Tracing Traffic through Intermediate Hosts that Repacketize Flows

Tracing interactive traffic that traverses stepping stones (i.e., intermediate hosts) is challenging, as the packet headers, lengths, and contents can all be changed by the stepping stones. The traffic timing has therefore been studied as a means of tracing traffic. One such technique uses traffic timing as a side channel into which a watermark, or identifying tag, can be embedded to aid with tracing. The effectiveness of such techniques is greatly reduced when repacketization of the traffic occurs at the stepping stones. Repacketization is a natural effect of many applications, including SSH, and therefore poses a serious challenge for traffic tracing. This paper presents a new method of embedding a watermark in traffic timing, for purposes of tracing the traffic in the presence of repacketization. This method uses an invariant characteristic of two traffic flows which are part of the same stepping stone chain, namely, elapsed time of the flows. The duration of each flow is sliced into short fixed-length intervals. Packet timing is adjusted to manipulate the packet count in specific intervals, for purposes of embedding the watermark. A statistical analysis of the method, with no assumptions or limitations concerning the distribution of packet times, proves the effectiveness of the method given a sufficient number of packets, despite natural and/or deliberate repacketization and perturbation of the traffic timing by an adversary. The method has been implemented and tested on a large number of synthetically-generated SSH traffic flows. The results demonstrate that 100% detection rates and less than 1% false positive rates are achievable under conditions of 2 seconds of maximum timing perturbation and 12% repacketization rate, using fewer than 1000 packets.
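The interval packet-count idea described in the abstract, as an added sketch that is not the paper's algorithm or code. The interval length, the four-interval group per bit, the load/clear encoding rule, the stepping-stone model and the sample flow are all assumptions constructed here for illustration.

```python
import random

T = 1.0          # interval length in seconds (assumed value)
GROUP = 4        # intervals per watermark bit: source, a, b, spill (assumed layout)

def _slot(t, t0):
    """Index of the fixed-length interval that time t falls in, measured from flow start."""
    return int((t - t0) // T)

def embed(times, bits):
    """Delay packets by exactly T so that, per bit, interval a or b is emptied into its neighbour."""
    t0, out = times[0], []
    for t in times:
        s = _slot(t, t0) - 1              # interval 0 is a guard so the first packet never moves
        g, pos = divmod(s, GROUP)
        if s >= 0 and g < len(bits):
            # bit 1: source->a (load a) and b->spill (clear b); bit 0: a->b (clear a, load b)
            move = pos in (0, 2) if bits[g] else pos == 1
            t += T if move else 0.0
        out.append(t)
    return sorted(out)

def detect(times, nbits):
    """Recover bits by comparing the packet counts of intervals a and b in each group."""
    t0, counts = times[0], {}
    for t in times:
        s = _slot(t, t0) - 1
        counts[s] = counts.get(s, 0) + 1
    return [int(counts.get(g * GROUP + 1, 0) > counts.get(g * GROUP + 2, 0)) for g in range(nbits)]

def stepping_stone(times, rng, merge=0.12, max_jitter=0.3):
    """Constructed model: merge some packets into their successor, then add random delay."""
    kept = [t for t in times if rng.random() >= merge]
    return sorted(t + rng.uniform(0.0, max_jitter) for t in kept)

def sample_flow(rng, seconds=34.0):
    """Constructed packet timestamps with irregular inter-arrival gaps."""
    t, times = 0.0, []
    while t < seconds:
        times.append(t)
        t += rng.uniform(0.01, 0.09)
    return times

def demo(seed=7):
    rng = random.Random(seed)
    bits = [1, 0, 1, 1, 0, 0, 1, 0]
    marked = embed(sample_flow(rng), bits)
    return bits, detect(marked, len(bits)), detect(stepping_stone(marked, rng), len(bits))
```

Because the detector only compares packet counts per interval relative to the flow's own start, it does not depend on packet boundaries or sizes, which is why merging packets lowers both counts without flipping the comparison.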
