https://spoofer.caida.org/

Similar documents
Software Systems for Surveying Spoofing Susceptibility

Software Systems for Surveying Spoofing Susceptibility

Using Loops Observed in Traceroute to Infer the Ability to Spoof

The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet

IP Spoofer Project. Observations on four-years of data. Rob Beverly, Arthur Berger, Young Hyun.

Understanding the Efficacy of Deployed Internet Source Address Validation Filtering

Illegitimate Source IP Addresses At Internet Exchange Points

Collective responsibility for security and resilience of the global routing system

The Impact of Router Outages on the AS-Level Internet

IPv6 Pollution Traffic Analysis

Collective responsibility for security and resilience of the global routing system

Measuring and Characterizing IPv6 Router Availability

Updates and Analyses

Measuring and Modeling the Adoption of IPv6

Updates and Case Study

RIPE Labs Operator Tools, Ideas, Analysis

Analysis of Country-wide Internet Outages Caused by Censorship

Experience with SPM in IPv6

MANRS. Mutually Agreed Norms for Routing Security. Jan Žorž

MAPPING PEERING INTERCONNECTIONS TO A FACILITY

An introduction to BGP security

Network Security. Thierry Sans

MANRS: Mutually Agreed Norms for Routing Security Routing is at Risk Let s secure it together!

Primitives for Active Internet Topology Mapping: Toward High-Frequency Characterization

MAPPING PEERING INTERCONNECTIONS TO A FACILITY

IPv6 routing table Introduction 1. Impressions. An overview of the global IPv6 routing table. January 27th, 2004 RIPE 47, Amsterdam

Routing Security We can do better!

MAPPING INTERNET INTERDOMAIN CONGESTION

UDP-based Amplification Attacks and its Mitigations

RFC1918 updates on servers near M and F roots C A I D A. Andre Broido, work in progress. CAIDA WIDE Workshop ISI, CAIDA / SDSC / UCSD

Computer Science 461 Final Exam May 22, :30-3:30pm

Update from the RIPE NCC

BGP Routing Table Report

AS Connectedness Based on Multiple Vantage Points and the Resulting Topologies

Tracking the Internet s BGP Table

SENSS: Software-defined Security Service

Two days in The Life of The DNS Anycast Root Servers

INFERRING PERSISTENT INTERDOMAIN CONGESTION

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

Opportunities for Exploiting Social Awareness in Overlay Networks. Bruce Maggs Duke University Akamai Technologies

To Filter or to Authorize: Network-Layer DoS Defense against Multimillion-node Botnets. Xiaowei Yang Duke Unversity

Exit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz

Preventing Traffic with Spoofed Source IP Addresses in MikroTik

DDoS Defense Mechanisms for IXP Infrastructures

Revealing the load-balancing behavior of YouTube traffic of interdomain links

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

DDoS made easy. IP reflection attacks for fun and profit. Gert Döring, SpaceNet AG, München. DECIX/ECO security event,

Accurate Real-time Identification of IP Hijacking. Presented by Jacky Mak

DNS Authentication-as-a-Service Preventing Amplification Attacks

A Characterization of IPv6 Network Security Policy

SpaceNet AG. Internet Business Produkte für den Mittelstand. Produkt- und Firmenpräsentation. DENOG6, , Darmstadt

SDN Use-Cases. internet exchange, home networks. TELE4642: Week8. Materials from Prof. Nick Feamster is gratefully acknowledged

Dig into MPLS: Transit Tunnel Diversity

Studying Black Holes on the Internet with Hubble

IoT - Next Wave of DDoS? IoT Sourced DDoS Attacks A Focus on Mirai Botnet and Best Practices in DDoS Defense

Denial of Service Protection Standardize Defense or Loose the War

Security)Track) NANOG)65)

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Measuring the Adoption of Route Origin Validation and Filtering

DNS root server deployments. George Michaelson DNS operations SIG APNIC17/APRICOT 2004 Feb KL, Malaysia

IPv6 routing table Introduction 1. Impressions. An overview of the global IPv6 routing table. May 3rd, 2005 RIPE 50, Stockholm, SE

R&E ROUTING SECURITY BEST PRACTICES. Grover Browning Karl Newell

Security in inter-domain routing

Trends in IoT DDoSbotnets

The Challenges of Measuring Wireless Networks. David Kotz Dartmouth College August 2005

Inter-Domain Routing Trends

Current Challenges in Internet Technology

Routing the Internet in Geoff Huston APNIC March 2007

network security s642 computer security adam everspaugh

PERISCOPE: Standardizing and Orchestrating Looking Glass Querying

IPv6 at Google. Lorenzo Colitti

Achieving scale: Large scale active measurements from PlanetLab

Internet Mapping Primitives

Evaluating Network Security using Internet Measurements

Measured Impact of Tracing Straight. Matthew Luckie, David Murrell WAND Network Research Group Department of Computer Science University of Waikato

