Register now to access 7 million high quality study materials (What's Course Hero?) Course Hero is the premier provider of high quality online educational resources. With millions of study documents, online tutors, digital flashcards and free courseware, Course Hero is helping students learn more efficiently and effectively. Whether you're interested in exploring new subjects or mastering key topics for your next exam, Course Hero has the tools you need to achieve your goals.
14 Pages
01134298
Course: ELEG 867, Fall 2008School: Delaware
Rating:
Word Count: 13185
Document Preview
TRANSACTIONS IEEE/ACM ON NETWORKING, VOL. 10, NO. 6, DECEMBER 2002 721 Single-Packet IP Traceback Alex C. Snoeren, Student Member, IEEE, Craig Partridge, Fellow, IEEE, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Member, IEEE, Beverly Schwartz, Stephen T. Kent, and W. Timothy Strayer, Senior Member, IEEE Abstract--The design of the IP protocol makes it difficult to reliably identify the originator...
Unformatted Document Excerpt
Coursehero >> Delaware >> Delaware >> ELEG 867Course Hero has millions of student submitted documents similar to the one
below including study guides, practice problems, reference materials, practice exams, textbook help and tutor support.
Course Hero has millions of student submitted documents similar to the one
below including study guides, practice problems, reference materials, practice exams, textbook help and tutor support.
TRANSACTIONS IEEE/ACM ON NETWORKING, VOL. 10, NO. 6, DECEMBER 2002
721
Single-Packet IP Traceback
Alex C. Snoeren, Student Member, IEEE, Craig Partridge, Fellow, IEEE, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Member, IEEE, Beverly Schwartz, Stephen T. Kent, and W. Timothy Strayer, Senior Member, IEEE
Abstract--The design of the IP protocol makes it difficult to reliably identify the originator of an IP packet. Even in the absence of any deliberate attempt to disguise a packet's origin, widespread packet forwarding techniques such as NAT and encapsulation may obscure the packet's true source. Techniques have been developed to determine the source of large packet flows, but, to date, no system has been presented to track individual packets in an efficient, scalable fashion. We present a hash-based technique for IP traceback that generates audit trails for traffic within the network, and can trace the origin of a single IP packet delivered by the network in the recent past. We demonstrate that the system is effective, space efficient (requiring approximately 0.5% of the link capacity per unit time in storage), and implementable in current or next-generation routing hardware. We present both analytic and simulation results showing the system's effectiveness. Index Terms--Computer network management, computer network security, denial of service (DoS), IP traceback, network fault diagnosis, wide-area networks (WANs).
I. INTRODUCTION ODAY'S Internet infrastructure is extremely vulnerable to motivated and well-equipped attackers. Tools are readily available, from covertly exchanged exploit programs to publicly released vulnerability assessment software, to degrade performance or even disable vital network services. The consequences are serious and, increasingly, financially disastrous. While distributed denial-of-service (DDoS) attacks, typically conducted by flooding network links with large amounts of traffic, are the most widely reported, there are other forms of network attacks, many of which require significantly smaller packet flows. In fact, there are a number of widely deployed operating systems and routers that can be disabled by a single well-targeted packet (e.g., the Teardrop attack crashes versions of Microsoft Windows with one packet [1]). To institute accountability for these attacks, the source of individual packets must be identified. Unfortunately, the anonymous nature of the IP protocol makes it difficult to accurately identify the true source of an
Manuscript received September 29, 2001; approved by IEEE/ACM TRANSACTIONS ON NETWORKING Editor V. Paxson. This work was supported by the Defense Advanced Research Projects Agency (DARPA) under Contract N66001-00-C-8038. A preliminary version of this paper was presented at ACM SIGCOMM'01, San Diego, CA, August 2001. A. C. Snoeren is with the MIT Laboratory for Computer Science, Cambridge, MA 02139 USA, and with BBN Technologies, Cambridge, MA 02138 USA (e-mail: snoeren@lcs.mit.edu). C. Partridge, C. E. Jones, F. Tchakountio, B. Schwartz, S. T. Kent, and W. T. Strayer are with BBN Technologies, Cambridge, MA 02138 USA (e-mail: craig@bbn.com; cej@bbn.com; ftchakou@bbn.com; bschwart@bbn.com; kent@bbn.com; strayer@bbn.com). L. A. Sanchez is with Megisto Systems, Inc., Germantown, MD 20874 USA (e-mail: lsanchez@megisto.com). Digital Object Identifier 10.1109/TNET.2002.804827
T
IP datagram if the source wishes to conceal it. The network routing infrastructure is stateless and based largely on destination addresses; no entity in an IP network is officially responsible for ensuring the source address is correct. Many routers employ a technique called ingress filtering [2] to limit source addresses of IP datagrams from a stub network to addresses belonging to that network, but not all routers have the resources necessary to examine the source address of each incoming packet, and ingress filtering provides no protection on transit networks. Furthermore, spoofed source addresses are legitimately used by network address translators (NATs), Mobile IP, and various unidirectional link technologies such as hybrid satellite architectures. Accordingly, a well-placed attacker can generate offending IP packets that appear to have originated from almost anywhere. While techniques such as ingress filtering, which suppresses packets arriving from a given network with source addresses that do not properly belong to that network, increase the difficulty of mounting an attack, transit networks are dependent upon their peers to perform the appropriate filtering. This interdependence is clearly unacceptable from a liability perspective; each motivated network must be able to secure itself independently. Systems that can reliably trace individual packets back to their sources are a first and important step in making attackers (or, at least, the systems they use) accountable. There are a number of significant challenges in the construction of such a tracing system including determining which packets to trace, maintaining privacy (a tracing system should not adversely impact the privacy of legitimate users), and minimizing cost (both in router time spent tracking rather than forwarding packets, and in storage used to keep information). We have developed a Source Path Isolation Engine (SPIE) to enable IP traceback, the ability to identify the source of a particular IP packet given a copy of the packet to be traced, its destination, and an approximate time of receipt. Historically, tracing individual packets has required prohibitive amounts of memory; one of SPIE's key innovations is to reduce the memory requirement (down to 0.5% of link bandwidth per unit time) through the use of Bloom filters [3]. By storing only packet digests, and not the packets themselves, SPIE also does not increase a network's vulnerability to eavesdropping. SPIE therefore allows routers to efficiently determine if they forwarded a particular packet within a specified time interval while maintaining the privacy of unrelated traffic. The rest of this paper examines SPIE in detail. We begin by defining the problem of IP traceback in Section II, and articulate the desired features of a traceback system. We survey previous work in Section III, relating their feature sets against our
1063-6692/02$17.00 2002 IEEE
722
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 10, NO. 6, DECEMBER 2002
requirements. Section IV describes the digesting process in detail. Section V presents an overview of the SPIE architecture, while Section VI offers a practical implementation of the concepts. Section VII provides both analytic and simulation results evaluating SPIE's traceback success rates. We discuss the issues involved in deploying SPIE in Section VIII before concluding in Section IX with a brief look at future work.
II. IP TRACEBACK The concept of IP traceback is not yet well defined. In an attempt to clarify the context in which SPIE was developed, this section presents a detailed and formal definition of traceback. We hope that presenting a strawman definition of traceback will also help the community better evaluate different traceback schemes. In order to remain consistent with the terminology in the literature, we will consider a packet of interest to be nefarious, and term it an attack packet; similarly, the destination of the packet is a victim. We note, however, that there are many reasons to trace the source of a packet; many packets of interest are sent with no ill intent whatsoever. A. Assumptions There are several important assumptions that a traceback system should make about a network and the traffic it carries. Packets may be addressed to more than one physical host. Duplicate packets may exist in the network. Routers may be subverted, but not often. Attackers are aware they are being traced. The routing behavior of the network may be unstable. The packet size should not grow as a result of tracing. End hosts may be resource constrained. Traceback is an infrequent operation. The first two assumptions are simply characteristics of the Internet Protocol. IP packets may contain a multicast or broadcast address as their destination, causing the routing infrastructure to duplicate them internally. An attacker can also inject multiple identical packets itself, possibly at multiple locations. A tracing system must be prepared for a situation where there are multiple sources of the same (identical) packet, or a single source of multiple (also typically identical) packets. The next two assumptions speak to the capabilities of the attacker(s). An attacker may gain access to routers along (or adjacent to) the path from attacker to victim by a variety of means. Further, a sophisticated attacker is aware of the characteristics of the network, including the possibility that the network is capable of tracing an attack. The traceback system must not be confounded by a motivated attacker who subverts a router with the intent to subvert the tracing system. The instability of Internet routing is well known [4] and its implications for tracing are important. Two packets sent by the same host to the same destination may traverse wildly different paths. As a result, any system that seeks to determine origins using multipacket analysis techniques must be prepared to make sense of divergent path information.
