DoS Denial of Service:
DoS DDoS Distributed DoS:
DoS DDoS IP IP IP DoS input debugging input debugging DoS DoS DoS input debugging Cisco DoS log-input Juniper
alert, log, sample
input debugging DoS
Stone input debugging DoS 1
Special Feature: Network Security
youki-k@is.aist-nara.ac.jp
masafu-o@is.aist-nara.ac.jp
ICMP traceback ICMP traceback IP 2 ICMP traceback 2 1 DoS, DDoS ICMP traceback ICMP ICMP traceback input debugging DoS
Stone
AS
EBGP peering DoS
egress edge router
egress edge EBGP
-1 DoS MPLS ATM [Figure 1 labels: route advertisement via EBGP, edge router, victim, tracking router, private AS for tracking, operational network AS, backbone router, physical link, virtual link (tunnel), static route, static route] -1 input debugging
DDoS ICMP traceback IP ingress filter RFC2827 Unicast RPF i A A i Unicast RPF A i A j IPv4 IP identification IP identification IPv4 IPv6
Fragment Header IPv6
Flowlabel field
IPv4
IPv4
32bit IP identification 16bit
IP attack tree -2 Savage 3 IP $(R_s, R_e)$ IP identification $R_s$ $R_e$ $(R_s, R_e)$ edge-id edge-id IP edge-id 0 $R' \oplus R$ $R \oplus R'$ $(R, R')$
distance 5bit edge-id
8 edge-id fragment
offset 3bit
-3
edge-id
edge-id edge-id fragment IP Ri h(Ri)
5
[Figure 2: attack tree; labels: attackers $A_1$, $A_2$, $A_3$, routers $R_1$, $R_2$, $R_3$, victim V] $A_i$ $R_i$ V $R_i$ $R_i$ traceroute $R_i$ $R_i$ traceroute $R_i$ $R_i$ unnumbered traceroute traceroute $R_i$ Dean 5 p GF(p) d f(x) f(x) d+1 P IP $A_1, A_2, \ldots, A_n$ $f_P(x) = A_1 x^{n-1} + A_2 x^{n-2} + \cdots + A_{n-1} x + A_n$ P IP $\log_2(p)$ $\log_2(d)$ IP Dean GF(2039) IP 3 2027, 2029, 2039 IP Z $z_1 = Z \bmod 2027$, $z_2 = Z \bmod 2029$, $z_3 = Z \bmod 2039$ IP Y, Z $z_3 x_i^5 + z_2 x_i^4 + z_1 x_i^3 + y_3 x_i^2 + y_2 x_i + y_1 \bmod 2039$ f(x)
11bit, xi 3bit, 1bit Reed-Solomon
8 8bit edge-id fragment
$(R_i, \tilde h)$ $h(R_i) = \tilde h$ Song Savage IP IP 4 IP $R_s$, $R_e$ $h(R_s)$ $h(R_e)$ edge h h' IP
identification 5bit distance, 11bit edge
h(Ri) Ri
upstream router map
d $S_d$ Song traceroute, skitter $h(R_i) = h(R_j)$ ($i \neq j$) false positive Song 60 DDoS $2^w$ g $h_i(x) = g(i, x)$ $g(\cdot, \cdot)$ ($0 \le i < 2^w$) flag w bit,
distance 5bit, edge $(11 - w)$bit
Song w3 1500 DDoS
[Figure 3: IPv4 header and the marking layout of the identification field]
ver | hlen | TOS | total length
identification | flag | offset
time to live | protocol | header checksum
source IP address
destination IP address
identification field (bits 0-15): offset (bits 0-2) | distance (bits 3-7) | edge-id fragment (bits 8-15)
Guruswami-Sudan 6 Reed-Solomon F Guruswami-Sudan k n $n - \sqrt{kn}$ f(x) k, n IP $f_P(x)$ $2^{11}$ $p_1, p_2, p_3$ $p_1 p_2 p_3 > 2^{32}$ IP identification IPsec AH IPsec AH IP identification ICV Integrity Check Value
CAIDA
0.09% 1.6%
0.07% 0.7% 7
GRE, L2TP, IPsec tunnel
15%
RealAudio, Windows Media
VPN, IP ADSL 2 IP Snoeren 8 IP 8byte 28byte k $2^n$ bit -4 digest table k k $2^n$ bit 1 Snoeren
SPIE Source Path Isolation Engine digest table
DGA Data Generation Agent ,
SCAR SPIE Collection and Reduction Agent ,
STM SPIE Traceback
Manager -5
DGA digest table
digest table SCAR SCAR
5
[Figure 4: digest table; k hash digests $H_1(P), H_2(P), \ldots, H_k(P)$ of IP packet P, each n bits wide, index a table of $2^n$ bits]
1) Stone, R.: CenterTrack: An IP Overlay Network for Tracking DoS Floods, In Proceedings of USENIX Security Symposium '00 (2000).
2) Bellovin, S. M. and Leech, M. D.: ICMP Traceback Messages, Internet Draft, draft-ietf-itrace-00.txt (2000).
3) Savage, S., Wetherall, D., Karlin, A. and Anderson, T.: Practical Network Support for IP Traceback, In Proceedings of SIGCOMM '00, pp. 295-306 (2000).
4) Song, D. and Perrig, A.: Advanced and Authenticated Marking Schemes for IP Traceback, In Proceedings of INFOCOM '01 (2001).
5) Dean, D., Franklin, M. and Stubblefield, A.: An Algebraic Approach to IP Traceback, In Proceedings of NDSS '01 (2001).
6) Guruswami, V. and Sudan, M.: Improved Decoding of Reed-Solomon and Algebraic-Geometry Codes, IEEE Transactions on Information Theory, Vol. 45, No. 6, pp. 1757-1767 (1999).
7) Shannon, C., Moore, D. and Claffy, K.: Characteristics of Fragmented IP Traffic on Internet Links, In Proceedings of PAM 2001 (2001).
8) Snoeren, A. C., Partridge, C., Sanchez, L. A., Jones, C. E., Tchakountio, F., Kent, S. T. and Strayer, W. T.: Hash-based IP Traceback, In Proceedings of SIGCOMM '01 (2001).
13 11 1 SCAR DGA digest table
STM k digest table STM SCAR DGA, SCAR, STM DoS IPsec SCAR, STM Snoeren k3, Bloom 5 0.5% OC-3 4 47MB digest table IP [Figure 5: SPIE; labels: DGA, router, SCAR, STM, query from the intrusion detection system, digest table, collected data, query to the area of responsibility]