261 likes | 660 Views
Controlling IP Spoofing via Inter-Domain Packet Filters. Zhenhai Duan Department of Computer Science Florida State University. c. s. s. d. d. d. IP Spoofing. What is IP spoofing? Act to fake source IP address Used by many DDoS attacks High-profile DDoS attack on root DNS servers
E N D
Controlling IP Spoofing via Inter-Domain Packet Filters Zhenhai Duan Department of Computer Science Florida State University
c s s d d d IP Spoofing • What is IP spoofing? • Act to fake source IP address • Used by many DDoS attacks • High-profile DDoS attack on root DNS servers in early February 2006 • Why it remains popular? • Hard to isolate attack traffic from legitimate one • Hard to pinpoint the true attacker • Many attacks rely on IP spoofing • Man-in-the-middle attacks such as TCP hijacking/DNS poisoning • Reflector-based attacks c d b a s
s s d d Route-Based Packet Filters [PL01] • Based on observation • Attackers can spoof source address, • But they cannot control route packets takes • How it works • Packets only allowed on best path from source to destination • Requirement • Filters need to know global topology info • Not available in path-vector based Internet routing system • Our Objectives • Is it possible to construct packet filters without global topology information? • If it is possible, what is the performance? c d b a s
Internet Routing Architecture • Consists of large number of network domains, • Or Autonomous Systems (ASes) • About 25,000 currently • Three common AS relationships • Provider-customer • Peering • Sibling X Y A B C D E F G
Internet Inter-Domain Routing • Border Gateway Protocol (BGP), a policy-based routing protocol • Import policies • Which route is more preferred • Route selection • Which route should be chosen as the best route • Export policies • To which neighbors should I announce the best route • AS relationship determines routing policies A net effect of routing policies is that they limit the possible paths between each AS pair.
c d b a s Topological Routes vs. Feasible Routes • Topological routes • Loop-free paths between a pair of nodes • Feasible routes • Loop-free paths between a pair of nodes that not violate routing policies Topological routes Feasible routes s a d s b d s a b d s a c d s b a d s b c d s a b c d s a c b d s b a c d s b c a d c d s a d s b d b a s
Assumptions on Import/Export Policies • Import policies • Export policies • These policies commonly used on current Internet
Inter-Domain Packet Filters (IDPF) • Filtering packets based feasible routes • Packets can only travel on feasible routes from s to d • Inferring feasible routes • If u is a feasible upstream neighbor of v for packet M(s, d), node u must have exported to v its best route to reach s.
Constructing IDPF • Node v accepts packet M(s, d) forwarded by node u if and only if • IDPFs allow traffic to go through any feasible route • Correct in that they do not drop valid packets • May affect the performance compared to route-based filtering
Performance • IDPF has two effects • Reducing the number of prefixes that can be spoofed • Localizing the true source of spoofed packets • IDPF finds a set of feasible paths instead of one best route, its performance will not be as good as the ideal route-based packet filters [PL01]
Performance Metrics [PL01] • VictimFraction( ) • Proportion of ASes that if attacked, the attacker can at most spoof ASes. • Effectiveness of IDPFs in protecting ASes against spoofing attacks • VictimFraction(1), immunity to all spoofing attacks • AttackFraction( ) • Proportion of ASes from which attacker can forge addresses of at most ASes. • Effectiveness of IDPFs in limiting spoofing capability of attackers • AttactFracion(1), fraction of Ases from which attacker cannot spoof others’ adress • VictimTraceFraction( ) • Proportion of ASes being attacked that can localize the true origin within ASes. • Effectiveness of IDPFs in reducing traceback efforts • VictimTraceFraction(1), fraction of Ases can trace spoofed traffic to true origin (AS)
Data Sets • 4 AS graphs from the BGP data achieved by the Oregon Route Views Project.
Experimental Settings • Determine the feasible paths based on update logs. • Use shortest path as the route (add if the shortest path is not a feasible path) • Selecting nodes that deploy IDPF • Random (rnd30/rnd50) • Vertex cover • If not mentioned specifically, IDPF nodes also have network ingress filtering.
VictimFraction (G2004c) • Effectiveness of IDPFs in protecting ASes from spoofing attacks • VictimFraction(1) is zero unless all nodes support IDPFs • It is very hard to protect ASes from all spoofing attacks
AttackFraction (G2004c) • Effectiveness of IDPFs in limiting spoofing capability of attackers • AttackFraction(1) = 80.8%, 59.2%, and 36.2%, respectively • IDPFs very effective in limiting spoofing capability
VictimTraceFraction (G2004c ) • Effectiveness of IDPFs in reducing traceback effort • VictimTraceFraction(28) = 1, all ASes can localize attackers to at most 28 ASes for VC IDPF placement 28
Filtering with Precise Routing Info vs BGP 7 28 G2004c, VC
IDPFs with/without Network Ingress Filtering 87 28 G2004c, VC
Related Work • Route-Based Packet Filters [SIGCOMM01] • Unicast reverse packet forwarding [RFC1812] • Unicast reverse packet forwarding loose mode [CISCO] • Hop-Count Filtering [CCS03] • Path Identification/StackPi [SSP03]/[JSAC06] • Source Address Validation Enforcement (SAVE) [INFOCOM02] • Spoofing Prevention Method [INFOCOM05] • Network Ingress Filtering [RFC2267] • Gogon Route Server Project [Cymru]
Summary • We proposed an Inter-Domain Packet Filters architecture (IDPF) and studied it performance. • IDPF can effectively limit the spoofing capability of attackers even when partially deployed and improves the accuracy of IP traceback. • Moreover performance studies in • “Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates”, INFOCOM 2006 • And its TR version
Routing Policy Complications • Some ASes do not follow the import/export policies assumed in IDPFs • Requiring restricted traffic forwarding to work with IDPFs
Impact of Routing Dynamics • IDPFs works well with dynamics caused by network failure events • IDPFs may drop valid packets during routing dynamics caused by new network announcement (or recovery from fail-down network event), IDPFs may also fail to detect spoofed packets • However, reachability information propagated much faster than failure information