The assumption that the packet size should not grow is probably the most controversial. There are a number of protocols today that cause the packet size to grow, for example technologies that rely on packet encapsulation, such as IPsec and mobile IP. However, increasing the packet size causes MTU problems and increases overhead sharply (each byte of additional overhead reduces system bandwidth by about 1%, given the average packet size of about 128 B). A recent study by the Cooperative Association for Internet Data Analysis (CAIDA) [5] found that packet encapsulation (and the resulting growth in packet size) is the single largest cause of fragmentation on the Internet. It follows that an efficient traceback system should not cause packet size to grow. We assume that an end host, and in particular the victim of an attack, may be resource poor and unable to maintain substantial additional administrative state regarding the routing state or the packets it has previously received. This assumption comes from the observed rise in special purpose devices such as microscopes, cameras, and printers that are attached to the Internet yet have few internal resources other than those devoted to performing their primary task. The final assumption that traceback queries are infrequent has important design implications. It implies queries can be handled by a router's control path, and need not be dealt with on the forwarding path at line speed. While there may be auditing tasks associated with packet forwarding to support traceback that must be executed while forwarding, the processing of the audit trails is infrequent with respect to their generation. B. Goal Ideally, a traceback system should be able to identify the source of any piece of data sent across the network. In an IP framework, the packet is the smallest atomic unit of data. Any smaller division of data (a byte, for instance) is contained within a unique packet. Hence, an optimal IP traceback system would precisely identify the source of an arbitrary IP packet. Any larger data unit or stream can be isolated by searching for any particular packet containing data within the stream.1 As with any auditing system, a traceback system can only be effective in networks in which it has been deployed. Hence, we consider the source of a packet to be one of the following: the ingress point to the traceback-enabled network; the actual host or network of origin; one or more compromised routers within the enabled network. If one assumes that any router along the path may be co-opted to assist in concealing a packet's source, it becomes obvious that one must attempt to discern not only the packet's source, but its entire path through the network. Because subverted routers can fabricate trace information, the path can only be guaranteed to be accurate on the portion from the victim to the a source or subverted router, whichever comes first. While subverted routers may attempt to conceal their identity by appending additional sources further upstream, the subverted routers themselves must
1Indeed, we would argue that it is desirable to trace the individual packets within a stream because the individual packets may have originated at different sites (meeting only at the victim) and are likely to have followed different paths through the network.
SNOEREN et al.: SINGLE-PACKET IP TRACEBACK
723
still appear as a node in the trace. We consider subverted routers that attempt to conceal the true source of a packet as co-conspirator and, therefore, attack sources themselves. Hence, we are interested in constructing an attack path, where the path consists of each router traversed by the packet on its journey from source to the victim. Each node in an attack path either forwarded the packet or lies upstream of a subverted router that did. Further, since multiple, indistinguishable packets may be injected into the network from different sources in the general case, a traceback system should construct an attack graph composed of the attack paths for every instance of the attack packet that arrived at the victim. If routers are subverted, they may provide misinformation to the traceback system, causing the attack graph to contain false positives; that is, the attack graph may implicate sources that did not actually emit the packet. We argue these false positives are unavoidable consequence of admitting the possibility of subverted routers. An ideal traceback system, however, produces no false negatives while attempting to minimize false positives; it must never exonerate an attacker by not including the attacker in the attack graph. Further, when a traceback system is deployed, it must not reduce the privacy of IP communications. In particular, entities not involved in the generation, forwarding, or receipt of the original packet should not be able to gain access to packet contents by either utilizing or as part of participating in the IP traceback system. An ideal IP traceback system must not expand the eavesdropping capabilities of a malicious party. C. Transformations It is important to note that packets may be modified during the forwarding process. In addition to the standard decrementing of the time to live (TTL) field and checksum recomputation, IP packets may be further transformed by intermediate routers. Packet transformation may be the result of valid processing, router error, or malicious intent. A traceback system need not concern itself with packet transformations resulting from error or malicious behavior. Packets resulting from such transformations only need be traced to the point of transformation, as the transforming node either needs to be fixed or can be considered a co-conspirator (source). A complete traceback system should trace packets through valid transformations back to the source of the original packet. Valid packet transformations are defined as a change of packet state that allows for or enhances network data delivery. Transformations occur due to such reasons as hardware needs, network management, protocol requirements, and source request. Based on the transform produced, packet transformations are categorized as follows. 1) Packet Encapsulation: A new packet is generated in which the original packet is encapsulated as the payload (e.g., IPsec). The new packet is forwarded to an intermediate destination for de-encapsulation. This is also known as tunneling. 2) Packet Generation: One or more packets are generated as a direct result of an action by the router on the original packet (e.g., an ICMP Echo Reply sent in response to an ICMP Echo Request, or packet duplication in IP Multicast). The new packets are forwarded and processed independent of the original packet.
(A large number of reflector attacks utilize such transforms to hide their source [6].) Common packet transformations include those performed by RFC 1812-compliant routers [7] such as packet fragmentation, IP option processing, ICMP processing, and packet duplication. Network address translation (NAT) and both IP-in-IP and IPsec tunneling are also notable forms of packet transformation. Many of these transformations result in a loss of the original packet state due to the stateless nature of IP networks. A recent CAIDA study of wide-area traffic patterns found that less than 3% of IP traffic underwent common transformation and IP tunneling [8]. While this study did not encompass all forms of transformation (NAT processing being a notable omission), it seems safe to assume that packet transformations account for a relatively small fraction of the overall IP traffic traversing the Internet today. However, attackers may transmit packets engineered to experience transformation. The ability to trace packets that undergo transformation is, therefore, an essential feature of any viable traceback system. III. RELATED WORK There are two approaches to the problem of determining the route of a packet flow: one can audit the flow as it traverses the network, or one can attempt to infer the route based upon its impact on the state of the network. Both approaches become increasingly difficult as the size of the flow decreases, but the latter becomes infeasible when flow sizes approach a single packet because small flows generally have no measurable impact on the network state. Route inference was pioneered by Burch and Cheswick [9] who considered the problem of large packet flows and proposed a novel technique that systematically floods candidate network links. By watching for variations in the received packet flow due to the restricted link bandwidth, they are able to infer the flow's route. This technique requires considerable knowledge of network topology and the ability to generate large packet floods on arbitrary network links. One can categorize auditing techniques into two classes according to the way in which they balance resource requirements across the network components. Some techniques require resources at both the end host and the routing infrastructure, others require resources only within the network itself. Of those that require only infrastructure support, some add packet processing to the forwarding engine of the routers while others offload the computation to the control path of the routers. A. End-Host Storage Some auditing approaches attempt to distribute the burden by storing state and performing computation at the end hosts rather than in the network. Routers notify the packet destination of their presence on the route. Because IP packets cannot grow arbitrarily large, schemes have been developed to reduce the amount of space required to send such information. Recently proposed techniques by Savage et al. [10] and Bellovin [11] explore in-band and out-of-band signaling, respectively. Because of the high overhead involved, neither Savage et al. nor Bellovin attempt to provide audit information for every
724
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 10, NO. 6, DECEMBER 2002
