Network Security. DoS. input debugging input debugging DoS. DoS Denial of Service:

DoS Denial of Service:

DoS DDoS Distributed DoS:

DoS DDoS IP IP IP DoS input debugging input debugging DoS DoS DoS input debugging Cisco DoS log-input Juniper

alert, log, sample

input debugging DoS

Stone input debugging DoS 1

1 2 3 4

5

6 7

特集 Network Security

youki-k@is.aist-nara.ac.jp

masafu-o@is.aist-nara.ac.jp

ICMP traceback ICMP traceback IP 2 ICMP traceback 2 1 DoS, DDoS ICMP trace-back ICMP ICMP traceback input debugging DoS

Stone

AS

EBGP peering DoS

egress edge router

egress edge EBGP

-1 DoS MPLS ATM EBGPによる 経路広告 エッジルータ 被害者 追跡ルータ 追跡用プライベートAS 運用ネットワークAS バックボーンルータ 物理リンク 仮想リンク（トンネル） 静的経路 静的経路 -1 input debugging

DDoS ICMP traceback IP ingress filter RFC2827 Unicast RPF i A A i Unicast RPF A i A j IPv4 IP identification IP identification IPv4 IPv6

Fragment Header IPv6

Flowlabel field

IPv4

IPv4

32bit IP identification 16bit

IP attack tree -2 Savage 3 IP (R_s ,R_e) IP identifica-tion R_s
R_e (R_s ,R_e) edge-id edge-id IP edge-id 0 R₀ ˆ R Rˆ
R₀
(R
R₀)

dis-tance 5bit edge-id

8 edge-id fragment

offset 3bit

-3

edge-id

edge-id edge-id fragment IP R_i h(R_i)

5

R_i R_i traceroute R_i R_i traceroute R_i R_i unnumbered traceroute tracer-oute R_i Dean 5 p GF(p) d f(x) f(x) d+1 P IP A₁,A₂, ,A_n f_P(x)
A₁xn-1_A 2xn-2 An-1xAn P IP log₂(p) log₂(d) IP Dean GF 2039 IP 3 2027, 2029, 2039 IP Z z₁
Z mod 2027, z₂
Z mod 2029,z₃
Z mod 2039 IP Y, Z z₃x_i5_z 2xi4z1x i3y3xi2 y2xi y1mod2039 f(x)

11bit, x_i 3bit, 1bit Reed-Solomon

8 8bit edge-id fragment

(R_i , ˜h ) h(R_i)
_˜h Song Savage IP IP 4 _IP R_s ,R_e h(R_s)
h(R_e) edge h h' IP

identification 5bit distance, 11bit edge

h(R_i) R_i

upstream router map

d S_d Song traceroute, skitter h(R_i)
_h(Rj) (i ≠ j) false posi-tive Song 60 DDoS 2w g h_i(x)
g(
i , x)
_,_ 0 _{i 2}w₎ flag w bit,

distance 5bit, edge (11w)bit

Song w
3 1500 DDoS

ver hlen TOS total length

identification flag offset

time to live protocol header checksum source IP address

destination IP address

offset distance edge-id fragment

0 2 3 7 8 15

Guruswami-Sudan6 _Reed-Solomon F Guruswami-Sudan k n nkn f(x) k,n IP f_P(x) 211 p₁,p₂,p₃ p₁p₂p₃>232 IP identification IPsec AH IPsec AH IP identification ICV Integrity Check Value

CAIDA

0.09% 1.6%

0.07% 0.7% 7

GRE, L2TP, IPsec tunnel

15%

RealAu-dio, Windows Media

VPN, IP ADSL 2 IP Snoeren 8 _IP 8byte 28byte k 2n _bit -4 digest table k k 2n_bit 1 Snoeren

SPIE Source Path Iso-lation Engine digest table

DGA Data Generation Agent ,

SCAR SPIE Collection and Reduction Agent ,

STM SPIE Traceback

Manager -5

DGA digest table

digest table SCAR SCAR

5

IP

1) Stone,R.:CenterTrack: An IP Overlay Network for Tracking DoS Floods, In Proceed-ings of USENIX Security Symposium'00(2000).

2) Bellovin,S.M.and Leech,M.D.:ICMP Traceback Messages,Internet Draft, draft-ietf-itrace-00.txt (2000).

3) Savage,S.,Wetherall,D.,Karlin,A. and Anderson,T.:Practical Network Support for IP Traceback, In Proceedings of SIGCOMM '00,pp.295-306(2000).

4) Song,D.and Perrig,A.:Advanced and Authenticated Marking Schemes for IP Trace-back, In Proceedings of INFOCOMM '01(2001).

5) Dean,D.,Franklin,M. and Stubblefield,A.:An Algebraic Approach to IP Traceback, In Proceedings of NDSS '01(2001).

6) Guruswami,V. and Sudan,M.:Improved Decoding of Reed-Solomon and Algebraic-geometry Codes, IEEE Transactions on Information Theory, Vol.45, No.6, pp.1757-1767(1999).

7) Shannon,C., Moore,D. and Claffy,K.:Characteristics of Fragmented IP Traffic on Inter-net links, In Proceedings of PAM2001(2001).

8) Snoeren,A.C., Partridge,C.,Sanchez,L.A., Jones,C.E.,Tchakountio,F., Kent,S.T. and Strayer,W.T.:Hash-based IP Traceback, In Proceedings of SIGCOMM'01(2001)

13 11 1 SCAR DGA digest table

STM k digest table STM SCAR DGA, SCAR, STM DoS IPsec SCAR, STM Snoeren k
3,Bloom 5 0.5% OC-3 4 47MB digest table IP DGA DGA ルータ SCAR DGA DGA ルータ SCAR DGA DGA ルータ SCAR STM 侵入検知システム からの問い合わせ digest table 収集データ 担当区域へ問い合わせ -5 SPIE