Scalable IP Traceback for Internet Attack Attribution, 10-9446Printer Friendly Version
Inclusive Dates: 01/01/04 - 12/31/04
Background - The Internet has rapidly become a critical component of the national infrastructure, but its lack of basic security mechanisms creates a fertile environment for malicious users. A 2003 study estimates there are on the order of 25 billion intrusion attempts per day on the Internet, and the number is rising. Internet viruses, worms, and distributed denial of service (DDoS) attacks cause major disruptions and economic loss. More alarming are stealthy attacks aimed at stealing sensitive information and compromising vital systems. Network firewalls and intrusion detection systems (IDS) provide limited security by detecting and thwarting certain types of attacks. However, the current Internet infrastructure has no mechanism to trace an attack back to its source. This failure in attribution, combined with broadband connections to the home, has lead to the invisible and repeated use of hundreds of thousands of compromised computers for malicious activities such as SPAM e-mailing, DDoS attacks, information theft, and sophisticated espionage activities.
Approach - Our project designed Autonomous System Traceback (AST), a novel and practical solution for automatically tracing single internet provider (IP) packets to their source. The key to AST is that it takes advantage of the top-level Internet organization. The Internet is a loosely coupled organization of independent carrier and user networks, known as autonomous systems (AS). AST recognizes that traceback needs to identify only the AS path; it does not require identifying each router or switch. Passive packet monitors are placed at AS border routers to record hash signatures of each incoming packet. When an AS receives a traceback request, it asks its border monitors if they recorded that packetís signature. If so, the AS was part of the packetís path. Moreover, the AS knows which network or networks are connected to that border router and therefore know the preceding AS in the path.
Single-packet traceback is a difficult technical problem because of high bandwidths and traffic volumes at Internet backbone routers. AST offers a more scalable and economic solution than router-based traceback because interior routers are not affected. AST is also sensitive to broader industry and individual concerns such as user privacy, protection of sensitive information, provider cooperation, and forensics. For example, AST protects user privacy by recording only one-way hashes of packet headers. Packet information is not saved nor can it be reconstructed from the recorded hashes.
Accomplishments - The AST project accomplished its two primary goals: 1) prove that hash-based monitoring is feasible with existing memory and storage devices, and 2) design the communications protocol and algorithm for AS traceback and test it through development of prototype software. To prove AST monitors are technically feasible, we conducted a formal analytical analysis to determine monitor storage and processing requirements for Internet backbone links. Results show that AST monitors built from COTS hardware could record several days of traceback data for current backbone routers with OC-192 links (10 Gbps). We then implemented and tested a prototype version of the AST protocol and traceback algorithm in Jython, a rapid development scripting language. Finally, we conducted simulation studies using real Internet topology data. Our simulations indicate that AST would be useful in locating packet sources even for the case where a fraction of Internet providers participate in the system.