Controlling IP Spoofing via Inter-Domain Packet Filters

Controlling IP Spoofing via Inter-Domain Packet Filters
Zhenhai Duan
Department of Computer Science
Florida State University
IP Spoofing
• What is IP spoofing?
– The act of faking the source IP address of a packet
– Used by many DDoS attacks
[Figure: example topology with nodes s, a, b, c, d]
• High-profile DDoS attack on root DNS servers in early February 2006
• Why does it remain popular?
– Hard to isolate attack traffic from legitimate traffic
– Hard to pinpoint the true attacker
– Many attacks rely on IP spoofing
• Man-in-the-middle attacks such as TCP hijacking/DNS poisoning
• Reflector-based attacks
Route-Based Packet Filters [PL01]
• Based on the observation that
– Attackers can spoof the source address,
– But they cannot control the route packets take
[Figure: example topology with nodes s, a, b, c, d]
• How it works
– Packets are only allowed on the best path from source to destination
• Requirement
– Filters need to know global topology information
– Not available in the path-vector based Internet routing system
• Our Objectives
– Is it possible to construct packet filters without global topology information?
– If it is possible, what is the performance?
Internet Routing Architecture
• Consists of a large number of network domains,
– Or Autonomous Systems (ASes)
– About 25,000 currently
• Three common AS relationships
– Provider-customer
– Peering
– Sibling
[Figure: example AS graph with nodes X, Y, A, B, C, D, E, F, G]
Internet Inter-Domain Routing
• Border Gateway Protocol (BGP), a policy-based routing protocol
– Import policies
• Which route is more preferred
– Route selection
• Which route should be chosen as the best route
– Export policies
• To which neighbors should I announce the best route
• AS relationship determines routing policies
A net effect of routing policies is that they limit the possible paths between each AS pair.
Topological Routes vs. Feasible Routes
• Topological routes
– Loop-free paths between a pair of nodes
• Feasible routes
– Loop-free paths between a pair of nodes that do not violate routing policies
[Figure: example topology with nodes s, a, b, c, d]
Topological routes from s to d: sad, sbd, sabd, sacd, sbad, sbcd, sabcd, sacbd, sbacd, sbcad
Feasible routes from s to d: sad, sbd
Assumptions on Import/Export Policies
• Import policies
• Export policies
• These policies are commonly used in the current Internet
Inter-Domain Packet Filters (IDPF)
• Filtering packets based on feasible routes
– Packets can only travel on feasible routes from s to d
• Inferring feasible routes
– If u is a feasible upstream neighbor of v for packet M(s, d), node u must have exported to v its best route to reach s.
Constructing IDPF
• Node v accepts packet M(s, d) forwarded by node u if and only if
• IDPFs allow traffic to go through any feasible route
– Correct in that they do not drop valid packets
– May affect the performance compared to route-based filtering
Performance
• IDPF has two effects
– Reducing the number of prefixes that can be spoofed
– Localizing the true source of spoofed packets
• Because IDPF admits a set of feasible paths instead of one best route, its performance will not be as good as that of the ideal route-based packet filters [PL01]
Performance Metrics [PL01]
• VictimFraction( )
– Proportion of ASes that, if attacked, the attacker can at most spoof
– Effectiveness of IDPFs in protecting ASes against spoofing attacks
– VictimFraction(1): immunity to all spoofing attacks
• AttackFraction( )
– Proportion of ASes from which an attacker can forge addresses of at most ASes.
– Effectiveness of IDPFs in limiting the spoofing capability of attackers
– AttackFraction(1): fraction of ASes from which an attacker cannot spoof others' addresses
• VictimTraceFraction( )
– Proportion of ASes being attacked that can localize the true origin within ASes.
– Effectiveness of IDPFs in reducing traceback efforts
– VictimTraceFraction(1): fraction of ASes that can trace spoofed traffic to its true origin (AS)
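The policy model of slides 5 to 9 (valley-free import/export policies, feasible routes, and the IDPF acceptance rule "v accepts M(s, d) from u only if u exported to v its best route to s") together with the three metrics of slide 11, worked through in Python as an added example; this is not code from the slides or from the authors' paper. It assumes the usual Gao-Rexford valley-free policies in place of the policy statements that did not survive on this page, leaves sibling links out, uses the five-node topology of slide 6 with AS relationships constructed here so that only sad and sbd are feasible, lets a packet follow the attacker's policy-selected route to the victim (in this graph that is also the shortest feasible path, as on slide 13), and reads the three metric definitions as spelled out in the code comments, since the page gives them only in outline. The graph is far too small to reproduce the slides' numbers; it shows the mechanism, including why partial deployment still leaves some spoofing possible.

```python
"""Toy Inter-Domain Packet Filters (IDPF) over a small policy-routed AS graph.

Added example (not code from the slides or their authors). Assumptions:
- links are provider-customer or peer-peer only; sibling links are left out,
- import/export policies are the Gao-Rexford valley-free rules (not on this page),
- the five nodes s, a, b, c, d of the 'Topological vs. Feasible Routes' slide,
  with relationships constructed here so that only sad and sbd are feasible.
"""

# Constructed relationships: (provider, customer) pairs and peer pairs.
PROVIDER_OF = {("a", "s"), ("b", "s"), ("d", "a"), ("d", "b"),
               ("a", "c"), ("b", "c"), ("d", "c")}
PEERS = {frozenset(("a", "b"))}
NODES = sorted({x for link in PROVIDER_OF | PEERS for x in link})
PREF = {"own": 0, "customer": 1, "peer": 2, "provider": 3}  # import preference

def relation(x, y):
    """How x sees neighbour y: 'customer', 'provider', 'peer', or None if not adjacent."""
    if (x, y) in PROVIDER_OF:
        return "customer"
    if (y, x) in PROVIDER_OF:
        return "provider"
    return "peer" if frozenset((x, y)) in PEERS else None

def exports(u, route_type, v):
    """Assumed export policy: own and customer-learned routes go to every neighbour;
    peer- or provider-learned routes go to customers only (no valleys)."""
    return route_type in ("own", "customer") or relation(u, v) == "customer"

def simulate_bgp(origin):
    """Announce/select until every AS's best route to `origin` is stable.
    Returns best[x] = (type, path from x to origin) and received[v] = {u: path},
    the routes neighbour u exported to v (v's Adj-RIB-In for `origin`)."""
    best = {origin: ("own", [origin])}
    for _ in range(50):
        received = {x: {} for x in NODES}
        for u, (rtype, path) in best.items():
            for v in NODES:
                if relation(u, v) and v not in path and exports(u, rtype, v):
                    received[v][u] = [v] + path
        changed = False
        for v in NODES:
            cands = [(PREF[relation(v, u)], len(p), u, p) for u, p in received[v].items()]
            if v != origin and cands:
                _, _, u, path = min(cands)   # customer > peer > provider, then shortest
                if best.get(v) != (relation(v, u), path):
                    best[v] = (relation(v, u), path)
                    changed = True
        if not changed:
            return best, received
    raise RuntimeError("BGP simulation did not converge")

def build_idpf():
    """IDPF rule from the slides: v accepts M(s, d) from neighbour u only if u has
    exported to v its best route to s. allowed[v] = {(u, s)}; routes[d][x] = x's route to d."""
    allowed, routes = {v: set() for v in NODES}, {}
    for s in NODES:
        best, received = simulate_bgp(s)
        routes[s] = best
        for v in NODES:
            allowed[v].update((u, s) for u in received[v])
    return allowed, routes

def spoof_succeeds(attacker, src, victim, allowed, routes, idpf, ingress=True):
    """Does a packet from `attacker` claiming source `src` reach `victim`? The packet
    follows the attacker's policy-chosen route (the attacker cannot pick the path);
    each IDPF AS on the way checks (previous hop, src). With network ingress
    filtering, an IDPF AS also cannot originate spoofed packets itself."""
    if attacker == src:
        return True                      # legitimate traffic
    if ingress and attacker in idpf:
        return False
    path = routes[victim][attacker][1]   # attacker ... victim
    return all(cur not in idpf or (prev, src) in allowed[cur]
               for prev, cur in zip(path, path[1:]))

def metrics(tau, idpf, allowed, routes, ingress=True):
    """VictimFraction, AttackFraction, VictimTraceFraction for threshold tau,
    following the slide's wording (our reading where the slide is terse)."""
    # spoof[a][d]: sources an attacker in AS a can use against victim d (a itself included)
    spoof = {a: {d: {s for s in NODES if spoof_succeeds(a, s, d, allowed, routes, idpf, ingress)}
                 for d in NODES if d != a} for a in NODES}
    n = len(NODES)
    victim = sum(all(len(spoof[a][d]) <= tau for a in NODES if a != d) for d in NODES) / n
    attack = sum(len(set().union(*spoof[a].values())) <= tau for a in NODES) / n
    # victim d can localize a packet claiming source s to the ASes able to send it
    trace = sum(max(len({a for a in NODES if a != d and s in spoof[a][d]})
                    for s in NODES if s != d) <= tau for d in NODES) / n
    return victim, attack, trace

if __name__ == "__main__":
    allowed, routes = build_idpf()
    print("d accepts source s from:", sorted(u for u, s in allowed["d"] if s == "s"))
    for deploy in ({"a", "d"}, {"a", "b", "d"}):   # partial vs. vertex-cover placement
        for tau in (1, 2, 3):
            print(sorted(deploy), tau, metrics(tau, deploy, allowed, routes))
```

Running the block prints the neighbours from which d accepts packets claiming source s (a and b, matching the feasible routes sad and sbd on slide 6, while c is rejected because it never exports a route to s toward d) and the three metrics for a partial placement {a, d} and a vertex-cover placement {a, b, d}. With the partial placement, the non-IDPF transit AS b can still impersonate its own customers s and c toward d, so VictimFraction(1) and VictimTraceFraction(1) are 0 and AttackFraction(1) is 0.4; with the vertex cover plus ingress filtering every metric reaches 1 at τ = 1, which the real AS graph on slides 14 to 16 does not achieve because real transit ASes that skip IDPF have many more customers whose prefixes they legitimately announce.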
Data Sets
• 4 AS graphs from the BGP data archived by the Oregon Route Views Project.
Experimental Settings
• Determine the feasible paths based on update logs.
• Use the shortest path as the route (add it if the shortest path is not a feasible path)
• Selecting nodes that deploy IDPF
– Random (rnd30/rnd50)
– Vertex cover
– If not mentioned specifically, IDPF nodes also have network ingress filtering.
VictimFraction (G2004c)
• Effectiveness of IDPFs in protecting ASes from spoofing attacks
– VictimFraction(1) is zero unless all nodes support IDPFs
– It is very hard to protect ASes from all spoofing attacks
AttackFraction (G2004c)
• Effectiveness of IDPFs in limiting the spoofing capability of attackers
– AttackFraction(1) = 80.8%, 59.2%, and 36.2%, respectively
– IDPFs are very effective in limiting spoofing capability
VictimTraceFraction (G2004c)
• Effectiveness of IDPFs in reducing traceback effort
– VictimTraceFraction(28) = 1: all ASes can localize attackers to at most 28 ASes for VC IDPF placement
Filtering with Precise Routing Info vs BGP
[Figure: G2004c, VC placement; values 7 and 28 marked on the plot]
IDPFs with/without Network Ingress Filtering
[Figure: G2004c, VC placement; values 28 and 87 marked on the plot]
Related Work
• Route-Based Packet Filters [SIGCOMM01]
• Unicast Reverse Path Forwarding (uRPF) [RFC1812]
• Unicast Reverse Path Forwarding, loose mode [CISCO]
• Hop-Count Filtering [CCS03]
• Path Identification/StackPi [SSP03]/[JSAC06]
• Source Address Validation Enforcement (SAVE) [INFOCOM02]
• Spoofing Prevention Method [INFOCOM05]
• Network Ingress Filtering [RFC2267]
• Bogon Route Server Project [Cymru]
Summary
• We proposed an Inter-Domain Packet Filters (IDPF) architecture and studied its performance.
• IDPF can effectively limit the spoofing capability of attackers even when partially deployed, and improves the accuracy of IP traceback.
• Further performance studies appear in
– "Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates", INFOCOM 2006
– And its technical report version
Routing Policy Complications
• Some ASes do not follow the import/export policies assumed in IDPFs
– Requiring restricted traffic forwarding to work with IDPFs
Impact of Routing Dynamics
• IDPFs work well with dynamics caused by network failure events
• IDPFs may drop valid packets during routing dynamics caused by a new network announcement (or recovery from a fail-down network event); IDPFs may also fail to detect spoofed packets
– However, reachability information propagates much faster than failure information