The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet

Similar documents
IP Spoofer Project. Observations on four-years of data. Rob Beverly, Arthur Berger, Young Hyun.

Understanding the Efficacy of Deployed Internet Source Address Validation Filtering

Software Systems for Surveying Spoofing Susceptibility


Software Systems for Surveying Spoofing Susceptibility

Illegitimate Source IP Addresses At Internet Exchange Points

Distributed Denial of Service (DDoS)

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

DDoS and Traceback 1

Experience with SPM in IPv6

Multihoming with BGP and NAT

Measuring and Characterizing IPv6 Router Availability

MPLS L3VPN. The MPLS L3VPN model consists of three kinds of devices: PE CE Site 2. Figure 1 Network diagram for MPLS L3VPN model

On the State of IP Spoofing Defense

Contents. Configuring urpf 1

Analysis. Group 5 Mohammad Ahmad Ryadh Almuaili

BGP. Daniel Zappala. CS 460 Computer Networking Brigham Young University

Accurate Real-time Identification of IP Hijacking. Presented by Jacky Mak

Preventing Traffic with Spoofed Source IP Addresses in MikroTik

THE "TRIBE FLOOD NETWORK 2000" DISTRIBUTED DENIAL OF SERVICE ATTACK TOOL

Security Enhancement by Detecting Network Address Translation Based on Instant Messaging

Remember Extension Headers?

InterAS Option B. Information About InterAS. InterAS and ASBR

IPv6 Transition Technologies (TechRef)

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Basic NAT Example Security Recitation. Network Address Translation. NAT with Port Translation. Basic NAT. NAT with Port Translation

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

DDoS made easy. IP reflection attacks for fun and profit. Gert Döring, SpaceNet AG, München. DECIX/ECO security event,

Chapter 7. Denial of Service Attacks

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

NAT, IPv6, & UDP CS640, Announcements Assignment #3 released

Network Security. Thierry Sans

SENSS: Software-defined Security Service

Phase 4 Traceback the Attack. 2002, Cisco Systems, Inc. All rights reserved.

Denial of Service. EJ Jung 11/08/10

Configuring MPLS L3VPN

Shim6: Network Operator Concerns. Jason Schiller Senior Internet Network Engineer IP Core Infrastructure Engineering UUNET / MCI

Various Anti IP Spoofing Techniques

Chapter 15 IPv6 Transition Technologies

Internet Control Message Protocol

Denial of Service, Traceback and Anonymity

Internet Control Message Protocol (ICMP)

Computer Security: Principles and Practice

SpaceNet AG. Internet Business Produkte für den Mittelstand. Produkt- und Firmenpräsentation. DENOG6, , Darmstadt

Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Everest (Cisco ASR 920)

DENIAL OF SERVICE ATTACKS

Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Fuji 16.7.x (NCS 4200 Series)

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

A Sampling of Internetwork Security Issues Involving IPv6

Internet Engineering Task Force (IETF) Request for Comments: 6441 BCP: 171 November 2011 Category: Best Current Practice ISSN:

This document is not restricted to specific software and hardware versions.

New IP Header. Why change IP. Address Notation. Changes. Information Sources. IP Version 6 ITL

Information Sources Hans Kruse & Shawn Ostermann, Ohio University

EULER Project Path-Vector Routing Stability Analysis

network security cs642 computer security adam everspaugh

Network Policy Enforcement

CCNA Exploration Network Fundamentals. Chapter 06 Addressing the Network IPv4

ARDA Program: P2INGS (Proactive And Predictive Information Assurance For Next Generation Systems)

Information Sources Hans Kruse & Shawn Ostermann, Ohio University

Computer Science 461 Midterm Exam March 14, :00-10:50am

b. Suppose the two packets are to be forwarded to two different output ports. Is it

Lecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015

Updates and Analyses

Passive IP Traceback: Disclosing the Locations of IP Spoofers from Path Backscatter

Measuring BGP. Geoff Huston. CAIA SEMINAR 31 May

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

Computer Science 461 Final Exam May 22, :30-3:30pm

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

An Operational Perspective on BGP Security. Geoff Huston February 2005

Enhancing DDoS protection TAYLOR HARRIS SECURITY ENGINEER

Lecture 19: Network Layer Routing in the Internet

FIGURE 3. Two-Level Internet Address Structure. FIGURE 4. Principle Classful IP Address Formats

