Controlling IP Spoofing via Inter-Domain Packet Filters
Zhenhai Duan, Department of Computer Science, Florida State University

IP Spoofing
• What is IP spoofing?
  – The act of faking the source IP address of a packet
  – Used by many DDoS attacks
• High-profile DDoS attack on the root DNS servers in early February 2006
• Why does it remain popular?
  – Hard to isolate attack traffic from legitimate traffic
  – Hard to pinpoint the true attacker
  – Many attacks rely on IP spoofing
    • Man-in-the-middle attacks such as TCP hijacking and DNS poisoning
    • Reflector-based attacks
[figure: nodes s, a, b, c, d; spoofed packets sent toward d]

Route-Based Packet Filters [PL01]
• Based on an observation
  – Attackers can spoof the source address,
  – but they cannot control the route their packets take
• How it works
  – Packets are only allowed on the best path from source to destination
• Requirement
  – Filters need to know global topology information
  – Not available in a path-vector based Internet routing system
[figure: nodes s, a, b, c, d]
• Our objectives
  – Is it possible to construct packet filters without global topology information?
  – If it is possible, what is the performance?

Internet Routing Architecture
• Consists of a large number of network domains,
  – or Autonomous Systems (ASes)
  – About 25,000 at the time of this talk
• Three common AS relationships
  – Provider-customer
  – Peering
  – Sibling
[figure: example AS graph with nodes X, Y, A, B, C, D, E, F, G]

Internet Inter-Domain Routing
• Border Gateway Protocol (BGP), a policy-based routing protocol
  – Import policies
    • Which route is more preferred
  – Route selection
    • Which route should be chosen as the best route
  – Export policies
    • To which neighbors should I announce the best route
• AS relationships determine routing policies
• A net effect of routing policies is that they limit the possible paths between each AS pair.

Topological Routes vs. Feasible Routes
• Topological routes
  – Loop-free paths between a pair of nodes
• Feasible routes
  – Loop-free paths between a pair of nodes that do not violate routing policies
[figure: nodes s, a, b, c, d]
  – Topological routes from s to d: sad, sbd, sabd, sacd, sbad, sbcd, sabcd, sacbd, sbacd, sbcad
  – Feasible routes from s to d: sad, sbd

Assumptions on Import/Export Policies
• Import policies
• Export policies
• These policies are commonly used on the current Internet

Inter-Domain Packet Filters (IDPF)
• Filtering packets based on feasible routes
  – Packets can only travel on feasible routes from s to d
• Inferring feasible routes
  – If u is a feasible upstream neighbor of v for packet M(s, d), node u must have exported to v its best route to reach s.

Constructing IDPF
• Node v accepts packet M(s, d) forwarded by node u if and only if u has exported to v a route to reach s, i.e. u is a feasible upstream neighbor of v for M(s, d)
• IDPFs allow traffic to go through any feasible route
  – Correct in that they do not drop valid packets
  – May affect the performance compared to route-based filtering

Performance
• IDPF has two effects
  – Reducing the number of prefixes that can be spoofed
  – Localizing the true source of spoofed packets
• Because IDPF finds a set of feasible paths instead of one best route, its performance will not be as good as the ideal route-based packet filters [PL01]

Performance Metrics [PL01]
• VictimFraction( )
  – Proportion of ASes for which, if attacked, the attacker can spoof at most ( ) ASes
  – Effectiveness of IDPFs in protecting ASes against spoofing attacks
  – VictimFraction(1): immunity to all spoofing attacks
• AttackFraction( )
  – Proportion of ASes from which an attacker can forge the addresses of at most ( ) ASes
  – Effectiveness of IDPFs in limiting the spoofing capability of attackers
  – AttackFraction(1): fraction of ASes from which an attacker cannot spoof others' addresses
• VictimTraceFraction( )
  – Proportion of ASes being attacked that can localize the true origin to within ( ) ASes
  – Effectiveness of IDPFs in reducing traceback efforts
  – VictimTraceFraction(1): fraction of ASes that can trace spoofed traffic to its true origin (AS)

Data Sets
• 4 AS graphs from the BGP data archived by the Oregon Route Views Project

Experimental Settings
• Determine the feasible paths based on update logs
• Use the shortest path as the actual route (adding it to the feasible set if it is not already a feasible path)
• Selecting nodes that deploy IDPF
  – Random (rnd30/rnd50)
  – Vertex cover (VC)
  – Unless stated otherwise, IDPF nodes also perform network ingress filtering

VictimFraction (G2004c)
• Effectiveness of IDPFs in protecting ASes from spoofing attacks
  – VictimFraction(1) is zero unless all nodes support IDPFs
  – It is very hard to protect ASes from all spoofing attacks

AttackFraction (G2004c)
• Effectiveness of IDPFs in limiting the spoofing capability of attackers
  – AttackFraction(1) = 80.8%, 59.2%, and 36.2% for the three deployment settings, respectively
  – IDPFs are very effective in limiting spoofing capability

VictimTraceFraction (G2004c)
• Effectiveness of IDPFs in reducing traceback effort
  – VictimTraceFraction(28) = 1: all ASes can localize attackers to at most 28 ASes for the VC IDPF placement

Filtering with Precise Routing Info vs. BGP
[figure: G2004c, VC placement; values 7 and 28 shown]

IDPFs with/without Network Ingress Filtering
[figure: G2004c, VC placement; values 28 and 87 shown]

Related Work
• Route-Based Packet Filters [SIGCOMM01]
• Unicast reverse path forwarding (uRPF) [RFC1812]
• Unicast reverse path forwarding, loose mode [Cisco]
• Hop-Count Filtering [CCS03]
• Path Identification/StackPi [SSP03]/[JSAC06]
• Source Address Validation Enforcement (SAVE) [INFOCOM02]
• Spoofing Prevention Method [INFOCOM05]
• Network Ingress Filtering [RFC2267]
• Bogon Route Server Project [Cymru]

Summary
• We proposed an Inter-Domain Packet Filters (IDPF) architecture and studied its performance
• IDPF can effectively limit the spoofing capability of attackers even when partially deployed, and improves the accuracy of IP traceback
• More performance studies in
  – "Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates", INFOCOM 2006
  – and its technical report version

Routing Policy Complications
• Some ASes do not follow the import/export policies assumed by IDPFs
  – Restricted traffic forwarding is required for IDPFs to work in that case

Impact of Routing Dynamics
• IDPFs work well with dynamics caused by network failure events
• During routing dynamics caused by a new network announcement (or recovery from a network failure event), IDPFs may drop valid packets and may also fail to detect spoofed packets
  – However, reachability information propagates much faster than failure information
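Worked example (added here; not code from the slides or from the IDPF authors): a toy BGP simulation on the five-AS graph of the "Topological Routes vs. Feasible Routes" slide that applies the acceptance rule from the "Constructing IDPF" slide (v accepts M(s, d) from u only if u exported to v a route to s) and reproduces the stale-table false positive described on the "Impact of Routing Dynamics" slide. The AS relationships, the valley-free export policy, the prefixes (documentation ranges) and the "new prefix" scenario are assumptions chosen for illustration; the relationships are picked so that the feasible s->d routes come out as sad and sbd, matching the slide.

```python
"""Toy model of Inter-Domain Packet Filters (IDPF).

Added example, not code from the slides or from the IDPF authors.  It runs
BGP with the usual valley-free export policy on the five-AS graph of the
slides (s, a, b, c, d) and applies the IDPF rule: node v accepts packet
M(src, dst) from neighbor u only if u exported to v its best route to src's
prefix.  Relationships, prefixes and the stale-table scenario are assumed.
"""

# Assumed relationships: PROVIDER_OF[x] = x's providers, PEERS = peer pairs.
PROVIDER_OF = {"s": {"a", "b"}, "a": {"d"}, "b": {"d"},
               "c": {"a", "b", "d"}, "d": set()}
PEERS = {frozenset({"a", "b"})}
PREF = {"customer": 0, "peer": 1, "provider": 2}   # BGP route preference


def relation(x, y):
    """How AS x sees its directly connected neighbor y."""
    if x in PROVIDER_OF[y]:
        return "customer"
    if y in PROVIDER_OF[x]:
        return "provider"
    if frozenset({x, y}) in PEERS:
        return "peer"
    raise ValueError(f"{x} and {y} are not adjacent")


def neighbors(x):
    return {y for y in PROVIDER_OF if y != x and (
        x in PROVIDER_OF[y] or y in PROVIDER_OF[x] or frozenset({x, y}) in PEERS)}


def exports(u, v, learned_from):
    """Export policy: originated/customer routes go to every neighbor,
    provider- and peer-learned routes go only to customers."""
    return learned_from in ("origin", "customer") or relation(u, v) == "customer"


def compute_routes(dest):
    """Iterate BGP to a fixed point for the prefix originated by `dest`.
    Returns (best, announced): best[x] = x's AS path to dest; announced[v] =
    neighbors that exported their best route to v, i.e. v's feasible
    upstream neighbors for packets whose source lies in dest's prefix."""
    best = {x: None for x in PROVIDER_OF}
    best[dest], learned = (dest,), {dest: "origin"}
    changed = True
    while changed:
        changed = False
        for x in PROVIDER_OF:
            if x == dest:
                continue
            cands = [(PREF[relation(x, u)], len(best[u]), best[u], u)
                     for u in sorted(neighbors(x))
                     if best[u] and x not in best[u] and exports(u, x, learned[u])]
            if cands:
                _, _, path, u = min(cands)          # prefer customer, then shortest
                if (x,) + path != best[x]:
                    best[x], learned[x], changed = (x,) + path, relation(x, u), True
    announced = {v: {u for u in neighbors(v)
                     if best[u] and v not in best[u] and exports(u, v, learned[u])}
                 for v in PROVIDER_OF}
    return best, announced


def routes(src, dst, feasible_only):
    """Loop-free src->dst paths; with feasible_only keep only valley-free ones
    (customer->provider hops, at most one peer hop, then provider->customer)."""
    found = set()

    def walk(path, phase):
        if path[-1] == dst:
            found.add(tuple(path))
            return
        for y in sorted(neighbors(path[-1]) - set(path)):
            r = relation(path[-1], y)
            if r == "customer":                     # provider->customer: descend
                nxt = 2
            elif phase == 0 and r == "provider":    # customer->provider: climb
                nxt = 0
            elif phase == 0 and r == "peer":        # the single peer hop
                nxt = 1
            elif feasible_only:
                continue                            # this hop would form a valley
            else:
                nxt = phase
            walk(path + [y], nxt)
    walk([src], 0)
    return found


def build_idpf(prefix_origin):
    """IDPF tables: table[prefix][v] = neighbors from which v accepts packets
    sourced in prefix, taken from what the BGP simulation exported to v."""
    return {pfx: compute_routes(origin)[1] for pfx, origin in prefix_origin.items()}


def idpf_accepts(table, v, u, src_prefix):
    """IDPF check at node v for a packet arriving from neighbor u.  A prefix
    missing from the table is dropped, so with a stale table a newly announced
    prefix is filtered until the table is rebuilt (Routing Dynamics slide)."""
    return u in table.get(src_prefix, {}).get(v, set())


def spoofable_prefixes(table, prefix_origin, attacker):
    """Prefixes not originated by `attacker` that it can forge as a source and
    still get past the IDPF of at least one neighbor (empty = cannot spoof)."""
    return {pfx for pfx, tab in table.items()
            if prefix_origin[pfx] != attacker
            and any(attacker in tab[v] for v in neighbors(attacker))}


# Constructed prefixes (documentation ranges) originated by s and c.
PREFIXES = {"198.51.100.0/24": "s", "203.0.113.0/24": "c"}

if __name__ == "__main__":
    table = build_idpf(PREFIXES)
    print("feasible s->d:", sorted(routes("s", "d", True)),
          "of", len(routes("s", "d", False)), "topological routes")
    print("d accepts src s via a:", idpf_accepts(table, "d", "a", "198.51.100.0/24"),
          "via c:", idpf_accepts(table, "d", "c", "198.51.100.0/24"))
    print("c can spoof:", spoofable_prefixes(table, PREFIXES, "c"))
```

Running it shows the two effects from the Performance slide on this small graph: c cannot forge s's prefix at any neighbor, because no neighbor ever received a route to s from c, while a (which lies on a feasible path) still can; and a prefix s announces after the tables were built is dropped by every IDPF node until the tables are rebuilt from the new BGP updates, which is the valid-packet loss the Routing Dynamics slide warns about.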