Alex C. Snoeren†, Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Stephen T. Kent, W. Timothy Strayer
BBN Technologies
†MIT Laboratory for Computer Science
Presented by Ankur Khetrapal

• Traceback: Find the source of the "attack traffic"
• IP permits anonymity
  • Attackers can spoof IP addresses
  • IP forwarding maintains no audit trails

• Packets addressed to more than one host
• Duplicate packets
• Routers may be subverted
• Routing in the network may be unstable
• Packet size should not grow
• End hosts are resource constrained
• Traceback is an INFREQUENT operation

• Ingress point to the traceback enabled network
• Actual host or network of origin
• A compromised router within the enabled network

• Logging: a naïve in-network approach
  • Record each packet forwarding event
  • Can trace a single packet to a source router, ingress point, or subverted router(s)

[Figure: network diagram with nodes V, A, R and R1 to R7]

• Attack path reconstruction is difficult
  • Packet may be transformed as it moves through the network
• Full packet storage is problematic
  • Memory requirements are prohibitive at high line speeds

• Record only invariant packet content
  • Mask dynamic fields (TTL, checksum, etc.)
  • Store information required to invert packet transformations at performing router
• Compute packet digests instead
  • Use hash function to compute small digest
  • Store probabilistically in Bloom filters

[Figure: IP header fields (Ver, HLen, TOS, Total Length, Identification, DF, MF, Fragment Offset, TTL, Protocol, Checksum, Source Address, Destination Address, Options), First 8 bytes of Payload, Remainder of Payload; 28 bytes]

[Plot: Fraction of Collided Packets vs. Prefix Length (in bytes); series WAN (6031 hp) and LAN (2879 hp)]

• Variable capacity
  • Easy to adjust
  • Page when full
• Fixed structure size
  • Uses 2^n bit array
  • Initialized to zeros
• Insertion is easy
  • Use n-bit digest as indices into bit array
• Mitigate collisions by using multiple digests

[Figure: digests H1(P), H2(P), H3(P), ..., Hk(P) of n bits each set bits to 1 in an array of 2^n bits]

• Bloom filters may be mistaken
  • Mistake frequency can be controlled
  • Depends on capacity of full filters
• Neighboring routers won't be fooled
  • Vary hash functions used in Bloom filters
  • Each router selects hashes independently
• Long chains of mistakes highly unlikely
  • Probability drops exponentially with length

• Occasionally invariant content changes
  • IP/IPsec Encapsulation, etc.
• Packets sometimes give rise to others
  • IP Fragmentation
• Routers need to invert these transforms
  • Often requires additional information

• Only need to restore invariant content
  • Often available from the transform (e.g., ICMP)
  • Otherwise, save data at transforming router
• Index required data by transformed packet digest
• Record transform type and sufficient data to invert
• Use indirect storage for complicated transforms

[Figure: transform table entry with fields Digest (29 bits), Type (3 bits), I, Packet Data (32 bits)]

• Pros
  • Zero false negatives
  • One packet traceback
• Cons
  • Need cooperation amongst ISPs
  • Packet transform may be a bottleneck
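The digest table described in the slides, as an added sketch (not code from the presentation or its authors): it masks TTL and checksum, hashes the 20-byte header plus the first 8 payload bytes, and sets k bits in a 2^n-bit Bloom filter. Assumptions: keyed BLAKE2b stands in for each router's independently chosen hash functions, n = 16 and k = 3 are constructed values, only option-free IPv4 headers are handled, and the sample packets are constructed.

```python
import hashlib
import struct

N_BITS = 16    # digest width n; the bit array holds 2**n bits (constructed value)
K_HASHES = 3   # digests computed per packet (constructed value)

def invariant_prefix(packet: bytes) -> bytes:
    """28-byte digest input: option-free IPv4 header with TTL and checksum
    zeroed, followed by the first 8 bytes of payload."""
    if packet[0] != 0x45:
        raise ValueError("this sketch handles option-free IPv4 headers only")
    hdr = bytearray(packet[:20])
    hdr[8] = 0                  # TTL is rewritten at every hop
    hdr[10:12] = b"\x00\x00"    # header checksum changes along with the TTL
    return bytes(hdr) + packet[20:28].ljust(8, b"\x00")

class DigestTable:
    """One router's Bloom filter over packet digests."""
    def __init__(self, router_key: bytes):
        self.key = router_key                     # per-router hash selection
        self.bits = bytearray((1 << N_BITS) // 8)

    def indices(self, packet: bytes) -> list:
        data = invariant_prefix(packet)
        out = []
        for i in range(K_HASHES):
            # Keyed BLAKE2b stands in for the router's k hash functions (assumption).
            h = hashlib.blake2b(data, digest_size=4, key=self.key, salt=bytes([i]))
            out.append(int.from_bytes(h.digest(), "big") >> (32 - N_BITS))
        return out

    def record(self, packet: bytes) -> None:
        for idx in self.indices(packet):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def seen(self, packet: bytes) -> bool:
        return all(self.bits[idx >> 3] >> (idx & 7) & 1 for idx in self.indices(packet))

def make_packet(ttl: int, checksum: int, payload: bytes) -> bytes:
    """Constructed UDP-in-IPv4 sample between documentation addresses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, 17, checksum, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload
```

A downstream copy of a recorded packet still matches after its TTL and checksum change, while a table keyed for a different router maps the same packet to different bit positions.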