Thesis: Data-Link Layer Traceback in Ethernet Networks

Discussion in 'Information Technology' started by Quy Ẩn Giang Hồ, 27/4/12.

Abstract

The design of the most commonly used Internet and Local Area Network protocols provides no way of verifying that the sender of a packet is who it claims to be. Protocols and applications exist that provide authentication, but these are generally for special use cases.

A malicious host can easily launch an attack while pretending to be another host to avoid being discovered. At worst, the behavior may implicate a legitimate host, causing it and its user to be kicked off the network. A malicious host may further conceal its location by sending the attack packets from one or more remotely controlled hosts. Current research has provided techniques to support traceback, the process of determining the complete attack path from the victim back to the attack coordinator. Most of this research focuses on IP traceback, from the victim through the Internet to the edge of the network containing the attack packet source, and Stepping-Stone traceback, from source to the host controlling the attack. However, little research has been conducted on the problem of Data-Link Layer Traceback (DLT), the process of tracing frames from the network edge to the attack source, across what is usually a layer-2 network. We propose a scheme called Tagged-fRAme tracebaCK (TRACK) that provides a secure, reliable DLT technique for Ethernet networks. TRACK defines processes for Ethernet switches and a centralized storage and lookup host. As a frame enters a TRACK-enabled network, a tag is added indicating the switch and port on which the frame entered the network. This tag is collected at the network edge for later use in the traceback operation. An authentication method is defined to prevent unauthorized entities from generating or modifying tag data. Simulation results indicate that TRACK provides accurate DLT operation while causing minimal impact on network and application performance.
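How the three roles in the abstract fit together (ingress switch tags the frame, edge collector verifies and stores the tag, lookup host answers a traceback request), as an added Python sketch that is not the thesis's own code. The TBT field layout, the use of a truncated HMAC-SHA256 for the AUTH field, the shared key, and the class names are assumptions, since the page does not give the tag format.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Assumed TraceBack Tag layout (not from the thesis): switch id, ingress port,
# sequence number, and an 8-byte AUTH value computed over those fields plus a
# digest of the untagged frame, so a tag cannot be forged or moved to another frame.
TBT_FMT = "!HBI8s"
TBT_LEN = struct.calcsize(TBT_FMT)


def frame_digest(frame: bytes) -> bytes:
    """Digest of the untagged frame; the collector uses it as the lookup key."""
    return hashlib.sha256(frame).digest()[:16]


def _auth(key: bytes, switch_id: int, port: int, seq: int, digest: bytes) -> bytes:
    msg = struct.pack("!HBI", switch_id, port, seq) + digest
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class TrackFrameTagger:
    """Ingress-switch role: appends a TBT naming the switch and port a frame arrived on."""
    def __init__(self, switch_id: int, key: bytes):
        self.switch_id, self.key, self.seq = switch_id, key, 0

    def tag(self, frame: bytes, ingress_port: int) -> bytes:
        self.seq += 1
        auth = _auth(self.key, self.switch_id, ingress_port, self.seq, frame_digest(frame))
        return frame + struct.pack(TBT_FMT, self.switch_id, ingress_port, self.seq, auth)


class TrackCollector:
    """Collection/lookup role at the network edge: verify, strip and record tags."""
    def __init__(self, key: bytes):
        self.key, self.table = key, {}

    def collect(self, tagged: bytes) -> Optional[bytes]:
        frame, tbt = tagged[:-TBT_LEN], tagged[-TBT_LEN:]
        switch_id, port, seq, auth = struct.unpack(TBT_FMT, tbt)
        digest = frame_digest(frame)
        if not hmac.compare_digest(auth, _auth(self.key, switch_id, port, seq, digest)):
            return None  # forged or modified tag: record nothing
        self.table[digest] = (switch_id, port)
        return frame  # untagged frame continues toward the network edge router

    def traceback(self, frame: bytes):
        """Given a frame captured at the victim, return the (switch_id, port) it entered on."""
        return self.table.get(frame_digest(frame))
```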
Table of Contents

Table of Contents
List of Figures
List of Tables
Acronyms
Chapter 1: Introduction
1.1 Problem Description
1.2 Motivation
1.3 Contributions
1.4 Organization
Chapter 2: Background Information
2.1 Terminology
2.2 IEEE Ethernet Standards
2.2.1 IEEE 802.3
2.2.2 IEEE 802.1D
2.2.3 IEEE 802.1Q
2.2.4 IEEE 802.3ac
2.3 Simple Network Management Protocol (SNMP)
2.4 IP Traceback
2.4.1 Source Path Isolation Engine (SPIE)
2.5 Stepping-Stone Traceback
2.6 Data-Link Layer Traceback
2.6.1 A Layer-2 Extension to SPIE
Chapter 3: Network and Attacker Models
3.1 Network Model
3.2 Attacker Model
Chapter 4: Tagged-Frame Traceback (TRACK)
4.1 Protocol Architecture
4.1.1 TraceBack Tag (TBT) Format
4.1.2 TRACK Frame Tagger (TFT)
4.1.3 TRACK Analysis and Collection Host (TACH)
4.2 Protocol Operation
4.2.1 TFT Operation
4.2.2 TACH Tag Collection
4.2.3 TACH Traceback Request Processing
4.3 Protocol Security
4.3.1 AUTH Field Calculation and Verification
4.4 Implementation Considerations
4.4.1 TRACK Frame Tagger (TFT)
4.4.2 TRACK Analysis and Collection Host (TACH)
Chapter 5: Data-Layer Traceback Scheme Comparison
5.1 Traceback Accuracy
5.2 False Positives
Chapter 6: Simulation
6.1 TFT Module Implementation
6.2 Simulation Metrics
6.3 Ethernet Delay
6.4 MAC Relay Entity (MRE) Queue Length
6.5 Application Throughput
Chapter 7: Future Work
Chapter 8: Conclusions
Bibliography