Internet Anycast: Performance, Problems and Potential

/15/$ IEEE

MANRS. Mutually Agreed Norms for Routing Security. Aftab Siddiqui

BGP Routing Table Report

Mutually Agreed Norms for Routing Security NAME

IPv6 at Google. Lorenzo Colitti

Current procedures, challenges and opportunities for collection and analysis of Criminal Justice statistics CERT-GH

On the Prevalence and Characteristics of MPLS Deployments in the Open Internet

IPv6 routing table Introduction 1. Impressions. An overview of the global IPv6 routing table. September 3, 2003 RIPE 46, Amsterdam

A First Look at QUIC in the Wild

Internet2 DDoS Mitigation Update

War Stories from the Cloud Going Behind the Web Security Headlines. Emmanuel Mace Security Expert

Tracing the Path to YouTube -

IRNC-SP: Sustainable data-handling and analysis methodologies for the IRNC networks

Measuring IPv6 Adoption

IPv6 Deployment in Africa

Welcome to PHOENIX CONTACT Routing

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Data Plane Protection. The googles they do nothing.

MANRS Mutually Agreed Norms for Routing Security

SDN-based Network Obfuscation. Roland Meier PhD Student ETH Zürich

DDoS Protection in Backbone Networks

Internet exchange Federation Project Funding Proposal

LISP: Intro and Update

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Transcription:

Software Systems for Surveying Spoofing Susceptibility Matthew Luckie, Ken Keys, Ryan Koga, Bradley Huffaker, Robert Beverly, kc claffy https://spoofer.caida.org/ DDoS PI meeting, March 9 2017 www.caida.o

What is the Problem? Lack of filtering allows anonymous denial of service attacks. Example: CloudFlare reports 400Gbps attacks on their systems through 2016 400Gbps 240Gbps 80Gbps Feb 7 Feb 13 Feb 19 Feb 25 https://blog.cloudflare.com/a-winter-of-400gbps-weekend-ddos-attacks/ 2

What is the Problem? Lack of filtering allows anonymous denial of service attacks. Example: CloudFlare reports >1K DoS attack events on their systems, per day, starting Feb 2016 1.4K 1K 600 200 Oct Nov Dec Jan Feb Mar https://blog.cloudflare.com/a-winter-of-400gbps-weekend-ddos-attacks/ 3

Why does spoofing matter? Attacker sends packet with spoofed source IP address Receiver cannot always know if packet s source is authentic src dst src dst small V R payload R V large request response packets V R payload R V packets Attacker A Receiver R Victim V Volumetric Reflection-Amplification Attack 4

Defenses BCP38: Network ingress filtering: defeating denial of service attacks which employ IP Source Address Spoofing - https://tools.ietf.org/html/bcp38 - May 2000 BCP84: Ingress filtering for multi-homed networks - https://tools.ietf.org/html/bcp84 - March 2004 Not always straightforward to deploy source address validation (SAV): BCP84 provides advice how to deploy 5

Tragedy of the Commons Deploying source address validation is primarily for the benefit of other networks Incentive not clear for some networks - majority of networks do seem to deploy filtering - filtering gives an operator moral high-ground to pressure other networks to deploy, which does benefit the operator - Cyber Insurance takes into account security practice of the network: QuadMetrics.com ISOC RoutingManifesto.org: Mutually Agreed Norms for Routing Security (MANRS) 6

Which networks have deployed filtering? No public data that allows a network to show that they have (or have not) deployed filtering OpenResolverProject: allows detection of which networks have not deployed filtering based on DNS request forwarding - requires a buggy open resolver - public reporting at network and AS level MIT/CMAND Spoofer Project: aggregate statistics of spoofability based on crowd-sourced tests - user had to manually run tests - no public reporting at network or AS level 7

Spoofer: Client/Server Overview Client TCP control connection Spoofer Server Spoofed packets Database CAIDA Ark Vantage Points 8

Spoofer: Client/Server Overview Client tests ability to spoof packets of different types - Routed and Private - IPv4 and IPv6 traceroute to infer forward path to destinations tracefilter to infer first location of filtering in a path - traceroute but with spoofed packets Filtering prefix granularity: how many addresses in the same network prefix can be spoofed? 9

CAIDA Spoofer Project: New Features Client/Server system provides new useful features - by default publish anonymized results, and by default share unanonymized results for remediation - Runs in background, automatically testing new networks the host is attached to, once per week, IPv4 and IPv6 - GUI to browse test results from your host, and schedule tests - Speed improvements through parallelized probing https://spoofer.caida.org/recent_tests.php 10

