Presentation is loading. Please wait.

Presentation is loading. Please wait.

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.

Published byZoey Beanland Modified over 9 years ago

Similar presentations

Presentation on theme: "06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu."— Presentation transcript:

1 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu

2 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.2 ip spoofing creation of IP packets with source addresses other than those assigned to that host

3 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.3 Malicious uses with IP spoofing impersonation –session hijack or reset hiding –flooding attack reflection –ip reflected attack

4 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.4 impersonation sender ip spoofed packet victim partner dst: victim src: partner Oh, my partner sent me a packet. I’ll process this.

5 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.5 hiding sender victim ip spoofed packet dst: victim src: random Oops, many packets are coming. But, who is the real source?

6 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.6 reflection sender ip spoofed packet reply packet victim reflector src: victim dst: reflector dst: victim src: reflector Oops, a lot of replies without any request…

7 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.7 ip reflected attacks smurf attacks –icmp echo (ping) –ip spoofing(reflection) –amplification(multiple replies) dns amplification attacks –dns query –ip spoofing(reflection) –amplification(bigger reply/multiple replies)

8 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.8 amplification Sender 1. multiple replies 2. bigger reply

9 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.9 attacker ip reflected attacks ip spoofed packets replies victim open amplifier

10 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.10 smurf attack ip spoofed ping ICMP echo replies victim Attacker

11 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.11 dns amplification attack ip spoofed DNS queries DNS replies victim DNS Attacker DNS

12 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.12 relations – dns amp attack DNS victim Command&Control DNS stub-resolvers full-resolvers root-servers tld-servers example-servers botnet IP spoofed DNS queries

13 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.13 attacker solutions for ip reflected attacks ip spoofed packets replies victim open amplifier prevent ip spoofing disable open amplifiers

14 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.14 two solutions disable ‘open amplifier’ –disable ‘directed-broadcast’ –disable ‘open recursive DNS server’ contents DNS server should accept queries from everyone, but service of resolver (cache) DNS server should be restricted to its customer. prevent ip spoofing!! –source address validation –BCP38 & BCP84

15 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.15 Source Address Validation Check the source ip address of ip packets –filter invalid source address –filter close to the packets orign as possible –filter precisely as possible If no networks allow ip spoofing, we can eliminate these kinds of attacks

16 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.16 close to the origin we can check and drop the packets which have unused address everywhere, but used space can be checked before aggregation 10.0.0.0/23 10.0.3.0/24 You are spoofing! Hmm, this looks ok...but.. RT.aRT.b You are spoofing! srcip: 10.0.0.1 srcip: 0.0.0.0 srcip: 10.0.0.1 srcip: 0.0.0.0 × × × × You are spoofing! srcip: 10.0.0.1 × You are spoofing!

17 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.17 how to configure the checking ACL –packet filter –permit valid-source, then drop any uRPF check –check incoming packets using ‘routing table’ –look-up the return path for the source ip address –loose mode can’t stop ip reflected attacks use strict mode or feasible mode

18 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.18 cisco ACL example customer network 192.168.0.0/24 ip access-list extended fromCUSTMER permit ip 192.168.0.0 0.0.255.255 any permit ip 10.0.0.0 0.0.0.3 any deny ip any any ! interface Gigabitethernet0/0 ip access-group fromCUSTOMER in ! point-to-point 10.0.0.0/30 ISP Edge Router

19 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.19 juniper ACL example customer network 192.168.0.0/24 firewall family inet { filter fromCUSTOMER { term CUSTOMER { from source-address { 192.168.0.0/16; 10.0.0.0/30; } then accept; } term Default { then discard; } [edit interface ge-0/0/0 unit 0 family inet] filter { input fromCUSTOMER; } point-to-point 10.0.0.0/30 ISP Edge Router

20 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.20 cisco uRPF example customer network 192.168.0.0/24 interface Gigabitethernet0/0 ip verify unicast source reachable-via rx point-to-point 10.0.0.0/30 ISP Edge Router

21 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.21 juniper uRPF example customer network 192.168.0.0/24 [edit interface ge-0/0/0 unit 0 family inet] rpf-check; point-to-point 10.0.0.0/30 ISP Edge Router

22 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.22 IIJ’s policy peer ISP upstream ISP customer ISP multi homed static customer single homed static customer IIJ/AS2497 uRPF strict mode uRPF loose mode

23 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.23 ACL and uRPF ACL –deterministic statically configured –maintenance of access-list  uRPF –easy to configure –care about asymmetric routing  strict mode is working well only for symmetric routing loose mode can’t stop the ip reflected attack there is no good implementation of feasible mode

24 06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.24 END

Download ppt "06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu."

Similar presentations

Network Layer Delivery Forwarding and Routing

Network Layer Delivery Forwarding and Routing
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
Chapter 1 The Study of Body Function Image PowerPoint

Chapter 1 The Study of Body Function Image PowerPoint
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 5 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 5 Author: Julia Richards and R. Scott Hawley.
1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.

1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.

By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.
Packet filtering using cisco access listsINET97 / track 2 # 1 packet filters using cisco access lists Fri 19 June 97.

Packet filtering using cisco access listsINET97 / track 2 # 1 packet filters using cisco access lists Fri 19 June 97.
Security Issues In Mobile IP

Security Issues In Mobile IP
Chapter 1 Image Slides Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Chapter 1 Image Slides Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Multihoming and Multi-path Routing

Multihoming and Multi-path Routing
Multihoming and Multi-path Routing

Multihoming and Multi-path Routing
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Title Subtitle.

Title Subtitle.
1 Linux IP Masquerading Brian Vargyas XNet Information Systems.

1 Linux IP Masquerading Brian Vargyas XNet Information Systems.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
Addition Facts 1 - 20.

Addition Facts
Year 6 mental test 5 second questions

Year 6 mental test 5 second questions
INTERNET PROTOCOLS Class 9 CSCI 6433 David C. Roberts Entire contents copyright 2011, David C. Roberts, all rights reserved.

INTERNET PROTOCOLS Class 9 CSCI 6433 David C. Roberts Entire contents copyright 2011, David C. Roberts, all rights reserved.
Student Guide www.visioninfosystems.org Access List.

Student Guide Access List.

Similar presentations

Ads by Google