Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

Abstract

It is often useful to learn the path that packets take through the Internet, especially when dealing with certain denial-of-service attacks.
Published (Last): 22 February 2008
Bellovin [Page 1] Internet Draft draft-bellovin-itrace

Introduction

It is often useful to learn the path that packets take through the Internet.
This is especially important for dealing with certain denial-of-service attacks, where the source IP is forged. There are other uses as well, including path characterization and detection of asymmetric routes. There are existing tools, such as traceroute, but these generally provide the forward path, not the reverse. When forwarding packets, routers can, with a low probability, generate a Traceback message that is sent along to the destination. With enough Traceback messages from enough routers along the path, the traffic source and path can be determined.
Message Definition

The message contains the following fields (in this draft, we are not going to define the syntax of the different fields):

   Back link -- information on the previous hop (see below)
   Forward link -- information on the next hop
   Timestamp, in NTP format
   Traced packet -- as much of the traced packet as will fit
   Authentication data -- see below. Note: this is a variable-length field, since there are many different types of authentication fields.

Some requirements are imposed on the IP header of the Traceback message. If that interface has multiple addresses, the address chosen SHOULD, if possible, be the one by which this router is known to the previous hop. If the Traceback packet follows the same path as the data packets, this provides an unambiguous indication of the distance from this router to the destination.
More importantly, by comparing the distances with the link fields, a chain can be constructed and partially verified even without examining the authentication fields.

Link Fields

The purpose of the link fields is to permit easy construction of a chain of Traceback messages. They are further designed for examination by network operations personnel, and thus contain human-useful information such as interface names.
The subfields of a link field are always arranged in "forward order". That is, the "destination" subfield is always the address of the router closer to the ultimate recipient of the traceback packet. The association string is an opaque blob that is known to and used by both routers. If there are no such addresses (say, for a point-to-point link), a suitable string MUST be provisioned in both routers.
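The chain construction described above, as an added example that is not part of the draft: each Traceback message carries a distance (from the TTL) plus a back link and a forward link in forward order, and a recipient walks outward one hop at a time, accepting a message only when its forward link, association string included, matches the back link of the router already accepted one hop closer. The message layout, the addresses and the "stop at the first gap or conflict" rule are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    src: str    # router farther from the Traceback recipient
    dst: str    # router closer to the recipient ("forward order")
    assoc: str  # opaque association string shared by both routers

@dataclass(frozen=True)
class Traceback:
    router: str    # source address of the ICMP Traceback message
    distance: int  # hops from this router to the recipient (from the TTL)
    back: Link     # link from the previous hop to this router
    forward: Link  # link from this router to the next hop

def well_formed(m):
    # A router must be the source of its forward link and the destination of its back link.
    return m.forward.src == m.router and m.back.dst == m.router

def verify_chain(msgs, recipient):
    """Accept the message at distance d only if it is the sole well-formed candidate
    whose forward link equals the back link of the router accepted at d-1.  Returns
    router addresses nearest first; the chain stops at the first gap or conflict."""
    by_dist = {}
    for m in msgs:
        if well_formed(m):
            by_dist.setdefault(m.distance, []).append(m)
    chain, prev, d = [], None, 1
    while d in by_dist:
        cands = [m for m in by_dist[d]
                 if (m.forward.dst == recipient if prev is None else m.forward == prev.back)]
        if len(cands) != 1:
            break  # missing hop, or conflicting claims: nothing beyond here is verified
        prev = cands[0]
        chain.append(prev.router)
        d += 1
    return chain

# Constructed sample data (not from the draft): three honest routers, one forged message.
RECIPIENT = "198.51.100.10"
L01 = Link("203.0.113.1", RECIPIENT, "edge")
L12 = Link("203.0.113.2", "203.0.113.1", "a12")
L23 = Link("203.0.113.3", "203.0.113.2", "a23")
L34 = Link("203.0.113.4", "203.0.113.3", "a34")
SAMPLE = [
    Traceback("203.0.113.1", 1, back=L12, forward=L01),
    Traceback("203.0.113.2", 2, back=L23, forward=L12),
    Traceback("203.0.113.3", 3, back=L34, forward=L23),
    # Forged: claims to sit behind .3 but cannot reproduce .3's back link.
    Traceback("203.0.113.9", 4, back=Link("203.0.113.8", "203.0.113.9", "x"),
              forward=Link("203.0.113.9", "203.0.113.3", "bogus")),
]
```

The forged message is well-formed on its own but is excluded because its forward link does not match the back link the honest router at distance 3 reported; dropping the distance-2 message instead cuts the verified chain at the first hop.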
The association string is used to tie together Traceback messages emitted by adjacent routers.

Authentication data

An attacker may try to generate fake Traceback messages, primarily to conceal the source of the real attack traffic, but also to act as another form of attack. We thus need authentication techniques that are robust but quite cheap to verify. The ideal form of authentication would be a digital signature.
It is unlikely, though, that routers will be able to afford such signatures on all Traceback packets. Thus, although we leave hooks for such a variant, we do not further define it at this time.
Null Authentication Option

Given the TTL definition and the link fields, it is unclear whether or not we even need stronger authentication. An attacker at a given location can generate packets that appear to be coming from further away; he or she cannot generate packets that appear to be closer.
Thus, the uncorrupted routers between the target and the attacker will point unambiguously to some point of attack. That said, it is unclear if this is sufficient. The distributed denial of service attacks involved a massive amount of traffic from many different sources; plausible-looking fake chains could easily deceive a victim.
Cleartext Random Strings

A second authentication option is to include a unique cleartext string in the packet. The same string would be used for some interval (probably a few minutes). A validation field -- a digitally-signed list of the last several authentication strings, plus their validity intervals -- would prevent easy forgery of these strings.
Cleartext validation strings are unique per output interface. This makes it harder for the attacker to collect such strings as seen by the target of the attack, since the strings are headed towards the target, and hence away from the attacker. It carries its own guarantee of freshness, and if digitally signed can be presumed to be authentic.
A variation on this scheme would involve the router sending occasional separate validation messages. This removes the validation field from the traceback packets, at the cost of requiring the recipient to see two ICMP messages from the same router. Again, a validation field could be sent, listing the last several HMAC keys but not the current one.
This should be immune to forgery; again, though, it requires reception of at least two ICMP messages to fully validate the chain.

PKI Requirements

Digital signatures are useless without some way of authenticating the public key of the signer.
The ideal form of authentication would be a certificate-based scheme rooted in the address registries. That is, the registries are the authoritative source of information on who owns which addresses; they are thus the only party that can easily issue such certificates. Current registry-based databases can be used to verify the owner of an address block; this information can in turn be used to locate the appropriate root key.
If the average maximum diameter of the Internet is 20 hops, that translates to a net increase in traffic at the destination of about. This will help block attempts to time attack bursts. There does not appear to be any requirement for cryptographically strong pseudo-random numbers.
A suggested scheme involves examination of the low-order bits of a linear congruential pseudo-random number generator. If they are all set to 1, the packet should be emitted. As long as the period of the generator is maximal, all values, including all 1s in the low-order bits, will occur with the proper probability.
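The emission test described above, as an added example that is not the draft's code: a textbook LCG with modulus 2^32 (the Numerical Recipes constants are an assumption here), emitting a Traceback when the low-order k bits of the next output are all 1. The draft's point that all-ones occurs with probability 2^-k holds; the example also shows the caveat that, with a power-of-two modulus, the low k bits are themselves a full-period LCG mod 2^k, so the emissions land exactly 2^k packets apart.

```python
# Assumed LCG parameters (Numerical Recipes); full period 2^32 since C is odd and A = 1 mod 4.
M = 1 << 32
A = 1664525
C = 1013904223

class LcgSampler:
    """Per forwarded packet, decide whether to emit a Traceback message by testing
    whether the low-order k bits of the next LCG output are all set (probability 2^-k)."""
    def __init__(self, seed, k):
        self.state = seed % M
        self.mask = (1 << k) - 1

    def should_emit(self):
        self.state = (A * self.state + C) % M
        return (self.state & self.mask) == self.mask

def emission_positions(seed, k, n_packets):
    """Indices of the packets, out of n_packets, for which a Traceback would be sent."""
    s = LcgSampler(seed, k)
    return [i for i in range(n_packets) if s.should_emit()]

def gaps(positions):
    """Spacing between consecutive emissions.  Because the low k bits of an LCG
    mod 2^32 cycle with period exactly 2^k, every gap is 2^k: the long-run
    frequency is right, but the schedule is strictly periodic, not random."""
    return [b - a for a, b in zip(positions, positions[1:])]
```

A strictly periodic schedule is easy to anticipate, so a deployment that relies on emission timing being unpredictable would check the high-order bits, or use a generator whose low bits are not short-period, rather than the low-order bits of a power-of-two LCG.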
Although this document describes a router-based implementation of Traceback messages, most of the functionality can be implemented via outboard devices. For example, suitable laptop computers can be used to monitor LANs, and emit the traceback messages as appropriate, on behalf of all of the routers on that LAN.
Related Work

The other scheme proposed for packet Traceback is by Savage et al. In that scheme, in-flight packets may have their ID field changed to provide information about the path.
The recipient can decode this information. No extra traffic is generated. However, there are disadvantages as well. For one thing, the ID field cannot be changed if fragmentation is necessary, though they propose some schemes to ameliorate this. AH [RFC] provides cryptographic protection for the ID field; if it is modified, the packet will be discarded by the receiving system.
And IPv6 has no ID field at all.

Security Considerations

It is quite clear that this scheme cannot cope with all conceivable denial of service attacks.
It is limited to those where a significant amount of traffic is coming from a relatively small number of sources. Furthermore, those sources must themselves be in some sense evil or corrupted.
An attack based on inducing innocent and uncorrupted machines to send traffic to the victim would be traceable only to these machines, and not to the real attackers.

Author Information

Steven M. Bellovin