Design of Network-based Connection Traceback System for Current Internet Environment

Yang-seo Choi, Hwan-kuk Kim, Byong-cheol Choi, Dong-ho Kang, Seung-wan Han, Dong-il Seo
Anti-Cyber Terror Team, Electronics and Telecommunications Research Institute
161, Gajeong-Dong, Youseoung-Gu, Daejeon, Korea

Abstract: Recently the number of Internet users has increased very sharply, and the number of intrusions has increased along with it. Consequently, security products are being developed and deployed to protect systems and networks from hacking and intrusion. Even where security products are deployed, however, hackers can still attack a system and obtain special privileges, because security products cannot protect a system and network from every instance of hacking and intrusion. Researchers have therefore focused on active hacking prevention methods and have tried to develop a traceback system that can find the real location of an attacker. At present, however, because of the Internet's diversity, there is no traceback system that can be adapted to it. To overcome this problem, this paper proposes a traceback system that can be adapted to the current Internet environment. The system is a network-based connection traceback system that uses the packet watermarking technique, called the Attacking Connection Traceback (ACT).

Key-Words: Hacking, Connection Traceback, Security, Packet Watermark

1 Introduction

The Internet is already a part of everyday life because it is very convenient and almost everything that can be done in real life can be done online. As can be seen in Fig. 1, along with the increase in the use of the Internet, the various attacks carried out through the Internet have also increased greatly [1]. In response to these infringement incidents, security companies have developed numerous security reinforcement systems to protect systems and networks from various intrusions. However, these systems have some problems.

Security reinforcement systems developed up to now cannot limit the hacking attempts themselves; they only make hacking more difficult. That is, they cannot cope with a hacker's spontaneous hacking attempts because security products can only defend passively. Furthermore, since the security reinforcement systems deployed on the Internet are very varied, mutual cooperation against a hacker's attack is almost impossible. Because of such problems, hacking attempts are increasing and cannot be defended against effectively. To solve these problems, considerable effort has gone into developing an active hacking prevention system that can limit a hacker's hacking attempts. Researchers have found that the traceback system is the most important component of such a system, and interest in traceback technology is growing enormously. Although it is still at an elementary level, research on traceback technology has begun. However, because of the variety and anonymity of the Internet, none of the traceback systems proposed up to now can be applied in the current Internet environment. Consequently, we propose a real-time connection traceback system that not only utilizes the packet watermark technique but can also be applied to the current Internet environment.

[Fig. 1 Number of intrusions by year [1]: bar chart of CERT/CC incident statistics (incidents per year); the chart values are not recoverable from the transcription]

2 What is the Traceback?

2.1 Definition of Traceback

The traceback system can be defined as follows.

Definition 1. Traceback System: A system that searches for the attacker's actual position using real-time, automated techniques.

An attacker means a hacker who attacks a system, makes an intrusion or commits cyber crimes. The traceback system should be automated and executed in real time, just like any other security system.

2.2 Characteristics and Classification of the Traceback

The traceback system can be classified according to the two kinds of problems that make traceback difficult. The first problem occurs when a hacker attacks in a roundabout way. Hackers usually attack a system via many other systems; an intrusion made through several such systems is known as a roundabout attack. If a system is attacked in this way, all the middle systems the hacker has passed through should be examined to find the hacker's actual position. Furthermore, this must be done in reverse order and repeatedly, because no information about the real hacker or the hacker's system can be found in the attacked system. The second problem occurs when the IP address of a packet sent by the hacker has been changed. If the IP address has been changed, it is impossible to tell where the packet came from, and it is very difficult to find the actual position of the packet sender. According to these two kinds of problems, traceback systems are classified into connection traceback systems and IP packet traceback systems [2].

2.2.1 Connection Traceback System

[Fig. 2 Connection Traceback: Hacker -> Host A -> Host B over the Internet, one attack connection per hop; at Host B, Host A's information can be found, and at Host A, the hacker's information can be found]

The definition of Connection Traceback is as follows:

Definition 2. Connection Traceback System: The traceback system that chases a hacker's actual position in real time for cases in which the hacker has attacked in a roundabout way.

As mentioned before, the connection traceback system is a traceback system that can be used to chase the hacker's real position when the hacker attacks in a roundabout way via several middle systems. In practice, the connection traceback system tries to find the hosts or connections that are included in a connection chain. The connection chain can be defined as follows:

Definition 3. Connection Chain [9]: When a user on a computer H0 logs into another computer H1 via a network, a TCP connection C1 is established between them. When the user logs from H1 into another computer H2, and then H3, ..., Hn successively in the same way, TCP connections C2, C3, ..., Cn are established respectively on each link between the computers. We call this sequence of connections C = (C1, C2, ..., Cn) a connection chain.

[Fig. 3 Connection Chain: H0 -C1- H1 -C2- H2 -C3- H3 -C4- ... -Cn- Hn over the network]

Tracing the source of an intrusion through a connection chain over the Internet is very difficult. It requires network-wide collaboration among hosts in the network, yet some of those hosts may have been compromised and may not be trustworthy. For a network security mechanism, tracing the source of an intrusion should be based on trust in appropriate network resources, and the mechanism needs to be robust against compromised hosts in the network. To trace back the chained connections through multiple hosts, effective correlation is needed at intermediate nodes. Because a network-based intrusion in today's high-speed networks can be very short, the correlation at intermediate nodes needs to be fast and accurate. Additionally, to scale the tracing system to the Internet, it should have minimal overhead while providing a fast response to a detected network-based intrusion [4].

Since the only connection traceback technique currently in use involves chasing by humans, there are several problems. First, if the middle systems are located very far from each other, it takes too much time and effort to examine the log files and find the hacker's real position. Second, it is not possible to respond quickly to hacking incidents and intrusions. Third, if during a traceback it is not possible to get information from the middle systems, the whole traceback fails, because the traceback techniques depend solely on system log files. Because of these problems, an automated and real-time traceback system is needed.

In general, connection traceback systems can be classified into host-based and network-based connection traceback systems [4]. The host-based connection traceback system traces back using various host-based log records. To accomplish a complete traceback with a host-based connection traceback system, a traceback module would have to be installed in every host on the Internet. As can be seen in Fig. 2, the host-based connection traceback system must analyze the logs of Host A after analyzing those of Host B to chase the hacker's actual position. If the traceback module is not installed in even one system in the traceback path, it is impossible to chase further, rendering the whole traceback impossible. Therefore, it is impossible to apply the host-based connection traceback system in the current Internet environment. The fundamental problem with the host-based tracing approach is its trust model. Host-based tracing places its trust in the monitored hosts themselves; specifically, it depends on the correlation of connections at every host in the connection chain. If one host is compromised and provides misleading correlation information, the whole tracing system is fooled as well.
Because host-based tracing requires the participation and trust of every host involved in the network-based intrusion, it is very difficult to apply in the context of the public Internet [4].

The network-based connection traceback system extracts the information for traceback from packets transmitted on the network. To do this, traceback modules should be installed on network nodes that can identify the network packets. Almost every network-based connection traceback system proposed so far chases the hacker's actual location by confirming whether or not a connection is included in the same connection chain as the attacking connection. Until now, however, no complete network-based connection traceback system has been proposed; there are only several algorithms that can be used to decide whether connections belong to the same connection chain. There is another kind of traceback system that can only be used over the Active Network. Although it is counted among the network-based connection traceback systems, it can only be adapted to the Active Network, making it impossible to utilize in the current Internet environment.

2.2.2 IP Packet Traceback System

The definition of IP Packet Traceback is as follows:

Definition 4. IP Packet Traceback System: The traceback system that identifies the real position of the system sending IP-address-spoofed packets.

The IP packet traceback system is usually used to find the real position of the sender of IP-spoofed packets. In practice, IP-address-spoofed packets are used in Distributed Denial of Service (DDoS) attacks. IP spoofing attacks were also used to obtain special privileges; these days, however, because of the difficulty of maintaining a connection, this is not used in traditional hacking. Since the IP packet traceback system is not the focus of this study, it will not be mentioned again.

3 Related Works

The network-based connection traceback system is the focus of this paper, so only research related to the connection traceback system will be examined.

3.1 CIS (Caller Identification System)

The Caller Identification System (CIS) [5] is another host-based tracing mechanism. It eliminates centralized control by utilizing a truly distributed model. Each host along the login chain keeps a record of its view of the login chain up to that point. When the user from the (n-1)th host attempts to log onto the nth host, the nth host asks the (n-1)th host about its view of the login chain for that user, which, ideally, should be 1, 2, ..., n-1. The nth host then queries hosts n-1 to 1 about their views of the login chain, and so on. Only when the login chain information from all queried

hosts matches will the login be granted at the nth host. While the CIS attempts to maintain the integrity of the login chain by reviewing information from hosts along the login chain, it introduces excessive overhead to the normal login process.

3.2 Thumbprint-based Approach

The thumbprint is a pioneering correlation technique that utilizes a small quantity of information to summarize connections. Ideally, it can uniquely distinguish a connection from unrelated connections and correlate the related connections in the same connection chain. While thumbprinting can be useful even when only part of the Internet implements it, it depends on clock synchronization to match the thumbprints of corresponding intervals of connections. It is also vulnerable to retransmission variation, which severely limits its usefulness in real-time tracing [4, 7].

3.3 Timing-based Approach

The timing-based scheme of Zhang and Paxson [8] is a novel network-based correlation scheme for detecting stepping stones across the connection chain. The correlation is based on the distinctive timing characteristics of interactive traffic rather than on connection contents. It has pioneered new ways of correlating encrypted connections; it requires no clock synchronization; and it is robust against retransmission variation. However, because its timing characteristics are defined over the entire duration of each connection to be correlated, it is difficult to use in real-time correlation [4, 8].

3.4 Deviation-based Approach

The deviation-based approach [9] by Yoda and Etoh is another network-based correlation scheme. It defines the minimum average delay gap between the packet streams of two TCP connections as the deviation. The deviation considers both timing characteristics and the TCP sequence number, and it does not depend on the TCP payload. Like the timing-based approach, the deviation-based approach does not require clock synchronization and is robust against retransmission variation. However, it is difficult to use in real-time correlation, as the deviation is defined over all the packets of a connection. Another drawback of the deviation-based approach is that it correlates only TCP connections [4, 9].

3.5 SWT (Sleepy Watermark Tracing)

The Sleepy Watermark Tracing (SWT) system is the base of the approach taken in this paper. It uses a watermarked packet to trace the hacker's real location: a watermark is inserted into the reply packets created in response to an attack, and the watermarked packets are traced. The SWT system, however, must be coordinated with watermark-enabled applications, that is, network service applications that have been modified to inject arbitrary watermarks upon request. Therefore, to use SWT, those applications need to be supplied. Furthermore, to apply the SWT system, a guardian gateway needs to be installed on the network. These are big problems for this mechanism in the current Internet environment [4].

4 ACT

In this paper, a new traceback system that can be utilized in the current Internet environment is proposed. The name of this traceback system is Attacking Connection Traceback (ACT). The ACT system is based on SWT and, like SWT, uses watermarks. However, as mentioned before, this approach can be adapted to the current Internet environment. Though very different from the SWT system, it has the same potential advantages:

- Separates intrusion tracing from intrusion detection
- Does not need to record all the concurrent connections
- Requires no clock synchronization
- Traces only when needed
- Accurate and efficient
- Can be implemented efficiently

Furthermore, the ACT has further advantages, which are described in section 4.3. There are two assumptions that motivate and constrain the ACT design, almost the same as those of SWT. First, the intrusions are interactive and bidirectional; second, there is no encrypted connection. The first assumption represents this study's assessment of the nature of intrusions: intrusions here are those attacks that aim to gain

unauthorized access rather than those that deny service. The second assumption represents the inherent limitation of any tracing based on network contents: encrypted connections are not considered here.

4.1 Construction

The ACT system consists of four subsystems: the IDS, the Packet Drop System, the Path Traceback System and the Watermark Detection System.

4.1.1 IDS (Intrusion Detection System)

The purpose of the IDS is only to check whether hacking has been attempted or not. Consequently, any kind of network-based IDS can be used for the ACT system. Many kinds of IDS are widely used nowadays, and they can be used even if they are already installed on a network.

4.1.2 Packet Drop System

The Packet Drop System is used to drop the reply packets from an attacked system. The drop policy is decided by the source and destination IP addresses and port numbers. In a normal situation it does nothing; this function is activated only when an attack has happened. The drop policy is as follows:

- Source IP Address: attacked system
- Destination IP Address: attacking system (hacker's system)
- Source Port Number: attacked application port number
- Destination Port Number: attacking application port number

Since this is the same function as a firewall, a firewall is used as the Packet Drop System in this study.

4.1.3 Path Traceback System

The Path Traceback System is activated by an intrusion alert from the IDS. When activated, it blocks the specified connection using the connection information received from the IDS, which identifies the connection used by the hacker. It then inserts a watermark into the reply packet and sends it to the hacker's system. The watermark is created just as in SWT: it contains some information and backspace characters, and it is inserted into the data field of a packet, so the watermark must arrive at the hacker's system. The Path Traceback System also constructs the path from the attacked system to the real hacker's system, using the information received from other ACT systems or Watermark Detection Systems.

4.1.4 Watermark Detection System

The Watermark Detection System is a monitoring system that monitors all the packets transmitted through a network and identifies whether or not a packet carries a watermark. If a watermark has been inserted, it extracts the watermark and sends the detection information to the original place where the traceback was initiated. The watermark consists of an IP address and an attack signature; the IP address is that of the ACT system that inserted the watermark into the packet. This system can be installed individually in the same position as an ISP's backbone router, where it can detect the watermark, and this placement enables the watermark to be detected more efficiently. As can be seen in Fig. 4, the ACT system can be installed in the current Internet environment and can work with already installed security systems.

[Fig. 4 Construction of ACT for the current Internet environment: the components shown are the Intranet, IDS, router or switch, Packet Drop System (firewall), Path Traceback System, Watermark Detection System, switch, border router and the Internet]

All the systems in Fig. 4 are typical network components: IDS, firewall, border router and switch. The IDS and Packet Drop System (firewall) are systems already in use; the ACT uses them with minimal modification so that they interact with each other. Only the Path Traceback System and the Watermark Detection System are newly installed. They would be installed in a host connected to the inner router and the outer switch, so that the watermarked packet can be sent outside the network without being blocked by the Packet Drop System (firewall).

4.2 Scenarios

First, when the ACT system is activated, the IDS and the Watermark Detection System monitor the network packets. The subsequent scenario is explained in Fig. 5 and Fig. 6 as follows:

(1) Intrusion occurs: an attack is attempted by a hacker
(2) Intrusion detection: the attack is detected by the IDS
(3) Intrusion alert received: the Path Traceback System receives the intrusion detection information from the IDS and starts the traceback
(4) Packet drop policy update
(5) Reply: reply packets are created and sent to the attacker by the attacked system
(6) Collect the reply packets: the Path Traceback System collects the reply packets
(7) Packet drop: all the reply packets are dropped by the Packet Drop System
(8) Watermark creation and insertion: the Path Traceback System creates a watermark and inserts it into the reply packets
(9) Send the watermarked packets to the attacker

[Fig. 5 ACT scenarios for the internal network, 1: victim host and IDS; steps (1) Attack, (2) Intrusion Detection, (3) Alarm (to PTS), (5) Reply]

[Fig. 6 ACT scenarios for the internal network, 2: Packet Drop System (firewall), Path Traceback System and Watermark Detection System; steps (3) Alarm (from IDS), (4) Policy Update, (5) Reply, (6) Packet Capture, (7) Packet Drop, (8) Watermark Creation & Insertion, (9) Watermarked Packet Transfer]

Fig. 7 shows how the traceback progresses once the watermarked packet is sent. After the watermarked packet is sent to an external network, the ACT system that activated the traceback waits for responses from other ACT systems. With these responses the Path Traceback System constructs the path to the real hacker. All ACT systems should respond if they find the watermarked packet. The subsequent steps are as follows:

(10) Traceback starting
(11) Watermarked packet detection 1
(12) Watermark detection signal sending 1
(13) Watermarked packet detection 2
(14) Watermark detection signal sending 2
(15) Watermarked packet detection 3
(16) Watermark detection signal sending 3
(17) Path construction and traceback complete

[Fig. 7 Traceback scenarios in the external networks: the ACT system in the victim's intranet starts the traceback (10) and confirms the hacker's location after path construction (17); ACT systems in the intermediate networks and in the hacker's intranet detect the watermarked packet (WP) and send WP detection signals (11)-(16) back along the attack connection]

As can be seen in Fig. 7, the watermarked packet follows the attack connection in the reverse direction, and because the watermark is inserted in the data field, it must reach the hacker's system. The watermarked packet is detected twice in each network that contains a middle system and once in the network that contains the hacker. This can be used to construct the tracing path.

4.3 Characteristics of ACT

4.3.1 Low Overhead

The ACT system is not activated until an intrusion has occurred; until then it only monitors packets to determine whether or not they carry a watermark. Consequently, until the real traceback has started it uses a very small amount of system resources.
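The Packet Drop policy of section 4.1 and the traceback scenario of section 4.2, steps (4) to (17), worked through as an added Python example; this is not code from the paper or from the ACT system itself. It assumes a constructed chain hacker -> Host A -> Host B -> victim with a Watermark Detection System in every network, made-up addresses, ports and an IDS alert label, a constructed watermark byte layout (the paper only says the watermark carries the inserting ACT system's IP address and an attack signature together with backspace characters), and that each middle host copies the received data field onto its own upstream connection, which is what makes the watermark visible twice in a middle network. The function names (make_watermark, observe, construct_path and so on) are this example's own. Path construction applies the paper's rule that a middle system's network reports the watermark twice and the hacker's network once, and marks any other count as unresolved instead of guessing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed watermark layout (the paper gives no byte format): visible text holding
# the ACT system's IP and the attack signature, then one backspace per visible
# byte so an interactive terminal at the far end erases it from the screen.
WM_RE = re.compile(rb"<ACT:(?P<ip>[0-9.]+)\|(?P<sig>[^>]+)>")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class DropPolicy:
    """Packet Drop System rule (section 4.1): the victim's replies on the attacking connection."""
    attacked_ip: str
    attacked_port: int
    attacker_ip: str
    attacker_port: int

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) == (
            self.attacked_ip, self.attacked_port, self.attacker_ip, self.attacker_port)


def make_watermark(act_ip: str, signature: str) -> bytes:
    visible = b"<ACT:" + act_ip.encode() + b"|" + signature.encode() + b">"
    return visible + b"\x08" * len(visible)


def insert_watermark(reply: Packet, watermark: bytes) -> Packet:
    # Step (8): append to the data field; addressing is unchanged so the packet
    # still belongs to the attacking connection.
    return Packet(reply.src_ip, reply.dst_ip, reply.src_port, reply.dst_port,
                  reply.payload + watermark)


def detect_watermark(payload: bytes) -> Optional[Tuple[str, str]]:
    m = WM_RE.search(payload)
    return None if m is None else (m["ip"].decode(), m["sig"].decode())


@dataclass(frozen=True)
class DetectionSignal:
    detector_ip: str    # Watermark Detection System that saw the packet
    origin_act_ip: str  # ACT system that inserted the watermark
    signature: str
    seen_to: str        # destination of the observed packet


def observe(detector_ip: str, pkt: Packet) -> Optional[DetectionSignal]:
    """Watermark Detection System: report a found watermark back to its origin."""
    found = detect_watermark(pkt.payload)
    return None if found is None else DetectionSignal(detector_ip, found[0], found[1], pkt.dst_ip)


def construct_path(victim_ip: str, origin_act_ip: str, signature: str,
                   signals: List[DetectionSignal]) -> List[Tuple[str, str]]:
    """Step (17), signals in arrival order: a network reporting twice (arrive,
    then leave on the relayed connection) holds a middle system; the last
    network, reporting once, is the hacker's; any other count is unresolved."""
    hops: List[Tuple[str, str]] = []
    counts: Dict[str, int] = {}
    for s in signals:
        if (s.origin_act_ip, s.signature) != (origin_act_ip, signature):
            continue  # belongs to another traceback
        counts[s.detector_ip] = counts.get(s.detector_ip, 0) + 1
        if counts[s.detector_ip] == 1:
            hops.append((s.seen_to, s.detector_ip))
    path = [(victim_ip, "victim")]
    for i, (host, det) in enumerate(hops):
        if counts[det] == 2:
            role = "middle system"
        elif counts[det] == 1 and i == len(hops) - 1:
            role = "hacker"
        else:
            role = "unresolved"
        path.append((host, role))
    return path


def run_scenario() -> Tuple[bool, List[Tuple[str, str]]]:
    """Constructed chain hacker -> host_a -> host_b -> victim; every network has
    its own Watermark Detection System. All addresses, ports and labels are made up."""
    hacker, host_a, host_b, victim = "10.3.0.9", "10.2.0.7", "10.1.0.7", "10.0.0.10"
    det_h, det_a, det_b, origin_act = "10.3.0.1", "10.2.0.1", "10.1.0.1", "10.0.0.1"
    sig = "telnet-bruteforce"                       # label from the IDS alert, step (3)
    policy = DropPolicy(victim, 23, host_b, 40123)  # step (4)
    reply = Packet(victim, host_b, 23, 40123, b"Login incorrect\r\n")  # step (5)
    dropped = policy.matches(reply)                                    # step (7)
    wm_pkt = insert_watermark(reply, make_watermark(origin_act, sig))  # steps (8), (9)
    # Each middle host copies the data field onto its own upstream connection,
    # so its network sees the watermark arrive and then leave.
    relayed_b = Packet(host_b, host_a, 23, 51512, wm_pkt.payload)
    relayed_a = Packet(host_a, hacker, 23, 60007, relayed_b.payload)
    # An unrelated watermark from another ACT system must not pollute this path.
    other = Packet("10.9.0.5", hacker, 23, 1, make_watermark("10.9.0.1", "other"))
    observed = [observe(det_b, wm_pkt), observe(det_b, relayed_b), observe(det_a, relayed_b),
                observe(det_a, relayed_a), observe(det_h, relayed_a), observe(det_h, other)]
    signals = [s for s in observed if s is not None]
    return dropped, construct_path(victim, origin_act, sig, signals)
```

run_scenario() returns True for the dropped victim reply and the path victim -> Host B (middle system) -> Host A (middle system) -> hacker. The origin/signature check in construct_path is what keeps two concurrent tracebacks, or a watermark from another ACT system, from being merged into one path; the "unresolved" role surfaces the case the paper flags in section 4.3, where a network without a complete pair of detections cannot be placed with confidence.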

4.3.2 Adaptable to the Current Internet Environment

When developing a system, the most important thing is its usability. Because of the diversity of the Internet, few traceback systems can be adapted to the current Internet environment. The ACT system, however, uses several security systems in their present state. Consequently, there is no need to change the network nodes themselves.

4.3.3 High Possibility of Traceback Success

As mentioned before, the ACT system can trace back even if some middle systems are compromised. Even if there are no ACT systems in some networks, the traceback can still succeed if there is an ACT system in the network containing the hacker's system. Consequently, the possibility of a successful traceback is higher than with other traceback techniques, although it is impossible to construct the whole path and to find all the middle systems if some networks have no ACT system.

4.3.4 Can Trace Back an Encrypted Connection

If every connection is encrypted, the traceback is impossible. However, if the last connection, between the hacker's system and the next host, is not encrypted and there is an ACT system there, then the hacker's real position can be found. Basically, this is the same property as was mentioned in the previous paragraph.

5 Conclusion

Because general security products cannot limit or prevent hacking itself, active hacking protection techniques are urgently required. To develop active hacking protection techniques, researchers have explored active security products and have found that the traceback system is the most needed; consequently, their research has focused on the traceback system. Until now, however, the proposed traceback systems cannot be adapted to the current Internet environment because of the diversity and anonymity of the Internet. Therefore, this paper proposes a network-based connection traceback system that is adaptable to the Internet: the ACT system, which uses the packet watermark technique. The ACT system inserts a watermark into the reply packets created in response to an intrusion by a hacker, and these packets are sent to the hacker. The watermark is inserted into the data field of the packet and eventually arrives at the hacker's system. While the packet containing the watermark is in transit, another ACT system or Watermark Detection System detects the watermark and sends information about it to the original ACT system that inserted the watermark. The ACT system that activated the traceback receives this information from the other ACT systems and, by combining it, constructs the whole path from the victim to the hacker's system. This mechanism is simple and clear, and it does not require changing or modifying network nodes such as routers or firewalls. Because of this property, the ACT system can be applied to the current Internet environment. There are several advantages: first, the ACT system can be adapted to the current Internet environment; second, the ACT system can find the real hacker's location even if some middle systems are compromised, because it does not use system log files to trace back; and third, if the last connection between the hacker's system and the next system is not encrypted, there is a possibility that the traceback will succeed. Hopefully this ACT system can be helpful to security worldwide and provide protection against intrusions and hacking.

References:

[1] CERT/CC, Incident Statistics.
[2] Buchholz, Thomas E. Daniels, Benjamin Kuperman, Clay Shields, "Packet Tracker Final Report", CERIAS Technical Report, Purdue University, 2000.
[3] Chaeho Lim, "Semi-Auto Intruder Retracing Using Autonomous Intrusion Analysis Agent", FIRST Conference on Computer Security Incident Handling & Response 1999, 1999.
[4] X. Wang, D. Reeves, S. F. Wu, and J. Yuill, "Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework", Proceedings of IFIP Conference on Security, Mar.
[5] H. T. Jung et al., "Caller Identification System in the Internet Environment", Proceedings of the 4th USENIX Security Symposium.
[6] Heejin Jang and Sangwook Kim, "A Self Extension Monitoring for Security Management", 16th Annual Computer Security Applications Conference, Dec. 2000, New Orleans, Louisiana.

[7] S. Staniford-Chen and L. T. Heberlein, "Holding Intruders Accountable on the Internet", Proceedings of the 1995 IEEE Symposium on Security and Privacy.
[8] Y. Zhang and V. Paxson, "Detecting Stepping Stones", Proceedings of the 9th USENIX Security Symposium, August.
[9] K. Yoda and H. Etoh, "Finding a Connection Chain for Tracing Intruders", in F. Cuppens, Y. Deswarte, D. Gollmann, and M. Waidner, editors, 6th European Symposium on Research in Computer Security (ESORICS 2000), LNCS 1985, Toulouse, France, Oct.
[10] S. Snapp et al., "DIDS (Distributed Intrusion Detection System) - Motivation, Architecture, and An Early Prototype", Proceedings of the 14th National Computer Security Conference.
[11] D. Wetherall, J. Guttag and D. Tennenhouse, "ANTS: A Toolkit for Building and Dynamically Deploying Network Protocols", Proceedings of IEEE OPENARCH 1998, April 1998.


More information

Detecting Intrusion Attacks Caused By Stepping Stones in Interactive Networks

Detecting Intrusion Attacks Caused By Stepping Stones in Interactive Networks Detecting Intrusion Attacks Caused By Stepping Stones in Interactive Networks M. Shirine Banu 1, C. Rajanandhini 2 Periyar Maniammai University, Vallam. Tamilnadu, India. Email: shirine29@gmail.com Abstract:

More information

2. INTRUDER DETECTION SYSTEMS

2. INTRUDER DETECTION SYSTEMS 1. INTRODUCTION It is apparent that information technology is the backbone of many organizations, small or big. Since they depend on information technology to drive their business forward, issues regarding

More information

ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS

ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS Saulius Grusnys, Ingrida Lagzdinyte Kaunas University of Technology, Department of Computer Networks, Studentu 50,

More information

An Authentication Based Source Address Spoofing Prevention Method Deployed in IPv6 Edge Network

An Authentication Based Source Address Spoofing Prevention Method Deployed in IPv6 Edge Network An Authentication Based Source Address Spoofing Prevention Method Deployed in IPv6 Edge Network Lizhong Xie, Jun Bi, and Jianpin Wu Network Research Center, Tsinghua University, Beijing, 100084, China

More information

Virtual Dispersive Networking Spread Spectrum IP

Virtual Dispersive Networking Spread Spectrum IP Virtual Dispersive Networking Spread Spectrum IP DSI Proprietary 1 DSI Proprietary 2 Problem Lies Outside of Existing Security: On the Internet Internet Routers Virus Software Phishing Software etc POLICY

More information

Multivariate Correlation Analysis based detection of DOS with Tracebacking

Multivariate Correlation Analysis based detection of DOS with Tracebacking 1 Multivariate Correlation Analysis based detection of DOS with Tracebacking Jasheeda P Student Department of CSE Kathir College of Engineering Coimbatore jashi108@gmail.com T.K.P.Rajagopal Associate Professor

More information

Introduction and Statement of the Problem

Introduction and Statement of the Problem Chapter 1 Introduction and Statement of the Problem 1.1 Introduction Unlike conventional cellular wireless mobile networks that rely on centralized infrastructure to support mobility. An Adhoc network

More information

Network Traffic Anomaly Detection based on Ratio and Volume Analysis

Network Traffic Anomaly Detection based on Ratio and Volume Analysis 190 Network Traffic Anomaly Detection based on Ratio and Volume Analysis Hyun Joo Kim, Jung C. Na, Jong S. Jang Active Security Technology Research Team Network Security Department Information Security

More information

Intrusion Detection Systems (IDS)

Intrusion Detection Systems (IDS) Intrusion Detection Systems (IDS) Presented by Erland Jonsson Department of Computer Science and Engineering Intruders & Attacks Cyber criminals Activists State-sponsored organizations Advanced Persistent

More information

DDOS Attack Prevention Technique in Cloud

DDOS Attack Prevention Technique in Cloud DDOS Attack Prevention Technique in Cloud Priyanka Dembla, Chander Diwaker CSE Department, U.I.E.T Kurukshetra University Kurukshetra, Haryana, India Email: priyankadembla05@gmail.com Abstract Cloud computing

More information

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. R (2) N (5) Oral (3) Total (10) Dated Sign Experiment No: 1 Problem Definition: Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. 1.1 Prerequisite:

More information

Correlation Based Approach with a Sliding Window Model to Detect and Mitigate Ddos Attacks

Correlation Based Approach with a Sliding Window Model to Detect and Mitigate Ddos Attacks Journal of Computer Science Original Research Paper Correlation Based Approach with a Sliding Window Model to Detect and Mitigate Ddos Attacks 1 Ayyamuthukumar, D. and 2 S. Karthik 1 Department of CSE,

More information

PrecisionAccess Trusted Access Control

PrecisionAccess Trusted Access Control Data Sheet PrecisionAccess Trusted Access Control Defeats Cyber Attacks Credential Theft: Integrated MFA defeats credential theft. Server Exploitation: Server isolation defeats server exploitation. Compromised

More information

(Submit to Bright Internet Global Summit - BIGS)

(Submit to Bright Internet Global Summit - BIGS) Reviewing Technological Solutions of Source Address Validation (Submit to Bright Internet Global Summit - BIGS) Jongbok Byun 1 Business School, Sungkyunkwan University Seoul, Korea Christopher P. Paolini

More information

Protecting Network Quality of Service Against Denial of Service Attacks

Protecting Network Quality of Service Against Denial of Service Attacks Protecting Network Quality of Service Against Denial of Service Attacks Douglas S. Reeves Peter Wurman NC State University S. Felix Wu U.C. Davis Dan Stevenson Xiaoyong Wu MCNC DARPA FTN PI Meeting January

More information

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n CYBETBIT in a Nutshell A leader in the development and integration of Cyber Security Solutions A main provider of Cyber Security solutions for the

More information

Denial of Service (DoS)

Denial of Service (DoS) Flood Denial of Service (DoS) Comp Sci 3600 Security Outline Flood 1 2 3 4 5 Flood 6 7 8 Denial-of-Service (DoS) Attack Flood The NIST Computer Security Incident Handling Guide defines a DoS attack as:

More information

DoS Attacks. Network Traceback. The Ultimate Goal. The Ultimate Goal. Overview of Traceback Ideas. Easy to launch. Hard to trace.

DoS Attacks. Network Traceback. The Ultimate Goal. The Ultimate Goal. Overview of Traceback Ideas. Easy to launch. Hard to trace. DoS Attacks Network Traceback Eric Stone Easy to launch Hard to trace Zombie machines Fake header info The Ultimate Goal Stopping attacks at the source To stop an attack at its source, you need to know

More information

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government

More information

The FootFall Project Tracing Attacks Through Non-Cooperative Networks and Stepping Stones with Timing-Based Watermarking

The FootFall Project Tracing Attacks Through Non-Cooperative Networks and Stepping Stones with Timing-Based Watermarking Computer Science The FootFall Project Tracing Attacks Through Non-Cooperative Networks and Stepping Stones with Timing-Based Watermarking Douglas Reeves Peng Ning N.C. State University Xinyuan Wang The

More information

BUILDING A NEXT-GENERATION FIREWALL

BUILDING A NEXT-GENERATION FIREWALL How to Add Network Intelligence, Security, and Speed While Getting to Market Faster INNOVATORS START HERE. EXECUTIVE SUMMARY Your clients are on the front line of cyberspace and they need your help. Faced

More information

Wireless Network Security Fundamentals and Technologies

Wireless Network Security Fundamentals and Technologies Wireless Network Security Fundamentals and Technologies Rakesh V S 1, Ganesh D R 2, Rajesh Kumar S 3, Puspanathan G 4 1,2,3,4 Department of Computer Science and Engineering, Cambridge Institute of Technology

More information

Towards Intelligent Fuzzy Agents to Dynamically Control the Resources Allocations for a Network under Denial of Service Attacks

Towards Intelligent Fuzzy Agents to Dynamically Control the Resources Allocations for a Network under Denial of Service Attacks Towards Intelligent Fuzzy Agents to Dynamically Control the Resources Allocations for a Network under Denial of Service Attacks N S ABOUZAKHAR, A GANI, E SANCHEZ, G MANSON The Centre for Mobile Communications

More information

A Lightweight IP Traceback Mechanism on IPv6

A Lightweight IP Traceback Mechanism on IPv6 A Lightweight IP Traceback Mechanism on IPv6 Syed Obaid Amin, Myung Soo Kang, and Choong Seon Hong School of Electronics and Information, Kyung Hee University, 1 Seocheon, Giheung, Yongin, Gyeonggi, 449-701

More information

Virtual CMS Honey pot capturing threats In web applications 1 BADI ALEKHYA, ASSITANT PROFESSOR, DEPT OF CSE, T.J.S ENGINEERING COLLEGE

Virtual CMS Honey pot capturing threats In web applications 1 BADI ALEKHYA, ASSITANT PROFESSOR, DEPT OF CSE, T.J.S ENGINEERING COLLEGE International Journal of Scientific & Engineering Research, Volume 4, Issue 4, April-2013 1492 Virtual CMS Honey pot capturing threats In web applications 1 BADI ALEKHYA, ASSITANT PROFESSOR, DEPT OF CSE,

More information

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004 Denial of Service Serguei A. Mokhov SOEN321 - Fall 2004 Contents DOS overview Distributed DOS Defending against DDOS egress filtering References Goal of an Attacker Reduce of an availability of a system

More information

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003 Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003 A system or combination of systems that enforces a boundary between two or more networks - NCSA

More information

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

White Paper. Why IDS Can t Adequately Protect Your IoT Devices White Paper Why IDS Can t Adequately Protect Your IoT Devices Introduction As a key component in information technology security, Intrusion Detection Systems (IDS) monitor networks for suspicious activity

More information

Mapping Internet Sensors with Probe Response Attacks

Mapping Internet Sensors with Probe Response Attacks Mapping Internet Sensors with Probe Response Attacks John Bethencourt, Jason Franklin, and Mary Vernon {bethenco, jfrankli, vernon}@cs.wisc.edu Computer Sciences Department University of Wisconsin, Madison

More information

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics: Network Forensics: Network OS Fingerprinting Prefix Hijacking Analysis Scott Hand September 30 th, 2011 Outline 1 Network Forensics Introduction OS Fingerprinting 2 Prefix Hijacking Theory BGP Background

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update

More information

ECE 697J Advanced Topics in Computer Networks

ECE 697J Advanced Topics in Computer Networks ECE 697J Advanced Topics in Computer Networks Network Measurement 12/02/03 Tilman Wolf 1 Overview Lab 3 requires performance measurement Throughput Collecting of packet headers Network Measurement Active

More information

Experience with SPM in IPv6

Experience with SPM in IPv6 Experience with SPM in IPv6 Mingjiang Ye, Jianping Wu, and Miao Zhang Department of Computer Science, Tsinghua University, Beijing, 100084, P.R. China yemingjiang@csnet1.cs.tsinghua.edu.cn {zm,jianping}@cernet.edu.cn

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level 1.1 Utilize an Active Discovery Tool 1.2 Use a Passive Asset Discovery Tool 1.3 Use DHCP Logging to Update Asset Inventory 1.4 Maintain Detailed Asset Inventory 1.5 Maintain Asset Inventory Information

More information

Mapping Internet Sensors with Probe Response Attacks

Mapping Internet Sensors with Probe Response Attacks Mapping Internet Sensors with Probe Response Attacks Computer Sciences Department University of Wisconsin, Madison Introduction Outline Background Example Attack Introduction to the Attack Basic Probe

More information

TO DETECT AND RECOVER THE AUTHORIZED CLI- ENT BY USING ADAPTIVE ALGORITHM

TO DETECT AND RECOVER THE AUTHORIZED CLI- ENT BY USING ADAPTIVE ALGORITHM TO DETECT AND RECOVER THE AUTHORIZED CLI- ENT BY USING ADAPTIVE ALGORITHM Anburaj. S 1, Kavitha. M 2 1,2 Department of Information Technology, SRM University, Kancheepuram, India. anburaj88@gmail.com,

More information

Intrusion Detection Systems (IDS)

Intrusion Detection Systems (IDS) Intrusion Detection Systems (IDS) Presented by Erland Jonsson Department of Computer Science and Engineering Contents Motivation and basics (Why and what?) IDS types and detection principles Key Data Problems

More information

A New Logging-based IP Traceback Approach using Data Mining Techniques

A New Logging-based IP Traceback Approach using Data Mining Techniques using Data Mining Techniques Internet & Multimedia Engineering, Konkuk University, Seoul, Republic of Korea hsriverv@gmail.com, kimsr@konuk.ac.kr Abstract IP Traceback is a way to search for sources of

More information

NETWORK THREATS DEMAN

NETWORK THREATS DEMAN SELF-DEFENDING NETWORK NETWORK THREATS DEMAN NEW SECURITY: STRATEGIES TECHNOLOGIES Self-Propagating Threats A combination of: self propagating threats Collaborative applications Interconnected environments

More information

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis Intrusion Detection Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 22-1 1. Intruders 2. Intrusion

More information

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting

More information

Networking interview questions

Networking interview questions Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected

More information

A Collaborative Network Security Management System in Metropolitan Area Network

A Collaborative Network Security Management System in Metropolitan Area Network 211 Third International Conference on Communications and Mobile Computing A Collaborative Network Security Management System in Metropolitan Area Network Beipeng Mu and Xinming Chen Department of Automation

More information

IP TRACEBACK Scenarios. By Tenali. Naga Mani & Jyosyula. Bala Savitha CSE Gudlavalleru Engineering College. GJCST-E Classification : C.2.

IP TRACEBACK Scenarios. By Tenali. Naga Mani & Jyosyula. Bala Savitha CSE Gudlavalleru Engineering College. GJCST-E Classification : C.2. Global Journal of Computer Science and Technology Network, Web & Security Volume 13 Issue 3 Version 1.0 Year 2013 Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals

More information

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content Intrusion Detection INFO404 - Lecture 13 21.04.2009 nfoukia@infoscience.otago.ac.nz Content Definition Network vs. Host IDS Misuse vs. Behavior Based IDS Means for Intrusion Detection Definitions (1) Intrusion:

More information

(2½ hours) Total Marks: 75

(2½ hours) Total Marks: 75 (2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.

More information

The Protocols that run the Internet

The Protocols that run the Internet The Protocols that run the Internet Attack types in the Internet Seminarvortrag Sommersemester 2003 Jens Gerken Content Internet Attacks Introduction Network Service Attacks Distributed Denial of Service

More information

Introduction to Computer Security

Introduction to Computer Security Introduction to Computer Security Instructor: Mahadevan Gomathisankaran mgomathi@unt.edu CSCE 4550/5550, Fall 2009 Lecture 10 1 Announcements Project Group Due today Attendance Mandatory Ave. 85% ( 4 absentees

More information

ANATOMY OF AN ATTACK!

ANATOMY OF AN ATTACK! ANATOMY OF AN ATTACK! Are Your Crown Jewels Safe? Dom Kapac, Security Evangelist WHAT DO WE MEAN BY CROWN JEWELS? Crown jewels for most organizations are critical infrastructure and data Data is a valuable

More information

Forensic Analysis for Epidemic Attacks in Federated Networks

Forensic Analysis for Epidemic Attacks in Federated Networks Forensic Analysis for Epidemic Attacks in Federated Networks Yinglian Xie, Vyas Sekar, Michael K. Reiter, Hui Zhang Carnegie Mellon University Presented by Gaurav Shah (Based on slides by Yinglian Xie

More information

Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback. Basheer Al-Duwairi, Member, IEEE, and G. Manimaran, Member, IEEE

Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback. Basheer Al-Duwairi, Member, IEEE, and G. Manimaran, Member, IEEE 1 Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback Basheer Al-Duwairi, Member, IEEE, and G. Manimaran, Member, IEEE Abstract Tracing DoS attacks that employ source address spoofing

More information

A Rule-Based Intrusion Alert Correlation System for Integrated Security Management *

A Rule-Based Intrusion Alert Correlation System for Integrated Security Management * A Rule-Based Intrusion Correlation System for Integrated Security Management * Seong-Ho Lee 1, Hyung-Hyo Lee 2, and Bong-Nam Noh 1 1 Department of Computer Science, Chonnam National University, Gwangju,

More information

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference Benefits to the Stakeholders A Collaborative and Win-Win Strategy Lal Dias Chief Executive Officer Sri Lanka CERT CC Cyber attacks

More information

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art 2015 IEEE 2015 International Conference on Computer, Communication, and Control Technology (I4CT 2015), April 21-23 in Imperial Kuching Hotel, Kuching, Sarawak, Malaysia A Review on ICMPv6 Vulnerabilities

More information

Network Defenses 21 JANUARY KAMI VANIEA 1

Network Defenses 21 JANUARY KAMI VANIEA 1 Network Defenses KAMI VANIEA 21 JANUARY KAMI VANIEA 1 First, the news The Great Cannon of China https://citizenlab.org/2015/04/chinas-great-cannon/ KAMI VANIEA 2 Today Open System Interconnect (OSI) model

More information

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access

More information

CSC Network Security

CSC Network Security CSC 474 -- Security Topic 9. Firewalls CSC 474 Dr. Peng Ning 1 Outline Overview of Firewalls Filtering Firewalls Proxy Servers CSC 474 Dr. Peng Ning 2 Overview of Firewalls CSC 474 Dr. Peng Ning 3 1 Internet

More information

A Study on Intrusion Detection Techniques in a TCP/IP Environment

A Study on Intrusion Detection Techniques in a TCP/IP Environment A Study on Intrusion Detection Techniques in a TCP/IP Environment C. A. Voglis and S. A. Paschos Department of Computer Science University of Ioannina GREECE Abstract: The TCP/IP protocol suite is the

More information

BOR3307: Intro to Cybersecurity

BOR3307: Intro to Cybersecurity Key Terms for lesson 4 are listed below: It is important that you maintain a copy of these key terms handy as you take this course and complete the readings. Working from a standard lexicon will keep you

More information

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8 Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 8 System Vulnerabilities and Denial of Service Attacks System Vulnerabilities and

More information

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access

More information

Anonymous Connections and Onion Routing

Anonymous Connections and Onion Routing Anonymous Connections and Onion Routing David Goldschlag, Michael Reed, and Paul Syverson Center for High Assurance Computer Systems Naval Research Laboratory Washington, D.C. 1 Who is Talking to Whom?

More information

Computer Based Image Algorithm For Wireless Sensor Networks To Prevent Hotspot Locating Attack

Computer Based Image Algorithm For Wireless Sensor Networks To Prevent Hotspot Locating Attack Computer Based Image Algorithm For Wireless Sensor Networks To Prevent Hotspot Locating Attack J.Anbu selvan 1, P.Bharat 2, S.Mathiyalagan 3 J.Anand 4 1, 2, 3, 4 PG Scholar, BIT, Sathyamangalam ABSTRACT:

More information

Detecting and Preventing Network Address Spoofing

Detecting and Preventing Network Address Spoofing Detecting and Preventing Network Address Spoofing Hamza A. Olwan 1, Mohammed A. Babiker 2 and Mohammed E. Hago 3 University of Khartoum, Sudan olwan777@gmail.com 1, moh_teg821@hotmail.com 2 and melzain88@gmail.com

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based

More information

Achieving End-to-End Security in the Internet of Things (IoT)

Achieving End-to-End Security in the Internet of Things (IoT) Achieving End-to-End Security in the Internet of Things (IoT) Optimize Your IoT Services with Carrier-Grade Cellular IoT June 2016 Achieving End-to-End Security in the Internet of Things (IoT) Table of

More information

The Reconnaissance Phase

The Reconnaissance Phase The Reconnaissance Phase Detecting the Enemy Before the Attack Carrie Gates PhD Candidate, Dalhousie University Visiting Scientist, CERT, Carnegie Mellon University Outline! Indicate a gap in our defences!

More information

Robust TCP Stream Reassembly In the Presence of Adversaries

Robust TCP Stream Reassembly In the Presence of Adversaries Robust TCP Stream Reassembly In the Presence of Adversaries Sarang Dharmapurikar and Vern Paxson Washington Univ. UC Berkeley Usenix Security 2005 Presented by N. Sertac Artan Motivation TCP Reassembly

More information

RETRIEVAL OF DATA IN DDoS ATTACKS BY TRACKING ATTACKERS USING NODE OPTIMIZATION TECHNIQUE

RETRIEVAL OF DATA IN DDoS ATTACKS BY TRACKING ATTACKERS USING NODE OPTIMIZATION TECHNIQUE RETRIEVAL OF DATA IN DDoS ATTACKS BY TRACKING ATTACKERS USING NODE OPTIMIZATION TECHNIQUE G.Sindhu AP/CSE Kalaivanicollege of technology *Mail-id:sindhugnsn24@gmail.com ABSTRACT: attempt derives from a

More information

Reliable Broadcast Message Authentication in Wireless Sensor Networks

Reliable Broadcast Message Authentication in Wireless Sensor Networks Reliable Broadcast Message Authentication in Wireless Sensor Networks Taketsugu Yao, Shigeru Fukunaga, and Toshihisa Nakai Ubiquitous System Laboratories, Corporate Research & Development Center, Oki Electric

More information

A proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing

A proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing A proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing Yuki Katsurai *, Yoshitaka Nakamura **, and Osamu Takahashi ** * Graduate School

More information

Chapter 7. Denial of Service Attacks

Chapter 7. Denial of Service Attacks Chapter 7 Denial of Service Attacks DoS attack: An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU),

More information

CHAPTER 8 FIREWALLS. Firewall Design Principles

CHAPTER 8 FIREWALLS. Firewall Design Principles CHAPTER 8 FIREWALLS Firewalls can be an effective means of protecting a local system or network of systems from network-based security threats while at the same time affording access to the outside world

More information

Security and Privacy in RFID Evolving Application Spaces for Edge Security

Security and Privacy in RFID Evolving Application Spaces for Edge Security 1 Security and Privacy in RFID Evolving Application Spaces for Edge Security Chris Hanebeck, VP Product Management & Marketing Revere Security First, Allow Me to Scare Everyone And It Gets Worse Lockheed

More information

INTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK

INTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK INTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK Abinesh Kamal K. U. and Shiju Sathyadevan Amrita Center for Cyber Security Systems and Networks, Amrita School of Engineering, Amritapuri, Amrita Vishwa

More information

Internet of Things (IoT) Attacks. The Internet of Things (IoT) is based off a larger concept; the Internet of Things came

Internet of Things (IoT) Attacks. The Internet of Things (IoT) is based off a larger concept; the Internet of Things came Victoria Ellsworth Dr. Ping Li ICTN 4040 04/11/17 Internet of Things (IoT) Attacks The Internet of Things (IoT) is based off a larger concept; the Internet of Things came from idea of the Internet of Everything.

More information

CERIAS Tech Report

CERIAS Tech Report CERIAS Tech Report 2004-36 THE SESSION TOKEN PROTOCOL FOR FORENSICS AND TRACEBACK by Brian Carrier and Clay Shields Center for Education and Research in Information Assurance and Security, Purdue University,

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Intrusion Detection Systems Intrusion Actions aimed at compromising the security of the target (confidentiality, integrity, availability of computing/networking

More information

An Efficient and Practical Defense Method Against DDoS Attack at the Source-End

An Efficient and Practical Defense Method Against DDoS Attack at the Source-End An Efficient and Practical Defense Method Against DDoS Attack at the Source-End Yanxiang He Wei Chen Bin Xiao Wenling Peng Computer School, The State Key Lab of Software Engineering Wuhan University, Wuhan

More information

Comparative Evaluation of Probabilistic and Deterministic Tag Anti-collision Protocols for RFID Networks

Comparative Evaluation of Probabilistic and Deterministic Tag Anti-collision Protocols for RFID Networks Comparative Evaluation of Probabilistic and Deterministic Tag Anti-collision Protocols for RFID Networks Jihoon Choi and Wonjun Lee Division of Computer and Communication Engineering College of Information

More information

E-Commerce. Infrastructure I: Computer Networks

E-Commerce. Infrastructure I: Computer Networks E-Commerce Infrastructure I: Computer Networks Almost all computers today are networked or part of a distributed system. I will provide an overview of networking and a basic description of network technology.

More information

Identifying Spoofed Packets Origin using Hop Count Filtering and Defence Mechanisms against Spoofing Attacks

Identifying Spoofed Packets Origin using Hop Count Filtering and Defence Mechanisms against Spoofing Attacks Identifying Spoofed Packets Origin using Hop Count Filtering and Defence Mechanisms against Spoofing Attacks Israel Umana 1, Sornalakshmi Krishnan 2 1 M.Tech Student, Information Security and Cyber Forensic,

More information

Basic Concepts in Intrusion Detection

Basic Concepts in Intrusion Detection Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ Outline 2 Introduction Classification

More information