# CSCI6268L27 - Foundations of Network and Computer Security...

Foundations of Network and Computer Security, John Black, Lecture #27, Nov 6th 2009, CSCI 6268/TLEN 5550, Fall 2009

### Packet Marking

- Idea: mark packets as they pass through routers. The mark should give information about the route the packet took.
- One idea is to have every router a packet traverses mark it, by appending the router's IP address to a list in the IP header.
- Drawback: this is a HUGE burden to put on routers
  - They would have to mark EVERY packet
  - Packets would get enormous if they travel a long route
  - Packets might be forced to fragment

### Probabilistic Packet Marking

First, some assumptions:

- Attackers can generate any packet
- Attackers can conspire
- Packets can be lost or reordered
- The route from attacker to victim is mostly stable
- Routers are not widely compromised

### PPM: Continued

- Each router writes its address into a single 32-bit field, but only with probability p
- Routers don't care whether they are overwriting another router's mark
- The probability that the victim sees the mark of a router d hops away is p(1-p)^(d-1): that router marks the packet (probability p) and none of the d-1 routers between it and the victim overwrite the mark (probability 1-p each)
- This is monotonically decreasing in d, so the victim can sort routers by the number of marks received and recover the path: the fewest marks come from the furthest router, the next fewest from the next furthest, and so on

### PPM: Difficulties

- The IP header must be changed every time a router marks a packet
  - Storing the mark (has drawbacks)
  - Updating the header checksum (but this is already done for TTL decrements)
- We may need a LOT of packets to reconstruct a path
  - The expected number of packets before the victim sees one mark from a router d hops away is 1 / (p(1-p)^(d-1))
  - Suppose p = 0.51 and d = 15; then we need more than 42,000 packets to get a single sample from the furthest router
  - Getting the order right with 95% probability requires around 300,000 packets
- Multiple attackers complicate matters
  - With multiple attackers at the same distance, this all breaks down
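The following simulation is an added example and is not from the lecture. It models the single-field marking scheme above: a chain of routers (names such as `R1`..`R5` are made up for the simulation) each overwrites the one mark field with probability p, and the victim sorts routers by how many of their marks survive. It also evaluates the p(1-p)^(d-1) formula, which is how the 42,000-packet figure for p = 0.51, d = 15 is obtained.

```python
import random
from collections import Counter


def mark_probability(p, d):
    """Probability that a packet reaching the victim still carries the mark of
    the router d hops away: that router marks (p), and none of the d-1 routers
    closer to the victim overwrite it ((1-p) each)."""
    return p * (1 - p) ** (d - 1)


def expected_packets_for_one_sample(p, d):
    """Expected number of attack packets before the victim sees a single mark
    from the router d hops away (geometric distribution, mean 1/P)."""
    return 1.0 / mark_probability(p, d)


def node_sample(path, p, rng):
    """One packet travelling along `path` (router names listed from the attacker
    side towards the victim). Each router overwrites the single mark field with
    probability p. Returns the mark the victim sees, or None when no router
    marked, i.e. the attacker's own initial field value would survive."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router
    return mark


def reconstruct_path(path, p, n_packets, seed=0):
    """Victim side: count the marks seen over n_packets and order routers by
    count, most frequent first. Because p(1-p)^(d-1) decreases with d, that
    order is the route read from the victim outwards."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    counts = Counter()
    for _ in range(n_packets):
        mark = node_sample(path, p, rng)
        if mark is not None:
            counts[mark] += 1
    order = [router for router, _ in counts.most_common()]
    return order, counts


if __name__ == "__main__":
    # The lecture's numbers: p = 0.51, furthest router 15 hops away.
    print("expected packets for one sample at d=15:",
          round(expected_packets_for_one_sample(0.51, 15)))
    # Constructed five-hop route; R5 is the router adjacent to the victim.
    route = ["R1", "R2", "R3", "R4", "R5"]
    order, counts = reconstruct_path(route, 0.51, 20000)
    print("recovered order (victim-nearest first):", order)
    print("mark counts:", dict(counts))
```

Note what the counts show: with five hops and 20,000 packets the ordering is unambiguous because each router's count is roughly half the previous one, but at d = 15 the furthest router's expected share is about 2.3e-5 per packet, so even a single sample takes tens of thousands of packets.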

### Next Try: Edge Sampling

- Reserve two address-sized fields in the IP header, "start" and "end", and a small "distance" field as well
- When a router decides to mark a packet, it writes its address in the "start" field and zeroes the distance field
- When a router that does not mark the packet sees a zero in the distance field (the previous hop just started an edge), it writes its address in the "end" field
- A router that does not mark the packet then increments the distance field; marking routers never increment it
- The increment must use saturating addition
  - This is critical to minimize spoofing by the attacker; without it, the attacker could choose an initial distance that wraps around to zero and inject routers that appear close to the victim
- Now the attacker can only spoof marks with distance counts equal or