Date: 21th Oct, 2003
Scribe: Ritesh Shreeshreemal
Lecture No. 26 (Distributed Denial of Service attack,IP Traceback)



Denial of service attack
Distributed denial of service attack
Possible solutions
IP Traceback
Encoding issues



Denial of service attack

DoS attacks occur when an attacker overloads servers or networks with useless traffic so that legitimate
requests cannot be processed and resources cannot be accessed. DDoS (distributed DoS) attacks occur when
a large number of infected machines (zombies) are used to launch an attack against a target. The packets
sent to the target will have randomly selected return addresses and often spoofed source addresses,so the
target has difficulty finding the exact location of the attack.
Although DoS attacks do not compromise sensitive information such as passwords or credit card numbers, they
can be devastating. For companies that rely on online transactions, any amount of time spent offline leads
to lost revenue.
Such attacks are among the hardest security problems to address because they are simple to implement,
difficult to prevent, and very difficult to trace. In the last several years, Internet denialof-service
attacks have increased in frequency, severity and sophistication.


Distributed denial of service attack

In order to facilitate DDoS, the attackers need to have several hundred to several thousand compromised hosts. The hosts are usually Linux and SUN computers; however, the tools can be ported to other platforms as well. The process of compromising a host and installing the tool is automated. The process can be divided into the following steps, in which the attackers:

  1. Initiate a scan phase in which a large number of hosts (on the order of 100,000 or more) are probed for a known vulnerability.
  2. Compromise the vulnerable hosts to gain access.
  3. Install the tool on each host.
  4. Use the compromised hosts for further scanning and compromises.

Because an automated process is used, attackers can compromise and install the tool on a single host in under 5 seconds. In other words, several thousand hosts can be compromised in under an hour. Because of distributed nature of problem solution is difficult. Sender  also uses spoofed IP address which makes tracing of attacker very difficult.

Possible solutions

1. Ingress filtering:-
One way to address the problem of anonymous attacks is to eliminate the ability to forge source
addresses. One such approach, frequently called ingress filtering, is to configure routers to block packets
that arrive with illegitimate source addresses.

The main disadvantages of this approach include the extra overhead and the associated decrease in
performance.It is necessary to check every packet that flows in or out of the network.
It may require upgrade
of existing hardware as not all routers support this type of filtering.Furthermore, this technique is not
effective against compromised machines with valid source addresses.
2. link testing
2.1 Input debugging:-

In this method we develop an attack signature that describes a common feature contained in all the attack
packets. The victim communicates this signature to a network operator, frequently via telephone, who then
installs a corresponding input debugging filter on the victim's upstream egress port. This filter reveals the
associated input port, and hence which upstream router originated the traffic. The process is then repeated
recursively on the upstream router, until the originating site is reached or the trace leaves the ISP's

The main disadvantages of this approach include the management overhead.This method requires
communication with network operators at multiple ISPs.

2.2 Controlled flooding:-

This approach starts by creating a map of the routes from the victim to every network, using any known
mapping technology. Then, starting with the closest router, a brief burst of load is applied to each link
attached to it. If the loaded link is a component of the path of the attacking stream, then the induced load
will change the attacking stream traffic. Then this link is considered to be along the path to the attacker
and this is carried until the nearest source is reached.
The main disadvantage of this method is network overhead due to flooding into internet.It also
introduces another DDoS into the network. This method also assumes that the routes are symmetric,which may not
in some cases.

In this method we log the packet at key router and then use data mining techniques to determine the
path that the packets traversed.
Drawback of this method is huge stotage requirement.

4.ICMP Traceback:-

In this method router randomly generates a new ICMP message(with low probability) and sends out the message to
destination along with forwarding packets. If enough Traceback messages are gathered at the victim(or its
upstream ISP),the origin of traffic can be identified by constrution of a chain of Traceback messages.
 Drawbacks:-ICMP traffic is increasingly differentiated and may be filtered or rate limited differently
 from normal traffic, the ICMP Traceback message relies on an input debugging capability that is not available
 in some router architectures, if only some of the routers participate it seems difficult to positively
"connect" traceback messages from participating routers separated by a non-participating router.


IP Traceback
Victim:-Victim may be single host under attack or a firewall that represent many such host.
Attack tree:-Tree routed at victim and intermeadiate node represents routers of attack path.
Attack path:-Ordered list of routers between victim and attacker.
Exact traceback:-To determine the attack path and the associated attack origin
 for each attacker.
Approximate traceback:-
Finding a candidate attack path for each attacker that contains the true attack path as
a suffix.
Convergence time:-
Time of an algorithm is the number of packets that the victim must observe to reconstruct
the attack path.

Conservative assumption:-
An attacker may generate any packet.
Multiple attackers may conspire.
Packet may be lost or relocated.
Attackers send numerous packets.

Helpful assumptions:-
The route between attacker and victim is stable.
Routers are both CPU and memory limited
Routers are not widely compromized.

Packet marking
(1)Node append:-This method append each node's address to the end of the packet as it travels through the
network from attacker to victim.
Advantage:-Quick to converge
Disadvantage:-High router overhead and fragmentation

(2)Node sampling:-This method sample the path one node at a time instead of recording the entire path. Upon
receiving a packet, each router chooses to write its address in the node field with some probability p. After
enough packets have been sent,the victim will have received at least one sample for every router in the attack
Advantages:- If p>0.5 then algo is robust because attacker can't insert a false router into the path by
putting more samples than a downstream router.
Disadvantages:- Low convergence time of algo and can't handle multiple attacker.

(3)Edge sampling:-This method explicitely encode edges in the attack path rather than simply individual nodes.

For this purpose we would need to reserve two static address fields,start and end,in each packet at each end
of link plus one distance field.
Advantages:-Fast convergence,independent of p(marking probablity),can handle DDOS

Disadvantage:-Extra space in IP packet(72 bits per pack).
Encoding issues:-
Edge sampling aglo requires extra space in IP packet(72 bits per pack).To overcome this
we can store the edge sample data in an IP option,but adding data to a packet in flight is expensive.We can
send this info. in separate packet but this will leads to network and router overheads.Another solution is
to overload 16-bit IP identification field used for fragmentation.

Compressed edge fragment sampling:-
To reduce per-packet storage requirements we can encode each edge in half
the space by representing it as the exclusive-or (XOR) of the two IP addresses making up the edge.Another way
to reduce space requirement is to subdivide each id into some number of smaller nonoverlapping fragment.When a
router desides to mark a packet it selects one of these fragments at random and stores it in the packet.One
more modification is that in case of multiple attackers,
a victim may receive multiple edge fragments with the
same offset and distance. To reduce the probability that we accidentally reconstruct a "false" edge-id by
combining fragments from different paths, we add a simple error detection code to our algorithm. We increase
the size of each router address, and hence each edge-id, by bit-interleaving its IP address with a random hash
of itsel

Limitations of IP traceback: