Challenges in Inferring Spoofed Traffic at IXPs Matthew Luckie - - PowerPoint PPT Presentation
Challenges in Inferring Spoofed Traffic at IXPs Matthew Luckie Bradley Huffaker Lucas Mller University of Waikato CAIDA/UC San Diego UFRGS/CAIDA Kc Claffy Marinho Barcellos CAIDA/UC San Diego UFRGS/University of Waikato ACM CoNEXT
UFRGS/CAIDA
University of Waikato
CAIDA/UC San Diego
CAIDA/UC San Diego
UFRGS/University of Waikato
ACM CoNEXT 2019 — Orlando, Florida, U.S.A. December 9-12, 2019
2
3
3
3
3
4
IPv4 header
4
IPv4 header
4
IPv4 header
5
5
We need to identify networks lacking SAV deployment, but doing this is challenging at Internet scale
5
We need to identify networks lacking SAV deployment, but doing this is challenging at Internet scale
vantage point in each network being tested
5
We need to identify networks lacking SAV deployment, but doing this is challenging at Internet scale
vantage point in each network being tested
CAIDA's 2017 visualization of IPv4 Internet topology at the Autonomous System (AS) level
5
We need to identify networks lacking SAV deployment, but doing this is challenging at Internet scale
vantage point in each network being tested
assessment of Internet spoofing
CAIDA's 2017 visualization of IPv4 Internet topology at the Autonomous System (AS) level
6
700+ Internet Exchange Points (IXP)
[PeeringDB, 2019]
We need to identify networks lacking SAV deployment, but doing this is challenging at Internet scale
vantage point in each network being tested
assessment of Internet spoofing
7
8
9
9
Provide detailed analysis of methodological challenges for inferring spoofed packets at IXPs
9
Provide detailed analysis of methodological challenges for inferring spoofed packets at IXPs
Developed a methodology to classify flows, navigating through all challenges identified
9
Provide detailed analysis of methodological challenges for inferring spoofed packets at IXPs
Developed a methodology to classify flows, navigating through all challenges identified
Used our methodology and compare it with the state-of-the-art[1] at an IXP in Brazil, reporting our findings
[1] Lichtblau et al. Detection, Classification, and Analysis of Inter-domain Traffic with Spoofed Source IP Addresses. In: ACM IMC, 2017.
10
10
IXP traffic flow data and topology information
10
IXP traffic flow data and topology information valid IP address space per Autonomous System (AS)
10
IXP traffic flow data and topology information valid IP address space per Autonomous System (AS) Classification Pipeline Methodology list of networks with and without SAV, with evidence to support
11
11
11
11
11
11
11
12
IP Address Space
12
IETF Reserved Bogons
Usable IP Address Space
12
Unassigned Routed
IETF Reserved Bogons
Usable IP Address Space
12
Unassigned Routed
IETF Reserved Bogons
Usable IP Address Space
Inferred based on BGP data and the links established by each AS
12
Unassigned Routed
IETF Reserved Bogons
Usable IP Address Space
Inferred based on BGP data and the links established by each AS Define the set of ASes a given AS can reach through its customers Customer Cones
13
168.228.252.0/22 200.17.80.0/20 200.132.59.0/24 200.236.32.0/19 200.19.0.0/21 200.238.0.0/18 … 13.32.136.2/23 52.216.180/24 75.2.82.0/24 161.38.206.0/23 216.137.62.0/24 … AS64505 Prefix-level Customer Cone Amazon’s AS Prefix-level Customer Cone
13
168.228.252.0/22 200.17.80.0/20 200.132.59.0/24 200.236.32.0/19 200.19.0.0/21 200.238.0.0/18 … 13.32.136.2/23 52.216.180/24 75.2.82.0/24 161.38.206.0/23 216.137.62.0/24 … AS64505 Prefix-level Customer Cone Amazon’s AS Prefix-level Customer Cone
