Hash-Based IP Traceback
Reviewer: Robert Dugas
The problem dealt with is the inherent anonymity of the IP layer and its adverse effects on
accountability and security.
This paper proposes a computationally and spatially feasible scheme, SPIE, for reliable IP traceback
which does not require a massive infrastructure overhaul.
- Identifies benefits of storing only packet digests rather than entire packets for traceback
- Develops and analyzes sophisticated hashing scheme to achieve accurate distributed lookup
- Discusses a traceback manager system (STM) which would
  - interface with the IDS
  - authenticate valid SPIE agents
  - dispatch requests to the proper SCARs
  - assemble the returned data into an attack graph
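To make the digest-storage and hashing ideas above concrete, here is an added illustration (my own toy code, not the paper's implementation): each router keeps a Bloom filter of packet digests computed over the hop-invariant header fields plus the first eight payload bytes, and a traceback query walks upstream from the victim's router, following only neighbors whose filters report the digest, to build an attack graph. The topology, packets and field set are constructed for the example; the real scheme pages filters out per time interval and uses a hardened hash family, both simplified here.

```python
import hashlib
from collections import deque

# Constructed example of a SPIE-style digest store and traceback (not the paper's code).


def packet_digest(pkt: dict) -> bytes:
    """Hash the fields that stay constant hop to hop plus the first 8 payload bytes.
    Mutable fields (TTL, TOS, checksum) are deliberately excluded so every router on
    the path computes the same digest for the same packet. Field set is simplified."""
    invariant = "|".join(str(pkt[k]) for k in ("src", "dst", "ip_id", "proto", "length"))
    return hashlib.sha256(invariant.encode() + pkt["payload"][:8]).digest()


class DigestTable:
    """Bloom filter holding the digests one router saw (one table per time interval
    in the real scheme). Answers are 'definitely not seen' or 'probably seen'; the
    false-positive rate is set by the bit count m and the number of hashes k."""

    def __init__(self, m_bits: int = 4096, k: int = 3):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _indexes(self, digest: bytes):
        # Slice k independent 32-bit values out of the 32-byte digest, one per hash.
        for i in range(self.k):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m

    def insert(self, digest: bytes) -> None:
        for i in self._indexes(digest):
            self.bits[i // 8] |= 1 << (i % 8)

    def __contains__(self, digest: bytes) -> bool:
        return all((self.bits[i // 8] >> (i % 8)) & 1 for i in self._indexes(digest))


class Network:
    """Routers joined by bidirectional links; every router owns a DigestTable."""

    def __init__(self, links):
        self.neighbors, self.tables = {}, {}
        for a, b in links:
            self.neighbors.setdefault(a, set()).add(b)
            self.neighbors.setdefault(b, set()).add(a)
        for r in self.neighbors:
            self.tables[r] = DigestTable()

    def forward(self, pkt: dict, path: list) -> None:
        """Simulate the packet traversing `path`; each router records its digest."""
        d = packet_digest(pkt)
        for r in path:
            self.tables[r].insert(d)

    def traceback(self, pkt: dict, victim_router: str) -> list:
        """STM-style query: from the victim's router, walk outward only to neighbors
        whose table reports the digest. Returns attack-graph edges (upstream, downstream).
        A Bloom false positive would show up here as a spurious branch."""
        d = packet_digest(pkt)
        if d not in self.tables[victim_router]:
            return []
        edges, visited, queue = [], {victim_router}, deque([victim_router])
        while queue:
            here = queue.popleft()
            for nb in sorted(self.neighbors[here]):
                if nb not in visited and d in self.tables[nb]:
                    edges.append((nb, here))
                    visited.add(nb)
                    queue.append(nb)
        return edges


def attack_sources(edges: list) -> set:
    """Routers that appear only as upstream ends are the ingress points of the attack."""
    downstream = {dn for _, dn in edges}
    return {up for up, _ in edges if up not in downstream}


# Constructed topology and packets.
LINKS = [("R1", "R2"), ("R3", "R2"), ("R2", "R4"), ("R5", "R4")]
ATTACK_PKT = {"src": "10.0.0.7", "dst": "192.0.2.10", "ip_id": 4242, "proto": 6,
              "length": 60, "payload": b"\x00\x50\x1f\x90\xde\xad\xbe\xef"}
NOISE_PKT = {"src": "10.0.0.9", "dst": "192.0.2.10", "ip_id": 17, "proto": 17,
             "length": 80, "payload": b"\x13\x88\x00\x35\x00\x00\x00\x00"}


def demo() -> list:
    """Attack enters at R1, benign traffic at R3; both reach the victim behind R4."""
    net = Network(LINKS)
    net.forward(ATTACK_PKT, ["R1", "R2", "R4"])
    net.forward(NOISE_PKT, ["R3", "R2", "R4"])
    return net.traceback(ATTACK_PKT, "R4")


if __name__ == "__main__":
    edges = demo()
    print("attack graph edges:", edges)
    print("likely ingress routers:", attack_sources(edges))
```

Running the demo recovers the edges R2-R4 and R1-R2 and names R1 as the ingress router, while R3 and R5, which never carried the attack packet, are excluded; querying a network that never saw the packet returns an empty graph. Per-interval paging of the tables is what bounds memory in the real scheme, which is why the filter size and hash count matter so much to its space analysis.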
The issue of DDoS and other types of attacks is large and growing. To date, most solutions rely on
either probabilistic techniques, excessive logging, or enormous infrastructure alteration. The proposed
idea presents a scalable alternative.
Both analytical and simulation results are presented for the proposed scheme. Although the environment
for the simulation results seems quite realistic, the attack simulations seem less so. All are based on
1000 attack packets sent at a constant rate from source to victim. What about attacks involving only
a few packets or irregularly spaced packets? Also, what about the DDoS case in which billions
of packets are involved and SPIE traffic itself may be compromised?
The limitation inherent in any traceback or accountability scheme is that the intended audience
is sophisticated and attempting to break the scheme. In the case of SPIE, although
the measures taken seem appropriate, there will undoubtedly be work-arounds for dedicated crackers.
The major lesson seems to be that efficient traceback can be achieved without overhauling
the Internet or storing every packet ever sent.