On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack
INFOCOM 2001. Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings. IEEE
Presented by FanChiang C.W.
Advisor: Prof. Frank Y.S. Lin
112/04/18 OPLab, NTUIM
Agenda
- Abstract
- Introduction
- Probabilistic Packet Marking and Traceback
- DoS traceback minimax problem
- DDoS traceback problem
- Dynamic PPM scheme
Abstract
The optimal decision problem - the victim can choose the marking probability whereas the attacker can choose the spoofed marking value, source address, and attack volume - can be expressed as a constrained minimax optimization problem, where the victim chooses the marking probability such that the number of forgeable attack paths is minimized.
Introduction
Two contributions:
- First, it shows the trade-off relation between victim and attacker, which is a function of marking probability, path length, and traffic volume.
- Second, for a given attack volume, the uncertainty factor might be amplified by mounting a DDoS attack.
Probabilistic Packet Marking and Traceback
The network is modeled as a directed graph G = (V, E), where V is the set of nodes and E is the set of edges.
The edges denote physical links between elements of V. Let S ⊂ V denote the set of attackers and let t ∈ V \ S denote the victim. |S| = 1 (DoS).
Probabilistic Packet Marking and Traceback (con’t)
We assume that routes are fixed¹, and the attack path A is represented as
¹ On the IP Internet, the majority of TCP sessions do not experience route changes during their connection lifetime. Generalization of PPM under dynamic routing (the routing process must be specified) is a problem for future work.
Probabilistic Packet Marking and Traceback (con’t)
[Figure: example topology with nodes A–G, animated over several slides as attack packets travel toward the victim; legend: packets marked by the attacker, packets marked by a router, attack packets]
Probabilistic Packet Marking and Traceback (con’t)
A packet x is assumed to have a marking field in which the identity of an edge (v, v′) ∈ E traversed can be inscribed.
A packet travels along the attack path A sequentially. At hop v_i ∈ {v_1, …, v_d}, packet x is marked with the edge value (v_{i−1}, v_i), i = 1, 2, …, d, with probability p (0 ≤ p ≤ 1), where v_0 = s. This is probabilistic marking.
Path Sampling
α_i(p) = p(1−p)^{d−i} (1)
α_0(p) = (1−p)^d (the attacker can hide his identity or fool the defender) (2)
When N packets are transmitted, the expected number of packets reaching the target t marked by r_i is n_i(p) = Nα_i(p). Note that
α_1(p) ≤ α_2(p) ≤ … ≤ α_d(p)
Path Sampling (con’t)
To receive a marked packet from v_1 requires N ≥ 1/α_1(p).
Because N is under the attacker’s control, from a purely sampling viewpoint the edge (s, v_1) is the weakest link.
Path Sampling (con’t)
which has the solution p ≤ ½. In general, we may consider
p ≤ 1 − 2^{−1/d}; for d = 10 this gives p ≤ 0.067.
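As an added illustration of the path-sampling model above (example code written for this transcript, not code from the paper or the slides), the following Python computes α_i(p), the sampling requirement N ≥ 1/α_1(p), and checks eqs. (1) and (2) by simulating the marking process with "last mark wins" semantics. The threshold p ≤ 1 − 2^{−1/d} is implemented as the condition (1−p)^d ≥ 1/2, which is my reading of the condition the slides omit and is an assumption; the function names are mine.

```python
# Added example for the path-sampling slides (not code from the paper or
# the presentation). Function names are mine.
import math
import random


def alpha(i, p, d):
    """Probability that a packet reaching t carries hop i's mark.
    alpha_i(p) = p(1-p)^(d-i) for routers i = 1..d (eq. 1);
    alpha_0(p) = (1-p)^d is the chance that no router marks, so whatever
    the attacker wrote into the marking field survives (eq. 2)."""
    if not 0 <= i <= d:
        raise ValueError("hop index out of range")
    if i == 0:
        return (1 - p) ** d
    return p * (1 - p) ** (d - i)


def min_attack_volume(p, d):
    """Smallest N for which t expects at least one packet marked by v_1:
    N >= 1/alpha_1(p).  Edge (s, v_1) has the smallest alpha, so it is the
    hardest edge to sample."""
    return math.ceil(1 / alpha(1, p, d))


def attacker_hiding_threshold(d):
    """Marking probability below which at least half of the attacker's
    packets reach t unmarked: (1-p)^d >= 1/2  <=>  p <= 1 - 2^(-1/d).
    Reading the slides' omitted condition this way is an assumption."""
    return 1 - 2 ** (-1 / d)


def simulate_marking(p, d, n_packets, seed=1):
    """Monte Carlo check of eqs. (1)-(2).  Every packet starts with a
    spoofed mark written by the attacker (hop 0); each router v_i on the
    path overwrites the field with edge (v_{i-1}, v_i) with probability p,
    so the last router that marks wins.  Returns the empirical fraction of
    packets arriving with each hop's mark, index 0 = attacker's mark."""
    rng = random.Random(seed)  # fixed seed: constructed, reproducible input
    counts = [0] * (d + 1)
    for _ in range(n_packets):
        mark = 0
        for hop in range(1, d + 1):
            if rng.random() < p:
                mark = hop
        counts[mark] += 1
    return [c / n_packets for c in counts]


if __name__ == "__main__":
    d, p = 10, 0.1
    print("analytic :", [round(alpha(i, p, d), 4) for i in range(d + 1)])
    print("simulated:", [round(v, 4) for v in simulate_marking(p, d, 20000)])
    print("N needed to sample (s, v_1):", min_attack_volume(p, d))
    print("p at which half the packets stay unmarked:",
          round(attacker_hiding_threshold(d), 3))
```

With d = 10 and p = 0.1 the attacker's own mark survives on about 35% of packets, the first router's mark on under 4%, and the victim needs at least 26 packets before it can expect a single sample of the edge (s, v_1).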
Path Sampling (con’t)
The optimal selection of N, d, and x0 by the attacker, and correspondingly optimal selection of p by the victim to achieve their individual, conflicting objectives lies at the heart of the probabilistic PPM approach to source identification.
Traceback Problem (con’t)
The spoofed marking variable x_0 can be fixed by the following theoretic argument. Let n^s_i(p) be the number of spoofed packets arriving at t marked by (u_i, v_1), and let n_0(p) = Σ_{i=1}^{m} n^s_i(p). If it holds that
then all m+1 paths are equally likely, yielding the same outcome in terms of collected marking values at t.
Traceback Problem (con’t)
We call m (a function of p and the spoofing variable x_0) the uncertainty factor with respect to the marking probability p.
The larger m is, the greater the processing cost incurred by the victim to trace back the attack source.
Thus, the objective of the attacker is to maximize m, whereas the objective of the victim is to minimize m.
Traceback Problem (con’t)
The formulation in (III.5) does not incorporate the attack volume N and thus unduly favors the victim.
A sampling constraint is added by requiring
Nα_1(p) = Np(1−p)^{d−1} ≥ 1 (III.6)
Traceback Problem (con’t)
Thus the refined minimax optimization reflecting the victim’s sampling constraint is given by
The left-hand side of (III.6), Np(1−p)^{d−1}, as a function of p has a unimodal (bell) shape with its peak at p = 1/d.
ANALYSIS OF SINGLE-SOURCE DOS ATTACK
And (IV.1) can be derandomized, i.e. replaced by a deterministic procedure that emulates uniform generation.
n_0(p) = Σ_{i=1}^{m} n^s_i(p).
ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con’t)
Given p (determined by the victim), the attacker can achieve m = 1/p − 1.
ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con’t)
With constraint (III.6) we can define
and it can be checked that when d ≥ 2, L is convex in p.
ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con’t)
It can be viewed as a sequence of minimization problems of the objective function 1/p − 1 over L_N for N = N_0, N_0+1, …. The next result gives a performance bound on the attacker’s ability to hide his identity under PPM.
ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con’t)
Theorem 2 shows that the maximum achievable uncertainty factor cannot exceed d − 1, the distance between the attacker and the victim.
On the Internet, most path lengths are bounded by 25 [29].
[29] Wolfgang Theilmann and Kurt Rothermel, “Dynamic distance maps of the Internet,” in Proc. IEEE INFOCOM 2000, Mar. 2000.
ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con’t)
d = 10, N = 26
Thus the attacker, by judiciously choosing the attack volume, can maximally hide his identity, reaching the bound d − 1.
Approximation of Uncertainty Factor
Np(1−p)^{d−1} ≥ 1.
The equation Np(1−p)^{d−1} = 1 is transformed into the polynomial x^n − x^{n−1} + c by substituting 1 − x, 1/c and n for p, N and d, respectively.
Dividing Np(1−p)^{d−1} = 1 by N and writing p as 1 − x (0 ≤ x ≤ 1), it becomes
Approximation of Uncertainty Factor (con’t)
Assuming N ≫ 1, 1/N ≈ 0.
First consider x^{d−1} close to 1: the left-hand side becomes (1 − 1/N)^{d−1} → 1 as N → ∞.
Next, when (1 − 1/N)^{d−1} → 0, the approximate solution is x = (1/N)^{1/(d−1)}.
Approximation of Uncertainty Factor (con’t)
Thus x is approximately 1 − 1/N or (1/N)^{1/(d−1)}. Therefore,
Approximation of Uncertainty Factor (con’t)
The maximum uncertainty value m of the min-max optimization problem is given by
For N = 10^5, d = 25, m is 1.6247; for N = 10^7, d = 25, m is 1.0446.
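The following Python (an added example written for this transcript, not code from the paper or the slides) works through the single-source minimax problem of the preceding slides: the sampling constraint (III.6), the minimum attack volume d^d/(d−1)^{d−1}, the exact m*(N) obtained by bisection for the right-hand root of Np(1−p)^{d−1} = 1, and the closed-form approximation that reproduces the slide's values 1.6247 and 1.0446. That the victim picks the largest feasible p, and the derivation of m = 1/p − 1 given in the comments, are my reading of the slides; all function names are mine.

```python
# Added example for the single-source minimax slides (not code from the
# paper or the presentation). Function names are mine.


def sampling_ok(p, N, d):
    """Victim's sampling constraint (III.6): N*alpha_1(p) = N p (1-p)^(d-1) >= 1."""
    return N * p * (1 - p) ** (d - 1) >= 1


def min_volume(d):
    """Smallest attack volume for which L_N is non-empty.  N p (1-p)^(d-1)
    peaks at p = 1/d, so the victim can sample (s, v_1) only if
    N >= d^d / (d-1)^(d-1)."""
    return d ** d / (d - 1) ** (d - 1)


def uncertainty_for(p):
    """m = 1/p - 1.  My reading of the slides' argument: the attacker's
    N(1-p)^d packets that arrive with his spoofed mark intact are split
    evenly over m forged edges (u_i, v_1); each forged edge then shows
    N(1-p)^d / m marks, matching the N p (1-p)^(d-1) genuine marks from
    v_1 exactly when m = (1-p)/p."""
    return 1 / p - 1


def optimal_uncertainty(N, d, iters=200):
    """m*(N): the minimax uncertainty factor for volume N and distance d.
    The victim minimises 1/p - 1 over L_N, i.e. takes the largest feasible
    p, which is the right-hand root of N p (1-p)^(d-1) = 1.  The constraint
    function decreases on [1/d, 1], so bisection finds it.  Returns None
    when N < min_volume(d), where no p is feasible at all."""
    if not sampling_ok(1 / d, N, d):
        return None
    lo, hi = 1 / d, 1.0  # feasible at lo, infeasible at hi
    for _ in range(iters):
        mid = (lo + hi) / 2
        if sampling_ok(mid, N, d):
            lo = mid
        else:
            hi = mid
    return uncertainty_for(lo)


def approx_uncertainty(N, d):
    """Closed form from the slides' substitution p = 1 - x, N = 1/c:
    (1-x) x^(d-1) = 1/N and, for N >> 1, 1 - x ~ 1, so x ~ N^(-1/(d-1)).
    Then m = 1/p - 1 = x / (1-x)."""
    x = N ** (-1 / (d - 1))
    return x / (1 - x)


if __name__ == "__main__":
    for N, d in [(26, 10), (10 ** 5, 25), (10 ** 7, 25)]:
        print(f"N={N:>9} d={d:>2}  N_min={min_volume(d):8.2f}  "
              f"m*={optimal_uncertainty(N, d):.4f}  "
              f"approx={approx_uncertainty(N, d):.4f}  bound d-1={d - 1}")
```

The approximation drops the factor (1 − x), so for moderate N it somewhat underestimates the exact m* returned by `optimal_uncertainty`; both stay below the Theorem 2 bound d − 1, and the exact value approaches that bound only at the smallest volume N = 26 for d = 10 that makes the sampling constraint satisfiable.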
Marking Probability
d ∝ 1/p, m ∝ 1/p. Given N, as the distance d decreases, the expected number of spoofed packets N_s increases at any given value of p.
When the source of an attack is far from the victim, the attacker becomes more potent at impeding traceback.
Attack Distance
Since the distance between an attacker and the victim is bounded on the Internet, an attacker has limited ability to hide his location when subject to probabilistic packet marking.
Attack Volume
To satisfy the sampling constraint, N needs to be at least d^d/(d−1)^{d−1}.
As N increases, the victim can reduce the number of forgeable paths to fewer than d − 1.
V. DDoS Attack
Following the uncertainty optimization framework, given a desired attack volume N, an amplification factor of M can be trivially achieved by mounting N/M-volume attacks from M separate attack sites.
DDoS Attack (con’t)
m*(·) is a function depicting the optimum (i.e., minimax) uncertainty factor for the traffic volume given in the argument.
DDoS Attack Model – Classification (con’t)
All-source traceback: we assume the attacker is able to mount stateless intrusions when gathering attack hosts, and thus his objective is to maximize total uncertainty (vs. individual uncertainty in the any-source traceback case), since quick traceback of individual attack hosts does not present a danger with respect to revealing traceback information.
DDoS Attack Model – Classification (con’t)
The attacker’s objective is to maximize the number of forged paths that the victim has to process.
The victim’s goal is to isolate or shut down the traffic flows emanating from compromised hosts.
DDoS Attack Model – Traceback Analysis
Given M distinct sources, each source s_i sends N_i packets to the victim t at distance d_i, for 1 ≤ i ≤ M.
An attack path is represented by A_i = (s_i, v_{i,1}, v_{i,2}, …, v_{i,d_i}, t). Without loss of generality, assume d_i ≤ d_j for i < j.
DDoS Attack Model – Traceback Analysis (con’t)
Thus the expected number of spoofed packets from s_i is
for 1 ≤ i ≤ M.
The expected number of packets marked by v_{i,1} is
Numerical Evaluation of Traceback
Let N_i = N/M and d_i = d for 1 ≤ i ≤ M, which facilitates comparability. Let m*(N_i) be the uncertainty factor achievable with volume N_i.
m*(N/M)/m*(N) represents the expansion rate of the uncertainty factor with respect to the distribution factor M.
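As an added example for the expansion rate (written for this transcript, not code from the paper), the Python below evaluates m*(N/M)/m*(N) for N_i = N/M and d_i = d. It uses the closed-form approximation of m* from the Approximation of Uncertainty Factor slides in place of the exact minimax value (an assumption made so the block stands alone), and returns None when N/M drops below d^d/(d−1)^{d−1}, the per-source volume below which the victim's sampling constraint cannot be met at any p. Function names are mine.

```python
# Added example for the DDoS expansion-rate slides (not code from the paper
# or the presentation).  Function names are mine; the closed-form
# approximation stands in for the exact minimax m*(.) (an assumption).


def min_volume(d):
    """Per-source volume below which the victim cannot satisfy the sampling
    constraint for that source at any p: d^d / (d-1)^(d-1)."""
    return d ** d / (d - 1) ** (d - 1)


def approx_uncertainty(N, d):
    """Approximate m*(N) from the approximation slides: x = N^(-1/(d-1)),
    m = x / (1-x)."""
    x = N ** (-1 / (d - 1))
    return x / (1 - x)


def expansion_rate(N, d, M):
    """m*(N/M) / m*(N) with N_i = N/M and d_i = d for all M sources.
    Returns None when N/M < min_volume(d): the victim then cannot sample
    even the first edge of any source's path, so the uncertainty framework
    no longer bounds that source."""
    if N / M < min_volume(d):
        return None
    return approx_uncertainty(N / M, d) / approx_uncertainty(N, d)


def expansion_table(N, d, factors):
    """Expansion rate for each distribution factor M in `factors`."""
    return {M: expansion_rate(N, d, M) for M in factors}


if __name__ == "__main__":
    N, d = 10 ** 7, 25
    for M, rate in expansion_table(N, d, [1, 10, 100, 10 ** 4, 10 ** 6]).items():
        label = "n/a (below N_min)" if rate is None else f"{rate:.3f}"
        print(f"M={M:>8}  N/M={N / M:>12.1f}  expansion={label}")
```

For N = 10^7 and d = 25, splitting the attack over M = 100 sites multiplies the uncertainty factor by about 1.56 (1.6247/1.0446 from the slide's own numbers); once M is large enough that each site sends fewer than about 67 packets, the per-source sampling constraint fails outright and the table reports no bound.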
Conclusion
PPM has the advantages of efficiency and implementability over DPM; however, it has the potential drawback that an attacker may impede traceback by sending packets with spoofed marking field values as well as spoofed source IP addresses.
Conclusion (con’t)
While it is always possible for an attacker to impede exact traceback by the victim, the attacker’s ability to affect uncertainty is limited in internetworks with bounded diameters.
Considering the length d of the OD pair, the next paper, a dynamic PPM scheme, is briefly introduced.
Efficient Dynamic Probabilistic Packet Marking for IP Traceback
Proc. 11th IEEE International Conference on Networks (ICON 2003), 2003
Agenda
- Introduction
- Preliminaries
- Dynamic Probabilistic Packet Marking
- Performance Analysis
- Concluding remarks
Introduction
It has been shown that PPM suffers from uncertainty under attacks with spoofed packets.
During a DDoS attack, the uncertainty factor might be amplified significantly, which may diminish the effectiveness of PPM.
Introduction (con’t)
To improve the effectiveness of PPM, this paper proposes a new scheme, DPPM.
Instead of a fixed marking probability, DPPM chooses the marking probability as an inverse function of the length of an OD pair, obtained from the TTL field.
Preliminaries – Issues in Choosing Probability (con’t)
Let p_i represent the marking probability of router r_i. Define the leftover probability of router r_i, denoted a_i, as
a_i = p_i × ∏_{j=i+1}^{D} (1 − p_j) (1)
Because in PPM p is fixed, this becomes
a_i = p(1 − p)^{d−i} (2)
Therefore, the leftover probability is geometrically smaller the closer the router is to the attacker.
Preliminaries – Issues in Choosing Probability (con’t)
Let N denote the total number of attacking packets (attack volume) from an attacker to a victim.
DPPM
- To have a uniform leftover probability for all routers.
- To remove the uncertainty factor introduced by spoofed packets completely, if every packet gets a legitimate marking along the path.
DPPM (con’t)
Eq. 3 shows that each router along the attack path has the same probability of leaving its information in the marking field.
In other words, the victim has an equal probability of obtaining each router’s information along the path, regardless of its distance from the victim.
Challenge on spoofed TTL value
The attacker may use TTL = 129; DPPM would then choose p as 1/126 (126 = 255 − 129), and the attacker can get away without leaving any trace.
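The Python below is an added example (written for this transcript, not the DPPM paper's code) that contrasts leftover probabilities under fixed-p PPM with DPPM, and quantifies the spoofed-TTL weakness described above. The DPPM rule used, p_i = 1/(hops travelled) with hops travelled inferred as 255 − TTL, is my reconstruction from the slides' figures (p = 1/126 for TTL = 129, and Eq. 3 giving every router the same leftover probability) and is an assumption; the constant INITIAL_TTL and all function names are mine.

```python
# Added example for the DPPM and spoofed-TTL slides (not code from the DPPM
# paper or the presentation).  The marking rule p_i = 1 / hops_travelled
# with hops_travelled = INITIAL_TTL - TTL is my reconstruction from the
# slides' numbers and is an assumption; INITIAL_TTL and all names are mine.
INITIAL_TTL = 255  # initial TTL the routers assume (matches 255 - 129 = 126 on the slide)


def leftover(probs):
    """Eq. (1): a_i = p_i * prod_{j > i} (1 - p_j).  probs lists the marking
    probabilities of r_1..r_D from the attacker side toward the victim; a_i is
    the probability that r_i's mark is the one the victim finally sees."""
    out = []
    for i, p_i in enumerate(probs):
        a = p_i
        for p_j in probs[i + 1:]:
            a *= 1 - p_j
        out.append(a)
    return out


def ppm_probs(p, d):
    """Fixed-probability PPM: every router marks with the same p (eq. 2 follows)."""
    return [p] * d


def dppm_probs(d, first_ttl_seen=INITIAL_TTL - 1):
    """DPPM marking probabilities along a d-hop path.  Router r_i sees a TTL
    one lower than r_{i-1}, infers hops_travelled = INITIAL_TTL - ttl_seen and
    marks with probability 1 / hops_travelled.  first_ttl_seen is what r_1
    observes: INITIAL_TTL - 1 for an honest sender, 129 in the slide's example."""
    probs = []
    for i in range(1, d + 1):
        ttl_seen = first_ttl_seen - (i - 1)
        hops_travelled = INITIAL_TTL - ttl_seen
        probs.append(1 / hops_travelled)
    return probs


def unmarked_fraction(probs):
    """Share of packets reaching the victim with the attacker's own (spoofed)
    marking untouched: prod (1 - p_i)."""
    f = 1.0
    for p in probs:
        f *= 1 - p
    return f


if __name__ == "__main__":
    d = 10
    print("PPM  leftover:", [round(a, 4) for a in leftover(ppm_probs(0.1, d))])
    print("DPPM leftover:", [round(a, 4) for a in leftover(dppm_probs(d))])
    print("unmarked, honest TTL :", unmarked_fraction(dppm_probs(d)))
    spoofed = dppm_probs(d, first_ttl_seen=129)
    print("p_1 with TTL 129     :", round(spoofed[0], 5))
    print("unmarked, TTL 129    :", round(unmarked_fraction(spoofed), 4))
```

With a genuine initial TTL the first router marks every packet (p_1 = 1), so the attacker's spoofed marking never survives and each router's mark reaches the victim with probability exactly 1/d; with a first-hop TTL of 129 the same rule yields p_1 = 1/126 and, for d = 10, about 92.6% of packets arrive still carrying the attacker's spoofed marking, which is the weakness the slide points out.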
Summary
Path length d_i, marking probability p, spoofing packet rate p_s, attack volume N, spoofed packets N_s, uncertainty factor m:
d_i ↑ ⇒ m_i^{MAX} ↑; p_s ↑ ⇒ m ↑; p ↑ ⇒ m ↓; N ↓ ⇒ m ↑.
Summary (con’t)
The PPM referenced in this paper is a framework: as long as each router on a path marks at least one packet, an attack path reconstruction can be completed.
IEEE/ACM Transactions on Networking, Vol. 16, Feb. 2008 proposed a PPM scheme suited to DDoS.
Summary (con’t)
To improve the security of PPM, that paper proposes message fragmentation: the marking information is split into several fragments, and each time a router marks it injects only one randomly chosen fragment. The victim therefore needs to collect more packets to reassemble the fragments into traceback information, reconstruct the attack path, find the most appropriate router and enable a filter there.
Under different PPM architectures, m = 1/p − 1 may require parameter fine-tuning.
Summary (con’t)
Attacker: increase the number of attack paths the defender has to process; spoof the marking field to mislead the defender about the attack source; consume defense resources.
Defender: after collecting enough path information, find the most appropriate router and enable a filter there; if some path has no filter able to drop attack packets, use a routing strategy to steer the attack packets to the nearest filter.
Senior Zheng-You’s Work vs. My Work (Zheng-You | My work)
PPM scheme and false positive rate: X | O
Spoofed packets may amplify the error rate and may increase the victim’s processing cost: X | O
Rerouting: O | O
Filter allocation:
- Zheng-You: use LR, the subgradient method and heuristics to find the optimal filter allocation that minimizes collateral damage.
- My work: use PPM traceback while simultaneously considering the false-positive rate, attack characteristics (N, d, topology) and spoofed information; with the filter locations given, use LR to find the optimal ON-configuration strategy that minimizes collateral damage.
Thank you for listening.