MTU CS 6461 - Network Traffic Tracking Systems

Network Traffic Tracking Systems: Folly in the Large?

Thomas E. Daniels*
Center for Education and Research in Information Assurance and Security (CERIAS)
1315 Recitation Building, Lafayette, IN 47907-1315
daniels@cerias.purdue.edu

Eugene H. Spafford
Center for Education and Research in Information Assurance and Security (CERIAS)
1315 Recitation Building, Lafayette, IN 47907-1315
spaf@cerias.purdue.edu

ABSTRACT

Recent distributed denial of service attacks have demonstrated the difficulty of tracing network attackers on the Internet and have simultaneously led to calls for the development of systems to track network traffic to its source. Tracking network traffic is difficult because of two basic techniques used to obfuscate the source of the traffic: spoofing and redirection. In this paper, we examine the desirable properties of network traffic tracking systems (NTTS) from both the technical and social perspectives. An analysis of the feasibility of a system with these properties in a number of increasingly open network models leads us to a number of conclusions. First, NTTS may be very successful in relatively closed environments where there is strong control of the infrastructure and no expectation of privacy. Second, in an open, global Internet, it is not feasible to deploy a perfect NTTS. Third, if a perfect NTTS for the Internet is not possible, how do we evaluate the consequences of deploying an evadeable NTTS?

*Primary and corresponding author.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. New Security Paradigm Workshop 9/00, Ballycotton, Co. Cork, Ireland. © 2001 ACM ISBN 1-58113-260-310110002...$5.00

1. INTRODUCTION

Recent distributed denial of service attacks have demonstrated the difficulty of tracing network attackers on the Internet and have simultaneously led to calls for the development of systems to track network traffic to its source. We call these proposed systems network traffic tracking systems (NTTS).

We consider the area of network traffic tracking a new paradigm in network security because there has been little past work, because to some extent we are going against the relatively well-researched topic of network anonymity, and because we feel the problem is not well characterized. The majority of the past work [7, 15, 19] is directed at tracing spoofed packets and denial of service attacks. Only three known works [13, 20, 21, 23] address the tracing of an attacker's actions through the network. Another factor is that while there are a substantial number of works that aim to anonymize network access, no work discusses ways to do the inverse. Finally, instead of dwelling on one or two well-known problems, we hope to consider the larger problem of network anonymity and the consequences of systems that attempt to eliminate it.

The development of NTTS is not just a technical issue. There are issues of privacy and of control of the system. In a system that covers the Internet, how do its multinational nature and distributed control make an effective NTTS possible? Furthermore, if an NTTS is less than perfect, how do we justify the cost of a system that only catches the dumb criminals?

We feel that this is an excellent topic for the New Security Paradigms Workshop for a number of reasons. First, it is a very young area to which few in the field have given much thought. Second, there is a need for consensus building around the terms and the desirable properties that make up the area. Third, our submission is likely to create a good deal of debate about the need for systems which are likely to be fallible for the foreseeable future. Finally, there is some merit to the idea that we do not need more secure networks; rather, we need methods of determining who is accountable for an action on the network, thereby deterring attacks in the first place.

2. ANONYMITY IN THE NETWORK

Informally, anonymity in the network is achieved by using two basic methods: spoofing and redirection. Spoofing in this context means to lie about the source of some piece of network traffic. Redirection means that a network entity receives network traffic, possibly modifies it in some way, and then resends the traffic. These methods may be used at various levels of a protocol stack in order to obfuscate the source of the traffic that the protocol carries.

Spoofing attacks are most closely tied to attempts to exploit trust relationships, where anonymity is simply a by-product of the attack [16, 1]. Spoofing is used for anonymity in many denial of service attacks, including the recent distributed denial of service attacks [11, 9] and classic ones [4, 6, 5, 3] as well.

Redirection is also used to hide the source of network traffic. Legitimate systems such as Crowds [18] and Onion Routing [17] use it, along with encrypting the contents of the traffic, to decouple the true source of the traffic from the receiver and possible eavesdroppers. Network attackers use a common form of redirection to hide their network access point. To do this, the attacker logs into a number of hosts in a serial fashion so that their user session is redirected from one host to the next. The attacker then launches the attack from the final host in the chain, so that the source address of the traffic is that of the final host. To make it even more difficult to trace, the attacker may use subverted hosts in many different jurisdictions and may delete useful logs from the hosts.

2.1 A Simple Model of the Problem

We have developed a high-level model of anonymity in the network that illustrates the depth of the problem and unifies the many instances of the problem observed by others. It should be known that this model is a work in progress and that we are continuing to
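Section 2 describes the two methods that defeat traffic tracking, spoofing and redirection, and notes that a chain of redirected logins combined with deleted logs is what makes a session hard to follow back to its origin. The toy model below, added here as an illustration and not the paper's own model or code, makes that concrete from the tracker's side: each host keeps an inbound and outbound session log, and a trace walks a session back hop by hop, reporting whether it reached an origin, hit a host whose logs were deleted, or found a claimed source with no record of sending anything (spoofing). Host names, session ids and the log format are all constructed for the example.

```python
"""Toy model of traffic tracking against the two anonymity methods the paper names:
spoofing (lying about the source) and redirection (relaying a session through hosts).
Added illustration, not the paper's model; hosts, session ids and logs are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    # inbound: session id on this host -> source address the login claimed
    inbound: dict[str, str] = field(default_factory=dict)
    # outbound: local session id -> (destination host, session id created there)
    outbound: dict[str, tuple[str, str]] = field(default_factory=dict)
    logs_intact: bool = True  # False once an intruder has deleted this host's logs


class ToyNetwork:
    def __init__(self) -> None:
        self.hosts: dict[str, Host] = {}

    def host(self, name: str) -> Host:
        return self.hosts.setdefault(name, Host(name))

    def login(self, src: str, dst: str, *, from_session: str | None = None,
              spoof_as: str | None = None) -> str:
        """Open a session from src to dst and log it on both ends.

        from_session ties the login to an existing session on src (redirection: the
        user arrived on src over that session and hops onward from it).
        spoof_as makes dst log a false source; the claimed host then has no matching
        outbound record, which is what a tracer later notices.
        """
        dst_host = self.host(dst)
        sid = f"{dst}-{len(dst_host.inbound) + 1}"
        dst_host.inbound[sid] = spoof_as or src
        if spoof_as is None:
            self.host(src).outbound[from_session or f"{src}-console"] = (dst, sid)
        return sid


def trace(net: ToyNetwork, seen_at: str, sid: str) -> tuple[list[str], str]:
    """Walk a session back hop by hop from the host where it was observed.

    Returns the hosts visited and why the walk stopped:
      'origin'       reached a host where the session did not arrive over the network
      'logs-missing' the next hop's logs were deleted, so the chain cannot be followed
      'unknown-host' the claimed source is not a host we can query
      'spoofed'      the claimed source has no record of sending this session
    """
    path, host = [seen_at], seen_at
    while True:
        claimed = net.hosts[host].inbound.get(sid)
        if claimed is None:
            return path, "origin"
        prev = net.hosts.get(claimed)
        if prev is None:
            return path + [claimed], "unknown-host"
        if not prev.logs_intact:
            return path + [claimed], "logs-missing"
        matches = [s for s, (d, ds) in prev.outbound.items() if (d, ds) == (host, sid)]
        if not matches:
            return path + [claimed], "spoofed"
        host, sid = claimed, matches[0]
        path.append(host)


def redirection_chain() -> tuple[list[str], str]:
    """Attacker on A hops A -> B -> C and reaches V from C; every log is intact."""
    net = ToyNetwork()
    s1 = net.login("A", "B")
    s2 = net.login("B", "C", from_session=s1)
    s3 = net.login("C", "V", from_session=s2)
    return trace(net, "V", s3)


def redirection_with_deleted_logs() -> tuple[list[str], str]:
    """Same chain, but the logs on B were deleted: the trace dead-ends at B."""
    net = ToyNetwork()
    s1 = net.login("A", "B")
    s2 = net.login("B", "C", from_session=s1)
    s3 = net.login("C", "V", from_session=s2)
    net.host("B").logs_intact = False
    return trace(net, "V", s3)


def spoofed_source() -> tuple[list[str], str]:
    """A sends to V claiming to be X; X's logs show nothing, so the trace ends at X."""
    net = ToyNetwork()
    net.host("X")  # X is a real, cooperative host that simply never sent anything
    s = net.login("A", "V", spoof_as="X")
    return trace(net, "V", s)


if __name__ == "__main__":
    for fn in (redirection_chain, redirection_with_deleted_logs, spoofed_source):
        print(f"{fn.__name__}: {fn()}")
```

The three scenarios show the paper's point in miniature: with complete, trustworthy logs at every hop the walk reaches the origin, but a single hop with deleted logs, or a claimed source that never sent the traffic, stops the walk with only a partial path. Note that from the tracker's position "logs-missing", "unknown-host" and "spoofed" all look like the same thing, a hop that cannot be confirmed, which is why the paper treats control over the infrastructure as the deciding factor for whether an NTTS can work.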