Dude, where’s that IP? Circumventing measurement-based IP geolocation
Paper Presentation
CAP6135: Malware and Software Vulnerability Analysis – Spring 2013
Omar Nakhila

Citation and acknowledgement
• Gill, Phillipa, Yashar Ganjali, and Bernard Wong. "Dude, Where’s That IP? Circumventing Measurement-based IP Geolocation." 19th USENIX Security Symposium, Washington DC, August 11-13, 2010.
• http://en.wikipedia.org/wiki/Speed_of_electricity

Presentation Agenda
• What is IP geolocation?
• Why IP geolocation?
• IP geolocation classification and attacks.
• Paper contribution.
• Paper weakness.
• Paper improvement.
• Questions and answers.

What is IP geolocation?
• IP geolocation aims to solve the problem of determining the geographic location of a given IP address.

Why IP geolocation?
• Online advertisers and search engines advertise their content based on the client’s location.
• Online content providers (Hulu, YouTube, etc.) limit their content distribution to specific geographic regions.
• Law enforcement.

IP geolocation classification
• Passive IP geolocation.
  • Uses geolocation databases such as:
    • MaxMind.
    • Quova.
• Active IP geolocation.
  • Delay-based.
    • Constraint-Based Geolocation (CBG).
  • Topology-aware.
    • Octant.
  • Other.

Delay-based IP geolocation
• Constraint-Based Geolocation (CBG)
[Figure: Landmarks A, B and C ping each other and the target (user IP location). Labels: D_AB = x1, D_AC = x2, x3, y3, best line function.]

Delay-based IP geolocation attack
• Constraint-Based Geolocation (CBG)
  • Speed of light attack.
    • Delay time = Distance / Speed
    • The speed of electricity in an unshielded copper conductor ranges from 95 to 97% of the speed of light, while in a typical coaxial cable it is about 66% of the speed of light.
  • Best line attack.
    • The attacker has access to the landmarks' best line function!

Delay-based IP geolocation attack
[Figure: Landmarks A, B and C ping the target. Labels: user IP location (real location), user IP location (desired fake location), user IP location (fake location), ϵ error, ϴ error, x3, y3.]

Delay-based IP geolocation attack results
[Figure: results for the speed of light (SOL) attack and the best line function attack.]

Topology-aware IP geolocation
• Octant
[Figure: Landmarks A, B and C locate the target (user IP location) using tracert and ping.]

Topology-aware IP geolocation
• Octant single gateway
[Figure: Landmarks A, B and C locate the target (user IP location) using tracert and ping. Label: delay of the last route.]

Topology-aware IP geolocation
• Octant single gateway based attack
[Figure: Landmarks A, B and C, target (user IP location), using tracert and ping.]

Topology-aware IP geolocation
• Octant multi-gateway based.
[Figure: Landmarks A, B and C locate the target (user IP location) using tracert and ping. Label on each of the three paths: delay of the last route.]

Topology-aware IP geolocation attack
• Octant multi-gateway based attack.
[Figure: Landmarks A, B and C, using tracert and ping. Labels: user IP location (target), user IP location (fake location).]

Topology-aware IP geolocation attack
• Naming attack: can affect both single- and multi-gateway topology-aware geolocation.
• The attack is based on the undns tool.
  • Each router will have a DNS domain name.
  • The undns tool maps a router's DNS domain name to a city.
• This naming attack requires that the attacker be capable of crafting a domain name that can deceive the undns tool.

Topology-aware IP geolocation
• Octant naming attack.
[Figure: Landmarks A, B and C, using tracert and ping. Labels: user IP location (target), fake router location, domain name belongs to Nevada.]

Topology-aware IP geolocation attack simulation
[Figure legend: fake location, fake router, gateways.]
• 4 gateway routers (black)
• 11 forged locations (T) (white)
• 14 non-existent internal routers (F) (red)
• 80 targets (50 North American and 30 European)

Paper Contribution
• The paper surveyed current IP geolocation algorithms such as CBG and Octant, which have accuracies of 35-194 km, making them suitable for geolocation within a country.
• The paper also illustrated how these IP geolocation algorithms can be vulnerable.
• The paper then proposed that a delay-based attack can be detected by setting a threshold on the size of the localization region.

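An added example (not from the paper or from this presentation) of the region-size check described above, applied to CBG-style distance constraints. It assumes planar landmark coordinates, a propagation speed of 2/3 the speed of light in place of each landmark's best line function, and an illustrative 200,000 km² threshold; all names and RTT values are constructed.

```python
import math

# Assumption: probes propagate at about 2/3 of the speed of light (km per ms).
SPEED_KM_PER_MS = 299.792458 * 2 / 3
# Assumption: illustrative cut-off for the localization region, not from the paper.
MAX_REGION_KM2 = 200_000.0

def rtt_to_radius_km(rtt_ms):
    """Delay time = Distance / Speed, so half the RTT bounds the distance."""
    return (rtt_ms / 2.0) * SPEED_KM_PER_MS

def feasible_region(landmarks, rtts_ms, step_km=25.0, extent_km=3000.0):
    """Grid-sample the intersection of the per-landmark distance discs.

    Returns (area_km2, centroid); centroid is None when the discs do not overlap.
    """
    radii = [rtt_to_radius_km(r) for r in rtts_ms]
    n = int(extent_km / step_km)
    count, sx, sy = 0, 0.0, 0.0
    for i in range(-n, n + 1):
        for j in range(-n, n + 1):
            x, y = i * step_km, j * step_km
            if all(math.hypot(x - lx, y - ly) <= r
                   for (lx, ly), r in zip(landmarks, radii)):
                count += 1
                sx += x
                sy += y
    if count == 0:
        return 0.0, None
    return count * step_km ** 2, (sx / count, sy / count)

def region_is_suspicious(area_km2, max_area_km2=MAX_REGION_KM2):
    """Flag an oversized region, or an empty one (contradictory constraints)."""
    return area_km2 == 0.0 or area_km2 > max_area_km2

# Constructed sample data: planar coordinates in km, RTTs in ms.
LANDMARKS = [(0.0, 0.0), (1000.0, 0.0), (500.0, 900.0)]
HONEST_RTTS = [7.0, 7.0, 7.2]        # target near (500, 300)
INFLATED_RTTS = [17.0, 17.0, 17.2]   # same target, 10 ms added to every probe

if __name__ == "__main__":
    for label, rtts in (("honest", HONEST_RTTS), ("inflated", INFLATED_RTTS)):
        area, centroid = feasible_region(LANDMARKS, rtts)
        print(label, round(area), centroid, region_is_suspicious(area))
```

The honest measurements give a small region centred near the target, while the inflated ones give a region of millions of km² that the threshold flags.
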
Paper Weakness
• The paper didn’t explain the complexity of gaining access to the best line function.
• The paper also didn’t explain the complexity of manipulating the undns tool.
• Lack of an efficient detection method to catch the undns topology-aware IP geolocation attack.
• The scientific reasoning for the PlanetLab landmark distribution in relation to IP geolocation was not clear.
• Using ping and traceroute to measure the delay time and route information is not recommended, since administrators tend to drop these types of packets.

Paper Improvement
• Study the impact of landmark distribution on both attacks.
• Study the effect of using reliable protocols to limit both attacks.
