Transcript Powerpoint

iTrace Probability: 1/20,000
Every router turns a forwarded packet into an iTrace message with a constant per-packet probability of 1/20,000. Routers closer to the victim carry the aggregated attack traffic, so useful iTrace messages are produced there very frequently. Routers closer to a slave that sends at a low packet rate, however, can statistically take a very long time before the “right” iTrace message (one about that attack flow) is generated.
[Figure: three traffic plots, from top to bottom]
– A high-rate attack flow from the slave
– A low-rate attack flow from the slave
– Aggregation of lower-rate flows at routers near the victim
08/02/2001
S. Felix Wu and Dan Massey
1
Intention-driven iTrace
• Different destination hosts, networks and domains/ASs have different “intention levels” in receiving iTrace packets.
  – We propose to add one “iTrace-intention” bit.
  – Some of them might not care about iTrace, and some might not be under DDoS attack, for example.
Intention-Driven iTrace architecture
(draft-wu-itrace-intention-01.txt)
[Figure: architecture diagram with two layers]
– User (firmware) layer: BGP routing table carrying the iTrace intention bits; Intention selection module; iTrace generation module; intention iTrace trigger, taken for P% of the iTrace triggers.
– Kernel (hardware) layer: packet forwarding table carrying the iTrace Execution bit; iTrace selection at 1/20K; a copy of the selected packet is passed up to the iTrace generation module.
Processing Overhead
When the 1/20K iTrace message trigger occurs (intention branch, taken with probability Piit):
1. Select one entry whose iTrace Intention bit is set in the BGP table, and set the corresponding iTrace Execution bit in the forwarding table.
Processing for each forwarded data packet:
1. If the iTrace Execution bit of the matching forwarding entry is 1:
   (1) copy this packet to the iTrace daemon;
   (2) reset the iTrace Execution bit to 0.
Differences from the 00 draft
• Piit for probabilistically controlling normal versus intention iTrace.
• The difference between iib (iTrace intention bits in the BGP routing table) and ieb (iTrace execution bit in the forwarding table).
Comments Received
• Confusion about the “statistics”.
  – Each packet has a constant probability (1/20K) of being traced.
  – Packet flows with a higher rate therefore statistically get iTraced sooner.
• Maliciously sending “intentions” to grab all the iTrace resources.
  – Using Piit < 1 keeps a share of normal iTrace that intentions cannot capture.
• Hard to add one extra bit to the forwarding table.
  – Looking for ways to implement intention iTrace without modifying the packet forwarding process.
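The trigger and per-packet procedure from the Processing Overhead slide, together with the Piit fallback discussed under Comments Received, as an added simulation written for this transcript (it is not the authors' Linux prototype). The names iib, ieb, the prefix labels and the 2% low-rate traffic mix are assumptions; the 1/20K probability is the draft's.

```python
import random

ITRACE_PROB = 1.0 / 20000   # the draft's constant 1/20K per-packet trigger probability


class IntentionITraceRouter:
    """Toy model of one router running intention-driven iTrace.

    Illustration written for this transcript, not the authors' code.
    Assumed names: iib = iTrace intention bit kept in the BGP table
    (set when the destination advertises an intention), ieb = iTrace
    execution bit kept in the forwarding table.
    """

    def __init__(self, prefixes, intended, p_iit, rng=None):
        self.rng = rng or random.Random()
        self.p_iit = p_iit                                   # Piit from draft-01
        self.iib = {p: (p in intended) for p in prefixes}    # BGP table side
        self.ieb = {p: 0 for p in prefixes}                  # forwarding table side
        self.messages = []                                   # (packet_no, prefix, kind)
        self.packet_no = 0

    def trigger(self):
        """Control plane, run each time the 1/20K trigger fires.

        With probability Piit pick one BGP entry whose iib is set and arm its
        forwarding entry by setting ieb; otherwise return False so the caller
        does classic iTrace on the packet that fired the trigger.
        """
        if self.rng.random() < self.p_iit:
            candidates = sorted(p for p, bit in self.iib.items() if bit)
            if candidates:                   # nobody advertised an intention -> classic iTrace
                self.ieb[self.rng.choice(candidates)] = 1
                return True
        return False

    def forward(self, prefix):
        """Data plane. Per packet: one bit test on the forwarding entry, then
        the usual 1/20K draw. Returns what happened to this packet."""
        self.packet_no += 1
        if self.ieb[prefix] == 1:
            # (1) copy this packet to the iTrace daemon, (2) reset the bit
            self.messages.append((self.packet_no, prefix, "intention"))
            self.ieb[prefix] = 0
            return "intention"
        if self.rng.random() < ITRACE_PROB:
            if self.trigger():
                return "armed"               # a later packet to the chosen prefix gets traced
            self.messages.append((self.packet_no, prefix, "normal"))
            return "normal"
        return None


def first_trace(router, prefix):
    """Packet number of the first iTrace message about prefix, or None."""
    return next((n for n, p, _ in router.messages if p == prefix), None)


def simulate(p_iit, intended, n_packets, low_share=0.02, seed=1):
    """Constructed traffic: a high-rate flow ("high") and a low-rate flow
    ("low", low_share of all packets) through one router. Reports when each
    destination first appears in an iTrace message and how many messages of
    each kind were produced."""
    rng = random.Random(seed)
    r = IntentionITraceRouter(["high", "low"], intended, p_iit, rng)
    for _ in range(n_packets):
        r.forward("low" if rng.random() < low_share else "high")
    kinds = [k for _, _, k in r.messages]
    return {
        "first_high": first_trace(r, "high"),
        "first_low": first_trace(r, "low"),
        "normal": kinds.count("normal"),
        "intention": kinds.count("intention"),
    }


if __name__ == "__main__":
    n = 1_000_000
    print("classic iTrace, Piit=0:            ", simulate(0.0, set(), n))
    print("intention iTrace, Piit=1, low wants:", simulate(1.0, {"low"}, n))
    print("Piit=0.5 keeps some normal iTrace: ", simulate(0.5, {"low"}, n))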
Relationship with “iTrace”
• Add iib, ieb and the mechanism for
processing “iTrace triggers”.
• The proposed architecture will be identical
to the original iTrace architecture if Piit = 0.
• Need to worry about the “probability
element (TAG = 0x0A)” when Piit > 0.
08/02/2001
S. Felix Wu and Dan Massey
7
Status
• Simulation results for draft-00 to appear in
ICCCN’2001.
• Simulation and prototype implementation
(in Linux) for draft-01 in progress.
• Probability analysis (for the probability
element, TAG=0x0A) for intention iTrace
just started.
08/02/2001
S. Felix Wu and Dan Massey
8