Presentation is loading. Please wait.

Presentation is loading. Please wait.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

Published byKenneth Armstrong Modified over 9 years ago

Similar presentations

Presentation on theme: "IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense."— Presentation transcript:

1 IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense

2 Outlines IP Spoofing IP Spoofing Defense host-based Defensehost-based Defense Methods Router-Based Defense Methods Hybrid Defenses References Impersonation Hiding Reflection Cryptographic Solutions SYN Cookies IP Puzzles Ingress/Egress Filtering Distributed Packet Filtering (DPFDistributed Packet Filtering (DPF) Source Address Validity Enforcement (SAVE) Pi 2 IP Spoofing Defense

3 IP Spoofing Introduction Definition Creation of IP packets with source addresses different than those assigned to that host. Malicious use of IP Spoofing Impersonation Hiding Reflection Session hijack or reset Flood attack IP reflected attack 3 IP Spoofing Defense

4 Session hijack or reset Impersonation Attacker IP spoofed packet Src: Partner Dst: Victim Src: Victim Dst: Partner Assumes the partner has sent a packet, starts responding Partner Victim 4 IP Spoofing Defense

5 Flood attack Attacker Victim Src: Random Dst: Victim Hiding 5 IP Spoofing Defense

6 Reflection Smurf attacks DNS amplification attacks IP spoofing (reflection) DNS query DNS amplification Src: Victim Dst: Reflector IP spoofed packet A lot of reply without request Src: Reflector Dst: Victim Reply Reflector Victim Attacker 6 IP Spoofing Defense

7 IP Reflected Attacks 7 IP Spoofing Defense

8 DNS Amplification Attack 8 IP Spoofing Defense

9 Three classes of solutions 1 Host-based solutions No need to change network infrastructure Easy to deploy Too late for their reaction Router-based solutions Core or edge solutions Harder to deploy Most effective Hybrid solutions Routers + hosts 9 IP Spoofing Defense

10 Cryptographic Solutions Host-based solutions Require hand-shaking to set up secret keys between two hosts Communication between the two hosts can be encrypted Attacker cannot successfully spoof packets to create connection While IPSec is effective in many cases, it has some drawbacks Handshaking fails It is not feasible to require all hosts to connect through IPSec Encryption cost( time ) Encryption reduce the performance 10 IP Spoofing Defense

11 SYN Cookies Some servers use SYN cookies to prevent opening connections to spoofed source addresses The server with SYN cookies does not allocate resources until the 3-way handshake is complete How Does It Work? Server sends SYN+ACK with cookies V When it receives client’s response, it checks the V If it is cookie value + 1 ⇒ it creates the connection 11 IP Spoofing Defense

12 IP Puzzles A server sends an IP puzzle to a client The client solves the puzzle by some computational task The server allows to connect only after receiving the correct solution. The puzzle is sent to the listed hosts, not the attacker From the listed hosts ⇒ not the attacker 12 IP Spoofing Defense

13 Router-Based Defense Methods most host-based methods can be used in routers IPSec and IP puzzles have been used in routers 13 IP Spoofing Defense

14 Ingress/Egress Filtering Filtering packets before The key is the knowledge of expected IP address at a particular port Reverse Path filtering can help to build this knowledge coming to local network ⇒ ingress filtering before leaving local network ⇒ egress filtering It is not easy to obtain this knowledge in some networks with complicated topologies A router knows which networks are reachable from any of its interfaces. This is routing table 14 IP Spoofing Defense

15 Ingress/Egress Filtering Drawbacks: Hard to deployment It can not stop local spoofing RPF may drop legitimate packets With less than 100% deployment, IEF is ineffective 15 IP Spoofing Defense

16 Distributed Packet Filtering (DPF) Routers throughout the network maintain the incoming direction of a packet through their interfaces Which interface receives an packet with a particular source address A router can detect a spoofing packet if it arrives on a different interface This limits the number of addresses attackers can use 16 IP Spoofing Defense

17 Source Address Validity Enforcement (SAVE) Filters packets based on their incoming direction Every router maintains and update its own incoming table SAVE assumes all router deploy SAVE Not feasible 17 IP Spoofing Defense

18 Hybrid Defenses Utilizes both routers and hosts solutions Routers mark packets as they travel Hosts can take actions 18 IP Spoofing Defense

19 19 Path identifier (Pi) was originally designed to defend against DoS attacks It also provides an IP spoofing defense Pi uses IP fragmentation field to identify the path a packet traveled The fragmentation field is marked along the path Each router along the path sets a bit of the fragmentation field When a packet reaches its destination the fragmentation field contains a marking that is almost unique The end-host does not know the path a packet has traveled, but if multiple packets have the same marking bits set, then it is highly likely that they have traveled the same path Packets with the same source address, but different marking can be filtered Path identifier IP Spoofing Defense

20 20 Thank you If you have any questions please email at amjhb@hotmail.com IP Spoofing Defense

21 21 References On the state of IP spoofing defense. ACM Transactions on Internet Technology (TOIT), 9(2):6:1–6:??, May 2009. Network security class http://www.wikipedia.org/ IP Spoofing Defense

Download ppt "IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense."

Similar presentations

A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,

A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,
Security Issues In Mobile IP

Security Issues In Mobile IP
Using HIP to solve MULTI-HOMING IN IPv6 networks YUAN Zhangyi Beijing University of Posts and Telecommunications.

Using HIP to solve MULTI-HOMING IN IPv6 networks YUAN Zhangyi Beijing University of Posts and Telecommunications.
06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.

Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.
NETWORK SECURITY EE122 Section 12. QUESTION 1 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g.,

NETWORK SECURITY EE122 Section 12. QUESTION 1 SYN SYN ACK ACK Data RST ACK time A B Data RST ABRUPT TERMINATION  A sends a RESET (RST) to B  E.g.,
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Operating Systems Concepts 1/e Ruth Watson Chapter 11 Chapter 11 Network Maintenance Ruth Watson.

Operating Systems Concepts 1/e Ruth Watson Chapter 11 Chapter 11 Network Maintenance Ruth Watson.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.

Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
2005 Stanford Computer Systems Lab Flow Cookies Bandwidth Amplification as Flooding Defense Martin Casado, Pei Cao Niels Provos.

2005 Stanford Computer Systems Lab Flow Cookies Bandwidth Amplification as Flooding Defense Martin Casado, Pei Cao Niels Provos.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Similar presentations

Ads by Google