International Telecommunication Union
ITU-T X-series Recommendations, Supplement 10 (01/2014)
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
ITU-T X.1205 Supplement on usability of network traceback

ITU-T X-SERIES RECOMMENDATIONS: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
PUBLIC DATA NETWORKS: X.1-X.199
OPEN SYSTEMS INTERCONNECTION: X.200-X.299
INTERWORKING BETWEEN NETWORKS: X.300-X.399
MESSAGE HANDLING SYSTEMS: X.400-X.499
DIRECTORY: X.500-X.599
OSI NETWORKING AND SYSTEM ASPECTS: X.600-X.699
OSI MANAGEMENT: X.700-X.799
SECURITY: X.800-X.849
OSI APPLICATIONS: X.850-X.899
OPEN DISTRIBUTED PROCESSING: X.900-X.999
INFORMATION AND NETWORK SECURITY
  General security aspects: X.1000-X.1029
  Network security: X.1030-X.1049
  Security management: X.1050-X.1069
  Telebiometrics: X.1080-X.1099
SECURE APPLICATIONS AND SERVICES
  Multicast security: X.1100-X.1109
  Home network security: X.1110-X.1119
  Mobile security: X.1120-X.1139
  Web security: X.1140-X.1149
  Security protocols: X.1150-X.1159
  Peer-to-peer security: X.1160-X.1169
  Networked ID security: X.1170-X.1179
  IPTV security: X.1180-X.1199
CYBERSPACE SECURITY
  Cybersecurity: X.1200-X.1229
  Countering spam: X.1230-X.1249
  Identity management: X.1250-X.1279
SECURE APPLICATIONS AND SERVICES
  Emergency communications: X.1300-X.1309
  Ubiquitous sensor network security: X.1310-X.1339
CYBERSECURITY INFORMATION EXCHANGE
  Overview of cybersecurity: X.1500-X.1519
  Vulnerability/state exchange: X.1520-X.1539
  Event/incident/heuristics exchange: X.1540-X.1549
  Exchange of policies: X.1550-X.1559
  Heuristics and information request: X.1560-X.1569
  Identification and discovery: X.1570-X.1579
  Assured exchange: X.1580-X.1589
CLOUD COMPUTING SECURITY
  Overview of cloud computing security: X.1600-X.1601
  Cloud computing security design: X.1602-X.1639
  Cloud computing security best practices and guidelines: X.1640-X.1659
  Cloud computing security implementation: X.1660-X.1679
  Other cloud computing security: X.1680-X.1699
For further details, please refer to the list of ITU-T Recommendations.

X series Supplement 10 (01/2014)

Supplement 10 to ITU-T X-series Recommendations
ITU-T X.1205 Supplement on usability of network traceback

Summary
Supplement 10 to the ITU-T X-series of Recommendations provides an overview of traceback for responsive measures to certain network issues within a single or a more
complex array of service providers. Traceback may assist in discovering ingress points, paths, partial paths or sources of problematic network events. This information may aid service providers in mitigating such events.

History
Edition 1.0: ITU-T X Suppl. 10, approved 2011-09-02, Study Group 17, Unique ID* 11.1002/1000/11341
Edition 2.0: ITU-T X Suppl. 10, approved 2014-01-24, Study Group 17, Unique ID* 11.1002/1000/12160
* To access the Recommendation, type the URL http://handle.itu.int/ in the address field of your web browser, followed by the Recommendation's unique ID. For example, http://handle.itu.int/11.1002/1000/11830-en.

FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.
The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.
The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.
In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.
NOTE: In this publication, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.
Compliance with this publication is voluntary. However, the publication may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the publication is achieved when all of these mandatory provisions are met. The words "shall" or some other obligatory language such as "must" and the negative equivalents are used to express
requirements. The use of such words does not suggest that compliance with the publication is required of any party.

INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this publication may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the publication development process.
As of the date of approval of this publication, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this publication. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

(c) ITU 2014
All rights reserved.
No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

Table of Contents
1 Scope
2 References
3 Definitions
3.1 Terms defined elsewhere
3.2 Terms defined in this supplement
4 Abbreviations and acronyms
5 Conventions
6 Traceback introduction
7 Possible traceback capabilities in networks
7.1 Source identification
7.2 Ingress point identification
7.3 Partial path identification
8 Potential applications of traceback
8.1 Application to DDoS attacks
8.2
Application to misconfiguration issues
8.3 Application to routing issues
Appendix I: Overview of traceback mechanisms research
I.1 Abbreviations and acronyms
I.2 Classification of traceback mechanisms
I.3 IP layer traceback mechanisms
I.4 Comparison of traceback mechanisms
Appendix II: Comparison of traceback mechanisms based on criteria and taxonomy
Bibliography

Supplement 10 to ITU-T X-series Recommendations
ITU-T X.1205 Supplement on usability of network traceback

1 Scope
This Supplement provides an overview of traceback capabilities that may be useful in responding to network incidents where some knowledge of the source(s) of those incidents is necessary for effective cybersecurity responsive measures. It includes descriptions and usability considerations of traceback.
Traceback, as described in this supplement, may be in conflict with laws and regulation (e.g., secrecy of telecommunications or data protection and/or privacy) in some countries or regions, and therefore cannot be applied in those countries or regions. Implementers and users of the described mechanisms shall comply with all applicable national and regional laws, regulations and policies.

2 References
None.

3 Definitions
3.1 Terms defined elsewhere
This Supplement uses the following terms defined elsewhere:
3.1.1 domain [b-ITU-T M.3010]: A set of managed resources subject to a common management policy.
3.1.2 event [b-ITU-T M.2140]: An instantaneous
occurrence that changes the global status of an object. This status change may be persistent or temporary, allowing for surveillance, monitoring, and performance measurement functionality, etc. Events may or may not generate reports, may be spontaneous or planned, may trigger other events, or may be triggered by one or more other events.

3.2 Terms defined in this supplement
This Supplement defines the following term:
3.2.1 traceback: A technique used to discover technical information concerning the ingress points, paths, partial paths or sources of a packet or packets causing a problematic network event, generally for the purposes of applying mitigation measures.

4 Abbreviations and acronyms
This Supplement uses the following abbreviations and acronyms:
ADSL  Asymmetric Digital Subscriber Line
DDoS  Distributed Denial of Service
IP    Internet Protocol
IPv4  IP version 4
IPv6  IP version 6
NAT   Network Address Translation

5 Conventions
None.

6 Traceback introduction
IP-based incidents, especially attacks on the network infrastructure, have increased dramatically in number and complexity. End users, service providers and network operators are all adversely affected by such attacks. Traceback was developed to deal with these attacks and has evolved over several years. Traceback attempts to discover information about the attack source(s) for the purpose of pursuing remediation measures. For example, when a distributed denial of service
(DDoS) attack occurs, network providers along the attack path may be able to detect and mitigate DDoS traffic at the ingress points with the help of traceback.
Traceback has evolved from network operational tools that have existed for a long time, and it has been included as part of network management systems and products. Indeed, the basic traceroute tool is provided with almost every computer and network element operating system. When combined with directory systems such as WHOIS [b-IETF RFC 3912], some basic traceback capabilities can be created. These, and other techniques, are examples
of the type of traceback used by service providers. This Supplement does not describe such techniques but rather the usability considerations of traceback. Clauses 7 and 8 describe the overview and usability considerations of traceback.

7 Possible traceback capabilities in networks
7.1 Source identification
A service provider seeking to uncover the source of a problematic network event may use traceback immediately after the incident has been identified. Where the service provider has made appropriate investment in, and configuration of, core and edge routers to support the applied traceback mechanisms, operators may be able to identify, at the edge router or the incoming physical port, the source of the problematic network event. Source identification may help operators stop the problematic network event or mitigate its impact.

7.2 Ingress point identification
A network operator that operates a region/domain (with multiple links to adjacent regions/domains) may use traceback to identify the set of links affected by a particular network incident. The ability to narrow down the number of affected links may help operators expedite the investigation and, when necessary,
apply mitigation procedures.

7.3 Partial path identification
If traceback is both deployed and possible across multiple regions/domains, it can be used to uncover a partial path of widespread attacks. While source identification across multiple regions/domains may be difficult under partial traceback deployment, some applications of traceback may be able to identify the partial path or multiple paths of a problematic network event, in support of the mitigation procedures across multiple regions/domains.

8 Potential applications of traceback
8.1 Application to DDoS attacks
DDoS attacks are characterized by large amounts of traffic that originates from multiple sources and is destined to particular network end resources. It is sent with the intention of rendering the targeted resources unavailable to their intended users. Figure 1 shows a typical DDoS attack
scenario. The target of the DDoS attack is the victim served by Domain/region 1. The DDoS attack affects not only the victim but also the resources within Domain/region 1. The attack traffic comes into Domain/region 1 from Domain/region 2 and Domain/region 3, which belong to different network providers.

Figure 1: Typical DDoS attack applications

As DDoS attacks typically attempt to overwhelm the network resources (bandwidth) of the connection circuit between the victim and the provider, the victim expects that the network provider will block the attack traffic before it reaches the targeted resources. Because DDoS attacks can involve hundreds or thousands of sources, or more, sending attack packets, it is difficult to identify the source of all such packets. Traceback is useful in this case not for identification of the sources, but rather for identification of the ingress points and partial paths within the provider's network where the DDoS attack can best be mitigated. Traceback, in this case, helps network providers to determine the ingress edge router and the affected high-value links.
In the DDoS scenario in Figure 1, the quick solution is dropping DDoS traffic at edge router R1. But if the attack traffic has reached R1, a great deal of unwanted traffic has already flooded the network and other network elements within Domain/region 1, wasting network bandwidth and platform resources. Therefore, by using traceback within Domain/region 1, operators can determine
specific ingress points from other providers; namely Domain/region 2 and Domain/region 3, but not Domain/region 4. Domain/region 1 providers may wish to engage in cooperative traceback with Domain/region 2 and Domain/region 3 providers, to enable pushing mitigations even further towards attack sources to protect interconnection points.

[Figure 1 (X Suppl.10(11)_F01); labels recovered from the image: Domain/region 1 to Domain/region 5; links L1 to L6; routers R1 to R9; Victim; three Attackers; Access device.]

There are, then, several better solutions, like for example, dropping the DDoS attack traffic at R4, the access device of Domain/region 3, and at R5, the peering router between Domain/region 1 and Domain/region 3.
Various factors may affect traceback. There may be various
network environments, such as networks with IPv4 and IPv6 addresses, networks with different access techniques (e.g., asymmetric digital subscriber line (ADSL), cable and Ethernet), etc. In addition, the attacker may be using packets with spoofed source addresses, may be located behind network address translations (NATs) and/or may have its IP address assigned dynamically. Traceback must consider all of these various network environments.

8.2 Application to misconfiguration issues
Many network and application issues are caused by misconfiguration. In such situations, operators might find such misconfiguration problems with the help of traceback after problematic network events have occurred.

8.3 Application to routing issues
A domain/region always has several links to adjacen
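The ingress-point traceback of clause 8.1, as an added example that is not part of this Supplement: flow records exported by the routers of Domain/region 1 are aggregated by the physical port the packets arrived on rather than by source address, because spoofed, NATed or dynamically assigned sources (the factors clause 8.1 lists) make source identification unreliable, while the ingress port still tells the operator where to place the mitigation. Router and interface names (R5, R6, R7, et-0/0/x), the port-to-adjacent-domain inventory, the victim address and every flow record are constructed for this example; the 5 % share threshold and the "many sources, few packets each" spoofing heuristic are assumptions, not anything this Supplement specifies.

```python
"""Ingress-point traceback over flow records (added example, not from the
Supplement).  Victim-bound packets are counted per (router, ingress port) so
that mitigation can be placed at the ports carrying the flood even when no
source address can be trusted.  All names and records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    router: str      # exporting router in Domain/region 1 (assumed name)
    ingress_if: str  # physical port the packets arrived on (assumed name)
    src: str         # source address as seen on the wire (may be spoofed)
    dst: str
    packets: int


# Constructed interface inventory: which adjacent domain sits behind each port.
PEER_BEHIND_PORT = {
    ("R5", "et-0/0/1"): "Domain/region 3",
    ("R6", "et-0/0/2"): "Domain/region 2",
    ("R7", "et-0/0/3"): "Domain/region 4",
}

VICTIM = "198.51.100.10"  # constructed victim address (RFC 5737 documentation range)


def fake_source(i):
    """Deterministic, collision-free pseudo-random IPv4 address for sample data
    (multiplying by an odd constant is a bijection modulo 2**32)."""
    v = (i * 2654435761) % 2**32
    return ".".join(str((v >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def sample_flows():
    """Constructed flow records: a spoofed flood entering via two peering ports,
    a little legitimate traffic via a third, plus unrelated background traffic."""
    flows = []
    # Spoofed sources send 2 packets each: 3000 of them via R5, 2000 via R6.
    for router, port, first, count in (("R5", "et-0/0/1", 0, 3000),
                                       ("R6", "et-0/0/2", 3000, 2000)):
        for i in range(first, first + count):
            flows.append(Flow(router, port, fake_source(i + 1), VICTIM, 2))
    # Legitimate clients via R7: 5 sources, 10 packets each.
    for i in range(5):
        flows.append(Flow("R7", "et-0/0/3", f"203.0.113.{i + 1}", VICTIM, 10))
    # Traffic to another host must be ignored by the traceback.
    flows.append(Flow("R7", "et-0/0/3", "203.0.113.99", "198.51.100.20", 500))
    return flows


def ingress_points(flows, victim):
    """Aggregate victim-bound packets by (router, ingress port), most loaded
    first, with the adjacent domain and the number of distinct sources seen."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for f in flows:
        if f.dst != victim:
            continue
        key = (f.router, f.ingress_if)
        packets[key] += f.packets
        sources[key].add(f.src)
    ranked = []
    for key, n in sorted(packets.items(), key=lambda kv: kv[1], reverse=True):
        ranked.append({
            "router": key[0],
            "ingress_if": key[1],
            "peer": PEER_BEHIND_PORT.get(key, "unknown"),
            "packets": n,
            "distinct_sources": len(sources[key]),
            "packets_per_source": n / len(sources[key]),
        })
    return ranked


def attack_ingress(ranked, share=0.05):
    """Ingress points carrying at least `share` of all victim-bound packets.
    The 5 % threshold is an assumption for this example; an operator would
    compare each port against its own traffic baseline instead."""
    total = sum(r["packets"] for r in ranked)
    return [r for r in ranked if r["packets"] >= share * total]


def sources_look_spoofed(entry, max_packets_per_source=3.0):
    """Heuristic (an assumption, not from the Supplement): many sources each
    contributing a couple of packets is what a spoofed flood looks like, so
    per-source blocking is not actionable and per-ingress mitigation is."""
    return (entry["distinct_sources"] > 100
            and entry["packets_per_source"] <= max_packets_per_source)


if __name__ == "__main__":
    ranked = ingress_points(sample_flows(), VICTIM)
    for r in attack_ingress(ranked):
        verdict = "spoofed-looking" if sources_look_spoofed(r) else "attributable"
        print(f"{r['router']} {r['ingress_if']} <- {r['peer']}: {r['packets']} pkts "
              f"from {r['distinct_sources']} sources ({verdict})")
```

Run stand-alone, the script reports the two ports facing Domain/region 2 and Domain/region 3 as the ingress points carrying the flood and flags both as spoofed-looking, while the port facing Domain/region 4 stays below threshold; this is the per-ingress placement clause 8.1 describes, where the operator filters or rate-limits at those ports (and, with cooperative traceback, asks the adjacent provider to do the same further upstream) rather than chasing thousands of individual source addresses.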