Next: Bandwidth attacks Up: MULTOPS: a data-structure for Previous: Introduction


Related work

Most of the techniques proposed so far for protection against denial-of-service attacks can be used in conjunction with MULTOPS. We quickly review the major techniques and how MULTOPS can augment them.

Ingress/egress filtering [ea00,Ins00] is performed by routers to eliminate IP spoofing, i.e., lying about one's own IP address in the header of outgoing IP packets. To stop spoofed packets, edge routers match the IP source address of each outgoing packet against a fixed set of known IP address prefixes; if no prefix matches, the packet is dropped. Another technique (a reverse-path check) is for a router to forward a packet out of interface $i$ only if a potential reply to that packet would, according to the router's routing tables, arrive on interface $i$; if not, the packet is dropped. Although these techniques are simple and effective remedies against IP spoofing, many routers are not configured to use them, and they are not complete solutions: a host can still spoof addresses within its own network's prefix. MULTOPS nevertheless benefits from them, because IP spoofing hurts MULTOPS' ability to detect attacks (see also Section 7.1).
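The two filtering checks described above, as an added illustration (this is not code from the MULTOPS paper or from any router vendor): an edge router with two customer-facing interfaces and one upstream interface applies a prefix-list ingress filter on the customer interfaces and a strict reverse-path check on every interface. The interface names, prefixes, routing table and sample addresses are constructed for the example. The last sample packet shows the gap the text mentions: a spoofed source that lies inside the sending customer's own prefix passes both checks.

```python
import ipaddress

# Added illustration, not from the MULTOPS paper: an edge router that applies
# ingress filtering on customer-facing interfaces and a strict reverse-path
# check on all interfaces.  Interface names, prefixes and addresses are
# constructed for this example.

# Ingress prefix lists: the source addresses a customer interface may
# legitimately originate.  The upstream interface carries arbitrary Internet
# sources, so it has no list and relies on the reverse-path check alone.
INGRESS_PREFIXES = {
    "cust0": [ipaddress.ip_network("192.0.2.0/24")],
    "cust1": [ipaddress.ip_network("198.51.100.0/25")],
}

# Routing table as (prefix, outgoing interface); longest prefix match wins.
ROUTES = [
    (ipaddress.ip_network("192.0.2.0/24"), "cust0"),
    (ipaddress.ip_network("198.51.100.0/25"), "cust1"),
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
]


def route_lookup(addr):
    """Return the interface the router would use to reach addr (longest match)."""
    best_net, best_iface = None, None
    for net, iface in ROUTES:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def passes_ingress_filter(in_iface, src):
    """Ingress filtering: src must fall inside a prefix registered for in_iface.
    Interfaces without a prefix list are not subject to this check."""
    prefixes = INGRESS_PREFIXES.get(in_iface)
    if prefixes is None:
        return True
    return any(src in net for net in prefixes)


def passes_reverse_path_check(in_iface, src):
    """Strict reverse-path check: a reply to src would be sent back out through
    the interface the packet arrived on, i.e. the best route to src points at
    in_iface.  If it does not, src is treated as spoofed."""
    return route_lookup(src) == in_iface


def filter_packet(in_iface, src):
    """Return 'forward', or a drop verdict naming the check that failed."""
    src = ipaddress.ip_address(src)
    if not passes_ingress_filter(in_iface, src):
        return "drop:ingress-filter"
    if not passes_reverse_path_check(in_iface, src):
        return "drop:reverse-path"
    return "forward"


if __name__ == "__main__":
    samples = [
        ("cust0", "192.0.2.7"),       # legitimate customer source
        ("cust0", "203.0.113.9"),     # customer spoofing an outside address
        ("upstream", "192.0.2.7"),    # outsider spoofing a customer address
        ("upstream", "203.0.113.9"),  # ordinary inbound Internet traffic
        ("cust0", "192.0.2.250"),     # spoofing inside the customer's own prefix: passes
    ]
    for iface, src in samples:
        print(f"{iface:9s} {src:15s} -> {filter_packet(iface, src)}")
```

The reverse-path check is what catches the outsider spoofing a customer address on the upstream interface, where no ingress prefix list applies; neither check can tell 192.0.2.250 sent by a host at 192.0.2.7 from a legitimate packet, which is why the text calls these techniques incomplete.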

IP Traceback assists in tracking down attackers post-mortem [SWKA00,SP01,DFS01]. This technique requires routers to mark packets with a low probability, such that the receiving end can reconstruct the route the packets followed, provided enough packets were sent. A similar technique is ICMP Traceback [Bel00]: when forwarding a packet, a router generates, with a low probability (1/20,000), an ICMP Traceback message that is sent along to the same destination. With enough traceback messages from enough routers along the path, the traffic source and path can be determined. The main advantage of these techniques is that they assist in finding attackers; they do not stop them.

All the traceback approaches have serious deployment and operational challenges. A sufficient number of routers need to support traceback before it is effective. Attackers can generate traceback messages too, so some form of authentication of traceback messages is necessary. The victim of a bandwidth attack might also not receive enough traceback messages because they might get dropped by overloaded routers. In addition, if an attack is very distributed, there may not be enough traceback information to find the attackers.
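The marking and reconstruction described in the two paragraphs above, as an added simulation (this is not code from the traceback papers or from MULTOPS): each router on a constructed four-router path overwrites a single mark field in the packet with its own address with probability MARK_PROB, and the victim ranks the marks it receives by frequency. The path addresses, the probability and the packet count are assumptions. The second run shows the authentication problem the text raises: an attacker who pre-fills the mark field with a forged router address appears to the victim as one more hop beyond the real path.

```python
import random
from collections import Counter

# Added simulation, not from the traceback papers or MULTOPS: probabilistic
# packet marking in the "node sampling" style.  Each router on PATH overwrites
# the packet's single mark field with its own address with probability
# MARK_PROB.  Path, addresses, probability and packet counts are constructed.

# Path from the attacker's first-hop router to the router adjacent to the victim.
PATH = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
MARK_PROB = 0.6  # assumption; kept above 0.5 so a forged mark ranks below every real router


def forward_packet(rng, mark):
    """Carry one packet along PATH and return the mark the victim sees."""
    for router in PATH:
        if rng.random() < MARK_PROB:
            mark = router  # routers nearer the victim overwrite earlier marks
    return mark


def collect_marks(n_packets, seed, forged_mark=None):
    """Victim side: tally the mark field over n_packets flood packets.
    forged_mark is the value the attacker writes into the field before sending
    (None models an attacker that leaves the field empty)."""
    rng = random.Random(seed)
    return Counter(forward_packet(rng, forged_mark) for _ in range(n_packets))


def expected_fraction(hops_from_victim):
    """Fraction of packets whose surviving mark belongs to the router that is
    hops_from_victim hops away (1 = adjacent): that router must mark, and every
    router closer to the victim must not."""
    return MARK_PROB * (1 - MARK_PROB) ** (hops_from_victim - 1)


def reconstruct_path(marks):
    """Order routers by mark frequency.  The router next to the victim marks
    most often, so descending frequency reads the path from the victim outwards;
    reverse it to match PATH's attacker-first ordering.  Unmarked packets (None)
    carry no information and are ignored."""
    ranked = [m for m, _ in marks.most_common() if m is not None]
    return list(reversed(ranked))


if __name__ == "__main__":
    honest = collect_marks(50_000, seed=7)
    print("honest attacker :", reconstruct_path(honest))
    # A forging attacker: its value survives only when no router marks, a fraction
    # (1-p)^4 = 0.4**4 = 2.56% of packets, below the farthest real router's
    # p(1-p)^3 = 3.84%, so it ranks last and looks like a hop beyond PATH[0].
    forged = collect_marks(50_000, seed=7, forged_mark="203.0.113.66")
    print("forging attacker:", reconstruct_path(forged))
```

Because marks are overwritten, the farthest router contributes only p(1-p)^(d-1) of the packets, which is why reconstruction needs a large number of packets and why a very distributed attack, where each source sends few packets, leaves too little marking information, as the text notes.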

A number of routers provide information about packets that could be used to implement the same detection heuristic that MULTOPS uses. Cisco routers, for example, support RMON [Cisb] and Netflow [Cisa]. Unfortunately, both RMON and Netflow data are expensive to process off-line. RMON copies complete packets to a port for off-line analysis, which slows down the router's normal operation. Netflow keeps a table with a 45-byte entry for every flow, which can be queried by and transferred to an external analysis program; Netflow provides no protection against attackers that blow up this table, for instance by sending packets from many different (spoofed) source addresses, each of which opens a new flow. In the worst case, RMON and Netflow can thus magnify an attack. MULTOPS, by contrast, is intended to be integrated into a router or a monitoring device for on-line analysis, and it runs in a fixed-size memory footprint so that attackers cannot run a MULTOPS device out of memory.
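The per-flow table behaviour discussed above, as an added illustration (this is not Cisco's Netflow implementation or MULTOPS code): a flow table keyed on the 5-tuple, once without a size limit and once with a fixed capacity and least-recently-used eviction, fed a constructed traffic mix of one legitimate flow followed by a flood in which every packet carries a distinct spoofed source. The 45-byte entry size is the figure the text gives for Netflow; the capacity, addresses and packet counts are assumptions.

```python
import random
from collections import OrderedDict

# Added illustration, not Cisco's Netflow implementation or MULTOPS code: a
# per-flow table keyed on the 5-tuple, in an unbounded and in a fixed-capacity
# form.  ENTRY_BYTES is the per-entry size the text quotes for Netflow; the
# capacity, addresses and traffic mix are constructed.

ENTRY_BYTES = 45


class UnboundedFlowTable:
    """One entry per distinct flow with no limit: memory grows with the
    attacker's source-address diversity."""

    def __init__(self):
        self.flows = {}

    def account(self, key, nbytes):
        self.flows[key] = self.flows.get(key, 0) + nbytes

    def memory_bytes(self):
        return len(self.flows) * ENTRY_BYTES


class BoundedFlowTable:
    """Fixed number of entries; the least recently touched flow is evicted
    (its accounting is lost here) when a new flow arrives and the table is full."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.flows = OrderedDict()
        self.evictions = 0

    def account(self, key, nbytes):
        if key in self.flows:
            self.flows[key] += nbytes
            self.flows.move_to_end(key)
            return
        if len(self.flows) >= self.capacity:
            self.flows.popitem(last=False)
            self.evictions += 1
        self.flows[key] = nbytes

    def memory_bytes(self):
        return len(self.flows) * ENTRY_BYTES


def make_packets(n_attack, seed):
    """Constructed traffic: a long-lived legitimate flow, then a flood in which
    every packet carries a distinct spoofed source, so each packet opens a flow."""
    rng = random.Random(seed)
    victim = "203.0.113.5"
    legit = ("192.0.2.10", victim, 6, 40000, 80)
    packets = [(legit, 1500)] * 10
    for src_int in rng.sample(range(1 << 32), n_attack):  # distinct 32-bit sources
        src = ".".join(str((src_int >> shift) & 0xFF) for shift in (24, 16, 8, 0))
        packets.append(((src, victim, 6, 12345, 80), 40))
    return legit, packets


def run(n_attack, capacity, seed=1):
    """Feed the same packets to both tables and report what each ends up holding."""
    legit, packets = make_packets(n_attack, seed)
    unbounded, bounded = UnboundedFlowTable(), BoundedFlowTable(capacity)
    for key, nbytes in packets:
        unbounded.account(key, nbytes)
        bounded.account(key, nbytes)
    return {
        "unbounded_entries": len(unbounded.flows),
        "unbounded_bytes": unbounded.memory_bytes(),
        "bounded_entries": len(bounded.flows),
        "bounded_bytes": bounded.memory_bytes(),
        "evictions": bounded.evictions,
        "legit_flow_retained": legit in bounded.flows,
    }


if __name__ == "__main__":
    for name, value in run(20_000, capacity=1000).items():
        print(f"{name:22s} {value}")
```

The unbounded table grows by one 45-byte entry per spoofed packet, which is the memory blow-up the text warns about; the bounded table stays at its capacity but, under a flood of new flows, evicts the legitimate flow and loses its accounting. A fixed memory footprint alone therefore does not settle what a device reports under attack; the data structure also has to keep useful information while bounded, which is the design goal the rest of the paper addresses for MULTOPS.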

Stone [Sto99] proposes CenterTrack, an overlay network that consists of IP tunnels which can be used to selectively reroute packets from routers on a network to special ``tracking'' routers. This architecture can be used to analyze traffic for signs of a bandwidth attack, and optionally drop traffic that seems suspicious. MULTOPS could probably be used as a component of CenterTrack to help routers determine whether a bandwidth attack is occurring and what IP addresses are involved.

Bellovin [Bel01] discusses aggregate congestion control and pushback. The central idea is to identify ``aggregates''--subsets of traffic defined by some characteristic, such as a particular destination address--that may be involved in the bandwidth attack. Pushback is a cooperative mechanism in which routers can ask adjacent routers to block an aggregate upstream. MULTOPS could be viewed as a data-structure for efficiently tracking the aggregate defined by IP addresses for which traffic flow is asymmetric.

Intrusion detection systems such as Bro [Pax99] try to detect attacks by monitoring network links over which the attacker's traffic transits. Armed with (statistical) knowledge about the normal behavior of different applications and protocols, these systems detect anomalies in traffic patterns and report a wide range of attack types. Although similar to MULTOPS in that they monitor traffic, the primary difference is that these systems do not attempt to stop attacks.


2001-05-11