Finding the real source of Internet crimes

Transcription

1 Finding the real source of Internet crimes Professor Wanlei Zhou Chair of Information Technology and Head School of Information Technology, Deakin University, Melbourne campus at Burwood, Victoria, Australia 1

2 Finding the real source of internet crimes* Outline Introduction Previous Work on IP Traceback IP Traceback through Flexible Deterministic Packet Marking (FDPM) Traceback of DDoS Attacks using Entropy Variations Discussion *Based on 1. Yang Xiang, Wanlei Zhou and Minyi Guo, "Flexible Deterministic Packet Marking: An IP Traceback System to Find the Real Source of Attacks", IEEE Transactions on Parallel and Distributed Systems, vol. 20, no. 4, pp , April Shui Yu, Wanlei Zhou, Robin Doss, and Weijia Jia, "Traceback of DDoS Attacks using Entropy Variations", Accepted by IEEE Transactions on Parallel and Distributed Systems, accepted 09/2009. Published online 30 Apr. 2010, 2

3 Introduction: Declaration -- Research support on network security in my group , 2008 W. Zhou and W. Shi, ARC Linkage Project LP : "Protecting Web Services from Distributed Denial of Service Attacks" , Wanlei Zhou and Yang Xiang, ARC Discovery Project DP : "Development of methods to address internet crime" , Wanlei Zhou and Yang Xiang, ARC Linkage Project LP , An active approach to detect and defend against peer-to-peer botnets , Wanlei Zhou and Robin Doss, ARC Linkage Project LP , Secure and Efficient Communication in Vehicle- based Radio Frequency Identification Systems , Yang Xiang, Wanlei Zhou, and Yong Xiang, ARC Discovery Project DP , Tracing real Internet attackers through information correlation. 3

4 Introduction: Why IP Traceback? The Challenge: who or where is the real source of Internet crimes? Although a number of countermeasures and legislations against Internet crimes are developed, the crimes are still on the rise. One critical reason is that researchers and law enforcement agencies still cannot answer a simple question easily: who and where is the real source of Internet crimes? Internet-related crimes: Malicious web sites containing fraud and phishing contexts, Illegal websites publishing illegal information such terrorisms and child pornography, spam s, viruses and worms, intrusions and identity thefts, Distributed Denial of Service (DDoS) attacks, etc. The Internet packets (IPV4) IP spoofing: the source address in an IP header to be manipulated and falsified by attackers The source IP in the IP packet can not tell the real source IP traceback: the ability to trace IP packets to their origins 4

5 Related Work: Problem Description Let Ai, i є [1, n], be the attackers and V be the victim. The attackers and victim are linked by various routers Rj, j є [1, m]. The main objective of IP traceback problem is to identify the n routers directly connected to Ai. The key issue here is to completely identify the n routers with low false positive rates in a single traceback process. A practical IP traceback system should be able to identify a few hundred sources/routers out of one million routers. Some traceback schemes not only identify the n routers directly connected to Ai but also find the routes between the n routers to victim V. 5

6 Related Work: Current IP Traceback Schemes IP Traceback Mechanisms Link testing Messaging Logging Packet marking Hybrid schemes Packet Marking Probabilistic Packet Marking g( (PPM) Deterministic Packet Marking (DPM) Flexible Deterministic Packet Marking (FDPM) 6

7 IP Traceback through Flexible Deterministic Packet Marking g( (FDPM) Requirements and assumptions (same as other DPM) Utilizes a flexible number of bits (called marks) in the IP header to store source IP addresses in the edge router of a protected network Assume the edge routers are not compromised, and the mark will not be overwritten by intermediate routers when the packet traverses the network At any point within the network, e.g., the victim host, the source IP addresses can be assembled when required. Improvements over other DPM Flexibility: flexible mark length according to the network protocols used Can trace more sources in a single traceback process Can prevent overload to the edge routers via adjusting its marking process. 7

8 FDPM: Utilizing IP header TOS, Identification, Flags, Max of 25 bits (8+16+1). At least 2 packets are needed to record an IP address. A hash (called digest) of the ingress address is kept in the mark. This digest remains the same for an FDPM interface from which the packets enter the network. 8

9 FDPM: Encoding Decide the mark length (24, 19, 16) Divide IP address in K segments evenly, with padding Compute digest Mark= IP segment + digest + segment # 9

10 FDPM: Reconstruction Mark recognition Cache the marks for processing By differentiating the fields in the IP header, the length of the mark and which fields in the IP header store the mark can be recognized Address recovery Analyzes the mark and stores it in a recovery table Flexible size of the recovery table (a linked-list ), each row (entry) contains the IP segments of the same digest Hash collision: more entries for the same hash Recovery source according to digest and segment number 10

11 FDPM: Flow-Based Marking Overload prevention is important to all packet marking traceback schemes increase the computing capability of the router, e.g., using multicore based architecture use an adaptive algorithm to reduce the marking load when the the router load exceeds a threshold Flow-based marking is to selectively mark the packets according to the flow information when the router is under a high load 11

