10-10-2014, 04:50 PM
IP Traceback based on Packet Marking and Logging
1408228505-PacketMarking.pdf (Size: 705.29 KB / Downloads: 28)
Introduction
The goal of IP traceback is to trace the path of an IP packet back to its origin.
● The most important use of IP traceback is to deal with certain denial-of-service (DoS) attacks, where the source IP address is spoofed by attackers.
● Identifying the sources of attack packets is a significant step in making attackers accountable.
Packet Marking
The router marks packets with its identification information as they pass through it.
● The mark overloads a rarely used field in the IP packet header, i.e., the 16-bit IP identification field.
● The identification of a router could be its 32-bit IP address, a hash value of its IP address, or a uniquely assigned number.
Probabilistic Packet Marking
Since the marking space in the packet header is too small to record the entire path, routers mark packets with some probability, so that each marked packet carries the information of one node in the path.
● Due to its probabilistic nature, it can only trace traffic that consists of a large volume of packets.
Packet Logging
Packets are logged at each router through which they pass.
● Hash-based IP traceback stores packet digests, instead of the packets themselves, in a space-efficient data structure, the Bloom filter.
● For each arriving packet, the router uses the first 24 invariant bytes of the packet (the 20-byte IP header with 4 bytes masked out) plus the first 8 bytes of payload as input to the digesting function.
● The 32-bit packet digest is stored in the digest table, which is realized with a Bloom filter.
Hybrid IP Traceback
We propose to develop a hybrid IP traceback approach based on both packet marking and packet logging.
The motivation is to develop an IP traceback approach that has the advantages of both packet marking and packet logging.
In our approach, each traceback-enabled router can commit both marking and logging operations on packets.
● For each arriving packet, routers always commit the marking operation, but commit the logging operation only when needed (generally alternately, so that a packet is logged at every other traceback-enabled hop).
● Traceback-enabled routers audit traffic, and a traceback server (or multiple servers in a hierarchy) that has the network topology information constructs the attack graph by querying routers.
Hybrid IP Traceback: Router Operation
The marking operation on a packet is to mark the packet with the router's identification information.
● The logging operation on a packet is to record the packet digest together with the mark (the identification of the previous router) carried by the packet.
● Every router is assigned an ID number of 15 bits in length.
● In the hybrid IP traceback approach, the router ID number is used only to differentiate the neighbor routers of a router, so the same ID number can be assigned to any two routers as long as they are more than 2 hops apart.
Hybrid IP Traceback: Attack Graph Construction
If a router committed the logging operation on an attack packet, examining the digest tables at that router will not only confirm that the router is in the attack path, but also identify its upstream router in the attack path, because the mark recorded with the digest is the upstream router's ID.
● The attack graph can be constructed by using the two methods alternately: a logged mark points directly to the upstream router, and at a router that did not log the packet, the digest tables of its neighbors are examined to find the next router in the path.
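To make the hash-based logging slide and the hybrid router operation and attack graph slides concrete, here is an added Python simulation. It is not the paper's or the forum poster's code. It assumes the following, none of which the slides state: the 4 masked header bytes are TOS, TTL and the header checksum (and the identification field is masked as well, since the marking operation rewrites it at every hop); the digest function is SHA-256 truncated to 32 bits; the spare 16th bit of the identification field is used as a "logged at the previous hop" flag to realize the alternating logging; and each router keeps one Bloom filter per incoming mark, so that a digest match also yields the upstream router's ID. The topology, router IDs, addresses and payload are constructed for the demo.

```python
import hashlib
import struct

ID_MASK = 0x7FFF    # 15-bit router ID inside the 16-bit identification field
LOG_FLAG = 0x8000   # assumed: the spare bit means "logged at the previous hop"


def invariant_bytes(pkt: bytes) -> bytes:
    """Digest input: 20-byte IPv4 header with mutable bytes zeroed plus the first
    8 payload bytes. Which bytes are masked is an assumption: TOS, TTL and checksum
    change hop by hop; the identification field is rewritten by marking."""
    hdr = bytearray(pkt[:20])
    hdr[1] = 0                  # TOS
    hdr[4:6] = b"\x00\x00"      # identification (marking field)
    hdr[8] = 0                  # TTL
    hdr[10:12] = b"\x00\x00"    # header checksum
    return bytes(hdr) + pkt[20:28].ljust(8, b"\x00")


def digest32(pkt: bytes) -> int:
    """32-bit packet digest (SHA-256 truncated to 4 bytes; assumed choice)."""
    return int.from_bytes(hashlib.sha256(invariant_bytes(pkt)).digest()[:4], "big")


class BloomFilter:
    """Digest table: k bit positions per digest, no false negatives, and a small
    false-positive rate that grows with the number of digests stored."""

    def __init__(self, m_bits: int = 1 << 16, k: int = 3):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)

    def _positions(self, digest: int):
        for i in range(self.k):   # k independent hashes via a per-index salt
            h = hashlib.blake2b(digest.to_bytes(4, "big"), digest_size=4, salt=bytes([i]))
            yield int.from_bytes(h.digest(), "big") % self.m

    def add(self, digest: int) -> None:
        for p in self._positions(digest):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, digest: int) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(digest))


class Router:
    def __init__(self, name: str, rid: int):
        self.name, self.rid = name, rid & ID_MASK
        self.neighbors: dict[int, "Router"] = {}   # neighbor's router ID -> Router
        self.tables: dict[int, BloomFilter] = {}   # incoming mark -> digest table

    def process(self, pkt: bytes) -> bytes:
        """Always mark; log only when the previous hop did not (alternating)."""
        mark_in = struct.unpack("!H", pkt[4:6])[0]
        log_here = not (mark_in & LOG_FLAG)
        if log_here:   # logging records the digest together with the carried mark
            self.tables.setdefault(mark_in, BloomFilter()).add(digest32(pkt))
        out = bytearray(pkt)
        out[8] = max(out[8] - 1, 0)   # TTL decrement; masked, so the digest is stable
        struct.pack_into("!H", out, 4, self.rid | (LOG_FLAG if log_here else 0))
        return bytes(out)

    def lookup(self, digest: int):
        """Mark under which this digest was logged here, or None if not logged."""
        for mark, table in self.tables.items():
            if digest in table:
                return mark
        return None


def trace_path(last_router: Router, victim_pkt: bytes) -> list:
    """Traceback server with full topology: a logged mark names the upstream hop
    directly; where the current router did not log, neighbors' tables confirm it."""
    d = digest32(victim_pkt)
    path, current = [], last_router
    while current is not None:
        path.append(current.name)
        mark = current.lookup(d)
        if mark is not None:
            current = current.neighbors.get(mark & ID_MASK)  # None: ingress router
        else:
            hits = [n for n in current.neighbors.values()
                    if n.name not in path and n.lookup(d) is not None]
            current = hits[0] if hits else None
    return path


def build_packet(src: bytes, dst: bytes, ident: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet for the demo (header checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       0, 64, 17, 0, src, dst) + payload


def demo() -> list:
    # Chain R1-R2-R3-R4; R1 and R4 reuse ID 1, which is allowed at 3 hops apart.
    r1, r2, r3, r4 = Router("R1", 1), Router("R2", 2), Router("R3", 3), Router("R4", 1)
    for a, b in ((r1, r2), (r2, r3), (r3, r4)):
        a.neighbors[b.rid], b.neighbors[a.rid] = b, a
    pkt = build_packet(bytes([203, 0, 113, 9]), bytes([198, 51, 100, 7]), 0x1234, b"constructed")
    for r in (r1, r2, r3, r4):      # packet travels from the spoofing host to the victim
        pkt = r.process(pkt)
    return trace_path(r4, pkt)      # ['R4', 'R3', 'R2', 'R1']
```

Calling `demo()` returns the reconstructed path from the victim's router back to the ingress router. Because the ingress router logged the packet under the attacker-supplied identification value, which matches none of its neighbors' IDs, the walk stops there: the path is recovered from a single packet, which probabilistic marking alone cannot do. The Bloom filter keeps the storage per logged packet to k bits, at the cost of occasional false positives that a real traceback server would have to rule out by cross-checking neighboring routers.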