Research on a Dos attack-based random packet tagging source tracking algorithm

Author: Hunger Garfield (QQ120474)
Iojhgfti@hotmail.com

Absrtact: For the increasingly rampant denial of service (DoS) attacks on the Internet, this paper analyzes the performance defects of the traditional random data packet tagging algorithm, proposes a new return tracking algorithm based on hash message authentication code, and hppm that the algorithm improves the efficiency and accuracy of the return tracking DoS attack by analyzing its performance index.
Thank you for helping me a few master Sango [NSFocus], SUNWEAR[E.S.T], Isno[xfocus], Scz[nsfocus]
1. Introduction
Denial of service attacks, called DOS (Denial-of-service), is a common hacker attack behavior. This attack behavior by sending the packet request with the false source address, causes the network server to flood the information which waits for the reply, consumes the network bandwidth or the system resources, causes the network or the system service overload, the service quality drops, until the paralysis and stops the normal service. Sometimes, in order to improve the effectiveness of the attack, hackers often combine multiple attack sites to attack the victim. Because Dos attacks are easy to implement, difficult to defend, and it is difficult to return to trace the source of an attack, it becomes a security issue that seriously invades the normal functioning of network service providers, government agencies and financial securities.
2. IP return tracking related technologies
To completely eliminate a Dos attack, it must be traced to the real attack machine or attacker. This approach is called IP return tracking (IP traceback). Because the DOS attacker often spoofed the source address when sending the attack packet, the IP return tracking is very difficult. Common IP return tracking methods include: Ingress filtering (ingress filtering), connectivity testing (link testing), ICMP tracking [7], login analysis (Logging), Source path isolation engine (SPIE), IPSec tracing, and random packet marking tracking (PPM) [2]. Performance comparisons between the various tracking techniques, as shown in table 1.
Management burden network burden router burden distributed capability post-tracking capability prevention/response
Enter filtration Medium low medium n/a prevention
Input debugging high and low good difference reaction
Low and high differential response of control flow
Landing analysis high and low, excellent reaction.
ICMP tracking low low low good excellent reaction
Packet marking low low low good excellent reaction
Table 1 Performance comparisons for several IP return tracking technologies [2]
3. HPPM IP return tracking algorithm
3.1 PPM algorithm (probabilistic Packet marking)
The main principle of the random packet marking algorithm PPM is as follows: The router takes a certain probability P (usually 1/25) [2], which is randomly tagged through its packet with its IP address or part of its IP address. When a Dos attack occurs, the victim rebuilds the attack path based on the token information in the attack packet it received. Using the PPM algorithm, the router is less burdensome, and the use of labeled edge compression and fragmentation technology greatly reduces the additional network traffic. Furthermore, the method can track the attack source after the attack is over. PPM has a good tracking effect on Single-source Dos attacks.
However, due to its own defects, the PPM algorithm does not return to tracking DDoS attacks (Distributed–denial–of–service) well. First, because routers randomly tag packets with probability p, the attacker is given the opportunity to write the forged tag information into the header of the attack packet (typically the identifier field), so long as the packet is not tagged by its router until the target host, it can forge a side path in the attack path To prevent the victim from tracking the real source of the attack. Secondly, in order to save the storage space and reduce the network burden, PPM uses edge tag compression and fragmentation storage technology. However, fragmented storage can cause the victim to combine fragments that are not part of the same packet, generating the wrong side path. The edge compression method of labeling (A0+B) 0+b=a (A, B, respectively, is the IP address of the neighboring two routers on the attack path) will significantly exacerbate this effect and further generate the wrong attack path. When a DDoS attack occurs, there are multiple attackers at the same distance, and the effect is more severe [2].
3.2 hppm algorithm
For the above defects of PPM algorithm, we propose a packet marking algorithm hppm based on hash message authentication code HMAC, and adopt new marking overlapping slicing strategy to improve the performance of IP return tracking Dos attack (especially DDoS attack).
In this algorithm, the router RI randomly tags the packets passing through it, including the IP address of RI and the IP address of the next hop router RJ, a total of 64 digits. In order to conserve the marked storage space, without undue impact to the user, the algorithm uses the 16-bit identifier field (Identifier) in the IPV4 header, the 1-bit idle flag bit (flags) [1], and the 13-bit displacement field (according to the statistics, currently less than 0.25% of packets need to be fragmented [2]), The 8-bit TOS field (type-of-service) [1], which is generally rarely used, stores a total of 38 bits to store the tagged fragmentation information. 64-bit tag information is divided into k=8 slices, each piece occupies 8 bits, the fragment offset value occupies the log2k=3 bit, the RI to target host's distance value occupies 5 bits (25-1=31 jumps, applies to the most current network [2]), is used for verifies the HMAC value to be 22 digits.
