Transcript Talk Slides - FSU Computer Science Department

Constructing Inter-Domain
Packet Filters to Control IP
Spoofing Based on BGP Updates
Zhenhai Duan, Xin Yuan
Department of Computer Science
Florida State University
Jaideep Chandrashekar
Department of Computer Science
University of Minnesota
• Outline:
– Background
• IP spoofing
• Route based packet filtering
– Related BGP concepts
– Inter-domain Packet Filters (IDPF)
• General idea
• Assumptions
• Technique to compute the filters
– Performance
– Conclusion
• IP spoofing:
B
A
X
Y
C
D
– Forging the source address
– Used by many popular DDOS attacks
– Making it difficulty to defend again attacks.
• Route based packet filtering [K. Park, SIGCOMM 2001]
B
A
X
Y
C
D
– One can fake the identity, but not the route.
– A router can decide whether it is in the path from the
source to the destination and drop packets that are not
supposed to be there.
• Route based packet filtering Requirement:
– The router must know the route between any
pair of source and destination addresses.
• Global topology information
• Not available in BGP.
• Is it possible to build route based packet
filters from BGP updates?
• If it is possible, what is the performance?
• BGP:
– Autonomous Systems (ASes) are the basic units
• The network can be modeled as an AS graph
• Nodes are ASes and edges are BGP sessions
• Nodes own network prefixes and exchange BGP
route updates to learn the reachability of prefixes
• Attributes associated with routes: AS path, prefix.
– Policy based routing:
• Import
• Route selection
• Export
• BGP:
– Routing policies are usually decided by the AS
relation
• Provider-customer
• Peer-peer
• Sibling-sibling
• Inter Domain Packet Filters (IDPF):
– IDPF decides feasible routes under BGP
– Feasible routes in BGP are constrained by
routing policies (AS relation)
– Path constrained by the routing policies
• Assumptions in our scheme:
• Export rules: MUST export
• Import rules:
• Inferring the feasible paths:
– If u is a feasible upstream neighbor of v for
packet M(s, d), node u must have exported to v
its best route to reach s.
• Building IDPF:
– Node v accepts packet M(s, d) forwarded by
node u if and only if
– IDPFs allow traffic to go through any feasible
route
• May affect the performance
• No problem in the path exploration phase.
• Routing policy complication:
– Selective announcements:
– r5: restricted conditional advertisement
• Performance:
– IDPF has two effects
• Reducing the number of prefixes that can be spoofed
• Localizing the source of spoofed packets
– IDPF finds a set of feasible paths instead of one
best route, its performance will not be as good
as the ideal route based packet filters [Park
2001]
• Performance metrics [Park 2001]:
– 1 ( ) : the proportion of ASes that if attacked
by an attacker, the attacker can at most spoof 
ASes.
– 2 ( ) : the proportion of ASes from which an
attacker can forge addresses of at most 
ASes.
–  1 ( ) : the proportion of ASes being attacked
that can localize the true origin within 
ASes.
• Data Set:
– 4 AS graphs from the BGP data achieved by the
Oregon Route Views Project.
• Experimental setting
– Determine the feasible paths based on update
logs.
– Use shortest path as the route (add if the
shortest path is not a feasible path)
– Selecting nodes that deploy IDPF
• Random (rnd30/rnd50)
• Vertex cover
• If not mentioned specifically, IDPF nodes also have
network ingress filtering.
1 ( ) on G2004c
1 (1) on G2004c
2 ( ) on G2004c
 1 ( ) on G2004c
• Conclusion:
– We proposed an Inter-domain Packet Filters
architecture (IDPF) and studied it performance.
– IDPF can limit the spoofing capability of
attackers even when partially deployed and
improves the accuracy of IP traceback.
– IDPF provides local incentives for deployment.