Prevent DoS using IP source address spoofing
MATSUZAKI ‘maz’ Yoshinobu, Internet Initiative Japan Inc.
06-Sep-2006, Copyright (C) 2006 Internet Initiative Japan Inc.


2 ip spoofing
  creation of IP packets with source addresses other than those assigned to that host

3 Malicious uses with IP spoofing
  impersonation
  –session hijack or reset
  hiding
  –flooding attack
  reflection
  –ip reflected attack

4 impersonation
  (diagram) the sender sends an ip spoofed packet to the victim with dst: victim, src: partner
  victim: "Oh, my partner sent me a packet. I’ll process this."

5 hiding
  (diagram) the sender sends ip spoofed packets to the victim with dst: victim, src: random
  victim: "Oops, many packets are coming. But, who is the real source?"

6 reflection
  (diagram) the sender sends an ip spoofed packet to the reflector with src: victim, dst: reflector;
  the reflector sends its reply packet with dst: victim, src: reflector
  victim: "Oops, a lot of replies without any request…"

7 ip reflected attacks
  smurf attacks
  –icmp echo (ping)
  –ip spoofing (reflection)
  –amplification (multiple replies)
  dns amplification attacks
  –dns query
  –ip spoofing (reflection)
  –amplification (bigger reply / multiple replies)

8 amplification
  (diagram) Sender
  1. multiple replies
  2. bigger reply

9 ip reflected attacks
  (diagram) attacker → ip spoofed packets → open amplifier → replies → victim

10 smurf attack
  (diagram) Attacker → ip spoofed ping → ICMP echo replies → victim

11 dns amplification attack
  (diagram) Attacker → ip spoofed DNS queries → DNS servers → DNS replies → victim

12 relations – dns amp attack
  (diagram elements) Command&Control, botnet, IP spoofed DNS queries, stub-resolvers, full-resolvers, root-servers, tld-servers, example-servers, DNS, victim

13 solutions for ip reflected attacks
  (diagram) attacker → ip spoofed packets → open amplifier → replies → victim
  prevent ip spoofing
  disable open amplifiers

14 two solutions
  disable ‘open amplifier’
  –disable ‘directed-broadcast’
  –disable ‘open recursive DNS server’
    a contents DNS server should accept queries from everyone, but the service of a resolver (cache) DNS server should be restricted to its customers.
  prevent ip spoofing!!
  –source address validation
  –BCP38 & BCP84

15 Source Address Validation
  Check the source ip address of ip packets
  –filter invalid source addresses
  –filter as close to the packet’s origin as possible
  –filter as precisely as possible
  If no networks allow ip spoofing, we can eliminate these kinds of attacks

16 close to the origin
  we can check and drop packets which have an unused address everywhere, but used address space can only be checked before aggregation
  (diagram: routers RT.a and RT.b; packets with several srcip values are marked × and rejected with "You are spoofing!" at the router nearest the origin, while the aggregating router can only say "Hmm, this looks ok...but.."; the prefix values in the diagram are not recoverable)

17 how to configure the checking
  ACL
  –packet filter
  –permit valid-source, then drop any
  uRPF check
  –check incoming packets using the ‘routing table’
  –look up the return path for the source ip address
  –loose mode can’t stop ip reflected attacks; use strict mode or feasible mode

18 cisco ACL example
  (topology: customer network /24, point-to-point /30, ISP Edge Router; the address values are not recoverable from the transcript)
    ip access-list extended fromCUSTOMER
     permit ip <customer /24 network + wildcard> any
     permit ip <point-to-point /30 network + wildcard> any
     deny ip any any
    !
    interface GigabitEthernet0/0
     ip access-group fromCUSTOMER in
    !

19 juniper ACL example
  (topology: customer network /24, point-to-point /30, ISP Edge Router; the address values are not recoverable from the transcript)
    firewall {
        family inet {
            filter fromCUSTOMER {
                term CUSTOMER {
                    from {
                        source-address {
                            <customer prefix>/16;
                            <point-to-point prefix>/30;
                        }
                    }
                    then accept;
                }
                term Default {
                    then discard;
                }
            }
        }
    }
    [edit interfaces ge-0/0/0 unit 0 family inet]
    filter {
        input fromCUSTOMER;
    }

20 cisco uRPF example
  (topology: customer network /24, point-to-point /30, ISP Edge Router)
    interface GigabitEthernet0/0
     ip verify unicast source reachable-via rx

21 juniper uRPF example
  (topology: customer network /24, point-to-point /30, ISP Edge Router)
    [edit interfaces ge-0/0/0 unit 0 family inet]
    rpf-check;

22 IIJ’s policy
  (diagram) IIJ/AS2497 connected to: peer ISP, upstream ISP, customer ISP, multi homed static customer, single homed static customer; each link is labelled either uRPF strict mode or uRPF loose mode (the per-link assignment is shown only in the diagram)

23 ACL and uRPF
  ACL
  –deterministic, statically configured
  –maintenance of the access-list
  uRPF
  –easy to configure
  –care about asymmetric routing
    strict mode is working well only for symmetric routing
    loose mode can’t stop the ip reflected attack
    there is no good implementation of feasible mode
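As an added example (not from the slides), a small Python model of the three checks described on slides 17 and 23, run over a constructed routing table: an ACL allow list, uRPF loose mode and uRPF strict mode. The interface names, prefixes and sample packets are assumptions; the model shows why loose mode passes a source spoofed as the victim and why strict mode mis-drops legitimate traffic under asymmetric routing.

```python
import ipaddress
from typing import Optional

# Constructed FIB for an ISP edge router (sample data, not from the slides):
# destination prefix -> interface through which that prefix is reached.
FIB = {
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/0",  # single-homed customer
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/1",   # peer; the attack's victim
    ipaddress.ip_network("192.0.2.0/24"): "Gi0/2",     # reachable via upstream
}

# Static ACL allow list applied inbound on the customer interface Gi0/0,
# in the shape of the cisco/juniper examples: permit valid sources, drop the rest.
CUSTOMER_ACL = [ipaddress.ip_network("198.51.100.0/24")]


def return_path(src: str) -> Optional[str]:
    """Longest-prefix match on the source address: the interface a reply
    to that address would leave on, or None if the address is unrouted."""
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, ifc) for net, ifc in FIB.items() if addr in net]
    return max(matches)[1] if matches else None


def urpf_loose(src: str, ingress: str) -> bool:
    """Loose mode: accept if any route to the source exists; ingress is ignored."""
    return return_path(src) is not None


def urpf_strict(src: str, ingress: str) -> bool:
    """Strict mode: accept only if the return path to the source leaves via
    the interface the packet arrived on (assumes symmetric routing)."""
    return return_path(src) == ingress


def acl_permit(src: str) -> bool:
    """Packet filter on Gi0/0: permit listed valid sources, then drop any."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_ACL)


def check(src: str, ingress: str) -> dict:
    """Verdict of each mechanism for one packet (src address, ingress interface)."""
    return {"acl": acl_permit(src), "loose": urpf_loose(src, ingress),
            "strict": urpf_strict(src, ingress)}


if __name__ == "__main__":
    for src, ingress in [("198.51.100.7", "Gi0/0"),  # legitimate customer packet
                         ("203.0.113.9", "Gi0/0"),   # source spoofed as the victim
                         ("10.0.0.5", "Gi0/0")]:     # unrouted (unused) source
        print(src, ingress, check(src, ingress))
```

The spoofed-victim packet is dropped by the ACL and by strict mode but passes loose mode, since the victim's prefix is in the routing table; the same victim address arriving on Gi0/2 fails strict mode even when legitimate, which is the asymmetric-routing caveat from slide 23.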

24 END
