Extended Deterministic Edge Router Marking Samant Saurabh* E-mail: [email protected] *Corresponding author

Sangita Roy E-mail: [email protected]

Ashok Singh Sairam E-mail: [email protected] Department of Computer Science and Engineering, Indian Institute of Technology Patna, Patna 800013, India Fax: 91-612-2277383

Abstract: In this paper, a novel deterministic edge router marking scheme to mitigate denial of service (DoS) attacks and perform traceback is proposed. The scheme is compatible with packet fragmentation and at the same time does not add space overhead. The proposed technique produces a low false positive rate and adds very low processing and storage overhead at the edge router. An issue with existing filtering schemes for DoS attacks is that they suffer from heavy collateral damage. Our proposed scheme minimizes collateral damage using signature pushback and allows legitimate traffic to be served smoothly. We optimize pushback by using a Lamport hash chain, and filtering time by sorting the attack features based on their entropy. Empirical results confirm that our system is fast, accurate, scalable and greatly reduces blocking of legitimate traffic during the filtering phase.

Keywords: Packet Marking, DoS, DDoS, Hashing, Attack Signature, Edge Routers, IP Fragmentation, Hash Chains and Filtering

Biographical notes: S. Saurabh did his B.Tech in Electronics and Communication Engineering from IIT Guwahati, India and MS in the department of Electrical and Computer Engineering, University of Massachusetts Amherst, USA. Currently he is doing his PhD in Computer Science and Engineering at Indian Institute of Technology, Patna, India. His areas of interest are Computer Networks, Operating Systems and Algorithms. S. Roy did her B.Tech in Computer Science and Engineering from West Bengal University of Technology, India and M.Tech in the department of Computer Science and Engineering, KIIT University, Orissa, India.

Currently she is doing her PhD in Computer Science and Engineering at Indian Institute of Technology, Patna, India. Her areas of interest are Computer Networks, Database Management Systems, Cryptography and Network Security. Dr. Ashok Singh Sairam obtained his B.Tech degree from National Institute of Technology Silchar, India in the year 1993. He obtained his M.Tech and Ph.D degrees from Indian Institute of Technology Guwahati, India in 2001 and 2009 respectively. Currently he is working as an Assistant Professor at Indian Institute of Technology Patna, India. Prior to this he was working as a senior research officer at Indian Institute of Technology Guwahati, India. His research interests include network security, wireless networks and Internet technologies. He has worked on major network security projects. He has given invited lectures and served as PC member in several international conferences.

1 Introduction

Today's Internet is extremely vulnerable to motivated and well-equipped attackers. Tools are readily available to degrade performance or even disable vital network services. The most widely reported category of attack that today's Internet community faces is the Distributed Denial of Service (DDoS) attack (Misra et al. (2010)), which is typically conducted by flooding network links with large amounts of traffic. The problem has become even more profound as new attacks have been introduced that exploit the Internet protocol stack (Yu et al (2011)). Unfortunately, the anonymous nature of the IP protocol makes it difficult to accurately identify the true source of an IP datagram if the source wishes to conceal it. IP traceback mechanisms provide the victim with the ability to trace the origin of an attack. Systems that can reliably trace attack packets back to their sources are the first and most important step in making attackers accountable and in blocking an attack nearer to its source before it spreads many-fold. Two approaches are generally used for traceback, namely logging and packet marking. In packet marking schemes, some traceback data is inserted in each packet so that a victim can use this information to filter malicious packets and finally identify the attacker. Packet marking can be done in two ways: probabilistic and deterministic (Roy (2013)). In this work we are mainly concerned with deterministically marking the packets. Once an intrusion detection system (IDS) (Roesch (1999)) flags a certain class of packets as malicious, the packet marks can be used to filter them. For wireless networks, different classes of IDS have been proposed, e.g. a stochastic learning automata based solution (Misra et al. (2011)) and a simple learning automata based solution (Misra et al. (2011)). However, discussion of IDS is beyond the scope of this paper.
A naive filtering scheme is to extract the mark from a packet flagged as malicious by the IDS and discard all subsequent packets that carry the same mark. The side effect of such a simplistic filtering scheme is that legitimate packets may also carry the same mark and thereby get filtered. In order to reduce such collateral damage we propose to construct an attack signature that uniquely identifies the malevolent packets. Subsequently we need to port the attack signature to those locations in the network where it will be used to block the attack packets. Since the attack signatures need to be moved in the midst of an attack, this must be done securely and with minimal overhead.

The paper is organized as follows. In section 2 we review deterministic edge router marking (DERM), an innovative packet marking scheme, and propose improvements. A detailed mathematical analysis of the different flavours of DERM is given in section 3. A technique to filter malicious packets using an attack signature is discussed in section 4. Next we discuss some general issues related to packet marking in section 5, and the results are given in section 6. Final concluding remarks are given in section 7.

2 Packet Marking: DERM

In deterministic packet marking (DPM) (Ansari et al. (2003)), only edge routers participate in the marking procedure. DPM tries to construct the address of the edge router closest to the attack source by fragmenting the IP address and sending it in two packets. The identification (ID) field in the IP header is used to carry one half of the IP address and the RF bit is used to denote whether it is the first or the second half. Reconstructing the source address at the victim requires trying out the different possible permutations. Not only does the DPM technique require a high overhead, it also results in a high number of false positives. In order to overcome these issues, Barua et al. (Rayanchu and Barua (2005)) proposed DERM, which encodes the router's IP address with a hash function. The advantage of DERM is that the reconstruction time is considerably reduced and a single packet is sufficient to detect and trace back an attack (Barua et al. (2000); Rayanchu and Barua (2006)). However, encoding the router's IP address results in false positives and high collateral damage during filtering. Several variants of DERM have been proposed to overcome these and they are briefly reviewed below.

2.1 Basic DERM

In basic DERM, a 16-bit hash of the router's IP address, called the HashMark, is computed just like a message digest and inserted into the ID field of the IP header. The victim maintains each HashMark and the list of all routers that have this HashMark in a table (RecordTbl) for later lookup. When the intrusion detection system (IDS) identifies a packet as malicious, the HashMark of the packet is used to set a bit in RecordTbl. Since a 32-bit IP address is encoded with a 16-bit hash, more than one IP address can map to the same hash. During the filtering phase, the victim looks up the table and filters out those packets whose corresponding HashMark bit is set. Hence there will be false positives during the filtering phase due to hash collisions.


2.2 Multiple Hash DERM

In order to reduce the false positives of basic DERM, multiple hash functions are used and multiple digests are sent in different packets. An edge router marks a packet with a 16-bit representation of its IP address, $[HashMark, f_{id}] = [HM_i(IP) \,\|\, f_i]$. Here $HashMark = HM_i(IP)$, where $HM_i$ is one of the $f$ universally known hash functions $HM_1 \dots HM_f$ and $f_{id}$ is the corresponding function identifier. If $d$ bits are used for the HashMark and $\log(f)$ bits for the hash function identifier, we have $d + \log(f) = 16$. In multiple hash DERM the hash functions for marking are used with equal probability.

2.2.1 Attack Identification and Filtering in Multiple Hash DERM

Almost the same procedure is followed for attack identification as in basic DERM. The RECV bit is set to one for the hash mark of each attack packet in the RecordTbl corresponding to that particular hash function. After a sufficient number of attack packets (containing packets marked with all the different hash functions) has been collected, the attacker is identified with almost negligible false positives. When an attack packet is received, its hash mark is noted and it is verified whether the RECV bit is set in the RecordTbl for that particular hash function. If true, iterate through its IPAddressList and find the unique IP address that is present in all the $f$ RecordTbls corresponding to the $f$ different hash functions. Though this scheme requires more processing and storage, it gives much better results in terms of uniquely identifying the attacker with minimum false positives.

2.3 Multiple Hash DERM with Skew

In order to reduce the processing complexity during the filtering phase, a skew characteristic is introduced into the multiple hash functions: routers use the hash functions with varying probabilities. The idea is that routers use a primary hash function with a higher probability than the other, secondary, hash functions. The filtering phase may then be modified to discard packets based only on the hash marks of the primary hash function, thereby reducing the look-up and matching complexity introduced by multiple hash functions during the filtering phase. This comes at the cost of an increase in false positives, but is accompanied by significantly less processing overhead at the router. The primary hash function is used with probability $\alpha$ and each secondary hash function with probability $\beta = (1 - \alpha)/(f - 1)$. The processing required at the router consists of probabilistic selection amongst the $f$ hash functions and marking incoming packets with the corresponding $d$-bit hash mark and $\log(f)$-bit hash function identifier.

2.3.1 Reconstruction by the Victim

The construction of tables and the attacker identification phase remain the same as in multiple hash DERM. There are $f$ tables $RecordTbl_1, RecordTbl_2, \dots, RecordTbl_f$ with tuples of the form $\langle HashMark; RECVbit; AddList \rangle$. When the victim gets an attack packet, the hash function identifier is noted and the corresponding RecordTbl is identified. The RECV bit corresponding to the hash mark is then set to 1. An edge router is classified as an attacking router if and only if the RECV bits of all its $f$ hash marks are set to 1 in the corresponding RecordTbls. The filtering procedure is as follows. For any incoming packet, if the packet has been marked by the primary hash function and the RECV bit is set to one in the corresponding RecordTbl, then that packet is filtered out. Since filtering is done only on the basis of the primary hash marks, false positives during the filtering phase will drastically reduce.
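The marking, RecordTbl construction, attacker identification and primary-hash-only filtering of sections 2.2 to 2.3.1, as an added worked example that is not code from the paper: the hash family (SHA-256 keyed by the function index and truncated to d bits), the parameters d = 12, f = 16, α = 0.5, and the router addresses are assumptions constructed for the example.

```python
import hashlib
import random
from collections import defaultdict

# Constructed parameters (assumptions for this example): d marking bits plus
# log2(f) identifier bits fill the 16-bit ID field, i.e. d + log(f) = 16.
D_BITS = 12
F = 16
ALPHA = 0.5  # primary hash function probability; beta = (1 - ALPHA) / (F - 1)


def hash_mark(router_ip: str, i: int) -> int:
    """HM_i(IP): a d-bit digest. The family (SHA-256 keyed by the function
    index, truncated) is an assumption, not the paper's hash functions."""
    digest = hashlib.sha256(f"{i}:{router_ip}".encode()).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << D_BITS) - 1)


def pick_function(rng: random.Random) -> int:
    """Skewed selection: function 0 (primary) with probability ALPHA,
    each secondary function with probability (1 - ALPHA) / (F - 1)."""
    return 0 if rng.random() < ALPHA else rng.randrange(1, F)


def mark_packet(router_ip: str, rng: random.Random) -> int:
    """Edge router side: [HashMark || f_id] packed into the 16-bit ID field."""
    i = pick_function(rng)
    return (hash_mark(router_ip, i) << (16 - D_BITS)) | i


def unpack_mark(mark: int):
    return mark >> (16 - D_BITS), mark & (F - 1)


class Victim:
    """Holds f RecordTbls: per hash function, hash mark -> address list,
    plus the set of marks whose RECV bit has been set."""

    def __init__(self, edge_routers):
        self.addr_list = [defaultdict(list) for _ in range(F)]
        for ip in edge_routers:
            for i in range(F):
                self.addr_list[i][hash_mark(ip, i)].append(ip)
        self.recv = [set() for _ in range(F)]

    def note_attack_packet(self, mark: int) -> None:
        """IDS flagged this packet: set RECV for its mark in table f_id."""
        hm, i = unpack_mark(mark)
        self.recv[i].add(hm)

    def identify_attackers(self):
        """A router is accused only if its marks under all f functions are flagged."""
        candidates = None
        for i in range(F):
            flagged = set()
            for hm in self.recv[i]:
                flagged.update(self.addr_list[i].get(hm, []))
            candidates = flagged if candidates is None else candidates & flagged
        return candidates or set()

    def should_drop(self, mark: int) -> bool:
        """Skewed DERM filtering: only primary-function marks are consulted."""
        hm, i = unpack_mark(mark)
        return i == 0 and hm in self.recv[0]


def simulate(seed: int = 1, n_routers: int = 300, n_attack_packets: int = 3000):
    """Constructed scenario: 300 edge routers, one of them forwarding the attack."""
    rng = random.Random(seed)
    routers = [f"10.{k // 256}.{k % 256}.1" for k in range(n_routers)]
    attacker = routers[42]
    victim = Victim(routers)
    for _ in range(n_attack_packets):
        victim.note_attack_packet(mark_packet(attacker, rng))
    identified = victim.identify_attackers()
    # Filtering phase on fresh traffic: only packets marked by the primary function are dropped
    dropped_attack = sum(victim.should_drop(mark_packet(attacker, rng)) for _ in range(1000))
    dropped_legit = sum(victim.should_drop(mark_packet(routers[7], rng)) for _ in range(1000))
    return identified, dropped_attack, dropped_legit


if __name__ == "__main__":
    print(simulate())
```

`simulate()` returns the set of edge routers identified (the single attacking router, because only it is flagged in all f tables), the number of attacker packets the primary-hash-only filter drops (roughly α of them, which is the filtering-phase cost of the skew) and the number of packets from a legitimate router that were dropped, which is non-zero only if that router's primary mark collides with a flagged one.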

3 Analysis of the DERM Schemes

Let the number of edge routers be $M$, the number of marking bits $d$, the number of attackers $N$, the number of hash functions $f$, and the probability of marking by the primary hash function $\alpha$. Let $N_{av}$ be the average number of edge routers corresponding to a particular hash mark in a record table, and $E(h)$ the expected number of hash marks in a particular table with the RECV bit set to 1. When the number of edge routers is less than $2^d$ there will be almost negligible collision and hence the false positive rate will be almost zero. When the number of edge routers is more than $2^d$, the expected number of distinct hash marks with the RECV bit set to 1 is given by the classical occupancy problem (Park (1972)), in which we throw $N$ items into $M$ bins and find the expected number of occupied bins. This is given by

$$E(h) = 2^d - 2^d \left(1 - \frac{1}{2^d}\right)^N, \qquad N_{av} = \frac{M}{2^d}$$

$$E(FalsePositive) = E(h) \cdot N_{av} - N$$

For storage we require $(N_{av} \cdot 32 + 1) \cdot 2^d$ bits for RecordTbl in basic DERM.

3.1 Multiple Hash DERM

In multiple hash DERM, we use $\ln(f)$ bits for identifying the hash function and $d$ bits for the hash mark, hence $d + \ln(f) = 16$. The number of false positives greatly reduces in multiple hash DERM because the probability that two IP addresses collide under all $f$ hash functions becomes $(\frac{1}{2^d})^{f-1}$ times that of the original. Hence the expected number of false positives is

$$E(FalsePositive) = (E(h) \cdot N_{av} - N) \cdot \left(\frac{E(h)}{2^d}\right)^{f-1}$$

The probability that no two attacking edge routers collide to the same value under all $f$ hash functions is

$$p_{nocollision} = \left(1 - \left(\frac{1}{2^d}\right)^{f-1}\right)^{\frac{M}{2^d}}$$

Table 1 Comparative performance study of various DERM schemes

Scheme type | Filtering phase false positive | Attack identification false positive
--- | --- | ---
Basic DERM | $E(h) \cdot N_{av} - N$ | $E(h) \cdot N_{av} - N$
Multiple Hash DERM | $(E(h) \cdot N_{av} - N) \cdot f$ | $(E(h) \cdot N_{av} - N) \cdot \left(\frac{E(h)}{2^d}\right)^{f-1}$
Skewed Hash DERM | $(E(h) \cdot N_{av} - N) \cdot f$ | $(E(h) \cdot N_{av} - N) \cdot \left(\frac{E(h)}{2^d}\right)^{f-1}$

The minimum number of attack packets that the victim needs to collect for attack identification is equivalent to the equiprobable coupon collector problem, in which the victim needs to collect $f$ unique packets (coupons) corresponding to the $f$ different hash marks. The expected number of packets needed is

$$E(f) = f \cdot \left(\frac{1}{f} + \frac{1}{f-1} + \frac{1}{f-2} + \cdots + \frac{1}{1}\right) \simeq f \cdot (\log f + 0.577)$$

We require $f \cdot (N_{av} \cdot 32 + 1) \cdot 2^d$ bits for the RecordTbls in basic multiple hash DERM.

3.2 Multiple Hash DERM with Skew

The expressions for the expected number of attack packets, the expected number of false positives and the probability of no collision remain the same as in multiple hash DERM. However, as we mark packets with different probabilities, the expected minimum number of packets required for attack identification is given by the non-equal-probability coupon collector problem. It states that if $p_1, p_2, p_3, \dots, p_n$ are the probabilities of marking packets with hash functions $HM_1, HM_2, \dots, HM_n$, then the minimum number of attack packets required is

$$E(f) = \sum_{i_1=1}^{f} \frac{1}{p_{i_1}} - \sum_{i_1=1}^{f} \sum_{i_2=i_1+1}^{f} \frac{1}{p_{i_1} + p_{i_2}} + \cdots + (-1)^{f+1} \frac{1}{p_{i_1} + p_{i_2} + p_{i_3} + \cdots + p_{i_f}}$$

where $p_{i_1} = \alpha$ and $p_{i_2}, \dots, p_{i_f} = \frac{1-\alpha}{f-1}$. Thus, although the performance of multiple hash DERM (with or without skew) is significantly better than basic DERM during attacker identification, multiple hash DERM without skew has a higher processing complexity during the filtering phase. The processing complexity is reduced by a factor of $f$ by introducing the skew characteristic into the multiple hash functions. However, this comes at the cost of an increased number of false positives during the filtering phase.
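The closed forms of section 3 ($E(h)$, $N_{av}$, both false positive expressions, the storage requirement and both coupon collector expectations) carried through in code, as an added example that is not part of the paper. The unequal-probability expectation is evaluated by enumerating subsets, which is exact but only practical for small $f$; the parameter values used are constructed.

```python
from itertools import combinations
from math import log


def expected_flagged_marks(n_attackers: int, d: int) -> float:
    """E(h) = 2^d - 2^d (1 - 1/2^d)^N: expected distinct marks with RECV = 1."""
    bins = 2 ** d
    return bins - bins * (1 - 1 / bins) ** n_attackers


def average_list_length(m_routers: int, d: int) -> float:
    """N_av = M / 2^d: average number of edge routers sharing one hash mark."""
    return m_routers / 2 ** d


def false_positives_basic(m_routers: int, d: int, n_attackers: int) -> float:
    """E(FalsePositive) = E(h) * N_av - N for basic DERM."""
    return expected_flagged_marks(n_attackers, d) * average_list_length(m_routers, d) - n_attackers


def false_positives_multi(m_routers: int, d: int, n_attackers: int, f: int) -> float:
    """Multiple hash DERM: the basic value scaled by (E(h) / 2^d)^(f - 1)."""
    eh = expected_flagged_marks(n_attackers, d)
    return false_positives_basic(m_routers, d, n_attackers) * (eh / 2 ** d) ** (f - 1)


def record_table_bits(m_routers: int, d: int, f: int = 1) -> float:
    """Storage: f * (N_av * 32 + 1) * 2^d bits for the record table(s)."""
    return f * (average_list_length(m_routers, d) * 32 + 1) * 2 ** d


def expected_packets_equiprobable(f: int) -> float:
    """Equiprobable coupon collector: f * (1/f + 1/(f-1) + ... + 1/1)."""
    return f * sum(1 / i for i in range(1, f + 1))


def expected_packets_approx(f: int) -> float:
    """The paper's approximation f * (log f + 0.577)."""
    return f * (log(f) + 0.577)


def skew_probabilities(f: int, alpha: float):
    """p_1 = alpha for the primary function, (1 - alpha) / (f - 1) for the others."""
    return [alpha] + [(1 - alpha) / (f - 1)] * (f - 1)


def expected_packets_skewed(probs) -> float:
    """Unequal-probability coupon collector by inclusion-exclusion:
    sum over non-empty subsets S of (-1)^(|S|+1) / sum_{i in S} p_i.
    Exact, but enumerates 2^f - 1 subsets, so only for small f."""
    total = 0.0
    for k in range(1, len(probs) + 1):
        sign = 1.0 if k % 2 else -1.0
        for subset in combinations(probs, k):
            total += sign / sum(subset)
    return total


if __name__ == "__main__":
    # Constructed parameters: 2^20 edge routers, 16 marking bits, 1000 attackers.
    M, d, N = 2 ** 20, 16, 1000
    print("E(h) =", expected_flagged_marks(N, d), "N_av =", average_list_length(M, d))
    print("basic FP =", false_positives_basic(M, d, N), "multi FP (f=8) =", false_positives_multi(M, d, N, 8))
    print("packets, f=8 equiprobable:", expected_packets_equiprobable(8), "approx:", expected_packets_approx(8))
    print("packets, f=8 with alpha=0.7:", expected_packets_skewed(skew_probabilities(8, 0.7)))
```

With equal probabilities the inclusion-exclusion sum reduces to $f \cdot H_f$, which is the check the test below makes; with a strong skew the expectation rises, since the rarest secondary mark must still be collected, matching the behaviour the paper reports for large $\alpha$.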

4 Pushback of Attack Signature

One of the problems with present DERM schemes is the high level of collateral damage to the victim. During the filtering phase, the attacker has already been identified and we filter out all traffic coming from the attacking edge router. Filtering traffic based on the IP address of the edge router blocks all incoming traffic to the victim from that edge router, which includes the DDoS attack traffic as well as legitimate traffic. Moreover, filtering attack packets at the victim causes maximum congestion in the network. To reduce the collateral damage and the congestion in the network, we propose a new scheme in which the victim sends an attack signature to the edge router and requests it to block all packets possessing this signature whose destination is the victim. This greatly reduces the traffic inside the network as the attack packets are filtered out before entering the network.

4.1 Attack Signatures for Various Common DoS Attacks

In this section, we show attack signatures for some common DoS attacks. The attack signature is based on a decision tree, which classifies data based on its properties. Here the IP packet is the root of the decision tree. An IP packet is first classified as a UDP, TCP or ICMP packet. Thereafter, based on the features of the packet, it is classified as a normal or an attack packet.

Figure 1 Packet Classification

In figure 2, DoS attack signatures for ICMP based packets are given. Ping flood, IP broadcast flood and ping of death are examples of DoS attacks that exploit the ICMP protocol. In a decision tree based IDS, each node in the tree represents a feature of the packet. Taking ICMP broadcast flooding as an example, the IDS checks whether the packet is (1) of ICMP type, (2) an Echo Request and finally (3) whether the destination IP is a broadcast address. If the path traversed by the packet follows these three nodes, satisfying each criterion, then it is considered to match the signature of an ICMP broadcast flood. The same holds for the other two ICMP DoS attacks. Figures 3 and 4 show attack signatures for TCP based DoS attacks, and figure 5 shows attack signatures for UDP based DoS attacks.

4.2 Possible Attacks on the Pushback Scheme

The pushback scheme suffers from a serious security threat: an adversary can block an important service running on the victim by sending the signature of some legitimate traffic while spoofing the IP address of the victim. To mitigate this problem, we first use a 3-way handshake mechanism to prevent spoofing of the signature and then improve it by using the FAST AUTHENTICATION mechanism described below.

Figure 2 Decision Tree attack signature for ICMP based DoS attacks

Figure 3 Decision Tree attack signature for TCP based DoS attacks

4.3 Three Way Handshake

Schemes like Signature Conflict Triggered Filtering (SCTF) (Mittal (2006)) use three packets, termed FILTER REQUEST, VERIFY SOURCE and SOURCE ACK, between the victim and the edge router for handshaking. The procedure is shown in figure 6. The FILTER REQUEST packet contains the signature of the attack traffic; with it the victim requests the edge router to filter out this traffic at the edge itself, which helps in reducing congestion in the network. As a malicious user might try to block legitimate traffic, we need to make sure that the FILTER REQUEST packet has not been spoofed. Hence the edge router sends a VERIFY SOURCE packet, carrying a random number called a nonce, to ensure that the IP address of the victim has not been spoofed. Upon receiving the VERIFY SOURCE, the victim replies with a SOURCE ACK packet containing the same nonce. This mechanism ensures that the filter request has not been spoofed. After completion of the packet exchange, the edge router filters out all traffic carrying the attack signature destined to the victim. This method has two advantages: first, it filters out only the attack traffic and allows legitimate traffic to reach the victim; second, it blocks the attack traffic before it floods the network.

Figure 4 Decision Tree attack signature for TCP based DoS attacks

Figure 5 Decision Tree attack signature for UDP based DoS attacks

Figure 6 3-way handshake mechanism for sending attack signature to the edge router for filtering
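The three-packet exchange of section 4.3 with both sides' messages, as an added example that is neither SCTF's nor the paper's code. It assumes a 16-byte random nonce and that the victim answers a VERIFY SOURCE only for a request it actually sent; the second assumption is what makes a FILTER REQUEST forged with the victim's address fail, because the challenge is routed to the real victim and the forger never learns the nonce.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Msg:
    kind: str                 # FILTER_REQUEST, VERIFY_SOURCE or SOURCE_ACK
    src: str                  # source IP as it appears on the wire (may be spoofed)
    dst: str
    signature: tuple = ()     # attack signature carried by FILTER_REQUEST
    nonce: bytes = b""        # random challenge carried by VERIFY_SOURCE / SOURCE_ACK


@dataclass
class EdgeRouter:
    ip: str
    pending: dict = field(default_factory=dict)  # claimed victim IP -> (nonce, signature)
    vst: dict = field(default_factory=dict)      # Victim Signature Table: victim IP -> [signature]

    def receive(self, m: Msg):
        if m.kind == "FILTER_REQUEST":
            # Challenge the claimed source with a fresh 16-byte nonce (assumed size).
            nonce = secrets.token_bytes(16)
            self.pending[m.src] = (nonce, m.signature)
            return Msg("VERIFY_SOURCE", self.ip, m.src, nonce=nonce)
        if m.kind == "SOURCE_ACK":
            entry = self.pending.get(m.src)
            if entry is None or not secrets.compare_digest(entry[0], m.nonce):
                return None  # wrong or missing nonce: the filter is not installed
            del self.pending[m.src]
            self.vst.setdefault(m.src, []).append(entry[1])
        return None


@dataclass
class Victim:
    ip: str
    outstanding: set = field(default_factory=set)  # routers we asked to filter

    def request_filter(self, router_ip: str, signature: tuple) -> Msg:
        self.outstanding.add(router_ip)
        return Msg("FILTER_REQUEST", self.ip, router_ip, signature=signature)

    def answer(self, m: Msg):
        # Assumption: only challenges for requests this host actually sent are echoed.
        if m.kind == "VERIFY_SOURCE" and m.dst == self.ip and m.src in self.outstanding:
            self.outstanding.discard(m.src)
            return Msg("SOURCE_ACK", self.ip, m.src, nonce=m.nonce)
        return None


def genuine_handshake(victim: Victim, router: EdgeRouter, signature: tuple) -> bool:
    """All three packets flow between the real victim and the edge router."""
    verify = router.receive(victim.request_filter(router.ip, signature))
    ack = victim.answer(verify)
    router.receive(ack)
    return signature in router.vst.get(victim.ip, [])


def spoofed_handshake(router: EdgeRouter, victim: Victim, signature: tuple) -> bool:
    """A FILTER_REQUEST forged with the victim's address: VERIFY_SOURCE is routed
    to the real victim, which never asked for a filter and stays silent, so the
    forger can only send a guessed nonce."""
    verify = router.receive(Msg("FILTER_REQUEST", victim.ip, router.ip, signature=signature))
    victim.answer(verify)  # returns None: the real victim has no outstanding request
    router.receive(Msg("SOURCE_ACK", victim.ip, router.ip, nonce=bytes(16)))
    return signature in router.vst.get(victim.ip, [])


if __name__ == "__main__":
    sig = ("ICMP", "echo_request", "dst_broadcast")  # constructed signature tuple
    print("genuine:", genuine_handshake(Victim("198.51.100.5"), EdgeRouter("192.0.2.1"), sig))
    print("spoofed:", spoofed_handshake(EdgeRouter("192.0.2.1"), Victim("198.51.100.5"), sig))
```

The pending entry is left in place on a bad SOURCE ACK so that a stray wrong answer cannot cancel a genuine handshake in flight; the edge router only ever installs a signature for the address that proved it received the challenge.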

4.4 Filter Request With Fast Authentication: Hash Chain

The three-way handshake was further enhanced with a fast authentication scheme (Sairam et al. (2010)) which requires only one packet to send the attack signature and prevent IP spoofing. The victim sends the attack signature in a filter request with fast authentication packet. The idea is to replace the 3-way handshake with a single-packet handshake, so as to obviate the problem of incomplete handshakes. In the single packet handshake, a hash chain (Lamport (1981)) is used for authentication. This scheme uniquely authenticates the sender and is safe from eavesdropping, replay attacks and password theft over an insecure communication channel. A hash chain is an algorithm to produce many one-time keys from a single key or password, by successive application of a cryptographic hash function to a string $x$. A hash function $H$ is used to compute a hash chain of length $n$, i.e. $h_n = H^n(x)$, where $H^n$ denotes $n$ successive applications of $H$, and $h_n$, called the anchor of the hash chain, is made available to the edge routers. The edge router begins by storing $H^n(x)$ and the victim sends the tuple $\langle H^{n-1}(x), packet\ signature \rangle$ to the edge router. The edge router computes $H(H^{n-1}(x))$ and verifies whether it equals $H^n(x)$. If it does, the victim is authenticated; otherwise the request is discarded. In this scheme the victim can be authenticated $n$ times before the chain is exhausted. By keeping count of $n$ for each victim, the ISP or the edge router can in fact monitor the health of the hosts inside the network: the lower the value of $n$ for a particular host, the higher the number of attacks on that host. As the path from the victim toward the attacker will be relatively less congested, the victim can successfully inform upstream routers on the path to filter all packets from an attacker.

Edge routers maintain a Victim Signature Table (VST) consisting of tuples of the form $\langle victim\ IP\ address, list\langle attack\ signature \rangle \rangle$, using which they filter packets. This table will be small as it does not contain all the signatures held by the victim's IDS. Hence it will not hamper the performance of the edge routers, while greatly mitigating congestion in the network.
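The Lamport hash chain authentication of section 4.4 on both the victim and edge router sides, as an added example that is not the paper's implementation. $H$ is assumed to be SHA-256, the chain length $n$ and the secret are constructed, and the edge router is shown rejecting a replayed value, a forged value, and running down its per-victim count until the chain is exhausted.

```python
import hashlib
import hmac


def H(data: bytes) -> bytes:
    """The chain's hash function; SHA-256 is an assumption for this example."""
    return hashlib.sha256(data).digest()


def hash_chain(secret: bytes, n: int):
    """Returns [H^0(x), H^1(x), ..., H^n(x)]; H^n(x) is the anchor."""
    chain = [secret]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


class VictimSide:
    """Holds the chain and reveals H^{n-1}(x), H^{n-2}(x), ... one per request."""

    def __init__(self, secret: bytes, n: int):
        self.chain = hash_chain(secret, n)
        self.next_index = n - 1

    def anchor(self) -> bytes:
        return self.chain[-1]

    def filter_request(self, signature):
        """One-packet FILTER REQUEST with fast authentication: <H^k(x), signature>."""
        if self.next_index < 0:
            raise RuntimeError("hash chain exhausted: provision a new anchor")
        value = self.chain[self.next_index]
        self.next_index -= 1
        return value, signature


class EdgeRouterSide:
    """Stores the last verified chain value per victim; accepts only its preimage."""

    def __init__(self):
        self.current = {}    # victim IP -> last accepted value (initially the anchor)
        self.remaining = {}  # victim IP -> authentications left before exhaustion
        self.vst = {}        # Victim Signature Table

    def provision(self, victim_ip: str, anchor: bytes, n: int) -> None:
        self.current[victim_ip] = anchor
        self.remaining[victim_ip] = n

    def receive(self, victim_ip: str, value: bytes, signature) -> bool:
        if victim_ip not in self.current:
            return False
        if not hmac.compare_digest(H(value), self.current[victim_ip]):
            return False  # not the preimage of the stored value: discard
        self.current[victim_ip] = value  # advance, so this value cannot be replayed
        self.remaining[victim_ip] -= 1
        self.vst.setdefault(victim_ip, []).append(signature)
        return True


def run_scenario(n: int = 4) -> dict:
    """Constructed run: one genuine request, a replay, a forgery, then exhaustion."""
    victim_ip = "198.51.100.5"
    victim = VictimSide(b"constructed-secret-x", n)
    router = EdgeRouterSide()
    router.provision(victim_ip, victim.anchor(), n)
    value, sig = victim.filter_request(("TCP", "SYN=1", "high rate"))
    out = {
        "genuine": router.receive(victim_ip, value, sig),
        "replay": router.receive(victim_ip, value, sig),   # same value again
        "forged": router.receive(victim_ip, bytes(32), sig),
    }
    for _ in range(n - 1):
        value, sig = victim.filter_request(sig)
        router.receive(victim_ip, value, sig)
    out["remaining"] = router.remaining[victim_ip]
    try:
        victim.filter_request(sig)
        out["exhausted"] = False
    except RuntimeError:
        out["exhausted"] = True
    return out


if __name__ == "__main__":
    print(run_scenario())
```

Each accepted value replaces the stored one, so an eavesdropper who captures $H^{k}(x)$ cannot reuse it and, without $x$, cannot produce $H^{k-1}(x)$; the `remaining` counter per victim is the per-host count of $n$ that the paper suggests the ISP can use to monitor how often a host has been attacked.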


4.5 Feature Sorting in Attack Signature

While sending the attack signature back to the edge router, we propose to sort the features of the signature based on the information each provides about the attack, i.e. its relevance to the attack. For example, in a SYN flood attack, an attack packet has several features such as packet type (TCP/UDP) and the ACK, SYN, Urgent Pointer, RST and FIN flags. However, SYN bit = 1 is the most relevant and informative feature of a SYN flood, followed by its rate. The other flags do not provide much information on whether a packet belongs to a TCP SYN attack. The most distinctive features of an attack give the maximum information about the attack traffic, while some common features of IP packets give almost no information particular to the attack and are common to normal traffic too. Our aim is to sort the features based on their relevance to the particular attack signature, which reduces the signature matching time for legitimate packets considerably. We assume that the percentage of legitimate traffic is much higher than that of attack traffic. Hence a scheme which identifies legitimate traffic in less time, while taking the same amount of time to detect an attack, will have much superior performance. This is explained in Algorithm 1. The features of the attack signature are sorted by their relevance to the attack and stored in the Attack Signature Array s. In Algorithm 1, for each packet, we check whether all the attack signature features are present in the packet, starting from the most relevant feature (lines 3-7). If any one attack feature is absent, we directly allow the packet to pass through (lines 6 and 7). This way, very few matches are needed in the for loop of lines 3-7, because most legitimate packets do not have the most relevant attack features and hence we break out of the loop after matching only a few features. Only if all the features in the attack signature array match is the packet classified as an attack packet (lines 10-12).

Algorithm 1 Packet Filtering Algorithm at the Edge Router
Input: packet p, Sorted Signature Array s
Output: Boolean bAllowPacket
 1: counter ← 0
 2: for each feature in Sorted Signature Array s do
 3:   if p.feature == present then
 4:     counter++
 5:   else
 6:     p.allow();
 7:     break;
 8:   end if
 9: end for
10: if counter == s.size() then
11:   p.discard();
12: end if
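Algorithm 1 together with the decision-tree signatures of section 4.1, as an added example that is not the paper's code: the two signatures, the constructed nine-packet legitimate traffic sample and the frequency-based relevance ordering (used here in place of the paper's entropy ranking) are assumptions. It counts the comparisons the loop of lines 3-7 makes over legitimate traffic with the signature in decision-tree order and in relevance order, and checks that an attack packet is still classified identically.

```python
def pkt(proto: str, **features) -> dict:
    """Constructed packet model: every feature present with a default value."""
    p = {"proto": proto, "syn": False, "ack": False, "rst": False, "fin": False,
         "high_rate": False, "icmp_type": None, "dst_broadcast": False}
    p.update(features)
    return p


# Attack signatures as (feature, value) pairs in decision-tree order (section 4.1):
# the protocol node first, then packet-specific nodes. Constructed for this example.
ICMP_BROADCAST_FLOOD = [("proto", "ICMP"), ("icmp_type", "echo_request"), ("dst_broadcast", True)]
SYN_FLOOD = [("proto", "TCP"), ("syn", True), ("ack", False), ("rst", False),
             ("fin", False), ("high_rate", True)]

# Constructed legitimate traffic sample (nine packets) used to rank features.
LEGIT_SAMPLE = (
    [pkt("TCP", ack=True) for _ in range(5)]          # established TCP
    + [pkt("TCP", syn=True)]                          # a normal connection attempt
    + [pkt("UDP"), pkt("UDP")]
    + [pkt("ICMP", icmp_type="echo_request")]         # unicast ping
)


def match_signature(packet: dict, signature):
    """Algorithm 1: walk the signature in order, stop at the first absent feature.
    Returns (allow, comparisons_made)."""
    present = 0
    comparisons = 0
    for feature, value in signature:
        comparisons += 1
        if packet.get(feature) == value:
            present += 1          # counter++
        else:
            break                 # p.allow(); break
    allow = present != len(signature)   # all features present -> p.discard()
    return allow, comparisons


def sort_by_relevance(signature, legitimate_sample):
    """Put first the feature that the fewest legitimate packets share.
    This frequency ranking is an assumption standing in for the paper's
    entropy-based relevance: a feature few legitimate packets carry rejects
    most of them at the first comparison."""
    def share(fv):
        feature, value = fv
        return sum(1 for p in legitimate_sample if p.get(feature) == value) / len(legitimate_sample)
    return sorted(signature, key=share)


def total_comparisons(packets, signature) -> int:
    return sum(match_signature(p, signature)[1] for p in packets)


if __name__ == "__main__":
    ordered = sort_by_relevance(SYN_FLOOD, LEGIT_SAMPLE)
    print("tree order comparisons on legitimate traffic:", total_comparisons(LEGIT_SAMPLE, SYN_FLOOD))
    print("relevance order comparisons on legitimate traffic:", total_comparisons(LEGIT_SAMPLE, ordered))
    print("attack packet:", match_signature(pkt("TCP", syn=True, high_rate=True), ordered))
```

On the constructed sample the decision-tree order costs 19 comparisons for the nine legitimate packets, while the relevance order costs 9, one per packet, because every legitimate packet fails the first feature; the attack packet needs all six comparisons under either order, which is the "same time to detect an attack" property the section relies on.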


5 Additional Issues in Packet Marking

The Internet Protocol (IP) was designed to facilitate communication between heterogeneous networks which might have different Maximum Transmission Units (MTU). Moving packets from a network with a smaller MTU to one with a larger MTU is trivial, but the reverse is not. In order to handle this, the IPv4 protocol uses fragmentation [24,25], the process of breaking the original packet into smaller fragments. Each fragment has its own IP header, most of whose fields are inherited from the IP header of the original datagram. Thus, each fragment has the same Identification (ID) field, protocol, source address and destination address, source port and destination port. These fields are used by the destination to distinguish the fragments of different series. In order to allow correct reassembly, the offset field of each fragment contains the distance, measured in 8-byte units, between the beginning of the original datagram and the beginning of the particular fragment. The offset of the first fragment is set to zero, the second has its offset set to the payload length of the first fragment, and so on. All fragments except the last have the more fragments (MF) bit set, so that the destination waits to receive all the fragments before reassembling them into the original datagram. Since DERM uses the ID field for sending the HashMarks, there may be errors at the destination during reassembly of fragmented packets. We now look into these problems and propose a wrapper function for all DERM schemes to make them fragmentation compatible.

Figure 7 For fragmented packets we add the mark in the IP options field, while for non-fragmented packets we mark the ID field in the header itself.

5.1 Problems due to Fragmentation

Consider an upstream fragmentation of an original datagram. Each fragment of this series would have the same ID, Protocol, Source Address (SA) and Destination Address (DA) in order to facilitate correct reassembly. Assuming we use multiple hash DERM, each of these fragments would be marked by the DERM enabled edge routers, i.e. the ID field of every fragment is replaced by one of the $f$ hash marks, picked at random. The fragments would then have different ID fields when they arrive at the destination and so would be considered fragments belonging to different series. Thus, the reassembly will be unsuccessful. We propose a scheme to handle IP fragmentation in DERM.

5.2 IP Fragmentation Compatible DERM

To make packet marking useful for both (a) fragmentation and reassembly and (b) identifying the attacking edge router, we need to provide information that can uniquely identify the attacking edge router while keeping the ID information intact in case of fragmentation. We propose a novel scheme, shown in Algorithm 2, in which a DERM enabled router that identifies a packet as part of a fragmentation series leaves the ID field intact (lines 2-7) and instead adds the IP address in the IP options field (line 6). We check the MF bit and OFFSET field of the packet header to find whether the packet belongs to a fragmentation series (line 2). If true, we add the IP address of the edge router in the options field (lines 4-7). As the percentage of fragmented packets is just around 0.25% to 0.5% (Savage (2000)), we add the complete 32-bit IP address of the edge router instead of marking it with the hash. We have the option of marking with the packet mark generated by the normal DERM schemes, or adding the IP address of the edge router in the options field. Even though adding the IP address requires an extra 16 bits, it saves a lot of storage and processing at the edge router and the victim during attacker identification. If we used a 16-bit hash, we would need to maintain a table indexed by sourceaddress||destinationaddress||protocol, remember which hash we are using to mark the ID field, and make sure all fragments of a given packet carry the same packet mark. This bookkeeping becomes complex, besides the possibility of false positives during attack identification. Therefore we simply add the complete IP address in the options data field (line 7). The working of our scheme is also explained in figure 7.
Algorithm 2 Fragmentation Compatible Marking Algorithm
Input: Packet p, Map m <string index, int hashNum, int cnt[f]>
Output: PacketMark
 1: for each incoming packet p do
 2:   if p.MF == 1 || p.OFFSET ≠ 0 then
 3:     p.optionsClass = DEBUGGING;
 4:     p.options.optionNumber = 2;
 5:     p.options.optionLength = 4;
 6:     p.options.data = IP(edgerouter);
 7:     p.DF = SET;
 8:   else
 9:     do DERMBasedMarking(p)
10:   end if
11: end for

In the fragmentation compatible marking scheme, in line 2 we check whether the packet is of fragmented type; if true, we declare in line 3 that the options field is being used for debugging and measurement, and option number 2 in line 4 states that it is being used for security purposes. We set the option length to four bytes in line 5 and then set the option data to the IP address of the edge router in line 6. In line 7 we set the DF bit, which implies that routers inside the autonomous system cannot fragment it further. If the packet is not fragmented then we do simple DERM based marking as described in sections 2.1 and 2.2.
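Algorithm 2 and the reassembly failure of section 5.1 side by side, as an added example that is not the paper's code. The packet model, the one-unit (8-byte) fragment size and the router address are constructed assumptions, and the naive marker is made to choose hash function $k$ for fragment $k$ so that the failure is deterministic rather than probabilistic.

```python
import hashlib
from dataclasses import dataclass, field

D_BITS, F = 12, 16  # d + log2(f) = 16, constructed parameters


@dataclass
class Packet:
    """Constructed IP packet model with the header fields the schemes touch."""
    src: str
    dst: str
    proto: int
    ident: int                  # 16-bit Identification field
    mf: bool = False            # More Fragments
    offset: int = 0             # fragment offset in 8-byte units
    df: bool = False            # Don't Fragment
    options: dict = field(default_factory=dict)
    payload: bytes = b""


def hash_mark(router_ip: str, i: int) -> int:
    """HM_i(IP), a d-bit digest (assumed SHA-256 keyed by index, truncated)."""
    digest = hashlib.sha256(f"{i}:{router_ip}".encode()).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << D_BITS) - 1)


def derm_mark(p: Packet, router_ip: str, i: int) -> Packet:
    """Basic multiple hash DERM: overwrite the ID field with [HashMark || f_id]."""
    p.ident = (hash_mark(router_ip, i) << (16 - D_BITS)) | i
    return p


def fragmentation_compatible_mark(p: Packet, router_ip: str, i: int) -> Packet:
    """Algorithm 2: a fragment keeps its ID and carries the router IP in an
    IP option (class debugging/measurement, number 2, length 4); DF is set so
    routers inside the AS do not fragment it again. Other packets get DERM marks."""
    if p.mf or p.offset != 0:
        p.options = {"class": "debugging", "number": 2, "length": 4, "data": router_ip}
        p.df = True
    else:
        derm_mark(p, router_ip, i)
    return p


def fragment(p: Packet, unit: int = 8):
    """Split into fragments of one 8-byte unit each (tiny MTU, constructed)."""
    frags = []
    for off in range(0, len(p.payload), unit):
        chunk = p.payload[off:off + unit]
        frags.append(Packet(p.src, p.dst, p.proto, p.ident,
                            mf=off + unit < len(p.payload), offset=off // 8, payload=chunk))
    return frags


def reassemble(frags):
    """Destination side: fragments are grouped by (src, dst, proto, ID). Returns the
    payload if exactly one complete series is found, else None."""
    series = {}
    for f in frags:
        series.setdefault((f.src, f.dst, f.proto, f.ident), []).append(f)
    if len(series) != 1:
        return None  # fragments look like they belong to different datagrams
    parts = sorted(next(iter(series.values())), key=lambda f: f.offset)
    if parts[-1].mf:
        return None  # last fragment never arrived
    data, expected = b"", 0
    for f in parts:
        if f.offset != expected:
            return None
        data += f.payload
        expected += len(f.payload) // 8
    return data


def scenario(router_ip: str = "192.0.2.1") -> dict:
    """Same 20-byte datagram marked both ways at the edge router, fragment k
    using hash function k (deterministic, so the failure is repeatable)."""
    def original():
        return Packet("10.0.0.5", "198.51.100.5", 17, 0x1234, payload=bytes(range(20)))
    naive = [derm_mark(f, router_ip, k % F) for k, f in enumerate(fragment(original()))]
    compat = [fragmentation_compatible_mark(f, router_ip, k % F)
              for k, f in enumerate(fragment(original()))]
    return {
        "naive_reassembled": reassemble(naive),
        "compatible_reassembled": reassemble(compat),
        "compatible_router": {f.options.get("data") for f in compat},
        "compatible_df": all(f.df for f in compat),
        "compatible_ids": {f.ident for f in compat},
    }


if __name__ == "__main__":
    print(scenario())
```

Under naive marking the three fragments reach the destination with three different ID values (the low bits alone carry three different function identifiers), so they fall into three series and nothing reassembles; under Algorithm 2 the ID survives, the payload reassembles, and every fragment still names the edge router in its option data, which is what the victim needs for traceback.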

6 Results

We first show the results for the distribution of the number of IP addresses hashing to the same hash mark with respect to the number of edge routers present in the network. We call the set of edge routers hashed to a particular hash mark its Address List. The length of the ingress Address List gives us an idea of the false positives we will get in the attack identification phase.

Figure 8 This bar graph shows the distribution of the count of hash marks against their ingress Address List length, where ingress Address List length is the number of IP addresses hashing to a given hash mark.

In figure 8, we see that if the number of edge routers is $M = 2^{16}$, then in the record table for DERM a large percentage (30%) of hash marks have no IP address hashed to them, while an almost equal percentage of hash marks have just one IP address hashed to them. Around 40% of hash marks have more than two IP addresses hashed to them, which contributes to the false positives during the attack identification phase. In figure 9, we see that if the number of edge routers is of the order of $2^{24}$, then the length of the ingress Address List ranges from 40 to 90 with the mean around 65. We see that at this high number of edge routers we need to improve our algorithm to get fewer false positives. However, such a large number of edge routers is more for mathematical analysis; in practice we have at most only around 1000 edge routers even in any big network. Nevertheless, we see that even an ideal hash function will give collisions when we have only hundreds of edge routers.

Figure 9 This bar graph shows the distribution of the count of hash marks against their ingress Address List length for $M = 2^{24}$, where ingress Address List length is the number of IP addresses hashing to the same hash mark.

Figure 10 This bar graph shows the distribution of hash marks by ingress Address List length for M = 2^10.

From figures 8, 9 and 10 we see that as the number of edge routers increases, the probability of collisions also increases. Hence basic DERM will give higher false positives if the number of edge routers becomes greater than 2^16. A further observation is that, even if the number of edge routers is less than or equal to 2^16, we still get collisions and hence false positives. We now analyse the number of packets required for the attacker identification phase. In the case of basic DERM, one attack packet suffices for attack identification. However, to reduce false positives we use multiple hash functions, which in turn increases the number of attack packets required for attack identification. In figure 11, we see that as we increase the number of different hash functions, the minimum number of packets required to identify the attacker increases considerably.
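As an added illustration of the Address List measurements in figures 8 to 10 (example code written for this edition, not the paper's implementation), the following simulation hashes M constructed edge-router addresses into a hash mark space and reports the ingress Address List length distribution beside the balls-into-bins (Poisson) prediction for an ideal hash. The 16-bit mark width and the SHA-256 based hash are assumptions, not the paper's own choices.

```python
import hashlib
import math
import random
from collections import Counter

HASH_BITS = 16            # assumed: DERM hash mark width (the 16-bit IP ID field)
N_MARKS = 1 << HASH_BITS  # number of distinct hash marks in the record table


def hash_mark(ip, bits=HASH_BITS):
    """Map an edge-router IPv4 address to a hash mark.

    Assumed hash (SHA-256, truncated), not the paper's own hash function.
    """
    digest = hashlib.sha256(ip.encode("ascii")).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << bits) - 1)


def random_edge_routers(m, seed=1):
    """Constructed sample: m distinct random IPv4 addresses standing in for edge routers."""
    rng = random.Random(seed)
    seen = set()
    while len(seen) < m:
        word = rng.getrandbits(32)
        seen.add(".".join(str((word >> shift) & 0xFF) for shift in (24, 16, 8, 0)))
    return sorted(seen)


def address_list_lengths(routers):
    """Ingress Address List length per hash mark: how many router addresses share that mark."""
    table = Counter(hash_mark(ip) for ip in routers)
    return [table.get(mark, 0) for mark in range(N_MARKS)]


def length_distribution(lengths):
    """Fraction of hash marks holding 0, 1 and >=2 addresses; the last group drives false positives."""
    n = len(lengths)
    hist = Counter(lengths)
    two_plus = sum(count for length, count in hist.items() if length >= 2)
    return {"empty": hist[0] / n, "one": hist[1] / n, "two_or_more": two_plus / n,
            "mean": sum(lengths) / n, "max": max(lengths)}


def ideal_hash_expectation(m, n_marks=N_MARKS):
    """Balls-into-bins prediction for an ideal hash: list length ~ Poisson(m / n_marks)."""
    lam = m / n_marks
    p0 = math.exp(-lam)
    p1 = lam * p0
    return {"empty": p0, "one": p1, "two_or_more": 1.0 - p0 - p1, "mean": lam}


if __name__ == "__main__":
    for m in (1 << 10, 1 << 16):
        observed = length_distribution(address_list_lengths(random_edge_routers(m)))
        print(m, observed, ideal_hash_expectation(m))
```

With M = 2^16 routers and 2^16 marks the ideal-hash prediction is about 37% empty marks, 37% singletons and 26% marks with two or more addresses, so collisions appear long before the table is full.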


Figure 11 Graph of the minimum number of packets required versus the number of different hash marks used in multiple hash DERM

However, since DDoS attacks are based on pumping a high volume of traffic towards the victim, collecting this number of packets is not a demanding requirement.

Figure 12 Plot of the minimum number of packets required versus the probability of marking with the primary hash function for skewed hash DERM

We see in figure 12 that, in the case of multiple hash DERM with skew characteristics, when the probability of marking (α) approaches 0.9 or greater, the number of packets required increases. Moreover, as we increase the number of hash functions (f), the number of packets required also increases. From figure 13, we see that the false positive rate is quite low when the number of attackers is less than 2500 for (d = 11, f = 32); (d = 12, f = 16); (d = 13, f = 8). However, we require a large number of packets if we increase f. In our experiment, we use d = 13 and f = 8 as the optimal solution for marking. A thousand random packets were selected from network traffic, and a set of 12 features was selected for forming signatures. Six attacks were considered, having signature lengths of 3, 4, 5, 6, 7 and 8 features respectively. We see in figure 14 that the number of comparisons required when signature features are sorted based on their relevance to the attack is considerably less than the number of comparisons required for normal signature matching.

Figure 13 Graph of the probability of false positives versus the number of attackers for multiple and skewed hash DERM

Figure 14 Comparisons of features in attack signatures for 1000 IP packets. The total number of features is 12.
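To show the comparison count behind figure 14 (an added example, not the paper's code), the following matches a constructed packet sample against a constructed signature both in plain header order and in entropy-sorted order, counting comparisons until the first mismatch. Testing the highest-entropy feature first is an assumed reading of the paper's entropy sort.

```python
import math
from collections import Counter

# Constructed sample traffic: each packet is a dict of header features.
PACKETS = [
    {"ttl": 64, "proto": "tcp", "dst_port": 80},
    {"ttl": 64, "proto": "tcp", "dst_port": 443},
    {"ttl": 64, "proto": "udp", "dst_port": 53},
    {"ttl": 64, "proto": "tcp", "dst_port": 22},
    {"ttl": 64, "proto": "udp", "dst_port": 123},
    {"ttl": 128, "proto": "tcp", "dst_port": 80},
]

# Constructed attack signature, listed in plain header order (the "normal" matching order).
SIGNATURE = [("ttl", 64), ("proto", "udp"), ("dst_port", 53)]


def feature_entropy(packets, feature):
    """Shannon entropy (bits) of one feature's values over the observed traffic."""
    counts = Counter(p[feature] for p in packets)
    n = len(packets)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def entropy_sorted(signature, packets):
    """Reorder the signature so the highest-entropy feature is tested first.

    Assumed interpretation of the entropy sort: a widely spread feature is the
    one most likely to mismatch, so testing it first ends non-matches early.
    """
    return sorted(signature, key=lambda fv: feature_entropy(packets, fv[0]), reverse=True)


def match(packet, signature):
    """Test one packet against a signature; return (matched, comparisons used).

    Matching stops at the first feature that does not match.
    """
    for i, (feature, value) in enumerate(signature, start=1):
        if packet[feature] != value:
            return False, i
    return True, len(signature)


def total_comparisons(packets, signature):
    """Comparisons needed to classify every packet, plus the indices of matching packets."""
    comparisons = 0
    hits = []
    for idx, packet in enumerate(packets):
        matched, used = match(packet, signature)
        comparisons += used
        if matched:
            hits.append(idx)
    return comparisons, hits
```

On this sample the header-order signature needs 13 comparisons and the entropy-sorted one 8, with the same single matching packet in both cases.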

7 Conclusion

In this paper, we analyzed, evaluated and extended IP traceback for DDoS attacks using DERM. We used basic DERM and its variants to help in IP traceback while aiming at a very low false positive rate. After analyzing DERM, we tried to solve some of its shortcomings, such as heavy collateral damage, congestion in the network and the inability to handle IP fragmentation. To reduce the collateral damage done during the filtering phase for multiple hash DERM, we propose a pushback mechanism with FILTER REQUEST WITH FAST AUTHENTICATION, which filters out attack packets at the edge itself and also reduces congestion in the network by filtering attack traffic nearer to the source. Moreover, the authentication scheme used in the pushback mechanism also reduces the chance of an adversary blocking legitimate services running on the victim.