packet. Instead, each employs probabilistic methods that allow sufficiently large packet flows to be traced. By providing partial information on a subset of packets in a flow, auditing routers enable an end host to reconstruct the entire path traversed by the packet flow after receiving a sufficient number of packets belonging to the flow. The two schemes diverge in the methods used to communicate the information to the end host. Savage et al. employ a packet marking scheme that encodes the information in rarely-used fields within the IP header itself. This approach has been extended by Song and Perrig to improve the reconstruction of paths and authenticate the encodings [12]. In order to avoid the backward compatibility issues and increased computation required by the sophisticated encoding schemes employed in the packet marking schemes, Bellovin's scheme (and later "intentional" extension [13]) simply sends the audit information in an ICMP message. B. Infrastructure Approaches End-host schemes require the end hosts to log meta data in case an incoming packet proves to be offensive. Alternatively, the network itself can be charged with maintaining the audit trails. The obvious approach to auditing packet flow is simply to log packets at various points throughout the network and then use appropriate extraction techniques to discover the packet's path through the network. Logging requires no computation on the router's fast path and, thus, can be implemented efficiently in today's router architecture. Sager suggests such a monitoring approach [14]. However, the effectiveness of the logs is limited by the amount of space available to store them. Given today's link speeds, packet logs quickly grow to intractable sizes, even over relatively short time frames. An OC-192 link is capable of transferring 1.25 GB per second. If one allows 60 seconds to conduct a query, a router with 16 links would require 1.2 TB of high-speed storage. These requirements can be reduced by sampling techniques similar to those of the end-host schemes, but down-sampling reduces the probability of detecting small flows and does not alleviate the security issues raised by storing complete packets in the router. The ability of an attacker to break into a router and capture terrabytes of actual traffic has severe privacy implications. Alternatively, routers can be tasked to perform more sophisticated auditing in real time, extracting a smaller amount of information as packets are forwarded. Many currently available routers support input debugging, a feature that identifies on which incoming port a particular outgoing packet (or set of packets) of interest arrived. Since no history is stored, however, this process must be activated before an attack packet passes by. Furthermore, due to the high overhead of this operation on many popular router architectures, activating it may have adverse effects on the traffic currently being serviced by the router. C. Specialized Routing One of the main problems with the link testing or logging methods above is the large amount of repetition required. A
trace is conducted in a hop-by-hop fashion, querying each router along the way. Once the incoming link or links have been identified, the process must be repeated at the upstream router. Several techniques have been developed to streamline and automate this process. Some ISPs have developed their own ad hoc mechanisms for automatically conducting input debugging across their networks. Schnackenberg et al. [15] propose a more general Intruder Detection and Isolation Protocol (IDIP) to facilitate interaction between routers involved in a traceback effort. IDIP does not specify how participating entities should track packet traffic; it simply requires that they be able to determine whether or not they have seen a component of an attack matching a certain description. Even with automated tools, however, each router in the ISP must support input debugging or logging which are not common in today's high-speed routers for reasons discussed above. In order to avoid this requirement, Stone [16] suggests constructing an overlay network connecting all the edge routers of an ISP. By using a deliberately simple topology of specialized routers, suspicious flows can be dynamically rerouted across the special tracking network for analysis. This approach has two major shortcomings. First, the attack must be sufficiently long lived to allow the ISP to effect the rerouting before the relevant flow terminates. Second, the routing change is perceptible by the attacker, and an especially motivated attacker may be able to escape detection by taking appropriate action. While techniques exist to hide precisely what changed about the route, changes in layer-three topology are hard to mask. IV. PACKET DIGESTING The Source Path Isolation Engine (SPIE) uses auditing techniques to support the traceback of individual packets while reducing the storage requirements by several orders of magnitude over current log-based techniques [14]. Traffic auditing is accomplished by computing and storing packet digests rather than storing the packets themselves. In addition to reducing storage requirements, storing packet digests instead of the actual packet contents preserves traffic confidentiality by preventing SPIE from being used as a tool for eavesdropping. A. Digest Input The packet content used as input to the digesting function must uniquely represent an IP packet and enable the identification of the packet across hops in the forwarding path. At the same time, it is desirable to limit the size of the digest input both for performance and for reasons discussed below (c.f. Section V-C). Duffield and Grossglauser encountered similar requirements while sampling a subset of forwarded packets in an attempt to measure traffic flows [17]. We use a similar approach, masking variant packet content and selecting an appropriate-length prefix of the packet to use as input to the digesting function. Our choice of invariant fields and prefix length is slightly different, however.2
2Because we sample a smaller portion of the packet (28 versus 40 B), we include fields like header length and protocol that Duffield and Grossglauser eschewed due to their lower entropy.
SNOEREN et al.: SINGLE-PACKET IP TRACEBACK
725
Fig. 1. Fields of an IP packet. Fields in gray are masked out before digesting, including the Type of Service, TTL, IP checksum, and IP options fields.
across a number of sites.) Two unique packets which are identical up to the specified prefix length are termed a collision. A 28-B prefix (only 24 nonmasked bytes) results in a collision rate of approximately 0.000 92% in the wide area and 0.139% on the LAN. Unlike similar results reported by Duffield and Grossglauser [17, Fig. 4], our results include only unique packets; exact duplicates were removed from the packet trace. Close inspection of packets in the wide area with identical prefixes indicates that packets with matching prefix lengths of 22 and 23 B are ICMP Time Exceeded error packets with the IP identification field set to zero. Similarly, packets with matching prefixes between 2431 B in length are TCP packets with IP identifications also set to zero which are first differentiated by the TCP sequence number or acknowledgment fields.3 The markedly higher collision rate in the local area is due to the lack of address and traffic diversity. This expected result does not significantly impact SPIE's performance, however. LANs are likely to exist at only two points in an attack graph: immediately surrounding the victim and the attacker(s). False positives on the victim's local network can be easily eliminated from the attack graph--they likely share the same gateway router in any event. False positives at the source are unlikely if the attacker is using spoofed source addresses, as this provides the missing diversity in attack traffic, and remain in the immediate vicinity of the true attacker by definition. Hence, for the purposes of SPIE, IP packets are effectively distinguished by the first 24 invariant bytes of the packet. B. Bloom Filters Constructing a digest table containing packet digests corresponding to the traffic forwarded by a router for a given time interval is a challenging task. A naive technique that simply stored the digests themselves would require massive amounts of storage. Instead, SPIE implements digest tables using spaceefficient data structures known as Bloom filters [3]. A Bloom filter computes distinct packet digests for each packet using independent uniform hash functions, and uses the -bit results to index into a -sized bit array. The array is initialized to all zeros, and bits are set to one as packets are received. Fig. 3 depicts a Bloom filter with hash functions. Membership tests can be conducted simply by computing the digests on the packet in question and checking the indicated bit positions. If any one of them is zero, the packet was not stored in the table. If, however, all the bits are one, it is highly likely the packet was stored. It is possible that some set of other insertions caused all the bits to be set, creating a false positive, but the rate of such false positives can be controlled by only allowing an individual Bloom filter to store a limited number of digests [18]. Saturated filters can be swapped out for a new, empty filter, and archived for later querying. C. Hash Functions SPIE places three major restrictions on the family of hash functions, , used as digesting functions in its Bloom filters.
3Further investigation indicates a number of current operating systems, including recent versions of Linux, frequently set the IP ID to zero.
Fig. 2. Fraction of packets that collide (with ToS, TTL, and checksum fields masked out) as a function of prefix length. The WAN trace represents 985 150 packets (with 5801 duplicates removed) between 6031 host pairs collected on July 20, 2000 at the University of Florida OC-3 gateway. The LAN trace consists of 1 000 000 packets (317 duplicates removed) between 2879 host pairs observed on an Ethernet segment at the MIT Laboratory for Computer Science.
Fig. 1 shows an IP packet and the fields included by the SPIE digesting function. SPIE computes digests over the invariant portion of the IP header and the first 8 B of the payload. Frequently modified header fields are masked prior to digesting. Note that beyond the obvious fields (TTL, TOS, and checksum), certain IP options cause routers to rewrite the option field at various intervals. To ensure a packet appears identical at all steps along its route, SPIE masks or compensates for these fields when computing the packet digests. It is important to note that the invariant IP fields used for SPIE digesting may occasionally be modified by a packet transform (c.f. Section V-C). Our research indicates that the first 24 invariant bytes of a packet (20-B IP header with 4 B masked out plus the first 8 B of payload) are sufficient to differentiate almost all nonidentical packets. Fig. 2 presents the rate of packet collisions for an increasing prefix length for two representative traces: a WAN trace from an OC-3 gateway router, and a LAN trace from an active 100-Mb Ethernet segment. (Results were similar for traces
726
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 10, NO. 6, DECEMBER 2002
Fig. 3. For each packet received, SPIE computes k independent n-bit digests, and sets the corresponding bits in the 2 -bit digest table.
Fig. 4. SPIE network infrastructure, consisting of Data Generation Agents (DGAs), SPIE Collection and Reduction Agents (SCARs), and a SPIE Traceback Manager (STM).
