[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

attacks on trajectory sampling



One of the uses of hash-based sampling (trajectory sampling)
is in attack detection and diagnosis, because trajectory
sampling provides full paths of packets, even if source
addresses are spoofed.

However, there is a possibility that an attacker
tries to defeat trajectory sampling by manufacturing packets 
that all hash to the same value. To counter this, psamp
allows for a configurable interval to make sampling decisions; 
by moving this interval from time to time, we avoid that an 
attacker knows "where to hit".

However, this still makes it possible for an attacker
to manufacture a large set of packets that either 
all get picked up or not (with reasonable sampling rates,
it would with high probability not be picked up and go 
"under the radar screen"). This may still be dangerous,
because (a) if none are picked up, it may be a way
to evade TS measurements when mounting a DDoS attack,
and (b) if all are picked up, the psamp device or the
collector may get overloaded.

Here's a possible solution: instead of making sampling
decisions of the form

  sample if h(x) in [a,a+r-1]

(where x is the packet, h the hash function, a the
lower interval boundary, r the range)

we could use instead

  sample if h(x,s) in [0,r-1]

where s is a secret "seed" value, chosen out of a
possibly large set (this is equivalent, of course, 
of having a large family h_s(.) of different hash 
functions).

The advantage of this is that without knowledge of s,
the only way to have a set of packets result in 
identical sampling decisions is by making the packets
themselves exactly identical (over the fields that
the hash function is computed over), because without 
knowledge of s, an attacker would be unable
to determine the right "dummy information" in a packet
to force the same h(x,s). This dummy information depends
on the secret value s, in contrast to the current
approach, where the attacker only needs to know the
hash function.

I think this might be a significant advantage, because many 
attacks require that packets are not identical.
For example, a port scan requires that the dest port number 
varies from packet to packet; a SYN attack would have to come 
from many different (possibly spoofed) sources to be effective 
(in order to force lots of half-open TCP connections). 

Pretty much the only thing you can do with perfectly 
identical packets is a raw bandwidth overload - which 
is probably  easy to detect with other techniques (SNMP, 
"normal" sampling on the overloaded link, etc.) and easy
to defeat (a filter for exactly these packets).

Thoughts?

Matt

--
to unsubscribe send a message to psamp-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/psamp/>