===================================================
From twngan@cs.rice.edu Wed Feb 18 15:31:10 2004
===================================================

This paper introduces a new way to add network support for IP traceback. While it is impractical to add the whole trace in each and every packet, the paper suggests overloading a field in the IP header and probabilistically adding compressed data to each packet. During a DoS attack, when a large number of packets are sent along the same route, it would then be possible for the victim (destination) to reconstruct the whole path by statistical analysis of the data collected from that field.

This is an interesting and very useful technique for tracing an IP packet, given the constraints on the design and implementation of current packet-switching networks. Since it does not require additional knowledge of the network, it should be easily deployable. And since it does not introduce additional packets into the network during flooding, it is more network-friendly than other approaches. The only catch is the overloading of the identification field, which may or may not introduce incompatibility with other network "hacks." However, I don't see a better way to solve this problem. Overall, the suggestion is very practical and should work well.

===================================================
From santa@rice.edu Wed Feb 18 21:28:40 2004
===================================================

Practical Network Support for IP Traceback

Review: The paper attempts to detail a technique for tracing packet flooding attacks back to their sources. The basic approach is very simple - simply mark a fraction of the packets passing through any router. They actually trace the edges, by having 2 consecutive routers mark the path. The paper's contribution is that it deals with a realistic way to encode these edges and a practical way to enforce this in current internet protocols.

The problem they attempt seems a bit restrictive, as dealing with the large state of a distributed attack is not handled well. All DoS attacks nowadays are distributed. A host under attack has to do a lot of computation to discover each attacker. Their implementation with XOR-ing, hashing and fragmenting consists of cute hacks to fit into the IP header with little overhead. It seems more of an implementation kind of paper, as it really does not have any new theory.

===================================================
From ahae@cs.rice.edu Wed Feb 18 23:15:26 2004
===================================================

The authors propose a mechanism for localizing the source(s) of a denial-of-service attack. Packets are probabilistically marked with an identifier for an edge along which they travel inside the network. Since most denial-of-service attacks involve large numbers of packets, the path to the attacker can be reconstructed with high probability.

The paper is carefully written and pays special attention to backwards compatibility, incremental deployment, and potential countermeasures by the attackers. However, it could have benefited from more experimental data, e.g. an analysis of actual denial-of-service attacks. This would have answered many practical questions, such as: How many hosts are typically involved in an attack? At what rate can packets be expected to arrive from a particular host? And: Is the route between attacker and victim really stable, or can the sudden traffic increase trigger dynamic load balancing mechanisms and other second-order effects?

===================================================
From anupamc@cs.rice.edu Thu Feb 19 02:16:07 2004
===================================================

"Practical Network Support for IP Traceback"

This paper describes a method to discover the source of DoS attacks postmortem or while the attack is in effect. This is based on probabilistic packet marking by the routers on the path between the source and the destination. However, this paper does not give a mechanism to prevent the attack. One obvious extension to this work could be relaying the information from the victim to the routers to drop packets from the attacking host.

===================================================
From gulati@cs.rice.edu Thu Feb 19 12:52:13 2004
===================================================

Practical Network Support for IP Traceback

This paper presents a novel approach to IP traceback (which means locating the route to the source of flooding) and compares it with other existing approaches, such as ingress filtering, link testing and logging. Any kind of marking approach has two parts: "marking of packets" and "path reconstruction". Some marking algorithms discussed in the paper are:

1. Node append: every router appends itself to the packet and the victim gets the path from a single packet. This is too expensive to implement in practice due to resource constraints at routers and on packet size.

2. Node sampling: every router records itself at a particular place in the header with some probability p. So the victim can get a part of the route with every packet and it can construct it based on a certain number of packets with a very high probability. This approach doesn't converge very well and can't work with multiple routes.

3. Edge sampling: instead of a single router, an edge in the route is written in the header, along with its distance from the destination, and it can't be overwritten. This algorithm converges very well but requires a lot of space (72 bits) in the packet header.

The authors present a tradeoff between space requirement and number of packets for convergence and show that it can work by using the identifier field (16 bits) in the IP header. I think overall the paper is well presented and gives a novel idea for IP traceback. It also provides mathematical bounds in various cases as a proof of concept, but it lacks details and has a number of limitations. Some of the limitations are mentioned in the paper.

-Ajay

===================================================
From muhammed@ece.rice.edu Thu Feb 19 14:01:30 2004
===================================================

The problem the authors are addressing is to trace back the source of a DoS attack. Further, they limit their attention to the case of tracing up to that point from which the attack packets are originating. It is very likely that the host they trace back to is not the host the attacker directly used to launch the attack. These days the most common attacks and the most severe are the DDoS attacks. The hosts which have been taken over by the attacker launch a synchronized packet flood. Therefore, the problem they address is of limited use. But the algorithms they use to solve the limited problem are very innovative. Their algorithms quickly converge and incur very low router processing overhead due to their being based on the observation that DoS attacks are mostly aimed at depleting the bandwidth of the bottleneck link.