Tracking and Tracing Cyber-Attacks Howard F. Lipson, Ph.D. CERT® Coordination Center


Page 1: Tracking and Tracing Cyber-Attacks Howard F. Lipson, Ph.D. CERT ® Coordination Center

Tracking and TracingCyber-Attacks

Howard F. Lipson, Ph.D.

CERT® Coordination Center

Page 2:

Outline

• Problem with Internet Security

• Shortfalls in the Current Internet Environment

• Near-Term Solutions

• Long-Term Solutions – Next-Generation Internet Protocol

Page 3:

Problem with Internet Security (1)

Page 4:

Problem with Internet Security (2)

Page 5:

Shortfalls in the Current Internet Environment (1)

• The Internet was never designed for tracking and tracing user behavior.
 – Functionality and performance were the focus.

• The Internet was not designed to resist highly untrustworthy users.
 – Only external attack was considered.

• A packet’s source address is untrustworthy, which severely hinders tracking.
 – IP spoofing and relaying through intermediate nodes are used.

Page 6:

Shortfalls in the Current Internet Environment (2)

• The current threat environment far exceeds the Internet’s design parameters.
 – There are more high-stakes Internet applications.

• The expertise of the average system administrator continues to decline.

• Attacks often cross multiple administrative, jurisdictional, and national boundaries.

Page 7:

Shortfalls in the Current Internet Environment (3)

• High-speed traffic hinders tracking.

• Tunnels impede tracking.

• Hackers destroy logs and other audit data.

• Anonymizers protect privacy by impeding tracking.

• The ability to link specific users to specific IP addresses is being lost.

• Purely defensive approaches will fail, so deterrence through tracking and tracing is crucial.

Page 8:

Near-Term Solutions (1): Hop-by-Hop IP Traceback

• Labor-intensive

• For tracing large packet flows with spoofed source addresses

• DDoS attacks are extremely difficult to trace via this process

[Figure: the trace runs from the victim back through the edge router(s) toward the attacker, coordinated by an ISP security broker]

Page 9:

Near-Term Solutions (2): CenterTrack

• Optimizes hop-by-hop IP traceback

• Steps
 – Create an overlay network (IP tunneling).
 – In the event of a DoS attack, the ISP diverts the flow of attack packets from the existing ISP network onto the overlay tracking network.
 – The attack packets can now be easily traced back, hop by hop, through the overlay network.

Page 10:

Near-Term Solutions (3): Ingress Filtering or Egress Filtering

• Network Ingress Filtering
 – Discard all packets whose source IP address does not fall within the valid range of the customer’s known IP addresses.

• Network Egress Filtering
 – The same check applied by the corporate network administrator to traffic leaving the organization’s network.

• IETF
 – Internet Best Current Practice for the Internet Community
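The filtering rule described on this slide (standardized by the IETF as RFC 2827 / BCP 38), worked as an added example that is not part of the original slides. The interface names, prefixes and sample packets are constructed; the ISP-side ingress check and the corporate-side egress check are the same comparison of a packet's source address against the prefixes legitimately assigned to where it came from.

```python
import ipaddress

# Constructed: the prefixes an ISP has assigned to each customer-facing
# interface.  A packet arriving on an interface must carry a source address
# inside that interface's prefixes; anything else is treated as spoofed.
INTERFACE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/26")],
}

def ingress_permits(interface, src):
    """Return True if a packet with source `src` may enter via `interface`."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERFACE_PREFIXES.get(interface, []))

def egress_permits(src, internal_prefixes):
    """The same rule applied by a corporate administrator in the outbound
    direction: only the organisation's own address ranges may leave."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in internal_prefixes)

def filter_packets(packets):
    """Apply the ingress rule to (interface, src, dst) tuples.
    Returns (passed, dropped) lists in arrival order."""
    passed, dropped = [], []
    for iface, src, dst in packets:
        (passed if ingress_permits(iface, src) else dropped).append((iface, src, dst))
    return passed, dropped

# Constructed traffic sample: packets 3 and 4 carry sources never assigned to
# the interface they arrived on, so they are discarded at the ISP edge.
SAMPLE = [
    ("cust-a", "203.0.113.10", "192.0.2.1"),
    ("cust-b", "198.51.100.130", "192.0.2.1"),
    ("cust-a", "198.51.100.7", "192.0.2.1"),
    ("cust-b", "198.51.100.200", "192.0.2.1"),
]
```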

Page 11:

Near-Term Solutions (4): Backscatter Traceback

• Steps
 – The attack is reported to an ISP.
 – The ISP configures all of its routers to reject all packets destined for the victim.
 – Rejected packets are “returned to sender” as ICMP error messages.
 – The ISP configures all of its routers to blackhole many of the ICMP error packets that carry illegitimate destination IP addresses.
 – Analysis by the blackhole machine quickly traces the attack to one or more routers at the outermost boundary of the ISP’s network.
 – The ISP removes the filter blocking the victim’s IP address from all routers except those serving as the entry points for the DDoS attack.
 – The ISP asks neighboring ISPs, upstream of the attack, to continue the trace.
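The analysis the blackhole machine performs in the steps above, simulated as an added example that is not from the original slides. Router names, addresses, the blackholed ranges and the traffic sample are all constructed; the point it shows is that only ICMP errors addressed to spoofed, never-routable sources reach the blackhole machine, and counting those per originating router singles out the entry routers.

```python
import ipaddress
from collections import Counter

VICTIM = "192.0.2.1"   # constructed: the address under DDoS

# Constructed: address ranges that never appear as a genuine packet source.
# The ISP routes them to its blackhole machine, so ICMP errors "returned" to
# such addresses are collected there instead of being silently dropped.
BLACKHOLED = [ipaddress.ip_network(p) for p in
              ("0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "240.0.0.0/4")]

def is_blackholed(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in BLACKHOLED)

def router_reject(router_ip, pkt):
    """Steps 2-3: a border router told to reject traffic for the victim drops
    the packet and sends an ICMP destination-unreachable to the packet's
    (possibly spoofed) source; the error's own source address is the router."""
    if pkt["dst"] != VICTIM:
        return None
    return {"src": router_ip, "dst": pkt["src"], "type": "dest-unreachable"}

def blackhole_analysis(icmp_errors):
    """Steps 4-5: the blackhole machine sees only errors addressed to blackholed
    space; counting them per generating router shows where the flood enters."""
    return Counter(e["src"] for e in icmp_errors if is_blackholed(e["dst"]))

def find_entry_points(routers, traffic, threshold):
    """routers: {name: ip}; traffic: [(router_name, packet)].  Returns names of
    routers whose count of blackholed ICMP errors reaches `threshold` (step 6:
    the reject filter stays only on these entry points)."""
    errors = [router_reject(routers[name], pkt) for name, pkt in traffic]
    counts = blackhole_analysis([e for e in errors if e])
    return sorted(name for name, ip in routers.items() if counts[ip] >= threshold)

# Constructed sample: R2 carries a 50-packet flood with random-looking spoofed
# sources, R3 a trickle, R1 only genuine traffic whose errors reach real hosts.
ROUTERS = {"R1": "198.51.100.1", "R2": "198.51.100.2", "R3": "198.51.100.3"}
SAMPLE = (
    [("R1", {"src": "203.0.113.5", "dst": VICTIM})]
    + [("R2", {"src": f"10.{i}.0.{i}", "dst": VICTIM}) for i in range(50)]
    + [("R3", {"src": f"241.0.0.{i}", "dst": VICTIM}) for i in range(3)]
    + [("R1", {"src": "203.0.113.9", "dst": "192.0.2.200"})]
)
```

A real flood with random spoofed sources only partly lands in blackholed space, so the threshold separates the true entry router from routers that merely saw a few stray errors.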

Page 12:

Page 13:

Near-Term Solutions (5): Probabilistic Approaches

• ICMP Traceback
 – ICMP traceback message

• Probabilistic Packet Marking
 – IP header

Page 14:

Near-Term Solutions (6): Single-Packet IP Traceback

• In theory
 – Keep a log at each router in the Internet
  • Tamper-proof
  • Fully authenticated
 – Technically infeasible
  • Storage
  • Privacy

• Hash-Based IP Traceback
 – Packet digests
 – Reduces the storage requirement to 0.5% of the link capacity per unit of time and helps privacy
 – Issues
  • Computational resources
  • Transformation information (fragmentation, tunneling) corresponding to the packet digests is stored in a transformation lookup table
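The hash-based scheme on this slide, as an added example that is not from the original slides: each router keeps a Bloom filter of per-packet digests instead of the packets themselves, and the victim's side reconstructs the path by asking, hop by hop upstream, which router's filter contains the digest of a captured attack packet. The topology, header fields, Bloom-filter sizes and the choice to hash the first 8 bytes of payload are constructed simplifications; the transformation lookup table for fragmented or tunneled packets is not modeled.

```python
import hashlib

class DigestTable:
    """Bloom filter of packet digests kept by one router for one time window.
    Constructed simplification of the hash-based idea: a router stores a few
    bits per packet, not the packet, so storage stays a small fraction of link
    capacity and no packet contents are retained (helping privacy)."""
    def __init__(self, m_bits=4096, k=3):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, digest):
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + digest).digest()
            yield int.from_bytes(h[:4], "big") % self.m

    def add(self, digest):
        for p in self._positions(digest):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, digest):
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(digest))

def packet_digest(header, payload):
    """Digest over fields that do not change hop to hop (TTL and checksum are
    deliberately left out) plus the first 8 bytes of payload."""
    invariant = (header["src"], header["dst"], header["id"], header["proto"], header["len"])
    return hashlib.sha256(repr(invariant).encode() + payload[:8]).digest()

def trace_path(routers, upstream, start, digest):
    """From the victim-side router, step to the upstream neighbour whose table
    saw the digest; stop when no unvisited neighbour did."""
    path = [start]
    while True:
        nxt = [r for r in upstream.get(path[-1], []) if r not in path and digest in routers[r]]
        if not nxt:
            return path
        path.append(nxt[0])

def build_example():
    """Constructed topology: attack packet travels A -> B -> C -> D (D serves the
    victim); E and F only forwarded unrelated traffic."""
    routers = {n: DigestTable() for n in "ABCDEF"}
    upstream = {"D": ["E", "C"], "C": ["B"], "B": ["A"], "E": ["F"]}
    hdr = {"src": "203.0.113.7", "dst": "192.0.2.1", "id": 0x1A2B, "proto": 6, "len": 60}
    payload = b"GET / HTTP/1.0\r\n"
    for hop, name in enumerate("ABCD"):
        routers[name].add(packet_digest(dict(hdr, ttl=64 - hop), payload))  # TTL changes, digest does not
    other = {"src": "198.51.100.9", "dst": "192.0.2.1", "id": 7, "proto": 17, "len": 80}
    for name in "EF":
        routers[name].add(packet_digest(other, b"unrelated datagram"))
    return routers, upstream, packet_digest(dict(hdr, ttl=1), payload)
```

Each table here holds one time window; a deployment would keep a ring of tables per router and the query would also carry the time the packet was seen.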

Page 15:

Long-Term Solutions (1): Issues of Next-Generation Internet Protocol

• Next-generation Internet protocols will be required to deal with trust on other than a binary basis.

• Entry-point anonymity refers to the inability to link an Internet IP address to any human actor or organization.

• Can next-generation protocols be designed so as to increase the cost to the attacker and decrease the cost to the defender?

• Supporting vigilant resource consumption.

• Supporting marketplace negotiation of trust versus privacy trade-offs (trust broker).

• Next-generation Internet protocols must allow for variable levels of trust under various attack states (situation-sensitive).

• Sufficient header space for tracking information.

Page 16:

Long-Term Solutions (2): Emerging Next-Generation Security Protocols

• Internet Protocol Security (IPSec)
 – Characteristics
  • AH (Authentication Header)
  • ESP (Encapsulating Security Payload)
  • IKE (Internet Key Exchange)
 – Shortfalls
  • Vigilant resource consumption
  • Fine-grained authentication of trust
  • Situation-sensitive

• Internet Protocol Version 6 (IPv6)
 – Characteristics
  • IP addresses are 128 bits long.
  • IPSec built in.
  • Flexible header structure
  • Address space is enormous