Download Tracking and Tracing Cyber

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
Document related concepts

Computer security wikipedia , lookup

Transcript 
Tracking and Tracing
Cyber-Attacks
Howard F. Lipson, Ph.D.
CERT® Coordination Center
Outline
• Problem with Internet Security
• Shortfalls in the Current Internet
Environment
• Near-Term Solutions
• Long-Term Solutions
– Next-Generation Internet Protocol
Problem with Internet Security (1)
Problem with Internet Security (2)
Shortfalls in the Current Internet
Environment (1)
• The Internet was never designed for tracking and
tracing user behavior.
– Functionality and performance are focused.
• The Internet was not designed to resist highly
untrustworthy users.
– Only external attack is considered.
• A packet’s source address is untrustworthy, which
severely hinders tracking
– IP-spoofed and intermediate nodes techniques are used.
Shortfalls in the Current Internet
Environment (2)
• The current threat environment far exceeds
the Internet’s design parameters.
– There are more high-stake Internet applications.
• The expertise of the average system
administrator continues to decline.
• Attacks often cross multiple administrative,
jurisdictional, and national boundaries.
Shortfalls in the Current Internet
Environment (3)
•
•
•
•
High-speed traffic hinders tracking.
Tunnels impede tracking.
Hackers destroy logs and other audit data.
Anonymizers protect privacy by impeding
tracking
• The ability to link specific users to specific IP
addresses is being lost.
• Purely defensive approaches will fail, so
deterrence through tracking and tracing is crucial.
Near-Term Solutions (1)
Hop-by-Hop IP Traceback
ISP security broker
attacker
victim
Or
edge router
• Labor-intensive
• For tracing large packet flows with spoofed source
addresses
• DDoS attacks are extremely difficult to trace via this
process
Near-Term Solutions (2)
CenterTrack
• Optimizing the Hop-by-Hop IP traceback
• Steps
– Create an overlay network (IP tunneling)
– In the event of a DoS attacks, the ISP diverts
the flow of attack packets from the existing ISP
network onto overlay tracking network
– The attack packets can now be easily traced
back, hop-by-hop, through the overlay network
Near-Term Solutions (3)
Ingress Filtering or Egress Filtering
• Network Ingress Filtering
– Discard all packets that contain source IP addresses that
do not match the valid range of the customer’s known
IP addresses.
• Network egress Filtering
– Corporate network administrator
• IETF
– Internet Best current Practices for the Internet
Community
Near-Term Solutions (4)
Backscatter Traceback
• Steps
– The attack is reported to an ISP
– The ISP configures all its router to reject all packets destined for
the victim
– Rejected packets are “returned to sender”
– The ISP configures all of its router to blackhole many of the ICMP
error packet with illegitimate destination IP address
– Analysis by the blackhole machine quickly traces the attack to one
or more routers at the outermost boundary of the ISP’s network
– The ISP removes the filter blocking the victim’s IP address from all
router except those serving as the entry points for the DDoS attack
– The ISP asks neighboring ISPs, upstream of the attack, to continue
the trace
Near-Term Solutions (5)
Probabilistic Approaches
• ICMP Traceback
– ICMP traceback message
• Probabilistic Packet Marking
– IP header
Near-Term Solutions (6)
Single-Packet IP Traceback
• In theory
– Keeping a log at each router in the Internet
• Tamper-proof
• Fully-authenticated
– Technical infeasibility
• Storage
• Privacy
• Hash-Based IP Traceback
– Packet digests
– Reduce storage requirement to 0.5% of the link capacity per unit of time
and help privacy
– Issues
• Computational resources
• Transformation information (Fragmentation, tunneling) corresponding to the
packet digests is store in a transformation lookup table
Long-Term Solutions (1)
Issues of Next-Generation Internet Protocol
• Next-generation Internet protocols will be required to deal with trust
not on a binary basis.
• Entry-point anonymity refer the in ability to link an Internet IP address
to any human actor or organization.
• Can next-generation protocols be designed so as to increase the cost to
the attacker and decrease the cost to the defender?
• Supporting vigilant resource consumption.
• Supporting marketplace negotiation of trust versus privacy trade-offs
(trust broker).
• Next-generation Internet protocols must allow for variable levels of
trust under various attack states (situation-sensitive).
• Sufficient header space for tracking information.
Long-Term Solutions (2)
Emerging Next-Generation Security Protocols
• Internet Protocol Security (IPSec)
– Characteristics
• AH (Authentication Header)
• ESP (Encapsulating Security Payload)
• IKE (Internet Key Exchange)
– Shortfalls
• Vigilant resource consumption
• Fine-grained authentication of trust
• Situation-sensitive
• Internet Protocol Version 6 (IPv6)
– Characteristics
•
•
•
•
IP address is 128 bits long.
IPSec built in.
Flexible header structure
Address space is enormous
Related documents
What Is the Internet Powerpoint presentation - NC-NET
What Is the Internet Powerpoint presentation - NC-NET
U1L6_The_Internet
U1L6_The_Internet
4th Edition: Chapter 1 - United States Naval Academy
4th Edition: Chapter 1 - United States Naval Academy
IP Traceback With Deterministic Packet Marking
IP Traceback With Deterministic Packet Marking
スライド 1
スライド 1
Lecture 26
Lecture 26
2. Internet Communication Diagram
2. Internet Communication Diagram
Practical Network Support for IP Traceback
Practical Network Support for IP Traceback
Networks
Networks
Impact of Computers on Society
Impact of Computers on Society
How Client/Server Networks Work
How Client/Server Networks Work
Computer Basics
Computer Basics