
28
Analysis of Center-Track
  • Pros
  • Handles DDoS
  • Cons
  • Imposes a heavy management burden on the network
  • Consumes network resources (bandwidth,
    processing capacity) to maintain the tunnels
  • Not scalable
  • Limited applicability

29
Development and Solutions
  • Secure Overlay Service (SOS)
  • A related defensive method
  • Proactive approach
  • Employs intensive filtering and anonymity
  • Effectively mitigates DDoS attacks
  • No false positives
  • Low exposure to compromised routers

30
Conclusion/Future Work
  • IP traceback technology is only the first step
    toward tackling DoS/DDoS attacks
  • An ideal tracing scheme balances the trade-offs
    between the evaluation metrics
  • Identify indirect sources of DDoS
  • Identify attackers who use stepping stones
  • Integrate IDS with traceback
  • Automatic traceback
  • Scalability

32
Questions?