Core Switch Legend: IXP switching fabric #X Switch
14
Core Switch CF #1 CF #2 CF #3 CF #4 Legend: Switch Physical connection CF: Colocation Facility IXP switching fabric #X
15
Core Switch CF #1 CF #2
AS C AS B
CF #3 CF #4 Legend: Physical connection and VLAN configured to neighbor
AS Z
Autonomous System IXP switching fabric #X
AS D AS A
Switch Physical connection CF: Colocation Facility
16
Core Switch CF #1 CF #2
AS C AS B
CF #3 CF #4 Legend:
Res Z
Reseller
AS F AS G Res J
IXP switching fabric #X Stacked VLAN (IEEE 802.1q, QinQ)
AS H AS D AS E
Reseller-Tag: IXP-Tag:
AS A
Physical connection and VLAN configured to neighbor
AS Z
Autonomous System Switch Physical connection CF: Colocation Facility
17
Core Switch Core Switch CF #1 CF #2
AS C AS B
CF #3 CF #4 Legend: CF #5 CF #6
AS F AS G Res J
IXP switching fabric #X IXP switching fabric #Y
AS H AS D AS E AS E AS A Res Z
Reseller Stacked VLAN (IEEE 802.1q, QinQ) Reseller-Tag: IXP-Tag: Physical connection and VLAN configured to neighbor
AS Z
Autonomous System Switch Physical connection CF: Colocation Facility
18
Core Switch Core Switch CF #1 CF #2
AS C AS B
CF #3 CF #4 Legend: CF #5 CF #6
Connection between metropolitan regions
AS F AS G Res J
IXP switching fabric #X IXP switching fabric #Y
AS H AS D AS E AS E
Res K Res K AS A Res Z
Reseller Stacked VLAN (IEEE 802.1q, QinQ) Reseller-Tag: IXP-Tag: Physical connection and VLAN configured to neighbor
AS Z
Autonomous System Switch Physical connection CF: Colocation Facility
19
Core Switch Core Switch CF #1 CF #2
AS C AS B
CF #3 CF #4 Legend: CF #5 CF #6
AS F AS G Res J
IXP switching fabric #X IXP switching fabric #Y
AS H AS D AS E AS E
M
Res K Res K AS A
and VLAN configured Autonomous
20
IXP
services
not visible to the IP layer or in the BGP Protocol
classification processing
(1) c2p: customer-to-provider (2) p2p: peer-to-peer
A B Pe Cu Pr customer B to provider A D C Pe Cu Pr C D Pe Cu Pr F Pe Cu Pr G H E Pe Cu Pr Pe Cu Pr
peer C to peer D provider E to customer F sibling G to sibling H transits only traffic from its customer cone transits all traffic (3) p2c: provider-to-customer (4) s2s: sibling-to-sibling Pr: Provider Pe: Peer Cu: Customer
X Y Z X Y Z
Legend Y will not transit packets sourced in Z to X. Y will transit packets sourced in Z to X.
21
Transits only traffic from its customer cone Transits all traffic Transits only traffic from its customer cone Transits only traffic from its customer cone
(1) c2p: customer-to-provider (2) p2p: peer-to-peer
A B Pe Cu Pr customer B to provider A D C Pe Cu Pr C D Pe Cu Pr F Pe Cu Pr G H E Pe Cu Pr Pe Cu Pr
peer C to peer D provider E to customer F sibling G to sibling H transits only traffic from its customer cone transits all traffic (3) p2c: provider-to-customer (4) s2s: sibling-to-sibling Pr: Provider Pe: Peer Cu: Customer
X Y Z X Y Z
Legend Y will not transit packets sourced in Z to X. Y will transit packets sourced in Z to X.
21
Transits only traffic from its customer cone Transits all traffic Transits only traffic from its customer cone Transits only traffic from its customer cone
(1) c2p: customer-to-provider (2) p2p: peer-to-peer
A B Pe Cu Pr customer B to provider A D C Pe Cu Pr C D Pe Cu Pr F Pe Cu Pr G H E Pe Cu Pr Pe Cu Pr
peer C to peer D provider E to customer F sibling G to sibling H transits only traffic from its customer cone transits all traffic (3) p2c: provider-to-customer (4) s2s: sibling-to-sibling Pr: Provider Pe: Peer Cu: Customer
X Y Z X Y Z
Legend Y will not transit packets sourced in Z to X. Y will transit packets sourced in Z to X.
