
A DoS-Resistant IP Traceback Approach

Bao-Tung Wang, Henning Schulzrinne IRT, Columbia University Friday, September 12, 2003

Overview

♦ Definitions
♦ ICMP Caddie Messages
♦ IP Traceback Using Caddie Messages
♦ Evaluations
♦ Conclusion

Introduction

♦ DoS (Denial-of-Service)
♦ DDoS (Distributed DoS) Attacks
– Direct DDoS
– Reflective DDoS
♦ IP Traceback

[Figure: three attack topologies. Simple DoS: Attacker → Victim. Direct DDoS Attack: Attacker → Masters (Handlers) → Slaves (Daemons) → Victim. Reflective DDoS Attack: Attacker → Masters (Handlers) → Slaves (Daemons) → Reflectors → Victim.]
Proposed Solutions

[Figure: taxonomy of DoS attacks and the proposed solutions]
Targets:   Network Connectivity; Network Bandwidth; Network Infrastructure
Attacks:   TCP SYN Flooding; Packet Flooding; Packet Dropping; Counterfeit Routing Advertisement
Solutions: Network Protocol Improvement; System Tuning; Packet Filtering; IP Traceback
Problems of Existing Solutions

Categories                  | Examples          | Bandwidth Overhead | Storage Overhead | Computation Overhead
----------------------------|-------------------|--------------------|------------------|---------------------
Link Testing                | Router Inference  | Very High          | Low/Low          | Low/Low
Logging                     | SPIE              | Fair               | Very High/Low    | Fair/Low
Overlaying                  | CenterTrack       | High               | Low/Low          | Low/Low
In-Band Marking             | PPM               | None               | None/Very High   | Low/Very High
In-Band Marking             | AAM               | None               | Low/High         | Low/High
Out-of-Band ICMP Messaging  | iTrace            | High               | None/High        | Low/Very High
Out-of-Band ICMP Messaging  | ID-iTrace         | High               | High/Fair        | Low/High
Out-of-Band ICMP Messaging  | iCaddie           | Fair               | Low/Low          | Low/Fair

(A/B indicates the overhead in the network is A and that at the destination is B)

ICMP Caddie Messages

♦ Ball Packets
♦ Caddie Messages
♦ Caddie Initiators
♦ Caddie Propagators

[Figure: traffic sources send ball packets through Caddie Initiator routers and then Caddie Propagator routers to the Attack Victim/Tracer; the corresponding Caddie messages travel alongside the ball packets.]
Caddie Message Generation

♦ Caddie Selector
♦ Caddie Timer
♦ Caddie KeyMaker

[Figure: a Caddie Initiator router with an input port (input queue) and an output port (output queue); the Caddie Selector, Caddie Timer, Caddie Keymaker and Caddie Generator act on the queued packets.]
B. The ball packet
C. The Caddie message
P. Regular packets

1. Trigger ball packet selection
2. Select a ball packet
3. Extract the ball packet
4. Update the Caddie timer
5. Copy the ball packet header
6. Trigger Caddie generation
7. Generate a session key (Optional)
8. Inject Caddie message in the front of output port
Caddie Message Propagation

[Figure: a Caddie Propagator router with an input port (input queue) and an output port (output queue); the Caddie Timer, Caddie Keymaker and Caddie Propagator act on the received Caddie message.]
B. The ball packet
C. The Caddie message
P. Regular packets

1. Receive an ICMP Caddie message in an input port
2. Update the Caddie timer
3. Generate a session key (Optional)
4. Update and inject Caddie message into an output port
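The generation steps (1-8) and propagation steps (1-4) above, run end to end as an added simulation; this is not code from the slides or from the authors' implementation. The class names, the timer policy (at most one ball packet per interval, and the timer reset whenever a Caddie message passes), the digest over source/destination/identification and the queue model are assumptions made for illustration. The HMAC field of each element is left out here; it belongs with the TRKC slide.

```python
"""Caddie Initiator / Propagator / Tracer pipeline (added example, assumptions noted inline)."""
import hashlib
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Packet:
    """A regular packet (P); the one the selector picks becomes the ball packet (B)."""
    src: str
    dst: str
    ident: int            # IP identification field, part of the copied header
    ttl: int = 64


@dataclass
class CaddieMessage:
    """The Caddie message (C); field names follow the message-format slide."""
    source: str
    destination: str
    digest: str           # hash of the copied ball-packet header
    timestamp: int        # set by the Caddie Initiator
    ttl: int = 64         # assumption: the message's own hop budget
    router_list: list = field(default_factory=list)


def header_digest(pkt):
    """DIGEST binds a message to one ball packet (assumption: MD5 over src/dst/id, MD5 being the hash the slides show)."""
    return hashlib.md5(f"{pkt.src}|{pkt.dst}|{pkt.ident}".encode()).hexdigest()


class Router:
    """One hop. An initiator runs generation steps 1-8; every Caddie router runs propagation steps 1-4."""

    def __init__(self, router_id, next_hop, initiator=False, interval=10):
        self.router_id = router_id
        self.next_hop = next_hop
        self.initiator = initiator
        self.interval = interval       # Caddie Timer period (assumption: one ball packet per period)
        self.last_caddie = -interval   # Caddie Timer state
        self.output = deque()          # output port queue; the head is sent first

    def _element(self, prev_id, ttl, now):
        """One ROUTER LIST element (HMAC omitted; see the TRKC slide)."""
        return {"router_id": self.router_id, "prev": prev_id,
                "next_hop": self.next_hop, "ttl": ttl, "timestamp": now}

    def forward(self, item, now):
        """Take one item from the input port and place it on the output port."""
        if isinstance(item, CaddieMessage):
            # Propagation 1-4: receive, update the timer, append own element, re-inject.
            self.last_caddie = now
            item.ttl -= 1
            prev = item.router_list[-1]["router_id"] if item.router_list else item.source
            item.router_list.append(self._element(prev, item.ttl, now))
            self.output.appendleft(item)       # keeps the message ahead of its ball packet
            return
        pkt = item
        pkt.ttl -= 1
        if self.initiator and now - self.last_caddie >= self.interval:
            # Generation 1-8: the timer triggers selection; this packet is the ball packet.
            self.last_caddie = now                                    # step 4
            msg = CaddieMessage(source=pkt.src, destination=pkt.dst,  # step 5: copy the header
                                digest=header_digest(pkt), timestamp=now)
            msg.router_list.append(self._element(pkt.src, pkt.ttl, now))
            self.output.append(pkt)
            self.output.appendleft(msg)                               # step 8: front of the output port
            return
        self.output.append(pkt)


class Tracer:
    """Attack victim/tracer: pairs each Caddie message with the ball packet it describes."""

    def __init__(self):
        self.pending = {}   # digest -> CaddieMessage waiting for its ball packet
        self.paths = {}     # digest -> ordered router ids (the reconstructed path)

    def receive(self, item):
        if isinstance(item, CaddieMessage):
            self.pending[item.digest] = item
            return
        msg = self.pending.pop(header_digest(item), None)
        if msg is not None:
            self.paths[msg.digest] = [e["router_id"] for e in msg.router_list]


def run_trace(n_packets=5):
    """Constructed run: n_packets from one source through R1 (initiator), R2 and R3 (propagators).

    Returns the reconstructed paths and the arrival order of items at the victim."""
    r1 = Router("R1", "R2", initiator=True)
    r2 = Router("R2", "R3")
    r3 = Router("R3", "victim")
    tracer = Tracer()
    for i in range(n_packets):
        r1.forward(Packet("10.0.0.1", "192.0.2.9", ident=i), now=i)
    for hop, nxt in ((r1, r2), (r2, r3)):
        while hop.output:                      # drain each output port into the next hop, in order
            nxt.forward(hop.output.popleft(), now=n_packets)
    arrival = []
    while r3.output:
        item = r3.output.popleft()
        arrival.append(type(item).__name__)
        tracer.receive(item)
    return tracer.paths, arrival
```

With the default timer only the first packet of the interval becomes a ball packet, so one Caddie message is generated; it reaches the tracer before the ball packet and lists R1, R2, R3 in hop order. A propagator that is also an initiator for other traffic resets its timer when a message passes, which is what keeps a second initiator from adding a message for the same flow in the same interval.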
A Caddie Message

ICMP message header:
  TYPE | CODE | CHECKSUM
Caddie message header:
  TIMESTAMP | DIGEST | SOURCE | DESTINATION | SECURITY
First element of the ROUTER LIST (by Caddie Initiator):
  ROUTER ID | PREVIOUS ROUTER ID | NEXT HOP ROUTER ID | TTL | TIMESTAMP | HMAC
Successive ROUTER LIST elements (by Caddie Propagators):
  ROUTER ID | PREVIOUS ROUTER ID | NEXT HOP ROUTER ID | TTL | TIMESTAMP | HMAC
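A wire encoding of the layout above, as an added example that is not the authors' code. The slide gives only the field order: every width, the ICMP type/code value and the 4-byte SECURITY word are assumptions. The checksum is the standard ICMP one's-complement checksum (RFC 1071) over the whole message, so a receiver rejects a corrupted or truncated message before it spends any time on HMAC verification.

```python
"""Pack and parse a Caddie message (added example; field widths and type value are assumptions)."""
import ipaddress
import struct

ICMP_TYPE_CADDIE = 200   # placeholder value: the slides assign no ICMP type
ICMP_CODE_CADDIE = 0

HDR = struct.Struct("!BBH")                # TYPE, CODE, CHECKSUM
CADDIE_HDR = struct.Struct("!I16s4s4sI")   # TIMESTAMP, DIGEST, SOURCE, DESTINATION, SECURITY
ELEMENT = struct.Struct("!4s4s4sB3xI16s")  # ROUTER ID, PREVIOUS, NEXT HOP, TTL, TIMESTAMP, HMAC


def rfc1071_checksum(data):
    """One's-complement sum of 16-bit words; a message carrying a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip4(addr):
    return ipaddress.IPv4Address(addr).packed


def build(timestamp, digest, source, destination, security, elements):
    """elements: iterable of (router_id, prev_id, next_id, ttl, timestamp, hmac16)."""
    body = CADDIE_HDR.pack(timestamp, digest, ip4(source), ip4(destination), security)
    for router_id, prev_id, next_id, ttl, ts, mac in elements:
        body += ELEMENT.pack(ip4(router_id), ip4(prev_id), ip4(next_id), ttl, ts, mac)
    unchecked = HDR.pack(ICMP_TYPE_CADDIE, ICMP_CODE_CADDIE, 0) + body
    return HDR.pack(ICMP_TYPE_CADDIE, ICMP_CODE_CADDIE, rfc1071_checksum(unchecked)) + body


def parse(msg):
    """Return (header dict, element list); raise ValueError on a bad checksum, type or length."""
    if rfc1071_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _ = HDR.unpack_from(msg, 0)
    if typ != ICMP_TYPE_CADDIE or code != ICMP_CODE_CADDIE:
        raise ValueError("not a Caddie message")
    ts, digest, src, dst, sec = CADDIE_HDR.unpack_from(msg, HDR.size)
    off = HDR.size + CADDIE_HDR.size
    if (len(msg) - off) % ELEMENT.size:
        raise ValueError("truncated router list")
    elements = []
    while off < len(msg):
        rid, prev, nxt, ttl, ets, mac = ELEMENT.unpack_from(msg, off)
        elements.append((str(ipaddress.IPv4Address(rid)), str(ipaddress.IPv4Address(prev)),
                         str(ipaddress.IPv4Address(nxt)), ttl, ets, mac))
        off += ELEMENT.size
    header = {"timestamp": ts, "digest": digest, "source": str(ipaddress.IPv4Address(src)),
              "destination": str(ipaddress.IPv4Address(dst)), "security": sec}
    return header, elements


def is_valid(msg):
    try:
        parse(msg)
        return True
    except ValueError:
        return False


def sample_message():
    """Constructed two-hop message with dummy digest and HMACs."""
    mac = b"\x11" * 16
    return build(1063324800, b"\xab" * 16, "10.0.0.1", "192.0.2.9", 1,
                 [("198.51.100.1", "10.0.0.1", "198.51.100.2", 63, 1063324800, mac),
                  ("198.51.100.2", "198.51.100.1", "192.0.2.9", 62, 1063324801, mac)])
```

Because the checksum covers the router list, a propagator that appends an element has to recompute it, which is step 4 of propagation in wire terms. The 16-byte HMAC slot matches the MD5 output length the TRKC slide uses; a longer MAC only changes the ELEMENT layout.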
Time-Release Key Chain (TRKC)

♦ Key Generation
♦ HMAC Calculation
♦ Caddie Message Authentication

[Figure: timeline of session keys K_{t-1}, K_t, K_{t+1}, K_{t+2}; each interval is labelled with MD5(K_t, IP) for its key; Caddie messages C_1 ... C_9 are spread across the intervals and each is authenticated under the key of the interval in which it is sent.]
C_i: Caddie Messages
K_t: Session keys
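The key generation, HMAC calculation and authentication steps on this slide, as an added example that is not the authors' code. It implements the time-release pattern the figure depicts: session keys form a one-way chain, each ROUTER LIST element is HMACed under the key of its interval, and the key is disclosed one interval later so the tracer can verify. The chain direction (generated backwards by hashing so that each released key verifies against the previous one), the release delay d = 1, the out-of-band delivery of the commitment K_0, SHA-256 in place of the slide's MD5, and the rule that an element counts only if it arrived before its key could have been released are all assumptions.

```python
"""TRKC: chained session keys, per-element HMACs, delayed verification (added example)."""
import hashlib
import hmac
import os


def h(data):
    """One-way step of the chain (assumption: SHA-256; the slide shows MD5)."""
    return hashlib.sha256(data).digest()


class CaddieRouter:
    """Router side: owns the chain and HMACs each element with the key of the current interval."""

    def __init__(self, router_ip, n_intervals, seed=None):
        self.router_ip = router_ip
        chain = [seed or os.urandom(32)]      # K_n, the last key that will ever be used
        for _ in range(n_intervals):
            chain.append(h(chain[-1]))        # K_{t-1} = H(K_t)
        self.keys = chain[::-1]               # keys[t] is K_t; keys[0] is the public commitment K_0

    def commitment(self):
        return self.keys[0]

    def sign_element(self, element, t):
        """HMAC calculation over one ROUTER LIST element under the interval-t session key."""
        return hmac.new(self.keys[t], element, hashlib.sha256).digest()

    def release_key(self, t):
        """Disclosed at interval t + d; from then on K_t must not authenticate anything new."""
        return self.keys[t]


class Tracer:
    """Victim side: buffers elements, checks each released key against the chain, then the HMACs."""

    DELAY = 1   # d: assumption, K_t is released one interval after it was last used

    def __init__(self, commitment):
        self.latest_t = 0
        self.latest_key = commitment
        self.buffer = {}        # t -> [(element, mac)]
        self.verified = []

    def receive_element(self, element, mac, t, arrival_interval):
        """Security condition: only elements that arrived before K_t could be public are kept."""
        if arrival_interval >= t + self.DELAY:
            return False
        self.buffer.setdefault(t, []).append((element, mac))
        return True

    def receive_key(self, key, t):
        """Walk the chain from K_t back to the last trusted key; on success verify interval t."""
        if t <= self.latest_t:
            return False
        k = key
        for _ in range(t - self.latest_t):
            k = h(k)
        if not hmac.compare_digest(k, self.latest_key):
            return False                      # not on the chain: a forged key release
        self.latest_t, self.latest_key = t, key
        for element, mac in self.buffer.pop(t, []):
            if hmac.compare_digest(hmac.new(key, element, hashlib.sha256).digest(), mac):
                self.verified.append(element)
        return True


ELEM = b"ROUTER_ID=198.51.100.7|PREV=10.0.0.1|NEXT=203.0.113.2|TTL=63"   # constructed element


def demo():
    """Constructed run: one genuine element, one guessed MAC, one too-late replay, one bogus key."""
    router = CaddieRouter("198.51.100.7", n_intervals=4, seed=b"\x01" * 32)  # fixed seed, repeatable
    tracer = Tracer(router.commitment())
    buffered = tracer.receive_element(ELEM, router.sign_element(ELEM, 2), t=2, arrival_interval=2)
    forged = ELEM.replace(b"PREV=10.0.0.1", b"PREV=10.0.0.99")
    tracer.receive_element(forged, hmac.new(b"guess", forged, hashlib.sha256).digest(),
                           t=2, arrival_interval=2)                       # attacker without K_2
    late = tracer.receive_element(forged, router.sign_element(forged, 2),
                                  t=2, arrival_interval=3)                # attacker who saw K_2 released
    bogus = tracer.receive_key(b"\x00" * 32, t=2)
    accepted = tracer.receive_key(router.release_key(2), t=2)
    return {"buffered": buffered, "late_rejected": not late, "bogus_key_rejected": not bogus,
            "key_accepted": accepted, "verified": tracer.verified}
```

The DoS resistance comes from the order of checks: the tracer stores elements cheaply, does one hash per skipped interval to validate a released key, and only then spends HMAC work on the buffered elements of that interval. Anything signed with a key that is already public is discarded on arrival, so learning K_t late buys an attacker nothing.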
IP Traceback

♦ IP Traceback for Direct DDoS

[Figure: the Attacker reaches the Attack Agents over an Intrusion / Connection Chain; the agents' DoS Traffic toward the Victim passes a Caddie Initiator (CI) and then a series of Caddie Propagators (CP).]
CI - Caddie Initiator
CP - Caddie Propagator
IP Traceback (Cont.)

♦ IP Traceback for Reflective DDoS

[Figure: the Attacker reaches the Attack Agents over an Intrusion / Connection Chain; the agents send Service Request Traffic to the Attack Reflectors, whose Service Response Traffic reaches the Victim. The figure places Caddie Initiators (CI) on the request side and Caddie Propagators (CP) on the response path.]
CI - Caddie Initiator
CP - Caddie Propagator
Evaluations

♦ Incremental Deployment
♦ Scalability

[Figure: incremental deployment. The Source hosts send ball packets through Caddie Initiator routers; downstream, Regular routers (without Caddie support) are interleaved with Caddie Propagator routers, and the corresponding Caddie messages still reach the Attack Victim/Tracer alongside the ball packets.]
Evaluations (Cont.)

♦ Workload Distribution

[Figure: Local networks - ISP - Backbone - Internet Core - ISP - Local networks]

Evaluations (Cont.)

♦ Security
– HMACs
♦ Robustness
– False positives
♦ Political Issues
– ISPs' cooperation
– Privacy

Evaluations (Cont.)

♦ Bandwidth Overhead
– Number of attack packets required
– Number of ICMP messages generated
♦ Storage Overhead
– In the network
– At the victim
♦ Computational Overhead
– In the network
– At the victim

Conclusion

♦ Effective
♦ Secure
♦ DoS-Resistant

Q&A

♦ Thank You Very Much