Presentation is loading. Please wait.

Presentation is loading. Please wait.

IP Spoofing. What Is IP Spoofing Putting a fake IP address in the IP header field for source address (requires root)

Published byNickolas Stevens Modified over 8 years ago

Similar presentations

Presentation on theme: "IP Spoofing. What Is IP Spoofing Putting a fake IP address in the IP header field for source address (requires root)"— Presentation transcript:

1 IP Spoofing

2 What Is IP Spoofing Putting a fake IP address in the IP header field for source address (requires root)

3 Why Attackers Spoof? Hide their identity – Put a blame on someone else Confuse the defense – In DDoS, make traffic appear to come from many sources Acquire identity of a legitimate host – Leverage some trust relationship (e.g., bypass a firewall) – Hijack a TCP connection – Perform DNS hijacking

4 Ingress Filtering RFC 2827, BCP 38 – Collect a list of your prefixes P – Filter out outgoing traffic whose source IP is not from P – Filter out incoming traffic whose source IP is from P Sounds simple? – It took routers long time to put this kind of filtering on the fast path – Implementation may be tricky (multihoming) – It helps others, not you – It does not completely eliminate spoofing

5 Implementing Ingress Filtering ACL: Manually collect a list of your prefixes – Works for edge networks but not for ISPs there are way fewer ISPs (~ 6 K) than edge networks (~ 33 K) so implementing something at ISPs is faster – If a network is multihomed and does not update its new ISP with its prefixes it may lose traffic Strict reverse path forwarding – If my next hop to P is A then only A can send me traffic from P (however lots of routes are asymmetrical between ISPs)

6 Implementing Ingress Filtering Feasible reverse path forwarding – Remember all advertised next hops for P, one of them is a valid previous hop – Works correctly but lets some spoofed packets through Loose reverse path forwarding – Only drop packets if their source IP is not routable – Only 1/3 of the IPv4 space is routable so randomly spoofed packets would be dropped 2/3 of the time

7 Ingress Filtering w Multihoming Multihoming: having 2 or more upstream ISPs – For backup (but use only some) – For good performance (use the fastest one at the moment) or load balancing (use them equally) – Changing providers (temporary multihoming) A network may announce its prefixes only to one ISP (for incoming traffic) but use both for outgoing traffic or vice versa – This will lead to ingress filter drops at the ISP which is used only for outgoing traffic (ACL, strict RPF)

8 Ways Around Ingress Filtering? Announce P to both ISPs but send traffic only to ISP1 ISP1 ISP2 M2 and M3 can spoof S M1 can spoof S (subnet spoofing)

9 How Many Networks Can Spoof Spoofer project measures this – http://spoofer.caida.org/ http://spoofer.caida.org/ – Download an application, which will try to send spoofed traffic to a few hosts at CAIDA – A small percentage of hosts/nets/ASes (~10%)

10 Good Coverage

11 Who Can Spoof?

12 How Many Networks Can Spoof From http://spoofer.caida.org/ http://spoofer.caida.org/

13 Spoofing Increases Over Time From http://spoofer.caida.org/ http://spoofer.caida.org/

14 Filtering At Large Granularity From http://spoofer.caida.org/ http://spoofer.caida.org/

15 Filtering Near Sources From http://spoofer.caida.org/ http://spoofer.caida.org/

16 Small Networks More Spoofable From http://spoofer.caida.org/ http://spoofer.caida.org/

17 Commercial Networks More Spoofable From http://spoofer.caida.org/ http://spoofer.caida.org/

18 Other Spoofing Defenses Cryptographically sign your packets so that everyone can check they come from you – Crypto overhead – Must share keys with checkers – Needs wide coverage Build tables at ISPs, which tie some feature from the packet with the source prefix – Previous hop – Hop count – Packet mark

19 SPM, Passport Source puts some cryptographically secure information in each packet’s header – Routers and/or destination check it – No one else can spoof it – Requires key exchange between parties Mark could be unique to source only, or to source-destination pair or to source- destination-route tuple A. Bremler-Barr, H. Levy Spoofing Prevention Method In INFOCOM 2005

20 Route-based Filtering (RBF) Remember the previous hop that forwards traffic to you – The paper does not specify how to learn this information K. Park and H.Lee. On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets. In Proc. of ACM SIGCOMM, 2001.

