
IP Spoofing Defense



Presentation Transcript


  1. IP Spoofing Defense
  On the State of IP Spoofing Defense, Toby Ehrenkranz and Jun Li, University of Oregon

  2. Outline
  IP spoofing: impersonation, reflection, hiding
  IP spoofing defense:
  • Host-based defense methods: cryptographic solutions, SYN cookies, IP puzzles
  • Router-based defense methods: ingress/egress filtering, Distributed Packet Filtering (DPF), Source Address Validity Enforcement (SAVE)
  • Hybrid defenses: Pi
  References

  3. Introduction
  IP spoofing: creating IP packets whose source address differs from the address assigned to the sending host.
  Malicious uses of IP spoofing:
  • Impersonation: session hijack or reset
  • Hiding: flood attack
  • Reflection: IP reflected attack

  4. Impersonation: session hijack or reset
  The attacker sends an IP-spoofed packet with Src: Partner, Dst: Victim. The victim assumes its partner sent the packet and starts responding to it (Src: Victim, Dst: Partner), so the attacker's forged packets can hijack or reset the session even though the attacker never sees the victim's replies.

  5. Hiding: flood attack
  The attacker floods the victim with packets whose source address is random (Src: Random, Dst: Victim), so the flood cannot be traced back to the attacker.

  6. Reflection
  Examples: Smurf attacks, DNS amplification attacks.
  The attacker sends an IP-spoofed packet (for example a DNS query) with Src: Victim, Dst: Reflector. The reflector answers the forged source address (Src: Reflector, Dst: Victim), so the victim receives a lot of replies it never requested; with DNS amplification each reply is much larger than the query that triggered it.

  7. IP Reflected Attacks (figure)

  8. DNS Amplification Attack (figure)

  9. IP Spoofing Defense: three classes of solutions
  • Host-based solutions: no change to the network infrastructure is needed and they are easy to deploy, but they react too late, after the spoofed packets have already reached the host.
  • Router-based solutions: deployed in the core or at the edge; the most effective, but harder to deploy.
  • Hybrid solutions: routers and hosts cooperate.

  10. Host-based solutions: cryptographic solutions
  The two hosts perform a handshake to set up shared secret keys, after which the communication between them can be encrypted and authenticated. An attacker cannot create a connection with spoofed packets because the handshake fails: the replies go to the spoofed address, so the attacker never completes the key setup.
  While IPsec is effective in many cases, it has drawbacks: it is not feasible to require all hosts to connect through IPsec, and the cost of encryption (time) reduces performance.

  11. SYN cookies
  Some servers use SYN cookies to avoid opening connections to spoofed source addresses: the server allocates no resources until the 3-way handshake is complete.
  How it works: the server answers the SYN with a SYN+ACK whose initial sequence number is a cookie V, computed from the connection's addresses and ports, a server secret and a coarse timestamp. When the client's final ACK arrives, the server checks its acknowledgement number: if it equals V + 1, the cookie is valid and only then is the connection created. A spoofer never receives the SYN+ACK, so it cannot produce the right value.
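The exchange described on the slide, worked through as an added example (not code from the slides or the paper): the server keeps no per-SYN state, the cookie it sends as its ISN packs a 5-bit minute counter, a 2-bit MSS index and a 25-bit keyed hash of the 4-tuple, and the final ACK is validated by recomputing that value. The secret, the MSS table, the addresses and the timestamps are all constructed for the demo; a real stack rotates the secret and uses its own bit layout.

```python
"""Simplified SYN cookie: the server keeps no per-SYN state; the cookie it
sends as its ISN can be recomputed and checked when the final ACK arrives."""
import hashlib
import hmac
import time

# Constructed demo secret; a real implementation rotates it periodically.
SECRET = b"constructed-demo-secret-do-not-reuse"
MSS_TABLE = (536, 1220, 1460, 4312)  # 2-bit index into a fixed MSS table
MAX_COOKIE_AGE = 1                   # accept this minute counter or the previous one

def _keyed_hash(saddr, sport, daddr, dport, count):
    """25-bit keyed hash over the 4-tuple and the minute counter."""
    msg = f"{saddr}:{sport}->{daddr}:{dport}@{count}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x01FFFFFF

def make_cookie(saddr, sport, daddr, dport, client_isn, mss, now=None):
    """Return the server ISN to put in the SYN+ACK. Layout of the 32-bit value
    added to the client's ISN: 5-bit minute counter | 2-bit MSS index |
    25-bit keyed hash. Nothing is stored for this half-open connection."""
    now = time.time() if now is None else now
    count = int(now // 60) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    value = (count << 27) | (mss_idx << 25) | _keyed_hash(saddr, sport, daddr, dport, count)
    return (client_isn + value) & 0xFFFFFFFF

def check_cookie(saddr, sport, daddr, dport, ack_seq, ack_ack, now=None):
    """Validate the handshake's final ACK. Returns the negotiated MSS if the
    acknowledgement number is cookie + 1 for a fresh cookie, else None."""
    now = time.time() if now is None else now
    client_isn = (ack_seq - 1) & 0xFFFFFFFF   # final ACK carries seq = client ISN + 1
    cookie = (ack_ack - 1) & 0xFFFFFFFF       # ... and ack = server ISN (the cookie) + 1
    value = (cookie - client_isn) & 0xFFFFFFFF
    count, mss_idx, h = value >> 27, (value >> 25) & 0x3, value & 0x01FFFFFF
    now_count = int(now // 60) & 0x1F
    if (now_count - count) & 0x1F > MAX_COOKIE_AGE:
        return None                           # stale cookie or garbage counter
    if h != _keyed_hash(saddr, sport, daddr, dport, count):
        return None                           # not our cookie for this 4-tuple
    return MSS_TABLE[mss_idx]

def demo(now=1_700_000_000.0):
    """Constructed exchange: client 198.51.100.7:40000 -> server 203.0.113.10:443."""
    s, sp, d, dp = "198.51.100.7", 40000, "203.0.113.10", 443
    client_isn = 0x12345678
    cookie = make_cookie(s, sp, d, dp, client_isn, 1460, now=now)
    return {
        # Real client saw the SYN+ACK and acknowledges cookie + 1; MSS comes back out of the cookie.
        "legit": check_cookie(s, sp, d, dp, client_isn + 1, cookie + 1, now=now + 30),
        # A spoofer never saw the SYN+ACK, so it can only guess the ack number.
        "guess": check_cookie(s, sp, d, dp, client_isn + 1, 0xDEADBEEF, now=now + 30),
        # Right ack number, wrong 4-tuple: the cookie was never issued for it.
        "wrong_port": check_cookie(s, sp + 1, d, dp, client_isn + 1, cookie + 1, now=now + 30),
        # Right ack number replayed ten minutes later: the minute counter is stale.
        "stale": check_cookie(s, sp, d, dp, client_isn + 1, cookie + 1, now=now + 600),
    }

if __name__ == "__main__":
    print(demo())
```

The cost of this scheme is visible in the layout: everything the server would normally remember about the half-open connection (here only the MSS) has to fit into the bits of the ISN, which is why TCP options that cannot be encoded are lost on cookie-validated connections.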

  12. IP puzzles
  The server sends an IP puzzle to the client; the client solves it by performing some computational work and returns the solution. The server allows the connection only after it receives a correct solution. Because the puzzle is sent to the address listed as the packet's source, a spoofing attacker never receives it and cannot answer; only the host that really owns the listed address can.
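An added example of the puzzle mechanism, written for this page rather than taken from the slides or the paper: the challenge is an HMAC of the claimed source address, the service and a time window, so the server stays stateless and sends it to the claimed source; the client must find a nonce giving a SHA-256 with a fixed number of leading zero bits. The secret, difficulty, window length and addresses are constructed assumptions.

```python
"""Stateless client puzzle bound to the claimed source address. The server sends
the challenge to the packet's source address; a spoofer never receives it and,
without the server secret, cannot reconstruct it either."""
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-demo-puzzle-secret"  # assumption: rotated in practice
DIFFICULTY_BITS = 18      # leading zero bits required; about 2^18 hashes to solve
WINDOW = 60               # seconds a challenge stays valid

def _challenge(src_ip, dst_ip, dst_port, window_id):
    """Challenge derived from the claimed source, the service and a time window,
    so the server need not remember which puzzle it issued to whom."""
    msg = f"{src_ip}->{dst_ip}:{dst_port}@{window_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:16]

def _solves(challenge, nonce, bits):
    """True if sha256(challenge || nonce) starts with `bits` zero bits."""
    h = int.from_bytes(hashlib.sha256(challenge + nonce).digest(), "big")
    return h >> (256 - bits) == 0

def issue_puzzle(src_ip, dst_ip, dst_port, now=None):
    """Server side: the (challenge, difficulty) pair sent back to src_ip."""
    now = time.time() if now is None else now
    return _challenge(src_ip, dst_ip, dst_port, int(now // WINDOW)), DIFFICULTY_BITS

def solve_puzzle(challenge, bits):
    """Client side: brute-force an 8-byte nonce. Solving costs about 2^bits
    hashes; checking a solution costs one."""
    nonce = 0
    while True:
        nb = nonce.to_bytes(8, "big")
        if _solves(challenge, nb, bits):
            return nb
        nonce += 1

def verify_solution(src_ip, dst_ip, dst_port, nonce, now=None):
    """Server side, stateless: recompute the challenge for the claimed source in
    the current or previous window and check the nonce against it."""
    now = time.time() if now is None else now
    wid = int(now // WINDOW)
    return any(_solves(_challenge(src_ip, dst_ip, dst_port, w), nonce, DIFFICULTY_BITS)
               for w in (wid, wid - 1))

def demo(now=1_700_000_000.0):
    """Constructed scenario: 198.51.100.7 really connects to 192.0.2.10:443, and a
    spoofer elsewhere sends SYNs claiming to be 198.51.100.7."""
    real, server, port = "198.51.100.7", "192.0.2.10", 443
    challenge, bits = issue_puzzle(real, server, port, now=now)  # delivered to 198.51.100.7
    nonce = solve_puzzle(challenge, bits)                         # work done by the real client
    return {
        "real_client": verify_solution(real, server, port, nonce, now=now + 5),
        # The spoofer never received the challenge (it went to 198.51.100.7), so all it
        # can do is send a made-up nonce with the forged source.
        "spoofer_guess": verify_solution(real, server, port, b"\x00" * 7 + b"\x2a", now=now + 5),
        # The real client's solution also dies with its time window.
        "expired": verify_solution(real, server, port, nonce, now=now + 3 * WINDOW),
    }

if __name__ == "__main__":
    print(demo())
```

One caveat the slide does not cover: because verification is stateless, an eavesdropper on the real client's path could replay a sniffed solution within the same window; a deployment that cares about that keeps a short-lived set of used nonces per source.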

  13. Router-based defense methods
  Most host-based methods can also be used in routers; IPsec and IP puzzles have both been deployed in routers.

  14. Ingress/egress filtering
  Filtering packets before they enter the local network is ingress filtering; filtering them before they leave it is egress filtering. The key is knowing which source addresses to expect on a particular port, and in networks with complicated topologies that knowledge is not easy to obtain. Reverse path filtering (RPF) can help to build it: a router already knows which networks are reachable through each of its interfaces, because that is its routing table, so a packet whose source address would be routed out of a different interface than the one it arrived on is treated as spoofed.

  15. Ingress/egress filtering: drawbacks
  • Hard to deploy, and with less than 100% deployment ingress/egress filtering (IEF) is ineffective, since spoofed packets from the unfiltered networks still get through.
  • It cannot stop local spoofing: a host can still forge any address inside its own network's expected prefix.
  • RPF may drop legitimate packets: when routing is asymmetric, the best route back to the source need not use the interface the packet arrived on.

  16. Distributed Packet Filtering (DPF)
  Routers throughout the network keep track of the direction from which a packet with a given source address should arrive, that is, which interface should receive packets carrying that source address. A router detects a spoofed packet when it arrives on a different interface. This limits the number of addresses an attacker can use.

  17. Source Address Validity Enforcement (SAVE)
  SAVE filters packets based on their incoming direction. Every router maintains and updates its own incoming table, learned from updates that each source network propagates along the actual forwarding paths. SAVE assumes that all routers deploy it, which is not feasible.
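The three router-side checks from slides 14 to 17 side by side, as an added simulation that is not part of the slides or the paper: a small router model with a forwarding table, strict and loose unicast RPF derived from that table, and a SAVE-style incoming table filled by carrying an update along the real forwarding path. The four-router topology, the convention that an interface is named after the neighbour it leads to, and the choice to drop sources with no incoming-table entry are constructed assumptions; the point is that the legitimate packet is dropped by strict RPF under asymmetric routing while the incoming table accepts it and rejects the spoofed one.

```python
"""Route-based source validation at a router: unicast RPF derived from the local
routing table versus a SAVE-style incoming table built from updates that travel
the actual forwarding path."""
import ipaddress
from collections import defaultdict

IPN, IPA = ipaddress.ip_network, ipaddress.ip_address

class Router:
    def __init__(self, name, fib):
        self.name = name
        # Forwarding table as (prefix, next hop). Interfaces are named after the
        # neighbour they lead to; "local" means the prefix is directly attached.
        self.fib = [(IPN(p), nh) for p, nh in fib]
        # SAVE-style incoming table: source prefix -> interfaces it may arrive on.
        self.incoming = defaultdict(set)

    def next_hop(self, addr):
        """Longest-prefix match; None when the address is unrouted."""
        best = None
        for net, nh in self.fib:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def urpf(self, src, in_iface, mode="strict"):
        """Unicast RPF. strict: the best route back to src must leave via in_iface.
        loose: any route to src is enough (catches only unrouted sources)."""
        nh = self.next_hop(IPA(src))
        return nh is not None if mode == "loose" else nh == in_iface

    def save_valid(self, src, in_iface):
        """Accept only if the most specific incoming-table entry covering src
        lists in_iface. Assumption: a source with no entry is dropped."""
        addr = IPA(src)
        matches = [p for p in self.incoming if addr in p]
        if not matches:
            return False
        return in_iface in self.incoming[max(matches, key=lambda p: p.prefixlen)]

def save_update(routers, origin, src_prefix, dst):
    """Carry a SAVE update for src_prefix from its origin router along the forwarding
    path toward dst; each router on the path records the interface it arrived on."""
    prefix = IPN(src_prefix)
    routers[origin].incoming[prefix].add("local")
    cur = routers[origin]
    while True:
        nh = cur.next_hop(IPA(dst))
        if nh is None or nh == "local":
            return
        routers[nh].incoming[prefix].add(cur.name)   # arrived on the interface facing cur
        cur = routers[nh]

def build_topology():
    """Constructed four-router topology: A originates 10.1.0.0/16 and forwards to
    D's 10.4.0.0/16 via B, but D's route back to 10.1.0.0/16 points at C."""
    routers = {
        "A": Router("A", [("10.1.0.0/16", "local"), ("10.4.0.0/16", "B")]),
        "B": Router("B", [("10.1.0.0/16", "A"), ("10.4.0.0/16", "D")]),
        "C": Router("C", [("10.1.0.0/16", "A"), ("10.4.0.0/16", "D")]),
        "D": Router("D", [("10.1.0.0/16", "C"), ("10.4.0.0/16", "local")]),
    }
    save_update(routers, "A", "10.1.0.0/16", "10.4.0.1")
    return routers

def evaluate():
    """Checks at D for a genuine packet, a spoofed one injected on the side strict
    RPF expects, and a spoofed one with an unrouted source."""
    d = build_topology()["D"]
    legit = ("10.1.0.5", "B")       # real packet from A's network, arrives via A->B->D
    spoof = ("10.1.0.5", "C")       # forged source, injected from C's side
    bogon = ("192.0.2.9", "C")      # forged source with no route at all
    return {
        "urpf_strict_legit": d.urpf(*legit),                # asymmetric route: false positive
        "urpf_loose_legit": d.urpf(*legit, mode="loose"),
        "save_legit": d.save_valid(*legit),
        "urpf_strict_spoof": d.urpf(*spoof),                # strict RPF is fooled here
        "save_spoof": d.save_valid(*spoof),
        "urpf_loose_bogon": d.urpf(*bogon, mode="loose"),
        "save_bogon": d.save_valid(*bogon),
    }

if __name__ == "__main__":
    for check, verdict in evaluate().items():
        print(f"{check:20s} {'accept' if verdict else 'drop'}")
```

The same strict/loose distinction exists in real routers (on Linux it is the rp_filter sysctl: 1 strict, 2 loose), and the false positive under asymmetric routing is the reason many operators run loose mode on transit links; the incoming table avoids that, but only because every router on the path participated in building it, which is the deployment assumption slide 17 calls infeasible.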

  18. Hybrid defenses
  Hybrid defenses use both routers and hosts: routers mark packets as they travel, and the hosts use the marks to take action.

  19. Path identifier (Pi)
  The path identifier (Pi) was originally designed to defend against DoS attacks, but it also provides an IP spoofing defense. Pi uses the IP fragmentation (identification) field to identify the path a packet has traveled: the field is marked along the path, with each router setting bits of it, so when the packet reaches its destination the field carries a marking that is almost unique to the path. The end host does not know which path a packet traveled, but if multiple packets have the same marking bits set, it is highly likely that they traveled the same path. Packets with the same source address but a different marking can therefore be filtered.
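An added simulation of the marking and filtering the slide describes, written for this page and not taken from the slides or the Pi paper. Each router writes a 2-bit value, derived from a hash of the link it received the packet on, into the slot of the 16-bit identification field selected by the packet's TTL, and the victim remembers the mark seen with a source during an exchange it trusts and drops later packets that claim the same source with a different mark. The 2-bit mark width, the TTL-based slot choice, an initial TTL of 64, the reservation of 0 for "never marked", the router names and the paths are all constructed assumptions of this simulation.

```python
"""Simplified Pi path marking and end-host filtering."""
import hashlib

MARK_BITS = 2                 # bits each router writes
SLOTS = 16 // MARK_BITS       # slots in the 16-bit IP identification field
SLOT_MASK = (1 << MARK_BITS) - 1

def _router_mark(router, prev_hop):
    """Per-link mark: hash of (previous hop, router) reduced to MARK_BITS bits.
    Assumption of this simulation: 0 is reserved to mean 'slot never marked',
    so a router always writes a value in 1..3."""
    h = hashlib.sha256(f"{prev_hop}->{router}".encode()).digest()
    return 1 + h[0] % SLOT_MASK

def mark_path(path, ttl=64):
    """Simulate a packet with initial TTL `ttl` traversing `path` (router names in
    order). Each router decrements the TTL, picks slot TTL mod SLOTS and overwrites
    that slot with its mark; the final field value is the packet's Pi mark."""
    ident, prev = 0, "host"
    for router in path:
        ttl -= 1
        shift = (ttl % SLOTS) * MARK_BITS
        ident = (ident & ~(SLOT_MASK << shift)) | (_router_mark(router, prev) << shift)
        prev = router
    return ident & 0xFFFF

class PiFilter:
    """Victim side: remember the mark seen with each source during an exchange known
    to be genuine (assumption: e.g. one that completed a handshake), then drop
    packets that claim that source but carry a different mark."""
    def __init__(self):
        self.known = {}

    def learn(self, src, mark):
        self.known[src] = mark

    def accept(self, src, mark):
        expected = self.known.get(src)
        return expected is None or expected == mark

def demo():
    """Constructed scenario: the real owner of 10.1.0.5 sits four hops away behind
    R1; an attacker three hops away behind R9 forges 10.1.0.5 as its source."""
    victim = PiFilter()
    legit_path = ["R1", "R2", "R3", "R4"]
    attacker_path = ["R9", "R8", "R4"]          # shares only the last hop with the real path
    legit_mark = mark_path(legit_path)
    victim.learn("10.1.0.5", legit_mark)        # learned from genuine traffic
    spoof_mark = mark_path(attacker_path)       # the attacker controls the source field, not the routers
    return {
        "legit_accepted": victim.accept("10.1.0.5", mark_path(legit_path)),
        "spoof_dropped": not victim.accept("10.1.0.5", spoof_mark),
        "marks_differ": legit_mark != spoof_mark,
    }

if __name__ == "__main__":
    print(demo())
```

Two things the simulation makes visible: the mark is only as stable as the path, so a route change on the legitimate side looks like spoofing until the victim relearns, and slots that no router on the path overwrites keep whatever the sender put there, which is why the real scheme's marking rules matter for packets that travel few hops.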

  20. Thank you. If you have any questions, please email amjhb@hotmail.com

  21. References
  • T. Ehrenkranz and J. Li. On the state of IP spoofing defense. ACM Transactions on Internet Technology (TOIT), 9(2):6:1–6:??, May 2009.
  • http://www.wikipedia.org/
  • Network security class