CAIDA Spoofer Project: New Features Reporting Engine publicly shows outcomes of sharable tests - Allows users to select outcomes per country: which networks in a country need attention? per ASN: which subnets need attention? per provider: which of my BGP customers can spoof? - What address space does an AS announce, or could act as transit for? Is that address space stable? Useful for deploying ACLs https://spoofer.caida.org/recent_tests.php 11

Client GUI Signed Installers MacOS Windows Linux Open Source C++ 12

Client/Server Deployment Since releasing new client in May 2016, increasing trend of more tests (yellow line) - Benefit of system running in background 13

Reporting Engine: Recent Tests 14

Reporting Engine: Recent Tests Able to break down by country, perhaps useful for regional CERTs. In this case US-CERT 15

Reporting Engine: Recent Tests Addresses anonymized: IPv4: /24 IPv6: /40 16

Reporting Engine: Recent Tests NATs behave differently: Some may block spoofed traffic Some uselessly rewrite Some do not rewrite and pass spoofed packets 17

Reporting Engine: Recent Tests Some spoofing from behind a NAT prevented by egress filtering 18

Reporting Engine: Recent Tests Some networks may have deployed IPv4 filtering, but forgotten to deploy IPv6 filtering 19

Notifications and Remediation Currently, we (Matthew) manually send notifications to abuse contacts of prefixes from which we received spoofed packet Successful filtering deployment: weekly tests show spoofed packets are now blocked. Thanks, Compass. 20

Other Remediation Strategies AS9876, NOW Internet. Emailed abuse@ 26 Sept 2016. 21

Other Remediation Strategies ACLs are the best fit... when the configuration is not too dynamic,.. if the number of used prefixes is low. - BCP84 https://spoofer.caida.org/prefixes.php?asn=9876 https://spoofer.caida.org/provider.php Webpages by Stuart Thomson, Waikato 22

Fraction of Stub ASes Practicality of Ingress Access Lists ACLs are the most bulletproof solution when done properly, and the best fit... when the configuration is not too dynamic,.. if the number of used prefixes is low. - BCP84 During 2015, ~5% and ~3% of ASes announced different IPv4 and IPv6 address space month-to-month, respectively. 25 20 15 10 5 0 Jan 98 Jan 00 BCP 38 Jan 02 Jan 04 BCP 84 Jan 06 Jan 08 Jan 10 Jan 12 IPv4 IPv6 Jan 14 Source: Routeviews and RIPE RIS data Jan 16 23

Practicality of Ingress Access Lists ACLs are the best fit... when the configuration is not too dynamic,.. if the number of used prefixes is low. - BCP84 Fraction of Stub ASes In August 2016, 86.9% of stub ASes would require an IPv4 ACL of no more than 4 prefixes. More than half of IPv4 ACLs defined in January 2012 would still be unchanged today. 1 0.8 0.6 0.4 0.2 0 August 2016: IPv4, 46693 ASes IPv6, 7265 ASes 0 2 4 6 8 10 # Prefixes in Ingress ACL Fraction unchanged 1 0.8 0.6 0.4 0.2 0 Jan 12 Jan 13 IPv4 ASes IPv6 ASes Jan 14 Jan 15 Jan 16 Source: Routeviews and RIPE RIS data 24

Growing evidence of remediation https://spoofer.caida.org/remedy.php 25

Should I install the client? Yes! Room full of laptops and people who travel (use different networks). Great opportunity to collect new users and grow visibility of filtering deployment practice What about NAT? - Not all NAT systems filter packets with spoofed source addresses - Roughly 35% of test results that showed spoof-ability were conducted from behind a NAT 26

Expanding View of Filtering Policy Use CAIDA traceroute data to infer customer-provider links to stub ASes that imply lack of ingress filtering by provider Goal: - expand view of filtering policy - spur additional deployment of ingress ACLs Method suggested by Jared Mauch (NTT), joint work with Qasim Lone, Maciej Korczynski, Michel van Eeten (TU Delft) https://spoofer.caida.org/trspoof.php 27

Traceroute Spoofer Provider #1 Provider #2 V S Stub AS V S Source address is from Vantage Point (VP) running traceroute V S Packet should be filtered by #2 because the source address belongs to a different network than the stub AS 28

Traceroute Spoofer: 3356-5088 Customer-Provider Link Suggested Ingress ACL https://spoofer.caida.org/trspoof.php 29

Summary Reporting Engine publicly shows outcomes of sharable tests, ~6K unique IPs in hundreds of ASNs per month. - Allows users to select outcomes per country: which networks in a country need attention? per ASN: which subnets need attention? per provider: which of my BGP customers can spoof? - Allows operators to view address space announced by an AS, or could act as transit for, over time. - Please install and use the system! https://spoofer.caida.org/ 30

Acknowledgements Project funded by U.S. Department of Homeland Security (DHS) Science and Technology (S&T) directorate Contacts: - spoofer-info@caida.org 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback