RID Implementation Report

Toshifumi Kai (kai@trc.mew.co.jp), Akito Nagashima (akito_nagashima@mewe1.mewnet.or.jp), Hiroshige Nakatani (nakatani@trc.mew.co.jp), Naohiro Fukuda (fukuda@trc.mew.co.jp), Shimizu Hiroshi (shimizu@trc.mew.co.jp)
Matsushita Electric Works, Ltd.

Teruaki Takahashi (c300070@ns.kogakuin.ac.jp), Akira Hashiguchi (akira@cooweb.com), Takayuki Suzuki (t-suzuki@pf6.so-net.ne.jp), Katsuji Tsukamoto (tsukamoto@tsukaken.jp)
Kogakuin University
Plan for Test by MEW

• 2004 Sep 27th – Oct 1st: Phase 1 (Finished) … RID system only
  – MEW's XML format is not the same as the RID format; no encryption and authentication
• 2004 Nov 1st – Dec 30th: Phase 2 (Planned and ongoing) … RID with Traceback
  – MEW's XML format is not the same as the RID format; no encryption and authentication
• 2005 Jan 1st – : Phase 3 (Not planned yet) … RID with Traceback
  – Fully implemented system
MEW's Implementation Status

• Renamed the Source Found message to a result message, to cover the not-found case (-> history area)
  – 'Message Type 3 with NULL Attacker's IP' equals 'Not Found'
• Added a notification field for the traceback system to the Source Found message (-> free-form text area)
  – It is necessary in cases such as the following: if the initiator does not allow False Negative (FP) and uses Hash traceback, but the responder uses ICMP traceback, then the result may have False Positive (FP), and the traced result may be meaningless to the initiator.
  – Hash traceback can trace each packet, but ICMP traceback traces DoS/DDoS packets. So we added used-traceback-type in some field.
  – If the responder's traceback system goes down, this should be reported by the notification message.
• MEW's XML format is not the same as RID's XML format
  – The implementation is not completed yet and is currently modified for test purposes.
• Encryption and authentication are not implemented yet
  – Implementation of SSL/XML encryption and authentication using a CA remains.
• The transport protocol is implemented with soap/http/tcp
  – We used the soap/http/tcp protocol for messaging.
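
Added example (not MEW's code, and not the RID or MEW XML schema, which this report does not show): one way an initiator NMS could apply the rules above, treating Message Type 3 with a NULL attacker IP as 'Not Found', honouring a system-down notification, and checking the responder's used-traceback-type against the types the initiator accepts. The element names, the "down" status value and the sample messages are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOURCE_FOUND = "3"  # "Message Type 3" from the slide

def interpret_result(xml_text, accepted_types):
    """Return (status, detail) for a result message received by the initiator.

    accepted_types: set of traceback types the initiator trusts, e.g. {"hash"}.
    Element names are hypothetical; the MEW schema is not shown in the report.
    """
    # Messages are unauthenticated in phases 1-2, so refuse DTDs/entities outright.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return "rejected", "DTD or entity declaration present"
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return "rejected", f"malformed XML: {exc}"
    if (root.findtext("MessageType") or "").strip() != SOURCE_FOUND:
        return "ignored", "not a Source Found (result) message"

    note = root.find("Notification")
    used = status = ""
    if note is not None:
        used = (note.findtext("UsedTracebackType") or "").strip().lower()
        status = (note.findtext("TracebackStatus") or "").strip().lower()
    if status == "down":
        return "responder_down", "responder's traceback system is down"

    attacker_ip = (root.findtext("AttackerIP") or "").strip()
    if not attacker_ip:
        return "not_found", "type 3 with NULL attacker IP"
    if used not in accepted_types:
        return "unusable", f"traced with '{used or 'unknown'}', not accepted by initiator"
    return "found", attacker_ip

def _msg(ip, note):  # builds the constructed sample messages below
    return (f"<Result><MessageType>3</MessageType><AttackerIP>{ip}</AttackerIP>"
            f"<Notification>{note}</Notification></Result>")

HASH_HIT = _msg("192.0.2.10", "<UsedTracebackType>hash</UsedTracebackType>")
ICMP_HIT = _msg("192.0.2.10", "<UsedTracebackType>icmp</UsedTracebackType>")
NOT_FOUND = _msg("", "<UsedTracebackType>hash</UsedTracebackType>")
DOWN = _msg("", "<TracebackStatus>down</TracebackStatus>")

if __name__ == "__main__":
    for name, m in [("hash", HASH_HIT), ("icmp", ICMP_HIT), ("none", NOT_FOUND), ("down", DOWN)]:
        print(name, interpret_result(m, {"hash"}))
```
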
Simple Test

• We set up a very simple test case: a star topology and a straight chained topology with 7 PCs.
• The 7 PCs act as NMSes, without routers or a traceback system between them.
• We measured the response time until the Source Found (result) message is sent to the initiator NMS, and the CPU time the NMS spends handling XML interpretation and SOAP communication.
• In the straight topology case, the number of ASes was 7.
Test Results

• Straight Chained Topology: response time for traceback was 1.6 sec, and response time for handling SOAP/XML was 0.46 sec, for 7 ASes.
• Star Topology: response time for traceback was 0.6 sec, and response time for handling SOAP/XML was 0.23 sec, for 6 ASes.
• It will take about 0.1-0.22 sec per AS for handling traceback and 0.038-0.065 sec per AS for handling SOAP/XML, so the total response time will be about 0.138-0.285 sec per AS.

Note: We assume the tracing time (delay) inside each AS and feed it in as a fixed value.
  – First and middle AS: 0.2 sec
  – Attacker's AS (final AS): 0.4 sec
(We plan to test with the real tracing time next month.)
Reference
Spec for NMS

• CPU:
  – Pentium 4 3.0GHz
• Memory:
  – 512MBytes
• Network:
  – Fast Ether (100Base-T)
• Transport Protocol:
  – TCP + HTTP + Open SOAP
• Inter-AS Traceback Protocol:
  – RID-mew (modified RID + XML)

[Figure: NMS (RID) (Inter-AS traceback Software)]
Chained AS Topology

[Figure: chained topologies for AS Num = 1 (AS1), 4 (AS1 to AS4) and 7 (AS1 to AS7). V: Victim, A: Attacker]
Timeline for Chained Trace

[Figure: timeline from Start-Tracing to Trace Finished (Time to Trace) for AS1 to AS4, with labels Request message, Result message, Int-AS trace, and intervals t1 to t4]

T = t1 + t2 + t3 + t4 = RID Processing Time (SOAP Protocol + XML Translation)
* AS num = 4
Chained Results

AS num   Total tracing time for int-AS [sec]   RID Processing Time (SOAP Protocol + XML Translation) [sec]
1        0.4                                   0.053916
2        0.6                                   0.096066
3        0.8                                   0.189532
4        1.0                                   0.252760
5        1.2                                   0.315661
6        1.4                                   0.401333
7        1.6                                   0.466741

[Chart: Tracing Time [sec] against AS Numbers; series: RID Processing Time (SOAP Protocol + XML Translation) and Total Time for tracing Internal AS]

* We assume that the tracing time inside each AS is a fixed value (first and middle AS: 0.2 sec; Attacker's AS: 0.4 sec)
Star AS Topology

[Figure: star topologies for Num of Neighbor AS = 1, 3 and 6. A: Attacker, V: Victim]
Timeline for Star Topology

[Figure: timeline from Start Tracing to Trace Finished (Time for Tracing) for AS1 to AS4, with labels Request message, Result message and Int-AS trace]

※ num of neighbor AS was 3
Star Results

Num of neighbor AS   Tracing time for each Int-AS [sec]   RID Processing Time (SOAP Protocol + XML Translation) [sec]
1                    0.6                                  0.096066
2                    0.6                                  0.157692
3                    0.6                                  0.177469
4                    0.6                                  0.180390
5                    0.6                                  0.219429
6                    0.6                                  0.237459

[Chart: Tracing Time [sec] against num of Child AS; series: RID Processing Time (SOAP Protocol + XML Translation) and Time for each tracing Internal AS]

* We assume that the tracing time inside each AS is a fixed value (first and middle AS: 0.2 sec; Attacker's AS: 0.4 sec)
RID-Anime (Tracing)

[Animation: NMS and Trace nodes in AS1, AS2 and AS3, with NP1 to NP4, between the Victim (Web-Server) and the Attacker. Labels: Attack Report, Req, Auth, pending ... 2 min later, Found. Outcome: Found!]
RID-Anime (Filtering)

[Animation: NMS and Trace nodes in AS1, AS2 and AS3, with NP1 to NP4, between the Victim (Web-Server) and the Attacker. Labels: Attack Report, Req, Auth (Approved), Auth (Denied), Filter Source (available). Outcome: Not Found!]
RID-Anime (Probabilistic Traceback)

[Animation: NMS and Trace nodes in AS1, AS2 and AS3, with NP1 to NP4, between the Victim (Web-Server) and the Attacker. Labels: Attack Report, Req, Auth, Found, iTrace (i), Hash (H). Outcome: Found!]

* NP1 and NP3 belong to the same consortium
RID-Anime (Multi-Traceback)

[Animation: NMS and Trace nodes in AS1, AS2 and AS3, with NP1 to NP4, between the Victim (Web-Server) and two Attackers. Labels: Attack Report, Req, Auth, Found, iTrace (i), Hash (H), iTrace + Hash. Outcome: Found! (three times)]