Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State University Jaideep Chandrashekar Department of Computer Science University of Minnesota

Outline: –Background IP spoofing Route based packet filtering –Related BGP concepts –Inter-domain Packet Filters (IDPF) General idea Assumptions Technique to compute the filters –Performance –Conclusion

IP spoofing: –Forging the source address –Used by many popular DDOS attacks –Making it difficulty to defend again attacks. A D C B Y X

Route based packet filtering [K. Park, SIGCOMM 2001] –One can fake the identity, but not the route. –A router can decide whether it is in the path from the source to the destination and drop packets that are not supposed to be there. A D C B Y X

Route based packet filtering Requirement: –The router must know the route between any pair of source and destination addresses. Global topology information Not available in BGP. Is it possible to build route based packet filters from BGP updates? If it is possible, what is the performance?

BGP: –Autonomous Systems (ASes) are the basic units The network can be modeled as an AS graph Nodes are ASes and edges are BGP sessions Nodes own network prefixes and exchange BGP route updates to learn the reachability of prefixes Attributes associated with routes: AS path, prefix. –Policy based routing: Import Route selection Export

BGP: –Routing policies are usually decided by the AS relation Provider-customer Peer-peer Sibling-sibling

Inter Domain Packet Filters (IDPF): –IDPF decides feasible routes under BGP –Feasible routes in BGP are constrained by routing policies (AS relation)

–Path constrained by the routing policies

Assumptions in our scheme: Export rules: MUST export Import rules:

Inferring the feasible paths: –If u is a feasible upstream neighbor of v for packet M(s, d), node u must have exported to v its best route to reach s.

Building IDPF: –Node v accepts packet M(s, d) forwarded by node u if and only if –IDPFs allow traffic to go through any feasible route May affect the performance No problem in the path exploration phase.

Routing policy complication: –Selective announcements: –r5: restricted conditional advertisement

Performance: –IDPF has two effects Reducing the number of prefixes that can be spoofed Localizing the source of spoofed packets –IDPF finds a set of feasible paths instead of one best route, its performance will not be as good as the ideal route based packet filters [Park 2001]

Performance metrics [Park 2001]: – : the proportion of ASes that if attacked by an attacker, the attacker can at most spoof ASes. – : the proportion of ASes from which an attacker can forge addresses of at most ASes. – : the proportion of ASes being attacked that can localize the true origin within ASes.

Data Set: –4 AS graphs from the BGP data achieved by the Oregon Route Views Project.

Experimental setting –Determine the feasible paths based on update logs. –Use shortest path as the route (add if the shortest path is not a feasible path) –Selecting nodes that deploy IDPF Random (rnd30/rnd50) Vertex cover If not mentioned specifically, IDPF nodes also have network ingress filtering.

Conclusion: –We proposed an Inter-domain Packet Filters architecture (IDPF) and studied it performance. –IDPF can limit the spoofing capability of attackers even when partially deployed and improves the accuracy of IP traceback. –IDPF provides local incentives for deployment.