Collective responsibility for security and resilience of the global routing system

IPv6. Internet Technologies and Applications

MPLS VPN Explicit Null Label Support with BGP. BGP IPv4 Label Session

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Distributed Denial-of-Service Attack Prevention using Route-Based Distributed Packet Filtering. Heejo Lee

Internetworking/Internetteknik, Examination 2G1305 Date: August 18 th 2004 at 9:00 13:00 SOLUTIONS

Examination 2D1392 Protocols and Principles of the Internet 2G1305 Internetworking 2G1507 Kommunikationssystem, fk SOLUTIONS

Back to basics J. Addressing is the key! Application (HTTP, DNS, FTP) Application (HTTP, DNS, FTP) Transport. Transport (TCP/UDP) Internet (IPv4/IPv6)

An Industry view of IPv6 Advantages

Identifying Spoofed Packets Origin using Hop Count Filtering and Defence Mechanisms against Spoofing Attacks

Denial of Service and Distributed Denial of Service Attacks

TCP/IP Protocol Suite

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

Tag Switching. Background. Tag-Switching Architecture. Forwarding Component CHAPTER

Internet Measurements. Motivation

BGP Security. Kevin s Attic for Security Research

Future Routing and Addressing Models

IPv6. Copyright 2017 NTT corp. All Rights Reserved. 1

Methods for Detection and Mitigation of BGP Route Leaks

LISP Locator/ID Separation Protocol

Day In The Life of the Internet 2008 Data Collection Event.

Initial motivation: 32-bit address space soon to be completely allocated. Additional motivation:

network security s642 computer security adam everspaugh

Master Course Computer Networks IN2097

LISP Router IPv6 Configuration Commands

Chapter 4: outline. 4.5 routing algorithms link state distance vector hierarchical routing. 4.6 routing in the Internet RIP OSPF BGP

Transcription:

The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet Rob Beverly and Steve Bauer {rbeverly,bauer}@mit.edu

The Spoofer Project Goal: Quantify the extent and nature of source address filtering on the Internet Key results: ~23% of observed netblocks corresponding to ~24% of observed ASes allow some from of spoofing Filtering is frequently applied inconsistently allowing spoofing of parts of the address space Filtering policies corresponds reasonably well to netblocks announced in BGP No discernable geographic pattern in address filtering policies 2/29

Motivation and background 3/29

What are spoofed packets? Attackers/compromised-hosts forge or spoof source address of an IP packet 4/29

What type of addresses are spoofed? Valid 0.0.0.0 IPv4 Address Space Private Intranet 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 Loopback 127.0.0.0/8 Unallocated June 29, 2005 http://www.completewhois.com/bogons/ Multicast 224.0.0.0/4 255.255.255.255 5/29

How are bogons filtered? Bogon list sources: http://www.cymru.com/bogons/ http://www.completewhois.com/bogons/ Ingress or egress filters on a router Need updating (ideally automatically) as assignments change Not always 100% accurate 6/29

Does spoofing matter in 2005? All ISP filter (right?) RFC2827, urpf Zombie farms Spoofing provides little additional anonymity for actual attacker Prevalence of NATs headers rewritten anyway so spoofing useless 7/29

Indications that spoofing is employed in current attacks Backscatter [Moore01][Pang04] shows continued, strong spoofing activity In Jan 2005 during one DDoS attack 12% of the source addresses were bogons [Dietrich05] High-profile spoofing-based DDoS attacks in 2000-2004: Yahoo, Ebay, E*trade Shaft, TFN, trinoo, Stacheldraht, RingZero Protx online payment site, Nov 2004 8/29

Attacker Spoofed 1 Spoofed 2 Victim DoS attack with spoofing Spoofed n Spoofed packets Slave 1 Master Slave 2 Slave N Spoofed 1 Spoofed 2 Spoofed n Victim Distributed DoS attack with spoofing Slave 1 Master Slave 2 Slave N Reflector 1 Reflector 2 Reflector n Victim Distributed DoS attack with reflectors

Prediction: spoofing increasingly a problem in the future Spoofed traffic complicates a defenders job Adaptive programs that make use of all local host capabilities to amplify their attacks Consider a 10,000 node zombie DDoS Today (worst case scenario): if non-spoofing zombies are widely distributed, a network operator must defend against attack packets from 5% of routeable netblocks. Future: if 25% of zombies capable of spoofing significant volume of the traffic could appear to come any part of the IPv4 address space 10/29