21
Transits only traffic from its customer cone Transits all traffic Transits only traffic from its customer cone Transits only traffic from its customer cone
(1) c2p: customer-to-provider (2) p2p: peer-to-peer
A B Pe Cu Pr customer B to provider A D C Pe Cu Pr C D Pe Cu Pr F Pe Cu Pr G H E Pe Cu Pr Pe Cu Pr
peer C to peer D provider E to customer F sibling G to sibling H transits only traffic from its customer cone transits all traffic (3) p2c: provider-to-customer (4) s2s: sibling-to-sibling Pr: Provider Pe: Peer Cu: Customer
X Y Z X Y Z
Legend Y will not transit packets sourced in Z to X. Y will transit packets sourced in Z to X.
21
Transits only traffic from its customer cone Transits all traffic Transits only traffic from its customer cone
(1) c2p: customer-to-provider (2) p2p: peer-to-peer
A B Pe Cu Pr customer B to provider A D C Pe Cu Pr C D Pe Cu Pr F Pe Cu Pr G H E Pe Cu Pr Pe Cu Pr
peer C to peer D provider E to customer F sibling G to sibling H transits only traffic from its customer cone transits all traffic (3) p2c: provider-to-customer (4) s2s: sibling-to-sibling Pr: Provider Pe: Peer Cu: Customer
X Y Z X Y Z
Legend Y will not transit packets sourced in Z to X. Y will transit packets sourced in Z to X.
21
Transits only traffic from its customer cone Transits all traffic Transits only traffic from its customer cone
(1) c2p: customer-to-provider (2) p2p: peer-to-peer
A B Pe Cu Pr customer B to provider A D C Pe Cu Pr C D Pe Cu Pr F Pe Cu Pr G H E Pe Cu Pr Pe Cu Pr
peer C to peer D provider E to customer F sibling G to sibling H transits only traffic from its customer cone transits all traffic (3) p2c: provider-to-customer (4) s2s: sibling-to-sibling Pr: Provider Pe: Peer Cu: Customer
X Y Z X Y Z
Legend Y will not transit packets sourced in Z to X. Y will transit packets sourced in Z to X.
21
Transits only traffic from its customer cone Transits all traffic Transits only traffic from its customer cone
(1) c2p: customer-to-provider (2) p2p: peer-to-peer
A B Pe Cu Pr customer B to provider A D C Pe Cu Pr C D Pe Cu Pr F Pe Cu Pr G H E Pe Cu Pr Pe Cu Pr
peer C to peer D provider E to customer F sibling G to sibling H transits only traffic from its customer cone transits all traffic (3) p2c: provider-to-customer (4) s2s: sibling-to-sibling Pr: Provider Pe: Peer Cu: Customer
X Y Z X Y Z
Legend Y will not transit packets sourced in Z to X. Y will transit packets sourced in Z to X.
