[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
attacks on trajectory sampling
One of the uses of hash-based sampling (trajectory sampling)
is in attack detection and diagnosis, because trajectory
sampling provides full paths of packets, even if source
addresses are spoofed.
However, there is a possibility that an attacker
tries to defeat trajectory sampling by manufacturing packets
that all hash to the same value. To counter this, psamp
allows for a configurable interval to make sampling decisions;
by moving this interval from time to time, we avoid that an
attacker knows "where to hit".
However, this still makes it possible for an attacker
to manufacture a large set of packets that either
all get picked up or not (with reasonable sampling rates,
it would with high probability not be picked up and go
"under the radar screen"). This may still be dangerous,
because (a) if none are picked up, it may be a way
to evade TS measurements when mounting a DDoS attack,
and (b) if all are picked up, the psamp device or the
collector may get overloaded.
Here's a possible solution: instead of making sampling
decisions of the form
sample if h(x) in [a,a+r-1]
(where x is the packet, h the hash function, a the
lower interval boundary, r the range)
we could use instead
sample if h(x,s) in [0,r-1]
where s is a secret "seed" value, chosen out of a
possibly large set (this is equivalent, of course,
of having a large family h_s(.) of different hash
The advantage of this is that without knowledge of s,
the only way to have a set of packets result in
identical sampling decisions is by making the packets
themselves exactly identical (over the fields that
the hash function is computed over), because without
knowledge of s, an attacker would be unable
to determine the right "dummy information" in a packet
to force the same h(x,s). This dummy information depends
on the secret value s, in contrast to the current
approach, where the attacker only needs to know the
I think this might be a significant advantage, because many
attacks require that packets are not identical.
For example, a port scan requires that the dest port number
varies from packet to packet; a SYN attack would have to come
from many different (possibly spoofed) sources to be effective
(in order to force lots of half-open TCP connections).
Pretty much the only thing you can do with perfectly
identical packets is a raw bandwidth overload - which
is probably easy to detect with other techniques (SNMP,
"normal" sampling on the overloaded link, etc.) and easy
to defeat (a filter for exactly these packets).
to unsubscribe send a message to firstname.lastname@example.org with
the word 'unsubscribe' in a single line as the message text body.