1 / 29

University of Central Florida CAP 6135: Malware and Software Vulnerability Spring 2012

University of Central Florida CAP 6135: Malware and Software Vulnerability Spring 2012. Paper Presentation Dude, where’s that IP? Circumventing measurement-based IP geolocation Phillipa Gill, Yashar Ganjali, Bernard Wong, and David Lie. Presenter Ahmad Alzahrani. Information about the Paper:.

misha
Download Presentation

University of Central Florida CAP 6135: Malware and Software Vulnerability Spring 2012

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. University of Central FloridaCAP 6135: Malware and Software VulnerabilitySpring 2012 Paper Presentation Dude, where’s that IP? Circumventing measurement-based IP geolocation Phillipa Gill, Yashar Ganjali, Bernard Wong, and David Lie Presenter Ahmad Alzahrani

  2. Information about the Paper: Authors: Phillipa Gill and Yashar Ganjali Dept. of Computer Science, University of Toronto David Lie Dept. of Electrical and Computer Engineering, University of Toronto Bernard Wong Dept. of Computer Science, Cornell University Presented at the 19th USENIX Security Symposium, on August 12, 2010 in San Jose, CA during the Internet Securitysession.

  3. Background • What is IP Geolocation?

  4. Introduction Applications benefit from IP Geolocation • Online advertising • Search engines • Restrict access to online content • Multimedia • Fraud Preventions • Geolocation to locate VMs hosted by cloud provider

  5. Motivation Who has incentive to circumvent IP geolocation? Web clients: • Gain access to content • Online payment fraud Cloud service • Location-based SLAs - cloud providers.

  6. Paper Contributions • Evaluation of two attacks. • First to study measurement-based geolocation of an adversary • Studied two models of adversarial geolocation targets (end host & WAN)

  7. Background

  8. Measurement-based geolocation Delay-based geolocation (e.g. Constraint-based geolocation Gueye et al. ) Ping! Ping! Ping! courtesy Phillipa

  9. Measurement-based geolocation Delay-based geolocation (e.g. Constraint-based geolocation Gueye et al. ) Ping! Ping! Ping! Ping! courtesy Phillipa

  10. 12 courtesy Phillipa

  11. Topology-aware geolocation • Assume no direct path to target. • Locate also hops on the way. • Takes into account circuitous network paths. Ping! Ping! courtesy Phillipa

  12. Measurement-based geolocation • Delay-based: • Constraint-based geolocation (CBG) [Gueye et al] • Accuracy: ~ 78-182 km • Topology-aware: • Octant [Wong et al.] • Delay between hops on path is considered • Locate nodes along the path • Median accuracy: ~ 35-40 km

  13. Two Attacks have been studied:(1) Delay-adding attack Increase delay by time to travel the difference Challenge: how to map distance to delay? - - Access to the map function. L1 L2 L3 Forged location

  14. Two Attacks have been studied:(2) Hop-adding attack Landmark 1 Target Landmark 2

  15. Two Attacks have been studied:(2) Hop-adding attack Multiple network entry points Internal router (each connected to 3) Forged location courtesy Phillipa

  16. Evaluation • Are the attacks effective? • What is the accuracy achieved by the attacker to mislead geolocation. • Can the attacks be detected? Experiment1 (Delay-adding Attack) • Collected measurements inputs using 50 PlanetLab nodes. • Each node of the 50 takes turn as target. • Each target moved to 50 forgedlocations.

  17. Delay-adding Attack - Simulation Setup

  18. Delay-adding attack (Detectability?)

  19. Delay-adding attack (How accurate?) 700 M/KM NYC-SFO 22

  20. Hop-Adding Attack - Simulation Setup -Targets : 80 nodes (50 in US and 30 in EU) -Forget Locations : 11 inside above WAN (4 Gateways, 15 Internal Routers)

  21. Hop-adding attack (Detectability?)

  22. Hop-adding attack (How accurate?) Best-case(delay adding attack) Hop adding attack 25

  23. Recap 1 – Detectable using region size, accuracy depends on distance to forged location. 2 – High Accuracy and difficult to detect.

  24. Conclusion • Measurement-Based Geolocation algorithms are susceptible to delay-based and topology measurements. • Two models of adversaries have been considered. • Two attacks have been developed and evaluated. • The more advanced and accurate algorithm is more susceptible to tampering

  25. Possible Extensions • Develop secure measurement protocol to reduce ability of attackers to change measurements . • Provide real-world results of the proposed attacks to study the effect of network congestion state on accuracy.

  26. Qs & As

More Related