21
Transits only traffic from its customer cone Transits all traffic
22
Spoofer-IX method
MAC-to-AS mapping traffjc fmow data
list of networks inferred as with and without SAV, with evidence to support IXP data (§5)
bogon prefjxes unassigned prefjxes routable address space per AS
Address space fundamentals(§2.2)
Prefjx-Level Customer Cone Algorithm Traffjc Classifjcation Pipeline AS-Level Customer Cone Algorithm AS Relationship Inference Algorithm prefjx-to-AS mapping AS relationships inferred siblings ASes IXP validation data to check AS-relationships and prefjxes inferred BGP routing data IANA allocated ASes records
Stage 1: Build the Customer Cone
Route Server data Looking Glass Server data
Stage 2: Classify IXP Traffjc
IXP list
(§4.1) (§4.2) (§4)
VLANs mapping (see Flowchart in §4.2 with the details) AS Relationship Inference Algorithm output
See paper for details
22
Spoofer-IX method
MAC-to-AS mapping traffjc fmow data
list of networks inferred as with and without SAV, with evidence to support IXP data (§5)
bogon prefjxes unassigned prefjxes routable address space per AS
Address space fundamentals(§2.2)
Prefjx-Level Customer Cone Algorithm Traffjc Classifjcation Pipeline AS-Level Customer Cone Algorithm AS Relationship Inference Algorithm prefjx-to-AS mapping AS relationships inferred siblings ASes IXP validation data to check AS-relationships and prefjxes inferred BGP routing data IANA allocated ASes records
Stage 1: Build the Customer Cone
Route Server data Looking Glass Server data
Stage 2: Classify IXP Traffjc
IXP list
(§4.1) (§4.2) (§4)
VLANs mapping (see Flowchart in §4.2 with the details) AS Relationship Inference Algorithm output
See paper for details
Divided into two stages
22
Spoofer-IX method
MAC-to-AS mapping traffjc fmow data
list of networks inferred as with and without SAV, with evidence to support IXP data (§5)
bogon prefjxes unassigned prefjxes routable address space per AS
Address space fundamentals(§2.2)
Prefjx-Level Customer Cone Algorithm Traffjc Classifjcation Pipeline AS-Level Customer Cone Algorithm AS Relationship Inference Algorithm prefjx-to-AS mapping AS relationships inferred siblings ASes IXP validation data to check AS-relationships and prefjxes inferred BGP routing data IANA allocated ASes records
Stage 1: Build the Customer Cone
Route Server data Looking Glass Server data
Stage 2: Classify IXP Traffjc
IXP list
(§4.1) (§4.2) (§4)
VLANs mapping (see Flowchart in §4.2 with the details) AS Relationship Inference Algorithm output
See paper for details
Divided into two stages
22
Spoofer-IX method
MAC-to-AS mapping traffjc fmow data
list of networks inferred as with and without SAV, with evidence to support IXP data (§5)
bogon prefjxes unassigned prefjxes routable address space per AS
Address space fundamentals(§2.2)
Prefjx-Level Customer Cone Algorithm Traffjc Classifjcation Pipeline AS-Level Customer Cone Algorithm AS Relationship Inference Algorithm prefjx-to-AS mapping AS relationships inferred siblings ASes IXP validation data to check AS-relationships and prefjxes inferred BGP routing data IANA allocated ASes records
Stage 1: Build the Customer Cone
Route Server data Looking Glass Server data
Stage 2: Classify IXP Traffjc
IXP list
(§4.1) (§4.2) (§4)
VLANs mapping (see Flowchart in §4.2 with the details) AS Relationship Inference Algorithm output
See paper for details
Divided into two stages
23
(state-of-the-art [1])
(Prefix-level Customer Cone)
Brief overview in this talk See paper for full details
23
(state-of-the-art [1])
(Prefix-level Customer Cone)
Brief overview in this talk See paper for full details
Do not distinguish types of AS-relationships Takes into account the semantics of AS-relationships [2]
23
(state-of-the-art [1])
(Prefix-level Customer Cone)
Brief overview in this talk See paper for full details
sacrifices specificity, i.e., inflating the address space considered legitimate
[1] Lichtblau et al. Detection, Classification, and Analysis
In: ACM IMC, 2017.
Spoofer-IX method MAC-to-AS mapping traffjc fmow data list of networks inferred as with and without SAV, with evidence to support IXP data (§5) bogon prefjxes unassigned prefjxes routable address space per AS Address space fundamentals(§2.2) Prefjx-Level Customer Cone Algorithm Traffjc Classifjcation Pipeline AS-Level Customer Cone Algorithm AS Relationship Inference Algorithm prefjx-to-AS mapping AS relationships inferred siblings ASes IXP validation data to check AS-relationships and prefjxes inferred BGP routing data IANA allocated ASes records Stage 1: Build the Customer Cone Route Server data Looking Glass Server data Stage 2: Classify IXP Traffjc IXP list (§4.1) (§4.2) (§4) VLANs mapping (see Flowchart in §4.2 with the details) AS Relationship Inference Algorithm outputDo not distinguish types of AS-relationships Takes into account the semantics of AS-relationships [2]
23
(state-of-the-art [1])
(Prefix-level Customer Cone)
Brief overview in this talk See paper for full details
sacrifices specificity, i.e., inflating the address space considered legitimate
accommodates traffic engineering practices
[1] Lichtblau et al. Detection, Classification, and Analysis
In: ACM IMC, 2017. [2] Luckie et al. AS Relationships, Customer Cones, and Validation. In: ACM IMC, 2013.
