20-07-2012, 12:39 PM
Network Support for IP Traceback
INTRODUCTION
DENIAL-OF-SERVICE attacks consume the resources of
a remote host or network, thereby denying or degrading
service to legitimate users. Such attacks are among the hardest
security problems to address because they are simple to implement,
difficult to prevent, and very difficult to trace. In the last
several years, Internet denial-of-service attacks have increased
in frequency, severity, and sophistication. Howard reports that
between the years of 1989 and 1995, the number of such attacks
reported to the Computer Emergency Response Team (CERT)
increased by 50% per year [26]. More recently, a 1999 CSI/FBI
survey reports that 32% of respondents detected denial-of-service
attacks directed against their sites [16]. Even more worrying,
recent reports indicate that attackers have developed tools
to coordinate distributed attacks from many separate sites [14].
RELATED WORK
It has been long understood that the IP protocol permits
anonymous attacks. In his 1985 paper on TCP/IP weaknesses,
Morris writes:
“The weakness in this scheme [the Internet Protocol]
is that the source host itself fills in the IP source host id,
and there is no provision in…TCP/IP to discover the true
origin of a packet.” [32]
In addition to denial-of-service attacks, IP spoofing can be
used in conjunction with other vulnerabilities to implement
anonymous one-way TCP channels and covert port scanning
[32], [3], [25], [46].
BASIC MARKING ALGORITHMS
In this section, we describe a series of marking algorithms,
starting from the simplest and advancing in
complexity. Each algorithm attempts to solve the approximate
traceback problem in a manner consistent with our assumptions.
ENCODING ISSUES
The edge-sampling algorithm requires 72 bits of space in
every IP packet (two 32-bit IP addresses and 8 bits for distance,
enough to represent the theoretical maximum number of hops allowed
using IP). It would be possible to directly encode these values
into an MPLS label stack [37], to enable traceback within a
single homogeneous ISP network. However, our focus is on a
heterogeneous environment based purely on IP datagrams. One
obvious approach is to store the edge sample data in an IP option,
but this is a poor choice for many of the same reasons
that the node append algorithm is infeasible—appending additional
data to a packet in flight is expensive and there may
not be sufficient space to append this data. We could also send
this data out-of-band—in a separate packet—but this would add
both router and network overhead plus the complexity of a new
and incompatible protocol.
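The following simulation is an added illustration, not code from the paper or the post: it applies the edge-sampling marking rule from the full paper (each router overwrites the start address with probability p, otherwise fills the end address when the distance is still zero and increments the distance), packs the resulting 72-bit (start, end, distance) sample, and lets the victim rebuild the route while rejecting edges that do not chain. The three-router topology, addresses, marking probability and packet count are constructed for the example.

```python
import random
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed topology: attacker -> 10.0.0.1 -> 10.0.1.1 -> 10.0.2.1 -> victim
PATH = ["10.0.0.1", "10.0.1.1", "10.0.2.1"]

def mark_packet(path, p, draw):
    """Edge-sampling rule at each router; draw() yields a uniform [0, 1) value.
    With probability p a router becomes 'start' and zeroes the distance; else
    it fills 'end' if the distance is still 0 and then increments it."""
    start, end, distance = None, None, 0
    for router in path:
        if draw() < p:
            start, end, distance = router, None, 0
        else:
            if distance == 0:
                end = router
            distance += 1
    return start, end, distance

def encode_mark(start, end, distance):
    """The 72-bit edge sample as bytes: two 32-bit addresses plus an 8-bit
    distance. An unset 'end' (start adjacent to the victim) is sent as 0."""
    return struct.pack("!4s4sB", IPv4Address(start or "0.0.0.0").packed,
                       IPv4Address(end or "0.0.0.0").packed, distance)

def reconstruct_path(marks):
    """Victim-side reconstruction: chain edges outward by distance, accepting
    an edge only if its 'end' is the router already placed one hop closer.
    Conflicting samples at a hop (e.g. attacker-supplied) stop the chain."""
    by_distance = defaultdict(set)
    for start, end, distance in marks:
        by_distance[distance].add((start, end))
    path, hop = [], 0
    while hop in by_distance:
        previous = path[-1] if path else None
        candidates = {s for s, e in by_distance[hop] if e == previous}
        if len(candidates) != 1:      # missing sample or conflicting edges
            break
        path.append(candidates.pop())
        hop += 1
    return path                       # nearest router to the victim first

def simulate(path=PATH, p=0.2, packets=2000, seed=1):
    """Send marked packets down `path`; victim rebuilds it from the samples."""
    rng = random.Random(seed)
    marks = [mark_packet(path, p, rng.random) for _ in range(packets)]
    return reconstruct_path([m for m in marks if m[0] is not None])
```

With p = 0.2 and three hops, the farthest router's edge survives in roughly 13% of packets, so a few hundred packets already suffice; `simulate()` returns the route nearest-first.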
CONCLUSION
In this paper, we have argued that denial-of-service attacks
motivate the development of improved traceback capabilities
and we have explored traceback algorithms based on packet
marking in the network. We have shown that this class of algorithm,
best embodied in edge sampling, can enable efficient
and robust multiparty traceback that can be incrementally deployed
and efficiently implemented. As well, we have developed
variant algorithms that sacrifice convergence time and robustness
for reduced per-packet space requirements. Finally, we
have suggested one potential deployment strategy using such an
algorithm based on overloading existing IP header fields and
we have demonstrated that this implementation is capable of
fully tracing an attack after having received only a few thousand
packets. We believe our solution represents a valuable first step
toward an automated network-wide traceback facility. Several
areas remain to be addressed in future work, such as improving
robustness under distributed attacks and tracing past points of
indirection such as reflectors.