IP Traceback With Deterministic Packet Marking
Andrey Belenky and Nirwan Ansari
IEEE Communications Letters, VOL. 7, NO. 4, April 2003
Presenter: 林怡彣

Introduction
IP traceback problem
– The problem of identifying the source of the offending packets
– Source: zombie; reflector; spoofed address ...
Solutions so far
– Rely on the routers (PPM; ICMP): only for DoS
– Centralized management (log of packet information): large overhead, complex, not scalable

Deterministic Packet Marking
Each packet is marked when it enters the network
– Only incoming packets are marked
– Mark: address information of the ingress interface, carried in the 16-bit ID field + 1-bit flag

PPM vs DPM
Routers are treated as atomic units
– PPM marks the IP address of a router; DPM marks the IP address of one of its interfaces
– Packets traveling in different directions are considered different
Mark spoofing
– PPM: uses a coding technique (but not 100% effective)
– DPM: a spoofed mark is simply overwritten at the ingress router

PPM vs DPM (2)
PPM reconstructs the full path; DPM reconstructs the address of the ingress router
– In a datagram packet network every packet is individually routed, so full path traceback is only as good as the address of an ingress point
– ISPs use different IP address ranges: public addresses for interfaces to customers and other networks, private addressing plans within their own networks

Coding of a mark
Flag = 0: address bits 0~15
Flag = 1: address bits 16~31
The flag value is set randomly

How many packets are enough?
– n: the number of received packets
– The probability of successfully generating the ingress IP address is greater than 1 - 0.5^n
– 2 packets: 75%; 4 packets: 93.75%; 6 packets: 98.43%; 10 packets: 99.9%

Pseudo code

Pros
Simple to implement
Introduces no bandwidth overhead
Practically no processing overhead
Suitable for a variety of attacks (not just (D)DoS)
Backward compatible with equipment which does not implement it
Does not have inherent security flaws
Does not reveal Internet topology
No mark spoofing
Scalable

Future work
The fragmentation/reassembly problem
– Affects less than 0.5% of packets
– Solution: the ID field for all fragments has to be assigned the same address bits
Attacker changes IP frequently during the attack
– Solution: make the destination rely only on the marks and the hash value of the ingress router
Analyze the coding technique
IPv6 implementation

Tracing Multiple Attackers with Deterministic Packet Marking
Andrey Belenky and Nirwan Ansari
IEEE PACRIM'03, August 2003

The problem with the basic DPM (1)
Two hosts with the same source address attack the victim
– Example: the ingress addresses corresponding to these two attackers are A0 and A1
– The victim will receive A0[0], A0[1], A1[0], A1[1]
– Possible reconstructions: A0[0].A0[1], A0[0].A1[1], A1[0].A0[1], A1[0].A1[1]
– Rate of false positives = 50%
– Rate of false positives = (incorrectly identified ingress addresses) / (total number of identified ingress addresses)

The problem with the basic DPM (2)
Change of source address during the attack

Schematics
Pad
Ideal hash
Reconstruction
– 2^d areas; each area has k segments; each segment has 2^a bits

Analysis
N: the number of ingress routers
– When N ≤ 2^d: false positive rate = 0
– When N > 2^d: the expected number of different values the segment will take is N 1 2d 2 2 1 a 2 a a
Analysis (2)
– The expected number of permutations that result in a given digest for a given area
– The number of false positives for a given area
Analysis (3)
– The total number of false positives
– The maximum value of N
Analysis (4)
– The expected number of datagrams
Analysis (5)
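The basic DPM scheme and the multiple-attacker false positive described above, as an added Python illustration (not the authors' code or pseudocode); the ingress and spoofed source addresses are constructed sample values.

```python
import random
from itertools import product

# Added illustration of basic DPM; addresses below are constructed samples.

def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def mark_packet(ingress_ip, src_ip, flag=None):
    """Ingress router: pick the flag at random and overwrite the 16-bit ID field
    with the matching half of its own interface address. Whatever the sender put
    there is overwritten, which is why a mark cannot be spoofed."""
    if flag is None:
        flag = random.getrandbits(1)
    addr = ip_to_int(ingress_ip)
    half = (addr >> 16) & 0xFFFF if flag == 0 else addr & 0xFFFF
    return {"src": src_ip, "id": half, "flag": flag}

def reconstruct(packets):
    """Victim: per source address, join every seen first half (flag 0) with every
    seen second half (flag 1). Returns {src: set of candidate ingress addresses}."""
    halves = {}
    for p in packets:
        first, second = halves.setdefault(p["src"], (set(), set()))
        (first if p["flag"] == 0 else second).add(p["id"])
    return {src: {int_to_ip((f << 16) | s) for f, s in product(first, second)}
            for src, (first, second) in halves.items()}

def false_positive_rate(candidates, true_ingress):
    """Slide definition: incorrectly identified / total identified ingress addresses."""
    if not candidates:
        return 0.0
    return len(candidates - set(true_ingress)) / len(candidates)

def p_success_bound(n):
    """The bound quoted on the slide for n received packets: 1 - 0.5^n."""
    return 1 - 0.5 ** n

def two_attackers_demo():
    """Two attackers behind different ingress routers spoof the same source
    address, so the victim joins halves from both routers: 4 candidates, 2 wrong."""
    spoofed = "203.0.113.7"  # constructed spoofed source address
    routers = ("10.0.0.1", "192.168.5.9")  # constructed ingress addresses A0, A1
    pkts = [mark_packet(r, spoofed, f) for r in routers for f in (0, 1)]
    cands = reconstruct(pkts)[spoofed]
    return cands, false_positive_rate(cands, routers)
```

With a single attacker per source address the join yields exactly one candidate; the demo reproduces the slide's 50% false positive rate for two attackers sharing a source.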
Conclusion
Capable of tracing thousands of simultaneous attackers during a DDoS attack (just DDoS)
The traceback process can be performed post-mortem, which allows tracing attacks that may not have been noticed initially
Solves the two problems of the basic scheme
Needs more marked packets