IP Traceback With Deterministic Packet Marking
Andrey Belenky and Nirwan Ansari
IEEE Communications Letters, VOL. 7, NO. 4, April 2003
林怡彣


Introduction

IP traceback problem
– The problem of identifying the source of the offending packets
– Source: zombie; reflector; spoofed address ...

Solution
– Rely on the routers (PPM; ICMP)
  Only for DoS
– Centralized management (log of packet information)
  Large overhead, complex, not scalable

Deterministic Packet Marking

Each packet is marked when it enters the network
– Only incoming packets are marked
– Mark: address information of this interface
– 16 bit ID + 1 bit Flag

PPM

PPM VS DPM

Routers are treated as atomic units
– PPM: the IP address of a router
– DPM: the IP address of one of its interfaces; packets traveling in different directions are considered different

Mark spoofing
– PPM: use a coding technique (but not 100%)
– DPM: a spoofed mark will be overwritten

PPM VS DPM (2)

PPM (full path); DPM (address of the ingress router)
– In a datagram packet network every packet is individually routed
– Full path traceback is as good as the address of an ingress point
– ISPs use different IP addresses: public addresses for interfaces to customers and other networks; private addressing plans within their own networks

Coding of a mark

Flag = 0: address bits 0~15
Flag = 1: address bits 16~31
The flag value is set randomly

How many packets are enough?
– n: the number of received packets
– The probability of successfully generating the ingress IP address is greater than 1 - 0.5^n
– 2 packets: 75%; 4 packets: 93.75%; 6 packets: 98.43%; 10 packets: 99.9%

Pseudo code
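The marking and reconstruction steps described above, written out as an added example (not code from the paper or these slides; the addresses, the packet dictionary layout and the `Victim` class are assumptions). The ingress router overwrites the ID field and flag of every incoming packet, and the victim pairs the two halves it collects per claimed source address; the last function measures empirically how often n packets are enough, for comparison with the slide's table.

```python
import random
from collections import defaultdict

# Constructed example (not the paper's or the slides' code): the ingress
# router writes one half of its interface address into the 16-bit ID field
# and records which half in the 1-bit flag; the victim reassembles both halves.

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def dpm_mark(ingress_ip, packet, flag=None):
    """Mark an incoming packet; any spoofed ID/flag the sender set is overwritten."""
    if flag is None:
        flag = random.getrandbits(1)   # which half to send is chosen at random
    addr = ip_to_int(ingress_ip)
    marked = dict(packet)              # the claimed source address is left as-is
    marked["id"] = addr & 0xFFFF if flag == 0 else addr >> 16
    marked["flag"] = flag
    return marked

class Victim:
    """Collects the two halves keyed by the source address each packet claims."""
    def __init__(self):
        self.halves = defaultdict(dict)   # src -> {flag: 16-bit half}

    def observe(self, pkt):
        """Return the ingress address once both halves for this source are known."""
        h = self.halves[pkt["src"]]
        h[pkt["flag"]] = pkt["id"]
        if 0 in h and 1 in h:
            return int_to_ip((h[1] << 16) | h[0])
        return None

def fraction_reconstructed(n, trials=2000, seed=1):
    """Empirical share of trials in which n randomly flagged packets from one
    ingress router let the victim rebuild its address (compare the slide's table)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        v = Victim()
        for _ in range(n):
            if v.observe(dpm_mark("203.0.113.7", {"src": "10.0.0.5"}, flag=rng.getrandbits(1))):
                hits += 1
                break
    return hits / trials
```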

Pros

– Simple to implement
– Introduces no bandwidth overhead
– Practically no processing overhead
– Suitable for a variety of attacks [not just (D)DoS]
– Backward compatible with equipment which does not implement it
– Does not have inherent security flaws
– Does not reveal internet topology
– No mark spoofing
– Scalable

Future work

The fragmentation/reassembly problem
– Only less than 0.5% of packets
– Solution: the ID field for all fragments has to be assigned the same address bits

Attacker changes IP frequently during the attack
– Solution: make the destination rely only on the marks & the hash value of the ingress router

Analyze the coding technique

IPv6 implementation

Tracing Multiple Attackers with Deterministic Packet Marking
Andrey Belenky and Nirwan Ansari
IEEE PACRIM'03, August 2003

The problem with the basic DPM (1)

Two hosts with the same source address attack the victim, e.g.:
– The ingress addresses corresponding to these two attackers are A0 and A1
– The victim will receive A0[0], A0[1], A1[0], A1[1]
– Possible reconstructions: A0[0].A0[1], A0[0].A1[1], A1[0].A0[1], A1[0].A1[1]
– Rate of false positives = 50%

rate of false positives = (incorrectly identified ingress addresses) / (the total number of identified ingress addresses)
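The A0/A1 case above, as an added example (not code from the paper or the slides; the ingress addresses are constructed): the basic reconstruction pairs every low half with every high half received under one source address, and the false-positive rate is computed with the definition on this slide. The function generalizes to m attackers behind different ingress routers sharing one spoofed source, giving m^2 candidates of which m are correct.

```python
from itertools import product

# Constructed example (not the paper's code): several attack hosts behind
# different ingress routers all send the same spoofed source address, so the
# basic DPM victim cannot tell which low half belongs with which high half.

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def marks_from(ingress_ip):
    """Both (flag, half) marks an ingress router emits for its own address."""
    addr = ip_to_int(ingress_ip)
    return [(0, addr & 0xFFFF), (1, addr >> 16)]

def basic_dpm_candidates(marks):
    """Every address the basic reconstruction can form from the marks received
    under one source address: each low half paired with each high half."""
    lows = {half for flag, half in marks if flag == 0}
    highs = {half for flag, half in marks if flag == 1}
    return {int_to_ip((hi << 16) | lo) for lo, hi in product(lows, highs)}

def false_positive_rate(candidates, true_ingresses):
    """Incorrectly identified ingress addresses over all identified ones."""
    wrong = candidates - set(true_ingresses)
    return len(wrong) / len(candidates)

def attack_scenario(ingresses):
    """Attackers behind the given ingress routers share one source address;
    returns the victim's candidate set and its false-positive rate."""
    marks = [m for ip in ingresses for m in marks_from(ip)]
    cands = basic_dpm_candidates(marks)
    return cands, false_positive_rate(cands, ingresses)

if __name__ == "__main__":
    # The slide's two-attacker case: 4 candidates, 2 of them wrong -> 50%.
    cands, rate = attack_scenario(["192.0.2.1", "198.51.100.9"])
    print(sorted(cands), rate)
```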

The problem with the basic DPM (2)

Change source address

Schematics

Pad

Ideal hash

Reconstruction
– a areas
– Each area has k segments
– Each segment has bits
– Figure labels: area, 2^d, 2^a

Analysis

N: the number of ingress routers
– When false positive rate = 0
– When – the expected number of different values the segment will take is


Analysis (2)
– The expected number of permutations that result in a given digest for a given area
– The number of false positives for a given area

Analysis (3)
– The total number of false positives
– The max number of N

Analysis (4)
– The expected number of datagrams

Analysis (5)

Conclusion

– Capable of tracing thousands of simultaneous attackers during a DDoS attack (just DDoS)
– The traceback process can be performed post-mortem, which allows for tracing attacks that may not have been noticed initially
– Solves the two problems
– Needs more marked packets