SLIDE 1 A Reproducibility Study of “IP Spoofing Detection in Inter-Domain Traffic”
Jasper Eumann October 9, 2019
iNET RG, Hamburg University of Applied Sciences
SLIDE 2 Overview
- IP Spoofing
- Mitigation in General
- Detection in Inter-Domain Traffic
- Results
- False Positive Indicators
- Conclusion
SLIDE 3 IP Spoofing
SLIDE 4 IP spoofing
- IP spoofing injects packets that carry a forged IP source address, one that is not the sender's own
- Replies are directed to the address in the packet and not to the origin
SLIDE 5 Abuse potential
In combination with a distributed amplification, in which small requests trigger much larger replies, this leads to serious denial of service attacks in the current Internet [5, 10].
SLIDE 6 Amplification and reflection attack using a DNS server
[Figure: AS1 (Attacker), AS2, AS3 (DNS server) and AS4 (Victim) connected through an IXP; the attacker sends a request with the spoofed address of the victim to the DNS server, whose reply travels the regular request/response path to the victim. Legend: request with spoofed address of the victim; regular request/response.]
SLIDE 7 Mitigation in General
SLIDE 8 IP spoofing mitigation
- The most effective mitigation of reflection attacks is ingress filtering at the network of the attacker [3, 1]
- This solution is not sufficiently deployed [4]
- Can only be used in the area near the attacker
SLIDE 9 A border router blocks incoming traffic using ingress filtering
[Figure: same topology as slide 6 (AS1 Attacker, AS2, AS3 DNS server, AS4 Victim, IXP); the request with the spoofed address of the victim is dropped at the border router of the attacker's network, while regular request/response traffic passes. Legend: request with spoofed address of the victim; regular request/response.]
SLIDE 10 Detection in Inter-Domain Traffic
SLIDE 11 Spoofing detection in inter-domain traffic
- Packets passing through an IXP are forwarded by a peering AS
- Use the expectation of “covered” prefixes to filter packets
- Complicated by transit providers
SLIDE 12 Customer cone
[Figure: IXP with members AS1, AS2 and AS3 and downstream ASes AS4 to AS8; edges labelled Upstream and Peering; shaded regions mark the cone of AS1, the cone of AS2 and the cone of AS3.]
A customer cone includes all ASes that receive (indirect) upstream via the IXP member (AS1, AS2, AS3)
SLIDE 13 Amplification and reflection attack using a DNS server
[Figure: the slide-6 topology (AS1 Attacker, AS2, AS3 DNS server, AS4 Victim, IXP) with a question mark at the IXP: the traffic with the spoofed address of the victim arrives from AS1 via a member whose cone does not cover the victim's prefix. Legend: traffic with spoofed address of the victim; regular traffic.]
SLIDE 14 IMC’17 methodology
- Detection, Classification, and Analysis of Inter-Domain Traffic with Spoofed Source IP Addresses, published at ACM IMC’17
  - Passive detection of packets with spoofed IP addresses
  - Minimize false positive inferences [6, § 1]
- Each packet that enters an IXP via an IXP member is checked via a customer cone that covers the prefix of the origin AS
- The paper presents three cone approaches
SLIDE 15–17 Customer cone approaches
- 1. Naive Approach: Uses public BGP information and considers a packet valid if it originates from an AS that is part of an announced path for its source prefix
  BGP4MP|1522454399|A|206.197.187.10|14061| 185.160.179.0/24 | 14061 1299 12880 49148 |IGP|206.197.187.10|0|0||||
- 2. CAIDA Customer Cone: Represents the business relationships rather than the topology. Built from the AS relationships data provided by CAIDA [8]
- 3. Full Cone: Built from public BGP announcements. This approach adds transitive relationships between peers. (Main method examined in the IMC’17 paper)
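The naive and CAIDA checks from the three approaches above, as an added illustration that is not the IMC’17 scripts: it parses BGP4MP lines in the slide-15 layout and CAIDA-style AS-relationship lines, and shows why a peer's customer falls outside the CAIDA cone (the gap the full cone's transitive peer relationships are meant to close). All AS numbers, prefixes and relationships are constructed.

```python
# Added illustration (not the IMC'17 scripts): naive and CAIDA cone checks from
# slides 15-17 on constructed inputs (private-range ASNs, documentation prefixes).
from collections import defaultdict
# Constructed BGP4MP lines in the slide-15 layout: field 5 is the prefix,
# field 6 the AS path (collector peer first, origin AS last).
BGP4MP_LINES = [
    "BGP4MP|1522454399|A|192.0.2.1|64496|203.0.113.0/24|64496 64500 64510|IGP|192.0.2.1|0|0||||",
    "BGP4MP|1522454400|A|192.0.2.1|64496|198.51.100.0/24|64496 64501 64520|IGP|192.0.2.1|0|0||||",
]
# Constructed CAIDA-style relationships: "provider|customer|-1", "peer|peer|0".
AS_REL_LINES = ["64500|64510|-1", "64501|64520|-1", "64500|64501|0"]

def naive_cone(lines):
    """Naive approach: prefix -> every AS on any announced path for it."""
    cone = defaultdict(set)
    for line in lines:
        fields = line.split("|")
        cone[fields[5].strip()].update(int(a) for a in fields[6].split())
    return dict(cone)

def origin_as(lines):
    """prefix -> origin AS (last AS on the path)."""
    return {l.split("|")[5].strip(): int(l.split("|")[6].split()[-1]) for l in lines}

def caida_cone(rel_lines):
    """CAIDA customer cone: the AS plus all ASes reachable over customer
    links only; peer links (rel 0) contribute nothing."""
    customers = defaultdict(set)
    for line in rel_lines:
        a, b, rel = line.split("|")
        if rel == "-1":
            customers[int(a)].add(int(b))
    cone = {}
    for asn in set(customers) | {c for cs in customers.values() for c in cs}:
        seen, todo = {asn}, [asn]
        while todo:  # transitive closure over customer edges
            for c in customers.get(todo.pop(), ()):
                if c not in seen:
                    seen.add(c)
                    todo.append(c)
        cone[asn] = seen
    return cone

def valid_naive(member, prefix, cone):
    """Packet from prefix entering via IXP member passes the naive check."""
    return member in cone.get(prefix, set())

def valid_caida(member, prefix, origins, cone):
    """CAIDA check: the prefix's origin AS must lie in the member's cone."""
    return origins.get(prefix) in cone.get(member, {member})
```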
SLIDE 18 Manual intervention
- The authors of IMC’17 added “missing” links to the full cone by hand (based on whois information)
- In our opinion, only a fully scriptable method is usable in practice
- We show the properties of the cone approaches without manual intervention.
SLIDE 19 Classification classes
The full pipeline sorts packets into four classes:
- Bogon: Address from a private network or another prefix that is not eligible for routing [9, 2, 11]
- Unrouted: Source is not included in any announcement
- Invalid: Packet with a spoofed source address
- Regular: Regular traffic without anomalies
SLIDE 20 Classification pipeline
[Flowchart, written out as the decision chain it encodes:]
Traffic: source in 127.0.0.0/8, 192.162.0.0/16, ...? Yes: Bogon. No:
not routable? Yes: Unrouted. No:
not in cone of member? Yes: Invalid. No: Regular
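The decision chain of slides 19 and 20 as an added, runnable example (not the IMC’17 code). The bogon list follows the RFCs cited on slide 19; the routed prefix and its AS path are the ones in the slide-15 BGP4MP line; the second IXP member (AS 64496) and all packets are constructed.

```python
# Added example of the slide-19/20 classification pipeline; not the IMC'17
# code. Bogon list follows RFC 1918, RFC 5735 and RFC 6598 as cited on slide 19;
# the routed prefix and its path come from the slide-15 BGP4MP line, the
# second IXP member (AS 64496) and all packets are constructed.
import ipaddress

BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]
# Announced prefix -> origin AS, and IXP member -> ASes its cone covers.
ROUTED = {ipaddress.ip_network("185.160.179.0/24"): 49148}
CONES = {14061: {14061, 1299, 12880, 49148},  # ASes on the announced path
         64496: {64496}}                       # constructed member, no customers

def longest_match(addr, table):
    """Origin AS of the most specific announced prefix covering addr, else None."""
    best = None
    for net, origin in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin)
    return None if best is None else best[1]

def classify(src, member, routed=ROUTED, cones=CONES, bogons=BOGONS):
    """Decision chain of slide 20: Bogon -> Unrouted -> Invalid -> Regular."""
    addr = ipaddress.ip_address(src)
    if any(addr in b for b in bogons):
        return "bogon"       # private / reserved source address
    origin = longest_match(addr, routed)
    if origin is None:
        return "unrouted"    # source not covered by any announcement
    if origin not in cones.get(member, {member}):
        return "invalid"     # member does not cover the origin AS: spoofed
    return "regular"

def tally(packets, **kw):
    """Per-class share of (src, member) samples, the shape of slide 23's table."""
    counts = {}
    for src, member in packets:
        cls = classify(src, member, **kw)
        counts[cls] = counts.get(cls, 0) + 1
    return {cls: n / len(packets) for cls, n in counts.items()}
```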
SLIDE 21 Reproduction procedure
- 1. Collect sampled flow data at an IXP
- 2. Apply the scripts [7] kindly provided by the IMC’17 authors
  - We extended the implementation with missing functionality
- 3. Enhance cone construction with features for classifying payloads of spoofed traffic using libpcap (https://www.tcpdump.org/)
SLIDE 22 Results
SLIDE 23 Comparison of classification results for invalid traffic
                 IMC 2017             Reproduced results
                 Bytes     Packets    Bytes      Packets
Bogon            0.003%    0.02%      0.0009%    0.0022%
Unrouted         0.004%    0.02%      0.00001%   0.0001%
Invalid (Naive)  1.1%      1.29%      0.579%     1.537%
Invalid (CAIDA)  0.19%     0.3%       0.955%     1.563%
Invalid (Full)   0.0099%   0.03%      0.2%       0.488%
SLIDE 24 Time series of classified traffic distributions (Full)
[Figure: packets per class over several days (ticks at 00:00 and 12:00), log-scale y axis from 10^3 to 10^8 packets; series: Regular, Bogon, Unrouted, Invalid, and the IMC'17 values for the same four classes.]
SLIDE 25 Time series of classified traffic distributions
[Figure: three panels, Naive, CAIDA and Full, each showing packets per class over several days (ticks at 00:00 and 12:00) on a log-scale y axis from 10^3 to 10^8 packets; series: Regular, Bogon, Unrouted, Invalid; the Full panel also carries the IMC'17 values for the same four classes.]
SLIDE 26 CCDF: Fractions of invalid traffic per IXP member AS (Full)
[Figure: CCDF with x axis "% of total traffic (packets)" on a log scale and y axis "Fraction of members" from 0.2 to 1; curves: Unrouted, Bogon, Invalid, Invalid (IMC'17).]
SLIDE 27 CCDF: Fractions of invalid traffic per IXP member AS
[Figure: three CCDF panels, Naive, CAIDA and Full, each with x axis "% of total traffic (packets)" on a log scale and y axis "Fraction of members" from 0.2 to 1; curves: Unrouted, Bogon, Invalid; the Full panel also shows Invalid (IMC'17).]
SLIDE 28 CDF: Packet sizes by category (Full)
[Figure: CDF with x axis "Packet size [Bytes]" from 0 to 1500 and y axis "Fraction of Packets" from 0.2 to 1.0; curves: Bogon, Unrouted, Invalid, Regular, Invalid (IMC'17).]
SLIDE 29 CDF: Packet sizes by category
[Figure: three CDF panels, Naive, CAIDA and Full, each with x axis "Packet size [Bytes]" from 0 to 1500 and y axis "Fraction of Packets" from 0.2 to 1.0; curves: Bogon, Unrouted, Invalid, Regular; the Full panel also shows Invalid (IMC'17).]
SLIDE 30 Traffic mix per protocol and dst port of invalid packets (Full)
ICMP: total 0.37%
UDP (column labels as extracted: 53, 123, 161, 443, ephemeral, total): 1.18%, < 0.1%, 0.35%, 19.73%, 0.94%, 0.81%, 20.36%
TCP (column labels as extracted: 80, 443, 27015, 10100, ephemeral, total): 3.50%, 62.29%, 0.00%, 0.00%, 6.75%, 13.67%, 79.45%
(Each of the UDP and TCP rows carries one more value than recovered column labels; the per-protocol totals sum to roughly 100% of invalid packets.)
SLIDE 31 False Positive Indicators
SLIDE 32 False positive indicators
Idea: Check if we actually identified invalid traffic
- 1. SSL over TCP
- 2. HTTP responses
- 3. ICMP echo replies
- 4. TCP packets carrying ACKs
- 5. Malformed packets (e.g., transport port 0)
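The five indicators as checks over decoded packet fields, as an added example that is not part of the talk. The slides do not state the exact heuristics, so the ones used here (TLS record header, "HTTP/" status line, ICMP type 0, TCP ACK bit, transport port 0) and the sample packets are this example's assumptions; the share calculation mirrors the layout of the table on slide 33.

```python
# Added example (not from the talk): the five false-positive indicators of
# slide 32 as checks over decoded packet fields. The slides do not give the
# exact heuristics; those below (TLS record header, "HTTP/" prefix, ICMP
# type 0, TCP ACK bit, port 0) and the packets are this example's assumptions.
from collections import Counter

TCP_ACK = 0x10  # ACK bit of the TCP flags byte

# Constructed "invalid"-class packets: proto, ports, TCP flags, ICMP type, payload.
PACKETS = [
    {"proto": "tcp", "sport": 443, "dport": 51000, "flags": 0x18,
     "payload": b"\x16\x03\x01\x00\x2a"},            # TLS handshake record, ACK set
    {"proto": "tcp", "sport": 80, "dport": 51001, "flags": 0x18,
     "payload": b"HTTP/1.1 200 OK\r\n"},             # HTTP response, ACK set
    {"proto": "icmp", "icmp_type": 0, "payload": b""},  # echo reply
    {"proto": "udp", "sport": 0, "dport": 53, "payload": b"\x00"},  # port 0
    {"proto": "udp", "sport": 40000, "dport": 123, "payload": b"\x17"},  # no indicator
]

def indicators(pkt):
    """Names of the slide-32 indicators that fire for one packet."""
    found = set()
    proto, payload = pkt.get("proto"), pkt.get("payload", b"")
    if proto == "tcp":
        # 1. SSL/TLS: record header with content type 0x14-0x17 and version 3.x
        if len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 3:
            found.add("ssl_over_tcp")
        if payload.startswith(b"HTTP/"):        # 2. HTTP response status line
            found.add("http_response")
        if pkt.get("flags", 0) & TCP_ACK:       # 4. ACK implies a prior exchange
            found.add("tcp_ack")
    if proto == "icmp" and pkt.get("icmp_type") == 0:   # 3. echo reply
        found.add("icmp_echo_reply")
    if proto in ("tcp", "udp") and 0 in (pkt.get("sport"), pkt.get("dport")):
        found.add("malformed")                  # 5. transport port 0
    return found

def indicator_shares(packets):
    """Percent of packets triggering each indicator, the slide-33 layout."""
    counts = Counter(name for p in packets for name in indicators(p))
    return {name: round(100.0 * n / len(packets), 3) for name, n in counts.items()}
```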
SLIDE 33 False positive indicators by approach
                 Naive      CAIDA      Full
SSL over TCP     3.985%     4.166%     6.395%
HTTP response    0.174%     0.134%     0.117%
ICMP echo reply  0.056%     0.070%     0.043%
TCP ACK          86.188%    69.197%    76.079%
Malformed        0.000%     0.000%     0.001%
SLIDE 34 Conclusion
SLIDE 35 Conclusion
- The manual intervention has a significant effect on the results
- Without strong adjustments the methodology cannot be used in an automated fashion
SLIDE 36 Questions?
Thanks for your attention!
SLIDE 37–41 References
[1] Ingress Filtering for Multihomed Networks. RFC 3704, IETF, March 2004.
[2] Special Use IPv4 Addresses. RFC 5735, IETF, January 2010.
[3] P. Ferguson and D. Senie. Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. RFC 2827, IETF, May 2000.
[4] David Freedman, Brian Foust, Barry Greene, Ben Maddison, Andrei Robachevsky, Job Snijders, and Sander Steffann. Mutually Agreed Norms for Routing Security (MANRS) Implementation Guide. RIPE Documents ripe-706, RIPE, June 2018.
[5] Mattijs Jonker, Alistair King, Johannes Krupp, Christian Rossow, Anna Sperotto, and Alberto Dainotti. Millions of Targets Under Attack: A Macroscopic Characterization of the DoS Ecosystem. In Proc. of the 2017 Internet Measurement Conference, IMC ’17, pages 100–113, New York, NY, USA, 2017. ACM.
[6] Franziska Lichtblau, Florian Streibelt, Thorben Krüger, Philipp Richter, and Anja Feldmann. Detection, Classification, and Analysis of Inter-Domain Traffic with Spoofed Source IP Addresses. In Proc. of the 2017 Internet Measurement Conference, IMC ’17, pages 86–99, New York, NY, USA, 2017. ACM.
[7] Franziska Lichtblau, Florian Streibelt, Thorben Krüger, Philipp Richter, and Anja Feldmann. transitive closure cone, 2018. Accessed: 2019-08-28.
[8] Matthew Luckie, Bradley Huffaker, Amogh Dhamdhere, Vasileios Giotsas, and kc claffy. AS Relationships, Customer Cones, and Validation. In Proc. of the 2013 Internet Measurement Conference, IMC ’13, pages 243–256, New York, NY, USA, 2013. ACM.
[9] Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot, and E. Lear. Address Allocation for Private Internets. RFC 1918, IETF, February 1996.
[10] Fabrice J. Ryba, Matthew Orlinski, Matthias Wählisch, Christian Rossow, and Thomas C. Schmidt. Amplification and DRDoS Attack Defense – A Survey and New Perspectives. Technical Report arXiv:1505.07892, arXiv.org, June 2015.
[11] J. Weil, V. Kuarsingh, C. Donley, C. Liljenstolpe, and M. Azinger. IANA-Reserved IPv4 Prefix for Shared Address Space. RFC 6598, IETF, April 2012.
SLIDE 42 Top UDP destination port distribution of invalid packets
Naive: 443 12.140%, 53 4.040%, 4500 1.800%, 3074 1.218%, ephemeral 34.012%; sixth value (column label lost in extraction) 44.664%
CAIDA: 443 30.921%, 53 3.637%, 3074 1.296%, 1193 0.951%, ephemeral 28.181%; sixth value (column label lost in extraction) 33.507%
Full: 443 77.174%, 53 5.472%, 16759 1.645%, 161 1.406%, ephemeral 5.129%; sixth value (column label lost in extraction) 8.157%