Patent Grant
7200105
The present invention relates generally to communications networks and, more particularly, to systems and methods for tracing back points of ingress of attacks in communications networks.
Today's Internet infrastructure is extremely vulnerable to motivated and well-equipped attackers. Tools that may be used in network attacks can be easily obtained through publicly released network vulnerability assessment software or through covert exchanges among “hackers.” Well-publicized “hacking” attacks have focused attention on the security weaknesses that exist in many organization's networks. A series of Denial-of-Service (DoS) attacks were recently orchestrated in a distributed fashion against several high profile web sites of companies, such as Yahoo, eBay and Amazon. These attacks relied on the generation of thousands of IP packets from different sources to effectively deny service to a single victim. An effective DoS attack, however, does not necessarily require the generation of thousands of IP packets. It is well known that a single intruder packet can render a host inoperable for hours. For example, a DoS attack using WinNuke can exploit a bug in the Windows TCP/IP stack that relates to TCP packets with the URGENT or out-of-band (OOB) flag set in the packet header. When a machine receives such a packet, it expects a pointer to the position in the packet where URGENT data ends. Windows typically crashes when the URGENT pointer points to the end of the frame and no “normal” data follows. WinNuke, thus, has become the foundation for similar attacks that use a specially crafted packet to crash remote machines.
Accurate and reliable identification of attackers has been, up to this point, nearly impossible because the network routing structure is stateless and based largely on destination addresses. Thus, no records are kept in the routers and the source address is generally not trustworthy since an attacker can generate IP packets masquerading as originating from almost anywhere. Furthermore, if an attacker is able to infiltrate some other facility first, the attack can be launched from that site, making it harder for the target to identify the original source. Generally, attacks currently can be waged from the safety of complete anonymity.
Therefore, there exists a need for systems and methods capable of tracing back packets to their ingress point in a network, regardless of their claimed point of origin.
Systems and methods consistent with the present invention address this and other needs by providing mechanisms that can archive signatures of packets received at network nodes throughout a network. By comparison matching the archived packet signatures with one or more signatures of an intruder packet, systems and methods consistent with the present invention may determine a path of the intruder packet through the network using known network topology information.
In accordance with the purpose of the invention as embodied and broadly described herein, a method of determining a packet signature in a router includes computing a signature of the router's network address, receiving a packet at the router, zeroing out selected fields in the received packet, and computing a signature of the received packet using the computed signature of the router's network address.
In another implementation consistent with the present invention, a method of archiving signatures associated with packets received at nodes in a network includes receiving packets at a plurality of the nodes in the network; computing first signatures of the network addresses of each of the plurality of nodes; computing one or more second signatures for each of the received packets using the computed first signatures; and archiving the one or more computed second signatures in a memory device.
In a further implementation consistent with the present invention, a method of archiving signatures associated with packets received at nodes in a network includes receiving packets at a plurality of the nodes in the network; computing first signatures of the network addresses of each of the plurality of nodes; computing one or more second signatures for each of the received packets using the computed first signatures; and archiving the one or more computed second signatures in a memory device.
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate an embodiment of the invention and, together with the description, explain the invention. In the drawings,
The following detailed description of the invention refers to the accompanying drawings. The same reference numbers in different drawings identify the same or similar elements. Also, the following detailed description does not limit the invention. Instead, the scope of the invention is defined by the appended claims.
Systems and methods consistent with the present invention provide mechanisms for archiving signatures of packets received at network nodes throughout a network. By comparison matching the archived packet signatures with one or more signatures of an intruder packet detected by an intrusion detection system, systems and methods consistent with the present invention may determine paths of the intruder packet through the network based on a knowledge of the network topology.
Each intrusion detection system 120 may include conventional mechanisms for detecting and reporting attacks upon a victim's network 125. Traceback manager 110 may include functionality for requesting the signatures of packets received at each router connected to a collection agent 115-1–115-N. Traceback manager 110 may request the packet signatures from collection agents 115-1–115-N based on attack reports received from an intrusion detection system 120.
Processing unit 405 may perform all data processing functions for inputting, outputting, and processing of data. Memory 410 may include Random Access Memory (RAM) that provides temporary working storage of data and instructions for use by processing unit 405 in performing processing functions. Memory 410 may additionally include Read Only Memory (ROM) that provides permanent or semi-permanent storage of data and instructions for use by processing unit 405. Memory 410 can also include large-capacity storage devices, such as a magnetic and/or optical recording medium and its corresponding drive.
