Network Traceback and Attack Attribution
Water always has a source, and trees always have roots. - Chinese Proverb
Today's Internet infrastructure is extremely vulnerable to motivated and well-equipped attackers. Tools are readily available—from covertly exchanged exploit programs to publicly released vulnerability assessment software—to degrade performance or even disable vital network services. Whether vandalism or cyber warfare, the consequences are serious. Determining the identity of the source of attacks is a giant step toward deterrence and countermeasures.
Finding the source of attacks presents a particularly interesting challenge. The anonymous nature of the IP protocol makes it difficult to identify the true source of the packet accurately. The Internet routing infrastructure is stateless and based largely on destination addresses; no entity is officially responsible for ensuring that the source address is correct. Spoofed source addresses—addresses purposely changed to make them look like the packet came from some place else—are used legitimately by many increasingly popular network solutions such as network address translators (NATs) and Mobile IP. Consequently, a well-placed attacker can generate offending IP packets that appear to have originated from almost anywhere.
How BBN Meets the Challenges of Source Path Traceback
BBN Technologies has developed SPIE, the Source Path Isolation Engine, to enable IP traceback: tracing an individual IP packet back along the path it actually took, to the router where it entered the instrumented network, regardless of the source address it carries. Historically, traceback systems have relied on the massive flows of distributed denial-of-service (DDoS) attacks, which are easily observed by any router or end host. SPIE focuses on subtler, perhaps even more nefarious attacks that involve one or a small group of packets. These attacks are much harder to find, and have been nearly impossible to trace to their source until now. SPIE records evidence of every single packet that passes through a router, so tracing a particular packet back to its source is simply a process of asking each router whether it has seen that packet.
Since recording the full contents of every packet is prohibitively expensive, SPIE logs every packet that passes through a router in an extremely compact form, bringing the storage needed down to no more than 0.5% of the link's capacity over the same period. Rather than the packet itself, SPIE stores a digest: a hash over the header fields that do not change in transit, plus the first few bytes of payload, which reduces hundreds of bytes to a few dozen bits. The digest is not stored directly either; it is used as a set of indices into a bit array called a digest table (a Bloom filter), so each packet ultimately costs only a few bits of memory. The price is a small, tunable false-positive rate: a router may occasionally report a packet it never saw, but it never denies one it did see.
Although SPIE provides an extremely efficient means of storing packet logs, there is a finite amount of memory in the system and, therefore, a finite amount of time the logs can be held. This defines the window during which a traceback can be started and still be effective. Because a digest table fills at a rate set by the router's traffic, the length of that window is determined by the memory provisioned relative to the router's total link capacity, so the amount of memory can be engineered to meet the timeliness requirements for the traceback.
Naturally, keeping log information about individual packets raises questions about privacy. With this in mind, SPIE has been designed so that the packet digests stored at routers do not pose a privacy risk: the digest table holds only hash-derived bits, so it is not possible to reconstruct the packets a router has seen from the logs alone. The one thing the table does answer, by design, is a membership question: a party who already holds a candidate packet can ask whether the router saw it, and that answer is subject to the table's false-positive rate.
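To make the mechanism of the preceding paragraphs concrete, the following is an added example, written for this page and not BBN's SPIE code. It builds constructed sample IPv4 packets, masks the hop-variable header fields before hashing (the choice of TOS, TTL and checksum as the masked set, and of the first 8 payload bytes, is this example's assumption; the page does not list the fields), stores each packet as a few bits in a Bloom-filter digest table, rotates tables per time window so old logs age out, and runs a traceback query against on-path and off-path routers. The router names, addresses and SHA-256-derived bit indices are all invented for illustration.

```python
"""Hash-based packet digests in a Bloom-filter digest table (illustrative)."""
import hashlib
import struct
from collections import deque


def ip_checksum(header):
    """RFC 791 one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src, dst, ttl, payload, ident=0x1234, proto=17):
    """Constructed sample packet: minimal IPv4 header (no options) + payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def digest_input(pkt):
    """Header plus first 8 payload bytes, with fields that legitimately change
    hop by hop masked out (which fields to mask is this example's assumption)."""
    hdr = bytearray(pkt[:20])
    hdr[1] = 0                  # TOS/DSCP may be rewritten in flight
    hdr[8] = 0                  # TTL is decremented at every hop
    hdr[10:12] = b"\x00\x00"    # header checksum follows the TTL
    return bytes(hdr) + pkt[20:28]


class DigestTable:
    """Bloom filter: each packet costs k set bits; the packet itself is never kept."""

    def __init__(self, m_bits=1 << 16, k=3):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _indices(self, pkt):
        h = hashlib.sha256(digest_input(pkt)).digest()
        return [int.from_bytes(h[4 * i:4 * i + 4], "big") % self.m
                for i in range(self.k)]

    def insert(self, pkt):
        for i in self._indices(pkt):
            self.bits[i >> 3] |= 1 << (i & 7)

    def contains(self, pkt):
        """Membership test only: callers must already hold a candidate packet.
        May return a false positive, never a false negative."""
        return all(self.bits[i >> 3] & (1 << (i & 7)) for i in self._indices(pkt))


class Router:
    """Keeps `history` digest tables, one per time window; the oldest is dropped."""

    def __init__(self, name, history=4):
        self.name = name
        self.tables = deque([DigestTable()], maxlen=history)

    def rotate(self):
        self.tables.append(DigestTable())   # evicts the oldest table when full

    def forward(self, pkt):
        """Log the packet, then emit it as the next hop would receive it."""
        self.tables[-1].insert(pkt)
        hdr = bytearray(pkt[:20])
        hdr[8] -= 1                                       # decrement TTL ...
        hdr[10:12] = b"\x00\x00"
        hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))  # ... and refresh checksum
        return bytes(hdr) + pkt[20:]

    def has_seen(self, pkt):
        return any(t.contains(pkt) for t in self.tables)


def traceback(routers, pkt):
    """Ask every router whether it holds a digest of the victim's copy of the packet."""
    return [r.name for r in routers if r.has_seen(pkt)]


def demo():
    path = [Router("R1"), Router("R2"), Router("R3")]
    off_path = Router("R9")
    pkt = ipv4_packet("10.0.0.7", "192.0.2.10", 64, b"constructed payload")
    at_victim = pkt
    for r in path:
        at_victim = r.forward(at_victim)      # TTL 64 -> 61 by the time it arrives
    off_path.forward(ipv4_packet("10.0.0.8", "192.0.2.10", 64, b"unrelated"))
    hit_now = traceback(path + [off_path], at_victim)
    for r in path:                            # enough windows pass for the logs to age out
        for _ in range(4):
            r.rotate()
    hit_later = traceback(path + [off_path], at_victim)
    return hit_now, hit_later


if __name__ == "__main__":
    print(demo())
```

The query is made with the packet exactly as the victim received it; because TTL and checksum are masked before hashing, it still matches the digest each upstream router recorded from its own, earlier copy. After the tables have rotated past the retention window the same query returns nothing, which is the finite traceback window described above.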
Continued Work
BBN is extending the work on attack attribution to include tracing across "stepping stones", chains of multiple remote login sessions. Attackers use a series of stepping stones to further hide the origin of an attack. Techniques like SPIE can trace a single connection; we are developing correlation algorithms that identify the pairs of connections that meet at a stepping-stone host.