12 FDPM: Flow-Based Marking The goal of flow-based marking is to mark the most possible attacking packets, then let the reconstruction process in the victim end reconstruct the source by using a minimum number of packets 12

13 FDPM: Simulation of Trace Large-scale Sources Simulation Implementation: SSFNet Simulator An experimental network. Simulated FDPM system is installed on all the routers in the network. Java Packages: Encoding sub-system, Reconstruction sub-system system and Flow-based Marking sub-system 13

14 FDPM: Simulation of Trace Large-scale Sources Evaluation Measurement: Maximum Number of Sources. Theoretically, FDPM can trace up to sources in one traceback (if no hash collision) n be traced sources can Nmax Maximum FDPM-16 DPM FDPM-19 FDPM Number of segment used k 14

15 FDPM: Simulation of Trace Large-scale Sources The optimal segment number k to achieve maximum number of sources that can be traced traced Ma aximum sour rces can be t Nmax FDPM-16 DPM FDPM-19 FDPM Number of segment used k 15

16 FDPM: Simulation of Trace Large-scale Sources -- Overload Prevention Evaluation Measurements: Marked Rate and Number of Packets Needed to Trace One Source FDPM can adjust the marking rate according to the current load of a router, while still maintaining a good marking function Marked rate β is the measurement of marking efficiency, which also reflects the load of router imposed by FDPM. A lower value of marked rate β means the participating router will cost fewer resources for traceback The number of packets needed to trace one source Nn can be used to measure the effectiveness of the traceback power. The less number of packets needed to trace one source, the better chance the defense system can react to the attack. 16

17 FDPM: Simulation of Trace Large-scale Sources -- Overload Prevention Flow-based Marking vs. Random Marking: The relationship between the number of packets needed to trace one source NN and the marked rate β for flow-based marking scheme and random marking scheme in simulation. (a) the router uses 2 packets to carry a source IP address (k=2) and the percentage of attacking packets γ=0.1. (b) the router uses 8 packets to carry a source IP address (k=8) and the percentage of attacking packets γ=0.5 Number of pac ckets needed flow-based marking random marking Number of pac ckets needed flow-based marking random marking Marked rate (a) k =2, γ = Marked rate (b) k =8, γ =0.5 17

18 FDPM: Real System Implementation Evaluation Measurements: Number of Packets Needed to Trace One Source and Maximum Forwarding Rate Most work on IP traceback are based on simulation or theoretical ti analysis and rarely any traceback scheme has been implemented and tested by real system implementation. It is very difficult to test the real performance of a traceback scheme if only simulation is used. We used the Click modular router to implement our FDPM on PCbased router. 18

19 FDPM: Real System Implementation -- # of Packets for Reconstruction The relationship between the number of packets needed to trace one source NN and the marked rate β for flow-based marking scheme and random marking scheme in Click router implementation Num mber of pack kets needed d flow-based marking 800 random marking Nu umber of pac ckets needed d Marked rate (a) k =2, γ = flow-based marking random marking Marked rate (b) k =8, γ =0.5 19

20 FDPM: Real System Implementation -- Maximum Forwarding Rate the baseline: maximum forwarding rate θmax for the raw Click router without any packet marking functions when k=8, the curve of maximum forwarding rate θmax of FDPM enabled router and the curve when all the packets are marked the maximum forwarding rate of FDPM enabled router is only about 5000 packets per second less than the baseline (about 7%) Forwarding rat te Fo orwarding rate all marking Input rate flow-based marking Input rate 20

21 FDPM: Comparison with other traceback mechanisms Criterion Controlled flooding ICMP traceback Logging PPM FDPM Compatibility Good Fair Good Good Good Implementation Easy Fair Difficult Fair Easy Scalability N/A Fair Low Fair High Computation load Fair Fair High Medium Low Number of packets needed for traceback Huge Huge Small Thousands Small Network topology known Bandwidth comsumed Yes Yes Yes Yes No Huge Fair Low Low Low Application DDoS DDoS, others DDoS, others DDoS DDoS, others 21

22 Traceback of DDoS Attacks using Entropy Variations A sample network with DDoS attack C C C C C LAN 3 LAN 4 R 5 C A A C R 3 R 4 C A LAN 5 LAN 0 LAN 1 C C R 1 f 1 f 3 f 2 LAN 2 R 2 V A attacker C client R i router V victim LAN f i traffic flow 22

23 Entropy Variations: Problem description A flow on a local router Ri= LAN Many flows addressed to victim when a DDoS attack is ongoing, and number of packets of attack flows are much higher than that of nonattack flows. Entropy is used as a metric to measure the randomness of flows at a given router Entropy drops quickly when a DDoS flooding attack started, we name it as entropy variation. R j d m R j LAN router R i V dm flow destination V R k d n victim 23

24 EV: Analysis of Entropy Variation based Traceback Model Lemmas and Theorems 24

25 EV: Analysis of Entropy Variation based Traceback Model Lemmas and Theorems 25

26 EV: Performance evaluation Important issues in evaluation First task is to show that the flow entropy variation is stable for non-attack cases, and find out the fluctuations for normal situations; The second task is to demonstrate the relationship between the drop of flow entropy variation and the increase of attack strength, therefore, we can identify the threshold for identifying attack sources; The third task is to simulate the whole attack tree for traceback, and evaluate the total traceback time. 26

