IP Traceback in Cloud Computing Through Deterministic Flow Marking
DESCRIPTION
IP Traceback in Cloud Computing Through Deterministic Flow Marking. Presented by Mouiad Abid Hani. Presentation figures are from references given on slide 21. Introduction: the IP traceback problem is the problem of identifying the source of the offending packets (DoS and DDoS attacks). PowerPoint PPT presentation.
TRANSCRIPT
![Page 1: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/1.jpg)
IP Traceback in Cloud Computing Through Deterministic Flow Marking
Presented by Mouiad Abid Hani
Presentation figures are from references given on slide 21.
![Page 2: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/2.jpg)
Introduction
– IP traceback problem: the problem of identifying the source of the offending packets (DoS and DDoS attacks). Source: zombie, reflector, spoofed addresses, etc.
– Solutions:
– Rely on the routers (PPM): only for DoS.
– Rely on the ingress routers only (DPM and DFM): for DDoS and DoS.
– Centralized management (log of packet information): large overhead, complex, not scalable.
![Page 3: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/3.jpg)
DoS and DDoS Attacks (figure)
![Page 4: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/4.jpg)
Why Cloud Computing?
– Cloud computing is a traditional distributed environment (TDE).
– Cloud computing is vulnerable to any attack targeting TDEs.
– DoS and DDoS attacks target TDEs.
– DoS and DDoS attacks target the availability of a service.
– The cost in cloud computing will be greater.
![Page 5: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/5.jpg)
Deterministic Packet Marking (DPM)
– Each packet is marked when it enters the network: only incoming packets are marked.
– Mark: address information of the ingress interface.
– Marking space: the 16-bit Identification field plus the 1-bit reserved Flag of the IPv4 header.
![Page 6: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/6.jpg)
![Page 7: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/7.jpg)
Coding of a mark
– Flag = 0: address bits 0~15
– Flag = 1: address bits 16~31
– The flag value is set randomly.
How many packets are enough?
– n: the number of received packets
– The probability of successfully generating the ingress IP address is greater than $1 - 0.5^{n}$
– 2 packets: 75%; 4 packets: 93.75%; 6 packets: 98.43%; 10 packets: 99.9%
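The mark coding on slides 5 and 7, as an added example that is not part of the slides or of the DPM papers. It assumes, as the slide does, that the ingress interface address is split into two 16-bit halves carried in the IPv4 Identification field, with the reserved Flag bit selecting the half (0 = bits 0..15, 1 = bits 16..31); the header layout follows RFC 791 and the addresses and packet counts are constructed. One caveat a practitioner should know: with a uniformly random flag, the exact probability that n marked packets carry both halves is 1 - 2·0.5^n (50% for 2 packets, 87.5% for 4); the slide's figures (75% for 2 packets) equal 1 - 0.5^n, which is the value for one more packet. The simulation below checks the exact figure empirically.

```python
"""Added example (not from the slides or the DPM papers): a toy of DPM marking.
Assumed: ingress address split into two 16-bit halves in the IPv4 Identification
field, reserved Flag bit = which half; RFC 791 header layout; constructed addresses."""
import ipaddress
import random
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4_header(src, dst, ident=0, total_len=28, ttl=64, proto=17):
    """Minimal IPv4 header; checksum left 0 (a marking router rewrites it anyway)."""
    return struct.pack(IPV4_FMT, (4 << 4) | 5, 0, total_len, ident, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def dpm_mark(header, ingress_addr, flag=None, rng=random):
    """Ingress router: overwrite ID + reserved flag with one half of its interface address.
    flag=None picks the half at random, as DPM does; a fixed flag is for tests."""
    if flag is None:
        flag = rng.getrandbits(1)
    addr = int(ipaddress.IPv4Address(ingress_addr))
    half = (addr >> 16) & 0xFFFF if flag else addr & 0xFFFF
    f = list(struct.unpack(IPV4_FMT, header[:20]))
    f[3] = half                              # Identification field := half of the address
    f[4] = (f[4] & 0x7FFF) | (flag << 15)    # reserved bit := which half
    # Reusing the ID field is why DPM cannot survive fragmentation/reassembly.
    return struct.pack(IPV4_FMT, *f) + header[20:]


def dpm_extract(header):
    """Victim side: (flag, 16-bit half) from a marked header."""
    ident, flags_frag = struct.unpack("!HH", header[4:8])
    return flags_frag >> 15, ident


class DpmReconstructor:
    """Victim: collect halves per packet source until both are present.
    Grouping by source address is a simplification: with spoofed sources the halves of
    different ingress routers collide, which is what the segment/digest scheme on
    slide 10 addresses."""

    def __init__(self):
        self.halves = {}

    def observe(self, header):
        flag, half = dpm_extract(header)
        d = self.halves.setdefault(header[12:16], {})
        d[flag] = half
        if 0 in d and 1 in d:
            return str(ipaddress.IPv4Address((d[1] << 16) | d[0]))
        return None


def p_both_halves(n):
    """Exact probability that n independently marked packets include both halves."""
    return 1.0 - 2 * 0.5 ** n if n >= 1 else 0.0


def simulate(n, trials=20000, seed=1):
    """Empirical check of p_both_halves: fraction of trials where n packets suffice."""
    rng = random.Random(seed)
    hdr = build_ipv4_header("10.0.0.5", "192.0.2.10")
    hits = 0
    for _ in range(trials):
        r = DpmReconstructor()
        if any(r.observe(dpm_mark(hdr, "203.0.113.7", rng=rng)) for _ in range(n)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for n in (2, 4, 6, 10):
        print(n, round(p_both_halves(n), 4), simulate(n))
```

`simulate` drives the same marking and reconstruction code the routers and the victim would run, so the empirical fraction is a check on both the closed form and the reconstruction logic rather than a separate formula.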
![Page 8: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/8.jpg)
Pros
– Simple to implement
– Introduces no bandwidth overhead
– Practically no processing overhead
– Suitable for a variety of attacks (not just (D)DoS)
– Backward compatible with equipment that does not implement it
– Does not have inherent security flaws
– Does not reveal Internet topology
– No mark spoofing
– Scalable
![Page 9: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/9.jpg)
Schematics (figure; recoverable labels: Pad, Ideal hash)
![Page 10: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/10.jpg)
Reconstruction (figure; recoverable labels: area, a2, d2; each area has k segments, each segment a fixed number of bits)
![Page 11: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/11.jpg)
DPM Limitations
– Cannot handle the fragmentation/reassembly problem
– All packets need to be marked
– Can trace the attack only to the ingress router
– Can handle up to 2058 attack sources
– Does not support IPv6 implementation
![Page 12: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/12.jpg)
Deterministic Flow Marking
– Based on DPM
– Only the first K packets need to be marked
– Can trace the attack to the attacker's node
– Can handle up to 64K attack sources
– Does not support IPv6 implementation
– Cannot handle the subverted-router problem
![Page 13: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/13.jpg)
DPM vs. DFM (comparison figure)
![Page 14: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/14.jpg)
Identifiers used by DFM (figure)
![Page 15: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/15.jpg)
Using the gray fields as the marking field in the IP header for K = 2 (figure)
![Page 16: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/16.jpg)
DFM Limitations
– Cannot handle the fragmentation/reassembly problem
– Does not support IPv6 implementation
– Uses a 42-byte signature to authenticate the whole flow
![Page 17: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/17.jpg)
The Proposed Solutions
– Use the IPv6 header Flow Label field to hold the mark. The Flow Label is 20 bits wide, so a 32-bit ingress address (let alone a 128-bit one) still has to be spread over several packets of the flow.
– Use the MD4 algorithm instead of the elliptic-curve signature within the packet (not assured till now). Caveat: MD4 is a broken hash with practical collision attacks, and an unkeyed hash cannot authenticate a mark at all, since any host can compute it; stopping mark forgery needs a keyed MAC or a signature.
– The fragmentation/reassembly problem is not an issue in IPv6: routers never fragment in transit, only the sending host does, and it uses the Fragment extension header rather than a field of the base header, so a mark in the base header is not disturbed.
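A DFM-style mark (only the first packets of a flow are marked, slide 12) carried in the IPv6 Flow Label as slide 17 proposes, as an added example that is not part of the slides or of the DFM paper. Everything about the layout is an assumption for this example: a 20-bit label split into a 4-bit segment index (0 meaning unmarked) and a 16-bit payload; K = 2 segments for a 32-bit ingress identifier (here an IPv4 ingress address); a flow keyed by source, destination and next header; and, in place of the slide's MD4, a 16-bit truncated HMAC-SHA256 tag sent as a third segment so the victim can reject marks built without the key. The addresses and the key are constructed.

```python
"""Added example (not from the slides or the DFM paper): DFM-style marking in the
IPv6 Flow Label. Assumed layout: 4-bit segment index (0 = unmarked) + 16-bit payload,
K = 2 segments for a 32-bit ingress id, flow = (src, dst, next header), and a 16-bit
truncated HMAC-SHA256 tag as a third segment instead of the slide's MD4."""
import hashlib
import hmac
import ipaddress
import struct

SEG_BITS = 16
LABEL_MASK = 0xFFFFF          # Flow Label is 20 bits (RFC 8200)
IPV6_FMT = "!IHBB16s16s"      # 40-byte fixed IPv6 header


def build_ipv6_header(src, dst, flow_label=0, payload_len=0, next_hdr=17, hop_limit=64):
    first_word = (6 << 28) | (flow_label & LABEL_MASK)   # version 6, traffic class 0
    return struct.pack(IPV6_FMT, first_word, payload_len, next_hdr, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def get_flow_label(hdr):
    return struct.unpack("!I", hdr[:4])[0] & LABEL_MASK


def set_flow_label(hdr, label):
    first_word = struct.unpack("!I", hdr[:4])[0] & ~LABEL_MASK
    return struct.pack("!I", first_word | (label & LABEL_MASK)) + hdr[4:]


def flow_key(hdr):
    return hdr[8:40] + hdr[6:7]   # source, destination, next header


def mark_tag(key, ingress_id, k):
    """16-bit truncated HMAC over the ingress id (assumed substitute for MD4)."""
    return hmac.new(key, ingress_id.to_bytes(2 * k, "big"), hashlib.sha256).digest()[:2]


class DfmIngress:
    """Ingress router: deterministically marks only the first K+1 packets of each flow."""

    def __init__(self, ingress_id, key, k=2):
        self.segs = [(ingress_id >> (SEG_BITS * (k - 1 - i))) & 0xFFFF for i in range(k)]
        self.segs.append(int.from_bytes(mark_tag(key, ingress_id, k), "big"))
        self.count = {}

    def process(self, hdr):
        fk = flow_key(hdr)
        n = self.count.get(fk, 0)
        self.count[fk] = n + 1
        if n >= len(self.segs):
            return hdr                 # later packets of the flow pass through unmarked
        return set_flow_label(hdr, ((n + 1) << SEG_BITS) | self.segs[n])


class DfmVictim:
    """Receiver: reassembles the segments per flow and checks the tag."""

    def __init__(self, key, k=2):
        self.key, self.k, self.seen = key, k, {}

    def observe(self, hdr):
        label = get_flow_label(hdr)
        if label == 0:
            return None                # unmarked packet
        idx, payload = (label >> SEG_BITS) - 1, label & 0xFFFF
        if idx > self.k:
            return None                # index outside the assumed layout
        segs = self.seen.setdefault(flow_key(hdr), {})
        segs[idx] = payload
        if len(segs) < self.k + 1:
            return None
        ingress_id = 0
        for i in range(self.k):
            ingress_id = (ingress_id << SEG_BITS) | segs[i]
        tag_ok = hmac.compare_digest(mark_tag(self.key, ingress_id, self.k),
                                     segs[self.k].to_bytes(2, "big"))
        return ingress_id, tag_ok


if __name__ == "__main__":
    key = b"constructed-demo-key"
    ingress = DfmIngress(int(ipaddress.IPv4Address("203.0.113.7")), key)
    victim = DfmVictim(key)
    hdr = build_ipv6_header("2001:db8::1", "2001:db8::2")
    for _ in range(4):
        print(victim.observe(ingress.process(hdr)))
```

Reserving index 0 for "unmarked" is what lets the receiver ignore ordinary traffic whose Flow Label is zero; a 16-bit tag only raises the cost of forging a mark for a single flow to about 2^16 guesses, so a deployment would spend more label bits or more packets on the tag.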
![Page 18: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/18.jpg)
![Page 19: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/19.jpg)
Conclusion
– DFM is more practical and efficient than DPM.
– DFM and DPM cannot prevent a DDoS attack; they only try to trace its source.
– DFM needs some improvements to be fully applicable to intrusion detection systems.
![Page 20: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/20.jpg)
I have questions…
![Page 21: IP Traceback in Cloud Computing Through Deterministic Flow Marking](https://reader035.vdocuments.us/reader035/viewer/2022062809/56815892550346895dc5f265/html5/thumbnails/21.jpg)
References
1. Vahid A. F. and Nur A. Zincir-Heywood, "IP traceback through (authenticated) deterministic flow marking: an empirical evaluation", EURASIP Journal on Information Security, Vol. 1, No. 5, pp. 1-24, 2013.
2. Y. Xiang, W. Zhou and M. Guo, "Flexible deterministic packet marking: An IP traceback system to find the real source of attacks", IEEE Transactions on Parallel and Distributed Systems, Vol. 20, No. 4, pp. 567-580, 2009.
3. Andrey Belenky and Nirwan Ansari, "IP Traceback with Deterministic Packet Marking", IEEE Communications Letters, Vol. 7, No. 4, pp. 162-164, 2003.
4. Andrey Belenky and Nirwan Ansari, "Tracing Multiple Attackers with Deterministic Packet Marking (DPM)", pp. 49-52, 2003.
5. Vahid A. F. and Nur A. Zincir-Heywood, "On Evaluating IP Traceback Schemes: A Practical Perspective", IEEE Communications, pp. 127-134.