Review of Single-Packet IP Traceback - users.cs.jmu.edu TraceBack/Use of Bloo… · Graphic...
TDC690
Single-Packet IP Traceback
Authors: Alex Snoeren, Craig Partridge, Luis Sanchez, Christine Jones, Fabrice Tchakountio, Beverly Schwartz, Stephen Kent, W. Timothy Strayer
IEEE/ACM Transactions on Networking, Vol 10, No 6, December 2002
Graphic References: Jessica Kornblum, DSL Seminar 2001
Reviewer: J. Elarde
Agenda
• Introduction
• IP Traceback
• Related Work
• Packet Digesting
• Source Path Isolation
• Practical Implementation
• Analysis and Discussion
• Summary/Critique
Introduction
Problem
• Today’s Internet is extremely vulnerable to hackers.
  – DDOS and single-packet (Teardrop) attacks.
• The IP protocol design does not support reliable identification of the originator.
  – Beyond deliberate attempts, widespread packet forwarding techniques such as NAT and encapsulation can also obscure the origin.
• No system to date can track a single packet in an efficient and scalable fashion.
Authors' Contributions
• The authors present a hash-based Source Path Isolation Engine (SPIE) to enable IP traceback:
  – Generates audit trails for traffic within the network.
  – Can trace the origin of a single packet delivered by the network in the recent past.
  – Analytical and simulation results presented.
IP Traceback
IP Traceback - Assumptions
• Packet may be addressed to more than one host
• Duplicate packets can exist
• Router may be subverted but not often
• Attackers are aware of the monitoring
• Routing behavior may be unstable
• Packet size should increase as the result of tracing
• End hosts may be resource constrained
• Traceback is infrequent
IP Traceback - Goals
• Identify source of any piece of data delivered by the network.
  – Construct an “Attack Path”.
• Possible origins:
  – The ingress point to the traceback-enabled network
  – Actual host
  – One or more compromised routers
• Privacy must not be compromised.
• Robustness: Limit the false positives, and no false negatives.
IP Traceback and Transformations
• Packets may be modified (transformed) as part of the normal forwarding process.
• Examples:
  – TTL decrementing
  – Encapsulation
  – Router processing: ICMP Echo, IP Multicast, Fragmentation, IP option processing
  – Network Address Translation, IPsec tunneling.
• CAIDA study: < 3% of wide-area traffic undergoes transformation.
Related Work
Approaches to Traceback
• Audit the flow as it traverses the network.
  – End-Host Storage auditing techniques
  – Infrastructure Approaches
  – Specialized routing
• Infer route based upon its impact on the state of the network.
• As the size of the flow decreases, difficulty increases.
Auditing Techniques
• End-Host Storage:
  – Distribute burden of storing state information and performing computations at end-hosts.
  – Savage et al. and Bellovin explore in-band and out-of-band signaling respectively to accomplish this.
    • Not every packet is traced, only a subset of the flow.
    • Auditing routers provide information to the end-host to reconstruct the route.
    • Savage et al. use a packet marking scheme to encode and communicate information to the end-host.
    • Bellovin sends audit information via ICMP to the end-host.
End-Host Storage
[Figure: the flow passes through Router 1, Router 2 and Router 3 to the End-Host; the extract and traceback process occurs at the end-host.]
Infrastructure Approaches
• Logging Method: Log packets at points throughout the network and use extraction techniques to reconstruct route. (Sager)
  – Problem: log size and storage – OC-192, 60 seconds, 16 links = 1.2TB
• Sampling reduces effectiveness, and a privacy problem exists.
Infrastructure Logging
[Figure: the flow passes through Router 1, Router 2 and Router 3, each with logging; an Analysis Engine runs the extract and traceback process.]
Specialized Routing
• The logging method traceback extraction is expensive and repetitious across each hop.
• Techniques have been developed to streamline and automate the process.
  – ISPs have developed ad hoc methods of conducting input debugging across their networks.
  – (Schnackenberg et al.) propose a generalized Intruder Detection and Isolation Protocol (IDIP) to facilitate interactions among routers during traceback.
  – (Stone) suggests constructing an overlay network so all routers do not need to support logging.
Packet Digesting
Packet Digesting
• SPIE implements an auditing technique while reducing storage requirements significantly.
• Auditing is accomplished by computing and storing a packet digest.
• Privacy is maintained.
Digest Input
[Figure: IP packet layout showing Version, Header Len, Type of Service, Total Length, Identification, Fragmentation Offset, TTL, Protocol, Checksum, Source Address, Destination Address, Options, and Payload (first 8 bytes); legend: Masked out.]
Digest Input
• 20 Bytes header with 4 bytes masked and 8 bytes of payload are sufficient to identify duplicates.
• Collision Rates
  – LAN .139%
  – WAN .00092%
• Most collisions are ICMP or packets with IP Identification field set to zero.
• Higher collision rate on LAN is due to the lack of address diversity.
Collisions Vs. Digest Input
[Figure: fraction of collided packets (log scale, 1e-06 to 1) vs. prefix length in bytes (20 to 40); series: WAN (6031 hp), LAN (2879 hp).]
Bloom Filters
• To reduce storage requirements further, Bloom filters are used to store the data.
• A Bloom filter computes k distinct packet digests for each packet using a hash function.
• It then uses the n-bit results to index into a 2^n-bit array.
• If any bit is zero then the packet is not stored in the table.
• If all ones, it is likely the packet was stored.
Bloom Filters: k Hash Functions
[Figure: hash functions H1(p) through H5(p) each produce an n-bit index into an array of 2^n bits and set the indexed bit to 1.]
Hashing Requirements
• Each hash function
  – Uniform distribution of input -> output
  – H1(x) = H1(y) for some x,y -> unlikely
• Use k independent hash functions
  – Collisions among k functions independent
  – H1(x) = H2(y) for some x,y -> unlikely
• Compute at high speed. Digests must be archived and cleared at interval t.
Source Path Isolation Engine
SPIE Process
• SPIE routers maintain a cache of packet digests for recently forwarded packets.
• If a packet is determined to be offensive, a query is dispatched to the SPIE.
• The SPIE queries routers for packet digests of relevant time periods.
• The results are used to build an attack graph.
SPIE Architecture
• Data Generator Agent (DGA)
  – Stores digests in a time stamped table
  – Periodically pages out portions of the table.
  – Integrated into router or outboard box monitoring router output.
• SPIE Collection and Reduction Agents (SCARs)
  – SCARs monitor a region of the network
  – Produce an attack graph periodically.
• SPIE Traceback Manager
  – Controls process and is linked to Intrusion detection system
  – Dispatches request to SCARs
  – Collects results and assembles complete attack graph.
SPIE Architecture
[Figure: two regions of Router/DGA nodes, each served by a SCAR; both SCARs connect to the STM, which connects to the Intrusion Detection System.]
[Figure: traceback sequence among the IDS, STM, SCARs and DGA/Routers]
1: IDS identifies attack packet
2: Sends Packet, Time, Last Hop
3: Authenticates and verifies IDS request
4: Provisions SCARs to collect local DGA digests
5: Collect digest tables, time intervals, hash functions
6: Identify routers with packet’s digest and construct graph
7: Collect SCAR local graphs
8: Assemble local graphs, query for missing info
9: Send attack graph to IDS
Source: Jessica Kornblum
Handling Transformations
• The SPIE must handle fragmentation, Network address translation, ICMP, IP Tunneling.
• A Transformation Lookup Table (TLT) is maintained to reconstruct the original packet.
• The TLT consists of the transformed digest, type flags, and the changed packet data.
• NAT and tunneling handled by a standard rule set due to volume.
Practical Implementation
SPIE Prototype
• The authors constructed a PC-based SPIE prototype and used MD5 for the hash functions.
• The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input.
  – It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given pre-specified target message digest.
• The 128-bit result is separated into 4 independent digests for the Bloom filters.
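The digest input, Bloom-filter digest table and traceback query from the Packet Digesting, Bloom Filters, SPIE Process and SPIE Prototype slides, as an added Python example (not code from the paper or from the SPIE prototype). The choice of masked bytes (ToS, TTL, header checksum), the six-router topology, the packets and all function names are assumptions of this example; time-interval paging and the Transformation Lookup Table are left out.

```python
import hashlib
import struct

def make_packet(src, dst, ident, ttl=64, payload=b"constructed payload"):
    """Constructed IPv4/UDP-style packet: 20-byte header, no options."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       0, ttl, 17, 0, bytes(src), bytes(dst)) + payload

def digest_input(packet):
    """20-byte header with 4 bytes zeroed, plus the first 8 payload bytes."""
    ihl = (packet[0] & 0x0F) * 4          # header length; options are skipped
    header = bytearray(packet[:20])
    header[1] = 0                         # Type of Service (assumed masked)
    header[8] = 0                         # TTL (assumed masked)
    header[10:12] = b"\x00\x00"           # header checksum (assumed masked)
    return bytes(header) + packet[ihl:ihl + 8]

class DigestTable:
    """Bloom filter of 2**n_bits bits; k = 4 indexes cut from one MD5."""
    def __init__(self, n_bits=16):
        self.n_bits = n_bits
        self.bits = bytearray(2 ** n_bits // 8)

    def _indexes(self, packet):
        words = struct.unpack(">4I", hashlib.md5(digest_input(packet)).digest())
        return [w >> (32 - self.n_bits) for w in words]   # keep n bits of each

    def record(self, packet):
        for i in self._indexes(packet):
            self.bits[i >> 3] |= 1 << (i & 7)

    def maybe_seen(self, packet):
        # Any zero bit: definitely not stored. All ones: probably stored.
        return all(self.bits[i >> 3] & (1 << (i & 7))
                   for i in self._indexes(packet))

def forward(packet, path, tables):
    """Record the packet at every router on path; TTL drops by one per hop."""
    pkt = bytearray(packet)
    for router in path:
        tables[router].record(bytes(pkt))
        pkt[8] -= 1
    return bytes(pkt)                     # the packet as the victim receives it

def traceback(packet, last_hop, neighbors, tables):
    """Query tables outward from last_hop; return routers that saw the digest."""
    graph, seen, frontier = [], {last_hop}, [last_hop]
    while frontier:
        router = frontier.pop()
        if tables[router].maybe_seen(packet):
            graph.append(router)
            for nb in neighbors[router]:
                if nb not in seen:
                    seen.add(nb)
                    frontier.append(nb)
    return sorted(graph)

# Constructed topology: the victim sits behind R1.
NEIGHBORS = {"R1": ["R2"], "R2": ["R1", "R3", "R4"], "R3": ["R2", "R5"],
             "R4": ["R2", "R6"], "R5": ["R3"], "R6": ["R4"]}

def run_example():
    tables = {r: DigestTable() for r in NEIGHBORS}
    for ident in range(50):               # background traffic via R6-R4-R2-R1
        forward(make_packet((10, 0, 6, 1), (10, 0, 1, 9), ident),
                ["R6", "R4", "R2", "R1"], tables)
    attack = make_packet((192, 0, 2, 7), (10, 0, 1, 9), 0x1234)
    delivered = forward(attack, ["R5", "R3", "R2", "R1"], tables)
    return traceback(delivered, "R1", NEIGHBORS, tables)

if __name__ == "__main__":
    print(run_example())                  # routers on the reconstructed path
```

The query succeeds even though the delivered packet's TTL differs from the value each router saw, because the TTL is masked before hashing; R4 carried only background traffic and is pruned from the graph.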
Analysis and Discussion
Analysis
• Effectiveness is dependent upon:
  – Length of time the digest is retained.
  – The accuracy of the attack graph - fewer false positives.
• Both can be controlled by adjusting the amount of memory.
• Authors use an analytical model to estimate the false positive upper bound to be 5 nodes in 35, expected to be substantially less in practice.
• Simulation study performed to research probability of false-positive reporting nodes.
Simulation Configuration
• Ran a simulation using an ISP's (70 node T1-OC3) actual network topology and sampled link utilization.
• Simulated attack by randomly selecting a source and victim and generating 1000 packets.
• Each simulation result represents the average of 5000 runs.
• Three simulations conducted to validate computed analytical upper bound.
False Positive Rate Attack Graph
• False Positive rate can be reflected by the number of false nodes in the attack graph generated.
  P1 = n*p / (1-p)
• Parameters:
  n: total number of nodes in the true attack graph
  p: 1/8, an arbitrary tuning parameter
  d: average number of a router’s neighbors
  P: = p/d, false positive rate of a single digest table (p = P*d)
Analytical Model False Positive Upper Bound Prediction
P1 = n*p/(1-p), p = .125

n    P1
1    0.14
2    0.29
3    0.43
4    0.57
5    0.71
6    0.86
7    1.00
8    1.14
9    1.29
10   1.43
11   1.57
12   1.71
13   1.86
14   2.00
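An added simulation (not from the paper or the slides) that checks the bound P1 = n*p/(1-p) against a simple branching model of the traceback query. Assumed here: every router in the graph, true or false, queries d neighbours, each answering falsely with probability P = p/d; d = 4, the seed and the function names are constructed for the example.

```python
import random

def false_nodes_one_trace(n, p, d, rng):
    """False-positive routers added to one attack graph of n true routers.

    Assumed model: each router already in the graph queries d neighbours,
    and each neighbour's digest table wrongly answers "seen" with
    probability P = p/d. A false router is then queried onward like a
    true one, so false positives can chain.
    """
    P = p / d
    frontier, false_nodes = n, 0
    while frontier:
        # One Bernoulli(P) draw per neighbour queried in this round.
        new = sum(1 for _ in range(frontier * d) if rng.random() < P)
        false_nodes += new
        frontier = new                    # only new false routers expand further
    return false_nodes

def mean_false_nodes(n, p, d, trials=5000, seed=1):
    """Average number of false routers over many simulated tracebacks."""
    rng = random.Random(seed)
    total = sum(false_nodes_one_trace(n, p, d, rng) for _ in range(trials))
    return total / trials

def analytic_bound(n, p):
    """P1 = n*p/(1-p): n true routers, each starting a chain p + p^2 + ..."""
    return n * p / (1 - p)

if __name__ == "__main__":
    n, p, d = 35, 1 / 8, 4
    print("analytic :", analytic_bound(n, p))
    print("simulated:", round(mean_false_nodes(n, p, d), 2))
```

Each router contributes p expected false neighbours, each of which contributes p more, giving the geometric series p/(1-p) per true router; for n = 35 this is the "5 nodes in 35" figure quoted in the Analysis slide.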
Simulation Results
[Figure: expected number of false positives (0 to 1) vs. length of attack path in hops (0 to 30); series labels: Analytical; Random Graph; Real ISP, 100% Utilization; Degree-Independent; Actual Utilization; Real ISP, Actual Utilization.]
False Positive Rate of a Single Digest Table
• False Positive Rate
  $P = [1-(1-1/m)^{kn}]^k \approx (1-e^{-kn/m})^k$
• Parameters
  m: size of Bloom filter in bits
  k: number of hash functions
  n: number of packets the table serves
For example, when m=5n, k=3, P=0.092; when m=12n, k=8, P=0.00314
Memory Analysis
• Bloom filters require 0.5% of bandwidth.
  – 4 OC-3s require 23MB per minute
  – 32 OC-192 12GB per minute
• Access time important
  – DRAM can support 20Mpkts/sec
  – SRAM needed for OC-192
Summary/Critique
Summary
• Hash-based traceback is a viable alternative
  – Router memory and early detection of suspect packets are keys to effectiveness.
• References
  http://www.ir.bbn.com/projects/SPIE
Issues Summary
• Deployment
  – The SPIE’s usefulness increases with deployment.
• Vulnerabilities
  – DDOS may slow SPIE processing time
  – Flow Amplification – duplicate packets
  – Information Leakage – passing information from IDS to SPIE.
• Transformations
  – Problematic and possible attack candidate
Critique
• Generally easy to read and well structured paper.
• Simulation discussion could be improved.
• Complex implementation.
• More discussion and a comparative analysis of the alternatives would be useful. For example, packet encoding/tagging would eliminate the storage problem, but increase network bandwidth.