ppt3 - School of Computer Science


Hash-Based IP Traceback
U Kang
Computer Science Department
15-744 Computer Networks
Carnegie Mellon University
Motivation


Our network or hosts have been compromised
How can we trace the attacker's identity?
Problem Definition

IP traceback problem

Given packets of interest,
1. Identify the source of the packets
2. Construct an attack graph composed of the attack paths for attack packets that arrived at the victim

[Figure: Attack Graph]
Log-based Traceback


Routers keep the log of packets
If an attack occurs, routers are queried for attack packets
Challenges

C1: Minimizing Cost
- Storage used to keep information

C2: Accuracy
- No false negative
- Minimize false positive

C3: Maintaining Privacy
- A tracing system should not adversely impact the privacy of legitimate users
Proposed Method

Source Path Isolation Engine (SPIE)

Audit traffic by storing 32-bit packet digests rather than the packets themselves
- Solves “C1: Minimizing Cost”, “C3: Maintaining Privacy”

Bloom Filters to Minimize False Positive
- Solves “C2: Accuracy”

Bloom Filter
- add()
- isMember()
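
Added example (not from the original slides and not SPIE's own code): a digest table built as a Bloom filter with add() and an isMember() equivalent, queried hop by hop to recover a path. The hash function, filter size, router names, sample packets and the choice to zero the TTL and header checksum before hashing are assumptions of this example.

```python
import hashlib

class BloomFilter:
    """Bit array plus k salted hashes; it stores set bits, never packet contents."""
    def __init__(self, n_bits=1 << 16, k=3):
        self.n_bits, self.k = n_bits, k
        self.bits = bytearray((n_bits + 7) // 8)

    def _positions(self, data):
        # One 32-bit digest per salt (hash choice is an assumption of this example).
        for i in range(self.k):
            d = hashlib.blake2b(data, digest_size=4, salt=bytes([i])).digest()
            yield int.from_bytes(d, "big") % self.n_bits

    def add(self, data):
        for p in self._positions(data):
            self.bits[p >> 3] |= 1 << (p & 7)

    def is_member(self, data):  # the slide's isMember()
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(data))

def invariant(packet):
    # Assumption: option-less IPv4 header; zero TTL (byte 8) and header checksum
    # (bytes 10-11), which routers rewrite, so every hop hashes identical bytes.
    b = bytearray(packet[:28])  # 20-byte header + first 8 payload bytes
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)

def make_packet(ident, ttl):
    # Constructed sample packet: minimal IPv4 header fields plus 8 payload bytes.
    hdr = bytearray(20)
    hdr[0] = 0x45
    hdr[4:6] = ident.to_bytes(2, "big")
    hdr[8] = ttl
    hdr[12:16] = bytes([192, 0, 2, 1])      # documentation-range source
    hdr[16:20] = bytes([198, 51, 100, 7])   # documentation-range destination
    return bytes(hdr) + b"PAYLOAD!"

def trace(routers, packet):
    """Ask every router's digest table whether it forwarded this packet."""
    return [name for name, bf in routers.items() if bf.is_member(invariant(packet))]

def demo():
    routers = {name: BloomFilter() for name in ("R1", "R2", "R3", "R4")}
    for bf in routers.values():                      # background traffic everywhere
        for ident in range(1000, 1200):
            bf.add(invariant(make_packet(ident, 64)))
    for hop, name in enumerate(("R1", "R2", "R3")):  # attack path, TTL drops per hop
        routers[name].add(invariant(make_packet(7, 64 - hop)))
    return trace(routers, make_packet(7, 61))        # packet as seen at the victim
```

Routers on the path always answer yes (no false negatives); an off-path router such as R4 answers yes only on a Bloom-filter false positive, which becomes more likely as the filter fills.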
SPIE Infrastructure
STM: Traceback Manager
SCAR: Collection and Reduction Agents
DGA: Data Generation Agent

1. IDS detects an attack packet
2. IDS issues a traceback request to STM
3. STM asks all SCARs in its domain to poll their respective DGAs for the relevant traffic digests
4. SCARs construct attack subgraphs
Discussion


Deployment: can the SPIE infrastructure be deployed over multiple ISPs?

Memory Requirements?
- A core router with a max. capacity of 640M pkts/sec requires 23 GB for one minute’s storage