WIDE Paper-List in 2006
InterTrack: A federation of IP traceback systems across borders of network operation domains
wide-paper-traceback-acsac05-00.txt

WIDE Project: http://www.wide.ad.jp/
If you have any comments on this document, please contact ad@wide.ad.jp.

Title: InterTrack: A federation of IP traceback systems across borders of network operation domains
Author(s): Hiroaki Hazeyama (hiroa-ha@is.naist.jp)
           Youki Kadobayashi (youki-k@is.naist.jp)
           Masafumi Oe (masa@fumi.org)
           Ryo Kaizaki (kaizaki@sfc.wide.ad.jp)
Date: 01/05/2006

author = [Hiroaki Hazeyama and Youki Kadobayashi and Masafumi Oe and Ryo Kaizaki]
title = [InterTrack: A federation of IP traceback systems across borders of network operation domains]
type = [conference (Annual Computer Security Applications Conference, Technology Blitz Session)]
institution = [ACSA]
volume = []
number = []
pages = []
year = [12/07/2005]
site = [(will be published at http://www.acsa-admin.org/)]
wideareaname = [Area 3]
widewgname = [iptraceback]
keyword = [traceback, Denial of Service Attack]
references = [
]
summary_ja = []
summary = [
When tracking an attack across ASes, several issues arise: the operational cost of transferring tracking information to other network domains, the misuse of traceback systems to steal sensitive information or to consume resources on ASes, and the risk of depending on a specific traceback technique. To solve these issues, we propose InterTrack, an autonomous architecture for tracking attacks across the borders of ASes and for providing a foundation that combines detection, traceback and protection (Fig. 1). InterTrack runs a preliminary investigation of an attack path across Autonomous Systems (ASes) to find the attack-source ASes, while at the same time concealing the sensitive information of each AS. In parallel with the preliminary investigation, InterTrack can run a deep inspection within each suspected AS to locate the attacker. InterTrack can also trace an attack even if it crosses different address spaces through address translators (e.g. a NAT router or a 6to4 tunnel). Such parallel investigations are enabled by three characteristics of InterTrack: tracking stages separated along routing domains, independence of the tracking inside each network domain from every other domain, and interconnection of different traceback systems through messages that carry the tracking information. Because of these three characteristics, each tracking stage can not only employ a different traceback system according to its properties, but can also replace its traceback technique with another feasible one regardless of other stages or other domains. Furthermore, these three characteristics allow each network domain to apply its own operational policy to each attack tracking request. Because InterTrack can cooperate with detection systems and protection systems as shown in Fig. 1, we predict that InterTrack will expedite attack tracking and protection in practice, and will become a deterrent against network attacks.
]
misc = [
The BibTeX entry of the conference paper:

@INPROCEEDINGS{Hazeyama:ACSAC2005,
  AUTHOR    = {Hiroaki Hazeyama and Youki Kadobayashi and Masafumi Oe and Ryo Kaizaki},
  TITLE     = {{I}nter{T}rack: A federation of {IP} traceback systems across borders of network operation domains},
  BOOKTITLE = {Proceedings of Annual Computer Security Applications Conference, Technology Blitz Session},
  MONTH     = {December},
  YEAR      = {2005}
}
]