RID Implementation Report


RID Implementation Report Toshifumi Kai (kai@trc.mew.co.jp), Akito Nagashima (akito_nagashima@mewe1.mewnet.or.jp), Hiroshige Nakatani (nakatani@trc.mew.co.jp), Naohiro Fukuda (fukuda@trc.mew.co.jp), Shimizu Hiroshi (shimizu@trc.mew.co.jp)


SLIDE 1

RID Implementation Report

Toshifumi Kai (kai@trc.mew.co.jp), Akito Nagashima (akito_nagashima@mewe1.mewnet.or.jp), Hiroshige Nakatani (nakatani@trc.mew.co.jp), Naohiro Fukuda (fukuda@trc.mew.co.jp), Shimizu Hiroshi (shimizu@trc.mew.co.jp)
Matsushita Electric Works, Ltd.

Teruaki Takahashi (c300070@ns.kogakuin.ac.jp), Akira Hashiguchi (akira@cooweb.com), Takayuki Suzuki (t-suzuki@pf6.so-net.ne.jp), Katsuji Tsukamoto (tsukamoto@tsukaken.jp)
Kogakuin University

SLIDE 2

Plan for Test by Mew

  • 2004 Sep 27th – Oct 1st: Phase 1 (Finished) … RID system only

– MEW’s XML format is not the same as the RID format; no encryption and authentication

  • 2004 Nov 1st – Dec 30th: Phase 2 (Planned and ongoing) … RID with Traceback

– MEW’s XML format is not the same as the RID format; no encryption and authentication

  • 2005 Jan 1st – : Phase 3 (Not planned yet) … RID with Traceback

– Fully implemented system

SLIDE 3

MEW’s Implementation Status

  • Renaming the Source Found message to a result message, to cover the not-found case (-> history area)

‘Message Type 3 with NULL Attacker’s IP’ equals ‘Not Found’

  • Notification field for the traceback system added to the Source Found message (-> free form text area)

– It is necessary in the following case: if the initiator does not allow False Negative (FP) and uses Hash traceback, but the responder uses ICMP traceback, then the result may contain False Positives (FP), and the traced result may be meaningless for the initiator.

– Hash traceback can trace each packet, but ICMP traceback traces DoS/DDoS packets. So, we added used-traceback-type in some field.

– If the responder’s traceback system is down, this should be reported by the notification message.

  • MEW’s XML format is not equal to RID’s XML format

The implementation is not completed yet and is currently modified for test purposes.

  • Encryption and authentication are not implemented yet.

Implementation of SSL/XML encryption and authentication using a CA remains to be done.

  • Transport protocol is implemented with SOAP/HTTP/TCP

We used the SOAP/HTTP/TCP protocol stack for messaging.

SLIDE 4

Simple Test

  • We set up a very simple test case: a star topology and a straight chained topology with 7 PCs.

  • The 7 PCs act as NMSes, without routers and traceback systems between them.

  • We measured the response time until the source found (result) message is sent to the initiator NMS, and the CPU time the NMS spends handling the XML interpretation and SOAP communication, in the straight topology case where the AS number was 7.

SLIDE 5

Test Results

  • Straight Chained Topology: response time for traceback was 1.6 sec, and response time for handling SOAP/XML was 0.46 sec for 7 ASes.

  • Star Topology: response time for traceback was 0.6 sec, and response time for handling SOAP/XML was 0.23 sec for 6 ASes.

  • It will take about 0.1-0.22 sec per AS for handling traceback and 0.038-0.065 sec per AS for handling SOAP/XML, so the total response time will be about 0.138-0.285 sec per AS.

Note: We assume the tracing time (delay) inside each AS and feed it in as a fixed value.

– First and middle AS: 0.2 sec

– Attacker’s AS (final AS): 0.4 sec

(We plan to test with the real tracing time next month.)

SLIDE 6

Reference

SLIDE 7

Spec for NMS

NMS (RID) (Inter-AS traceback software)

  • Transport Protocol: TCP + HTTP + Open SOAP

  • Inter-AS Traceback Protocol: RID-mew (modified RID + XML)

  • CPU: Pentium 4 3.0GHz

  • Memory: 512MBytes

  • Network: Fast Ether (100Base-T)

SLIDE 8

Chained AS Topology

[Figure: table of AS Num against Topology. Each topology is a straight chain of ASes between the Victim (V) and the Attacker (A): AS1 alone; AS1 to AS4; AS1 to AS7.]

SLIDE 9

Timeline for Chained Trace

[Figure: timeline from Start-Tracing to Trace Finished for AS num = 4. AS1, AS2, AS3 and AS4 each run an Int-AS trace; Request messages pass from AS to AS and a Result message returns. Intervals t1, t2, t3 and t4 are marked, and the overall span is labelled Time to Trace.]

T = t1 + t2 + t3 + t4 = RID Processing Time (SOAP Protocol + XML Translation)

SLIDE 10

Chained Results

| AS num | Total tracing time for int-AS [sec] | RID processing time (SOAP protocol + XML translation) [sec] |
|---|---|---|
| 1 | 0.4 | 0.053916 |
| 2 | 0.6 | 0.096066 |
| 3 | 0.8 | 0.189532 |
| 4 | 1.0 | 0.252760 |
| 5 | 1.2 | 0.315661 |
| 6 | 1.4 | 0.401333 |
| 7 | 1.6 | 0.466741 |

*We assume that the tracing time inside each AS is a fixed value (first and middle AS: 0.2 sec; attacker’s AS: 0.4 sec).

[Chart: Tracing Time [sec] against AS Numbers (1 to 7). Series: RID Processing Time (SOAP Protocol + XML Translation); Total Time for tracing Internal AS.]

SLIDE 11

Star AS Topology

[Figure: table of Num of Neighbor AS (1, 3, 6) against Topology. Each topology is a star built from AS1 and its neighbor ASes (AS2, AS3, AS4). A: Attacker, V: Victim.]

SLIDE 12

Timeline for Star Topology

[Figure: timeline from Start Tracing to Trace Finished. AS1, AS2, AS3 and AS4 each run an Int-AS trace, with a Request message and a Result message exchanged; the overall span is labelled Time for Tracing.]

※ num of neighbor AS was 3

SLIDE 13

Star Results

| Num of neighbor AS | Tracing time for each int-AS [sec] | RID processing time (SOAP protocol + XML translation) [sec] |
|---|---|---|
| 1 | 0.6 | .9666 [digits lost] |
| 2 | 0.6 | 0.157692 |
| 3 | 0.6 | 0.177469 |
| 4 | 0.6 | .1839 [digits lost] |
| 5 | 0.6 | 0.219429 |
| 6 | 0.6 | 0.237459 |

[Chart: Tracing Time [sec] against num of Child AS (1 to 6). Series: RID Processing Time (SOAP Protocol + XML Translation); Time for each tracing Internal AS.]

*We assume that the tracing time inside each AS is a fixed value (first and middle AS: 0.2 sec; attacker’s AS: 0.4 sec).
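The tracing-time figures in the chained and star results follow directly from the fixed intra-AS delays; the sketch below is an added example, not code from the presenters, that rebuilds them and estimates the RID processing cost of each extra AS from the chained measurements. The function names are hypothetical, and treating the neighbor ASes of the star as tracing in parallel is an assumption read off the star timeline.

```python
# Added example: timing model for the chained and star tests (not the authors' code).
# Constants are the fixed intra-AS delays and measured values quoted on the slides.
FIRST_OR_MIDDLE_AS = 0.2   # sec, fixed tracing delay for first and middle ASes
ATTACKER_AS = 0.4          # sec, fixed tracing delay for the attacker's (final) AS

# Chained Results: AS num -> measured RID processing time (SOAP + XML) [sec]
CHAINED_RID = {1: 0.053916, 2: 0.096066, 3: 0.189532, 4: 0.252760,
               5: 0.315661, 6: 0.401333, 7: 0.466741}


def chained_trace_time(n_as):
    """ASes trace one after another, so the fixed delays add up along the chain."""
    if n_as < 1:
        raise ValueError("a chain needs at least the attacker's AS")
    return round(FIRST_OR_MIDDLE_AS * (n_as - 1) + ATTACKER_AS, 3)


def star_trace_time(n_neighbors):
    """Assumption: the first AS traces, then every neighbor AS traces in
    parallel, so the number of neighbors does not change the tracing time."""
    if n_neighbors < 1:
        raise ValueError("a star needs at least one neighbor AS")
    return round(FIRST_OR_MIDDLE_AS + ATTACKER_AS, 3)


def rid_cost_per_added_as(samples):
    """Least-squares slope of RID processing time against AS count [sec per AS]."""
    n = len(samples)
    mean_x = sum(samples) / n
    mean_y = sum(samples.values()) / n
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in samples.items())
    sxx = sum((x - mean_x) ** 2 for x in samples)
    return sxy / sxx


def chained_response_time(n_as):
    """Time until the result reaches the initiator: tracing plus RID processing."""
    return chained_trace_time(n_as) + CHAINED_RID[n_as]


if __name__ == "__main__":
    for n in sorted(CHAINED_RID):
        total = chained_response_time(n)
        print(f"chain of {n}: trace {chained_trace_time(n)} s, "
              f"total {total:.3f} s, {total / n:.3f} s per AS")
    print("star, 6 neighbors: trace", star_trace_time(6), "s")
    print(f"RID cost per added AS: {rid_cost_per_added_as(CHAINED_RID):.4f} s")
```

For 7 chained ASes the model gives about 0.295 sec per AS, slightly above the 0.285 sec quoted in the test results, which is the sum of the two truncated per-AS figures (0.22 and 0.065).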

SLIDE 14

RID-Anime (Tracing)

[Animated diagram. Nodes: Victim (Web-Server), Attacker, NMSes, AS1, AS2, AS3, NP1, NP2, NP3, NP4. Message labels: Attack Report, Req, Auth, Trace, Found, pending. Captions: "Found!", "...2 min later".]

SLIDE 15

RID-Anime (Filtering)

[Animated diagram. Nodes: Victim (Web-Server), Attacker, NMSes, AS1, AS2, AS3, NP1, NP2, NP3, NP4. Message labels: Attack Report, Req, Trace, Auth (Approved), Auth (Denied), Filter Source (available). Caption: "Not Found!".]

SLIDE 16

RID-Anime (Probabilistic Traceback)

[Animated diagram. Nodes: Victim (Web-Server), Attacker, NMSes, AS1, AS2, AS3, NP1, NP2, NP3, NP4. Traceback labels: Hash, H Trace, iTrace. Message labels: Attack Report, Req, Auth, Found. Caption: "Found!".]

*NP1 and NP3 belong to the same consortium

SLIDE 17

RID-Anime (Multi-Traceback)

[Animated diagram. Nodes: Victim (Web-Server), Attacker, NMSes, AS1, AS2, AS3, NP1, NP2, NP3, NP4. Traceback labels: Hash, iTrace + Hash, H Trace, iTrace. Message labels: Attack Report, Req, Auth, Found. Caption: "Found!".]