a reproducibility study of ip spoofing detection in inter
play

A Reproducibility Study of IP Spoofing Detection in Inter-Domain - PowerPoint PPT Presentation

Sep 06, 2023 •339 likes •778 views

A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann October 9, 2019 iNET RG, Hamburg University of Applied Sciences Overview IP Spoofing Mitigation in General Detection in Inter-Domain Traffic

  1. A Reproducibility Study of “IP Spoofing Detection in Inter-Domain Traffic” Jasper Eumann October 9, 2019 iNET RG, Hamburg University of Applied Sciences

  2. Overview IP Spoofing Mitigation in General Detection in Inter-Domain Traffic Results False Positive Indicators Conclusion 1

  3. IP Spoofing

  4. IP spoofing • IP spoofing injects packets that include a forged IP source address which is not its own • Replys are directed to the address in the packet and not to the origin 2

  5. Abuse potential In combination with a distributed amplification, in which small requests trigger much larger replies, this leads to serious denial of service attacks in the current Internet [5, 10]. 3

  6. Amplification and reflection attack using a DNS server AS4 Regular request/response AS2 Victim Request with spoofed address of the victim AS1 Attacker IXP Attacker AS3 DNS server 4

  7. Mitigation in General

  8. IP spoofing mitigation • The most effective mitigation of reflection attacks is ingress filtering at the network of the attacker [3, 1] • This solution is not sufficiently deployed [4] • Can only be used in the area near the attacker 5

  9. A border router blocks incoming traffic using ingress filtering AS4 Regular request/response AS2 Victim Request with spoofed address of the victim AS1 Attacker IXP Attacker AS3 DNS server 6

  10. Detection in Inter-Domain Traffic

  11. Spoofing detection in inter-domain traffic • Packets passing through an IXP are forwarded by a peering AS • Use expectation of ”covered” prefixes to filter packets • Complicated by transit providers 7

  12. Customer cone Upstream Peering Cone of AS1 IXP Cone of AS2 Cone of AS3 AS1 AS2 AS3 AS4 AS5 AS6 AS7 AS8 A customer cone includes all ASes that receive (indirect) upstream via the IXP member (AS1, AS2, AS3) 8

  13. Amplification and reflection attack using a DNS server AS4 Regular traffic AS2 Victim Traffic with spoofed address of the victim AS1 Attacker IXP Attacker IXP AS3 AS4 AS2 DNS server ? AS1 9

  14. IMC’17 methodology • Detection, Classification, and Analysis of Inter-Domain Traffic with Spoofed Source IP Addresses published at ACM IMC’17 • passive detection of packets with spoofed IP address • minimize false positive inferences [6, § 1] • Each packet that enters an IXP via an IXP member is checked via a customer cone that covers the prefix of the origin AS • Paper presents three cone approaches 10

  15. Customer cone approaches 1. Naive Approach : Uses public BGP information and considers a packet is valid if it originates from an AS that is part of an announced path for its source prefix BGP4MP|1522454399|A|206.197.187.10|14061| 185.160.179.0/24 | 14061 1299 12880 49148 |IGP|206.197.187.10|0|0|||| 11

  16. Customer cone approaches 1. Naive Approach : Uses public BGP information and considers that a packet is valid if it originates from an AS that is part of an announced path for its source prefix 2. CAIDA Customer Cone : Represents the business relationships rather than the topology. Build from AS relationships data provided by CAIDA [8] 12

  17. Customer cone approaches 1. Naive Approach : Uses public BGP information and considers that a packet is valid if it originates from an AS that is part of an announced path for its source prefix 2. CAIDA Customer Cone : Represents the business relationships rather than the topology. Build from AS relationships data provided by CAIDA [8] 3. Full Cone : Built from public BGP announcements. This approach adds transitive relationships between peers. (Main method examined in the IMC’17 paper) 13

  18. Manual intervention • The authors of IMC’17 added “missing” links to the full cone by hand (based on whois information) • In our opinion only a full scriptable method is usable in practice • We show the properties of the cone approaches without manual intervention . 14

