LISA 2000 Abstract
Tracing Anonymous Packets to Their Approximate Source
Hal Burch, Carnegie Mellon University; and Bill Cheswick, Lumeta Corporation
Most denial-of-service attacks are characterized by a flood of
packets with random, apparently valid source addresses. These
addresses are spoofed, created by a malicious program running on an
unknown host, and carried by packets that bear no clues that could be
used to determine their originating host. Identifying the source of
such an attack requires tracing the packets back to the source hop by
hop. Current approaches for tracing these attacks require the tedious
continued attention and cooperation of each intermediate Internet
Service Provider (ISP). This is not always easy given the world-wide
scope of the Internet.
We outline a technique for tracing spoofed packets back to their
actual source host without relying on the cooperation of intervening
ISPs. First, we map the paths from the victim to all possible
networks. Next, we locate sources of network load, usually hosts or
networks offering the UDP chargen service. Finally, we work back
through the tree, loading lines or routers and observing changes in the
rate of invading packets. These observations often allow us to
eliminate all but a handful of networks that could be the source of
the attacking packet stream. Our technique assumes that routes are
largely symmetric, can be discovered, and are fairly consistent, and
that the attacking packet stream arrives from a single source network.
We have run some simple and single-blind tests on Lucent's
intranet, where our technique usually works, with better chances
during busier network time periods; in several tests, we were able to
determine the specific network containing the attacker.
An attacker who is aware of our technique can easily thwart it,
either by covering his traces on the attacking host, initiating a
``whack-a-mole'' attack from several sources, or using many sources.
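The hop-by-hop search outlined above, and the way it degrades when the single-source assumption fails, as an added simulation (this is not the authors' code). ROUTE_TREE, AttackModel, the 50% rate drop that loading a link on the attack path produces, and the 3% measurement noise are all constructed assumptions; the real technique loads links with chargen traffic, which is not modelled here. trace_source walks from the victim, loads each outgoing link in turn, follows the link whose loading measurably lowers the attack rate, and stops early (returning the whole remaining subtree) when no link shows a drop, which is what happens when link loading barely perturbs the attack stream.

```python
"""Simulated traceback search: walk a route tree from the victim, loading
links and watching the attack rate. Constructed example, not from the paper."""
import random

# Constructed route tree as seen from the victim: routers r1..r5 and leaf
# networks netA..netF. Routes are assumed symmetric and stable, as the paper does.
ROUTE_TREE = {
    "victim": ["r1", "r2"],
    "r1": ["r3", "netA"],
    "r2": ["r4", "r5"],
    "r3": ["netB", "netC"],
    "r4": ["netD"],
    "r5": ["netE", "netF"],
    "netA": [], "netB": [], "netC": [], "netD": [], "netE": [], "netF": [],
}


def leaf_networks(tree, node):
    """All networks (leaves) reachable below `node`, in tree order."""
    if not tree[node]:
        return [node]
    out = []
    for child in tree[node]:
        out.extend(leaf_networks(tree, child))
    return out


def path_to(tree, node, target):
    """Nodes from `node` down to `target`, or None if `target` is not below it."""
    if node == target:
        return [node]
    for child in tree[node]:
        sub = path_to(tree, child, target)
        if sub:
            return [node] + sub
    return None


class AttackModel:
    """What the victim observes. Assumption (not from the paper): each attacking
    network contributes an equal share of the flood; loading a link on a
    source's path cuts that source's share by `drop`; every other link changes
    nothing but measurement noise."""

    def __init__(self, tree, source_nets, base_rate=1000.0, drop=0.5,
                 noise=0.03, seed=1):
        self.paths = []
        for net in source_nets:
            path = path_to(tree, "victim", net)
            if path is None:
                raise ValueError(f"{net} is not in the route tree")
            self.paths.append(set(zip(path, path[1:])))  # links as (hop, next)
        self.per_source = base_rate / len(self.paths)
        self.drop = drop
        self.noise = noise
        self.rng = random.Random(seed)
        self.loads = 0  # number of link loads performed (cost of the trace)

    def measure(self, loaded_link=None):
        """Attack packets/second seen at the victim while `loaded_link` is congested."""
        rate = 0.0
        for links in self.paths:
            share = self.per_source
            if loaded_link is not None and loaded_link in links:
                share *= 1.0 - self.drop
            rate += share
        if loaded_link is not None:
            self.loads += 1
        return rate * (1.0 + self.rng.uniform(-self.noise, self.noise))


def trace_source(tree, measure, threshold=0.2):
    """Work back from the victim. At each hop, load each outgoing link; a rate
    drop of more than `threshold` says the flood crosses that link, so descend
    into it. If no link shows a drop, stop and report every network below the
    current hop: the trace has narrowed the source to that handful, not to one."""
    node = "victim"
    baseline = measure()  # unloaded rate, measured once up front
    while tree[node]:
        next_hop = None
        for child in tree[node]:
            if measure((node, child)) < baseline * (1.0 - threshold):
                next_hop = child
                break  # commits to the first link that shows a drop
        if next_hop is None:
            break
        node = next_hop
    return sorted(leaf_networks(tree, node))


if __name__ == "__main__":
    one = AttackModel(ROUTE_TREE, ["netD"])
    print("single source:", trace_source(ROUTE_TREE, one.measure), "loads:", one.loads)
    two = AttackModel(ROUTE_TREE, ["netB", "netE"])
    print("two sources:  ", trace_source(ROUTE_TREE, two.measure))
    quiet = AttackModel(ROUTE_TREE, ["netD"], drop=0.1)
    print("weak loading: ", trace_source(ROUTE_TREE, quiet.measure))
```

With one source the walk resolves every hop and names netD after four link loads. With two sources the search commits to the first branch whose rate drops and returns only netB, never noticing netE: that is the "many sources" evasion from the last paragraph. When loading a link barely moves the rate (the quiet-network case), no link clears the threshold at the first hop and all six networks remain candidates, which matches the observation that the technique works better when the network is busy enough for the added load to matter.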