
Clouseau: A practical IP spoofing defense through route-based filtering



Presentation Transcript


  1. Clouseau: A practical IP spoofing defense through route-based filtering
     Jelena Mirkovic, University of Delaware (sunshine@cis.udel.edu); Nikola Jevtic, Google Inc.; Peter Reiher, UCLA

  2. Outline
     • What is IP spoofing? Why should we care?
     • Route-based filtering (RBF)
       • Filter packets that come on an unexpected path
       • 97% effective if deployed at a few core ASes
       • Tables must be complete!
     • Clouseau protocol
       • Builds tables for RBF and keeps them current in the face of route changes
       • Sets up spoofed-packet filters
       • Fast and accurate decision, small impact on traffic

  3. What is IP spoofing? (Section navigation shown on this and later slides: IP spoofing, RBF, Clouseau.)
     Faking the IP address in the source field of the IP header.
     (Diagram: hosts Andy 5.6.7.8, Danny 9.10.11.12 and Lea 1.2.3.4; a packet labelled "From: 1.2.3.4, to: 9.10.11.12" is shown in transit.)

  4. IP spoofing uses
     • Hide the attacker's identity
     • Invoke replies to the spoofed address
       • Reflector DDoS attacks
     • Create decoy packets that hide the attacker's vulnerability scanning
     • Assume a good host's identity and gain priority service or status

  5. If IP spoofing were reduced
     • Attacks would be easier to detect and attribute
     • We could build IP address profiles to track user behavior
       • Reward good users, punish bad ones
     • Reflector attacks would be reduced

  6. Route-based filtering
     Route-based filtering [RBF]: build incoming tables that store the incoming interface for a given source IP. Filter packets that arrive on the wrong interface. Tables must be updated upon a route change. Lea's path could overlap with Andy's, so some spoofing will go undetected.
     (Diagram: Andy 5.6.7.8, Danny 9.10.11.12, Lea 1.2.3.4.)
     [RBF] K. Park, H. Lee, "On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets," SIGCOMM 2001

  7. Route-based filtering
     (Diagram: Andy 5.6.7.8 reaches the filter on interface 1, Lea 1.2.3.4 on interface 2, and Danny 9.10.11.12 sits behind the filter; a packet "From: 1.2.3.4, to: 9.10.11.12" is shown arriving.)
     Incoming table at the filter:
       From       Interface
       5.6.7.8    1
       1.2.3.4    2

  8. RBF effectiveness
     • If RBF is deployed on the vertex cover of the AS map [RBF]:
       • Deployment percentage: 18.9%
       • Percentage of (s,d) pairs that cannot contain spoofed traffic: 96%
       • ASes that cannot spoof: 88%
     • Downside: 18.9% of ASes is more than 4000!
     [RBF] K. Park, H. Lee, "On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets," SIGCOMM 2001

  9. Open questions
     • How well does RBF work under sparse deployment?
     • What if incoming tables are incomplete?
     • How to build incoming tables?

  10. Effectiveness measures
     • We will observe packets sent from s to d, spoofing the address p
     • Target measure (fixed d):
       • How many (s,p) combinations are possible to this victim
     • Stolen address measure (fixed p):
       • How many (s,d) combinations are possible spoofing this address
     • Spoofability:
       • How many (s,d,p) combinations are possible
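The three measures above can be computed exactly on a small topology once the RBF acceptance rule is written down. The block below is an added example, not code from the talk or from the Park and Lee paper: the AS graph, the filter placement and the routing model (BFS shortest paths with deterministic tie-breaking as a stand-in for BGP) are constructed assumptions, and the expected interface at a filter follows the route-based rule that a filter f expects packets with source p toward d on the previous hop of the p to d route.

```python
"""Counting what RBF filters leave spoofable on a constructed AS topology.

Added example, not code from the talk. The AS graph, the filter placement and
the routing model (BFS shortest paths with deterministic tie-breaking, a
stand-in for BGP) are all constructed assumptions; expected interfaces follow
the route-based rule: a filter f expects packets with source p toward d on the
previous hop of the p->d route."""
from collections import deque

# Constructed AS-level graph (undirected): AS -> neighbours. It is a tree, so
# every route is unique.
AS_GRAPH = {
    "A": ["B"],
    "B": ["A", "C", "E"],
    "C": ["B", "D"],
    "D": ["C"],
    "E": ["B"],
}


def shortest_path(graph, src, dst):
    """BFS path from src to dst (neighbours visited in list order, so ties are
    broken deterministically)."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def expected_interface(graph, filt, p, d):
    """Interface (previous hop) on which filter AS `filt` expects legitimate
    traffic from AS p toward AS d; None if that route never enters filt."""
    route = shortest_path(graph, p, d)
    if filt not in route or route[0] == filt:
        return None
    return route[route.index(filt) - 1]


def passes_filters(graph, filters, s, d, p):
    """True if a packet sent by AS s to AS d with source address p gets past
    every RBF filter on the s->d route. Filters check packets on ingress, so
    the sending AS does not inspect its own packets but the destination does."""
    if s == d or p == s:
        return False  # not a spoofing case in this model
    route = shortest_path(graph, s, d)
    for i in range(1, len(route)):
        filt = route[i]
        if filt in filters and expected_interface(graph, filt, p, d) != route[i - 1]:
            return False
    return True


def target_measure(graph, filters, d):
    """Fixed victim d: number of (s, p) pairs that can still reach d spoofing p."""
    return sum(passes_filters(graph, filters, s, d, p) for s in graph for p in graph)


def stolen_address_measure(graph, filters, p):
    """Fixed stolen address p: number of (s, d) pairs that can still spoof p."""
    return sum(passes_filters(graph, filters, s, d, p) for s in graph for d in graph)


def spoofability(graph, filters):
    """Number of (s, d, p) combinations that get through."""
    return sum(passes_filters(graph, filters, s, d, p)
               for s in graph for d in graph for p in graph)


if __name__ == "__main__":
    for filters in (set(), {"B"}, {"B", "C"}):
        print(sorted(filters), "spoofability:", spoofability(AS_GRAPH, filters),
              "target(D):", target_measure(AS_GRAPH, filters, "D"),
              "stolen(A):", stolen_address_measure(AS_GRAPH, filters, "A"))
```

On this five-node tree the unfiltered spoofability is 80 triples; a single filter at the hub B cuts it to 30, and adding C brings it to 19, which is the "first few filters have a considerable impact" effect in miniature. Note that a filter only helps against sources whose route to the victim enters it on a different interface than the stolen address would, which is exactly why the talk needs the tables to be complete and current.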

  11. Target measure, May '05 (plot)

  12. Stolen address measure, May '05 (plot)

  13. Spoofability over years (plot)

  14. Effectiveness summary
     • The first 20 filters have a considerable impact!
     • 50 filters drastically reduce spoofing
     • Filters receive an instant benefit from RBF
       • They reduce their own target measure
     • The stolen address measure is only reduced when we deploy enough filters

  15. Filter membership (figure: filters that persist over 5 years (17) and over 3 years (14))

  16. Long-term members (table)

  17. How to build incoming tables
     • Incoming interface = outgoing interface
       • Asymmetric routing defeats this
     • Participating source networks send reports along paths to destinations they talk to [SAVE]
       • Infer the incoming interface from the route the report takes or from the report's info; partial tables!
     • Infer incoming interface info from BGP updates [IDPF]
       • This allows multiple expected interfaces
     • Infer incoming interface info from traffic

  18. Clouseau
     • Packets at an unexpected interface trigger the inference process
     • Out of the first N packets:
       • Drop a random V, store each unique ID in DropQueue
       • Forward N-V, store each unique ID in FwQueue
     • When a packet is repeated:
       • If in DropQueue, gain 1 valid point
       • If in FwQueue, gain 1 spoof point
     • Decision if valid score = V or spoof score = S
     • Inference is banned for a time afterwards

  19. Clouseau in action (policy: drop packet 1, forward packets 2, 3, …; RC = 0, SP = 0)
     Packet 1 arrives on the unexpected interface → Drop! DropQueue: 1; FwQueue: empty.

  20. Clouseau in action (drop 1; forward 2, 3, …; RC = 0, SP = 0)
     Packet 2 arrives → Forward! DropQueue: 1; FwQueue: 2.

  21. Clouseau in action (drop 1; forward 2, 3, …; Valid = 0, Spoof = 0)
     Packet 3 arrives → Forward! DropQueue: 1; FwQueue: 2, 3.

  22. Clouseau in action (drop 1; forward 2, 3, …; Valid = 1, Spoof = 0)
     Packet 1 is repeated. DropQueue: 1; FwQueue: 2, 3. Repeating dropped packets increases the valid score.

  23. Clouseau in action (drop 1; forward 2, 3, …; Valid = 1, Spoof = 1)
     Packet 2 is repeated. DropQueue: 1; FwQueue: 2, 3. Repeating forwarded packets increases the spoof score.

  24. Clouseau in action (drop 1; forward 2, 3, …; Valid = 1, Spoof = 1)
     Packet 1 is repeated again. DropQueue: 1; FwQueue: 2, 3. Repeating dropped packets more than once doesn't change the scores.

  25. Clouseau in action (drop 1; forward 2, 3, …; Valid = 1, Spoof = 2)
     Packet 2 is repeated again. DropQueue: 1; FwQueue: 2, 3. Repeating forwarded packets more than once increases the spoof score.

  26. Design decisions
     • DropQueue size = V, FwQueue size = k*S
     • Why a forwarded queue?
       • To stop a packet-repeating attacker
     • Should S > 0?
       • Congestion; sources don't use selective acks
     • Why an inference ban?
       • Inference lets packets through; our goal is to filter
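The inference rules of slide 18, the walk-through of slides 19 to 25 and the queue sizing of slide 26 fit in one small state machine. The following is an added example written for this page, not the authors' Linux kernel implementation: the per-packet "unique ID" is an opaque value supplied by the caller (the real filter would derive it from header fields), the values of N, V, S and k, the fixed drop positions and the packet-count timeout are constructed, and the handling of repeats follows the slides as read here (a retransmitted dropped packet is forwarded and scores one valid point once; a repeated forwarded packet scores a spoof point every time). The timeout models slide 33's remark that random spoofing, which never repeats a packet, is detected on timeout.

```python
"""Clouseau's inference for one incoming-table entry.

Added example, not the authors' Linux kernel implementation. The per-packet
"unique ID" is an opaque value supplied by the caller (the real filter derives
it from header fields); N, V, S, k, the drop positions and the timeout used
in the walk-throughs are constructed. Actions on repeated packets follow the
slides: a retransmitted dropped packet is forwarded and scores one valid
point once; a repeated forwarded packet scores a spoof point every time."""
import random
from collections import deque


class ClouseauInference:
    """State for one source whose packets started arriving on an unexpected
    interface. Decides between a route change and spoofing."""

    def __init__(self, n, v, s, k=2, drop_positions=None, rng=None, timeout=None):
        assert 0 < v < n and s > 0
        self.n, self.v, self.s = n, v, s
        rng = rng or random.Random()
        # Which V of the first N packets are dropped: random in Clouseau, fixed
        # here when the caller passes drop_positions (for reproducibility).
        self.drop_positions = set(rng.sample(range(n), v)
                                  if drop_positions is None else drop_positions)
        self.drop_queue = set()              # DropQueue, size V
        self.fw_queue = deque(maxlen=k * s)  # FwQueue, size k*S (oldest evicted)
        self.seen = 0                        # packets handled during inference
        self.valid = self.spoof = 0
        self.timeout = timeout               # packets to wait before giving up
        self.decision = None                 # None, "route-change" or "spoofing"

    def handle(self, pkt_id):
        """Process one packet on the unexpected interface; return the action."""
        if self.decision is not None:
            # Inference is over and banned for a while: traffic from a detected
            # spoofer is filtered, a confirmed route change updated the table.
            return "drop" if self.decision == "spoofing" else "forward"
        action = "forward"
        if pkt_id in self.drop_queue:
            self.valid += 1                  # retransmission of a dropped packet
            self.drop_queue.discard(pkt_id)  # further repeats change nothing
        elif pkt_id in self.fw_queue:
            self.spoof += 1                  # repeat of a forwarded packet
        elif self.seen < self.n:
            if self.seen in self.drop_positions:
                self.drop_queue.add(pkt_id)
                action = "drop"
            else:
                self.fw_queue.append(pkt_id)
        # after the first N packets everything is let through while we decide
        self.seen += 1
        if self.valid >= self.v:
            self.decision = "route-change"
        elif self.spoof >= self.s or (self.timeout and self.seen >= self.timeout):
            # random spoofing never repeats packets, so it ends on the timeout
            self.decision = "spoofing"
        return action


def run(sequence, **params):
    """Feed packet ids through one inference; return actions and final state."""
    inf = ClouseauInference(**params)
    actions = [inf.handle(pkt) for pkt in sequence]
    return {"actions": actions, "valid": inf.valid, "spoof": inf.spoof,
            "decision": inf.decision}


def walk_through():
    """Slides 19-25 (drop 1; forward 2, 3; repeats 1, 2, 1, 2) with a second
    dropped packet 4 and V=2, so the slides' scores are reached before a
    decision; packet 4's retransmission then confirms a route change."""
    return run([1, 2, 3, 4, 1, 2, 1, 2, 4], n=4, v=2, s=3, drop_positions={0, 3})


def repeating_spoofer():
    """Same setup, but the sender replays forwarded packets until S is hit."""
    return run([1, 2, 3, 4, 2, 2, 3, 5], n=4, v=2, s=3, drop_positions={0, 3})


if __name__ == "__main__":
    print(walk_through())
    print(repeating_spoofer())
```

The walk-through ends with valid = 2 and spoof = 2 and the decision "route-change"; the replaying sender reaches spoof = 3 first and every later packet on that interface is dropped. Removing a dropped packet's ID from DropQueue on its first retransmission is what keeps the valid score from being inflated by resending the same packet, which is the asymmetry slides 24 and 25 point out.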

  27. Performance measures
     • Impact on legitimate traffic
       • Connection delay due to drops and policing
     • Inference delay
       • How long until we discover a route change or attack

  28. Test setting
     • Clouseau implemented in the Linux kernel, tested in Emulab
     • Start 10 parallel TCP connections, change the route in the middle

  29. Traffic delay vs. queue size, pd = V/N = 0.1 (plot)

  30. Inference time vs. queue size, pd = V/N = 0.1 (plot)

  31. Traffic delay vs. pd, N = 100 (plot)

  32. Inference time vs. pd, N = 100 (plot)

  33. Attacks
     • Random spoofing
       • Detected on timeout
     • Repeat each packet n times
       • Best choice: n = 2
       • First packet dropped → gain 1 valid point
       • First packet forwarded → damage is 1 spoof point
       • Larger damage but not larger gain for n > 2
     • Send N packets, then repeat a permutation
       • Attacker knows the values of V, S, k
       • Goal is to trick Clouseau into changing the incoming interface
       • Send N packets, then choose a permutation of these
       • N large enough to guarantee that the queues fill

  34. Permutation attack
     • Good permutations for the attacker:
       • Have V packets from DropQueue before S packets from FwQueue
     • Probability that the attacker manages to cheat us (formula on slide)
     • Probability of cheating decreases exponentially with longer queues

  35. Pspoof vs. queue size and pd (plot)

  36. Cascaded filters
     • Filters downstream will drop packets forwarded by filters upstream
       • This could lead to route changes that are wrongly inferred as spoofing; legitimate traffic dropped!!!
     • We must break filter synchronization
       • Choose a random delay for when to start inference; synchronization still possible
       • Random initial delay, then mark forwarded packets in the TOS or ID field with a well-known mark
       • Filters that spot marked packets delay or interrupt inference, wait for T seconds
       • Maximum wait is set to several minutes, then start inference even if the mark is seen

  37. Remaining design issues
     • Spoofing attacks could still go through if they change the spoofed address frequently
       • We only care if it is part of a DDoS
       • Examine offending packets; if a lot of them have a common destination, detect DDoS → drop all offending traffic to this destination
     • Operating cost
       • Memory cost could be large if all entries go into inference
       • There are ~35K incoming table entries, when aggregated
       • We plan to investigate the use of Bloom filters to bring down the memory cost

  38. Conclusions
     • RBF can drastically reduce spoofing if deployed at the 20-50 largest ASes (60% are top members for at least 3 years)
     • Clouseau builds accurate incoming tables
       • Quickly detects route changes/spoofing
       • Small impact on legitimate connections
       • Robust to attacks

  39. Questions?

  40. Vertex Cover: choose a minimal number of nodes so that all links have at least one node in the VC. NP-complete problem.

  41-43. Vertex Cover heuristic (three animation frames): first choose nodes with leaf neighbors, then choose enough nodes to cover the remaining links.
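The two-step heuristic on the backup slides, as an added example that is not the authors' code. The graphs are constructed; the first step (take the neighbour of every leaf) is the slides' own rule, while the second step's greedy choice of the node sitting on the most still-uncovered links is this example's assumption, since the slides only say "choose enough nodes to cover the remaining links".

```python
"""Vertex-cover heuristic from the backup slides (40-43).

Added example, not the authors' code; the graphs are constructed. A vertex
cover is a node set touching every link; the minimum one is NP-complete to
find, so the talk's heuristic is: first take the neighbour of every leaf, then
add nodes until the remaining links are covered (here: greedily, by number of
still-uncovered links, which is this example's choice for the second step)."""


def vertex_cover(graph):
    """graph: dict node -> neighbours (undirected; a link may be listed on
    either side). Returns a set of nodes touching every link."""
    adj = {}
    for u, vs in graph.items():
        for v in vs:
            adj.setdefault(u, set()).add(v)
            adj.setdefault(v, set()).add(u)
    cover = set()
    # Step 1: a leaf's single link must be covered, and its neighbour covers
    # that link plus possibly others, so prefer the neighbour over the leaf.
    for u, vs in adj.items():
        if len(vs) == 1:
            nb = next(iter(vs))
            if u not in cover and nb not in cover:
                cover.add(nb)
    # Step 2: cover the rest, picking the node on the most uncovered links.
    remaining = {frozenset((u, v)) for u in adj for v in adj[u]
                 if u not in cover and v not in cover}
    while remaining:
        degree = {}
        for link in remaining:
            for node in link:
                degree[node] = degree.get(node, 0) + 1
        best = max(sorted(degree), key=degree.get)   # ties broken by name
        cover.add(best)
        remaining = {link for link in remaining if best not in link}
    return cover


def is_vertex_cover(graph, cover):
    """Check that every link has at least one endpoint in cover."""
    return all(u in cover or v in cover for u in graph for v in graph[u])


# Constructed AS-like graph: stub ASes (A, D, E, G) hanging off transit nodes.
TOPOLOGY = {"A": ["B"], "B": ["C", "D"], "C": ["E", "F"], "F": ["G"]}
# Constructed 4-cycle: no leaves, so only the second step does any work.
RING = {"A": ["B"], "B": ["C"], "C": ["D"], "D": ["A"]}

if __name__ == "__main__":
    for g in (TOPOLOGY, RING):
        vc = vertex_cover(g)
        print(sorted(vc), is_vertex_cover(g, vc))
```

On the constructed topology the leaf step alone yields {B, C, F}, which is also a minimum cover (each of the links A-B, C-E and F-G forces one of its endpoints); on the ring the greedy step picks two opposite nodes. Leaf handling skips a neighbour that is already covered, so an isolated two-node link contributes one node rather than both.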