Spoofer Project: Collection and analysis methodology 11/29

Collection methodology Objective: collect reports of the spoofing capabilities from as many locations on the network as possible Spoofing packets requires administrator privileges No way to induce spoofed packets on remote machines need willing participants, unavoidably introducing a potential bias Clients run a spoofer test program generating a report from their network locations Availability advertised on various mailing lists 12/29

1. Spoofer clients attempt to send a series of spoofed UDP packets to our test collection server Five of each type with random inter-packet delay UDP destination port 53 (normally DNS) to avoid secondary filtering effects Payload includes unique 14 byte identifier 2. If received, server stores packets in database 13/29

3. Test summary Spoofer client does a traceroute to server Spoofer client sends a report of spoofed packets to server via TCP TCP destination port 80 used to avoid secondary filtering effects 14/29

Spoofed packets Chosen to infer specific filtering policies Spoofed Source 1.2.3.4 6.1.2.3 172.16.1.100 Client IP (2 N ) for 0<N<24 Description Unallocated Valid (In BGP table) RFC1918 Private address Neighbor Spoof IPv4 Address Space 15/29

Example client run [root@coco spoofer]#./spoofer >> Spoofing Tester v0.2 >> Source 5 spoofed packets (IP: 1.2.3.4) (Seq: g8cb4gc6ojezw1)... >> Source 5 spoofed packets (IP: 172.16.1.100) (Seq: 09kamtjjugxwvy)... >> Source 5 spoofed packets (IP: 6.1.2.3) (Seq: 0dzpw2obc80ff3)... >> >> Checking spoofing result... >> Server response: HOWDY 5am11w18zzc86g >> Server response: COOL 3 >> Server response: FOUND g8cb4gc6ojezw1 >> Server response: FOUND 09kamtjjugxwvy >> Server response: FOUND 0dzpw2obc80ff3 >> Running Trace (please wait): /usr/sbin/traceroute -n 18.26.0.235 traceroute to 18.26.0.235 (18.26.0.235), 30 hops max, 38 byte packets >> Server response: SEND-TRACE LINUX >> Server response: BYE 5am11w18zzc86g Test Complete. Your test results: http://momo.lcs.mit.edu/spoofer/report.php?sessionkey=5am11w18zzc86g 16/29

Analysis and results 17/29

Client population From March 2005 to present: 688 client reports generated 544 unique client reports No network abuse complaints reported from users or received by us 18/29

Spoofing failures for reasons not related to ISP policies Non-ISP related spoofing failures 326 client reports Blocked by Windows XP SP2: 155 Hosts Behind NATs: 126 Otherwise blocked by operating system: 20 We exclude these from our analysis because they do not definitively provide any indication of the capability of other hosts in the same netblock to spoof 19/29

Spoofable: spoofing of private, or unallocated, or valid IP packets possible from these network locations 20/29

Filtering policies Private Unallocated Valid Client Count 261 23 0 59 0 0 0 0 Filtered Spoofable policies found in operation on the Internet 21/29

Filtering Boundaries Filtering occurring on a /8 boundary enables a client within that network to spoof 16,777,215 other addresses. 22/29

Correspondence between filtering granularity and BGP prefix size Important to understand how filtering granularity relates to routing announcements Are our extrapolations valid? Provides clues to a provider s network structure and operational practices. BGP view from University of Oregon Routeviews tables prefix size AS numbers 23/29

Correspondence between filtering granularity and BGP prefix size Over 36% of the time filtering boundary is exactly the same as announced netblock size Over 95% of the time within 65,536 IP addresses 24/29

Spoofed packets that make it past the ingress edges are likely to travel across the entire Internet No geographic pattern to filtering policies 25/29

Conclusion 26/29

Ongoing collection effort http://spoofer.csail.mit.edu/summary.html Hourly-updated web page Summarizes current state of IP spoofing Goal: continue collecting reports to improve accuracy, detect trends, etc. We need help to expand coverage and gain more data! 27/29

28/29

http://spoofer.csail.mit.edu Summary of key results: ~23% of observed netblocks corresponding to ~24% of observed ASes allow some from of spoofing Filtering policies corresponds reasonably well to netblocks announced in BGP Filtering is frequently applied inconsistently allowing spoofing of parts of the address space No discernable geographic pattern in address filtering policies 29/29

Thanks 30/29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback