Detection, Classification, and Analysis of Inter-Domain Traffic - - PowerPoint PPT Presentation

Detection, Classification, and Analysis

• f Inter-Domain Traffic

with Spoofed Source IP Addresses

@Internet Measurement Conference ’17, London

Introduction

The Unsolved Spoofing Problem

Need for insights about qualitative and quantitative characteristics of spoofed traffic and AS level spoofability

Detecting Spoofed Traffic is Hard...

?

SRC IP: 149.10.4.2

?

How do we decide if a given packet has a spoofed source IP address?

Overview

Contributions

passive

Contributions

passive

Contributions

passive

Contributions

passive

Identifying Spoofed Traffic

Classifying IP Source Addresses

What we want to uncover... not of the interface of the sending host Feature we can leverage...

Classifying IP Source Addresses

What we want to uncover... not of the interface of the sending host Feature we can leverage...

Classifying IP Source Addresses

What we want to uncover... not of the interface of the sending host Feature we can leverage...

Things We Should Never See on the Internet: Bogon

IPv4 space routable (86.2%) bogon (13.8%)

Bogon

Things We Should Never See on the Internet: Unrouted

IPv4 space routable (86.2%) unrouted (18.1%) AS agnostic bogon (13.8%)

Unrouted

• not

Who is Allowed to Send What?

IPv4 space routed (68.1%) invalid valid AS specific routable (86.2%) unrouted (18.1%) AS agnostic bogon (13.8%)

valid source valid prefixes per AS

Who is Allowed to Send What?

IPv4 space routed (68.1%) invalid valid AS specific routable (86.2%) unrouted (18.1%) AS agnostic bogon (13.8%)

valid source valid prefixes per AS

Who is Allowed to Send What?

IPv4 space routed (68.1%) invalid valid AS specific routable (86.2%) unrouted (18.1%) AS agnostic bogon (13.8%)

valid source valid prefixes per AS

Identifying Invalid: Legitimate IP Address Space per AS

• ther ASes

AS B AS D AS C AS A

Public Internet

Identifying Invalid: Legitimate IP Address Space per AS

• ther ASes

AS B AS D AS C AS A

AS A announcing prefixes p1 and p2 to the other ASes Public Internet p1, p2 Announcement

Assumption

Identifying Invalid: Legitimate IP Address Space per AS

• ther ASes

AS B AS D AS C AS A

AS A announcing prefixes p1 and p2 to the other ASes Public Internet p1, p2 p1 p2 ... List of valid prefixes for AS A Announcement

Identifying Invalid: Legitimate IP Address Space per AS

• ther ASes

AS B AS D AS C AS A

Public Internet p1, p2,p3,p4,p5,p6 p4, p5, p6 p3 Extend prefix list of AS A by prefixes of downstream ASes p1 p2 p3 p4 p5 p6 Announcement

Identifying Invalid: Legitimate IP Address Space per AS

• ther ASes

AS B AS D AS C

Public Internet p1, p2,p3,p4,p5,p6 p4, p5, p6 p3 p1 p2 p3 p4 p5 p6 Announcement

AS A

Traffic from AS A with SRC IP not announced by AS A or its downstream AS Traffic Flow SRC IP ∉ {p1,p2,p3,p4,p5,p6}

NOT

Identifying invalid: Three Approaches

“Naive” approach CAIDA Customer Cone (CC) Full Cone

Identifying invalid: Three Approaches

“Naive” approach CAIDA Customer Cone (CC) Full Cone

Identifying invalid: Three Approaches

“Naive” approach CAIDA Customer Cone (CC) Full Cone

Identifying invalid: Three Approaches

“Naive” approach CAIDA Customer Cone (CC) Full Cone

Identifying invalid: Three Approaches

“Naive” approach CAIDA Customer Cone (CC) Full Cone

Challenges

Multi AS Organisations Hidden AS relationships Not all traffic is intentionally spoofed (stray traffic)

Applying Our Methodology at a Large European IXP

Flow Data

700 members 5 Tb/s 4 weeks

How Much Traffic do We Find?

Total Traffic % Bytes

• 500

1000 1500 Packet sizes Fraction of Packets 0.0 0.2 0.4 0.6 0.8 1.0

Bogon Unrouted Invalid Regular

amplification attacks answer traffic orders of magnitude larger

How Much Traffic do We Find?

Total Traffic % Bytes

• 500

1000 1500 Packet sizes Fraction of Packets 0.0 0.2 0.4 0.6 0.8 1.0

Bogon Unrouted Invalid Regular

amplification attacks answer traffic orders of magnitude larger

How Many IXP Member ASes Contribute?

72% 52% 57% 30% of the IXP members do not filter any class!

14.59% 9.18% 2.24% 8.92% 18.11% 16.67% 30.29% Regular Bogon Unrouted Invalid

Who Contributes? hosters end-user ISPs

How Many IXP Member ASes Contribute?

72% 52% 57% 30% of the IXP members do not filter any class!

14.59% 9.18% 2.24% 8.92% 18.11% 16.67% 30.29% Regular Bogon Unrouted Invalid

Who Contributes? hosters end-user ISPs

How Many IXP Member ASes Contribute?

72% 52% 57% 30% of the IXP members do not filter any class!

14.59% 9.18% 2.24% 8.92% 18.11% 16.67% 30.29% Regular Bogon Unrouted Invalid

Who Contributes? hosters end-user ISPs

How Many IXP Member ASes Contribute?

72% 52% 57% 30% of the IXP members do not filter any class!

