Paper Review: Hash-Based IP Traceback
Reviewer: Seh Leng Lim
This paper proposes the Source Path Isolation Engine (SPIE), which was developed to enable IP traceback.
The main contribution of the paper is its detailed analysis of how a single IP packet can be traced to its source using SPIE. The key to SPIE is to perform traffic auditing by computing and storing 32-bit packet digests, thereby reducing packet storage and ensuring confidentiality from eavesdropping. SPIE is also able to deal with transformations such as encapsulation and NAT. More importantly, SPIE can be implemented in high-speed routers because the hashing function is simple to compute.
The key ideas expounded are:
(a) As a router may be co-opted to assist in concealing a packet's source, one must attempt to discern not only the packet's source, but its entire path through the network.
(b) The idea of a distributed architecture comprising the Data Generation Agent at the router, which computes and stores the packet digests; the SPIE Collection and Reduction (SCAR) agent, which collects the digest tables from routers in its region; and the SPIE Traceback Manager (STM), which handles all requests for a packet trace.
(c) The idea of using Bloom filters to record packet digests.
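The digest-table idea in (b) and (c), as an added sketch that is not code from the paper or from this review: each router records packets in a Bloom filter, and a traceback query asks every router whether it saw a given packet. The salted BLAKE2b hashes, table size, number of hash functions, router names and sample packets are all assumptions constructed for illustration.

```python
import hashlib

class DigestTable:
    """Bloom filter of packet digests for one time window at one router."""

    def __init__(self, bits=1 << 16, k=3):
        self.bits = bits  # table size in bits (assumed value)
        self.k = k        # number of hash functions (assumed value)
        self.table = bytearray(bits // 8)

    def _positions(self, packet):
        # k salted 32-bit digests, each reduced to a bit position.
        # BLAKE2b is a stand-in; the review does not name the hash family.
        for i in range(self.k):
            h = hashlib.blake2b(packet, digest_size=4, salt=bytes([i]))
            yield int.from_bytes(h.digest(), "big") % self.bits

    def record(self, packet):
        # Only bits are set; the packet itself is never stored.
        for p in self._positions(packet):
            self.table[p >> 3] |= 1 << (p & 7)

    def seen(self, packet):
        # False: definitely not recorded. True: recorded, or a false positive.
        return all(self.table[p >> 3] & (1 << (p & 7))
                   for p in self._positions(packet))

    def load(self):
        # Fraction of bits set; the false positive rate grows with this.
        return sum(bin(b).count("1") for b in self.table) / self.bits

def routers_that_saw(tables, packet):
    """The traceback query: which routers' tables contain this packet?"""
    return sorted(name for name, t in tables.items() if t.seen(packet))

def build_demo():
    # Constructed scenario: three routers, attack packet crosses R1 and R3.
    tables = {name: DigestTable() for name in ("R1", "R2", "R3")}
    for i in range(2000):  # constructed background traffic
        tables["R%d" % (i % 3 + 1)].record(b"background-%d" % i)
    attack = b"constructed attack packet"
    for hop in ("R1", "R3"):
        tables[hop].record(attack)
    return tables, attack

if __name__ == "__main__":
    tables, attack = build_demo()
    print(routers_that_saw(tables, attack))
    print({n: round(t.load(), 4) for n, t in tables.items()})
```

A router off the path can still answer yes once its table fills up, so the table size chosen for a given traffic load sets the false positive rate.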
I think that the paper has a significant contribution (rating of 4) to the study of individual packet traceback, as it proposed a comprehensive and implementable architecture that can determine the source of a packet. The authors simulate an attack by randomly selecting a source and victim and sending 1000 attack packets at a constant rate between them. They assume uniform background traffic for their simulations, and suggest that the effective false positive rate is scaled by the observed traffic load at each router. I think such simulations may not model a worst-case attack scenario. The memory requirements at the router for a minute's storage are very high. As the paper was written quite some time ago, more work needs to be done to determine the practical memory sizing for today's Internet. As acknowledged by the authors, there is still a lot of work to be done to consider the impact of NTP clock skew on SPIE's performance.
Network and system administrators may have a better appreciation from this paper of the difficulties involved in intruder detection.