First, each member function must distribute a highly correlated set of input values (IP packet prefixes), , as uniformly as possible over the hash's result value space. That is, for a hash funcin , and distinct packets , tion . This is a standard property of good hash functions. SPIE further requires that the event that two packets collide for some ] be indein one hash function [ pendent of collision events in any other functions [ ]. Intuitively, this implies false positives at one router are independent of false positives at neighboring routers. chosen at random indepenFormally, for any function dently of the input packets and , with high probability. Such hash families, called universal hash families, were first defined by Carter and Wegman [19] and can be implemented in a variety of fashions [20][22]. Finally, member functions must be straightforward to compute at high link speeds. This requirement is not impractical because SPIE hash functions do not require any cryptographic "hardness" properties. That is, it does not have to be difficult to generate a valid input packet given a particular hash value. Being able to create a packet with a particular hash value enables three classes of attacks, each of which is fairly benign. One attack would ensure that all attack packets have the same fingerprint in the Bloom filter at some router (which is very difficult since there are multiple, independent hashes at each router), but this achievement is of little use, as the packet fingerprints would be distinct at neighboring routers (due to the independent hash functions at each router). Another attack is to ensure all attack packets have different fingerprints, but that is the common case already. The third, and most difficult attack, is to create an attack packet with the same fingerprint as another, nonattack packet. In general, this attack simply adds one additional false-positive node (where the two packets are indistinguishable) to the attack graph of both packets. V. SOURCE PATH ISOLATION ENGINE SPIE-enhanced routers maintain a cache of packet digests for recently forwarded traffic. If a packet is determined to be offen-
sive by some intrusion detection system (or judged interesting by some other metric), a query is dispatched to SPIE which in turn queries routers for packet digests of the relevant time periods. The results of this query are used in a simulated reverse-path flooding algorithm to build an attack graph that indicates the packet's source(s). A. Architecture The tasks of packet auditing, query processing, and attack graph generation are dispersed among separate components in the SPIE system. Fig. 4 shows the three major architectural components of the SPIE system. Each SPIE-enhanced router has a Data Generation Agent (DGA) associated with it. Depending upon the type of router in question, the DGA can be implemented and deployed as a software agent, an interface card plug to the switching background bus, or a separate auxiliary box connected to the router through some auxiliary interface. The DGA produces packet digests of each packet as it departs the router, and stores the digests in time-stamped digest tables. The tables are paged every so often, and represent the set of traffic forwarded by the router for a particular interval of time. Each table is annotated with the time interval and the set of hash functions used to compute the packet digests over that interval. The digest tables are stored locally at the DGA for some period of time, depending on the resource constraints of the router. SCARs are responsible for a particular region of the network, serving as data concentration points for several routers and facilitating traceback of any packets that traverse the region. Due to the complex topologies of today's ISP's, there will typically be several SCAR's distributed over an entire network. Upon request, each SCAR produces an attack graph for its particular region. The attack graphs from each SCAR are grafted together to form a complete attack graph by the SPIE Traceback Manager (STM). The STM controls the whole SPIE system. The STM is the interface to the intrusion detection system or other entity requesting a packet trace. When a request is presented to the STM, it verifies the authenticity of the request, dispatches the request to the appropriate SCARs, gathers the resulting attack graphs, and assembles them into a complete attack graph. Upon comple-
SNOEREN et al.: SINGLE-PACKET IP TRACEBACK
727
tion of the traceback process, the STM replies to the intrusion detection system with the final attack graph. B. Traceback Processing Before the traceback process can begin, an attack packet must be identified. Most likely, an intrusion detection system will determine that an exceptional event has occurred and provide the STM with a packet , victim , and time of attack . SPIE places two constraints on the intrusion detection system: the victim must be expressed in terms of the last-hop router, not the end host itself, and the attack packet must be identified in a timely fashion. The first requirement provides the query process with a starting point; the latter stems from the fact that traceback must be initiated before the appropriate digest tables are overwritten by the DGAs. This time constraint is directly related to the amount of resources dedicated to the storage of traffic digests. (We discuss timing and resource tradeoffs in Section VII.) Upon receipt of traceback request, the STM cryptographically verifies its authenticity and integrity. Any entity wishing to employ SPIE to perform a traceback operation must be properly authorized in order to prevent DDoS attacks. Upon successful verification, the STM dispatches the query to the relevant SCARs for processing. Beginning at the SCAR responsible for the victim's region of the network, the STM sends a query message containing , , and as provided by the intrusion detection system. The SCAR polls its DGAs and responds with a partial attack graph, the time the packet entered the region, and the entering packet itself (it may have been transformed, possibly multiple times, within the region). The attack graph either terminates within the region managed by the SCAR, in which case a source has been identified, or it contains nodes at the edge of the SCAR's network region. In the latter case the STM sends a new query for the transformed to the SCAR for the abutting network region. This packet query uses the border router between the two network regions as its victim and as the time of attack. This process continues until all branches of the attack graph terminate, either at a source within the network, or at the edge of the SPIE system. The STM then constructs a composite attack graph which it returns to the intrusion detection system. C. Transformation Processing IP packets may undergo valid transformation while traversing the network, and SPIE must be capable of tracing through such transformations. In particular, SPIE must be able to reconstruct the original packet from the transformed packet. Unfortunately, many transformations are not invertible without additional information due to the stateless nature of IP networks. Consequently, SPIE must record sufficient packet data at the time of transformation to allow the original packet to be reconstructed. The packet data chosen as input to the digesting function determines the set of packet transformations SPIE must handle--SPIE need only consider transformations that modify fields used as input to the digest function. SPIE computes digests over the IP header and the first 8 B of the packet payload but masks out (or omits in the case of IP options) several frequently updated fields before digesting, as shown in Fig. 1 of Section IV. Masking hides most hop-by-hop transformations
Fig. 5. Transform Lookup Table (TLT) stores sufficient information to invert packet transformations at SPIE routers. The table is indexed by packet digest, specifies the type of transformation, and stores any irrecoverable packet data.
from the digesting function, but forces SPIE to explicitly handle each of the following transformations: fragmentation, network address translation (NAT), ICMP messages, IP-in-IP tunneling, and IP security (IPsec). Recording the information necessary to reconstruct the original packet from a transformed packet requires additional resources. Fortunately for SPIE, the circumstances that cause a packet to undergo a transformation will generally take that packet off of the fast path of the router and put it onto the control path, relaxing the timing requirements. The router's memory constraints remain unchanged, however; hence, transformation information must be stored in a scalable and space-efficient manner. 1) Transform Lookup Table: Along with each packet digest table collected at a DGA, SPIE maintains a corresponding transform table for the same interval of time called a transform lookup table, or TLT. Each entry in the TLT contains three fields, shown in Fig. 5. The first field stores a digest of the transformed packet. The second field specifies the type of transformation--three bits are sufficient to uniquely identify the transformation type among those supported by SPIE. The last field contains a variable amount of packet data the length of which depends upon the type of transformation being recorded. For space efficiency, the data field is limited to 32 b. Some transformations, such as network address translation, may require more space. These transformations utilize a level of indirection--one bit of the transformation type field is reserved as an indirect flag. If the indirect, or I, flag is set, the third field of the TLT is treated as a pointer to an external data structure which contains the information necessary to reconstruct the packet. The indirect flag can also be used for flow caching. In many cases (e.g., tunneling or NAT), packets undergoing a particular transformation are related. In such cases, it is possible to reduce the storage requirements by suppressing duplicate packet data, instead referencing a single copy of the required data that can be used to reconstruct any packet in the flow. Such a scheme requires, however, that the SPIE-enabled router itself be capable of flow caching, or at least identification, so that the packets within the flow can be correlated and stored appropriately. In order to preserve alignment, it is likely efficient implementations would store only 29 b of the packet digest resulting in 64-b-wide TLT entries. This width implies eight distinct packet digests will map to the same TLT entry. The relative rarity of packet transformations [8], the sparsity of the digest table, and the uniformity of the digesting function combine to make collisions extremely rare in practice. Assuming a digest table capacity of roughly 3.2 Mpkts (16-Mb SRAM, see Section VII-B) and a transformation rate of 3%, the expected collision rate is approximately 1 : 5333 packets. Even if a collision occurs, it simply results in an additional possible transformation of the
728
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 10, NO. 6, DECEMBER 2002
queried packet. Each transformation is computed (including the null transformation) and traceback continues. Incorrectly transformed packets likely will not exist at neighboring routers and, thus, will not contribute any false nodes to the attack graph. 2) Special-Purpose Gateways: Some classes of packet transformations, notably NAT and tunneling, are often performed on a large fraction of packets passing through a particular gateway. The transform lookup table would quickly grow to an unmanageable in size such instances; hence, SPIE considers the security gateway or NAT functionality of routers as a separate entity. Standard routing transformations are handled as above, but special purpose gateway transformations require a different approach to transformation handling. Transformations in these types of gateways are generally computed in a stateful way (usually based on a static rule set); hence, they can be inverted in a similar fashion. While the details are implementation specific, inverting such transformations is straightforward; we do not consider it here. 3) Sample Transformations: A good example of transformation is packet fragmentation. To avoid needing to store any of the packet payload, SPIE supports inversion of only the first packet fragment, i.e., only the first fragment may be traced back beyond the point of fragmentation. The remaining fragments may be traced to the point of fragmentation, but no further. Note that for most fragment-based attacks [1], the attacker inserts fragments directly into the network (i.e., the attacker is the point of fragmentation) so the traceback is complete. (If only a subset of the fragments is received by the victim the packet cannot be reassembled; hence, the only viable attack is a DoS attack on the victim's reassembly engine. But, if the fragmentation occurs within the network itself, an attacker cannot control which fragments are received by the victim so the victim will eventually receive a first fragment to use in traceback.) Packet data to be recorded includes the total length, fragment offset, and more fragments (MF) field. Since properly behaving IP routers cannot create fragments with less than 8 B of payload information [23], when given the first fragment, SPIE is always able to invert fragmentation and reconstruct the header and at least 64 b of payload of the prefragmented packet which is sufficient to continue traceback. Observe that SPIE never needs to record any packet payload information. ICMP transformations can be inverted because ICMP error messages always include at least the first 64 b of the offending packet [24]. Careful readers may be concerned that encapsulation cannot be inverted if the encapsulated packet is subsequently fragmented and the fragments containing the encapsulated IP header and first 64 b of payload are not available. While this is strictly true, such transformations need to be inverted only in extreme cases as it takes a very sophisticated attacker to cause a packet to be first encapsulated, then fragmented, and then ensure fragment loss. If all the fragments are received, the original header can be extracted from the reassembled payload. It seems quite difficult for an attacker to ensure that packet fragments are lost. It can cause packet loss by flooding the link, but to do so requires sending such a large number of packets that it is very likely that all the fragments for at least one packet will be successfully received by the de-encapsulator for use in traceback.
