IP Spoofer Project
ISMA AIMS 2009, February 12, 2009
Rob Beverly, Arthur Berger, Young Hyun
{rbeverly,awberger}@csail.mit, youngh@caida
Observations on four years of data
Spoofer Project
• Background
• Recent Relevance
• Project Description
• What’s New: Methodology
• What’s New: Data
• Parting Thoughts
Spoofed-Source IP Packets
• Circumvent host network stack to forge or “spoof” the source address of an IP packet
• Lack of source address accountability is a basic Internet weakness:
  – Anonymity, indirection [VP01], amplification
• Security issue for more than two decades [RTM85, Bellovin89]
• Still an attack vector?
Circa 2004…
IP Source Spoofing doesn’t matter!
a) All providers filter
b) All modern attacks use botnets
c) Compromised hosts are behind NATs
!?!?!
The Spoofer Project
• Strong opinions from many sides:
  – Academic
  – Operational
  – Regulatory
• …but only anecdotal data
spoofer.csail.mit.edu
• Internet-wide active measurement effort:
  – Quantify the extent and nature of Internet source address filtering
• We learn and form inferences over:
  – Filtering policies / currently employed defenses
  – Filtering specificity, locations, providers, etc.
  – Distribution of filtering
• Began Feb. 2005
Prediction: spoofing increasingly a problem in the future
• Spoofed traffic complicates a defender’s job
• Tracking spoofs is operationally difficult:
  – [Greene, Morrow, Gemberling NANOG 23]
  – Hash-based IP traceback [Snoeren01]
  – ICMP traceback [Bellovin00]
• Consider a 10,000-node zombie DDoS
  – Today (worst-case scenario): if non-spoofing zombies are widely distributed, a network operator must defend against attack packets from 5% of routeable netblocks.
  – Future: if 25% of zombies are capable of spoofing, a significant volume of the traffic could appear to come from any part of the IPv4 address space.
• Adaptive programs that make use of all local host capabilities to amplify their attacks
Slide from SRUTI 2005
Prominent 2008 Example: DNS Amplifier Attack
Diagram: Attacker; Victim; 3rd-party DNS servers; hack.com (large TXT record)
Step 1 (attacker to DNS servers): IP Src: V; DNS Query: hack.com TXT
$$ result
Step 2 (DNS servers to victim): IP Src: Carol; IP Dst: V; Large DNS TXT response
• Small spoofed DNS query is amplified into a large (anonymous) response toward the victim
• Largest reported attack: 40 Gbps*
*Arbor Networks 2008 Infrastructure Security Survey
Reasons to Believe Spoofing Matters (2009)
• DNS amplifier attacks
• In-window TCP reset attacks
• Spam filter circumvention
• DNS cache poisoning
• UW reverse traceroute
• Spoofer web site statistics
The Operational Side
• Arbor*:
  – “Reflective amplification attacks responsible for the largest attacks exploit IP spoofing”
  – “No bots were used in this attack. The attacker had a small number of compromised Linux boxes from which he’d launch the spoofed source DNS query.”
• What’s an operator to do?
*Arbor Networks 2008 Infrastructure Security Survey
Operational View
IPv4 address space (figure): example spoofed sources and the defense that applies to each

Example Source IP | Description | Possible Defense
--- | --- | ---
Client IP ⊕ 2^N | Neighbor spoof | Switch, DOCSIS
192.168.1.1 | RFC1918 private | Static ACL
6.1.2.3 | Valid (in BGP table) | uRPF
1.2.3.4 | Unallocated | Bogon filters

• Not all sources are created equal
• IETF BCP38 best filtering practice
Operational View
• We have defenses, what’s the problem?
• BCP38 suffers from:
  – Incentive problem
  – Lack of hardware support (see NANOG)
  – Management nightmare (edge filters)
• > 30% don’t filter!*
*Arbor Networks 2008 Infrastructure Security Survey
Spoofer Test Client
• Willing participants run the “spoofer” client to test policy, perform inference, etc.
  – Binaries, source publicly available
Spoofer Operation
Diagram: client sends spoofed source packets to the spoofer server; the server records them, correlates, and stores in a DB.
• Clients attempt to send a series of spoofed UDP packets to the collection server:
  – 5 of each type with random inter-packet delay
  – UDP port 53 to avoid secondary filtering
  – Payload includes a unique 14-byte identifier
• Server stores received packets in DB
Spoofer Operation
Diagram: as before, with a TCP control connection from the client to the spoofer server alongside the spoofed source packets.
• Spoofer client sends a report of spoofed packets to the server via TCP
• Client traceroutes to the server and sends the result
• TCP destination port 80 used to avoid secondary filtering effects
Client Population
Figure: client population over time. Annotations: advertised to NANOG, dshield, etc. mailing lists; Slashdot!; still receiving results.
Client Population Distribution
Filtering Specificity
• Clients test own IP ⊕ 2^n for 0<n<24
• Filtering on a /8 boundary enables a client within that network to spoof ~16M addresses
• >30% of clients “unable” to spoof can spoof neighbors
• Exclude “neighbor spoof” from macro results
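The neighbor-spoof test and the inference drawn from it, as an added example (my code, not the Spoofer client or server): generate the IP ⊕ 2^n probe sources, infer the filtering boundary from which probes arrived, and classify a client so that neighbor-only spoofers are excluded from the macro results. The rule that the highest bit that gets through fixes the boundary is my reading of the slide, not stated on it.

```python
from ipaddress import IPv4Address, ip_network


def neighbor_probe_sources(client_ip: str) -> dict:
    """Spoofed sources the client tries: its own address with bit n flipped (IP ⊕ 2^n)
    for 0 < n < 24, i.e. every 'neighbor' from the adjacent /30 out to the same /8."""
    ip = int(IPv4Address(client_ip))
    return {n: IPv4Address(ip ^ (1 << n)) for n in range(1, 24)}


def infer_filter_granularity(client_ip: str, received: set):
    """Server side: from the set of n whose probes arrived, infer the prefix on which the
    client's network filters and how many addresses that lets the client spoof.
    Assumption (my reading of the slide): a filter on a /p boundary passes exactly the
    probes that flip a bit below position 32-p, so the highest bit that got through
    fixes the boundary; lower bits missing because of packet loss do not change it."""
    if not received:
        return f"{client_ip}/32", 1            # no neighbor spoofing observed at all
    prefix = 32 - (max(received) + 1)
    block = ip_network(f"{client_ip}/{prefix}", strict=False)
    return str(block), block.num_addresses   # e.g. a /8 boundary -> 16,777,216 addresses


def classify_client(macro: dict, neighbor_received: set) -> str:
    """'spoofable' if any private/unallocated/valid spoof got through, 'neighbor-spoof'
    if only IP ⊕ 2^n probes did (kept out of the macro results), else 'blocked'."""
    if any(macro.get(kind) for kind in ("private", "unallocated", "valid")):
        return "spoofable"
    return "neighbor-spoof" if neighbor_received else "blocked"


if __name__ == "__main__":
    # Constructed client address; the provider filters only on the /8 boundary.
    client = "18.26.4.9"
    arrived = set(range(1, 24))                # every neighbor probe reached the server
    print(infer_filter_granularity(client, arrived))   # ('18.0.0.0/8', 16777216)
    print(classify_client({"private": False, "unallocated": False, "valid": False}, arrived))
```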
• Spoofable: spoofing of private, unallocated, or valid IP packets possible from these locations
• Agrees to a first order with the Arbor survey
• But… these numbers cause even more disagreement!
What’s New: Methodology
• Goal:
  – Resolve ambiguity
  – Increase confidence
• New:
  – tracefilter
  – Tied into CAIDA’s Ark distributed measurement infrastructure
  – More detailed analysis
  – Longitudinal analysis over four years of data
tracefilter
• A tool for locating source address validation (anti-spoofing) filters along a path
• “traceroute for BCP38”
• Better understand who is/is not filtering
tracefilter
Diagram: Client (c) and spoofer server (S).
• Client c works in conjunction with our server S
Probe from c: IP Src: S; IP Dst: S+1; TTL: 2
• c sends spoofed packets with ttl=x, src=S, dst=S+1 for 0<x<pathlen
Reply from a router to S: IP Src: rtr; IP Dst: S; ICMP TTL exceeded
• S receives ICMP expiration messages from routers along the path
• For each decoded TTL, S records which spoofed packets are received
Probe from c: IP Src: S; IP Dst: S+1; TTL: 3
• Increase TTL, repeat
• Largest TTL indicates filtering point
tracefilter
• How can S determine the originating TTL of c’s packets?
• The ICMP error quotes only 28 bytes of the expired packet
• c encodes the TTL by padding the payload with zeros

Probe:
  IP [SRC: S, DST: S+1, TTL: x] | UDP [SRC: SessID, DST: 53] | Payload [x zero bytes]
Response:
  ICMP [Type: TTL Exceeded] | IP [SRC: S, DST: S+1, TTL: 0] | UDP echo [SRC: SessID, Len: 8+x]
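The probe and response encoding above, worked through as an added example (my code, not the project's tracefilter): build the probe with x zero bytes of payload, simulate a router's ICMP time-exceeded that quotes only the first 28 bytes, and recover x on the server from the UDP length field. S, S+1 and the session ID are constructed placeholders, and locate_filter is my reading of "largest TTL indicates filtering point".

```python
import struct
from ipaddress import IPv4Address

# Constructed placeholders (TEST-NET-1), not the project's real server address.
SERVER = IPv4Address("192.0.2.10")   # S: the spoofed source the client claims
DECOY = SERVER + 1                   # S+1: the probe's destination, as on the slide
DNS_PORT = 53
ICMP_TIME_EXCEEDED = 11
QUOTE_LEN = 28                       # IP header (20) + first 8 bytes of UDP = UDP header only


def build_probe(session_id: int, ttl: int) -> bytes:
    """Client c: IP(src=S, dst=S+1, ttl=x) / UDP(sport=SessID, dport=53) / x zero bytes.
    The payload length, not the TTL byte, is what carries x back to S."""
    payload = b"\x00" * ttl
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", session_id, DNS_PORT, udp_len, 0)   # checksum 0 = omitted
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, ttl, 17, 0,
                     SERVER.packed, DECOY.packed)
    return ip + udp + payload


def build_time_exceeded(probe: bytes) -> bytes:
    """Simulated router reply (constructed, not a capture): ICMP type 11, code 0, four
    unused bytes, then only the first 28 bytes of the expired probe with TTL already 0."""
    quoted = bytearray(probe[:QUOTE_LEN])
    quoted[8] = 0                                   # the TTL field as the router quotes it
    return struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + bytes(quoted)


def decode_time_exceeded(icmp: bytes):
    """Server S: return (session_id, original_ttl) for a quoted tracefilter probe, else None.
    The quoted TTL is 0 and the payload is gone, so x is read back as UDP length - 8."""
    if len(icmp) < 8 + QUOTE_LEN or icmp[0] != ICMP_TIME_EXCEEDED:
        return None
    inner = icmp[8:8 + QUOTE_LEN]
    ihl, proto = (inner[0] & 0x0F) * 4, inner[9]
    src, dst = IPv4Address(inner[12:16]), IPv4Address(inner[16:20])
    if ihl != 20 or proto != 17 or src != SERVER or dst != DECOY:
        return None                                 # not one of our spoofed probes
    sport, dport, udp_len, _ = struct.unpack("!HHHH", inner[20:28])
    if dport != DNS_PORT or udp_len < 8:
        return None
    return sport, udp_len - 8


def locate_filter(decoded_ttls, pathlen: int):
    """The largest TTL that produced a reply is the last hop the spoofed probe reached, so
    the filter sits at the next hop. If every TTL below pathlen replied, no filter was seen
    on the path (None). No replies at all means the first hop already filters."""
    last = max(decoded_ttls, default=0)
    return None if last >= pathlen - 1 else last + 1


if __name__ == "__main__":
    # Constructed walk-through: hops 1 and 2 reply, a filter at hop 3 drops the rest.
    path_len = 8
    replies = [build_time_exceeded(build_probe(0x1234, x)) for x in (1, 2)]
    ttls = [decode_time_exceeded(r)[1] for r in replies]
    print("decoded TTLs:", ttls, "-> filter at hop", locate_filter(ttls, path_len))
```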
tracefilter Results
• 70% of filters at 1st hop; 81% within first two hops
• 97% of filters within first AS
If a spoofed packet passes through the first two hops, it is likely to travel unimpeded to its destination.
Ark Support
• Spoofer tester now tied into CAIDA’s Archipelago distributed measurement infrastructure (Ark)
• Provides invaluable additional inference capability
• Allows us to resolve the aforementioned ambiguity
Utilizing Ark Infrastructure
Diagram: client, spoofer server (TCP control connection), and Ark nodes sjc-us, hlz-nz, san-us, her-gr.
• Server and Ark nodes agree on a common HMAC key
• Provide client with (SRC, DST, KEY, SEQ) tuples
• Client sends HMAC-keyed spoof probes to Ark nodes
• Client runs traceroute to each Ark node in parallel
Ark Tuple Space
• Ark nodes publish to tuple space
• Server asynchronously picks up results
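The three Ark slides above as one exchange, added here as an example (my code, not the project's): the server issues (SRC, DST, KEY, SEQ) tuples, the client wraps them into probe payloads, an Ark node accepts a probe only if the HMAC matches the addresses actually on the wire, and the server correlates what was published against what was issued. The shared key, Ark node addresses and the choice to make KEY the server-computed tag (so a client cannot mint probes for sources it was not given) are my assumptions.

```python
import hmac
import hashlib
from ipaddress import IPv4Address

# Constructed placeholders: the real key and Ark node addresses are not on the slides.
SHARED_KEY = b"constructed-key-shared-by-spoofer-server-and-ark-nodes"
ARK_NODES = {"sjc-us": IPv4Address("198.51.100.1"),
             "hlz-nz": IPv4Address("198.51.100.2")}
TAG_LEN = 16


def probe_tag(src: IPv4Address, dst: IPv4Address, seq: int) -> bytes:
    """HMAC over exactly the (spoofed src, Ark dst, seq) a valid probe must carry."""
    msg = src.packed + dst.packed + seq.to_bytes(4, "big")
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()[:TAG_LEN]


def issue_tuples(spoof_sources, first_seq: int = 0):
    """Server: one (SRC, DST, KEY, SEQ) tuple per spoofed source and Ark node. Assumption:
    KEY is the server-computed tag, so the client never holds SHARED_KEY and cannot
    produce a valid probe for a source/destination pair it was not handed."""
    tuples, seq = [], first_seq
    for src in spoof_sources:
        for dst in ARK_NODES.values():
            tuples.append((src, dst, probe_tag(src, dst, seq), seq))
            seq += 1
    return tuples


def build_probe_payload(t) -> bytes:
    """Client: UDP payload carried in the packet it sends with IP src=SRC to dst=DST."""
    src, dst, key, seq = t
    return seq.to_bytes(4, "big") + key


def ark_receive(pkt_src: IPv4Address, pkt_dst: IPv4Address, payload: bytes):
    """Ark node: accept a probe only if its tag matches the addresses seen on the wire and
    its seq; returns the (src, dst, seq) record published to the tuple space, else None."""
    if len(payload) != 4 + TAG_LEN:
        return None
    seq = int.from_bytes(payload[:4], "big")
    if not hmac.compare_digest(payload[4:], probe_tag(pkt_src, pkt_dst, seq)):
        return None                     # forged, replayed onto another dst, or corrupted
    return (pkt_src, pkt_dst, seq)


def correlate(issued, published):
    """Server: pick up the Ark records asynchronously and mark each issued tuple as
    received (the spoofed packet crossed the path to that Ark node) or filtered."""
    seen = set(published)
    return {(src, dst, seq): (src, dst, seq) in seen for src, dst, _, seq in issued}


if __name__ == "__main__":
    # Constructed run: the bogon source reaches sjc-us but is filtered toward hlz-nz.
    issued = issue_tuples([IPv4Address("1.2.3.4")])
    first = issued[0]
    record = ark_receive(first[0], first[1], build_probe_payload(first))
    for key, ok in correlate(issued, [record]).items():
        print(key, "received" if ok else "filtered")
```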
Value of Ark
• How does Ark allow us better inference?
• Example:
Multiple Destinations
Diagram: one client with paths to several destinations: Commercial, R&E, Univ NZ, MIT, .mil, Univ ES.
Multiple Destinations
• Blue line is bogon traffic (IP: 1.2.3.4)
• Much greater inference power
• Detect bogon filtering at multiple ASes
• MIT server alone finds bogons filtered; too coarse!
Multiple Destinations
• Metric of spoofability is now a path rather than a client
• Allows inference on the complete AS graph
• Better understanding of where to employ spoofing defenses
Deeper Analysis
• Questions we want to answer:
  – Geographic analysis
  – Large or small providers filter?
  – What kinds of providers?
Geographic (Tests)
Geographic (Spoofable)
Spoofable by region: Africa 10.5%; Europe 9.2%; Australia 9.7%; Asia 20.3%; North America 8.7%; South America 10.5%
DNS Stats
• Asia, Mexico: high spoofing success
• OS blocked rates encouraging
• Large numbers of non-NAT hosts, especially .edu
Connection Classes
• DSL, cable easiest to control (built into architecture)
• Commercial, unknown: highest spoofing rates
AS Degree
• Small or large providers filtering?
• Surprisingly, no clear trend
• Work required across the board (or a new solution)
Spoofer Project
• Background
• Recent Relevance
• Project Description
• What’s New: Methodology
• What’s New: Data
• Longitudinal Analysis
• Parting Thoughts
Parting Thoughts (1)
• Among clients able to spoof, what sources can they spoof?

Spoofed Source | Description | Defense | Percent
--- | --- | --- | ---
1.2.3.4 | Unallocated | Bogon filters | 58%
172.16.1.100 | RFC1918 private | Static ACL | 1%
6.1.2.3 | Valid (in BGP table) | uRPF | 90%
Low-hanging fruit already employed, problem is harder!
Parting Thoughts (2)
• Tracefilter exposes operational tension between current filtering incentives and the difficulty of managing edge filters
• If a spoofed packet isn’t filtered at the edge, it will travel unimpeded to its destination
• Should we think about core filtering techniques?
  – StackPI
  – ML approaches with soft response (rbeverly thesis work)
  – Others
Parting Thoughts
• Even after all these years, the source spoofing problem is not solved
  – BCP38 has been around for 9 years
  – BCP38 great, but incentives wrong
• A single unfiltered ingress can compromise the entire Internet system
  – Can we plug every hole?
  – Regulatory response? … but multinational?
  – Spoofer page for public provider flogging?
• What’s needed (biased opinion!):
  – Clean slate design
  – Filtering in the core
Thanks! http://spoofer.csail.mit.edu