Speedy ip trace back(sipt) for identifying sadhan
Download as PPTX, PDF0 likes631 views
The document proposes a new method called Speedy IP Traceback (SIPT) to identify denial-of-service attacks. SIPT works by having routers insert the media access control (MAC) address of the client and the router's IP address into packets. This allows the destination to identify the attacker's boundary router and MAC address, tracing the attack path. Traditionally, mechanisms like ingress filtering, link testing, and packet marking have been used but have not kept pace with evolving attacks. SIPT provides a more direct way to find the router connected to the attacker.
Speedy ip trace back(sipt) for identifying sadhan
- 2. Denial-of-service (DoS) is a type of attack in networks in which an attacker may be able to prevent legitimate users from accessing email, web sites, online accounts(banking, etc.) Unfortunately, mechanisms for dealing with DoS attacks haven’t advanced at the same pace as the attacks themselves. This paper presents a new method for identifying denial-of-service attacks that uses the attacker’s media access control address for identification and trace back. 2
- 3. Introduction DoS. DDoS. SIPT for identifying the boundary router. Existing mechanisms. Conclusion. References. 3
- 4. In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate user from accessing information or services by targeting his computer and its network connection, or the computers and network of the sites that he is trying to use. Eg: flooding the network with information. 4
- 5. In a distributed denial-of-service (DDoS) attack, an attacker may use other user’s computer to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of other computers, thereby sending huge amounts of data to a web site or send spam to particular email addresses. 5
- 6. Speedy IP Trace back (SIPT) method finds boundary router (the router connected directly to the client). Once we know the boundary router and the attacker’s media access control (MAC) address, we can identify the attacker and find the attack path. 6
- 7. Boundary router: A router that connects the internet to a company’s intranet(a private computer network that uses IP technologies to secure any part of organization’s information). Media Access Control Address(MAC): MAC is a unique identifier assigned to network interfaces for communication on the physical network segment. 7
- 8. With SIPT, each router determines whether the packet came from a client, the router inserts a data link connection identifier for the source (client) and the IP address of its own incoming interface. With this additional source link address information in the packet, the destination can identify the attacker’s boundary router. 8
- 9. 1) Ingress filtering 2) Link Testing 3) Packet marking 9
- 10. The ingress filtering approach configures routers to block packets that arrive with illegitimate source addresses. This requires a router with enough power to examine the source address of every packet, and sufficient knowledge to distinguish between legitimate and illegitimate addresses 10
- 11. Administrators use two different types of link tests: input debugging and controlled flooding. Input Debugging: With this test, administrators capture and record specific details on IP packets that traverse networks. Once administrators know that an attack is in progress, they must find a unique characteristic common across attack packets. This is called the attack signature, which is used to differentiate attack traffic and determine the inbound interface 11
- 12. This involves sending large bursts of traffic link by link upstream and monitoring the impact on the rate of received attacking packets. While an attack is in progress, an administrator can run extended pings across each upstream link to see which has an effect on attacking traffic. Once the administrator finds this link on the router closest to the victim, the process is repeated with the next router upstream. 12
- 13. Packet marking 13
- 14. The router plays a vital role in SIPT. The router inserts the client’s data link identifier and its own IP address into the packet’s IP header using one of the several available packet-marking techniques. 14
- 15. Every packet that the server receives is hence marked with the MAC address of the machine that sent it and the IP address of the router the machine is connected to. The marking must be done at the first router because it alone knows the client’s MAC address. Subsequently, the attacker’s source MAC address will be lost when the MAC header is replaced in the next hop. 15
- 16. The server retrieves the IP address of the router the attacker is directly connected to and the attacker’s MAC address. The system can identify the attacker with just these two pieces of information. 16
- 17. Since our method has backward compatibility and supports incremental deployment, the probability of finding an attacker will increase with the percentage of routers. The SIPT approach doesn’t constitute a hop-by-hop trace back. Instead, it directly finds the boundary router connected to the attacker. 17
- 18. 1. S. Specht and R. Lee, “Distributed Denial of Service: Taxonomies of Attacks, Tools, and Countermeasures,” 2. P. Ferguson and D. Senie, Network Ingress Filtering. 3. S. Savage et al., “Network Support for IP Trace back,” 4. C. Gong and K. Sarac, “IP Trace back with Packet Marking and Logging,” 18