Input device 415 permits entry of data into intrusion detection system 120 and may include a user interface (not shown). Output device 420 permits the output of data in video, audio, or hard copy format. Network interface(s) 425 interconnect intrusion detection system with LAN 305 and network 105. Bus 430 interconnects the various components of intrusion detection system 120 to permit the components to communicate with one another.
As illustrated, router 205 may include multiple input interfaces 505-1 through 505-R, a switch fabric 510, multiple output interfaces 515-1–515-S, and a data generation agent 520. Each input interface 505 of router 205 may further include routing tables and forwarding tables (not shown). Through the routing tables, each input interface 505 may consolidate routing information learned from the routing protocols of the network. From this routing information, the routing protocol process may determine the active route to network destinations, and install these routes in the forwarding tables. Each input interface may consult a respective forwarding table when determining a next destination for incoming packets.
In response to consulting a respective forwarding table, each input interface 505 may either set up switch fabric 510 to deliver a packet to its appropriate output interface 515, or attach information to the packet (e.g., output interface number) to allow switch fabric 510 to deliver the packet to the appropriate output interface 515. Each output interface 515 may queue packets received from switch fabric 510 and transmit the packets on to a “next hop.”
Data generation agent 520 may include mechanisms for computing one or more signatures of each packet received at an input interface 505, or output interface 515, and storing each computed signature in a memory (not shown). Data generation agent 520 may use any technique for computing the signatures of each incoming packet. Such techniques may include hashing algorithms (e.g., MD5 message digest algorithm, secure hash algorithm (SHS), RIPEMD-160), message authentication codes (MACs), or Cyclical Redundancy Checking (CRC) algorithms, such as CRC-32.
Data generation agent 520 may be internal or external to router 205. The internal data generation agent 520 may be implemented as an interface card plug-in to a conventional switching background bus (not shown). The external data generation agent 520 may be implemented as a separate auxiliary device connected to the router through an auxiliary interface. The external data generation agent 520 may, thus, act as a passive tap on the router's input or output links.
Each signature tap 610a–610n may produce one or more signatures of each packet received by a respective input interface 505-1–505-R (or, alternatively, a respective output interface 515-1–515-S). Such signatures typically comprise k bits, where each packet may include a variable number of p bits and k<p. FIFO queues 605a–605n may store packet signatures received from signature taps 610a–610n. MUX 615 may selectively retrieve packet signatures from FIFO queues 605a–605n and use the retrieved packet signatures as addresses for setting bits in RAM 620 corresponding to a signature vector. Each bit in RAM 620 corresponding to an address specified by a retrieved packet signature may be set to a value of 1, thus, compressing the packet signature to a single bit in the signature vector.
RAM 620 collects packet signatures and may output, according to instructions from controller 630, a signature vector corresponding to packet signatures collected during a collection interval R. RAM 620 may be implemented in the present invention to support the scaling of data generation agent 520 to very high speeds. For example, in a high-speed router, the packet arrival rate may exceed 640 Mpkts/s, thus, requiring about 1.28 Gbits of memory to be allocated to signature storage per second. Use of RAM 620 as a signature aggregation stage, therefore, permits scaling of data generation agent 520 to such higher speeds.
Ring buffer 625 may store the aggregated signature vectors from RAM 620 that were received during the last P seconds. During storage, ring buffer 625 may index each signature vector by collection interval R. Controller 630 may include logic for sending control commands to components of data generation agent 520 and for retrieving signature vector(s) from ring buffer 625 and forwarding the retrieved signature vectors to a collection agent 115.
Though the addresses in RAM 620 indicated by packet signatures retrieved from FIFO queues 605a–605n may be random (requiring a very high random access speed in RAM 620), the transfer of packet signatures from RAM 620 to ring buffer 625 can be achieved with a long burst of linearly increasing addresses. Ring buffer 625, therefore, can be slower in access time than RAM 620 as long as it has significant throughput capacity. RAM 620 may, thus, include a small high random access speed device (e.g., a SRAM) that may aggregate the random access addresses (i.e., packet signatures) coming from the signature taps 505 in such a way as to eliminate the need for supporting highly-random access addressing in ring buffer 625. The majority of the signature storage may, therefore, be achieved at ring buffer 625 using cost-effective bulk memory that includes high throughput capability, but has limited random access speed (e.g., DRAM).