  19. Classification classes The full pipeline sorts packets into four classes: • Bogon : Address from a private network or other ineligible routable prefixes [9, 2, 11] • Unrouted : Source is not included in any announcement • Invalid : Packet with a spoofed source address • Regular : Regular traffic without anomalies 15

  20. Classification pipeline 127.0.0.0/8, not in cone of Traffic 192.162.0.0/16, not routable? Regular member? No No No ...? Yes Yes Yes Bogon Unrouted Invalid 16

  21. Reproduction procedure 1. Collect sampled flows data at an IXP 2. Apply scripts [7] kindly provided by the IMC’17 authors • We extended the implementation with missing functionality 3. Enhance cone construction with features for classifying payloads of spoofed traffic using libpcap 1 1 https://www.tcpdump.org/ 17

  22. Results

  23. Comparison of classification results for invalid traffic IMC 2017 Reproduced Results Bytes Packets Bytes Packets Bogon 0.003% 0.02% 0.0009% 0.0022% Unrouted 0.004% 0.02% 0.00001% 0.0001% Invalid Naive 1.1% 1.29% 0.579% 1.537% CAIDA 0.19% 0.3% 0.955% 1.563% Full 0.0099% 0.03% 0.2% 0.488% 18

  24. Time series of classified traffic distributions (Full) Regular Bogon 10 8 Unrouted Invalid Regular (IMC'17) 10 7 Bogon (IMC'17) Invalid (IMC'17) Unrouted (IMC'17) # Packets 10 6 10 5 10 4 10 3 12:00 12:00 12:00 12:00 12:00 12:00 12:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 Time 19

  25. Time series of classified traffic distributions Regular Regular Regular Bogon Bogon Bogon 10 8 10 8 10 8 Unrouted Unrouted Unrouted Invalid Invalid Invalid Regular (IMC'17) 10 7 10 7 10 7 Bogon (IMC'17) Invalid (IMC'17) Unrouted (IMC'17) # Packets # Packets # Packets 10 6 10 6 10 6 10 5 10 5 10 5 10 4 10 4 10 4 10 3 10 3 10 3 12:00 12:00 12:00 12:00 12:00 12:00 12:00 12:00 12:00 12:00 12:00 12:00 12:00 12:00 12:00 12:00 12:00 12:00 12:00 12:00 12:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 00:00 Time Time Time Naive CAIDA Full 20

  26. CCDF: Fractions of invalid traffic per IXP member AS (Full) 1 Fraction of members Unrouted Bogon Invalid 0.6 Invalid (IMC'17) 0.2 10 10 10 ³ 10 ¹ 10 10² % of total traffic (packets) 21

  27. CCDF: Fractions of invalid traffic per IXP member AS 1 1 1 Fraction of members Unrouted Fraction of members Unrouted Fraction of members Unrouted Bogon Bogon Bogon Invalid Invalid Invalid 0.6 0.6 0.6 Invalid (IMC'17) 0.2 0.2 0.2 10 10 10 ³ 10 ¹ 10 10² 10 10 10 ³ 10 ¹ 10 10² 10 10 10 ³ 10 ¹ 10 10² % of total traffic (packets) % of total traffic (packets) % of total traffic (packets) Naive CAIDA Full 22

  28. CDF: Packets sizes by category (Full) 1.0 Fraction of Packets 0.8 0.6 Bogon 0.4 Unrouted Invalid 0.2 Regular Invalid (IMC'17) 0 0 500 1000 1500 Packet size [Bytes] 23

  29. CDF: Packets sizes by category 1.0 1.0 1.0 Fraction of Packets Fraction of Packets Fraction of Packets 0.8 0.8 0.8 0.6 0.6 0.6 Bogon 0.4 0.4 0.4 Bogon Bogon Unrouted Unrouted Unrouted Invalid 0.2 0.2 0.2 Invalid Invalid Regular Regular Regular Invalid (IMC'17) 0 0 0 0 500 1000 1500 0 500 1000 1500 0 500 1000 1500 Packet size [Bytes] Packet size [Bytes] Packet size [Bytes] Naive CAIDA Full 24