Hash message authentication code, referred to as HMAC, is an authentication mechanism based on message authentication code (authentication code). When using HMAC, the two sides of the message communication authenticate the authenticity of the message by verifying the authentication key (k) added in the message; HMAC also attracts a hash function h, which encrypts the message to further ensure the security and validity of the message authentication. The specific calculation method for HMAC is as follows:
HMAC (m,k) = h (K0+opad, H (K0+ipad, M))
wherein, the ipad = Word 0x36 repeat b, opad = 0x5c repeat b, M = The message string to be encrypted, B = The word length of the message string. For more detailed information on HMAC, please refer to the documentation RFC 2104[6].
In the HPPM algorithm, we adopt the one-time password mechanism OTP (one-time Password) [4][5], first let each router ri generate a set of private key sequence {Kij} (j=0, 1, 2 ...). ）。 This set of private key sequences is generated by the one-way hash function f and has the following rules: Kij-1 =f (Kij). Because function f is one-way, the newest key Kij can roll out all the Kij-1, Kij-2 ... that it has previously generated ... Ki0, but the next key cannot be pushed based on the existing key, which ensures that the RI key cannot be forged by others. Each time the router RI passes a fixed interval, the private key ki is replaced according to the above method, and the key that is just stopped is released in a reliable manner. When packet p passes through RI, RI uses the HMAC function H and the current private key Ki to encrypt the IP address of the RI and the destination address of P, namely: H (M,ki), where M = IP (Ri) +ip (destination). The specific marking steps are as follows:
Marking procedure at Router Ri:
Let M is the marking massage IP (Ri) + IP (Rj)
Let K is the number of fragments in M
Let H is the HMAC function
Let Ki is the private key of Ri at current time interval
For each packet W
Let X is a random number from [0..1]
If x < P then
Let HMAC is the HMAC value of IP (Ri) +ip (w.destination)
HMAC: = H (IP (Ri) +ip (w.destination), Ki)
Let O is a random integer from [0..k-1]
Let F is the fragment of M at offset O
Write F into W.frag
Write 0 into W.distance
Write o into W.offset
Write HMAC into W.hmac
Else
Increment w.distance
The following is a discussion of the victim's reconstruction of the attack path. When a Dos attack occurs, the victim begins to collect the token fragment and record its arrival time. We assume that attackers send a large number of attack packets, then the victim can collect enough tag fragments, and then according to the fragment offset value, will have the same attack distance D and HMAC value of the fragment recombination, generate edge path, and then generate the entire attack path. Because the attacker could spoof the tag packet, the interference returned to the tracking process, so the generated side path needs to be authenticated. The specific identification method is: The victim and the router Ri (service provider) Contact, obtain RI's latest private key K, and then use the same hash function f to calculate the private key ki used when RI tag p, based on K and packet p arrival time (which requires consideration of latency), and then based on RI and its own IP address, and Ki, Calculates that the HMAC value is compared to the HMAC value in the tagged packet, which indicates that the side path is valid, otherwise it is discarded. The exact process of rebuilding the attack path is as follows:
Path reconstruction procedure at victim V:
Let Fragtbl is a table of tuples (Frag, offset, distance, HMAC, time)
Let G is a tree with root V
Let edges in G tuples (start,end,distance,hmac,time)
Let Maxd: = 0
Let-Last: = V
For each packet w attacker
Let Rectime is the time when V receives the packet W
Fragtbl.insert (W.frag,w.offset,w.distance,w.hmac,rectime)
If w.distance > Maxd Then
Maxd: = W.distance
For D: = 0 to Maxd
For all ordered combinations of fragments has the same HMAC value at distance D
Construct Edge Z (IP (Ri), IP (Rj), W.distance, W.hmac, Rectime)
Start of HMAC Authentication
Let K is the private key of Ri at current time interval
Let Ki is the private key of RI at the time interval when RI marked the packet w
Let F is the function to get Ki according to K and Rectime
Ki: = f (K, Rectime)
If W.hmac = H (IP (Ri) +ip (v), Ki)
Insert Edge Z (IP (Ri), IP (Rj), w.distance) into G
End of HMAC authentication
Remove any edge (X,y,d,hmac,time) with d≠distance from X to V in G
Extract path (Ri.. RJ) by enumerating acyclic paths in G
4. Performance analysis of HPPM algorithm
4.1 Attack Convergence Packet number
According to [2], the probability of the victim receiving the tag packet from the farthest router on the path to D is: P (1-p) d-1. Conservative assume that the victim receives the same probability that a router sends the packet to mark it at the farthest distance d. and independent of each other, so the probability that any packet received by the victim is marked by some routers on the path of the packet will have the expected value: 1/DP (1-p) d-1.
