
A DoS-Resistant IP Traceback Approach

Bao-Tung Wang, Henning Schulzrinne, IRT, Columbia University, Friday, September 12, 2003

Overview
- Definitions
- ICMP Caddie Messages
- IP Traceback Using Caddie Messages
- Evaluations
- Conclusion

Introduction
- DoS (Denial-of-Service)
- DDoS (Distributed DoS) Attacks: Direct DDoS, Reflective DDoS
- IP Traceback

[Figures: Simple DoS Attack (Attacker -> Victim); Direct DDoS Attack (Attacker -> Masters (Handlers) -> Slaves (Daemons) -> Victim); Reflective DDoS Attack (Attacker -> Masters (Handlers) -> Slaves (Daemons) -> Reflectors -> Victim)]

Proposed Solutions

DoS Attacks
- Targets: Network Connectivity, Network Bandwidth, Network Infrastructure
- Attacks: TCP SYN Flooding, Packet Flooding, Counterfeit Routing Advertisement, Packet Dropping

Solutions
- System Tuning
- Network Protocol Improvement
- IP Traceback
- Packet Filtering

Problems of Existing Solutions

Category                    | Example          | Bandwidth Overhead | Storage Overhead | Computation Overhead
----------------------------|------------------|--------------------|------------------|---------------------
Link Testing                | Router Inference | Very High          | Low/Low          | Low/Low
Logging                     | SPIE             | Fair               | Very High/Low    | Fair/Low
Overlaying                  | CenterTrack      | High               | Low/Low          | Low/Low
In-Band Marking             | PPM              | None               | None/Very High   | Low/Very High
In-Band Marking             | AAM              | None               | Low/High         | Low/High
Out-of-Band ICMP Messaging  | iTrace           | High               | None/High        | Low/Very High
Out-of-Band ICMP Messaging  | ID-iTrace        | High               | High/Fair        | Low/High
Out-of-Band ICMP Messaging  | iCaddie          | Fair               | Low/Low          | Low/Fair

(A/B indicates the overhead in the network is A and that at the destination is B)

ICMP Caddie Messages

Definitions
- Ball Packets
- Caddie Messages
- Caddie Initiators
- Caddie Propagators

[Figure: Traffic Sources -> Routers -> Caddie Initiator -> Routers and Caddie Propagators -> Attack Victim/Tracer. Ball packets travel along the path and the corresponding Caddie messages follow them.]

Caddie Message Generation

[Figure: Caddie Initiator architecture between an input port (input queue) and an output port (output queue). Components: Caddie Selector, Caddie Timer, Caddie Keymaker, Caddie Generator. Legend: B - the ball packet, C - the Caddie message, P - regular packets.]

1. Trigger ball packet selection
2. Select a ball packet
3. Extract the ball packet
4. Update the Caddie timer
5. Copy the ball packet header
6. Trigger Caddie generation
7. Generate a session key (optional)
8. Inject the Caddie message at the front of the output port

Caddie Message Propagation

[Figure: Caddie Propagator architecture between an input port (input queue) and an output port (output queue). Components: Caddie Timer, Caddie Keymaker, Caddie Propagator. Legend: B - the ball packet, C - the Caddie message, P - regular packets.]

1. Receive an ICMP Caddie message on an input port
2. Update the Caddie timer
3. Generate a session key (optional)
4. Update the Caddie message and inject it into an output port

A Caddie Message

- ICMP message header: TYPE, CODE, CHECKSUM
- Caddie message header: DIGEST, SOURCE, DESTINATION, SECURITY, TIMESTAMP
- ROUTER LIST, one element per router, each element carrying ROUTER ID, PREVIOUS ROUTER ID, NEXT HOP ROUTER ID, TTL, TIMESTAMP, HMAC:
  - First element of the ROUTER LIST (written by the Caddie Initiator)
  - Successive ROUTER LIST elements (written by the Caddie Propagators)

Time-Release Key Chain (TRKC)

- Key Generation
- HMAC Calculation
- Caddie Message Authentication

[Figure: session keys K_{t-1}, K_t, K_{t+1}, K_{t+2} assigned to successive time slots along the time axis, with MD5(K_{t-1}, IP), MD5(K_t, IP), MD5(K_{t+1}, IP), MD5(K_{t+2}, IP) derived per slot; Caddie messages C1 ... C9 are spread over the time axis. C_i: Caddie messages; K_t: session keys.]
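As an added illustration (not code from the slides or from the iCaddie project), the following Python simulates a Caddie Initiator and two Caddie Propagators filling the ROUTER LIST of one Caddie message, and the tracer verifying the list after the session keys have been released. The field names follow the message format above; the HMAC-MD5 construction, the reading of MD5(K_t, IP) as a per-router session key, which fields the HMAC covers, the router addresses and the ball packet header are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample: per-slot chain key K_t of each router; the tracer learns it only after the slot expires.
CHAIN_KEYS = {"10.0.0.1": b"k-initiator", "10.0.0.2": b"k-prop-a", "10.0.0.3": b"k-prop-b"}
BALL_HEADER = bytes.fromhex("4500003c1c4640004006b1e6c0000207cb007109")  # constructed IPv4 header

def session_key(chain_key: bytes, router_ip: str) -> bytes:
    # Assumed reading of the slide's MD5(K_t, IP): a router-specific session key for slot t.
    return hashlib.md5(chain_key + router_ip.encode()).digest()

def _element_bytes(digest: str, el: dict) -> bytes:
    # Fields covered by an element's HMAC (which fields are covered is an assumption here).
    return "|".join([digest, el["router"], el["previous"], el["next_hop"],
                     str(el["ttl"]), str(el["timestamp"])]).encode()

def add_element(msg: dict, router: str, previous: str, next_hop: str, ttl: int, ts: int) -> None:
    # Appends one ROUTER LIST element, as the initiator (first) and each propagator do.
    el = {"router": router, "previous": previous, "next_hop": next_hop, "ttl": ttl, "timestamp": ts}
    key = session_key(CHAIN_KEYS[router], router)
    el["hmac"] = hmac.new(key, _element_bytes(msg["digest"], el), hashlib.md5).hexdigest()
    msg["router_list"].append(el)

def initiate_caddie(ball_header: bytes, router: str, previous: str, next_hop: str, ttl: int, ts: int) -> dict:
    # Caddie Initiator: digest the copied ball packet header and open the router list.
    msg = {"digest": hashlib.md5(ball_header).hexdigest(), "router_list": []}
    add_element(msg, router, previous, next_hop, ttl, ts)
    return msg

def verify_path(msg: dict, ball_header: bytes, released_keys: dict) -> list:
    # Tracer side, once keys are released: digest must match the ball packet, every element's
    # HMAC must verify, and PREVIOUS ROUTER ID must chain back. Returns the path, or [] on failure.
    if hashlib.md5(ball_header).hexdigest() != msg["digest"]:
        return []
    path = []
    for i, el in enumerate(msg["router_list"]):
        key = session_key(released_keys.get(el["router"], b""), el["router"])  # unknown router -> no match
        expected = hmac.new(key, _element_bytes(msg["digest"], el), hashlib.md5).hexdigest()
        if not hmac.compare_digest(expected, el["hmac"]):
            return []
        if i > 0 and el["previous"] != msg["router_list"][i - 1]["router"]:
            return []
        path.append(el["router"])
    return path

def build_sample_message() -> dict:
    msg = initiate_caddie(BALL_HEADER, "10.0.0.1", "192.0.2.7", "10.0.0.2", 63, 1000)
    add_element(msg, "10.0.0.2", "10.0.0.1", "10.0.0.3", 62, 1001)     # Caddie Propagator
    add_element(msg, "10.0.0.3", "10.0.0.2", "203.0.113.9", 61, 1002)  # Caddie Propagator
    return msg
```

A tracer that does not yet hold a router's released key, or receives a message whose element was altered in transit, gets an empty path rather than a partially trusted one.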

IP Traceback
IP Traceback for Direct DDoS

[Figure: Attacker -> Intrusion Connection Chain -> Attack Agents; the DoS Traffic from the Attack Agents passes Caddie Initiators (CI) and Caddie Propagators (CP) on its way to the Victim. Legend: CI - Caddie Initiator, CP - Caddie Propagator, Intrusion Connection Chain, DoS Traffic.]

IP Traceback (Cont.)
IP Traceback for Reflective DDoS

[Figure: Attacker -> Intrusion Connection Chain -> Attack Agents; Service Request Traffic from the Attack Agents passes Caddie Initiators (CI) to the Attack Reflectors, and Service Response Traffic from the Attack Reflectors passes Caddie Propagators (CP) to the Victim. Legend: CI - Caddie Initiator, CP - Caddie Propagator, Intrusion Connection Chain, Service Request Traffic, Service Response Traffic.]

Evaluations
- Incremental Deployment
- Scalability

[Figure: incremental deployment. The Sources -> Routers -> Caddie Initiator -> a mix of Regular Routers and Caddie Propagators -> Attack Victim/Tracer; ball packets and the corresponding Caddie messages traverse the path.]

Evaluations (Cont.)
Workload Distribution

[Figure: Local networks - ISP - Backbone Internet Core - ISP - Local networks]

Evaluations (Cont.)
- Security: HMACs
- Robustness: False positives
- Political Issues: ISPs cooperation, Privacy

Evaluations (Cont.)
- Bandwidth Overhead: Number of attack packets required; Number of ICMP messages generated
- Storage Overhead: In the network; At the victim
- Computational Overhead: In the network; At the victim

Conclusion
- Effective
- Secure
- DoS-Resistant

Q&A
Thank You Very Much