Signature tap 610 may pass each of the computed packet signatures to a FIFO queue 605 [step 730]. MUX 615 may then extract the queued packet signatures from an appropriate FIFO queue 605 [step 735]. MUX 615 may further set bits of the RAM 620 bit addresses specified by each of the extracted packet signatures to 1 [step 740]. Each of the N k-bit packet signatures may, thus, correspond to a bit address in RAM 620 that is set to 1. The N k-bit packet signatures may, therefore, be represented by N bits in RAM 620.
Ring buffer 625 may further discard stored signature vectors that are older than P seconds [step 820]. Alternatively, at optional step 825 (
To begin point of ingress traceback processing, intrusion detection system 120 may determine an occurrence of an intrusion event [step 1105]. In response to the determination, intrusion detection system 120 may capture an intruder packet associated with the intrusion event and send a query message to traceback manager 110 that includes the captured intruder packet [step 1110]. Traceback manager 110 may receive the query message from intrusion detection system 120 and verify the authenticity and/or integrity of the message using conventional authentication and error correction algorithms [step 1115]. Traceback manager 110 may request collection agents 115-1–115-N to poll their respective data generation agents 520 for stored signature vectors [step 1120]. Traceback manager 110 may send a message including the intruder packet to the collection agents 115-1–115-N [step 1125].
Collection agents 115-1–115-N may receive the message from traceback manage 110 that includes the intruder packet [step 1205]. Collection agents 115-1–115-N may generate a packet signature of the received intruder packet [step 1210] using the same hashing, MAC code, or Cyclical Redundancy Checking (CRC) algorithms used in the signature taps 610 of data generation agents 520. Collection agents 115-1–115-N may then query pertinent data generation agents to retrieve signature vectors, stored in respective ring buffers 625, that correspond to the intruder packet's expected transmit time range at each data generation agent [act 1215]. Collection agents 115-1–115-N may search the retrieved signature vectors for matches with the received intruder packet signature [step 1220]. If there are any matches, processing may continue with either steps 1225–1230 of
At step 1225, collection agents 115a–115n use the packet signature matches and stored network topology information to construct a partial attack graph. For example, collection agents 115-1–115-N may implement conventional graph theory algorithms for constructing a partial attack graph. Such graph theory algorithms, for example, may construct a partial attack graph using the victim's network 125 as a root node and moving backwards to explore each potential path where the intruder packet has been. Each collection agent 115-1–115-N may store limited network topology information related only to the routers 205 to which each of the collection agents is connected. Collection agents 115-1–115-N may then send their respective partial attack graphs to traceback manager 110 [step 1230].
At step 1305, collection agents 115-1–115-N retrieve stored signature vectors based on a list of active router interface identifiers. Collection agents 115-1–115-N may append interface identifiers to the received intruder packet signature and compute a packet signature(s) [step 1310]. Collection agents 115-1–115-N may search the retrieved signature vectors for matches with the computed packet signature(s) [step 1315]. Collection agents 115-1–115-N may use the packet signature matches and stored topology information to construct a partial attack graph that includes the input interface at each router 205 through which the intruder packet arrived [step 1320]. Collection agents 115-1–115-N may each then send the constructed partial attack graph to traceback manager 110 [step 1325].
Traceback manager 110 may receive the partial attach graphs sent from collection agents 115-1–115-N [step 1405]. Traceback manager 110 may then use the received partial attack graphs and stored topology information to construct a complete attack graph [step 1410]. The complete attack graph may be constructed using conventional graph theory algorithms similar to those implemented in collection agents 115-1–115-N.
Using the complete attack graph, traceback manager 110 may determine the ingress point of the intruder packet into network 105 [step 1415]. Traceback manager 110 sends a message that includes the determined intruder packet ingress point to the querying intruder detection system 120 [step 1420].
Systems and methods consistent with the present invention, therefore, provide mechanisms that permit the archival of signatures of packets received at nodes throughout a network. Through comparison matching of the archived packet signatures with one or more signatures of an intruder packet detected by an intrusion detection system, systems and methods consistent with the present invention may isolate one or more attack paths of the intruder packet through the network based on a knowledge of the network topology.
