On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack
INFOCOM 2001. Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings. IEEE
Presented by FanChiang C.W.
Advisor: Prof. Frank Y.S. Lin
112/04/21, OPLab, NTUIM
Agenda
Abstract
Introduction
Probabilistic Packet Marking and Traceback
DoS traceback minimax problem
DDoS traceback problem
Dynamic PPM scheme
Abstract
The optimal decision problem - the victim can choose the marking probability whereas the attacker can choose the spoofed marking value, source address, and attack volume - can be expressed as a constrained minimax optimization problem, where the victim chooses the marking probability such that the number of forgeable attack paths is minimized.
Introduction
Two contributions:
First, it shows the trade-off relation between victim and attacker, which is a function of marking probability, path length, and traffic volume.
Second, for a given attack volume, the uncertainty factor might be amplified by mounting a DDoS attack.
Probabilistic Packet Marking and Traceback
Probabilistic Packet Marking and Traceback
The network is given as a directed graph G = (V, E), where V is the set of nodes and E is the set of edges.
The edges denote physical links between elements in V. Let S ⊂ V denote the set of attackers and let t ∈ V \ S denote the victim. |S| = 1 (DoS).
Probabilistic Packet Marking and Traceback (con’t)
We assume that routes are fixed [1], and the attack path A is represented as
[1] On the IP Internet, the majority of TCP sessions do not experience route changes during their connection lifetime. Generalization of PPM under dynamic routing (the routing process must be specified) is a problem for future work.
Probabilistic Packet Marking and Traceback (con’t)
(Figure: example network topology with nodes A, B, C, D, E, F, G.)
Probabilistic Packet Marking and Traceback (con’t)
(Figure: attack packets traversing the example network A–G. Legend: packet marked by the attacker; packets marked by a router; attack packets marked by a router; attack packets.)
Probabilistic Packet Marking and Traceback (con’t)
A packet x is assumed to have a marking field in which the identity of a traversed edge (v, v’) ∈ E can be inscribed.
A packet travels on the attack path A sequentially. At hop v_i ∈ {v_1, …, v_d}, packet x is marked with the edge value (v_{i-1}, v_i), i = 1, 2, …, d, with probability p (0 ≤ p ≤ 1), where v_0 = s. This is probabilistic marking.
Path Sampling
α_i(p) = p(1-p)^(d-i)   (1)
α_0(p) = (1-p)^d   (the attacker can hide his identity or fool the defender)   (2)
When N packets are transmitted, the expected number of packets reaching the target t marked by r_i is n_i(p) = N α_i(p). Note that
α_1(p) ≤ α_2(p) ≤ … ≤ α_d(p)
Path Sampling (con’t)
To receive a marked packet from v_1 requires N ≥ 1/α_1(p).
Because N is under the attacker’s control, from a purely sampling viewpoint the edge (s, v_1) is the weakest link.
Path Sampling (con’t)
which has the solution p ≤ 1/2. In general, we may consider
p ≤ 1 - 2^(-1/d); for d = 10 this gives p ≤ 0.067.
Path Sampling (con’t)
The optimal selection of N, d, and x0 by the attacker, and correspondingly optimal selection of p by the victim to achieve their individual, conflicting objectives lies at the heart of the probabilistic PPM approach to source identification.
Traceback Problem (con’t)
The spoofed marking variable x_0 can be fixed by the following theoretic argument. Let n^s_i(p) be the number of spoofed packets arriving at t marked by (u_i, v_1), and let n_0(p) = Σ_{i=1}^{m} n^s_i(p). If it holds that
then all m+1 paths are equally likely, yielding the same outcome in terms of the marking values collected at t.
Traceback Problem (con’t)
We call m, a function of p and the spoofing variable x_0, the uncertainty factor with respect to the marking probability p.
The larger m is, the higher the processing cost incurred by the victim to trace back the attack source.
Traceback Problem (con’t)
Thus, the objective of the attacker is to maximize m, whereas the objective of the victim is to minimize m.
Traceback Problem (con’t)
The formulation in (III.5) does not incorporate the attack volume N and thus unduly favors the victim.
A sampling constraint is added by requiring
N α_1(p) = N p(1-p)^(d-1) ≥ 1   (III.6)
Traceback Problem (con’t)
Thus the refined minimax optimization reflecting the victim’s sampling constraint is given by
N α_1(p) = N p(1-p)^(d-1), which as a function of p has a unimodal (bell) shape with its peak at p = 1/d.
ANALYSIS OF SINGLE-SOURCE DOS ATTACK
ANALYSIS OF SINGLE-SOURCE DOS ATTACK
(IV.1) can be derandomized, i.e., replaced by a deterministic procedure that emulates uniform generation.
n_0(p) = Σ_{i=1}^{m} n^s_i(p).
ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con’t)
Given p (determined by the victim), the attacker can achieve m = 1/p - 1.
ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con’t)
With constraint (III.6) we can define
and it can be checked that when d ≥ 2, L is convex in p.
ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con’t)
It can be viewed as a sequence of minimization problems of the objective function 1/p - 1 over L_N for N = N_0, N_0+1, … The next result gives a performance bound on the attacker’s ability to hide his identity under PPM.
ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con’t)
Theorem 2 shows that the maximum achievable uncertainty factor cannot exceed d-1, the distance between the attacker and the victim.
On the Internet, most path lengths are bounded by 25 [29].
[29] Wolfgang Theilmann and Kurt Rothermel, “Dynamic distance maps of the Internet,” in Proc. IEEE INFOCOM 2000, Mar. 2000.
ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con’t)
(Figure: d = 10, N = 26.)
Thus the attacker, by judiciously choosing the attack volume, can maximally hide his identity, up to the bound d-1.
Approximation of Uncertainty Factor
N p(1-p)^(d-1) ≥ 1
The equation N p(1-p)^(d-1) = 1 is transformed into the polynomial x^n - x^(n-1) + c by substituting 1-x, 1/c and n for p, N and d, respectively.
We divide N p(1-p)^(d-1) = 1 by N and write p as 1-x (0 ≤ x ≤ 1); thus it becomes
Approximation of Uncertainty Factor (con’t)
Assume N ≫ 1, so that 1/N ≈ 0.
First consider x^(d-1) close to 1: the left-hand side becomes (1-1/N)^(d-1) → 1 as N → ∞.
Next, when (1-1/N)^(d-1) → 0, the approximate solution is x = (1/N)^(1/(d-1)).
Approximation of Uncertainty Factor (con’t)
Thus x is approximately 1-(1/N) or (1/N)^(1/(d-1)). Therefore,
Approximation of Uncertainty Factor (con’t)
The maximum uncertainty value m of the min-max optimization problem is given by
For N = 10^5, d = 25, m is 1.6247; for N = 10^7, d = 25, m is 1.0446.
Marking Probability
Marking Probability (con’t)
d ∝ 1/p, m ∝ 1/p. Given N, as the distance d decreases, the expected number of spoofed packets N_s increases at any given value of p.
When the source of an attack is far from the victim, the attacker becomes more potent at impeding traceback.
Attack Distance
Attack Distance (con’t)
Since the distance between an attacker and victim is bounded on the Internet, an attacker has limited ability to hide his location when subject to probabilistic packet marking.
Attack Volume
To satisfy the sampling constraint, N needs to be at least d^d/(d-1)^(d-1).
As N increases, the victim can reduce the number of forgeable paths to fewer than d-1.
V. DDoS Attack
DDoS Attack
Following the uncertainty optimization framework, given a desired attack volume N, an amplification factor of M can be trivially achieved by mounting N/M-volume attacks from M separate attack sites.
DDoS Attack (con’t)
m*(∙) is a function depicting the optimum (i.e., minimax) uncertainty factor for the traffic volume given in the argument.
DDoS Attack Model – Classification (con’t)
All-source traceback: we assume the attacker is able to mount stateless intrusions when gathering attack hosts, and thus his objective is to maximize total uncertainty (vs. individual uncertainty in the any-source traceback case), since quick traceback of individual attack hosts does not present a danger with respect to revealing traceback information.
DDoS Attack Model – Classification (con’t)
The attacker’s objective is to maximize the number of forged paths that the victim has to process.
The victim’s goal is to isolate or shut down the traffic flow emanating from compromised hosts.
DDoS Attack Model – Traceback Analysis
Given M distinct sources, each source s_i sends N_i packets to the victim t from distance d_i, for 1 ≤ i ≤ M.
An attack path is represented by A_i = (s_i, v_{i,1}, v_{i,2}, …, v_{i,d}, t). Without loss of generality, assume d_i ≤ d_j for i < j.
DDoS Attack Model -Traceback Analysis (con’t)
Thus the expected number of spoofed packets from si is
for 1 ≤ i ≤ M
The expected number of packets marked by vi,1 is
Numerical Evaluation of Traceback
Let N_i = N/M and d_i = d for 1 ≤ i ≤ M, which facilitates comparability, and let m*(N_i) be the uncertainty factor achievable with volume N_i.
Then m*(N/M)/m*(N) represents the expansion rate of the uncertainty factor with respect to the distribution factor M.
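The single-source minimax model and the DDoS expansion rate described in the preceding slides, worked through in code. This is an added example, not code from the paper or the slides; it uses the slides' symbols (α_i, N, d, p, m) with function names of its own, and solves the sampling-constrained minimax numerically next to the slides' closed-form approximation.

```python
"""Single-source PPM minimax model and its DDoS amplification.

Added worked example (not code from the paper or the slides). It implements
the quantities the slides define: alpha_i(p) = p(1-p)^(d-i), the sampling
constraint N*alpha_1(p) >= 1, the attacker's achievable uncertainty
m = 1/p - 1, the victim's minimax choice of p, the closed-form approximation
m ~ x/(1-x) with x = N^(-1/(d-1)), and the expansion rate m*(N/M)/m*(N).
Function names are this example's own.
"""


def alpha(i: int, p: float, d: int) -> float:
    """Probability that a packet reaches t carrying the mark of router v_i;
    i = 0 is the attacker's own (spoofed) mark surviving all d routers."""
    return p * (1 - p) ** (d - i) if i > 0 else (1 - p) ** d


def min_attack_volume(d: int) -> float:
    """Smallest N for which N*alpha_1(p) >= 1 can hold for some p: alpha_1
    peaks at p = 1/d, which gives N_0 = d^d / (d-1)^(d-1)."""
    return d ** d / (d - 1) ** (d - 1)


def minimax_uncertainty(N: float, d: int, iters: int = 200):
    """Victim's optimum: the largest p in the feasible set L_N minimises the
    attacker's m = 1/p - 1. Returns (p*, m*), or None when N < N_0 so no p
    satisfies the sampling constraint. alpha_1 decreases on [1/d, 1], so
    bisection between a feasible lo and an infeasible hi finds the boundary."""
    if N < min_attack_volume(d):
        return None
    lo, hi = 1.0 / d, 1.0            # lo is feasible because N >= N_0
    for _ in range(iters):
        mid = (lo + hi) / 2
        if N * alpha(1, mid, d) >= 1:
            lo = mid
        else:
            hi = mid
    return lo, 1.0 / lo - 1.0


def approx_uncertainty(N: float, d: int) -> float:
    """Slides' approximation: with p = 1-x, N p (1-p)^(d-1) = 1 becomes
    x^(d-1) - x^d = 1/N, whose large-N root is x ~ N^(-1/(d-1));
    then m = 1/p - 1 = x/(1-x)."""
    x = N ** (-1.0 / (d - 1))
    return x / (1.0 - x)


def ddos_amplification(N: float, d: int, M: int) -> float:
    """Expansion rate m*(N/M)/m*(N): the same total volume N split over M
    sources at equal distance d, each source staying at volume N/M."""
    single = minimax_uncertainty(N, d)
    split = minimax_uncertainty(N / M, d)
    if single is None or split is None:
        raise ValueError("volume below the sampling threshold for this d")
    return split[1] / single[1]


if __name__ == "__main__":
    print("N_0 for d=10:", round(min_attack_volume(10), 2))
    print("d=10, N=26 -> (p*, m*):", minimax_uncertainty(26, 10))
    for N in (1e5, 1e7):
        exact = minimax_uncertainty(N, 25)[1]
        print(f"d=25, N={N:.0e}: exact m*={exact:.4f}, "
              f"approx={approx_uncertainty(N, 25):.4f}")
    print("expansion rate, N=1e5, d=25, M=10:",
          round(ddos_amplification(1e5, 25, 10), 3))
```

The exact minimax value sits above the closed-form approximation for moderate N, which is why the slides' numbers for d = 25 should be read as approximations.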
Conclusion
PPM has the advantages of efficiency and implementability over DPM; however, it has the potential drawback that an attacker may impede traceback by sending packets with spoofed marking field values as well as spoofed source IP addresses.
Conclusion (con’t)
While it is always possible for an attacker to impede exact traceback by the victim, the attacker’s ability to affect uncertainty is limited in internetworks with bounded diameters.
Taking the length d of the OD pair into account, the next paper, the Dynamic PPM scheme, is briefly introduced.
Efficient Dynamic Probabilistic Packet Marking for IP Traceback
The 11th IEEE International Conference on Networks (ICON 2003), 2003
Agenda
Introduction
Preliminaries
Dynamic Probabilistic Packet Marking
Performance Analysis
Concluding remarks
Introduction
It has been shown that PPM suffers from uncertainty under attack with spoofed packets.
During a DDoS attack, the uncertainty factor might be amplified significantly, which may diminish the effectiveness of PPM.
Introduction (con’t)
To improve the effectiveness of PPM, this paper proposes a new scheme, DPPM.
Instead of a fixed marking probability, DPPM chooses the marking probability as an inverse function of the length of the OD pair, derived from the TTL field.
Preliminaries – Issues in Choosing Probability (con’t)
Let p_i represent the marking probability of router r_i. Define the leftover probability for router r_i, denoted a_i, as
a_i = p_i × ∏_{j=i+1}^{d} (1 - p_j)   (1)
Because p is fixed in PPM,
a_i = p(1 - p)^(d-i)   (2)
Therefore the leftover probability is geometrically smaller the closer the router is to the attacker.
Preliminaries – Issues in Choosing Probability (con’t)
Let N denote the total number of attacking packets (attack volume) from an attacker to a victim.
DPPM
To have a uniform leftover probability for all routers.
To remove the uncertainty factor introduced by spoofed packets completely, which holds if every packet gets a legitimate marking along the path.
DPPM (con’t)
Eq. 3 shows that each router along the attack path has the same probability of leaving its information in the marking field.
In other words, the victim has an equal probability of obtaining each router’s information along the path, regardless of the router’s distance from the victim.
Challenge on spoofed TTL value
Challenge on spoofed TTL value (con’t)
An attacker may send packets with TTL = 129, and DPPM would then choose p as 1/126 (126 = 255 - 129). The attacker can thus get away without leaving any trace.
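The leftover-probability computation of Eq. (1) and (2), DPPM's TTL-derived marking probability, and the spoofed-TTL case above, as an added example that is not code from the DPPM paper or the slides. It assumes, as the slide's 255 - 129 = 126 example does, an initial TTL of 255 and p_i = 1/(hops travelled so far); the function names are this example's own.

```python
"""Leftover probabilities under PPM and DPPM, and the spoofed-TTL challenge.

Added worked example (not code from the DPPM paper or the slides). The
leftover probability a_i = p_i * prod_{j>i} (1 - p_j) is Eq. (1) of the
slides and fixed-p PPM gives Eq. (2). DPPM derives each router's p from the
hop count inferred from the TTL; the initial TTL of 255 and p = 1/hops
follow the slide's 255 - 129 = 126 example (assumption of this example).
Function names are this example's own.
"""
from typing import List

INITIAL_TTL = 255   # assumed initial TTL used to infer the hop count


def leftover_probabilities(marking_probs: List[float]) -> List[float]:
    """a_i = p_i * prod_{j=i+1}^{d} (1 - p_j): probability that router i's
    mark is still in the field when the packet reaches the victim. Walks the
    path from the victim backwards so each suffix product is reused."""
    d = len(marking_probs)
    leftovers = [0.0] * d
    survive = 1.0                     # prod of (1 - p_j) over routers after i
    for i in range(d - 1, -1, -1):
        leftovers[i] = marking_probs[i] * survive
        survive *= 1.0 - marking_probs[i]
    return leftovers


def ppm_probs(p: float, d: int) -> List[float]:
    """Classic PPM: every router marks with the same fixed probability."""
    return [p] * d


def dppm_probs(d: int, ttl_at_first_router: int = INITIAL_TTL - 1) -> List[float]:
    """DPPM: router i infers hops travelled h_i = INITIAL_TTL - TTL and marks
    with p_i = 1/h_i; every router decrements the TTL, so h grows by one per
    hop. An honest packet reaches the first router with h_1 = 1 (p_1 = 1).
    A spoofed low TTL makes every router believe the packet is far along."""
    probs = []
    ttl = ttl_at_first_router
    for _ in range(d):
        hops = INITIAL_TTL - ttl
        probs.append(1.0 / hops)
        ttl -= 1
    return probs


def spoofed_mark_survival(marking_probs: List[float]) -> float:
    """Probability that a mark forged by the source reaches the victim
    untouched: alpha_0 = prod_i (1 - p_i) = 1 - sum_i a_i."""
    return 1.0 - sum(leftover_probabilities(marking_probs))


if __name__ == "__main__":
    d = 10
    fmt = lambda xs: [round(a, 4) for a in xs]
    print("PPM p=0.1   :", fmt(leftover_probabilities(ppm_probs(0.1, d))))
    print("DPPM honest :", fmt(leftover_probabilities(dppm_probs(d))))
    # Slide's case: the packet arrives at the first router with TTL = 129,
    # so that router infers 126 hops and uses p = 1/126.
    spoofed = dppm_probs(d, ttl_at_first_router=129)
    print("DPPM TTL=129:", fmt(leftover_probabilities(spoofed)))
    print("forged mark survives with probability",
          round(spoofed_mark_survival(spoofed), 3))
```

With honest TTLs the telescoping product makes every a_i exactly 1/d and leaves a forged mark no chance of surviving; with the spoofed TTL of the slide each a_i drops to 1/135 for d = 10, so about 93% of forged marks reach the victim.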
Summary
Path length d_i, marking probability p, spoofing packet rate p_s, attack volume N, spoofed packets N_s, uncertainty factor m:
d_i ↑ ⇒ m_i^MAX ↑; p_s ↑ ⇒ m ↑; p ↑ ⇒ m ↓; N ↓ ⇒ m ↑.
Summary (con’t)
The PPM referred to in this paper is a framework: as long as every router on a path marks at least one packet, the attack path can be reconstructed.
IEEE/ACM Transactions on Networking, Vol. 16, Feb. 2008, proposed a PPM scheme suited to DDoS.
Summary (con’t)
To improve the security of PPM, this paper proposes message fragmentation: the marking information is split into several fragments, and each time a router marks it injects only one randomly chosen fragment. The victim therefore needs to collect more packets to reassemble the fragments into traceback information, reconstruct the attack path, find the most appropriate router and turn on a filter there.
Under different PPM architectures, m = 1/p - 1 may need its parameters adjusted.
Summary (con’t)
Attacker: increase the number of attack paths the defender has to process; spoof the marking field to mislead the defender about the attack source; consume defense resources.
Defender: after collecting enough path information, find the most appropriate router and turn on a filter there; if some path has no filter that can screen the attack packets, use a routing strategy to steer the attack packets to the nearest filter.
Summary (con’t)
| | 政祐 (senior labmate) | My work |
|---|---|---|
| PPM scheme and false positive rate | X | O |
| Spoofed packets may amplify the error rate and increase the victim’s processing cost | X | O |
| Rerouting | O | O |
| Filter allocation | Use LR, the subgradient method and heuristics to find the optimal filter placement that minimizes collateral damage | Use PPM traceback while also considering the false positive rate, attack characteristics (N, d, topology) and spoofed information; take the filter locations as given and use LR to find the optimal ON-configuration strategy that minimizes collateral damage |
Thank you for listening.