FACT: A Framework for Authentication in Cloud-Based IP Traceback

IP traceback plays an important role in cyber investigation processes, where the sources and the traversed paths of packets need to be identified. It has a wide range of applications, including network forensics, security auditing, network fault diagnosis, and performance testing. Despite a plethora of research on IP traceback, the Internet is yet to see a large-scale practical deployment of traceback. Some of the major challenges that still impede an Internet-scale traceback solution are the concern of disclosing Internet Service Providers' (ISPs') internal network topologies (in other words, the concern of privacy leaks), poor support for incremental deployment, and the lack of incentives for ISPs to provide traceback services. In this paper, we argue that cloud services offer better options for the practical deployment of an IP traceback system. We first present a novel cloud-based traceback architecture, which possesses several favorable properties that encourage ISPs to deploy traceback services on their networks. While this makes the traceback service more accessible, regulating access to the traceback service in a cloud-based architecture becomes an important issue. Consequently, we address the access control problem in cloud-based traceback. Our design objective is to prevent illegitimate users from requesting traceback information for malicious purposes (such as ISP topology discovery). To this end, we propose a temporal token-based authentication framework, called FACT, for authenticating traceback service queries. FACT embeds temporal access tokens in traffic flows and then delivers them to end-hosts in an efficient manner. The proposed solution ensures that the entity requesting traceback service is an actual recipient of the packets to be traced. Finally, we analyze and validate the proposed design using real-world Internet data sets.
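
The access-control idea in the abstract (a traceback query is honored only if the requester can present a time-bounded token that was carried in the very packets it received) can be illustrated with a small simulation. The code below is an added example written for this page; it is not FACT's own design and does not reproduce the paper's token encoding or delivery mechanism. It assumes a marking element at the ISP and the cloud traceback service share a secret, that each token is an HMAC over the current time epoch and the flow 5-tuple truncated to a few bytes, and that packets are represented as dictionaries with a `token` field standing in for whatever header bits a real scheme would use. All names, addresses and parameter values are constructed.

```python
"""Illustrative sketch of temporal-token flow authentication for a cloud traceback service.
Added example, not the paper's FACT implementation."""
import hashlib
import hmac
from dataclasses import dataclass

EPOCH_SECONDS = 60   # assumed token validity window (constructed value)
TOKEN_BYTES = 4      # assumed per-packet marking budget (constructed value)
GRACE_EPOCHS = 1     # also accept tokens from this many previous epochs


@dataclass(frozen=True)
class Flow:
    """Flow 5-tuple that both the marking element and the service key tokens on."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int

    def key(self) -> bytes:
        return f"{self.src}|{self.dst}|{self.proto}|{self.sport}|{self.dport}".encode()


def epoch_of(ts: float) -> int:
    """Map a timestamp to the token epoch it belongs to."""
    return int(ts // EPOCH_SECONDS)


def derive_token(secret: bytes, flow: Flow, epoch: int) -> bytes:
    """HMAC-SHA256 over (epoch, flow 5-tuple), truncated to the marking budget.
    Without the secret, knowing the 5-tuple alone is not enough to forge it."""
    msg = epoch.to_bytes(8, "big") + flow.key()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:TOKEN_BYTES]


class MarkingRouter:
    """ISP-side element that stamps each forwarded packet with the epoch's token."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def mark(self, flow: Flow, payload: bytes, ts: float) -> dict:
        token = derive_token(self._secret, flow, epoch_of(ts))
        return {"flow": flow, "payload": payload, "token": token}


class EndHost:
    """Receiver that harvests tokens only from packets it actually received."""

    def __init__(self):
        self.tokens: dict = {}

    def receive(self, packet: dict) -> None:
        self.tokens.setdefault(packet["flow"], set()).add(packet["token"])

    def traceback_query(self, flow: Flow) -> dict:
        return {"flow": flow, "tokens": sorted(self.tokens.get(flow, set()))}


class TracebackService:
    """Cloud-side service that answers a query only for a flow the requester can prove it received."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def authorize(self, query: dict, ts: float) -> bool:
        flow, now = query["flow"], epoch_of(ts)
        valid = [derive_token(self._secret, flow, e) for e in range(now - GRACE_EPOCHS, now + 1)]
        # constant-time comparison against every still-valid epoch token
        return any(hmac.compare_digest(t, v) for t in query["tokens"] for v in valid)


def demo() -> tuple:
    """Three cases: a genuine recipient, a requester who only knows the 5-tuple, and an expired token."""
    secret = b"constructed-shared-secret"
    router, service = MarkingRouter(secret), TracebackService(secret)
    flow = Flow("198.51.100.7", "203.0.113.9", 6, 44000, 443)  # documentation-range addresses
    recipient, outsider = EndHost(), EndHost()
    t0 = 1_700_000_000.0
    for i in range(3):
        recipient.receive(router.mark(flow, b"pkt%d" % i, t0 + i))
    legit = service.authorize(recipient.traceback_query(flow), t0 + 5)
    forged = service.authorize(outsider.traceback_query(flow), t0 + 5)
    stale = service.authorize(recipient.traceback_query(flow), t0 + 10 * EPOCH_SECONDS)
    return legit, forged, stale


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The grace window of one previous epoch is the design knob that trades replay exposure for tolerance of clock skew between the marking element and the service; a practitioner evaluating any such scheme should check how long a harvested token remains usable after the flow ends, since that is the window in which a token leak would let a third party query paths it never received.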
