IP Spoofing Defense
DESCRIPTION
IP Spoofing Defense. On the State of IP Spoofing Defense, Toby Ehrenkranz and Jun Li, University of Oregon. Outline: IP Spoofing (Impersonation, Reflection, Hiding); IP Spoofing Defense (host-based defense methods: Cryptographic Solutions, SYN Cookies, IP Puzzles). Slide transcript follows.
Slide 1
IP Spoofing Defense
On the State of IP Spoofing Defense
TOBY EHRENKRANZ and JUN LI, University of Oregon
1 IP Spoofing Defense
Slide 2
Outline
IP Spoofing
• Impersonation
• Hiding
• Reflection
IP Spoofing Defense
• Host-based Defense Methods: Cryptographic Solutions, SYN Cookies, IP Puzzles
• Router-Based Defense Methods: Ingress/Egress Filtering, Distributed Packet Filtering (DPF), Source Address Validity Enforcement (SAVE)
• Hybrid Defenses: Pi
References
Slide 3
IP Spoofing
Introduction
Definition
Creation of IP packets with source addresses different from those assigned to that host.
Malicious use of IP Spoofing
• Impersonation: session hijack or reset
• Hiding: flood attack
• Reflection: IP reflected attack
Slide 4
Session hijack or reset (Impersonation)
Attacker → Victim: IP spoofed packet, Src: Partner, Dst: Victim
Victim → Partner: Src: Victim, Dst: Partner
The victim assumes the partner has sent a packet and starts responding.
Slide 5
Flood attack (Hiding)
Attacker → Victim: Src: Random, Dst: Victim
Slide 6
Reflection
Smurf attacks
DNS amplification attacks
IP spoofing (reflection):
Attacker → Reflector: IP spoofed packet (DNS query), Src: Victim, Dst: Reflector
Reflector → Victim: reply (DNS amplification), Src: Reflector, Dst: Victim
The victim receives a lot of replies without having sent a request.
Slide 7
IP Reflected Attacks
Slide 8
DNS Amplification Attack
Slide 9
IP Spoofing Defense
Three classes of solutions
1 Host-based solutions
• No need to change network infrastructure
• Easy to deploy
• Their reaction comes too late
2 Router-based solutions
• Core or edge solutions
• Harder to deploy
• Most effective
3 Hybrid solutions
• Routers + hosts
Slide 10
Cryptographic Solutions
Host-based solutions
Require handshaking to set up secret keys between two hosts
Communication between the two hosts can be encrypted
The attacker cannot successfully spoof packets to create a connection
While IPSec is effective in many cases, it has some drawbacks:
• Handshaking can fail
• It is not feasible to require all hosts to connect through IPSec
• Encryption cost (time): encryption reduces performance
Slide 11
SYN Cookies
Some servers use SYN cookies to prevent opening connections to spoofed source addresses
A server with SYN cookies does not allocate resources until the 3-way handshake is complete
How Does It Work?
• The server sends SYN+ACK carrying a cookie value V
• When it receives the client's response, it checks the value the client acknowledges
• If it is V + 1 ⇒ it creates the connection
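The mechanism on this slide, as an added example that is not part of the original presentation or of the Ehrenkranz and Li paper: the server encodes the handshake state into the initial sequence number it sends with SYN+ACK, keeps nothing in memory, and later checks that the client's ACK number is that cookie + 1. The secret, the MSS table, the 5/2/25-bit cookie layout and the addresses are assumptions made for this example.

```python
import hashlib
import hmac
import socket
import struct

# Assumed values for this example (not from the slides): a per-server secret and a
# small MSS table; the cookie layout is modelled on the classic Bernstein scheme.
SERVER_SECRET = b"example-secret-rotate-me"
MSS_TABLE = [536, 1220, 1440, 1460]          # 2-bit index stored in the cookie
MASK32 = 0xFFFFFFFF

def syn_cookie(src_ip, dst_ip, src_port, dst_port, counter, mss_index, secret=SERVER_SECRET):
    """Server's initial sequence number for a SYN: [5-bit counter | 2-bit MSS | 25-bit MAC].
    Nothing is allocated for the half-open connection; the cookie *is* the state."""
    msg = struct.pack("!4s4sHHI", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                      src_port, dst_port, counter & MASK32)
    mac = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big") & 0x1FFFFFF
    return ((counter & 0x1F) << 27) | ((mss_index & 0x3) << 25) | mac

def verify_ack(src_ip, dst_ip, src_port, dst_port, ack_number, now_counter, secret=SERVER_SECRET):
    """Third handshake packet: the client's ACK number must be cookie + 1. Returns the MSS
    to use for the new connection, or None if the cookie is bad or too old (drop silently)."""
    cookie = (ack_number - 1) & MASK32
    counter_bits = cookie >> 27
    mss_index = (cookie >> 25) & 0x3
    # Accept the current counter or the previous one: a small latency/replay window.
    for c in (now_counter, now_counter - 1):
        if (c & 0x1F) != counter_bits:
            continue
        expected = syn_cookie(src_ip, dst_ip, src_port, dst_port, c, mss_index, secret)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return MSS_TABLE[mss_index]
    return None

def handshake_demo():
    """A client that really owns the address echoes cookie + 1; a guessed ACK number or a
    cookie from an expired counter window is rejected without any state ever being held."""
    client, server = ("10.0.0.5", 40000), ("192.0.2.10", 80)   # constructed endpoints
    cookie = syn_cookie(client[0], server[0], client[1], server[1], counter=7, mss_index=3)
    good = verify_ack(client[0], server[0], client[1], server[1], (cookie + 1) & MASK32, 7)
    guessed = verify_ack(client[0], server[0], client[1], server[1], (cookie + 2) & MASK32, 7)
    stale = verify_ack(client[0], server[0], client[1], server[1], (cookie + 1) & MASK32, 9)
    return good, guessed, stale

if __name__ == "__main__":
    print(handshake_demo())   # (1460, None, None)
```

A SYN from a spoofed source never produces a valid third packet, because the SYN+ACK (and with it the cookie) is delivered to the spoofed address, not to the sender. The counter window is what makes the cookie expire; the MAC is what stops an attacker from minting cookies for addresses it does not hold.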
Slide 12
IP Puzzles
A server sends an IP puzzle to a client
The client solves the puzzle by performing some computational task
The server allows the connection only after receiving the correct solution
The puzzle is sent to the host listed as the source address, not to the attacker
A correct solution therefore comes from the listed host ⇒ not the attacker
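A worked version of the puzzle exchange, added here and not taken from the slides or the paper: the server derives the puzzle nonce from the claimed source address with an HMAC (so it stores nothing per client), the client finds a counter that gives a hash with enough leading zero bits, and the server recomputes the nonce from the address the solution arrives from. The secret, the difficulty, the hash-prefix puzzle construction and the addresses are assumptions for this example.

```python
import hashlib
import hmac
import socket
import struct

SERVER_SECRET = b"example-puzzle-secret"   # assumed; a real server rotates this
DIFFICULTY = 16                             # leading zero bits required (constructed value)

def leading_zero_bits(digest):
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def issue_puzzle(claimed_ip, port, epoch, secret=SERVER_SECRET):
    """Server: derive the puzzle nonce from the *claimed* source address and a time epoch
    with an HMAC, so nothing is stored per client. The nonce is sent to claimed_ip."""
    msg = struct.pack("!4sHI", socket.inet_aton(claimed_ip), port, epoch)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]

def solve_puzzle(nonce, difficulty=DIFFICULTY):
    """Client: search for a counter such that sha256(nonce || counter) starts with
    `difficulty` zero bits. Cheap to verify, moderately expensive to find."""
    counter = 0
    while leading_zero_bits(hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()) < difficulty:
        counter += 1
    return counter

def verify_solution(arrival_ip, port, epoch, counter, secret=SERVER_SECRET, difficulty=DIFFICULTY):
    """Server: recompute the nonce from the address the solution actually arrives from.
    Only the host that received the nonce for that address can have produced a valid
    counter, so a spoofed address cannot be used to complete the exchange."""
    nonce = issue_puzzle(arrival_ip, port, epoch, secret)
    digest = hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty

def puzzle_demo():
    """The puzzle for 10.0.0.5 goes to 10.0.0.5; the solution validates for that address
    only. Constructed addresses and epoch."""
    listed_host, other_host, port, epoch = "10.0.0.5", "198.51.100.9", 40000, 1
    nonce = issue_puzzle(listed_host, port, epoch)     # delivered to the listed host only
    counter = solve_puzzle(nonce)
    return (verify_solution(listed_host, port, epoch, counter),
            verify_solution(other_host, port, epoch, counter))

if __name__ == "__main__":
    print(puzzle_demo())   # (True, False)
```

The point the slide makes is visible in `verify_solution`: the nonce is a function of the address the server talks to, so a valid solution is evidence that whoever sent it received the puzzle at that address. The epoch bounds how long a solved puzzle stays usable.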
Slide 13
Router-Based Defense Methods
Most host-based methods can also be used in routers
IPSec and IP puzzles have been used in routers
Slide 14
Ingress/Egress Filtering
Filtering packets before they enter or leave the local network
• before coming into the local network ⇒ ingress filtering
• before leaving the local network ⇒ egress filtering
The key is knowledge of the expected IP addresses at a particular port
Reverse Path Filtering (RPF) can help to build this knowledge
• A router knows which networks are reachable from each of its interfaces
• This is the routing table
It is not easy to obtain this knowledge in some networks with complicated topologies
Slide 15
Ingress/Egress Filtering
Drawbacks:
• Hard to deploy
• It cannot stop local spoofing (addresses spoofed within the local network)
• RPF may drop legitimate packets
• With less than 100% deployment, IEF is ineffective
Slide 16
Distributed Packet Filtering (DPF)
Routers throughout the network record the incoming direction of packets through their interfaces
• i.e., which interface receives packets with a particular source address
A router can detect a spoofed packet if it arrives on a different interface than expected
This limits the number of addresses attackers can use
Slide 17
Source Address Validity Enforcement (SAVE)
Filters packets based on their incoming direction
Every router maintains and updates its own incoming table
SAVE assumes all routers deploy SAVE
• Not feasible
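One model of the three router-side checks on the preceding slides (ingress/egress filtering built from the routing table with RPF, and the DPF/SAVE incoming table), added here as an example; it is not code from the presentation or from the paper. The topology, the routing table, the interface names and the packet list are constructed for the example. Running it over the sample packets shows each drawback the slides list: local spoofing inside a prefix passes, strict RPF drops a legitimate packet that arrives asymmetrically, and the learned incoming table lets that packet through.

```python
import ipaddress

# Constructed routing table for an edge router with three interfaces (assumed topology;
# not from the slides): two customer prefixes and a default route to the upstream.
ROUTES = {
    "10.1.0.0/16": "eth0",   # customer A
    "10.2.0.0/16": "eth1",   # customer B
    "0.0.0.0/0":   "eth2",   # upstream (default route)
}

def best_route(table, addr):
    """Longest-prefix match: the table entry the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best[1] if best else None

def strict_rpf(routes, src, in_iface):
    """Reverse path filtering built from the routing table: forward only if the route
    back to the packet's source points out the interface the packet arrived on.
    On eth2 this is ingress filtering; on a customer interface it is egress filtering."""
    return best_route(routes, src) == in_iface

def build_incoming_table(routes, learned=None):
    """DPF/SAVE-style incoming table: source prefix -> set of interfaces it may arrive on.
    Seeded from the routing table; `learned` adds directions a router has observed or
    received from neighbours (as SAVE propagates), which is what lets asymmetric routes pass."""
    table = {prefix: {iface} for prefix, iface in routes.items()}
    for prefix, ifaces in (learned or {}).items():
        table.setdefault(prefix, set()).update(ifaces)
    return table

def dpf_check(incoming, src, in_iface):
    """Accept if the arrival interface is one of the recorded incoming directions."""
    allowed = best_route(incoming, src)
    return allowed is not None and in_iface in allowed

# Constructed packets: (source address, arrival interface, what the case illustrates)
PACKETS = [
    ("10.1.2.3",    "eth0", "customer A host using its own address"),
    ("10.1.200.1",  "eth0", "customer A host spoofing a neighbour in the same prefix"),
    ("10.2.9.9",    "eth0", "customer A host spoofing customer B"),
    ("10.1.2.3",    "eth2", "packet from upstream claiming an internal source"),
    ("203.0.113.7", "eth0", "customer A host spoofing an external address"),
    ("203.0.113.7", "eth2", "ordinary packet from the Internet"),
    ("10.2.5.5",    "eth2", "multihomed customer B: legitimate, but arrives via upstream"),
]

def run_filters():
    """Verdicts (strict RPF, DPF incoming table) for each sample packet."""
    incoming = build_incoming_table(ROUTES, learned={"10.2.0.0/16": {"eth2"}})
    return {(src, iface): (strict_rpf(ROUTES, src, iface), dpf_check(incoming, src, iface))
            for src, iface, _ in PACKETS}

if __name__ == "__main__":
    for (src, iface, note), verdict in zip(PACKETS, run_filters().values()):
        print(f"{src:>12} on {iface}: rpf={verdict[0]!s:5} dpf={verdict[1]!s:5}  {note}")
```

The second packet is the "cannot stop local spoofing" case: any address inside 10.1.0.0/16 is expected on eth0, so a host there can impersonate its neighbours. The last packet is the "RPF may drop legitimate packets" case, and the reason DPF and SAVE track observed incoming directions rather than relying on the forwarding table alone.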
Slide 18
Hybrid Defenses
Utilize both router and host solutions
Routers mark packets as they travel
Hosts can take actions based on the marks
Slide 19
Path identifier (Pi)
Path identifier (Pi) was originally designed to defend against DoS attacks
It also provides an IP spoofing defense
Pi uses the IP fragmentation field to identify the path a packet traveled
The fragmentation field is marked along the path
• Each router along the path sets a bit of the fragmentation field
• When a packet reaches its destination the fragmentation field contains a marking that is almost unique
The end host does not know the path a packet has traveled, but if multiple packets have the same marking bits set, then
• it is highly likely that they have traveled the same path
Packets with the same source address but different markings can be filtered
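A small simulation of the Pi marking and the end-host filter described on this slide, added as an example; it is not code from the presentation or from the paper. Routers write one bit into the 16-bit identification field at a position taken from the TTL, and the end host keeps the marking it has seen for each source address. Assumptions made here: every source starts with TTL 64 (a known caveat of Pi), and each router's bit is the parity of its address bits rather than a hash of the address, so the markings can be checked by hand; the router addresses and paths are constructed.

```python
import ipaddress

ID_BITS = 16          # the IPv4 identification ("fragmentation") field is 16 bits wide
INITIAL_TTL = 64      # assumed: all sources start with the same TTL (a real Pi caveat)

def router_mark_bit(router_ip):
    """Marking bit for one router. Pi derives it from a hash of the router's address;
    here it is the parity of the address bits so the example is hand-checkable."""
    return bin(int(ipaddress.ip_address(router_ip))).count("1") & 1

def forward_packet(path, ident=0, ttl=INITIAL_TTL):
    """Carry a packet through `path` (router addresses in order). Each router decrements
    the TTL and writes its bit at position (ttl % 16); returns (ident, ttl) on arrival."""
    for router in path:
        ttl -= 1
        pos = ttl % ID_BITS
        ident = (ident & ~(1 << pos)) | (router_mark_bit(router) << pos)
    return ident, ttl

class PiFilter:
    """End-host side: remember the marking seen for each source address; a packet whose
    source address matches a known entry but whose marking differs is dropped."""
    def __init__(self):
        self.marking_for = {}

    def accept(self, src, ident):
        known = self.marking_for.setdefault(src, ident)
        return ident == known

# Constructed paths to the victim: the legitimate host's route and an attacker's route
# that shares the last two hops. Parity bits: .1 -> 0, .3 -> 1, .5 -> 1, .9 -> 1, .2 -> 0, .4 -> 0
PATH_A = ["192.0.2.1", "192.0.2.3", "192.0.2.5", "192.0.2.9"]
PATH_B = ["192.0.2.2", "192.0.2.4", "192.0.2.5", "192.0.2.9"]

def simulate():
    """Legitimate packets from 10.0.0.5 arrive over PATH_A; an attacker on PATH_B sends a
    packet with the same spoofed source. The filter keys on (source, marking)."""
    f = PiFilter()
    legit_ident, _ = forward_packet(PATH_A)
    spoof_ident, _ = forward_packet(PATH_B)
    return {
        "legit_first": f.accept("10.0.0.5", legit_ident),
        "legit_again": f.accept("10.0.0.5", legit_ident),
        "spoofed": f.accept("10.0.0.5", spoof_ident),
        "legit_marking": legit_ident,   # bits 14,13,12 set -> 0x7000
        "spoof_marking": spoof_ident,   # bits 13,12 set   -> 0x3000
    }

if __name__ == "__main__":
    print(simulate())
```

The shared tail of the two paths produces identical bits at positions 13 and 12; the paths are told apart only by the earlier hops. That is the "almost unique" qualifier on the slide: an attacker whose packets traverse the same routers as the legitimate host, or whose differing hops happen to produce the same bits, gets the same marking, so Pi narrows what a spoofer can do rather than eliminating it.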
Slide 21
References
Toby Ehrenkranz and Jun Li. On the state of IP spoofing defense. ACM Transactions on Internet Technology (TOIT), 9(2):6:1–6:??, May 2009.
Network security class
http://www.wikipedia.org/