21 Inter-domain Packet Filtering (IDPF) Remember all the possible previous hops that advertised a prefix to you – Any of them is feasible previous hop for that prefix – Feasible reverse path forwarding Z. Duan, X. Yuan, and J. Chandrashekar Controlling IP Spoofing through Inter-Domain Packet Filters, In IEEE Transactions on Dependable and Secure Computing, 2008

22 Stack PI (PiIP) Routers mark packets with unique identifier – At the destination this mark can be used to identify path traversed by traffic and for filtering – At the ISP this mark can be associated with source prefix and used to filter spoofed traffic A. Yaar, A. Perrig, D. Song StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense In IEEEE Journal on Selected Areas in Communications, 2006

23 Hop-count Filtering (HCF) Routers infer from packets the hop count between source and destination – Only a few choices for TTL start – Associate this hop count with source IP – Use it to detect/filter spoofed packets C. Yin, H. Wang, K. Shin Hop-count Filtering: An Effective Defense Against Spoofed DDoS Traffic, In ACM CCS 2003

24 Filter Table

25 Which Technique is Best? On the same topology Under sparse deployment Where should we deploy filters? J. Mirkovic, E. Kissel Comparative Evaluation of Spoofing Defenses In IEEE Transactions on Dependable and Secure Computing 2011

26 Can a filter F filter packet P P(s,d,p) – packet from source s to destination d spoofing address p Will it be filtered by F? – Filter F (s,d,p) = hit F (s,d)*diff F (s,p) Depends on whether F is on major paths Depends on the spoofing detection technique (incoming table diversity)

27 How To Choose Filters? Calculate how many (s,d,p) combinations can each filter out Choose so to maximize number of newly added combinations This is almost the same as if choosing by connectivity or AS size

28 How To Choose Filters? Calculate how many (s,d,p) combinations can each filter out Choose so to maximize number of newly added combinations This is almost the same as if choosing by connectivity or AS size

29 Performance Measures How many victims are protected from spoofing? TP How many victims are protected from reflector attacks? RAP How many sources cannot spoof? AI All measures between 0 and 1, with 1 being the best

30 Ingress Filtering

31 HCF

32 RBF, PiIP is similar

33 IDPF

34 SPM, Passport

35 Summary Route-based techniques work the best. The rest just don’t work in sparse deployment. Should be deployed at major ISPs. Open question “How to infer filter tables when routes change?”

Download ppt "IP Spoofing. What Is IP Spoofing Putting a fake IP address in the IP header field for source address (requires root)"

Similar presentations

Network support for DoS Protection Stefan Savage Dept of Computer Science and Engineering UC San Diego.

Network support for DoS Protection Stefan Savage Dept of Computer Science and Engineering UC San Diego.
06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.
Loose Source Routing as a Mechanism for Traffic Policies Katerina Argyraki and David R. Cheriton Presented by Thuan Huynh, Robert Patro, and Shomir Wilson.

Loose Source Routing as a Mechanism for Traffic Policies Katerina Argyraki and David R. Cheriton Presented by Thuan Huynh, Robert Patro, and Shomir Wilson.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
A Survey of Secure Wireless Ad Hoc Routing

A Survey of Secure Wireless Ad Hoc Routing
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.

Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.
Firewall Configuration Strategies

Firewall Configuration Strategies
Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.

Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Accurate Real-Time Identification of IP Prefix Hijacking Z. Morley Mao Xin Hu 2007 IEEE Symposium on and Privacy Oakland, California 2007 IEEE Symposium.

Accurate Real-Time Identification of IP Prefix Hijacking Z. Morley Mao Xin Hu 2007 IEEE Symposium on and Privacy Oakland, California 2007 IEEE Symposium.
On the Effectiveness of Route- Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets Kihong Park and Heejo Lee Network Systems.

On the Effectiveness of Route- Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets Kihong Park and Heejo Lee Network Systems.
1 Hop-Count Filtering: An Effective Defense Against Spoofed DDos Traffic Cheng Jin CS Department Caltech Pasadena Haining Wang CS Department College of.

1 Hop-Count Filtering: An Effective Defense Against Spoofed DDos Traffic Cheng Jin CS Department Caltech Pasadena Haining Wang CS Department College of.
Defense Against DDoS Presented by Zhanxiang for [Crab] Apr. 15, 2004.

Defense Against DDoS Presented by Zhanxiang for [Crab] Apr. 15, 2004.
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

Similar presentations

Ads by Google