Agenda

1
Agenda

• Last time finished brief overview of
  buffer-overflow attacks
• Today IP Traceback

2
What and Why

• IP Traceback
• operation of tracing the source of an IP packet
• Why is this important and useful?
• If done properly, can be used to limit DDoS
  attacks
• Post-mortem analysis, investigation into other
  kinds network of attacks
• Potential drawback?
• Abused by repressive regimes/organization
• Why is it difficult?
• Potentially resource-intensive, target for DoS
  itself
• Internet is stateless
• Backward compatibility (think of source-routing)
• Avoid the new scheme itself being spoofed
• The true identity of an attacker may be
  unknown, still

3
Overview of existing approaches

1. Ingress filtering
2. Input debugging
3. Controlled flooding
4. Logging
5. ICMP traceback
6. Probabilistic Packet Marking (PPM)
7. Hash-based one of your reading assignments

4
Ingress filtering

• Routers block packets that arrive with
  illegitimate sources addresses
• Requires the interface to be configured with a
  range of valid IPs
• Quite feasible at customer network at the edge
• Drawbacks
• At higher level ISP, traffic load is higher,
  valid IP range is ambiguous
• With hundreds or thousands of customers, one can
  forge IP of another without much troubles
• Not all ISPs do this. Many dont because theres
  administrative burden, no economic incentive,
  interfere with services requiring spoofing
  (mobile IP)

5
Input debugging

• Use input debugging feature of routers to do
  traceback
• Input debugging allows operators to filter
  particular packets (with some kind of signature)
  on some egress port and determine which ingress
  port they come from
• Manually call the upstream router operator
• Automatically some ISPs have tools to do this
• Drawbacks
• Often too slow
• Management overhead
• Coordination with other ISPs is difficult, and
  very slow

6
Controlled Flooding

• Selectively flood a link to observe attack
  traffic, with the help of some Internet map
• This does not require intermediate operator
  intervention
• Drawbacks
• This is a form of DoS itself
• Requires the map, which itself is non-trivial
• Poorly suited for DDoS
• Only effective for on-going attacks, cannot be
  use for post-mortem analysis

7
ICMP Traceback

• Every router samples with low probability (1/20K)
  one of the packets its forwarding
• Copy the content into a special ICMP traceback
  along the path to the destination, containing
• Back link, forward link, authentication,
• Destination then use this info to do traceback
• Drawbacks
• ICMP traffic is also differentiated and may be
  filtered
• Requires input-debugging which may not be
  available in some router architecture
• Requires key distribution architecture to avoid
  itself being attacked
• However, this is quite effective

8
Probabilistic Packet Marking (PPM)

• Idea proposed by Burch Cheswick
• First scheme proposed by Stefan Savage et al
• Well look at this idea in details

9
PPM Assumptions

• An attacker may generate any packet
• Multiple attackers may conspire
• Attackers are aware that theyre being traced
• Packets may be lost or re-ordered
• Attackers send numerous packets
• Route between attacker(s) and receiver is fairly
  stable
• Routers and both CPU and memory limited
• Routers are not widely compromised
• Compatible with current IP protocol

10
PPM Node Append

• The most basic algorithm
• Each router appends its IP into the packet
• Pros
• Robust and quick to converge
• Cons
• High router overhead
• Interfere with MTU discovery, IP fragmentation,

11
PPM Node sampling

• Reserve some 32-bit field in each IP packet
• A router randomly puts its IP in this field with
  probability p
• Victim receive multiple packets, use this
  database to approximately reconstruct the path.
  How?
• Probability of receiving a packet d hops away is
  p(1-p)d-1, p shoulde be gt ½.
• This probability is monotonic in d, we can use
  the frequency of IPs to reconstruct path to the
  destination
• Drawbacks
• Inferring is a slow process
• Requires a sufficient number of received packets,
  e.g. for d15, p 0.51, we need 42000 packets
  before the furthest router is seen at the
  target
• Not effective against multiple attackers routers
  at the same distance from different source are
  sampled with the same rate