Fig. 6. Reverse path flooding, starting at the victim's router V and proceeding backward toward the attacker A. Solid arrows represent the attack path; dashed arrows are SPIE queries. Queries are dropped by routers that did not forward the packet in question.
D. Graph Construction Each SCAR constructs a subgraph using topology information about its particular region of the network. After querying each of the DGAs in its region, a SCAR simulates reverse-path flooding by examining the results in the order they would be queried if an actual reverse path flood was conducted on the topology that existed at the time the packet was forwarded. (The topology information itself is collected and stored independently at each DGA along with the digest tables, and returned to the SCAR as part of the query response.) Fig. 6 shows how reverse-path flooding would discover the attack path from to , querying routers and along the way. It is important to note that the routers need not actually be queried sequentially--the SCAR proactively queries each DGA and caches the results locally. In order to respond to a SCAR's query, a DGA computes the appropriate set of digests and consults the digest table for the indicated time period. If an entry exists for the packet in question, the router is considered to have forwarded the packet. If, however, the digest is not found in the indicated table, it may be necessary to search the digest table corresponding to the immediately preceding time period. Depending on the link latency between routers, DGAs may need to search multiple digest tables in order to assure they have examined an appropriate time frame (which is determined by the link latency and maximum queuing delay at that router). Once a digest is located, the packet arrival time is always considered to be the latest possible time in the interval. This ensures the packet must have been seen at an earlier time at adjacent routers. Along with the digest tables, each DGA also consults its TLTs for the same time intervals. If the packet was transformed, the DGA informs the SCAR, which then reissues queries to the other DGAs in the region containing the transformed packet and an updated arrival time. If the packet is not found in any of the digest tables or TLTs for the relevant time period, a negative result is returned by the DGA, and the SCAR considers that particular branch of the search tree to be terminated. The result of this procedure is a connected graph containing the set of nodes believed to have forwarded the packet toward
SNOEREN et al.: SINGLE-PACKET IP TRACEBACK
729
its performance were presented previously [26]. Briefly, each interface card in the router is outfitted with an Interface Tap which computes multiple independent digests of each packet as it is forwarded. These digests are passed to a separate SPIE processor (implemented either in a line card form factor or as an external unit) which stores them as described above in digest tables for specific time periods. As time passes, the forwarded traffic will begin to fill the digest tables and they must be paged out before they become oversaturated, resulting in unacceptable false-positive rates. The tables are stored in a history buffer implemented as a large ring buffer. Digest tables can then be queried or archived by a separate control processor while they are stored in the ring buffer.
Fig. 7. Sample SPIE DGA hardware implementation for high-speed routers.
VII. ANALYSIS There are several tradeoffs involved when determining the optimum amount of resources to dedicate to SPIE on an individual router or the network as a whole. SPIE's resource requirements can be expressed in terms of two quantities: the number of packet digest functions used by the Bloom filter, and the amount of memory used to store packet digests. Similarly, SPIE's performance can be characterized in two orthogonal dimensions. The first is the length of time for which packet digests are kept. Queries can only be issued while the digests are cached; unless archived to some external storage device within a reasonable amount of time, the DGAs will discard the digest tables in order to make room for more recent ones. The second is the accuracy of the candidate attack graphs which can be measured in the number of false positives in the graph returned by SPIE. Both of these metrics can be controlled by adjusting operational parameters. In particular, the more memory available for storing packet digests, the longer the time queries can be issued. Similarly, digest tables with lower false-positive rates yield more accurate attack graphs. Hence, we wish to characterize the performance of SPIE in terms of the amount of available memory and digest table performance. A. False Positives We first relate the rate of false positives in an attack graph to the rate of false positives in an individual digest table. This relationship depends on the actual network topology and traffic being forwarded at the time. We can, however, make some simplifying assumptions in order to derive an upper bound on the number of false positives as a function of digest table performance. 1) Analytic Bounds: Suppose, for example, each router ensures its digest whose neighbors have degree at most , where tables have a false-positive rate of at most ( is an arbitrary tuning factor). It is easy to show that for any true attack graph with nodes, the attack extra graph returned by SPIE will have at most nodes in expectation. In other words, an average traceback will false result in an attack graph with no more than positives. We say "no more than" because the digest tables will typically not be at full capacity when queried, resulting in a lower false-positive rate than predicted.
the victim. Assuming correct operation of the routers, this graph is guaranteed to be a superset of the actual attack graph. But due to digest collisions, there may be nodes in the attack graph that are not in the actual attack graph. We call these nodes false positives and base the success of SPIE on its ability to limit the number of false positives contained in a returned attack graph. VI. PRACTICAL IMPLEMENTATION For our PC-based SPIE prototype, we simulate a universal hash family using MD5 [25]. A random member is defined by selecting a random input vector to prepend to each packet. The properties of MD5 ensure that the digests of identical packets with different input vectors are independent. The 128-b output of MD5 is then considered as four independent 32-b digests which can support Bloom filters of dimension up to four. Router implementations requiring higher performance are likely to prefer other universal hash families specifically tailored to hardware implementation [22]. A simple family amenable to fast hardware implementation could be constructed by computing a CRC modulo a random member of the set of . indivisible polynomials over In order to ensure hash independence, each router periodically generates a set of independent input vectors and uses them to select digest functions needed for the Bloom filter from the family of universal hashes. These input vectors are computed using a pseudo-random number generator which is independently seeded at each router. For increased robustness against adversarial traffic, the input vectors are changed each time the digest table is paged, resulting in independence not only across routers but also across time periods. The size of the digest bit vector, or digest table, varies with the total traffic capacity of the router; faster routers need larger vectors for the same time period. Similarly, the optimum number of hash functions varies with the size of the bit vector. Routers with tight memory constraints can compute additional digest functions and provide the same false-positive rates as those who compute fewer digests but provide a larger bit vector. Fig. 7 depicts a possible implementation of a SPIE Data Generation Agent in hardware for use on high-speed routers. A full discussion of the details of the architecture and an analysis of
730
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 10, NO. 6, DECEMBER 2002
The false-positive rate of a digest table varies over time, depending on the traffic load at the router and the amount of time since it was paged. Similarly, if the tables are paged on a strict schedule based on maximum link capacity, and the actual traffic load is less, digest tables will never reach their rated capacity. Hence, the analytic result is a worst case bound since the digest table performs strictly better while it is only partially full. It represents the expected number of false positives returned if the query was conducted at the worst possible moment, i.e., when all digest tables were at maximum capacity. Furthermore, our analysis assumes the set of neighbors at each node is disjoint which is not true in real networks. It seems reasonable to expect, therefore, that the false-positive rate over real topologies with actual utilization rates would be substantially lower. For the purposes of this discussion, we arbitrarily select a , resulting in no more than 5 additional false-positive rate of nodes in expectation for a path length of over 35 nodes (approaching the diameter of the Internet) according to our theois then a reasonretical model. Using the bound above, able starting point and we turn to considering its effectiveness in practice. 2) Simulation Results: In order to relate false-positive rate to digest table performance in real topologies, we have run extensive simulations using the actual network topology of a national tier-one ISP made up of roughly 70 backbone routers with links ranging from T-1 to OC-3. We obtained a topology snapshot and average link utilization data for the ISP's network backbone for a week-long period toward the end of 2000, sampled using periodic SNMP queries, and averaged over the week. We simulated an attack by randomly selecting a source and victim, and sending 1000 attack packets at a constant rate between them. Each packet is recorded by every intermediate router along the path from source to destination. A traceback is then simulated starting at the victim router and (hopefully) proceeding toward the source. Uniformly distributed background traffic is simulated by selecting a fixed maximum false-positive rate, , for the digest table at each off-path router. (Real background traffic is not uniform, which would result in slight dependencies in the false-positive rates between routers, but we believe that this represents a reasonable starting point.) In order to accurately model performance with real traffic loads, the effective false-positive rate is scaled by the observed traffic load at each router. For clarity, we consider a nontransformed packet with only one source and one destination. Preliminary experiments with multiple sources (as might be expected in a DDoS attack) indicate false positives scale linearly with respect to the size of the attack graph, which is the union of the attack paths for each copy of the packet. We do not, however, consider this case in the experiments presented here. (A DDoS attack sending identical packets from multiple sources only aids SPIE in its task. A wise attacker would instead send distinct packets from each source, forcing the victim to trace each packet individually.) In order to validate our analytic bound, we have plotted the expected number of false positives as a function of attack path as computed length and digest table performance, above, and show that in comparison to the results of three simulations on our ISP backbone topology in Fig. 8. In the first sim-
Fig. 8. Number of false positives in a SPIE-generated attack graph as a function of the attack path length, for p = 1=8. The analytic bound assuming random topology and 100% link utilization is plotted against three simulation results, two with false-positive rates conditioned on router degree, one without. For the two degree-dependent runs, one considered observed link utilization, while the other assumed full utilization. Each simulation represents the average of 5000 runs using topology and utilization data from a national tier-one ISP.
