
Controlling IP Spoofing via Inter-Domain Packet Filters
Zhenhai Duan, Department of Computer Science, Florida State University



2 IP Spoofing
What is IP spoofing?
–The act of faking the source IP address of a packet
–Used by many DDoS attacks, e.g. the high-profile DDoS attack on the root DNS servers in early February 2006
Why does it remain popular?
–Hard to isolate attack traffic from legitimate traffic
–Hard to pinpoint the true attacker
–Many attacks rely on IP spoofing: man-in-the-middle attacks such as TCP hijacking and DNS poisoning, and reflector-based attacks

3 Route-Based Packet Filters [PL01]
Based on the observation that
–Attackers can spoof the source address,
–But they cannot control the route packets take
How it works
–Packets are only allowed on the best path from source to destination
Requirement
–Filters need to know global topology information
–Not available in the path-vector based Internet routing system
Our objectives
–Is it possible to construct packet filters without global topology information?
–If it is possible, what is the performance?

4 Internet Routing Architecture
Consists of a large number of network domains,
–Or Autonomous Systems (ASes)
–About 25,000 at the time of this talk (2006)
Three common AS relationships
–Provider-customer
–Peering
–Sibling

5 Internet Inter-Domain Routing
Border Gateway Protocol (BGP), a policy-based routing protocol
–Import policies: which route is more preferred
–Route selection: which route should be chosen as the best route
–Export policies: to which neighbors should I announce the best route
AS relationships determine routing policies
A net effect of routing policies is that they limit the possible paths between each AS pair.

6 Topological Routes vs. Feasible Routes
Topological routes
–Loop-free paths between a pair of nodes
Feasible routes
–Loop-free paths between a pair of nodes that do not violate routing policies
[Figure: five-node example, nodes s, a, b, c, d]
Topological routes from s to d: s a d, s b d, s a b d, s a c d, s b a d, s b c d, s a b c d, s a c b d, s b a c d, s b c a d
Feasible routes from s to d: s a d, s b d

7 Assumptions on Import/Export Policies
Import policies [table not in transcript]
Export policies [table not in transcript]
These policies are commonly used on the current Internet

8 Inter-Domain Packet Filters (IDPF)
Filtering packets based on feasible routes
–Packets can only travel on feasible routes from s to d
Inferring feasible routes
–If u is a feasible upstream neighbor of v for packet M(s, d), node u must have exported to v its best route to reach s.

9 Constructing IDPF
Node v accepts packet M(s, d) forwarded by node u if and only if u has exported to v its best route to reach s
IDPFs allow traffic to go through any feasible route
–Correct in that they do not drop valid packets
–May affect performance compared to route-based filtering

10 Performance
IDPF has two effects
–Reducing the number of prefixes that can be spoofed
–Localizing the true source of spoofed packets
Since IDPF finds a set of feasible paths instead of one best route, its performance will not be as good as the ideal route-based packet filters [PL01]
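The rule of slides 8 and 9, the feasible-route notion of slide 6 and the performance gap stated on slide 10, worked through in runnable Python. This is an added example, not the authors' code or data: the five-node graph is the one drawn on slide 6, but the AS relationships (d a provider of a, b and c; a and b providers of s; a-b, a-c and b-c peering) and the valley-free import/export policies are assumptions, since the slide 7 tables did not survive in the transcript. All function names (simulate_bgp, idpf_accept, feasible, passes_idpfs, spoofable_sources, possible_upstreams) are the example's own. The simulation runs BGP to a fixed point, records for each node v which neighbor u exported a route for which destination, and then applies the IDPF check "accept M(s, d) from u iff u exported to v a route to s". Under these assumptions the feasible routes from s to d come out as exactly s a d and s b d, as on slide 6; the IDPFs additionally let s a b d and s b a d through, which is the over-acceptance slide 10 refers to; and an attacker at c cannot make d accept any source but c.

```python
"""Toy IDPF derived from a simulated BGP export (added example, not the paper's code).
The graph is the five-node one of slide 6 (s, a, b, c, d). ASSUMED, since the slides
do not say: d is a provider of a, b and c; a and b are providers of s; a-b, a-c, b-c
peer. Import/export policies are ASSUMED to be the usual valley-free ones (slide 7's
tables are not in the transcript): prefer customer over peer over provider routes;
export own and customer-learned routes to everyone, other routes only to customers."""
from collections import defaultdict

NODES = ["s", "a", "b", "c", "d"]
PROVIDER_OF = {("d", "a"), ("d", "b"), ("d", "c"), ("a", "s"), ("b", "s")}  # (provider, customer)
PEERS = {frozenset(p) for p in (("a", "b"), ("a", "c"), ("b", "c"))}
PREF = {"own": 0, "customer": 1, "peer": 2, "provider": 3}  # import preference, lower wins

def relation(u, v):
    """How u sees v: 'customer', 'provider', 'peer', or None if not adjacent."""
    if (u, v) in PROVIDER_OF:
        return "customer"
    if (v, u) in PROVIDER_OF:
        return "provider"
    return "peer" if frozenset((u, v)) in PEERS else None

def neighbors(u):
    return [v for v in NODES if v != u and relation(u, v)]

def may_export(u, v, learned_via):
    """Export policy: own/customer routes go to all neighbors, the rest only to customers."""
    return learned_via in ("own", "customer") or relation(u, v) == "customer"

def rank(route):
    """Route selection: import preference, then AS-path length, then a fixed tie-break."""
    via, path = route
    return (PREF[via], len(path), path)

def simulate_bgp():
    """Policy-based path-vector routing iterated to a fixed point. Returns (best, exported):
    best[v][x] = (learned_via, as_path) is v's best route to x; exported[v][u] is the set of
    destinations for which neighbor u exported its best route to v (all an IDPF at v needs)."""
    best = {x: {x: ("own", [x])} for x in NODES}
    changed = True
    while changed:  # terminates: a node only switches to a strictly better-ranked route
        changed = False
        for u in NODES:
            for x, (via, path) in list(best[u].items()):
                for v in neighbors(u):
                    if v in path or not may_export(u, v, via):
                        continue
                    cand = (relation(v, u), [v] + path)
                    if x not in best[v] or rank(cand) < rank(best[v][x]):
                        best[v][x] = cand
                        changed = True
    exported = defaultdict(lambda: defaultdict(set))
    for u in NODES:
        for x, (via, path) in best[u].items():
            for v in neighbors(u):
                if v not in path and may_export(u, v, via):
                    exported[v][u].add(x)
    return best, exported

def idpf_accept(exported, v, u, s):
    """IDPF rule (slides 8-9): v accepts M(s, d) from u iff u exported to v its best route to s."""
    return s in exported[v][u]

def simple_paths(src, dst):
    """Topological routes (slide 6): all loop-free paths from src to dst."""
    found = []
    def walk(path):
        if path[-1] == dst:
            found.append(path)
            return
        for n in neighbors(path[-1]):
            if n not in path:
                walk(path + [n])
    walk([src])
    return found

def feasible(exported, path):
    """Feasible route (slide 6): each node's next hop exported it a route to the destination."""
    d = path[-1]
    return all(d in exported[path[i]][path[i + 1]] for i in range(len(path) - 1))

def passes_idpfs(exported, path):
    """Is a packet M(path[0], path[-1]) accepted by the IDPF at every hop along path?"""
    s = path[0]
    return all(idpf_accept(exported, path[i + 1], path[i], s) for i in range(len(path) - 1))

def spoofable_sources(exported, attacker, victim):
    """Sources an adjacent attacker can claim and still pass the victim's IDPF (cf. AttackFraction)."""
    return set(exported[victim][attacker])

def possible_upstreams(exported, victim, spoofed_src):
    """Neighbors a packet claiming spoofed_src can have arrived through (cf. VictimTraceFraction)."""
    return {u for u in neighbors(victim) if idpf_accept(exported, victim, u, spoofed_src)}

if __name__ == "__main__":
    _, exported = simulate_bgp()
    for p in simple_paths("s", "d"):
        print(" ".join(p), "feasible" if feasible(exported, p) else "infeasible",
              "| passes all IDPFs" if passes_idpfs(exported, p) else "| dropped")
    for atk in "abc":
        print(f"{atk} -> d may claim sources {sorted(spoofable_sources(exported, atk, 'd'))}")
```

Two design points are worth noting. The IDPF at v keeps no topology: its whole state is the per-neighbor set of sources each neighbor has announced to it, which is exactly what a BGP speaker already has in its Adj-RIB-In, so the filter can be built without the global view route-based filtering needs. And because the check depends only on (u, s), never on d, a packet is accepted on every feasible route and also on some infeasible ones (s a b d here), which is where the gap to ideal route-based filtering comes from.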

11 Performance Metrics [PL01]
VictimFraction( )
–Proportion of ASes for which, if attacked, the attacker can spoof at most the given number of ASes
–Effectiveness of IDPFs in protecting ASes against spoofing attacks
–VictimFraction(1): immunity to all spoofing attacks
AttackFraction( )
–Proportion of ASes from which an attacker can forge the addresses of at most the given number of ASes
–Effectiveness of IDPFs in limiting the spoofing capability of attackers
–AttackFraction(1): fraction of ASes from which an attacker cannot spoof others' addresses
VictimTraceFraction( )
–Proportion of ASes being attacked that can localize the true origin to within the given number of ASes
–Effectiveness of IDPFs in reducing traceback efforts
–VictimTraceFraction(1): fraction of ASes that can trace spoofed traffic to its true origin (AS)

12 Data Sets
4 AS graphs from the BGP data archived by the Oregon Route Views Project.

13 Experimental Settings
Determine the feasible paths based on the BGP update logs.
Use the shortest path as the route (added to the feasible paths if the shortest path is not one of them)
Selecting the nodes that deploy IDPF
–Random (rnd30/rnd50)
–Vertex cover (VC)
–Unless mentioned otherwise, IDPF nodes also perform network ingress filtering.

14 VictimFraction (G2004c)
Effectiveness of IDPFs in protecting ASes from spoofing attacks
–VictimFraction(1) is zero unless all nodes support IDPFs
–It is very hard to protect ASes from all spoofing attacks

15 AttackFraction (G2004c)
Effectiveness of IDPFs in limiting the spoofing capability of attackers
–AttackFraction(1) = 80.8%, 59.2%, and 36.2% for the three IDPF placements, respectively
–IDPFs are very effective in limiting spoofing capability

16 VictimTraceFraction (G2004c)
Effectiveness of IDPFs in reducing traceback effort
–VictimTraceFraction(28) = 1: all ASes can localize attackers to at most 28 ASes with the VC IDPF placement

17 Filtering with Precise Routing Info vs BGP
[Figure: G2004c, VC placement]

18 IDPFs with/without Network Ingress Filtering
[Figure: G2004c, VC placement]

19 Related Work
Route-Based Packet Filters [SIGCOMM01]
Unicast Reverse Path Forwarding (uRPF) [RFC1812]
Unicast Reverse Path Forwarding, loose mode [Cisco]
Hop-Count Filtering [CCS03]
Path Identification / StackPi [SSP03]/[JSAC06]
Source Address Validation Enforcement (SAVE) [INFOCOM02]
Spoofing Prevention Method [INFOCOM05]
Network Ingress Filtering [RFC2267]
Bogon Route Server Project [Cymru]

20 Summary
We proposed an Inter-Domain Packet Filters (IDPF) architecture and studied its performance.
IDPF can effectively limit the spoofing capability of attackers even when partially deployed, and improves the accuracy of IP traceback.
More performance studies in
–"Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates", INFOCOM 2006
–And its technical report version

21 Routing Policy Complications
Some ASes do not follow the import/export policies assumed in IDPFs
–Requires restricted traffic forwarding to work with IDPFs

22 Impact of Routing Dynamics
IDPFs work well under the routing dynamics caused by network failure events
During routing dynamics caused by new network announcements (or recovery from a fail-down event), IDPFs may drop valid packets and may also fail to detect spoofed packets
–However, reachability information propagates much faster than failure information

