Three classes based model of traceback system between ASs IETF59th Korea INCH-WG Toshifumi Kai (kai@trc.mew.co.jp), Hiroshige Nakatani (nakatani@trc.mew.co.jp) Naohiro Fukuda(fukuda@trc.mew.co.jp) Matsushita Electric Works, Ltd. Akira Hashiguchi(akira@cooweb.com), Teruaki Takahashi(c300070@ns.kogakuin.ac.jp) Katsuji Tsukamoto (tsukamoto@tsukaken.jp) Kogakuin University 2004/2/12
Traceback flow between ASs (4)Tracing (3)Request for Upstream AS Trace AS2 (5)Request for Trace (2)Tracing Upstream AS NMS AS1 (6)Tracing Upstream AS NMS Attacker (1)Attack NMS (7)Tracing Report AS3 Inside Attacker Victim
Additional Proposal As far as we have developed and tested Proto Traceback System using over several hundred nodes targeting on Japanese Local Government (LGWAN), we think there are several requirements for RID. *They requires tracing attack from end to end, and find it within a few minutes, and false positive rate within 5%. I) Add the range covers End to End as Classical (Layer) 1) Outside Layer … Cooperated with ASs (RID) 2) Intermediate Layer … Between Outside and Inside 3) Inside Layer … Inside AS II) Add Modes 1) Normal (Detailed) Mode ... Tracing in Detail 2) Quick (Simple) Mode …Tracing Quickly and Rough 3) Nested (Efficient?) Mode …Tracing using Nest Structure
Positioning of each Traceback System AS Cooperation Layer RID-DoS (Outside Layer) IP Option Traceback Control Layer (Intermediate Layer) iTrace AMS Inside Tracback Layer SPIE (Inside Layer) Hybrid
Three classes based model of traceback between ASs Traceback Information is exchanged between AS(s). Cooperation of the Internal Traceback and AS Cooperation Layer AS(s) Traceback is (Outside Layer) performed. Control Layer (Intermediate Layer) Inside Tracback Layer Tracing Attacked Path (Inside Layer) of inside AS or Boundary Router that attacks have passed.
Normal Tracing Mode (5)Request for (1)Tracing Trace Request for Upsteram AS Normal Tracing AS Cooperation Layer (Outside Layer) (4)Notify to ASs Control Layer which is on the line (Intermediate Layer) of Attacking Path (2)Tracing Boundary Router Inside Tracback Layer (Inside Layer) (3)Notification of Boundary Router
Quick Tracing Mode (1)Tracing (3)Request for Upsteram AS Request for Trace Quick Tracing AS Cooperation Layer (Outside Layer) (6)Notify to ASs Control Layer which is on the line (Intermediate Layer) of Attacking Path Inside Tracback Layer (2)Notify to All (Inside Layer) Neighbor ASs (3)Notification of (4)Tracing Boundary Router Boundary Router
Nested Tracing Mode AS Cooperation Layer (Outside Layer) NMS NMS Control Layer (Intermediate Layer) Inside Traceback Layer NMS NMS (Inside Layer) AS Corp Layer As an implementation, it will be better As an implementation, it will be better Ctrl Layer to do not only traceback for inside AS to do not only traceback for inside AS but the one between ASs as nested Inside Traceback Layer but the one between ASs as nested structure. structure.
Flow (1)Attack (6)Tracing Report Upstream AS (2)Tracing (4)Tracing Upstream AS Upstream AS AS Corp Layer Ctrl Layer (3)Request (5)Request for Trace for Trace Inside Traceback Layer AS1 AS2 AS3 (7)Tracing (2-1)Tracing Boundary (4-1)Tracing Boundary Inside Attacker Router Router
Tracing Modes Started AS Case1 Outside Layer Outside Layer Outside Layer Started AS Case2 Outside Layer Outside Layer Outside Layer (*RID) Started AS Case3 Outside Layer Outside Layer Outside Layer
Example Case of LGWAN (Japan) Government Offices - Normal - Quick Modes Case by Case … (13?) - Nest & Combination LGWAN AS 1 NMS Quick NOC of Government NMS … AS AS … 47 Tokyo Osaka Chiba Normal AS … Prefecture offices … NMS 3190 Nest AS AS AS … 677 Normal AS Cities ASASAS AS ASAS AS ASAS … NMS … 2513 Towns/Villages Population: 126,478,672 (2002)
Recommend
More recommend