ulation, we set the maximum digest table false-positive prob, as prescribed above. This setting results ability to false-positive rate significantly lower than the analytic bound. A significant portion of the disparity results from the relatively low link utilizations maintained by operational backbones (77% of the links in our data set had utilization rates of less than 25%), as can be seen by comparing the results to a second simulation on the ISP topology assuming full link utilization. There remains, however, a considerable gap between the analytic bound and simulated performance in network backbones. The nonlinearity of the simulation results indicates there is a strong damping factor due to the topological structure of the network. Intuitively, routers with many neighbors are found at the core of the network (or at peering points), and routers with fewer neighbors are found toward the edge of the network. This suggests false positives induced by core routers may quickly die out as the attack graph proceeds toward less well-connected routers at the edge. To examine the dependence upon vertex degree, we conducted a third simulation in the ISP topology. This time, we removed the false-positive rate's dependence upon the degree of the router's neighbors, setting the digest table performance to (and returning to actual utilization data). While simply there is a marked increase in the number of false positives, it remains well below the analytic bound. This somewhat surprising result indicates that despite the analytic bound's dependence on router degree, the hierarchical structure of ISP backbones may permit a relaxation of the coupling, allowing the false positive rate of the digest tables to be set independently of the degree , resulting in significant space savings. B. Time and Memory Utilization The amount of time during which queries can be supported is directly dependent on the amount of memory dedicated to SPIE. The appropriate amount of time varies depending upon the responsiveness of the method used to identify attack packets. For
SNOEREN et al.: SINGLE-PACKET IP TRACEBACK
731
the purposes of discussion, however, we will assume one minute is a reasonable amount of time in which to identify an attack packet and initiate a traceback. As discussed in Section V-A, once the appropriate digest tables have been queried by the SCARs the actual traceback process can be delayed arbitrarily. 1) Memory Size: Given a particular length of time, the amount of memory required varies linearly with the total link capacity at the router and can be dramatically affected by the dimension of the Bloom filter in use. Bloom filters are typically described in terms of the number of digesting functions. The effective false-positive rate for a Bloom filter that uses digest packets in bits of memory can be functions to store expressed as (1) The performance of a Bloom filter can be quantified in terms and false-positive rate of its memory efficiency factor . For example, a Bloom filter with memory efficiency of would need bits in order to store packets while delivering and its expected false-positive rate. By solving (1) for differentiating with respect to , it is easy to check that optimal . That is, a memory efficiency is reached when or hash functions Bloom filter with either has the maximum memory efficiency for a given false-positive rate . The memory requirement of such a table can easily be determined by substituting back into (1) (observe ) (2) Tables providing the effective false-positive rates for various memory efficiencies and digesting functions are readily available [18]. For the purposes of discussion, we will consider using and a a Bloom filter with three digesting functions of . Such a filter provides memory efficiency factor when full. an effective false-positive rate of or 0.125 used in our While this is well below the value of degree-independent simulations, it is high if digest tables are calibrated with respect to router degree. Luckily, by increasing the number of digesting functions, Bloom filters are able to achieve significantly lower false-positive rates with slight decreases in memory efficiency. For instance, a false-positive rate , which corresponds to our degree-dependent of , with for routers with as many simulation, as 40 neighbors, can be achieved using 8 digesting functions, --slightly less with a memory efficiency factor of only than half what we suggest. SPIE's memory needs are determined by the number of packets processed. Hence, we consider an average-sized packet of approximately 1000 b,4 and describe link speeds in terms of packets per second. We combine this with the Bloom filter efficiency factor of 0.2 from above to compute a rule of thumb:
4This may in fact be a significant underestimate. Recent studies have found the mean packet size has grown to over 400 B in many instances [8], [27]. The corresponding decrease in packet arrival rate eases the load on SPIE's digest tables.
SPIE requires roughly 0.5% of the total link capacity in digest table storage. For a typical low-end router with four OC-3 links, this results in roughly 23 MB of storage. On the very high end, a core router with 32 OC-192 links has a maximum capacity of about 320 Mpkts/s which would require roughly 1.6 Gb/s of digest table memory or 12 GB for one minute's worth of storage. In practice, however, the size of a digest table will be limited by the type of memory required. 2) Access Rates: Size is not the only memory consideration, however; access times turn out to be equally important. Packets must be recorded in the digest table at a rate commensurate with their arrival. Even given an optimistic DRAM cycle time of 50 ns per readmodifywrite cycle, routers processing more than 20 Mpkts/s (roughly 2 OC-192 links, or 8 OC-48 s) require an SRAM digest table. Current technology places pragmatic limits on SRAM size when operating at very high access rates. The increased power consumption, heat, and cost make it impractical to spread digest tables across more than a few SRAM chips. Hence, an entire minute's worth of traffic can only be stored in one digest table at low link speeds. Higher speed routers must page digest tables to SDRAM in order to store a minute's worth of digests as described in Section VI. Given the unavoidable need for a two-tier digest architecture, the best choice of digest table size is likely dictated by pragmatic concerns, and using a single 16-Mb SRAM avoids the timing problems inherent in grouping chips into one memory bank. One way to decrease the update rate is to maintain separate digest tables for each input port. Unfortunately, since the input and output ports for an arbitrary packet are uncorrelated in general, this can complicate the query process. It may be especially problematic if the digest tables are not time synchronized across ports. In certain situations, however, the ability to isolate a specific input port may provide an additional benefit of reducing the number of upstream neighbors that need to be queried. Unfortunately, the ring and bus topologies common at many peering points force routers to have many neighbors on the same input port. The benefits of input port isolation are significantly reduced in such configurations, and are likely not worth the additional complexity. In some border cases, it may be more practical to use a larger amount of slower memory and reduce the number of memory accesses required per packet, allowing DRAM to be used instead of SRAM, for example. This is especially true when considering cached-based memory architectures where access locality becomes an issue. In such cases, packet digests could be recorded in a hash table of -bit values and collisions managed with open-addressed linear probing. If this table is never allowed to fill up, then it admits only false positives, and no false negatives, just like a Bloom filter. The false-positive rate of such a data structure is given by [28] (3) Consider constructing a hash table intended to record packet digests using -bit entries, requiring bits. Such a table is less than 70% full, hence, each packet insertion takes only 2 memory accesses in expectation [28, Sec. 6.4, Table 4]. Solving (3) for , and substituting into the
732
IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 10, NO. 6, DECEMBER 2002
above equation, we see the memory required for a particular false-positive rate while storing packets is given by
When is much smaller than 1, . Hence,
is approximated by (4)
Combining (2) and (4), the additional cost of using a hash table instead of a Bloom filter, in terms of increased memory consumption, is a factor of (for small values of ) (5) For slower routers with many neighbors (and, therefore, small ), the decrease in number and improved locality of memory accesses may outweigh the additional storage requirements of a hash table. C. Timing Uncertainties For routers with a single OC-192 link, a 16-Mb SRAM would hold roughly 10 ms of traffic data; hence, the history buffer would store 6000 individual digest tables. This observation gives rise to another important issue: imperfect timing may cause SPIE to need to examine multiple packet digests at a particular router. The more digests that must be considered, the greater the chance of false positives, so it is advantageous to make the digest tables as large as possible (within practical hardware limits). For reasonable link speeds, the memory access time becomes slow enough that SDRAM can be used which, using current technology, would allow 256-Mb digest tables, with a capacity of roughly 50 Mpkts. It may be the case that the approximate packet service time cannot be confined to an interval covered by one digest table. In that case, we expect the false-positive rate to increase linearly with the number of digest tables examined. For high-speed routers, it is especially important to maintain precise timing synchronization between adjacent routers. We have not yet examined the impact of typical NTP clock skew on SPIE's performance, but believe synchronization can be maintained to within a small number of digesting intervals, not significantly impacting our false-positive rate. VIII. DISCUSSION We believe there are three main areas that affect the practicality of SPIE. We examine several issues relating to deployment, vulnerability, and transform han...
Find millions of documents on Course Hero - Study Guides, Lecture Notes, Reference Materials, Practice Exams and more.
Course Hero has millions of course specific materials providing students with the best way to expand
their education.