  30. Traffic mix per protocol and dst port of invalid packets (Full) total ICMP 0.37% 53 123 161 443 ephe. other total UDP 1.18% < 0 . 1% 0.35% 19.73% 0.94% 0.81% 20.36% 80 443 27015 10100 ephe. other total TCP 3.50% 62.29% 0.00% 0.00% 6.75% 13.67% 79.45% 25

  31. False Positive Indicators

  32. False positive indicators Idea: Check if we actually identified invalid traffic 1. SSL over TCP 2. HTTP responses 3. ICMP echo replies 4. TCP packets carrying ACKs 5. Malformed packets (e.g., transport port 0) 26

  33. False positive indicators by approach Naive CAIDA Full SSL over TCP 3.985% 4.166% 6.395% HTTP response 0.174% 0.134% 0.117% ICMP echo reply 0.056% 0.070% 0.043% TCP ACK 86.188% 69.197% 76.079% malformed 0.000% 0.000% 0.001% 27

  34. Conclusion

  35. Conclusion • The manual intervention has a significant effect on the results • Without strong adjustments the methodology cannot be used in automatically fashion 28

  36. Questions? Thanks for your attention! 29

  37. References i F. Baker and P. Savola. Ingress Filtering for Multihomed Networks. RFC 3704, IETF, March 2004. M. Cotton and L. Vegoda. Special Use IPv4 Addresses. RFC 5735, IETF, January 2010. P. Ferguson and D. Senie. Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. RFC 2827, IETF, May 2000.

  38. References ii David Freedman, Brian Foust, Barry Greene, Ben Maddison, Andrei Robachevsky, Job Snijders, and Sander Steffann. Mutually Agreed Norms for Routing Security (MANRS) Implementation Guide. RIPE Documents ripe-706, RIPE, June 2018. Mattijs Jonker, Alistair King, Johannes Krupp, Christian Rossow, Anna Sperotto, and Alberto Dainotti. Millions of Targets Under Attack: A Macroscopic Characterization of the DoS Ecosystem. In Proc. of the 2017 Internet Measurement Conference , IMC ’17, pages 100–113, New York, NY, USA, 2017. ACM.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann,

A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann,

A Reproducibility Study of IP Spoofing Detection in Inter-Domain Traffic Jasper Eumann, Raphael Hiesgen, Thomas C. Schmidt, Matthias Whlisch t.schmidt@haw-hamburg.de Spoofing Detection in Interdomain Traffic Starting Point: Our

326 views • 8 slides
Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and

Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and

Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and Spoofing Detec:on Usable Authen:ca:on (2FA) Security of Blockchains / Cryptocurrencies Trusted Compu:ng Secure Proximi mity / Distance Measureme

589 views • 30 slides
Recent trends in Interference Mitigation and Spoofing Detection ! Fabio Dovis ! Electronics Dept.,

Recent trends in Interference Mitigation and Spoofing Detection ! Fabio Dovis ! Electronics Dept.,

Recent trends in Interference Mitigation and Spoofing Detection ! Fabio Dovis ! Electronics Dept., Politecnico di Torino, Italy ! !&quot;#$%&amp;''()*++,(-./0121,(3*4*54)*++( Outline ! GNSS vulnerabilities ! Classification of interfering

970 views • 50 slides
Discussion: Reproducibility and Cross-study Replicability of Prognostic Signatures from High

Discussion: Reproducibility and Cross-study Replicability of Prognostic Signatures from High

Discussion: Reproducibility and Cross-study Replicability of Prognostic Signatures from High Throughput Genomic Data Lee Dicker Rutgers University May 2, 2014 Rutgers Statistics Symposium Discussion: Reproducibility and Cross-study

371 views • 12 slides
IP Spoofing Detection Through Time to Live Header Analysis Final Talk BSc Informatics Arno Hilke

IP Spoofing Detection Through Time to Live Header Analysis Final Talk BSc Informatics Arno Hilke

Chair for Network Architectures and Services Technische Universitt Mnchen IP Spoofing Detection Through Time to Live Header Analysis Final Talk BSc Informatics Arno Hilke Supervisor : Prof. Dr.-Ing. Georg Carle Advisors : Quirin Scheitle,

