A trial of IP Traceback System in Interop Tokyo 2008

Page 1:

A trial of IP Traceback System in Interop Tokyo 2008

Hiroaki Hazeyama, Nara Institute of Science and Tech.

hiroa-ha@is.naist.jp

Page 2:

What is IP Traceback ?

• Technique to track the true forwarding path of a packet
  – By querying packet capture agents
  – Even when the source IP address of the target packet is spoofed
• IP Packet Traceback is expected to track attack packets
  – DDoS attack, UDP exploit, spoofed DNS queries

(Figure legend: traceback; attack packet)

Page 3:

IP traceback R&D project

* A research project offered by NICT(*), started 2005 by the Consortium of six parties
* Goal of the project is Demonstration Experiment of IP packet traceback

(Timeline figure, CY 2005 to 2009)
- Research and development
- Experiment preparations: investigation / examination / document making
- Preliminary ISP field test: from October to December 2008
- Demonstration Experiment: from July to December 2009
- Consortium: NICT, Telecom-ISAC Japan, and five other parties

(*) NOTE: NICT stands for National Institute of Information and Communications Technology.

Page 4:

Outline of IP Traceback system

(Figure: ISP(a), ISP(b) and ISP(c), each with a TB Manager, TB-DB and Probe; IDS; TB Control Center; Incident; Real attack; Real attack path (AS map); Attack from spoofed IP addresses)

0. Store HASH data temporarily. Each probe converts packets to hashes and stores them in its own cache automatically.
1. Store suspicious information. Whenever the IDS notifies a suspicious attack, the TB manager calculates the attack packet's hash, automatically and recursively analyzes its AS map together with the neighbor ASes' TB managers, and stores the result in the TB-DB.
2. Detect the real attack path. After an incident is recognized, the TB operator analyzes the TB-DB by the attack packet's hash and detects the real attack path.
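The three steps above, as an added example that is not the project's own code: a probe on each inter-AS link keeps only packet hashes, the TB manager follows a hash upstream neighbour by neighbour and stores the resulting AS path in its TB-DB, and the operator later looks it up by hash. The topology (three chained ISPs), the addresses, the payloads and the hash function are all constructed for the example; the trace also handles a hash that entered over several neighbours, which the slide does not show.

```python
"""Hash-based IP traceback across peering ISPs (constructed example)."""
import hashlib
from typing import Dict, List, Optional, Set


def packet_hash(src: str, dst: str, proto: int, payload: bytes) -> str:
    """Digest over fields that stay constant hop by hop. TTL and the IP header
    checksum are left out on purpose: routers rewrite them, so including them
    would make one packet hash differently at every probe. (Assumed scheme.)"""
    return hashlib.sha256(f"{src}|{dst}|{proto}|".encode() + payload).hexdigest()


class Probe:
    """Step 0: a capture agent on one link. It stores hashes, never payloads."""

    def __init__(self) -> None:
        self.cache: Set[str] = set()

    def observe(self, src: str, dst: str, proto: int, payload: bytes) -> None:
        self.cache.add(packet_hash(src, dst, proto, payload))


class TBManager:
    """Steps 1 and 2: one manager per AS. ingress[n] is the probe on the link that
    carries traffic from neighbour AS n into this AS; tbdb is this AS's TB-DB."""

    def __init__(self, asn: str) -> None:
        self.asn = asn
        self.ingress: Dict[str, Probe] = {}
        self.neighbors: Dict[str, "TBManager"] = {}
        self.tbdb: Dict[str, List[List[str]]] = {}

    def peer(self, other: "TBManager") -> None:
        """Bidirectional link: each side gets a probe watching the other's output."""
        self.ingress[other.asn], other.ingress[self.asn] = Probe(), Probe()
        self.neighbors[other.asn], other.neighbors[self.asn] = other, self

    def trace(self, h: str, visited: Optional[Set[str]] = None) -> List[List[str]]:
        """Recursively follow the hash upstream. Every ingress probe holding the hash
        opens a branch, so a packet that arrived over several neighbours yields
        several paths; an AS where no ingress probe saw it is reported as the origin."""
        visited = set(visited or ()) | {self.asn}
        branches: List[List[str]] = []
        for nb, probe in self.ingress.items():
            if h in probe.cache and nb not in visited:
                for tail in self.neighbors[nb].trace(h, visited):
                    branches.append([self.asn] + tail)
        return branches or [[self.asn]]

    def on_alert(self, src: str, dst: str, proto: int, payload: bytes) -> str:
        """Step 1: the IDS reported this packet; analyse the AS map now and store it."""
        h = packet_hash(src, dst, proto, payload)
        self.tbdb[h] = self.trace(h)
        return h

    def operator_lookup(self, h: str) -> List[List[str]]:
        """Step 2: the TB operator analyses the TB-DB by the attack packet's hash."""
        return self.tbdb.get(h, [])


def send(path: List[TBManager], src: str, dst: str, proto: int, payload: bytes) -> None:
    """Simulate one packet crossing the ASes in `path`; each hop's ingress probe caches it."""
    for prev, cur in zip(path, path[1:]):
        cur.ingress[prev.asn].observe(src, dst, proto, payload)


def demo() -> Dict[str, List[List[str]]]:
    a, b, c = TBManager("ISP(a)"), TBManager("ISP(b)"), TBManager("ISP(c)")
    a.peer(b)
    b.peer(c)
    # Constructed attack: a host in ISP(c) sends a SYN to a victim in ISP(a) while
    # spoofing a source address that belongs to ISP(a) itself.
    spoofed = ("10.0.0.7", "10.0.0.1", 6, b"SYN seq=1")
    send([c, b, a], *spoofed)
    # Constructed internal traffic: it never crosses an inter-AS link, so no probe caches it.
    internal = ("10.0.0.9", "10.0.0.1", 17, b"udp probe")
    send([a], *internal)
    return {
        "spoofed": a.operator_lookup(a.on_alert(*spoofed)),    # [['ISP(a)', 'ISP(b)', 'ISP(c)']]
        "internal": a.operator_lookup(a.on_alert(*internal)),  # [['ISP(a)']]
    }


if __name__ == "__main__":
    print(demo())
```

The spoofed source address plays no part in the answer: the path comes purely from which ingress probes hold the hash, which is what lets the system work "even when the source IP address of the target packet is spoofed". The internal case, where the trace stops at the victim AS, is the situation behind the "attacks derived from the inside of ShowNet" share reported for Test A.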

Page 5:

Toward the field test

• We have to consider
  – A small set of the traceback system in an actual network environment
  – The operational flow with the actual traceback system
• We tried to operate our traceback system in Interop Tokyo 2008

Page 6:

Interop Tokyo 2008

• One of the biggest exhibitions/conferences for network equipment / service vendors.
• The Network Operation Center (NOC) team builds an experimental advanced network called "ShowNet" as a backbone of the event.
• The experimental network was connected to several peering points (Internet Exchange Points) by more than 120 Gbps of links this year.
• Our IP Traceback system was served as a part of "ShowNet".

Page 7:

Purpose of our trial in Interop

• The preparations for the preliminary field test in 2008
  – Collect information necessary for a one-ISP environment in the field test
    • Data, problems, know-how to be collected with a long-time consecutive operation in one ISP
    • Set up actual machines in a one-ISP environment
    • Data, problems, know-how to be collected at the ISP field trial
    • Define any function to be added or corrected

Page 8:

Auditing ShowNet External Links

(Figure)
- Mirroring all external I/Fs
- Gathering mirrored traffic
- Regenerating mirrored traffic
- Manual TCPDUMP / Traceback / 10G / 1G IDS
- Sink hole routing

Page 9:

Rack Layout

(Figure: NICTER (Traffic Monitor developed by NICT); Traceback)

Page 10:

Zoom-In to the Traceback System

(Figure)
- HW-Probe
- snort on linux
- SW-Probe (myri 10G)
- SW-Probe (Chelsio 10G)
- All-In-One server
- Snort on 4 embedded linux boxes
- TB-Manager
- TB-DB

Page 11:

Test Items on Interop

• Test A
  – Setting up and operating the traceback system
• Test B
  – Collaborating with traffic monitor tools
• Test C
  – Visualizing trace log with random sampling based requests

Page 12:

Test A (Testing the field test set)

(Figure)
- TB-DB
- TB-Manager
- SW-Probe (Chelsio 10G-LR)
- SW-Probe (myri 10G-LR)
- HW-Probe (10G-LR)
- Upload Summary
- External Routers: Alaxala, Huawei, NEC, Foundry
- Snort
- SW-Probe (Chelsio 10G-LR): mirrored traffic from exhibitors' side
- Request / Search / Packet Signature

Page 13:

Result of Test A (cont.)

• The traceback system worked well in the conference and exhibition days
  – The alert signatures of snort contained well-known worm traffic, shell codes and DoS attack signatures
  – 669,810 alerts were received from 5 snorts on exhibitors' side during 5 days (from 8th June to 13th June)
  – 169,843 alerts (25.35 %) were judged as "found in external links"
    • The other 74.65 % of alerts were attacks derived from the inside of ShowNet

Page 14:

Test B (Tracing src spoofed packets)

(Figure: Pseudo Attacker on the internet; External Routers; Core Routers (Juniper / CISCO); Sink hole routed packets and mirrored external traffic delivered to the All-in-One Server; Request from the Traffic Monitor)

TCP SYN attack: the source address was 45.x.x.x (ShowNet's address)

Page 15:

Result of Test B

• Traffic Monitor (NICTER)
  – Judged that all pseudo attack packets came from the inside of ShowNet
    • Because the source address of the attack packets is included in the ShowNet address block
• Traceback
  – Judged that all pseudo attack packets came from the outside of ShowNet
    • Hash values of all pseudo attacks were cached in the SW/HW-probe
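The disagreement above, as an added example that is not NICTER's or the traceback project's code: the monitor classifies by source address block, which a spoofed source defeats, while the traceback classifies by whether an external-link probe cached the packet's hash. The address block (45.0.0.0/8 stands in for the slide's "45.x.x.x"), the timestamps, the packet and the cache window are all constructed; the window models the "store HASH data temporarily" step and shows that a late query reports "not found" rather than "inside".

```python
"""Address-based versus hash-based origin judgement (constructed example)."""
import hashlib
import ipaddress
from typing import Dict

# Constructed stand-in for ShowNet's address block; the slide only says 45.x.x.x.
SHOWNET = ipaddress.ip_network("45.0.0.0/8")


def packet_hash(src: str, dst: str, proto: int, payload: bytes) -> str:
    """Digest over hop-invariant fields only (no TTL, no IP checksum). Assumed scheme."""
    return hashlib.sha256(f"{src}|{dst}|{proto}|".encode() + payload).hexdigest()


class ExternalProbeCache:
    """Hashes seen on the mirrored external links. Entries are kept only for a
    window (the outline slide's temporary store); the window length is an
    assumption of this example, not a value from the slides."""

    def __init__(self, window_seconds: float) -> None:
        self.window = window_seconds
        self.seen: Dict[str, float] = {}

    def observe(self, h: str, now: float) -> None:
        self.seen[h] = now

    def contains(self, h: str, now: float) -> bool:
        t = self.seen.get(h)
        return t is not None and now - t <= self.window


def monitor_judgement(src: str) -> str:
    """The traffic monitor's rule: a source inside the ShowNet block is 'inside'.
    A spoofed source inside the block defeats this by construction."""
    return "inside" if ipaddress.ip_address(src) in SHOWNET else "outside"


def traceback_judgement(h: str, cache: ExternalProbeCache, now: float) -> str:
    """The traceback rule: if an external-link probe cached this hash, the packet
    physically entered from outside whatever its source field says. A miss only
    means the hash was not found in the window, so it is reported as such."""
    return "outside" if cache.contains(h, now) else "not found on external links"


def demo() -> Dict[str, str]:
    cache = ExternalProbeCache(window_seconds=600)
    # Constructed pseudo attack: TCP SYN from the Internet carrying a ShowNet source address.
    src, dst = "45.10.20.30", "45.10.0.1"
    h = packet_hash(src, dst, 6, b"SYN seq=42")
    cache.observe(h, now=100.0)  # the external probe saw the packet at t=100
    return {
        "monitor": monitor_judgement(src),                           # "inside"
        "traceback": traceback_judgement(h, cache, now=160.0),       # "outside"
        "traceback_late": traceback_judgement(h, cache, now=900.0),  # window expired
    }


if __name__ == "__main__":
    print(demo())
```

The last entry is the operational caveat that follows from step 0: the probe cache is temporary, so a traceback request has to reach the probes before the hash ages out, and an expired entry must not be read as evidence that the packet originated inside.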

Page 16:

Result of Test B (cont.)

(Screenshot: request from NICTER (pseudo attack packet); the packet hash was found in the external traffic)

Page 17:

Test C (Visualization of Traffic)

(Figure)
- Visualization
- All-in-One Server
- External Routers: Alaxala, Huawei, NEC, Foundry
- Summary
- Regeneration Tap (Net Optics)
- L2 Switch (CISCO)
- 10G tcpdump
- sampling

Page 18:

Visualization on Test C

Page 19:

Summary

• A trial of IP traceback system in Interop Tokyo 2008
  – Success !!!
• According to the result of Interop, we brush up our implementation and operational flow
  – Now, we are preparing the preliminary field test from this autumn in a Data Center environment

Page 20:

Future plans

• Domestic field tests
  – Preliminary field test with Japanese commercial ISPs will start from this autumn
  – The actual field test is planned from July to December, 2009
• International field tests
  – We are planning the international field test after the domestic field test (2010 - )
  – We are now looking for collaborators in research networks
  – If you are interested in our work, please mail to hiroa-ha at is.naist.jp

Page 21:

Thank you for your attention

http://iplab.naist.jp/research/traceback/

Page 22:

Any Questions ?

Page 23:

Appendix

Page 24:

Detail of Mirroring

(Figure)
- All-in-One Server
- External Routers: Alaxala, Huawei, NEC, Foundry
- Regeneration Tap (Net Optics)
- L2 Switch (CISCO)
- 10G tcpdump
- SW-probe x 3
- HW-probe

Page 25:

Experiments in Lab

• We had large scale experiments at NICT Hokuriku research center in 2007
  – With 200 physical servers
  – Mapping JP domain AS (eBGP) topology
  – Software traceback implementation ran on each AS
  – DDoS from 3 attack ASes to 1 AS
  – Tracing the AS path of attack packets from dest AS to src ASes

Page 26:

Hardware Spec.

• Test A
  – NEC Express 5800 110R
    • XEON 2G x 2, 8GB memory, 250GB SATA Disk, IPMI enabled, four 1000TX I/F
    • Used for TB-Manager, TB-DB, snort
    • Also used for one SW-Probe with one myri 10G-LR card
  – Procide AmazeBlast Eco120
    • Athlon 2G x 1, 8G memory, 200GB SATA Disk, two 1000TX I/F
    • Used for two SW-Probes with Chelsio 10G-LR card
  – OKI Electric HW-Probe box
    • One 10G-LR I/F and ten 1000T I/Fs, one 1000T I/F for control

Page 27:

Hardware Spec.

• Test B, C
  – Procide AmazeBlast Eco120
    • Athlon 2G x 1, 8G memory, 200GB SATA Disk, two 1000TX I/F
    • Two SW-Probes with Chelsio 10G-LR card
    • Used for All-In-One Server
  – MAC mini
    • Used for running a visualization tool

Page 28:

Software Spec.

• OS
  – Debian 4.0
• Software Traceback Implementations
  – C++
  – TB-Manager, SW-Probe
    • Developed by NAIST and Matsushita Electric Works
  – TB-DB
    • Developed by KDDI Lab.
  – HW friendly Packet Hash Algorithm Library
    • Developed by OKI Electric
  – Client Agent
    • Developed by NAIST
• Visualization Tool
  – C++ with QT4
  – Developed by NAIST