
On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack

INFOCOM 2001. Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings. IEEE

Presented by FanChiang C.W.

Advisor: Prof. Frank Y.S. Lin

112/04/21 OPLab, NTUIM

Agenda

Abstract
Introduction
Probabilistic Packet Marking and Traceback
DoS traceback minimax problem
DDoS traceback problem
Dynamic PPM scheme


Abstract

The optimal decision problem - the victim can choose the marking probability whereas the attacker can choose the spoofed marking value, source address, and attack volume - can be expressed as a constrained minimax optimization problem, where the victim chooses the marking probability such that the number of forgeable attack paths is minimized.


Introduction

Two contributions:

First, it shows the trade-off relation between victim and attacker, which is a function of marking probability, path length, and traffic volume.

Second, for a given attack volume, the uncertainty factor might be amplified by mounting a DDoS attack.


Probabilistic Packet Marking and Traceback

The network is given as a directed graph $G = (V, E)$, where V is the set of nodes and E is the set of edges.

The edges denote physical links between elements in V. Let $S \subset V$ denote the set of attackers and let $t \in V \setminus S$ denote the victim. $|S| = 1$ (DoS)


We assume that routes are fixed¹, and the attack path A is represented as

¹ On the IP Internet, the majority of TCP sessions do not experience route changes during their connection lifetime. Generalization of PPM under dynamic routing (the routing process must be specified) is a problem for future work.

[Figure: network diagram with nodes A to G, shown over three slides. Legend: attack packets; attack packets marked by a router; packets marked by a router; packet marked by attacker.]

A packet x is assumed to have a marking field where the identity of an edge $(v, v') \in E$ traversed can be inscribed.

A packet travels on the attack path A sequentially. At a hop $v_i \in \{v_1, \ldots, v_d\}$, packet x is marked with the edge value $(v_{i-1}, v_i)$, $i = 1, 2, \ldots, d$, with probability p ($0 \le p \le 1$), where $v_0 = s$. This is probabilistic marking.

[Figure: the network diagram with nodes A to G and the same legend, shown over two further slides.]

Path Sampling

$\alpha_i(p) = p(1-p)^{d-i}$ (1)

$\alpha_0(p) = (1-p)^d$ (the attacker can hide his identity or fool the defender) (2)

When N packets are transmitted, the expected number of packets reaching target t marked by $r_i$ is $n_i(p) = N\alpha_i(p)$. Note that

$\alpha_1(p) \le \alpha_2(p) \le \cdots \le \alpha_d(p)$


To receive a marked packet from $v_1$ requires $N \ge 1/\alpha_1(p)$.

Because N is under the attacker's control, from a purely sampling viewpoint, edge $(s, v_1)$ is the weakest link.

[Figure: the network diagram with nodes A to G and the same legend, shown over three further slides; the last slide is annotated "???".]

which has the solution $p \le 1/2$. In general, we may consider

$p \le 1 - 2^{-1/d}$; for $d = 10$, $p \le 0.067$


The optimal selection of N, d, and x0 by the attacker, and correspondingly optimal selection of p by the victim to achieve their individual, conflicting objectives lies at the heart of the probabilistic PPM approach to source identification.


Traceback Problem

The spoofed marking variable $x_0$ can be fixed by the following theoretic argument. Let $n^s_i(p)$ be the number of spoofed packets arriving at t marked by $(u_i, v_1)$, with $n_0(p) = \sum_{i=1}^{m} n^s_i(p)$. If it holds that

then all m+1 paths are equally likely, yielding the same outcome in terms of collected marking values at t.


We call m (a function of p and the spoofing variable $x_0$) the uncertainty factor with respect to marking probability p.

The larger m is, the greater the processing cost incurred by the victim to trace back the attack source.


Thus, the objective of the attacker is to maximize m, whereas the objective of the victim is to minimize m


The formulation in (III.5) does not incorporate the attack volume N and thus unduly favors the victim.

A sampling constraint is added by requiring

$N\alpha_1(p) = N p(1-p)^{d-1} \ge 1$ (III.6)


Thus the refined minimax optimization reflecting the victim’s sampling constraint is given by

$N\alpha_1(p) = N p(1-p)^{d-1} \ge 1$: as a function of p, $N\alpha_1(p)$ has a unimodal (or bell) shape with peak at $p = 1/d$.


ANALYSIS OF SINGLE-SOURCE DOS ATTACK

IV.1 can be derandomized, that is, replaced by a deterministic procedure that emulates uniform generation.

$n_0(p) = \sum_{i=1}^{m} n^s_i(p)$.


Given p (determined by the victim), the attacker can achieve m = 1/p - 1


With constraint III.6 we can define

and it can be checked that when $d \ge 2$, L is convex in p


It can be viewed as minimization problems of the objective function $1/p - 1$ over $L_N$ for $N = N_0, N_0 + 1, \ldots$

The next result gives a performance bound on the attacker’s ability to hide his identity under PPM.


Theorem 2 shows that the maximum achievable uncertainty factor cannot exceed d-1, the distance between the attacker and victim.

On the Internet, most path lengths are bounded by 25 [29].

[29] Wolfgang Theilmann and Kurt Rothermel, “Dynamic distance maps of the Internet,” in Proc. of IEEE INFOCOM 2000, Mar. 2000.


d = 10, N = 26

Thus the attacker, by judiciously choosing the attack volume, can maximally hide his identity given by d-1.


Approximation of Uncertainty Factor

$Np(1-p)^{d-1} \ge 1$

The equation $Np(1-p)^{d-1} = 1$ is transformed to the polynomial $x^n - x^{n-1} + c$ by substitution of p, N, d with $1-x$, $1/c$, n, respectively.

We divide $Np(1-p)^{d-1} = 1$ by N and represent p as $1-x$ ($0 \le x \le 1$); thus, it becomes


Assuming $N \gg 1$, thus $1/N \approx 0$.

First consider $x^{d-1}$ close to 1: the left-hand side becomes $(1-1/N)^{d-1} \to 1$ as $N \to \infty$.

Next, when $(1-1/N)^{d-1} \to 0$, the approximate solution is $x = (1/N)^{1/(d-1)}$.


Thus x is approximately $1 - 1/N$ or $(1/N)^{1/(d-1)}$. Therefore,


The maximum uncertainty value m of the min-max optimization problem is given by

For $N = 10^5$, $d = 25$, m is 1.6247; for $N = 10^7$, $d = 25$, m is 1.0446.


Marking Probability


d ∝ 1/p

m ∝ 1/p

Given N, as distance d ↓, the expected number of spoofed packets, $N_s$ ↑, at any given value of p.

When the source of an attack is far from the victim, the attacker becomes more potent at impeding traceback


Attack Distance


Since the distance between an attacker and victim is bounded on the Internet, an attacker has limited ability to hide his location when subject to probabilistic packet marking.


Attack Volume

To satisfy the sampling constraint, N needs to be at least $d^d/(d-1)^{d-1}$.

As N increases, the victim can reduce the number of forgeable paths to less than $d-1$.


V. DDoS Attack


Following the uncertainty optimization framework, given a desired attack volume N, an amplification factor of M can be trivially achieved by mounting N/M-volume attacks from M separate attack sites.


m*(∙) is a function depicting the optimum (i.e., minimax) uncertainty factor for the traffic volume given in the argument.

DDoS Attack Model - Classification

All-source traceback: we assume the attacker is able to mount stateless intrusions when gathering attack hosts, and thus his objective is to maximize total uncertainty (vs. individual uncertainty in the any-source traceback case), since quick traceback of individual attack hosts does not present a danger with respect to revealing traceback information.


The attacker’s objective is to maximize the number of forged paths that the victim has to process.

The victim’s goal is to isolate or shut down traffic flow emanating from compromised hosts.

DDoS Attack Model - Traceback Analysis

Given M distinct sources, each source $s_i$ sends $N_i$ packets to victim v at distance $d_i$, for $1 \le i \le M$.

An attack path is represented by $A_i = (s_i, v_{i,1}, v_{i,2}, \ldots, v_{i,d}, t)$. Without loss of generality, assume $d_i \le d_j$ for $i < j$.


Thus the expected number of spoofed packets from $s_i$ is

for $1 \le i \le M$

The expected number of packets marked by $v_{i,1}$ is


Numerical Evaluation of Traceback

Let $N_i = N/M$ and $d_i = d$ for $1 \le i \le M$, which facilitates comparability. Let $m^*(N_i)$ be the uncertainty factor achievable by $N_i$.

$m^*(N/M)/m^*(N)$ represents the expansion rate of the uncertainty factor with respect to the distribution factor M.
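Added example (not from the slides or the paper's authors): a Python sketch of the single-source minimax under constraint (III.6) and of the expansion rate $m^*(N/M)/m^*(N)$, solving for the victim's largest feasible p by bisection. Function names are my own; `m_approx` is assembled here from the slides' $x = (1/N)^{1/(d-1)}$, $p = 1 - x$ and $m = 1/p - 1$, and agrees with the quoted 1.6247 and 1.0446 to within 0.001.

```python
import math

def sampled(N, p, d):
    """Expected packets at t still carrying the mark of edge (s, v1): N*alpha_1(p)."""
    return N * p * (1.0 - p) ** (d - 1)

def min_volume(d):
    """Smallest N for which constraint (III.6) is feasible; reached at the peak p = 1/d."""
    return d ** d / (d - 1) ** (d - 1)

def m_star(N, d, iters=100):
    """Minimax uncertainty factor for attack volume N and path length d (d >= 2).

    The victim minimises 1/p - 1, so it takes the largest p that still
    satisfies N*p*(1-p)^(d-1) >= 1. N*alpha_1 falls monotonically on
    [1/d, 1], so bisection finds that root. Returns None when even
    p = 1/d cannot satisfy the constraint (edge (s, v1) is never sampled).
    """
    lo, hi = 1.0 / d, 1.0
    if sampled(N, lo, d) < 1.0:
        return None
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if sampled(N, mid, d) >= 1.0:
            lo = mid
        else:
            hi = mid
    return 1.0 / lo - 1.0

def m_approx(N, d):
    """Large-N approximation from the slides: x = (1/N)^(1/(d-1)), p = 1 - x."""
    x = (1.0 / N) ** (1.0 / (d - 1))
    return 1.0 / (1.0 - x) - 1.0

def expansion_rate(N, M, d):
    """m*(N/M) / m*(N) for M equal-volume sources, all at distance d."""
    split, single = m_star(N / M, d), m_star(N, d)
    if split is None or single is None:
        return None
    return split / single

if __name__ == "__main__":
    d = 25  # constructed sample parameters, matching the slides' d = 25 case
    print("minimum N for d = 10:", math.ceil(min_volume(10)))
    for N in (1e5, 1e7):
        print(f"N={N:.0e} approx m={m_approx(N, d):.4f} exact m*={m_star(N, d):.4f}")
    for M in (1, 10, 100, 2000):
        print(f"M={M}: expansion rate = {expansion_rate(1e5, M, d)}")
```

The exact root gives a larger $m^*$ than the approximation, because the approximation drops the factor p from the constraint and so overstates the p the victim can afford.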


Conclusion

PPM has the advantages of efficiency and implementability over DPM; however, it has the potential drawback that an attacker may impede traceback by sending packets with spoofed marking field values as well as spoofed source IP addresses.


While it is always possible for an attacker to impede exact traceback by the victim, the attacker’s ability to affect uncertainty is limited in internetworks with bounded diameters


Taking the length d of the OD pair into account, the next paper, on the Dynamic PPM scheme, is briefly introduced.


Efficient Dynamic Probabilistic packet marking for IP traceback

Networks, 2003. ICON2003. The 11th IEEE International Conference on


Agenda

Introduction
Preliminaries
Dynamic Probabilistic Packet Marking
Performance Analysis
Concluding remarks


Introduction

It has been shown that PPM suffers from uncertainty under attack with spoofed packets.

During DDoS attack, the uncertainty factor might be amplified significantly, which may diminish the effectiveness of PPM


To improve the effectiveness of PPM, this paper proposes a new scheme, DPPM.

Instead of a fixed marking probability, DPPM chooses the marking probability as an inverse function of the length of an OD pair, using the TTL field.

Preliminaries – Issues in Choosing Probability

Let $p_i$ represent the marking probability of router $r_i$. Define the leftover probability for router $r_i$, denoted by $a_i$:

$a_i = p_i \prod_{j=i+1}^{D} (1 - p_j)$ (1)

Because p is fixed in PPM,

$a_i = p(1-p)^{d-i}$ (2)

Therefore, the leftover probability is geometrically smaller the closer the router is to the attacker.


Let N denote the total number of attacking packets (attack volume) from an attacker to a victim.


DPPM

To have a uniform leftover probability for all routers.

To remove completely the uncertainty factor introduced by spoofed packets, if every packet gets a legitimate marking along the path.


Eq. 3 shows that each router along the attack path has the same probability to leave its information in the marking field.

In other words, the victim has an equal probability to obtain each router's information along the path despite their distance from the victim.


Challenge on spoofed TTL value


An attacker may use TTL = 129, and then DPPM would choose p as 1/126 (= 255 - 129). The attacker can then get away without any trace.
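Added example (not from the slides or the DPPM paper): exact leftover probabilities from eq. (1) for fixed-p PPM and for a distance-based marking rule, together with the fraction of packets that reach the victim with no router mark at all. The rule "mark with probability 1/h at inferred hop distance h" and the parameter name `first_distance` are assumptions taken from the slide's 1/126 (= 255 - 129) case.

```python
from fractions import Fraction
from math import prod

def leftover(probs):
    """Eq. (1): a_i = p_i * prod_{j>i} (1 - p_j); probs[0] is r_1, the router next to the source."""
    return [p * prod((1 - q for q in probs[i + 1:]), start=Fraction(1))
            for i, p in enumerate(probs)]

def unmarked(probs):
    """Probability that no router on the path overwrites the marking field."""
    return prod((1 - p for p in probs), start=Fraction(1))

def ppm_probs(p, d):
    """Fixed-probability PPM: each of the d routers marks with the same p."""
    return [Fraction(p)] * d

def dppm_probs(d, first_distance=1):
    """Assumed DPPM rule: a router that infers hop distance h from the TTL marks with 1/h.

    first_distance is the distance the first router infers: 1 when the TTL
    is unmodified, 126 in the slide's TTL = 129 case (255 - 129). Each later
    router sees the TTL decremented once more, so h grows by one per hop.
    """
    return [Fraction(1, first_distance + k) for k in range(d)]

if __name__ == "__main__":
    d = 10  # constructed path length
    cases = {
        "PPM, p = 1/10": ppm_probs(Fraction(1, 10), d),
        "DPPM, honest TTL": dppm_probs(d),
        "DPPM, first router infers 126": dppm_probs(d, first_distance=126),
    }
    for name, probs in cases.items():
        a = leftover(probs)
        print(f"{name}: a_1 = {float(a[0]):.4f}, a_d = {float(a[-1]):.4f}, "
              f"unmarked = {float(unmarked(probs)):.4f}")
```

With an honest TTL every router has leftover probability 1/d and no packet arrives unmarked; with the inferred distance starting at 126, 25/27 of the packets on a 10-hop path keep whatever the sender wrote in the marking field, which is why the inferred distance needs validation before it drives p.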


Summary

Path length $d_i$, marking probability p, spoofing packet rate $p_s$, attack volume N, spoofed packets $N_s$, uncertainty factor m.

$d_i$ ↑, $m_i^{MAX}$ ↑; $p_s$ ↑, m ↑; p ↑, m ↓; N ↓, m ↑


The PPM referenced in this paper is a framework: as long as every router on a path marks at least one packet, the attack path can be reconstructed.

A PPM scheme suited to DDoS was proposed in IEEE/ACM Transactions on Networking, vol. 16, Feb. 2008.


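To improve the security of PPM, this paper proposes message fragmentation: the marking information is split into several fragments, and each time a router marks a packet it randomly injects only one fragment. The victim therefore needs to collect more packets before it can reassemble the fragments into traceback information, reconstruct the attack path, find the most suitable router, and turn on the filter.

Under different PPM architectures, the parameters of m = 1/p - 1 may need fine-tuning.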


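Attacker
Increase the number of attack paths the defender has to process.
Spoof the marking field to mislead the defender about the attack source.
Consume defensive resources.

Defender
After collecting enough path information, find the most suitable router and turn on its filter; if some path has no filter that can filter the attack packets, use a routing strategy to steer the attack packets to the nearest filter for filtering.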


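Item | 政祐 (senior labmate) | My Work
PPM scheme and false positive rate | X | O
Spoofed packets may amplify the error rate and may increase the victim’s processing cost | X | O
Rerouting | O | O
Filter allocation | Uses LR, the subgradient method and heuristics to find the optimal filter placement that minimizes collateral damage | Uses PPM traceback while also considering the false positive rate, the attack characteristics (N, d, topology) and spoofed information; the filter locations are given, and LR is used to find the optimal ON-configuration strategy that minimizes collateral damage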


Thanks for your listening