IP Traceback: Information Security Technical Update
IP (Internet Protocol) is the primary protocol of the Internet communication standards. It delivers packets from the source host to the destination device based on the information carried in the packet header.
Forging a false source IP address is easy, especially with the Python packet-crafting tool Scapy. Scapy is a powerful interactive packet manipulation program: it can forge or decode packets of a wide number of protocols, send them on the wire, capture them, and match requests and replies.
The intended receiver uses Wireshark to analyse the received packets and inspect the information carried by the forged packet.
The TCP/IP protocol suite does not verify the source address. Thus, the source address that appears in Wireshark is not the true source of the forged packet.
DDoS attack: Expensive Damages
Denial-of-service attacks are one of the three most expensive kinds of cyber-attack. Together with malicious insider attacks and web-based attacks, they account for 55% of all cybercrime costs per year.
The estimated damage is $40,000 per hour, and 49% of DDoS attacks last for 6 to 24 hours according to the Incapsula poll [6]. Thus the average DDoS attack costs $500,000, with some exceptionally expensive cases.
However, the damage is not only financial: loss of customer trust, virus/malware infection and loss of intellectual property are other consequences of a DDoS attack.
DDoS attacks are a growing concern: they target a broad range of industries, from e-commerce to financial institutions, and the resulting unavailability of service can lead to a significant loss of money. Preventive measures against these attacks are available, but identifying the source of an attack and preventing any recurrence are also crucial to good cyber-security practice.
One way to achieve IP traceback is hop-by-hop link testing. When an attack is launched, the network administrator logs into the router closest to the victim and analyses the packet flow to determine which upstream link the malicious packets arrive on. This localises the next upstream router, and the process repeats hop by hop. The major drawback of this simple method is that it requires strong interoperability between routers, and the attack must still be in progress while the malicious packets are being traced.
IP traceback techniques can be classified as pro-active or reactive.
A pro-active approach locates the source after the attack by examining the record files and logs of the network.
A reactive approach locates the attacker on the fly, when the attack is detected by specialised hardware.
The comparison of traceback techniques will focus on three illustrative methods that belong to different classes of IP traceback technique. These techniques remain at the research stage and are not yet released on the market. The Source Path Isolation Engine (or hash-based) algorithm is an in-band pro-active technique. The iCaddie ICMP technique is an evolution of the ICMP out-of-band traceback technique. The third is the reactive IDIP mechanism.
Source Path Isolation Engine (SPIE)
SPIE, or hash-based IP traceback, is used to trace the origin of a single packet. The system was proposed by Snoeren et al. [5]. It is a packet logging technique, meaning that packet digests are stored at some crucial routers. The main issue with packet logging is that storing saved packet data requires a lot of memory. SPIE is highly storage-efficient and thus reduces the memory requirement (0.5% of the link capacity per unit time in storage). Instead of storing the packets, it uses auditing techniques: it computes and stores a 32-bit packet digest. An efficient data structure for storing the packet digests is also mandatory; SPIE uses a Bloom filter.
Another important issue with packet logs is the risk of eavesdropping. Storing only packet digests rather than entire packets prevents SPIE's logs from being misused by attackers. The network is therefore protected from eavesdropping, which is one of the criteria for an effective IP traceback system.
There are two options for determining the route of a packet flow: audit the flow as it passes through the network, or attempt to infer the route from its impact on the state of the network. Both become harder as the packet flow gets smaller, and the second becomes impossible for small flows, which have no detectable impact on the network. SPIE therefore uses the audit option.
SPIE is also called hash-based IP traceback because each router stores a hash of the invariant fields of the IP header as a 32-bit digest. Because of space constraints, a digest remains stored only for a limited time.
Packet digests are created by a Data Generation Agent (DGA) at each router. Before a traceback begins, an attack packet must be detected; an intrusion detection system (IDS) is used for this. The IDS provides the packet, the last-hop router and the time of the attack to the SPIE Traceback Manager (STM), which verifies the request's authenticity and integrity. Upon successful verification, the STM sends the signature information to the SPIE Collection and Reduction Agent (SCAR) responsible for the victim's network area. If a match is found, the SCAR returns a partial attack graph of the routers involved. The STM then sends new queries to another SCAR region, and this process continues until the attack path is constructed. Finally, the STM sends the result back to the IDS.
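As an added illustration of the SPIE mechanism described above (a 32-bit digest over the invariant IP header fields, Bloom-filter storage of digests at each router, and a query across routers to rebuild the path), here is a small Python model; it is not code from the page or from Snoeren et al. The choice of masked header fields (ToS, TTL, checksum, options), the use of SHA-256 for the digest and Bloom hashes, and the router names and documentation-range addresses are all assumptions made for this example.

```python
import hashlib
import socket
import struct

def ipv4_packet(src, dst, payload=b"", ttl=64, tos=0, ident=0x1234, proto=6):
    """Constructed IPv4 header (20 bytes, no options) plus payload; checksum left 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def packet_digest(pkt):
    """32-bit digest of the invariant header bytes plus the first 8 payload bytes.
    Masking ToS, TTL, checksum and options is this example's reading of 'invariant'."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:20])
    for i in (1, 8, 10, 11): hdr[i] = 0      # ToS, TTL, checksum: rewritten en route
    return int.from_bytes(hashlib.sha256(bytes(hdr) + pkt[ihl:ihl + 8]).digest()[:4], "big")

class BloomFilter:  # k salted hash slots in an m-bit array; holds digests, never packets
    def __init__(self, m_bits=1 << 16, k=3):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)
    def _slots(self, digest):
        for salt in range(self.k):
            h = hashlib.sha256(digest.to_bytes(4, "big") + bytes([salt])).digest()
            yield int.from_bytes(h[:4], "big") % self.m
    def add(self, digest):
        for j in self._slots(digest):
            self.bits[j >> 3] |= 1 << (j & 7)
    def __contains__(self, digest):
        return all(self.bits[j >> 3] & (1 << (j & 7)) for j in self._slots(digest))

class Router:  # hypothetical DGA: log the digest of each forwarded packet, decrement TTL
    def __init__(self, name):
        self.name, self.log = name, BloomFilter()
    def forward(self, pkt):
        self.log.add(packet_digest(pkt))
        return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]

def trace(routers, attack_pkt):  # SCAR-style query: which routers saw this digest?
    d = packet_digest(attack_pkt)
    return [r.name for r in routers if d in r.log]

def demo():
    # Constructed path R1 -> R2 -> R3 with documentation-range addresses; R4 is off-path.
    r1, r2, r3, r4 = (Router(n) for n in ("R1", "R2", "R3", "R4"))
    pkt = ipv4_packet("203.0.113.7", "198.51.100.9", b"attack-probe")
    for r in (r1, r2, r3):
        pkt = r.forward(pkt)             # TTL drops each hop, digest stays the same
    r4.forward(ipv4_packet("192.0.2.1", "198.51.100.9", b"benign traffic"))
    return trace([r1, r2, r3, r4], pkt)  # ['R1', 'R2', 'R3']
```

Because the digest ignores the fields routers rewrite, the packet the victim hands to the STM still matches the digests logged upstream even though its TTL changed at every hop, and a spoofed source address plays no part in the lookup.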
- [1] “Requirements for Internet Hosts – Communication Layers”, R. Braden, October 1989, PDF.
- [2] “TCP/IP Vulnerabilities: IP Spoofing and Denial-of-Service Attacks”, A. Kak, 25 April 2015, PDF.
- [3] “SYN flood”, 7 July 2015, web, accessed 23 July 2015.
- [4] “Scapy”, December 2014, web, accessed 24 July 2015.
- [5] “Hash-Based IP Traceback”, A. C. Snoeren et al., 2001, PDF.
- [6] “Incapsula Survey – DDoS Impact Survey”, T. Matthews, 2014, PDF.
- [7] “Internet Control Message Protocol”, June 2015, web, accessed 23 July 2015.
- [8] “Comparative Study of IP Traceback Techniques”, M. Lapeyre, 2015, PDF.
- [9] “A DoS-Resistant IP Traceback Approach”, Bao-Tung Wang, 2003, PDF.
- [10] “Advanced and Authenticated Marking Schemes for IP Traceback”, D. X. Song and A. Perrig, 2001, PDF.
- [11] “Taxonomy of IP Traceback”, L. Santhanam et al., 2006, PDF.
- [12] “Infrastructure for Intrusion Detection and Response”, D. Schnackenberg et al.