1 Controlling IP Spoofing via Inter-Domain Packet Filters Zhenhai Duan Department of Computer Science Florida State University

Page 1

Controlling IP Spoofing via Inter-Domain Packet Filters

Zhenhai Duan

Department of Computer Science

Florida State University

Page 2

IP Spoofing

• What is IP spoofing?
– Act of faking the source IP address
– Used by many DDoS attacks
  • High-profile DDoS attack on the root DNS servers in early February 2006
• Why does it remain popular?
– Hard to isolate attack traffic from legitimate traffic
– Hard to pinpoint the true attacker
– Many attacks rely on IP spoofing
  • Man-in-the-middle attacks such as TCP hijacking/DNS poisoning
  • Reflector-based attacks


Page 3

Route-Based Packet Filters [PL01]

• Based on an observation
– Attackers can spoof the source address,
– But they cannot control the route the packets take
• How it works
– Packets are only allowed on the best path from source to destination
• Requirement
– Filters need to know global topology information
– Not available in the path-vector based Internet routing system
• Our objectives
– Is it possible to construct packet filters without global topology information?
– If it is possible, what is the performance?


Page 4

Internet Routing Architecture

• Consists of a large number of network domains,
– Or Autonomous Systems (ASes)
– About 25,000 currently
• Three common AS relationships
– Provider-customer
– Peering
– Sibling

[Figure: example AS topology with nodes A, B, C, D, E, F, G, X, Y]

Page 5

Internet Inter-Domain Routing

• Border Gateway Protocol (BGP), a policy-based routing protocol
– Import policies
  • Which route is more preferred
– Route selection
  • Which route should be chosen as the best route
– Export policies
  • To which neighbors should I announce the best route
• AS relationship determines routing policies

A net effect of routing policies is that they limit the possible paths between each AS pair.

Page 6

Topological Routes vs. Feasible Routes

• Topological routes
– Loop-free paths between a pair of nodes
• Feasible routes
– Loop-free paths between a pair of nodes that do not violate routing policies

[Figure: example topology with nodes s, a, b, c, d]

Topological routes: s a d, s b d, s a b d, s a c d, s b a d, s b c d, s a b c d, s a c b d, s b a c d, s b c a d

Feasible routes: s a d, s b d

Page 7

Assumptions on Import/Export Policies

• Import policies

• Export policies

• These policies are commonly used on the current Internet

Page 8

Inter-Domain Packet Filters (IDPF)

• Filtering packets based on feasible routes
– Packets can only travel on feasible routes from s to d
• Inferring feasible routes
– If u is a feasible upstream neighbor of v for packet M(s, d), node u must have exported to v its best route to reach s.

Page 9

Constructing IDPF

• Node v accepts packet M(s, d) forwarded by node u if and only if

• IDPFs allow traffic to go through any feasible route
– Correct in that they do not drop valid packets
– May affect the performance compared to route-based filtering
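The inference rule on the previous slide, worked through as an added example (this is not code from the slides or the paper): a constructed five-AS topology, the standard valley-free export policy assumed for the import/export policies the slides leave unstated, the IDPF accept check at a node, and, going one step beyond the slide, the set of source ASes an attacker can still forge past its first-hop filter (the quantity behind AttackFraction).

```python
# Constructed AS topology (not the paper's data): (x, y) in PROVIDERS means
# x is a provider of y; pairs in PEERS are settlement-free peers.
PROVIDERS = {("T1", "A"), ("T1", "B"), ("A", "C"), ("B", "D"), ("A", "D")}
PEERS = {("A", "B")}
ALL_ASES = {x for pair in PROVIDERS | PEERS for x in pair}

def neighbors_of(x):
    """Yield (neighbor, how that neighbor relates to x): customer/provider/peer."""
    for p, c in PROVIDERS:
        if p == x:
            yield c, "customer"
        if c == x:
            yield p, "provider"
    for a, b in PEERS:
        if a == x:
            yield b, "peer"
        if b == x:
            yield a, "peer"

def announcements(origin):
    """Return the set of (u, v) such that u exported its route to `origin` to v.

    Assumed (not stated on the slides) valley-free export policy: a route that is
    originated locally or learned from a customer goes to every neighbour; one
    learned from a peer or provider goes only to customers. Under the usual
    preference customer > peer > provider, "u exports its best route" equals
    "u holds an exportable route", so every compliant announcement is propagated."""
    inverse = {"customer": "provider", "provider": "customer", "peer": "peer"}
    exported, seen = set(), set()
    work = [(origin, "own")]  # (node, how the node learned the route)
    while work:
        x, learned_from = work.pop()
        if (x, learned_from) in seen:
            continue
        seen.add((x, learned_from))
        for y, rel in neighbors_of(x):
            if rel != "customer" and learned_from not in ("own", "customer"):
                continue  # no valley: peer/provider routes only go downstream
            exported.add((x, y))
            work.append((y, inverse[rel]))  # how y sees the exporter x
    return exported

def idpf_accept(v, u, source):
    """IDPF at v: accept a packet claiming source AS `source` from neighbour u
    only if u exported to v its route to `source` (u is a feasible upstream)."""
    return (u, v) in announcements(source)

def spoofable_past(attacker, first_hop):
    """Source ASes whose addresses `attacker` can forge past `first_hop`'s IDPF."""
    return {s for s in ALL_ASES if idpf_accept(first_hop, attacker, s)}
```

In this topology A's provider T1 accepts from A only sources in A's customer cone, and A accepts from its customer D only D's own addresses, which is the partial-deployment effect the later slides measure.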

Page 10

Performance

• IDPF has two effects
– Reducing the number of prefixes that can be spoofed
– Localizing the true source of spoofed packets
• Because IDPF finds a set of feasible paths instead of one best route, its performance will not be as good as the ideal route-based packet filters [PL01]

Page 11

Performance Metrics [PL01]

• VictimFraction( )
– Proportion of ASes that, if attacked, the attacker can at most spoof ASes.
– Effectiveness of IDPFs in protecting ASes against spoofing attacks
– VictimFraction(1): immunity to all spoofing attacks
• AttackFraction( )
– Proportion of ASes from which an attacker can forge the addresses of at most ASes.
– Effectiveness of IDPFs in limiting the spoofing capability of attackers
– AttackFraction(1): fraction of ASes from which an attacker cannot spoof others' addresses
• VictimTraceFraction( )
– Proportion of ASes being attacked that can localize the true origin within ASes.
– Effectiveness of IDPFs in reducing traceback efforts
– VictimTraceFraction(1): fraction of ASes that can trace spoofed traffic to its true origin (AS)

Page 12

Data Sets

• 4 AS graphs from the BGP data archived by the Oregon Route Views Project.

Page 13

Experimental Settings

• Determine the feasible paths based on update logs.
• Use the shortest path as the route (add it if the shortest path is not a feasible path)
• Selecting nodes that deploy IDPF
– Random (rnd30/rnd50)
– Vertex cover
– If not mentioned specifically, IDPF nodes also have network ingress filtering.

Page 14

VictimFraction (G2004c)

• Effectiveness of IDPFs in protecting ASes from spoofing attacks

– VictimFraction(1) is zero unless all nodes support IDPFs
– It is very hard to protect ASes from all spoofing attacks

Page 15

AttackFraction (G2004c)

• Effectiveness of IDPFs in limiting spoofing capability of attackers

– AttackFraction(1) = 80.8%, 59.2%, and 36.2%, respectively
– IDPFs are very effective in limiting spoofing capability

Page 16

VictimTraceFraction (G2004c)

• Effectiveness of IDPFs in reducing traceback effort

– VictimTraceFraction(28) = 1, all ASes can localize attackers to at most 28 ASes for VC IDPF placement


Page 17

Filtering with Precise Routing Info vs BGP

[Figure: G2004c, VC placement]

Page 18

IDPFs with/without Network Ingress Filtering

[Figure: G2004c, VC placement]

Page 19

Related Work

• Route-Based Packet Filters [SIGCOMM01]
• Unicast reverse packet forwarding [RFC1812]
• Unicast reverse packet forwarding loose mode [CISCO]
• Hop-Count Filtering [CCS03]
• Path Identification/StackPi [SSP03]/[JSAC06]
• Source Address Validation Enforcement (SAVE) [INFOCOM02]
• Spoofing Prevention Method [INFOCOM05]
• Network Ingress Filtering [RFC2267]
• Bogon Route Server Project [Cymru]

Page 20

Summary

• We proposed an Inter-Domain Packet Filters (IDPF) architecture and studied its performance.
• IDPF can effectively limit the spoofing capability of attackers even when partially deployed, and improves the accuracy of IP traceback.
• More performance studies in
– "Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates", INFOCOM 2006
– And its TR version

Page 21

Routing Policy Complications

• Some ASes do not follow the import/export policies assumed in IDPFs

– Requiring restricted traffic forwarding to work with IDPFs

Page 22

Impact of Routing Dynamics

• IDPFs work well with dynamics caused by network failure events
• During routing dynamics caused by a new network announcement (or recovery from a failed-down network event), IDPFs may drop valid packets; IDPFs may also fail to detect spoofed packets
– However, reachability information propagates much faster than failure information