Spoofer-IX method MAC-to-AS mapping traffjc fmow data list of networks inferred as with and without SAV, with evidence to support IXP data (§5) bogon prefjxes unassigned prefjxes routable address space per AS Address space fundamentals(§2.2) Prefjx-Level Customer Cone Algorithm Traffjc Classifjcation Pipeline AS-Level Customer Cone Algorithm AS Relationship Inference Algorithm prefjx-to-AS mapping AS relationships inferred siblings ASes IXP validation data to check AS-relationships and prefjxes inferred BGP routing data IANA allocated ASes records Stage 1: Build the Customer Cone Route Server data Looking Glass Server data Stage 2: Classify IXP Traffjc IXP list (§4.1) (§4.2) (§4) VLANs mapping (see Flowchart in §4.2 with the details) AS Relationship Inference Algorithm outputDo not distinguish types of AS-relationships Takes into account the semantics of AS-relationships [2]
24
Is SRC AS in Ingress AS's Customer Cone?
Unverifiable Out-of-Cone In-cone
Do we have Mac-to-AS Mapping (ingress, egress) validation ? Given the ingress and egress ASs, is there a verifiable Customer Cone?
No No Yes Yes Yes No source IP + ingress and egress AS + VLANs
Is SRC IP Bogon? Is SRC IP Unassigned?
Bogon No start: for each flow Yes Unassigned Yes source IP only + VLANs No
Phase 1 Phase 2 Phase 3
Spoofer-IX method MAC-to-AS mapping traffjc fmow data list of networks inferred as with and without SAV, with evidence to support IXP data (§5) bogon prefjxes unassigned prefjxes routable address space per AS Address space fundamentals(§2.2) Prefjx-Level Customer Cone Algorithm Traffjc Classifjcation Pipeline AS-Level Customer Cone Algorithm AS Relationship Inference Algorithm prefjx-to-AS mapping AS relationships inferred siblings ASes IXP validation data to check AS-relationships and prefjxes inferred BGP routing data IANA allocated ASes records Stage 1: Build the Customer Cone Route Server data Looking Glass Server data Stage 2: Classify IXP Traffjc IXP list (§4.1) (§4.2) (§4) VLANs mapping (see Flowchart in §4.2 with the details) AS Relationship Inference Algorithm output 24
Is SRC AS in Ingress AS's Customer Cone?
Unverifiable Out-of-Cone In-cone
Do we have Mac-to-AS Mapping (ingress, egress) validation ? Given the ingress and egress ASs, is there a verifiable Customer Cone?
No No Yes Yes Yes No source IP + ingress and egress AS + VLANs
Is SRC IP Bogon? Is SRC IP Unassigned?
Bogon No start: for each flow Yes Unassigned Yes source IP only + VLANs No
Phase 1 Phase 2 Phase 3
this phase is independent of any routing semantics
Spoofer-IX method MAC-to-AS mapping traffjc fmow data list of networks inferred as with and without SAV, with evidence to support IXP data (§5) bogon prefjxes unassigned prefjxes routable address space per AS Address space fundamentals(§2.2) Prefjx-Level Customer Cone Algorithm Traffjc Classifjcation Pipeline AS-Level Customer Cone Algorithm AS Relationship Inference Algorithm prefjx-to-AS mapping AS relationships inferred siblings ASes IXP validation data to check AS-relationships and prefjxes inferred BGP routing data IANA allocated ASes records Stage 1: Build the Customer Cone Route Server data Looking Glass Server data Stage 2: Classify IXP Traffjc IXP list (§4.1) (§4.2) (§4) VLANs mapping (see Flowchart in §4.2 with the details) AS Relationship Inference Algorithm output 25
Is SRC AS in Ingress AS's Customer Cone?
