The ISP has to perform a traceback as well as identify the attack completely on its own.
Overview of Traceback Mechanism a nd Their Applicability IEICE Transactions on Information and Systems, Volume E94.D, Issue 11, pp. 2077-2086 (2011) Heung-Youl Youm Ibnu Mubarok – 2012.04.09
Introduction• Goal of the paper – overview. – base understanding of existing traceback mechanism• IP Traceback• Taxonomy• Existing traceback mechanism• Comparison• Conclusion
IP Traceback• Locate the origin of a packet.• It’s complicated since IP address can be forged or spoofed.• IP Traceback used only for identification of the sources of the offending packets during and after the attack.• Mainly used to trace the DDoS, where the packet (attacker) came from.• In general, IP traceback is not limited only to DoS and DDoS attacks.
Taxonomy• Taxonomy of traceback in Autonomous System – Intra-AS – Inter-AS• Capabilities of traceback mechanism• Currently there are proposed standards being reviewed in ITU-T
Controlled Flooding• Generating a burst of network traffic from the victim’s network to the upstream network segments.• Observe the effect of this flooding.• Flooding a link will cause all packets, including packets from the attacker, to be dropped with the same probability.• if a given link were flooded, and packets from the attacker slowed, then this link must be part of the attack path.• Do this recursively to upstream routers until the attack path is discovered.• Only valid for DoS attacks
Input Debugging• Link-testing mechanism• Already exist on many routers• Router aware of common characteristic of the attack packet (signature)• Repeated hop-by-hop at every upstream router in network until the source or another ISP is reached
Overlay Network – (Center Track)• Forwards packets to a certain network point where they are monitored in the network• The tracking router (TR) monitors all traffic that passes through the network.
Probabilistic Packet Marking• Routers mark packets that pass through them with their addresses, a part of their addresses or edge (marking)• Those modified packets are analyzed at the victim node for path reconstruction.• This scheme is aimed primarily at DoS and DDoS attack as it needs many attack packets to reconstruct the full path.• It use 16-bit identification field in IP header to store router’s address.• Not every packet, but some packet with certain probability (ex 1/25)
Deterministic Packet Marking• Only the ingress router on the attack path marks every packet passing through it with its router IP address.
Packet Messaging - ICMP Traceback (iTrace)• Every router on the network is pick a packet probabilistically and generate an ICMP traceback message directed to the same destination as the selected packet.• The iTrace message consists of the next and previous hop information, and a timestamp• TTL field is set to 255, and is then used to identify the actual path of the attack
Packet Logging – (hash based)• Packet Logging Each router logs information (signature) of all IP packets that traverse through it Enormous amount of storage space• Stores 20 byte IPv4 header + 8 byte payload = 28 byte packet information• Using hash followed by Bloom filtering process reduced size + provide privacy against eavesdropping• Every router captures partial packet information of every packet that passes through the route, to be able in the future to determine if that packet passed through it.• Three function in SPIE : • STM • SCAR • DGA
Hybrid Traceback• Combines the some traceback technique• Packet Marking + Packet Logging• Partially record network path information at routers and in packets.• DLL ( Distributed Link-List ) : store, mark, forward• Fixed size marking field is allocated in each packet.
Evaluation Criteria• Degree of ISP involvement• Number of packets required for traceback• Memory requirement• Processing overhead for traceback• Degree of bandwidth increase• Ability to handles massive DDoS attacks• Misuse by attacker• Knowledge of network topology• Robustness of traceback• Effect of partial deployment• Scalability• Number of functions needed to implement traceback• Capability to trace transformed packets
Conclusion• Practical way to track the massive DDoS is to use a Traceback technique.• For the problem of IP traceback, several solutions have been proposed. Each has its own advantages and disadvantages. No ideal scheme.• Current technology has good Intrusion detection and prevention systems for protect system. Do we really need a ‘location’ of the attacker too? Is it only for Law enforcement and military people this traceback thing?