663 views • 16 slides
disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such

disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such

disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such DDoS attacks addressing spoofing attempts to eliminate spoofing, not adopted IETF BCPs 38-84, ISOC MANRS scrubbing centers (eg Akamai,

700 views • 19 slides
Haltermann Test &amp; Reference Fuels Proposed CARB-III Repeatability and Reproducibility Study

Haltermann Test &amp; Reference Fuels Proposed CARB-III Repeatability and Reproducibility Study

Haltermann Test &amp; Reference Fuels Proposed CARB-III Repeatability and Reproducibility Study Study Basis Fuel samples produced in lab under controlled conditions Manufacturing scale would present additional challenges 16

387 views • 3 slides
Inter-Arrival Curves for Multi-Mode and Online Anomaly Detection Mahmoud Salem, Mark Crowley,

Inter-Arrival Curves for Multi-Mode and Online Anomaly Detection Mahmoud Salem, Mark Crowley,

Work-in-Progress Session Inter-Arrival Curves for Multi-Mode and Online Anomaly Detection Mahmoud Salem, Mark Crowley, and Sebastian Fischmeister 2 Inter-arrival Curves for Anomaly Detection [1] Inter-arrival curves make good features for

514 views • 8 slides
Reproducibility and Cross-study Replicability of Prognostic Signatures from High Throughput

Reproducibility and Cross-study Replicability of Prognostic Signatures from High Throughput

Reproducibility and Cross-study Replicability of Prognostic Signatures from High Throughput Genomic Data giovanni parmigiani@dfci.harvard.edu 2014 Rutgers Statistics Symposium signatures and prognosis Sorlie PNAS 03 CuratedOvarianData

275 views • 24 slides
TRAINING INTER STATE STUDY TOUR TO NDRI KARNAL TRAINING INTER STATE STUDY TOUR TO

TRAINING INTER STATE STUDY TOUR TO NDRI KARNAL TRAINING INTER STATE STUDY TOUR TO

TRAINING INTER STATE STUDY TOUR TO NDRI KARNAL TRAINING INTER STATE STUDY TOUR TO JALGAON STUDY TOUR TO JAIPUR TRAINING WITHIN STATE TRANING AT KVK BAJAURA TRAINING WITHIN DISTRICT TRAINING AT TRAINING AT RICE AND WHEAT RESERCH

478 views • 24 slides
New NIH requirements regarding Rigor and Reproducibility

New NIH requirements regarding Rigor and Reproducibility

New NIH requirements regarding Rigor and Reproducibility http://grants.nih.gov/reproducibility/faqs.htm 1. The scientific premise of the proposed research 2. Rigorous experimental design for robust and unbiased results 3. Consideration of

333 views • 10 slides
The structure of European development Community detection in inter-industry and external

The structure of European development Community detection in inter-industry and external

Introduction Methodology Community Detection Labour and Subsystems From IO to Countries From Trade to Commodities The structure of European development Community detection in inter-industry and external trade networks Nadia Garbellini

839 views • 65 slides
Computational Reproducibility in Production Physics Applications Numerical Reproducibility at

Computational Reproducibility in Production Physics Applications Numerical Reproducibility at

Slide 1 Computational Reproducibility in Production Physics Applications Numerical Reproducibility at Exascale Workshop Supercomputing 2015 November 20, 2015 Robert W. Robey Los Alamos National Laboratory LA-UR-15-28798 UNCLASSIFIED

115 views • 10 slides
Open data provenance and reproducibility: a case study from publishing CMS open data Tibor

Open data provenance and reproducibility: a case study from publishing CMS open data Tibor

Open data provenance and reproducibility: a case study from publishing CMS open data Tibor Simko 1 Heitor Pascoal de Bittencourt 2 Edgar Carrera 2 Clemens Lange 2 Kati Lassila-Perini 2 Lara Lloret 2 Tom McCauley 2 Jan Okraska 1 Daniel

391 views • 15 slides
Study on Winter Road Surface Friction Characteristics and Their Reproducibility Roberto TOKUNAGA 1