12
PPM Edge Sampling

• Idea sample the edges on the paths instead of
  nodes
• Reserve 2 32-bit fields on every packet, FROM
  TO
• One more field (8 bits) called HOP
• Sampling is done as follows. Fix a probability p
• Chose x at random in 0, 1)
• If x lt p then write IP into packet.FROMElse
  if packet.HOP 0 then write IP
  into packet.TO packet.HOP

13
PPM Edge Sampling

• Time to converge dominated by time to receive a
  sample from the furthest router, roughly
  1/p(1-p)d-1
• Expected number of packets required to work
  properly is at most ln(d)/p(1-p)d-1
• Choose p 1/d for optimal result
• In practice, choose p1/25 (as path lengths often
  lt 25)
• Pros
• Single attacker any packet written by attacker
  will necessarily has distance at least the
  distance of true attack path
• Multiple attacker the above applies to the
  closest attacker
• Quite robust
• Cons
• Not backward compatible (requires gt 64 more bits)

14
Encoding Issues

• Compress edge segment sampling 3 techniques
• Next router fills FROM XOR TO into the 32-bit
  space
• Partition address into k fragments, sends
  fragment along with fragment offset, next-hop
  router use the the offset to send the right
  fragment. Over time, all fragments of all edge
  IDs are received.
• XORing makes edge ID not unique, compute a hash
  of an IP, interleave it with actual IP, then do
  fragmentation
• Expected of packets needed to reconstruct path
  is k ln(kd)/p(1-p)d-1
• For instance, if k8, d10, p1/25, then we need
  about 1300 packets on average
• In practice overload 16-bit identification field
  in each IP packet with 3-bit offset (k8), 5 bit
  distance (32 hops), 8-bit edge fragment

15
Formalization of the Problem

• b number of extra header bits in each packet
• n number of bits used to describe a path
• Investigate the tradeoff between b, convergence
  time, and total number of packets needed to
  reconstruct the attack path(s) with high
  probability

16
Interesting Results by Micah Adler

• Single path attacks
• b1 works! Requires ?((2e)2n) packets for any e
• Showed that, for b1, ?(2n) packets is necessary
• For general b, Adler gave a protocol that
  usesO(bn22b(2e)4n/2b) packets, and showed
  ?(2b2n/2b) is necessary
• Multiple path attacks, say k paths
• At least log(2k-1) header bits is needed
  regardless of the number of received packets
• For a restricted class of attacker strategies,
  log(2k1) bits are sufficient

17
Open Problems

• Close the upper-lower bound gap when b1, single
  path attack
• For multiple path attacks, theres still a lot to
  be done, e.g.
• Devise protocols for all attackers strategies
• Computational complexity has not been addressed
  properly

18
Brainstorming

• What kind of information does the victim need?
• Where can we store this information?
• How can the routers be instructed to store this
  information?
• This is the protocol
• How effective is the protocol? This requires
  probabilistic analysis, information theoretic
  analysis
• Drawbacks of PPM-related schemes?
• Requires large number of packets
• Not exact science

19
A Simple Model for Upper Bounding

• Assumptions to be relaxed later
• Packet delivery paths form a tree rooted at the
  victim v
• Assume the tree is full-binary, depth n
• Each path can be encoded with B1B2Bn
• Want routers to send victim the string B1B2Bn
• Protocol
• Idea encode the string into a probability of
  victim receiving bit-1 packets
• Whats the most natural way to do this?
• Probpacket with bit-1 received the binary
  number represented by B1B2Bn divided by 2n, i.e.
• How do we realize this?

20
A Simple Protocol

• Each router knows its bit Bi
• With probability ½, it forwards the bit as it is
• With probability ½, it set the bit to be Bi
• If original bit is 0, then p is as expected
• If original bit is 1, then p is as expected
  1/2n
• Need to fix this case
• Next time Ill talk a little bit about
  information theory