Unverifiable Out-of-Cone In-cone
Do we have Mac-to-AS Mapping (ingress, egress) validation ? Given the ingress and egress ASs, is there a verifiable Customer Cone?
No No Yes Yes Yes No source IP + ingress and egress AS + VLANs
Is SRC IP Bogon? Is SRC IP Unassigned?
Bogon No start: for each flow Yes Unassigned Yes source IP only + VLANs No
Phase 1 Phase 2 Phase 3
packets that are not suitable to inference of spoofing using the inferred cones
26
Is SRC AS in Ingress AS's Customer Cone?
Unverifiable Out-of-Cone In-cone
Do we have Mac-to-AS Mapping (ingress, egress) validation ? Given the ingress and egress ASs, is there a verifiable Customer Cone?
No No Yes Yes Yes No source IP + ingress and egress AS + VLANs
Is SRC IP Bogon? Is SRC IP Unassigned?
Bogon No start: for each flow Yes Unassigned Yes source IP only + VLANs No
Phase 1 Phase 2 Phase 3
packets whose source IP belongs to the sending AS’s customer cone address space are classified as in-cone. Otherwise, we classify the packet as out-of-cone
Spoofer-IX method MAC-to-AS mapping traffjc fmow data list of networks inferred as with and without SAV, with evidence to support IXP data (§5) bogon prefjxes unassigned prefjxes routable address space per AS Address space fundamentals(§2.2) Prefjx-Level Customer Cone Algorithm Traffjc Classifjcation Pipeline AS-Level Customer Cone Algorithm AS Relationship Inference Algorithm prefjx-to-AS mapping AS relationships inferred siblings ASes IXP validation data to check AS-relationships and prefjxes inferred BGP routing data IANA allocated ASes records Stage 1: Build the Customer Cone Route Server data Looking Glass Server data Stage 2: Classify IXP Traffjc IXP list (§4.1) (§4.2) (§4) VLANs mapping (see Flowchart in §4.2 with the details) AS Relationship Inference Algorithm output at the Brazilian IX.br ecosystem
among 200+ members
27 Blue box: IXPs Iocations.
Brazilian IX.br ecosystem [IX.br, 2019]
[1] Lichtblau et al. Detection, Classification, and Analysis of Inter-domain Traffic with Spoofed Source IP Addresses. In: ACM IMC, 2017.
28
Brief overview See paper for details
29
Apr 1 - May 6, 2017 May 1 - Jun 5, 2019
(i) In-cone (ii) Unverifiable (iv) Bogon (iii) Out-of-cone
29
Apr 1 - May 6, 2017 May 1 - Jun 5, 2019
29
Apr 1 - May 6, 2017 May 1 - Jun 5, 2019
29
Apr 1 - May 6, 2017 May 1 - Jun 5, 2019
29
Apr 1 - May 6, 2017 May 1 - Jun 5, 2019
29
Apr 1 - May 6, 2017 May 1 - Jun 5, 2019
30
(a) Spoofer-IX (b) State-of-the-art
30
(a) Spoofer-IX (b) State-of-the-art
30
(a) Spoofer-IX (b) State-of-the-art
31
(b) State-of-the-art
Traffic Volume (Gbps) 0.5 1 transport 1.5 2 2.5 3 01 May 02 May 03 May 04 May 05 May 06 May 07 May 08
May p2c−outofcone
Unverifiable traffic
92.6% was sent from a provider to a customer across the exchange — where no cone of valid addresses applies
32
(b) State-of-the-art (a) Spoofer-IX
33
(b) State-of-the-art (a) Spoofer-IX
34
(b) State-of-the-art (a) Spoofer-IX
35
35
Lucas Müller lfmuller@inf.ufrgs.br