Below is a small sample set of documents:
Below is a small sample set of documents:
Delaware - ELEG - 867
IEEE TRANSACTIONS ON COMPUTERS,VOL. 52, NO. 2,FEBRUARY 2003195Sustaining Availability of Web Services under Distributed Denial of Service AttacksJun Xu, Member, IEEE, and Wooyong LeeAbstract-The recent tide of Distributed Denial of Service
Delaware - ELEG - 867
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS,VOL. 14,NO. 9,SEPTEMBER 2003861IP Traceback-Based Intelligent Packet Filtering: A Novel Technique for Defending against Internet DDoS AttacksMinho Sung and Jun Xu, Member, IEEEAbstract
Delaware - ELEG - 867
ACCEPTED FROM OPEN CALLOn IP TracebackAndrey Belenky and Nirwan Ansari, New Jersey Institute of TechnologyABSTRACTIn this article we present the current state of the art in IP traceback. The rising threat of cyber attacks, especially DDoS, make
Delaware - ELEG - 403
WWV/H Demodulator and DecoderDavid L. Mills University of Delaware http:/www.eecis.udel.edu/~mills mailto:mills@udel.eduFrom NBS Special Publication 432 (1979 edition, now out of print)12-Nov-041Class project: a WWV/H receiver demodulator/d
Delaware - ELEG - 867
IEEE COMMUNICATIONS LETTERS, VOL. 8, NO. 6, JUNE 2004359Probabilistic Packet Marking With Non-Preemptive CompensationYu Kuo Tseng, Hsi Han Chen, and Wen Shyong Hsieh, Member, IEEEAbstractA new scheme in probabilistic packet marking (PPM) for IP
Delaware - ELEG - 403
Electrical Engineering Department Technical Report 97-8-1University of Delaware August 1997A Precision Radio Clock for WWV TransmissionsDavid L. MillsAbstract This report describes a software program that functions as a radio clock using short
Delaware - ELEG - 867
DoS Protection for UDP-Based ProtocolsCharlie KaufmanIBMRadia PerlmanSun Microsystems LaboratoriesBill SommerfeldSun Microsystemsckaufman@us.ibm.com ABSTRACTradia.perlman@sun.comsommerfeld@east.sun.com1. INTRODUCTIONOne of the major
Delaware - ELEG - 867
Steps Towards a DoS-resistant Internet ArchitectureMark Handley, Adam Greenhalgh University College London {M.Handley, A.Greenhalgh}@cs.ucl.ac.ukABSTRACTDefending against DoS attacks is extremely difficult; effective solutions probably require si
Delaware - ELEG - 867
Mitigating Bandwidth-Exhaustion Attacks using Congestion Puzzles(Extended Abstract) XiaoFeng Wang ABSTRACTWe present congestion puzzles (CP), a new countermeasure to bandwidth-exhaustion attacks. Like other defenses based on client puzzles, CP atte
Delaware - ELEG - 867
The Dual Receiver Cryptosystem and Its ApplicationsTheodore Diament Homin K. Lee Angelos D. Keromytis Department of Computer Science, Columbia University{tdiament,homin,angelos,moti}@cs.columbia.eduMoti YungABSTRACTWe put forth the notion of a
Delaware - ELEG - 867
Defending Against an Internet-Based Attack on the Physical WorldSIMON BYERS AT&T Labs AVIEL D. RUBIN Johns Hopkins University and DAVID KORMANN AT&T LabsWe discuss the dangers that scalable Internet functionality may present to the real world, foc
Delaware - ELEG - 867
Fine-Grained Control of Security CapabilitiesDAN BONEH Stanford University XUHUA DING Singapore Management University and GENE TSUDIK University of California, IrvineWe present a new approach for fine-grained control over users' security privilege
Delaware - ELEG - 867
The Case for TCP/IP PuzzlesWu-chang Feng OGI@OHSU wuchang@cse.ogi.edu ABSTRACTSince the Morris worm was unleashed in 1988, distributed denial-of-service (DDoS) attacks via worms and viruses have continued to periodically disrupt the Internet. Cli
Delaware - ELEG - 867
IEEEJACM TRANSACTIONS ON NETWORKING, V(}L3. NO. 1, FEBRUARY 199571The KryptoKnight Family of Light-Weight Protocols for Authentication and Key DistributionRay Bird, Shay Kutten, InderMember,Gopal,Fe/o)t, IEEE, Refik/EEE,AmirHerzberg
Delaware - ELEG - 867
An Algebraic Approach to IP TracebackDREW DEAN SRI International MATT FRANKLIN U.C. Davis and ADAM STUBBLEFIELD Rice UniversityWe present a new solution to the problem of determining the path a packet traversed over the Internet (called the traceb
Delaware - ELEG - 867
Protecting Electronic Commerce From Distributed Denial-of-Service AttacksJose Carlos Brustoloni Networking Software Research Department Bell Laboratories, Lucent Technologies 101 Crawfords Corner Rd., Holmdel, NJ 07733 USAjcb@dnrc.bell-labs.com
Delaware - ELEG - 867
(How) Can Mobile Agents Do Secure Electronic Transactions on Untrusted Hosts? A Survey of the Security Issues and the Current SolutionsJORIS CLAESSENS, BART PRENEEL, and JOOS VANDEWALLE Katholieke Universiteit LeuvenESAT/SCD-COSICThis article inve
Delaware - ELEG - 867
Denialecurity threats are often divided into three c&go&s:breachof confidenThr first twu has bear pur-tiality, failure of authenticityand unauthorizeddenial ofserxice. in particularhave been very extensively studied; confidenti+sued to
Delaware - ELEG - 867
Just Fast Keying: Key Agreement in a Hostile InternetWILLIAM AIELLO, STEVEN M. BELLOVIN, MATT BLAZE AT&T Labs Research RAN CANETTI IBM T. J. Watson Research Center JOHN IOANNIDIS AT&T Labs Research ANGELOS D. KEROMYTIS Columbia University and OMER R
Delaware - ELEG - 867
A Practical Method to Counteract Denial of Service AttacksUdaya Kiran Tupakula Vijay VaradharajanInformation and Networked System Security Research Division of Information and Communication Sciences Macquarie University Sydney, Australia{udaya, v
Delaware - ELEG - 867
Early Internet History and How Urban Legends are BornDavid L. Mills University of Delaware http:/www.eecis.udel.edu/~mills mills@udel.edu"When you are up to your ass in alligators, it is wise to remember you are there to drain the swamp." - R.M.
