Copyright (C) 2006 Internet Initiative Japan Inc.
anti IP spoofing technique
MATSUZAKI ‘maz’ Yoshinobu <[email protected]>
ip spoofing
creation of IP packets with source addresses other than those assigned to that host
Malicious uses with IP spoofing
• impersonation
  – session hijack or reset
• hiding
  – flooding attack
• reflection
  – ip reflected attack
impersonation
[diagram: the sender sends an ip spoofed packet (dst: victim, src: partner) to the victim; the victim thinks “Oh, my partner sent me a packet. I’ll process this.”]
hiding
[diagram: the sender floods the victim with ip spoofed packets (dst: victim, src: random); the victim thinks “Oops, many packets are coming. But, who is the real source?”]
reflection
[diagram: the sender sends an ip spoofed packet (src: victim, dst: reflector) to the reflector; the reflector’s reply packet (src: reflector, dst: victim) lands on the victim, who thinks “Oops, a lot of replies without any request…”]
ip reflected attacks
• smurf attacks
  – icmp echo (ping)
  – ip spoofing (reflection)
  – directed-broadcast amplification
• dns amplification attacks
  – dns query
  – ip spoofing (reflection)
  – DNS amplification
amplification
[diagram: two ways a sender’s single packet gets amplified]
1. multiple replies
2. bigger reply
directed-broadcast amplification
[diagram: one icmp echo request from the sender to a directed-broadcast address, many icmp echo replies back]
DNS amplification
[diagram: a small query from the sender to the DNS server, and a much bigger reply]
query: ANY? xxx.example.com
reply: xxx.example.com IN TXT XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ip reflected attacks
[diagram: attacker → ip spoofed packets → open amplifier → replies → victim]
smurf attack
[diagram: the attacker sends an ip spoofed ping to a network; the ICMP echo replies all go to the victim]
dns amplification attack
[diagram: the attacker sends ip spoofed DNS queries to many DNS servers; the DNS replies all go to the victim]
relations – dns amp attack
[diagram of the parties involved: Command&Control, botnet, IP spoofed DNS queries, stub-resolvers, full-resolvers, root-servers, tld-servers, example-servers, victim]
solutions for ip reflected attacks
[diagram: attacker → ip spoofed packets → open amplifier → replies → victim, with two places to break the chain: prevent ip spoofing (at the attacker’s side) and disable open amplifiers]
two solutions
• disable ‘open amplifier’
  – disable ‘directed-broadcast’
  – disable ‘open recursive DNS server’
    • a content (authoritative) DNS server should accept queries from everyone, but the resolver (cache) DNS service should be restricted to its own customers only.
• prevent ip spoofing!!
  – source address validation
  – BCP38 & BCP84
Source Address Validation
• Check the source ip address of ip packets
  – filter invalid source ip addresses
  – filter as close to the packets’ origin as possible
  – filter as precisely as possible
• If no networks allow ip spoofing, we can eliminate these kinds of attacks
our assumption
• The ISP/network administrator assigns ip addresses to their users.
  – dynamic or static
  – DHCP, connectivity service
• Users should use these assigned ip addresses as their source ip address.
close to the origin
[diagram, reconstructed from the slide labels: a host in 10.0.3.0/24 behind RT.a sends packets with srcip: 10.0.0.1 and with srcip: 0.0.0.0; RT.b sits upstream of RT.a and also serves 10.0.0.0/23]
RT.a (closest to the origin): “You are spoofing!” × to srcip: 0.0.0.0 and × to srcip: 10.0.0.1
RT.b (further upstream): “You are spoofing!” × to srcip: 0.0.0.0, but “Hmm, this looks ok... but..” to srcip: 10.0.0.1, because 10.0.0.1 falls inside 10.0.0.0/23, which RT.b legitimately sees
how to configure the checking
• ACL
  – packet filter
  – permit valid-source, then drop any
• uRPF check
  – check incoming packets using the ‘routing table’
  – look up the return path for the source ip address
  – loose mode can’t stop ip reflected attacks
    • use strict mode or feasible mode
cisco ACL example
[diagram: customer network 192.168.0.0/24, point-to-point link 10.0.0.0/30, ISP Edge Router; the ACL is applied inbound on the customer-facing interface]

ip access-list extended fromCUSTOMER
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 10.0.0.0 0.0.0.3 any
 deny ip any any
!
interface Gigabitethernet0/0
 ip access-group fromCUSTOMER in
!
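An added example (not code from the presentation) that parses a Cisco extended ACL of the form shown above, evaluates candidate source addresses against it with first-match semantics, and compares the permitted sources with what the customer was actually assigned; the ACL text and the assignment list are constructed from the slide’s own values. Run against the slide’s ACL it flags the 192.168.0.0 0.0.255.255 entry (a /16) as far wider than the 192.168.0.0/24 the customer holds, which is the “filter as precisely as possible” point made earlier.

```python
import ipaddress

# Constructed copy of the slide's ACL (the customer is assigned
# 192.168.0.0/24 plus the point-to-point link 10.0.0.0/30).
SLIDE_ACL = """\
ip access-list extended fromCUSTOMER
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 10.0.0.0 0.0.0.3 any
 deny ip any any
"""
ASSIGNED = ["192.168.0.0/24", "10.0.0.0/30"]


def wildcard_to_network(addr, wildcard):
    """Cisco 'address wildcard' -> network. The wildcard is the inverted
    mask (0.0.0.255 = /24). Computed by hand because ipaddress would read
    an all-zero wildcard as /0 instead of a single host."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a prefix")
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def parse_acl(text):
    """Parse the 'permit|deny ip <src> <wildcard> any' lines of an extended
    ACL into ordered (action, source network) pairs."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "ip":
            continue                         # header, '!' and blank lines
        action, src, arg = parts[0], parts[2], parts[3]
        if src == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif src == "host":
            net = ipaddress.IPv4Network(arg + "/32")
        else:
            net = wildcard_to_network(src, arg)
        entries.append((action, net))
    return entries


def evaluate(entries, src):
    """First-match semantics, with the implicit deny at the end."""
    addr = ipaddress.IPv4Address(src)
    for action, net in entries:
        if addr in net:
            return action
    return "deny"


def audit_permits(entries, assigned):
    """Compare permitted sources with the customer's assignment.
    Returns (per-permit findings, assigned prefixes nothing permits)."""
    assigned = [ipaddress.IPv4Network(a) for a in assigned]
    findings = []
    for action, net in entries:
        if action != "permit":
            continue
        if any(net.subnet_of(a) for a in assigned):
            findings.append((str(net), "ok"))
            continue
        inside = [a for a in assigned if a.subnet_of(net)]
        extra = net.num_addresses - sum(a.num_addresses for a in inside)
        findings.append((str(net), f"over-permissive: {extra} extra addresses"))
    uncovered = [str(a) for a in assigned
                 if not any(act == "permit" and a.subnet_of(n) for act, n in entries)]
    return findings, uncovered


if __name__ == "__main__":
    acl = parse_acl(SLIDE_ACL)
    print(audit_permits(acl, ASSIGNED))
    for src in ("192.168.0.10", "192.168.77.1", "10.0.0.2", "172.16.0.1"):
        print(src, evaluate(acl, src))
```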
juniper ACL example
[diagram: customer network 192.168.0.0/24, point-to-point link 10.0.0.0/30, ISP Edge Router; the filter is applied as input on the customer-facing interface]

firewall {
    family inet {
        filter fromCUSTOMER {
            term CUSTOMER {
                from {
                    source-address {
                        192.168.0.0/16;
                        10.0.0.0/30;
                    }
                }
                then accept;
            }
            term Default {
                then discard;
            }
        }
    }
}
[edit interfaces ge-0/0/0 unit 0 family inet]
filter {
    input fromCUSTOMER;
}
cisco uRPF example
[diagram: customer network 192.168.0.0/24, point-to-point link 10.0.0.0/30, ISP Edge Router with uRPF on the customer-facing interface]

interface Gigabitethernet0/0
 ip verify unicast source reachable-via rx
juniper uRPF example
[diagram: customer network 192.168.0.0/24, point-to-point link 10.0.0.0/30, ISP Edge Router with uRPF on the customer-facing interface]

[edit interfaces ge-0/0/0 unit 0 family inet]
rpf-check;
multistage verification
[diagram: uRPF applied at the Customer Router, at the Customer Edge Router and at the ISP Edge Router]
• customers know their network.
• good for precise filtering
• We can filter spoofed traffic at an early stage.
uRPF - failures
• common failures
  – unused space
  – private space
  – wrong address
• asymmetric routing failures
  – multi-connected network
  – transit LAN
• special failures
  – private/non-routed backbone network
unused space
[diagram: customer network 192.168.0.0/24 behind the ISP Edge Router (uRPF); the ISP routes the whole 192.168.0.0/16 towards the customer while the customer router points a default route back at the ISP, so a packet with src: 10.0.0.1 dst: 192.168.1.1 (unused space) bounces between the two ×]
• if there is no filter, these packets keep looping until the ttl expires....
• fix the routing!
• add null routes on the customer router
private space
[diagram: a home network (private address) behind a NAT Router, then the ISP Edge Router (uRPF); when “NAT didn’t work” the packet leaves with its private source address and is dropped ×]
• usual case
• bad implementation of NAT
• mis-configuration
  – router/firewall
  – network
wrong IP address
[diagram: a host inside customer network 192.168.0.0/24 sends with ip: 10.0.0.1; the ISP Edge Router (uRPF) drops it ×]
• mobile PC trying their old IP
• mis-configuration
  – typo
• just spoofing
multi-connected network
[diagram: a customer holds an ip address from ISP A (192.168.0.0/24) and an ip address from ISP B (172.16.0.0/24); uRPF runs at both ISP A and ISP B; a packet with src: 172.16.0.2 sent out via ISP A is dropped ×]
• PBR can fix this.
transit LAN
[diagram: RT.1 and RT.2 share a transit LAN, uRPF on both; a packet with src: external, dst: RT.2 interface that arrives via RT.1 is dropped ×]
• packets addressed to the router interface may be filtered
private/non-routed backbone
[diagram: ISP A’s backbone uses private addresses; uRPF at ISP B drops packets sourced from that backbone ×]
• backbone hiding technique... but
• icmp error messages will be filtered.
  – traceroute can’t show the ISP1’s network
  – this also breaks PMTUD
IIJ’s case
• discussion
• router capability
• policy
• problems
internal discussion
• Do we need anti-spoofing in our network?
  – We heard a rumor that attackers don’t use ip spoofing anymore these days.
• The answer is YES.
  – ip spoofing is still used for attacks.
    • dns amplification attacks
  – preparation for new attacks using ip-spoofing
kubo graph #1
kubo graph #2
router uRPF capability #1
• Cisco
  – uRPF loose/strict mode
• Cisco 72xx, 75xx
  – software processing....
• Cisco sup2, sup720
  – hardware support for uRPF/ACL
  – one uRPF mode per box
router uRPF capability #2
• Cisco 12xxx GSR
  – depends on engine type of line card
  – E0, E1: software processing
  – E2: per physical interface, exclusion ACL
  – E3: loose mode only
  – microcode reload...
router uRPF capability #3
• Juniper T/M
  – works fine
  – ‘feasible’ means ‘set of same length prefixes’

feasible:
  routing table
  prefix        pref.
  10.0.0.0/24   100
  10.0.0.0/24   120

non-feasible:
  routing table
  prefix
  10.0.0.0/24
  10.0.0.0/30
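The three uRPF modes listed under “how to configure the checking” and the feasible/non-feasible tables just above, worked through in Python as an added example (not code from the presentation or from either vendor). The routing table, interface names and preference values are constructed; a default route is ignored unless allow_default is set, mirroring Cisco’s allow-default keyword, and strict mode accepts any equal-best path.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    pref: int = 100          # lower wins, like Junos preference (constructed)


def R(prefix, iface, pref=100):
    return Route(ipaddress.ip_network(prefix), iface, pref)


# Constructed routing table modelled on the slide's "feasible" example:
# the customer prefix 10.0.0.0/24 is known over two interfaces with
# different preference, so only ge-0/0/0 is the active return path.
TABLE = [
    R("10.0.0.0/24", "ge-0/0/0", 100),   # primary path to the customer
    R("10.0.0.0/24", "ge-0/0/1", 120),   # backup path (multihomed customer)
    R("172.16.0.0/24", "ge-0/0/2"),      # another customer
    R("192.0.2.0/24", "ge-0/0/9"),       # reachable via upstream (a victim lives here)
    R("0.0.0.0/0", "ge-0/0/9"),          # default route towards upstream
]

# The slide's "non-feasible" table: two prefixes of different length.
NON_FEASIBLE = [R("10.0.0.0/24", "ge-0/0/0"), R("10.0.0.0/30", "ge-0/0/1")]


def longest_match(table, src, allow_default=False):
    """All routes sharing the longest prefix that covers src.
    The default route only counts when allow_default is set (Cisco
    behaves this way without the 'allow-default' keyword)."""
    addr = ipaddress.ip_address(src)
    hits = [r for r in table if addr in r.prefix
            and (allow_default or r.prefix.prefixlen > 0)]
    if not hits:
        return []
    best_len = max(r.prefix.prefixlen for r in hits)
    return [r for r in hits if r.prefix.prefixlen == best_len]


def urpf_accept(table, src, in_iface, mode, allow_default=False):
    """True if a packet with source src arriving on in_iface passes uRPF."""
    routes = longest_match(table, src, allow_default)
    if not routes:
        return False                 # unroutable source: every mode drops it
    if mode == "loose":
        return True                  # a route anywhere is enough
    if mode == "feasible":           # any same-length alternate path counts
        return any(r.iface == in_iface for r in routes)
    if mode == "strict":             # only the active (best-preference) path
        best_pref = min(r.pref for r in routes)
        return any(r.iface == in_iface and r.pref == best_pref for r in routes)
    raise ValueError(f"unknown uRPF mode: {mode}")


def check_all_modes(table, src, in_iface):
    """Verdict of each mode for one packet, side by side."""
    return {m: urpf_accept(table, src, in_iface, m)
            for m in ("strict", "feasible", "loose")}


if __name__ == "__main__":
    cases = [
        ("customer, active path", "10.0.0.1", "ge-0/0/0"),
        ("customer, backup path", "10.0.0.1", "ge-0/0/1"),
        ("spoofed victim address from customer port", "192.0.2.5", "ge-0/0/0"),
        ("unused space (no route)", "10.99.0.1", "ge-0/0/0"),
    ]
    for name, src, iface in cases:
        print(f"{name:45} {check_all_modes(TABLE, src, iface)}")
    print("non-feasible table, 10.0.0.1 on ge-0/0/0:",
          check_all_modes(NON_FEASIBLE, "10.0.0.1", "ge-0/0/0"))
```

The third case is the reflection scenario: a spoofed victim address from a customer port passes loose mode, which is why the slides say loose mode can’t stop ip reflected attacks.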
router uRPF capability
• Cisco
  – depends on box/linecard
  – uRPF strict/loose mode are supported
  – some boxes use software processing
    • additional 5~20% cpu load
• Juniper
  – works fine
  – need some hack to export cflowd data of discarded traffic
our initial choice
• single homed user
  – simple
  – uRPF strict mode or ACL
• multihomed user
  – bgp customer (ISPs)
  – enterprise (need for redundancy)
  – uRPF loose mode
• … something is better than nothing
IIJ’s policy
[diagram: IIJ/AS2497 and its neighbours: peer ISP, upstream ISP, customer ISP, multi homed static customer, single homed static customer; each link is marked with either uRPF strict mode or uRPF loose mode, following the initial choice above (strict mode for single homed, loose mode for multihomed)]
ACL and uRPF
• ACL
  – deterministic
    • statically configured
  – maintenance of access-lists
• uRPF
  – easy to configure
  – care about asymmetric routing
    • strict mode works well only for symmetric routing
    • loose mode can’t stop the ip reflected attack
    • few vendors support feasible mode
problems
• uRPF/ACL works fine in most cases.
  – bugs, device capability, performance...
• less confidence in uRPF
  – operations know uRPF, but never use it.
  – test it!
• unaware of Source Address Validation
  – why do we need this?
Why do we need it?
• Source Address Validation does NOT protect your users from DoS/Attacks/Etc. directly.
• It reduces malicious activity.
  – sending ip spoofed packets from your network.
• If no networks allow ip spoofing, we can eliminate these kinds of attacks.
bogon traffic
[graph: bogon traffic measured at IIJ; annotated values 150Mbps, 36Kpps, 6Kpps, 1.8Mbps]
please consider Source Address Validation in your network
END