Study on Winter Road Surface Friction Characteristics and Their Reproducibility Roberto TOKUNAGA 1

2016 International Conference &amp; Workshop on Winter Maintenance and Surface Transportation Weather Study on Winter Road Surface Friction Characteristics and Their Reproducibility Roberto TOKUNAGA 1 , Akihiro FUJIMOTO 1 , Kenji SATO 1 , Naoto

189 views • 14 slides
Compressing Inverted Indexes with Recursive Graph Bisection: A Reproducibility Study Joel

Compressing Inverted Indexes with Recursive Graph Bisection: A Reproducibility Study Joel

Compressing Inverted Indexes with Recursive Graph Bisection: A Reproducibility Study Joel Mackenzie 1 Antonio Mallia 2 Mathias Petri 3 J. Shane Culpepper 1 Torsten Suel 2 1 RMIT University, Melbourne, Australia 2 New York University, New York, USA

1.07k views • 61 slides
Right-Linear Grammars Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department

Right-Linear Grammars Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department

Objectives Conversion to Right-Linear Grammar Right-Linear Grammars Dr. Mattox Beckman University of Illinois at Urbana-Champaign Department of Computer Science Objectives Conversion to Right-Linear Grammar Objectives You should be able to

287 views • 9 slides
A 10GE Monitoring System Arin Vijn arien@ams-ix.net Agenda - Introduction The role of an

A 10GE Monitoring System Arin Vijn arien@ams-ix.net Agenda - Introduction The role of an

A 10GE Monitoring System Arin Vijn arien@ams-ix.net Agenda - Introduction The role of an internet exchange (IX). - The problem to be solved. Real life examples - The chosen solution for that problem * The Force10's P10 IDS/IPS card *

887 views • 57 slides
JUST THE MATHS SLIDES NUMBER 16.6 LAPLACE TRANSFORMS 6 (The Dirac unit impulse function)

JUST THE MATHS SLIDES NUMBER 16.6 LAPLACE TRANSFORMS 6 (The Dirac unit impulse function)

JUST THE MATHS SLIDES NUMBER 16.6 LAPLACE TRANSFORMS 6 (The Dirac unit impulse function) by A.J.Hobson 16.6.1 The definition of the Dirac unit impulse function 16.6.2 The Laplace Transform of the Dirac unit impulse function 16.6.3

447 views • 16 slides
7 Network Layer Network Layer BGP basics Internet inter-AS routing: BGP when AS2 advertises

7 Network Layer Network Layer BGP basics Internet inter-AS routing: BGP when AS2 advertises

Network Layer Network Layer RIP ( Routing Information Protocol) RIP advertisements distance vectors: exchanged among distance vector algorithm neighbors every 30 sec via Response included in BSD-UNIX Distribution in 1982 Message

746 views • 3 slides
A Brief Review of Quantum Information Aspects of Black Hole Evaporation Reference: M. Hotta and

A Brief Review of Quantum Information Aspects of Black Hole Evaporation Reference: M. Hotta and

A Brief Review of Quantum Information Aspects of Black Hole Evaporation Reference: M. Hotta and A. Sugita, Prog. Theor. Exp. Phys, 123B04 (2015). M. Hotta, R. Schtzhold and W. G. Unruh, Phys. Rev. D 91, 124060 (2015). M. Hotta, Y. Nambu, and

1.33k views • 105 slides
Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing

Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing

Scalable Routing Outline Routing Algorithms Scalability 1 Overview Forwarding vs Routing forwarding: to select an output port based on destination address and routing table routing: process by which routing table is built

543 views • 13 slides
The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983

The elliptic-curve zoo D. J. Bernstein University of Illinois at Chicago EC point counting 1983 (published 1985) Schoof: Algorithm to count points on elliptic curves over finite fields. Input: prime power q ; F q such that 6(4

784 views • 47 slides
Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local

Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local

Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local forwarding table header value output link in the Internet 0100 3 0101 2 0111 2 1001 1 value in arriving packets header 1 0111 2 3

403 views • 8 slides

More recommend