Towards Loop-Free Forwarding of Anonymous Internet Datagrams that Enforce Provenance

J.J. Garcia-Luna-Aceves (1, 2)
1 Department of Computer Engineering, University of California, Santa Cruz, CA 95064
2 Palo Alto Research Center, Palo Alto, CA 94304
Email: [email protected]

arXiv:1612.05998v1 [cs.NI] 18 Dec 2016

Abstract—The way in which addressing and forwarding are implemented in the Internet constitutes one of its biggest privacy and security challenges. The fact that source addresses in Internet datagrams cannot be trusted makes the IP Internet inherently vulnerable to DoS and DDoS attacks. The Internet forwarding plane is open to attacks on the privacy of datagram sources, because source addresses in Internet datagrams have global scope. The fact that Internet datagrams are forwarded based solely on the destination addresses stated in datagram headers and the next hops stored in the forwarding information bases (FIB) of relaying routers allows Internet datagrams to traverse loops, which wastes resources and leaves the Internet open to further attacks. We introduce PEAR (Provenance Enforcement through Addressing and Routing), a new approach for addressing and forwarding of Internet datagrams that enables anonymous forwarding of Internet datagrams, eliminates many of the existing DDoS attacks on the IP Internet, and prevents Internet datagrams from looping, even in the presence of routing-table loops.

I. INTRODUCTION

One of the biggest challenges facing the future of the Internet is that its vulnerabilities to DoS and DDoS attacks are inherent in the algorithms used in the Internet to: (a) assign addresses to hosts, routers, and devices; (b) include source addresses in Internet datagrams; (c) map addresses to routes; (d) bind names to locations in the Internet; and (e) forward Internet datagrams.

In theory, the goal of assigning Internet Protocol (IP) addresses to entities and including the source and destination IP address in each datagram is to have system-friendly identifiers that: state the origin and destination of Internet datagrams based on topological locations where content, services, or devices are made available; and can be matched efficiently against stored information by routers and end systems. However, an IP address simply denotes the point of attachment of a host or router to a network with a given IP address range, without any topological information other than the aggregation of IP addresses. Furthermore, IP addresses are assigned to entities independently of the establishment of routes to services, content, devices, groups, or any entity in general. As a result, routing protocols (e.g., OSPF, BGP) and directory services (e.g., DNS) map names used to denote entities (e.g., domain names) to names that denote points of attachment to networks (IP addresses). In addition to this, the Internet surrenders any control of the allocation of source IP addresses to Internet datagrams, because the origin of an Internet datagram specifies the source address of the datagram independently of any forwarding mechanism and end nodes are allowed to specify IP source addresses.

Because of the algorithms used to assign IP addresses to entities and write source addresses into Internet datagrams, the source address of an Internet datagram fails to convey its provenance correctly. The recipient of an Internet datagram is unable to authenticate the claimed IP address of the source of the datagram based solely on the basic operation of the forwarding plane of the IP Internet. The receivers of Internet datagrams are forced to use additional mechanisms and information to cope with the fact that a source address need not denote the valid provenance of an Internet datagram. Furthermore, these mechanisms are far more complex than the simple mechanism used by sources of Internet datagrams to state the origins of datagrams. In addition, IP addresses are globally unique and assigned on a long-term basis, which makes it easier for attackers to plan and mount attacks. This constitutes a major vulnerability to DDoS attacks in the current Internet architecture.

In addition to the above, a router forwards an Internet datagram to its next hop based solely on the destination address stated in the datagram and the next hop listed in its forwarding information base (FIB). This is a problem in the presence of routing-table loops, because it is possible for Internet datagrams to traverse loops. The only approach used today is to include a time-to-live (TTL) field in the datagram header that is decremented at each hop of the path traversed by the datagram, and to drop an Internet datagram after the TTL value reaches zero.

The contribution of this paper is to present a set of algorithms that we call PEAR (Provenance Enforcement through Addressing and Routing), which prevent Internet datagrams from traversing forwarding loops, make the identity of the origin of an Internet datagram anonymous to the rest of the Internet, and enforce the provenance of an Internet datagram.

Section II summarizes current defenses against DDoS flooding attacks. The main objective of this review of prior work is to point out that defending against large DDoS flooding attacks is virtually impossible without changing the basic algorithms used for the allocation of addresses to Internet datagrams, the mapping of addresses to routes and connections, and the protection of information carried in Internet datagrams. Currently, attackers spend far less energy and time mounting attacks than their targets spend defending against them.

Section III introduces a simple approach to ensure that Internet datagrams never loop, even when routing tables contain long-term or short-term routing-table loops. The approach operates by having the FIB entry for an address prefix state the next hop and the hop-count distance to the prefix, and by using the TTL field of a datagram to enforce an ordering constraint ensuring that a router can forward a datagram only to a next hop that is strictly closer to the intended destination.

Section IV introduces a receiver-initiated address allocation algorithm, a simple address swapping function, and an on-demand routing algorithm operating in the data plane, which together ensure that the origins of Internet datagrams remain anonymous to any routers processing the datagram, and that anonymous sources of datagrams can receive traffic from public destinations over the reverse paths traveled by their anonymous datagrams.

II. CURRENT DEFENSES AGAINST DDOS ATTACKS

The methods used to launch DDoS attacks today consist of: (a) sending malformed packets to the victims to confuse protocols or applications; (b) disrupting the connectivity of legitimate users by exhausting bandwidth, router processing capacity, or network resources; and (c) disrupting services to legitimate users by exhausting the resources of servers (sockets, CPU, memory, or I/O bandwidth). We address DDoS flooding attacks aimed at disrupting the connectivity and services offered to legitimate users. Four types of defenses against these attacks have been proposed to date [3], [12], [26], [30], [37]: attack prevention, which aims at stopping attacks before they reach their targets; attack detection, which attempts to identify the existence of attacks when they occur; attack source identification, which tries to locate the source of the attack independently of the information contained in packets used in the attack; and attack reaction, which aims at eliminating or minimizing the impact of attacks.

The attack prevention approaches proposed to date focus on routers filtering IP datagrams with spoofed source IP addresses (e.g., [5], [13], [18], [22], [25], [28]), or routers adding provenance information to IP datagrams. The limitations of existing packet-filtering approaches are that: (a) existing filters provide

in an attempt to detect flow anomalies. The key limitation of defense approaches based on detection is that they must rely on a number of assumptions regarding the behavior of legitimate users, and attackers can adopt countermeasures to evade detection. Some DoS attacks can be detected, given that only a few computer systems are attackers and compromised systems must behave differently than benign users to exhaust the resources of their targets. However, the problem is far more difficult for DDoS attacks, which involve many compromised hosts that can mimic legitimate users and need not change the normal pattern of protocol traffic to be effective.

Prior approaches for the identification of attack sources have focused on tracing the origins of attacks by explicit signaling or marking datagrams with the paths they traverse (e.g., [9], [31], [33], [34], [35], [41], [42]). Some path marking techniques have also been combined with filtering. The main limitations of these approaches include that: it may be difficult to infer the attack paths in large DDoS attacks; some approaches can consume considerable storage, processing, and communication overhead; some path markings are not entirely unique; and tracebacks and markings become useful only after the attacks have consumed network resources and have reached their targets. Similarly, prior approaches aimed at filtering Internet datagrams with spoofed IP addresses are only partially effective, because they change router behavior to enact filtering without changing the way in which IP source addresses are assigned to Internet datagrams [5], [13], [18], [22], [25], [28], or the fact that datagram forwarding is independent of the distances to address prefixes stated in routing tables.

Approaches that introduce additional information to denote the provenance of a datagram are difficult to implement and cannot be deployed at Internet scale, because they require public key infrastructure (PKI) support. For example, HIP [27] requires a PKI that is globally deployed to prevent attackers from simply minting unlimited numbers of host identifiers used in HIP. AIP [4], on the other hand, assumes a flat addressing space that cannot be applied at Internet scale, is vulnerable to malicious hosts creating unlimited numbers of EIDs, and does not offer an efficient way of recovering from compromised private keys corresponding to the AIP addresses of hosts or accountability domains.
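The loop-free forwarding idea summarized for Section III (a FIB entry carrying both the next hop and the hop-count distance to the prefix, and the TTL field used to enforce that each forwarding step moves strictly closer to the destination) can be illustrated with a small simulation. The code below is an added example, not code from the paper; the topology, the router names and the prefix are constructed, and the specific TTL encoding is an assumption made for illustration, not the paper's exact rule: a router forwards only when its own FIB distance is strictly smaller than the TTL the datagram arrived with, and overwrites the TTL with that distance before forwarding. Conventional destination-based forwarding is simulated alongside it so the two behaviours can be compared on the same routing-table loop.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FibEntry:
    """FIB entry in the style described for PEAR: next hop plus hop-count distance."""
    next_hop: Optional[str]   # None when the prefix is directly attached
    distance: int             # hop-count distance to the prefix (0 = local)


Fib = Dict[str, Dict[str, FibEntry]]   # router -> prefix -> entry

# Constructed FIBs (assumption, not from the paper): routers A, B, C hold stale
# entries for prefix P that form a routing-table loop A -> B -> C -> A.
LOOPED_FIBS: Fib = {
    "A": {"P": FibEntry("B", 3)},
    "B": {"P": FibEntry("C", 2)},
    "C": {"P": FibEntry("A", 1)},
}

# Constructed consistent FIBs: distances strictly decrease towards D, which has
# prefix P directly attached.
CONSISTENT_FIBS: Fib = {
    "A": {"P": FibEntry("B", 3)},
    "B": {"P": FibEntry("C", 2)},
    "C": {"P": FibEntry("D", 1)},
    "D": {"P": FibEntry(None, 0)},
}


def forward_plain(fibs: Fib, start: str, prefix: str, ttl: int) -> Tuple[str, List[str]]:
    """Conventional IP forwarding: follow next hops, decrement TTL by one per hop.

    Returns (outcome, list of routers that handled the datagram, in order).
    """
    path: List[str] = []
    router = start
    while True:
        path.append(router)
        entry = fibs.get(router, {}).get(prefix)
        if entry is None:
            return ("dropped: no route", path)
        if entry.distance == 0:
            return ("delivered", path)
        ttl -= 1
        if ttl == 0:
            return ("dropped: TTL expired", path)
        router = entry.next_hop


def forward_ordered(fibs: Fib, start: str, prefix: str, ttl: int) -> Tuple[str, List[str]]:
    """Forwarding under the distance-ordering constraint (assumed TTL encoding).

    A router forwards only if its FIB distance to the prefix is strictly smaller
    than the TTL the datagram arrived with, and it stores that distance in the
    TTL before forwarding. The TTL therefore strictly decreases at every hop, so
    no router can handle the same datagram twice regardless of what the FIBs say.
    """
    path: List[str] = []
    router = start
    while True:
        path.append(router)
        entry = fibs.get(router, {}).get(prefix)
        if entry is None:
            return ("dropped: no route", path)
        if entry.distance == 0:
            return ("delivered", path)
        if entry.distance >= ttl:
            # Not strictly closer than the previous hop: the datagram would be
            # moving sideways or backwards, which is exactly a loop in progress.
            return ("dropped: ordering constraint", path)
        ttl = entry.distance
        router = entry.next_hop


if __name__ == "__main__":
    for name, fibs in (("looped", LOOPED_FIBS), ("consistent", CONSISTENT_FIBS)):
        for fn in (forward_plain, forward_ordered):
            outcome, path = fn(fibs, "A", "P", 64)
            print(f"{name:10} {fn.__name__:16} {outcome:28} hops={len(path) - 1}")
```

On the looped FIBs, conventional forwarding circulates the datagram until the TTL of 64 is exhausted (63 transmissions wasted), while the ordering check drops it the first time it returns to A, after three transmissions. On the consistent FIBs both variants deliver over the same path. The check also means the initial TTL must exceed the first router's distance to the prefix, otherwise a legitimate datagram is dropped at the first hop; that is the price of turning the TTL from a mere hop budget into an ordering witness.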