[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: attacks on trajectory sampling

To: Matthias Grossglauser <mgross@research.att.com>
Subject: Re: attacks on trajectory sampling
From: Cristian Estan <cestan@cs.ucsd.edu>
Date: Tue, 24 Sep 2002 16:19:48 -0700
Cc: psamp@ops.ietf.org
References: <3D90F070.1855368F@research.att.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0

Hi Matt,

It totally makes sense to me. I was thinking of the same thing, just that I didn't have time to write it up.

Cristian

Matthias Grossglauser wrote:

One of the uses of hash-based sampling (trajectory sampling)
is in attack detection and diagnosis, because trajectory
sampling provides full paths of packets, even if source
addresses are spoofed.

However, there is a possibility that an attacker
tries to defeat trajectory sampling by manufacturing packets that all hash to the same value. To counter this, psamp
allows for a configurable interval to make sampling decisions; by moving this interval from time to time, we avoid that an attacker knows "where to hit".

However, this still makes it possible for an attacker
to manufacture a large set of packets that either all get picked up or not (with reasonable sampling rates,
it would with high probability not be picked up and go "under the radar screen"). This may still be dangerous,
because (a) if none are picked up, it may be a way
to evade TS measurements when mounting a DDoS attack,
and (b) if all are picked up, the psamp device or the
collector may get overloaded.

Here's a possible solution: instead of making sampling
decisions of the form

sample if h(x) in [a,a+r-1]

(where x is the packet, h the hash function, a the
lower interval boundary, r the range)

we could use instead

sample if h(x,s) in [0,r-1]

where s is a secret "seed" value, chosen out of a
possibly large set (this is equivalent, of course, of having a large family h_s(.) of different hash functions).

The advantage of this is that without knowledge of s,
the only way to have a set of packets result in identical sampling decisions is by making the packets
themselves exactly identical (over the fields that
the hash function is computed over), because without knowledge of s, an attacker would be unable
to determine the right "dummy information" in a packet
to force the same h(x,s). This dummy information depends
on the secret value s, in contrast to the current
approach, where the attacker only needs to know the
hash function.

I think this might be a significant advantage, because many attacks require that packets are not identical.
For example, a port scan requires that the dest port number varies from packet to packet; a SYN attack would have to come from many different (possibly spoofed) sources to be effective (in order to force lots of half-open TCP connections).
Pretty much the only thing you can do with perfectly identical packets is a raw bandwidth overload - which is probably easy to detect with other techniques (SNMP, "normal" sampling on the overloaded link, etc.) and easy
to defeat (a filter for exactly these packets).

Thoughts?

Matt

--
to unsubscribe send a message to psamp-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/psamp/>



--
to unsubscribe send a message to psamp-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/psamp/>

References:
- attacks on trajectory sampling
  - From: Matthias Grossglauser <mgross@research.att.com>

Prev by Date: attacks on trajectory sampling
Next by Date: attacks on trajectory sampling
Previous by thread: attacks on trajectory sampling
Next by thread: attacks on trajectory sampling
Index(es):
- Date
- Thread