Three classes based model of traceback system between ASs IETF59th - - PowerPoint PPT Presentation

Three classes based model of traceback system between ASs

IETF59th Korea INCH-WG

Toshifumi Kai (kai@trc.mew.co.jp), Hiroshige Nakatani (nakatani@trc.mew.co.jp) Naohiro Fukuda(fukuda@trc.mew.co.jp)

Matsushita Electric Works, Ltd.

Akira Hashiguchi(akira@cooweb.com), Teruaki Takahashi(c300070@ns.kogakuin.ac.jp) Katsuji Tsukamoto (tsukamoto@tsukaken.jp)

Kogakuin University 2004/2/12

Traceback flow between ASs

Victim Attacker AS1 AS2 AS3 NMS NMS NMS

(1)Attack Report (2)Tracing Upstream AS (3)Request for Trace (4)Tracing Upstream AS (5)Request for Trace (7)Tracing Inside Attacker (6)Tracing Upstream AS

Additional Proposal

As far as we have developed and tested Proto Traceback System using

• ver several hundred nodes targeting on Japanese Local Government

(LGWAN), we think there are several requirements for RID. *They requires tracing attack from end to end, and find it within a few minutes, and false positive rate within 5%. I) Add the range covers End to End as Classical (Layer)

1) Outside Layer … Cooperated with ASs (RID) 2) Intermediate Layer … Between Outside and Inside 3) Inside Layer … Inside AS

II) Add Modes

1) Normal (Detailed) Mode ... Tracing in Detail 2) Quick (Simple) Mode …Tracing Quickly and Rough 3) Nested (Efficient?) Mode …Tracing using Nest Structure

Positioning of each Traceback System

IP Option Traceback RID-DoS iTrace AMS SPIE Hybrid

AS Cooperation Layer (Outside Layer)

Control Layer (Intermediate Layer) Inside Tracback Layer (Inside Layer)

Three classes based model of traceback between ASs

AS Cooperation Layer (Outside Layer)

Control Layer (Intermediate Layer) Inside Tracback Layer (Inside Layer) Traceback Information is exchanged between AS(s). Cooperation of the Internal Traceback and AS(s) Traceback is performed. Tracing Attacked Path

• f inside AS or

Boundary Router that attacks have passed.

AS Cooperation Layer (Outside Layer)

Control Layer (Intermediate Layer) Inside Tracback Layer (Inside Layer) Request for Normal Tracing

Normal Tracing Mode

(1)Tracing Upsteram AS (4)Notify to ASs which is on the line

• f Attacking Path

(5)Request for Trace (2)Tracing Boundary Router (3)Notification of Boundary Router

AS Cooperation Layer (Outside Layer)

Control Layer (Intermediate Layer) Inside Tracback Layer (Inside Layer) (3)Request for Trace

Quick Tracing Mode

Request for Quick Tracing (2)Notify to All Neighbor ASs (1)Tracing Upsteram AS (4)Tracing Boundary Router (6)Notify to ASs which is on the line

• f Attacking Path

(3)Notification of Boundary Router

Nested Tracing Mode

AS Cooperation Layer (Outside Layer) Control Layer (Intermediate Layer) Inside Traceback Layer (Inside Layer) AS Corp Layer Ctrl Layer Inside Traceback Layer

NMS NMS NMS NMS

As an implementation, it will be better to do not only traceback for inside AS but the one between ASs as nested structure. As an implementation, it will be better to do not only traceback for inside AS but the one between ASs as nested structure.

Flow

AS1 AS2 AS3

(1)Attack Report (3)Request for Trace (4)Tracing Upstream AS (5)Request for Trace (6)Tracing Upstream AS (7)Tracing Inside Attacker AS Corp Layer Ctrl Layer Inside Traceback Layer (2)Tracing Upstream AS (2-1)Tracing Boundary Router (4-1)Tracing Boundary Router

Tracing Modes

Outside Layer Outside Layer Outside Layer

Case1

Outside Layer Outside Layer Outside Layer

Case2 (*RID) Started AS Started AS

Outside Layer Outside Layer Outside Layer

Case3 Started AS

AS

Example Case of LGWAN (Japan)

Government Offices

Tokyo Osaka Chiba

… … … Towns/Villages … Cities Prefecture offices NOC of Government LGWAN

47 1 677 2513 3190 (13?)

Population: 126,478,672 (2002)

AS AS AS

…

AS AS AS

… AS

ASASAS ASAS AS

…

ASAS AS

… NMS NMS NMS NMS

Nest Normal Normal Quick

Case by Case & Combination

• Normal
• Quick
• Nest

Modes