Network Support for IP Traceback
Stefan Savage, David Wetherall, Member, IEEE, Anna Karlin, and Tom Anderson
IEEE/ACM Transactions On Networking, VOL. 9, NO. 3, JUNE 2001
Presenter: 李宗穎
Outline
- Introduction
- Marking scheme
- Encoding issues
- Limitations
- Conclusion
Introduction
Network problem
- Denial of Service (DoS) attacks
- Spoofed IP source addresses (a weakness of IP is that the source host itself fills in the IP source address)
Goal
- Use a packet marking scheme to find the source of the attack
Marking Packet
[Figure: attackers A1, A2, A3 send traffic through routers R1 to R7 towards the victim V]
- Does not require interactive cooperation with ISPs
- Does not require significant additional network traffic
- Low management and network overhead
Attack path: A2 → R6 → R3 → R2 → R1 → V
Node Append
- Each router appends its address to the end of the packet
- Every packet carries a complete, ordered list of the routers it traversed (quick convergence)
- High router and network overhead
[Figure: packet followed by the appended router list]
Node Sampling
- Each router writes its address into the packet with probability p
- For a router d hops away, the probability that the victim receives a packet marked by that router is p(1-p)^(d-1)
- Slow convergence
Example: with d (distance) = 15 and p (marking probability) = 0.51, about 1/(p(1-p)^(d-1)) ≈ 42000 packets are needed
[Figure: Router1 → Router2 → Router3 → Victim with p = 1/2; the probability of receiving a mark from each router is p = 1/2 for Router3, p(1-p) = 1/4 for Router2 and p(1-p)^2 = 1/8 for Router1]
Edge Sampling
- Encode the edges of the attack path instead of the routers
- Needs three static fields in the packet:
  - start address of the edge (32 bits)
  - end address of the edge (32 bits)
  - distance of the edge from the victim (8 bits)
Edge Sampling Example
- When the router's random draw x < p: write its own address into Start and set distance = 0
- When x > p: if distance = 0, write its own address into End; then increment distance
Packet passing R1 → R2 → R3 (x is each router's random draw):
Router  Draw   Start  End  Dis.
R1      x < p  R1     -    0
R2      x > p  R1     R2   1
R3      x > p  R1     R2   2
The issues of the marking schemes
Problem
- Node append causes high overhead
- Node sampling converges too slowly
- Edge sampling requires 72 bits of space per packet
Solving scheme
- Reduce the per-packet storage requirement by overloading the 16-bit IP identification field
Encoding Issues
- Encode each edge in half the space by representing it as the exclusive-or (XOR) of the two IP addresses making up the edge
- Split each edge-id into some number k of smaller, non-overlapping fragments
[Figure: an IP address split into Fragment 1, Fragment 2, ..., Fragment k-1, Fragment k]
Encode each edge in half the space
1. Router a decides to mark the packet and writes its address a into the packet
2. Router b reads a distance field of 0 and writes a ⊕ b into the packet
3. Since (a ⊕ b) ⊕ b = a, the victim can decode a from the marked packet once it knows b
Simple Error Detection Code
- Edge-id fragments are not unique: fragments from different edge-ids may have the same value
[Figure: fragments 1, 2, 3 of two different edge-ids arrive interleaved as 1 1 2 2 3 3, so reconstructing a candidate edge must tell them apart]
IP Header Encoding (16-bit identification field)
- offset (3 bits): 8 separate fragments
- distance (5 bits): up to 32 hops of router distance
- edge fragment (8 bits): a part of the XORed IP address
Assessment
- Marking probability is 1/25
- The longest paths can be resolved with very high likelihood within 4000 packets
Limitations and Future Work
- Only in IPv4 networks
- Distributed attacks
- Fake marking paths
- Attack origin detection
Conclusion
- The authors have developed variant algorithms that sacrifice convergence time and robustness for reduced per-packet space requirements