According to the coupon-collector question [8], the data packets received by the victim from the path of D, including at least one token packet issued by each router in all D routers, receive the desired number of packets, with the following expectations: 1+d/(d-1) +d/(d-2 ) +......+d/2+d = d (ln (d) +o (1)). The above value is KD (ln (KD) +o (1)), considering that each tag packet is divided into K slices and a total of KD slices. Therefore, the number of packets required to rebuild the attack path D (including the D-router) is n, with expected values:
E (N) <kd (ln (KD) +o (1))
1/DP (1-p) d-1≈k
ln (KD)/P (1-p) d-1
Therefore, the algorithm has the same number of attack convergence packets as PPM edge labeling algorithm [2].
4.2 Robustness
In the PPM algorithm [2], the probability of the victim accepting any candidate side path is 1/2h for a hash random function with an output length of H. If there are m attackers, then at a certain distance d, at worst there will be M independent routers. Therefore, at the distance of victim D, the maximum probability that this is not in the actual attack path is accepted by the victim (i.e., the positive error [3]) will be: N (1-1/2h) (of which N=MK) [2]. Because, at worst, there will be a MK marker fragment from D. When the K value or M value is large, this probability will also become very large. The HMAC authentication mechanism used by HPPM algorithm can effectively identify the attacker's forged edge path and filter out the forged edge path from the candidate side path, so that the positive error caused by the algorithm is reduced, and the accuracy of the return tracking is improved.
4.3 Router burden
Because of the use of HMAC and a one-time password mechanism to encrypt the edge tag in an attack packet, intermediate routers do not have to bear the XOR (A0+B) 0+b of each router in the PPM algorithm for its IP address and existing edge tags. HMAC's calculation process is simple and scalable, and it is easy to replace the underlying hash function when discovering or requiring a faster or more secure hash function, see document [6]. To make the packet tagging process more secure, the router needs to periodically replace the private key that it uses to encrypt the edge tag. This cycle requires appropriate selection, the cycle is too short will give the router an additional burden, and not conducive to synchronization with the victim, the cycle is too long and affect the security of the algorithm, you can consider 10 seconds as its order of magnitude [3].
4.4 Victim Burdens
Because a one-time password mechanism is used, the victim needs to obtain the private key used when the upstream router encrypts the edge tag. One possible way to do this is to the upstream router publishes the latest key through a trusted channel (e.g., posted on the Web site), and the victim identifies the authenticity of the edge tag by simply downloading the latest key from the router, which, based on the latest key, can calculate all the keys used for the router's previous encryption edge tag. This process can be done in constant time.
4.5 Algorithm Limitations
HPPM algorithm, which requires the victim to master the network topology structure, has its upstream router map, which limits the development of the algorithm to some extent. The victim and the intermediary router the process of synchronizing the key requires further consideration.
5. Summary and future work
This paper describes a new random packet marking algorithm based on hash message authentication Code HMAC (HPPM), which can be used to return the attack source of tracking Dos attack, and reduce the error caused by the attacker's forgery of the packet marking, and improve the security and accuracy of the return tracking. However, the algorithm also has imperfections, such as: As with most return tracking algorithms, the HPPM algorithm is a reactive tracking algorithm, that is, only if an attack does occur can the trace. Also, the algorithm cannot actually track the true source of the attack and can only return the border router that traces to the nearest source of attack. All these questions need to be studied further.

Reference documents
[1] W.richard Stevens, Fan Jianhua Huguang Zhang, Shehiren School, "TCP/IP detailed--Volume 1: Agreement" [M], 1th edition, Beijing: Machinery Industry Press, April 2000, 第24-27, 111-112 pages.
[2] s.savage, D.wetherall, A.karlin and T.anderson. Practical network support for IP Traceback[c]. In ACM Sigcomm, Stockholm, Sweden, 2000, 295-306.
[3] D.x.song and A.perrig. Advanced and authenticated marking schemes for IP Traceback[c]. In IEEE INFOCOMM, April 2001.
[4] N.haller, the S/key one-time Password system[z], Internet RFC 1760, February 1995.
[5] N.haller, A one-time Password system[z], Internet RFC 2289, February 1998.
[6] H.krawczyk, M.bellare, and R.canetti, hmac:keyed-hashing for message authentication[z], Internet RFC 2104, February 1 997.
[7] S.m.bellovin. ICMP Traceback Messages[z]. Internet Draft:draft-bellovin-itrace-00.txt.march 2000.
[8] W.feller. An Introduction to probability theory and its applications[m]. 2nd edition, Volume 1. Wiley and Sons. 1966.
[9] K.park, H.lee. On the effectiveness of probabilistic Packet marking for IP Traceback under
Service Attack[c]. In IEEE Infocom, 2001.