Download IP Traceback With Deterministic Packet Marking

IP Traceback With
Deterministic Packet Marking
Andrey Belenky and Nirwan Ansari
IEEE communication letters, VOL. 7,
NO. 4 April 2003
林怡彣
Introduction
IP traceback problem
– The problem of identifying the source of the
offending packets
– Source ： zombie；reflector；spoofed
address …
Solution
– Rely on the routers (PPM；ICMP)
Only for DOS
– Centralized management (log of packet infor.)
Large overhead, complex, not scalable
Deterministic Packet Marking
Each packet is
marked when it
enters the
network
Only mark
Incoming packets
Mark：address
information of this
interface
16 bit ID + 1 bit
Flag
PPM
PPM VS DPM
Router are treated as atomic units
– IP address of a router
 IP address of one of its interfaces
– Packet traveling in different direction
considered different
Mark spoofing
– Use coding technique (but not 100%)
Spoofed mark will be overwritten
PPM VS DPM (2)
PPM (full path)；DPM (address of the
ingress router)
– In datagram packet network
Every packet is individually routed
Full path traceback is as good as address of an
ingress point
– ISP use different IP address
public addresses for interfaces to customers and
other networks
private addressing plans within their own networks
Coding of a mark
Flag =0  address bits 0~15
Flag =1  address bits 16~31
Randomly setting flag value
How many packet are enough？
– n：the number of received packets
– The probability of successfully generate the ingress IP
address is greater than 1 0.5n
– 2 packets  75%；4 packets 93.75%
6 packets 98.43%；10 packets 99.9%
Pseudo code
Pros
Simple to implement
Introduces no bandwidth
Practically no processing overhead
suitable for a variety of attacks [not just (D)DoS]
Backward compatible with equipment which
does not implement it
does not have inherent security flaws
Do not reveal internet topology
No mark spoofing
Scalable
Future work
The fragmentation/reassembly problem
– Only less than 0.5% packet
– Solve：The ID field for all fragments has to be
assigned the same address bits
Attacker change IP frequently during attack
– Solve：making the destination rely only on the marks
& the hash value of the ingress router
Analyze the coding technique
IPv6 implementation
Tracing Multiple Attackers with
Deterministic Packet Marking
Andrey Belenky and Nirwan Ansari
IEEE PACRIM’03, August 2003
The problem with the basic DPM(1)
two hosts with the same Source Address
at tack the victim
ex：
The ingress addresses corresponding to these two
attackers are A0 and A1
The victim will receive A0[0], A0[1], A1[0], A1[1]
A0[0].A0[1], A0[0].A1[1], A1[0].A0[1], A1[0].A1[1]
Rate of false positive=50%
rate of false positive 
incorrectl y identified imgress address
the total number of identified ingress address
The problem with the basic DPM (2)
Change source address
Schematics
Pad
Ideal hash
Reconstruction
2
area
d 個area
each area
has k
segments
Each
segment
has 2 a
bits
Analysis
N：the number of ingress router
When N  2d false positive rate = 0
d
When N  2
– The expected number of different values the
segment will take is
N
1  2d
2  2 1  a 
 2 
a
a
Analysis (2)
– The expected number of permutations that
result in a given digest for a given area
– The number of false positives for a given area
Analysis (3)
– The total number of total false positive
– The max number of N
Analysis (4)
– The expected number of datagram
Analysis (5)
Conclusion
capable of tracing thousands of
simultaneous attackers during DDoS
attack (just DDoS)
The traceback process can be performed
post-mortem, which allows for tracing the
attacks that may not have been noticed
initially
Solve the two problem
Need more marked packets