27 EV: Performance evaluation Non-attack cases: The entropy variation (EV) is stable for normal traffic (Deakin data set) The EV increases smoothly against the increase of the number of flows which are passing through the local router. 27

28 EV: Performance evaluation Non-attack cases: The entropy variation (EV) is stable for normal traffic (Simulation data set) the standard variation of the entropy variation is quite stable (the fluctuation is around 1-3%), even when the fluctuations of the flows are quite big, +-25% and +-50%, respectively. 28

29 EV: Performance evaluation The entropy variation drops almost linearly with the increase of attack strength attack strength: presented by the packet rate of attacks. 29

30 EV: Performance evaluation Convergence of EV with against 2,3 branch attack tree. Entropy variation converges when the attack flows are aggregated to the victim, namely, the entropy variation of a router decreases when the router is getting closer to the victim (Theorem 2). 30

31 EV: Performance evaluation The traceback time. shows that the total traceback time is about 25 seconds in the worst case (the most far away zombies are 30 hops away from the victim), and it is less than 20 seconds if the most far away zombies are 23 hops away from the victim. 31

32 Discussion: Current work Three new ARC grants for future work addressing the Internet crimes: , 2012 Wanlei Zhou and Yang Xiang, ARC Linkage Project LP , An active approach to detect and defend against peerto-peer botnets , Wanlei Zhou and Robin Doss, ARC Linkage Project LP , Secure and Efficient i Communication in Vehicle-based Radio Frequency Identification Systems , Yang Xiang, Wanlei Zhou, and Yong Xiang, ARC Discovery Project DP , Tracing real Internet attackers through information correlation. 32

33 Discussion: Current work Dealing with Peer-to-Peer botnets: 33

34 Discussion: Current work Dealing with stepping stones: Stepping Stones IP networks Attacker Telnet, ssh Victim Telnet, et,ssh Who is the real attacker? 34

35 Discussion: Current work Finding the real Internet attackers through information correlation: 35

36 2009/10 Major Publications (in A/A* Journals) 1. Shui Yu, Wanlei Zhou, Robin Doss, and Weijia Jia, "Traceback of DDoS Attacks using Entropy Variations", Accepted by IEEE Transactions on Parallel and Distributed Systems, accepted 09/2009. Published online 30 Apr. 2010, (A*) 2. Yong Xiang, Dezhong Peng, Iynkaran Natgunanathan, and Wanlei Zhou, "Effective Pseudonoise Sequence and Decoding Function for Imperceptibility and Robustness Enhancement in Time-Spread Echo Based Audio Watermarking", Accepted by IEEE Transactions on Multimedia, accepted 1/8/2010. (A) 3. Ashley Chonka, Yang Xiang, Wanlei Zhou, and Alessio Bonti, "Cloud Security Defence to Protect Cloud Computing against HTTP-DoS and XML-DoS Attacks", Accepted by Journal of Network and Computer Applications, Elsevier, Available online June 23, doi: /j.jnca (A) 4. Yang Xiang, Daxin Tian, and Wanlei Zhou, "A Microscopic Competition Model and Its Dynamics Analysis on Network Attacks", Concurrency and Computation: Practice and Experience (Wiley), Vol 22, pp , (A) 5. Yang Xiang, Wanlei Zhou and Minyi Guo, "Flexible Deterministic Packet Marking: An IP Traceback System to Find the Real Source of Attacks", IEEE Transactions on Parallel and Distributed Systems, vol. 20, no. 4, pp , April (A*) 6. Md Rafiqul Islam, Wanlei Zhou, Minyi Guo, and Yang Xiang, "An Innovative Analyser for Multi-Classifier Classification Based on Grey List Analysis", Journal of Network and Computer Applications, Elsevier, Vol 32, Issue 2, pp , (A) 7. Wanlei Zhou, Yang Xiang, "Network and system security", Journal of Network and Computer Applications (Elsevier), Vol 32, Issue 2, pp , (A) 8. Rafiqul Islam, Wanlei Zhou, and Yang Xiang, "Spam Filtering Using Multi-Classifier Classification on a Ubiquitous Multi- core Architecture", Concurrency and Computation: Practice and Experience (Wiley), Vol 21 Issue 10, pp , (A) 9. Yang Xiang and Wanlei Zhou, Editorial: special issue: multi-core supported network and system security, Concurrency and Computation: Practice and Experience, vol. 21, no. 10, pp , (A) 10. Zhaobin Liu, Wenyu Qu, Haitao Li, Min Ruan, and Wanlei Zhou, "I/O scheduling and performance analysis on multi-core platforms", Concurrency and Computation: Practice and Experience (Wiley), Vol 21 Issue 10, pp , Ashley Chonka, Wanlei Zhou, and Jaipal Singh, "Chaos Theory Based Detection against Network Mimicking DDoS Attacks", IEEE Communications Letters, Volume 13, Issue 9, Sept. 2009, Page(s): (A) 36

37 Questions and Discussion 37