Delaware - CPEG - 323
Virtual MemoryCPEG3231Review: The memory hierarchyTake advantage of the principle of locality to present the user with as much memory as is available in the cheapest technology at the speed offered by the fastest technologyProcessor4-8 byt
Delaware - ELEG - 867
Cryptography and Network SecurityThird Edition by William Stallings Lecture slides by Lawrie BrownChapter 13 Digital Signatures & Authentication ProtocolsTo guard against the baneful influence exerted by strangers is therefore an elementary dicta
Delaware - ELEG - 867
Chapter 10FirewallsBle kingeI nstituteof Te chnology, S de we n http:/www.its.bth.se /staff/hjo/ +46-708-250375Henric Johnson 1Outlinewall De Principle sign s Firewall C haracte ristics Fire s walls Type of Fire wall C onfigurations Fire
Delaware - CPEG - 323
CPEG 323 Computer ArchitectureI/O SystemsCPEG3231Review: Major Components of a ComputerProcessor Control DatapathDevices Memory Output InputImportant metrics for an I/O systemq q q qPerformance Expandability Dependability Cost, siz
Delaware - ELEG - 867
Cryptography and Network SecurityThird Edition by William Stallings Lecture slides by Lawrie BrownChapter 20 FirewallsThe function of a strong position is to make the forces holding it practically unassailable -On War, Carl Von ClausewitzIntro
Delaware - ELEG - 867
Cryptography and Network SecurityThird Edition by William Stallings Lecture slides by Lawrie BrownChapter 11 Message Authentication and Hash Functions At cats' green on the Sunday he took the message from the inside of the pillar and added Peter
Delaware - ELEG - 867
Cryptography and Network SecurityThird Edition by William Stallings Lecture slides by Lawrie BrownChapter 1 IntroductionThe art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; n
Delaware - ELEG - 867
Cryptography and Network SecurityThird Edition by William Stallings Lecture slides by Lawrie BrownChapter 12 Hash AlgorithmsEach of the messages, like each one he had ever read of Stern's commands, began with a number and ended with a number or
Delaware - CPEG - 323
CPEG 323 Computer ArchitectureDisks & RAIDsCPEG3231Review: Major Components of a ComputerProcessor Control Datapath Devices Memory Output InputMain MemoryCacheSecondary Memory (Disk)CPEG3232Magnetic DiskPurposeq qLong term,
Delaware - RFC - 1128
1#e#l#l#l#l#l#NORMAL.STY# #@HEAD LEVEL 1 = Introduction How do hosts and gateways in a large, dispersed networking community know what time it is? How accurate are their clocks? In a 1988 survey involving 5,722 hosts and gateways of the Internet syst
Delaware - RFC - 1128
RFC 1128Performance of the Network Time ProtocolOctober 19891. Introduction How do hosts and gateways in a large, dispersed networking community know what time it is? How accurate are their clocks? In a 1988 survey involving 5,722 hosts and gat
Delaware - RFC - 1305
1#0#^#^#c#c#c#NORMAL.STY# #POSTSCRPd#@#0@#xw#^#^#c#@HEAD LEVEL 1 = Introduction This document constitutes a formal specification of the Network Time Protocol (NTP) Version 3, which is used to synchronize timekeeping among a set of distributed time se
Delaware - ELEG - 403
1#9#:#:#:#:#:#NORMAL.STY# #@HEAD LEVEL 1 = Appendix C. Modem Data Carrier Detector Signal One of the most intractable algorithms is one that reliably discriminates FSK signals from noise in a hard-limiter demodulator. In these demodulators, the baseb
Delaware - ELEG - 93
1#9#:#:#:#:#:#NORMAL.STY# #@HEAD LEVEL 1 = Appendix C. Modem Data Carrier Detector Signal One of the most intractable algorithms is one that reliably discriminates FSK signals from noise in a hard-limiter demodulator. In these demodulators, the baseb
Delaware - ELEG - 403
1#@#NORMAL.STY# #IBMPRO#@HEAD LEVEL 1 = Appendix B. Word Error Rate for Asynchronous Radiotelegraph Signals @HEAD LEVEL 2 = Introduction An asynchronous radiotelegraph (RTTY) signal consists of a start bit interval followed by five or eight data bit
Delaware - ELEG - 93
1#@#NORMAL.STY# #IBMPRO#@HEAD LEVEL 1 = Appendix B. Word Error Rate for Asynchronous Radiotelegraph Signals @HEAD LEVEL 2 = Introduction An asynchronous radiotelegraph (RTTY) signal consists of a start bit interval followed by five or eight data bit
Delaware - ELEG - 403
1# @#z # # # # # #NORMAL.STY# #IBMPRO# # # #s#@HEAD LEVEL 1 = Appendix A. Operating Notes The hardware and software design described in this report implements a FSK modem/TNC for HF asynchronous Baudot (ITA-2) and synchronous SITOR/AMTOR (CCIR 476 Mo
Delaware - ELEG - 93
1# @#z # # # # # #NORMAL.STY# #IBMPRO# # # #s#@HEAD LEVEL 1 = Appendix A. Operating Notes The hardware and software design described in this report implements a FSK modem/TNC for HF asynchronous Baudot (ITA-2) and synchronous SITOR/AMTOR (CCIR 476 Mo
Delaware - ELEG - 403
WWV/H Demodulator and DecoderDavid L. Mills University of Delaware http:/www.eecis.udel.edu/~mills mailto:mills@udel.eduFrom NBS Special Publication 432 (1979 edition, now out of print)Apr 20, 20091Class project: a WWV/H receiver demodulato
Delaware - ELEG - 867
Cryptography and Network SecurityThird Edition by William Stallings Lecture slides by Lawrie BrownChapter 3 Block Ciphers and the Data Encryption StandardAll the afternoon Mungo had been working on Stern's code, principally with the aid of the l
Delaware - ELEG - 867
Chapter3Public-Key Cryptography and Message AuthenticationHenric Johnson Blekinge Institute of Technology, Sweden http:/www.its.bth.se/staff/hjo/ henric.johnson@bth.seHenric Johnson 1OUTLINE Approache to Me s ssageAuthe ntication S cureHas
Delaware - ELEG - 867
Chapter 9Intruders and VirusesHe Johnson nric Ble kingeI nstituteof Te chnology, S de we n http:/www.its.bth.se /staff/hjo/ he nric.johnson@ bth.seHenric Johnson 1Outline Intruders Intrusion Techniques Password Protection Password Selec
Delaware - ELEG - 867
Cryptography and Network SecurityThird Edition by William Stallings Lecture slides by Lawrie BrownChapter 19 Malicious SoftwareWhat is the concept of defense: The parrying of a blow. What is its characteristic feature: Awaiting the blow. -On War
Delaware - ELEG - 867
Cryptography and Network SecurityThird Edition by William Stallings Lecture slides by Lawrie BrownChapter 15 Electronic Mail SecurityDespite the refusal of VADM Poindexter and LtCol North to appear, the Board's access to other sources of informa
Delaware - ELEG - 867
Cryptography and Network SecurityThird Edition by William Stallings Lecture slides by Lawrie BrownChapter 5 Advanced Encryption Standard"It seems very simple." "It is very simple. But if you don't know what the key is it's virtually indecipherabl
Delaware - ELEG - 867
Cryptography and Network SecurityThird Edition by William Stallings Lecture slides by Lawrie BrownChapter 16 IP SecurityIf a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to who
Delaware - ELEG - 867
Cryptography and Network SecurityThird Edition by William Stallings Lecture slides by Lawrie BrownChapter 10 Key Management; Other Public Key CryptosystemsNo Singhalese, whether man or woman, would venture out of the house without a bunch of key
Delaware - ELEG - 867
Cryptography and Network SecurityThird Edition by William Stallings Lecture slides by Lawrie BrownChapter 4 Finite FieldsThe next morning at daybreak, Star flew indoors, seemingly keen for a lesson. I said, "Tap eight." She did a brilliant exhib
Delaware - ELEG - 867
NTP Security ModelDavid L. Mills University of Delaware http:/www.eecis.udel.edu/~mills mailto:mills@udel.eduSir John Tenniel; Alice's Adventures in Wonderland,Lewis CarrollApr 20, 20091NTP security modeloNTP operates in a mixed, multi-l
Delaware - ELEG - 867
NTP Security ProtocolDavid L. Mills University of Delaware http:/www.eecis.udel.edu/~mills mailto:mills@udel.eduSir John Tenniel; Alice's Adventures in Wonderland,Lewis CarrollApr 20, 20091Security protocol requirementsoIt must interoper
Delaware - ELEG - 867
NTP Security AlgorithmsDavid L. Mills University of Delaware http:/www.eecis.udel.edu/~mills mailto:mills@udel.eduSir John Tenniel; Alice's Adventures in Wonderland,Lewis CarrollApr 20, 20091Symmetric key and public key cryptographyoPubl
Delaware - ELEG - 403
1#k#NORMAL.STY# #POSTSCRP#@#0@#xw#@CHAPTER = Appendix <$R[C#]>. Program Listing /* * * * * Program to control LORAN-C radio * * * * This program controls a special-purpose radio designed to receive * * transmissions from the US Coast Guard LORAN-C na
Delaware - ELEG - 403
1#]#.#<#<#<#<#<#NORMAL.STY# #IBMPRO#=#<#<#<#@PARAFILTR ON = @Z_TOC TITLE = Abstract This report describes a digital modem for narrowband, direct printing radiotelegraph signals commonly used for data communications in the decametric (330 MHz) radio s
Delaware - ELEG - 93
1#]#.#<#<#<#<#<#NORMAL.STY# #IBMPRO#=#<#<#<#@PARAFILTR ON = @Z_TOC TITLE = Abstract This report describes a digital modem for narrowband, direct printing radiotelegraph signals commonly used for data communications in the decametric (330 MHz) radio s
Delaware - ELEG - 403
1#'#6#6#7#7#7#NORMAL.STY# #POSTSCRP8#@#0@#xw#6#6#7#@PARAFILTR ON = @Z_TOC TITLE = Abstract This report describes the design and construction of a specialized radio timing receiver for the LORAN-C radionavigation system. The computer-controlled receiv
Delaware - ELEG - 403
1#NORMAL.STY# #POSTSCRP#@#0@#xw#@CHAPTER = Appendix <$R[C#]>. Schematic Drawings # # # #2# # #(#03/23/9203/23/922#
Delaware - ELEG - 403
** ** Copyright (c) David L. Mills 1997-1998 ** ** Permission to use, copy, mo
Delaware - MATH - 243
Math243: Analytic Geometry & Calculus C Section 012Instructor: Zeying Wang Office: 315 Ewing Hall Phone: 3028316516 Office Hours: Monday, Wednesday, 11:00AM-12:00PM. Other times by appointment. Email: wangz@math.udel.edu Homepage: http:/www.math.ude
Delaware - MATH - 243
Solution to Homework 3 5. A line perpendicular to the given plane has the same direction as a normal vector to the plane, such as n = 1, 3, 1 . So r0 = 1, 0, 6 , and we can take v = 1, 3, 1 . Then a vector equation is r = 1, 0, 6 + t 1, 3, 1 = 1 + t,
Delaware - MATH - 243
Instruction for MapleZeying WangID and Password: ID: student, Password: m4th4UD. 1, You cannot save data in the computers, so you have to save it in your email or in your ashdrive. 2, The UNIX Instructional project # for Math 243-012, Spring 2008