Transcript Slide 1
A trial of IP Traceback System
in Interop Tokyo 2008
Hiroaki Hazeyama
Nara Institute of Science and Tech.
[email protected]
1
What is IP Traceback?
• Technique to track the true forwarding path of a packet
– By querying packet capture agents
– Even when the source IP address of the target packet is spoofed
• IP Packet Traceback is expected to track attack packets
– DDoS attack, UDP exploit, spoofed DNS queries
(Figure legend: attack packet; traceback)
2
IP traceback R&D project
* A research project offered by NICT (*), started in 2005 by a consortium of six parties
* The goal of the project is a demonstration experiment of IP packet traceback
(Timeline figure, CY 2005 to 2009)
- Consortium (five other parties): research and development
- Telecom iSAC Japan: experiment preparations (investigation / examination / document making)
- Preliminary ISP field test: from October to December 2008
- Demonstration experiment: from July to December 2009
(*) NOTE: NICT stands for National Institute of Information and Communications Technology.
3
Outline of IP Traceback system
0. Store HASH data temporarily.
Each probe converts packets to HASH values and stores them in its own cache automatically.
1. Store suspicious information.
Whenever the IDS notifies a suspicious attack, the TB manager calculates the attack packet's HASH, recursively analyzes its AS map together with the neighbor ASes' TB managers automatically, and stores it in the TB-DB.
2. Detect the real attack path.
After an incident is recognized, the TB operator analyzes the TB-DB by the attack packet's HASH and detects the real attack path.
(Figure: TB Control Center with TB Manager and TB-DB; IDS and probes in ISP(a), ISP(b) and ISP(c); an attack from spoofed IP addresses, the incident, and the real attack path (AS map))
4
Toward the field test
• We have to consider
– A small-scale set of the traceback system in an actual network environment
– The operational flow with the actual traceback system
• We tried to operate our traceback system in Interop Tokyo 2008
5
Interop Tokyo 2008
• One of the biggest exhibitions/conferences for network equipment and service vendors.
• The Network Operation Center (NOC) team builds an experimental advanced network called "ShowNet" as the backbone of the event.
• This year the experimental network was connected to several peering points (Internet Exchange Points) by more than 120 Gbps of links.
• Our IP Traceback system was deployed as a part of "ShowNet".
6
Purpose of our trial in Interop
• Preparations for the preliminary field test in 2008
– Collect the information necessary for a one-ISP environment in the field test
• Data, problems and know-how to be collected through long-term consecutive operation in one ISP
• Set up actual machines in a one-ISP environment
• Data, problems and know-how to be collected at the ISP field trial
• Define any functions to be added or corrected
7
Auditing ShowNet External Links
(Figure: mirroring all external I/Fs; gathering mirrored traffic; regenerating mirrored traffic; sink hole routing)
8
Rack Layout
(Figure: manual TCPDUMP / Traceback / 10G and 1G IDS; Traceback; NICTER (traffic monitor developed by NICT))
9
Zoom-In to the Traceback System
(Figure: Snort on 4 embedded Linux boxes; All-In-One server; SW-Probe (Chelsio 10G); SW-Probe (Myri 10G); Snort on Linux; TB-Manager; TB-DB; HW-Probe)
10
Test Items on Interop
• Test A
– Setting up and operating the traceback system
• Test B
– Collaborating with traffic monitor tools
• Test C
– Visualizing the trace log with random-sampling-based requests
11
Test A (Testing the field test set)
(Figure: mirrored traffic from the exhibitors' side; Snort issues a search request with the packet signature to the TB-Manager, which uploads a summary to the TB-DB; probes: SW-Probe (Chelsio 10G-LR) x 2, SW-Probe (Myri 10G-LR), HW-Probe (10G-LR); external routers: Alaxala, Huawei, NEC, Foundry)
12
Result of Test A (cont.)
• The traceback system worked well during the conference and exhibition days
– The alert signatures of Snort included well-known worm traffic, shellcode and DoS attack signatures
– 669,810 alerts were received from 5 Snort sensors on the exhibitors' side during 5 days (from 8th June to 13th June)
– 169,843 alerts (25.35 %) were judged as "found in external links"
• The other 74.65 % of alerts were attacks originating from inside ShowNet
13
Test B (Tracing src spoofed packets)
(Figure: internet, external routers and core routers (Juniper / CISCO); a pseudo attacker sends a TCP SYN attack whose source address is 45.x.x.x (ShowNet's address); sink-hole-routed packets reach the traffic monitor, which sends a request to the All-in-One Server; the server also receives the mirrored external traffic)
14
Result of Test B
• Traffic Monitor (NICTER)
– Judged that all pseudo attack packets came from inside ShowNet
• Because the source addresses of the attack packets are included in the ShowNet address block
• Traceback
– Judged that all pseudo attack packets came from outside ShowNet
• The hash values of all pseudo attacks were cached in the SW/HW-probes
15
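As an added example, not the project's code, the following Python model walks through steps 0 to 2 of the system outline (probes cache packet hashes; the TB manager queries its own probes and the neighbor AS managers recursively and stores the AS map) and reproduces the Test B contrast between an address-based judgement and a hash-based one. The hash function, the AS names, the link names and the packet are assumptions made for illustration.

```python
import hashlib

def packet_hash(pkt):
    # Assumed hash over fields that stay constant hop by hop (TTL and header checksum
    # excluded, since routers rewrite them); the real system's OKI hash library differs.
    invariant = "|".join([pkt["src"], pkt["dst"], str(pkt["proto"]), pkt["payload"][:16]])
    return hashlib.sha256(invariant.encode()).hexdigest()[:16]

class Probe:
    """Step 0: a probe on one mirrored link caches the hash of every packet it sees."""
    def __init__(self, link):
        self.link, self.cache = link, set()
    def observe(self, pkt):
        self.cache.add(packet_hash(pkt))

class TBManager:
    """Steps 1-2: check local probes, ask neighbor AS managers recursively, store AS map."""
    def __init__(self, as_name, probes, neighbors=()):
        self.as_name, self.probes, self.neighbors = as_name, probes, neighbors
        self.tb_db = {}  # hash -> AS path, looked up later by the TB operator
    def links_with(self, h):
        return [p.link for p in self.probes if h in p.cache]
    def trace(self, pkt, visited=None):
        h, visited = packet_hash(pkt), (set() if visited is None else visited)
        visited.add(self.as_name)
        if not self.links_with(h):
            return []  # this AS never forwarded the packet
        path = [self.as_name]
        for nb in self.neighbors:
            if nb.as_name not in visited:
                path += nb.trace(pkt, visited)
        self.tb_db[h] = path
        return path

def judge_origin(pkt, manager, local_prefix="45."):
    # Test B: the traffic monitor (NICTER) judges by the source address alone, while
    # traceback judges by whether an external-link probe cached the packet's hash.
    by_address = "inside" if pkt["src"].startswith(local_prefix) else "outside"
    by_hash = "outside" if manager.links_with(packet_hash(pkt)) else "inside"
    return by_address, by_hash

def run_test_b():
    # Constructed pseudo attack: TCP SYN from outside, source spoofed into ShowNet's
    # 45.x.x.x block; addresses and AS names are made up for this example.
    syn = {"src": "45.0.0.10", "dst": "45.0.0.80", "proto": 6, "payload": "SYN"}
    upstream = TBManager("upstream-AS", [Probe("upstream peering link")])
    shownet = TBManager("ShowNet", [Probe("ShowNet external link")], [upstream])
    for m in (upstream, shownet):
        m.probes[0].observe(syn)  # step 0: both probes saw the packet pass
    return judge_origin(syn, shownet), shownet.trace(syn)
```

The address-based judgement says "inside" while the hash-based one says "outside", and the trace returns the AS path from ShowNet back to the upstream AS.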
Result of Test B (cont.)
(Screenshot: request from NICTER for the pseudo attack packet; the packet hash was found in the external traffic)
16
Test C (Visualization of Traffic)
(Figure: 10G tcpdump with sampling on the All-in-One Server, which produces a summary for visualization; external routers (Alaxala, Huawei, NEC, Foundry) with a Regeneration Tap (Net Optics) and an L2 Switch (CISCO))
17
Visualization on Test C
18
Summary
• A trial of the IP traceback system in Interop Tokyo 2008
– Success !!!
• Based on the results at Interop, we are brushing up our implementation and operational flow
– Now we are preparing the preliminary field test, starting this autumn in a data center environment
19
Future plans
• Domestic field tests
– The preliminary field test with Japanese commercial ISPs will start this autumn
– The actual field test is planned from July to December 2009
• International field tests
– We are planning the international field test after the domestic field test (2010 - )
– We are now looking for collaborators in research networks
– If you are interested in our work, please mail to
hiroa-ha at is.naist.jp
20
Thank you for your attention
http://iplab.naist.jp/research/traceback/
21
Any Questions ?
22
Appendix
23
Detail of Mirroring
(Figure: external routers Alaxala, Huawei, NEC and Foundry; three SW-probes and one HW-probe; 10G tcpdump and the All-in-One Server fed through a Regeneration Tap (Net Optics) and an L2 Switch (CISCO))
24
Experiments in Lab
• We had large-scale experiments at the NICT Hokuriku research center in 2007
– With 200 physical servers
– Mapping the JP domain AS (eBGP) topology
– The software traceback implementation ran on each AS
– DDoS from 3 attack ASes to 1 AS
– Tracing the AS path of attack packets from the destination AS to the source ASes
25
Hardware Spec.
• Test A
– NEC Express 5800 110R
• XEON 2G x 2, 8GB memory, 250GB SATA disk, IPMI enabled, four 1000TX I/F
• Used for TB-Manager, TB-DB, Snort
• Also used for one SW-Probe with one Myri 10G-LR card
– Procide AmazeBlast Eco120
• Athlon 2G x 1, 8G memory, 200GB SATA disk, two 1000TX I/F
• Used for two SW-Probes with Chelsio 10G-LR card
– OKI Electric HW-Probe box
• One 10G-LR I/F and ten 1000T I/Fs, one 1000T I/F for control
26
Hardware Spec.
• Test B, C
– Procide AmazeBlast Eco120
• Athlon 2G x 1, 8G memory, 200GB SATA disk, two 1000TX I/F
• Two SW-Probes with Chelsio 10G-LR card
• Used for All-In-One Server
– Mac mini
• Used for running a visualization tool
27
Software Spec.
• OS
– Debian 4.0
• Software Traceback Implementations
– C++
– TB-Manager, SW-Probe
• Developed by NAIST and Matsushita Electric Works
– TB-DB
• Developed by KDDI Lab.
– HW-friendly Packet Hash Algorithm Library
• Developed by OKI Electric
– Client Agent
• Developed by NAIST
• Visualization Tool
– C++ with Qt4
– Developed by NAIST
28