The foregoing description of exemplary embodiments of the present invention provides illustration and description, but is not intended to be exhaustive or to limit the invention to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practice of the invention. For example, while certain components of the invention have been described as implemented in hardware and others in software, other configurations may be possible. Also, while series of steps have been described with regard to
The instant application claims priority from provisional application No. 60/261,571, filed Jan. 12, 2001, the disclosure of which is incorporated by reference herein in its entirety. The instant application is related to co-pending application Ser. No. 09/881,145, entitled “Method and Apparatus for Identifying a Packet” and filed Jun. 14, 2001, and co-pending application Ser. No. 09/881,074, entitled “Method and Apparatus for Tracing Packets” and filed Jun. 14, 2001, the disclosures of which are incorporated by reference herein.
The U.S. Government has a paid-up license in this invention and the right in limited circumstances to require the patent owner to license others on reasonable terms as provided for by the terms of Contract No. N66001-00-C-8038, awarded by the Department of the Navy.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5761531 | Ohmura et al. | Jun 1998 | A |
| 5765030 | Nachenberg et al. | Jun 1998 | A |
| 5802522 | Lloyd et al. | Sep 1998 | A |
| 5959976 | Kuo | Sep 1999 | A |
| 6038233 | Hamamoto et al. | Mar 2000 | A |
| 6134662 | Levy et al. | Oct 2000 | A |
| 6138254 | Voshell | Oct 2000 | A |
| 6223172 | Hunter et al. | Apr 2001 | B1 |
| 6266337 | Marco | Jul 2001 | B1 |
| 6279113 | Vaidya | Aug 2001 | B1 |
| 6389419 | Wong et al. | May 2002 | B1 |
| 6397259 | Lincke et al. | May 2002 | B1 |
| 6424650 | Yang et al. | Jul 2002 | B1 |
| 6430184 | Robins et al. | Aug 2002 | B1 |
| 6438612 | Ylonen et al. | Aug 2002 | B1 |
| 6519264 | Carr et al. | Feb 2003 | B1 |
| 6662230 | Eichstaedt et al. | Dec 2003 | B1 |
| 6707915 | Jobst et al. | Mar 2004 | B1 |
| 6782503 | Dawson | Aug 2004 | B1 |
| 6804237 | Luo et al. | Oct 2004 | B1 |
| 6842861 | Cox et al. | Jan 2005 | B1 |
| 6859433 | Chen et al. | Feb 2005 | B1 |
| 6870849 | Callon et al. | Mar 2005 | B1 |
| 6909205 | Corcoran et al. | Jun 2005 | B2 |
| 6947442 | Sato et al. | Sep 2005 | B1 |
| 6978223 | Milliken | Dec 2005 | B2 |
| 6981158 | Sanchez et al. | Dec 2005 | B1 |
| 6990591 | Pearson | Jan 2006 | B1 |
| 7043759 | Kaashoek et al. | May 2006 | B2 |
| 7062782 | Stone et al. | Jun 2006 | B1 |
| 20010000821 | Kolodner et al. | May 2001 | A1 |
| 20020001384 | Buer et al. | Jan 2002 | A1 |
| 20020032871 | Malan et al. | Mar 2002 | A1 |
| 20020071438 | Singh | Jun 2002 | A1 |
| 20030061502 | Tablyashkin et al. | Mar 2003 | A1 |
| 20030097439 | Strayer et al. | May 2003 | A1 |
| 20030110393 | Brock et al. | Jun 2003 | A1 |
| 20030167402 | Stolfo et al. | Sep 2003 | A1 |
| 20030233557 | Zimmerman | Dec 2003 | A1 |
| 20040103315 | Cooper et al. | May 2004 | A1 |
| 20050014749 | Chen et al. | Jan 2005 | A1 |
| 20050057129 | Jones et al. | Mar 2005 | A1 |
| 20050102520 | Baxter et al. | May 2005 | A1 |
| 20050213570 | Stacey et al. | Sep 2005 | A1 |
| Number | Date | Country |
|---|---|---|
| WO 0028420 | May 2000 | WO |
| Number | Date | Country | |
|---|---|---|---|
| 60261571 | Jan 2001 | US |