14.59% 9.18% 2.24% 8.92% 18.11% 16.67% 30.29% Regular Bogon Unrouted Invalid

Who Contributes? hosters end-user ISPs

What We Find: Traffic Mix

fraction of packets 0.0 0.2 0.4 0.6 0.8 1.0 r e g u l a r b

• g
• n

u n r

• u

t e d i n v a l i d r e g u l a r b

• g
• n

u n r

• u

t e d i n v a l i d r e g u l a r b

• g
• n

u n r

• u

t e d i n v a l i d r e g u l a r b

• g
• n

u n r

• u

t e d i n v a l i d 80 443 123 27015 10100 28960

• ther

TCP DST UDP DST TCP SRC UDP SRC

What We Find: Traffic Mix

fraction of packets 0.0 0.2 0.4 0.6 0.8 1.0 r e g u l a r b

• g
• n

u n r

• u

t e d i n v a l i d r e g u l a r b

• g
• n

u n r

• u

t e d i n v a l i d r e g u l a r b

• g
• n

u n r

• u

t e d i n v a l i d r e g u l a r b

• g
• n

u n r

• u

t e d i n v a l i d 80 443 123 27015 10100 28960

• ther

TCP DST UDP DST TCP SRC UDP SRC

What We Find: Traffic Mix

fraction of packets 0.0 0.2 0.4 0.6 0.8 1.0 r e g u l a r b

• g
• n

u n r

• u

t e d i n v a l i d r e g u l a r b

• g
• n

u n r

• u

t e d i n v a l i d r e g u l a r b

• g
• n

u n r

• u

t e d i n v a l i d r e g u l a r b

• g
• n

u n r

• u

t e d i n v a l i d 80 443 123 27015 10100 28960

• ther

TCP DST UDP DST TCP SRC UDP SRC

Attack Patterns: Selective Spoofing

SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3

63.115.52.200 64.61.128.157 115.84.242.113 12.151.32.194

SRC: 130.149.220.3SRC: 130.149.220.3 SRC: 130.149.220.3

47.96.36.133 130.149.220.3

Selective Spoofing

Attack Patterns: Selective Spoofing

SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3 SRC: 130.149.220.3

63.115.52.200 64.61.128.157 115.84.242.113 12.151.32.194

SRC: 130.149.220.3SRC: 130.149.220.3 SRC: 130.149.220.3

47.96.36.133 130.149.220.3

Attack response traffic

Selective Spoofing

Attack Patterns: Random Spoofing

130.149.220.3

SRC: 192.168.1.4 SRC: 1.1.1.1 SRC: 10.20.1.15 SRC: 123.64.10.1 SRC: 23.23.23.23 SRC: 255.255.255.0 SRC: 1.1.1.2 SRC: 23.23.23.24 SRC: 23.23.23.25 SRC: 8.8.8.8 SRC: 43.77.80.23

Random Spoofing

Random vs. Selective Spoofing

# SRC IPs / # Pkts Fraction of DST IPs 0.0 0.2 0.4 0.6 0.8 1.0

Bogon Unrouted Invalid

0.2 0.4 0.6 0.8 1.0

Random vs. Selective Spoofing

# SRC IPs / # Pkts Fraction of DST IPs 0.0 0.2 0.4 0.6 0.8 1.0

Bogon Unrouted Invalid

0.2 0.4 0.6 0.8 1.0

Random vs. Selective Spoofing

# SRC IPs / # Pkts Fraction of DST IPs 0.0 0.2 0.4 0.6 0.8 1.0

Bogon Unrouted Invalid

0.2 0.4 0.6 0.8 1.0

Random vs. Selective Spoofing

# SRC IPs / # Pkts Fraction of DST IPs 0.0 0.2 0.4 0.6 0.8 1.0

Bogon Unrouted Invalid

0.2 0.4 0.6 0.8 1.0

Random vs. Selective Spoofing

# SRC IPs / # Pkts Fraction of DST IPs 0.0 0.2 0.4 0.6 0.8 1.0

Bogon Unrouted Invalid

0.2 0.4 0.6 0.8 1.0

Random vs. Selective Spoofing

# SRC IPs / # Pkts Fraction of DST IPs 0.0 0.2 0.4 0.6 0.8 1.0

Bogon Unrouted Invalid

0.2 0.4 0.6 0.8 1.0

Random vs. Selective Spoofing

# SRC IPs / # Pkts Fraction of DST IPs 0.0 0.2 0.4 0.6 0.8 1.0

Bogon Unrouted Invalid

0.2 0.4 0.6 0.8 1.0

Random vs. Selective Spoofing

# SRC IPs / # Pkts Fraction of DST IPs 0.0 0.2 0.4 0.6 0.8 1.0

Bogon Unrouted Invalid

0.2 0.4 0.6 0.8 1.0

Random vs. Selective Spoofing

# SRC IPs / # Pkts Fraction of DST IPs 0.0 0.2 0.4 0.6 0.8 1.0

Bogon Unrouted Invalid

0.2 0.4 0.6 0.8 1.0

Random vs. Selective Spoofing

# SRC IPs / # Pkts Fraction of DST IPs 0.0 0.2 0.4 0.6 0.8 1.0

Bogon Unrouted Invalid

0.2 0.4 0.6 0.8 1.0

Who is being Spoofed? (Invalid Source IPs)

64 128 192 256 invalid

Who is being Spoofed? (Invalid Source IPs)

64 128 192 256 invalid

Who is being Spoofed? (Invalid Source IPs)

64 128 192 256 invalid

Who is being Spoofed? (Invalid Source IPs)

64 128 192 256 invalid

Who is being Spoofed? (Invalid Source IPs)

64 128 192 256 invalid

NTP Amplification Attacks

Time UDP port 123 (NTP) traffic 0:00 12:00 0:00 12:00 0:00 12:00 0:00 12:00 0:00 12:00 0:00 12:00 0:00 12:00 0:00 105 106 107 108

Bytes from amplifier Bytes to amplifier

NTP Amplification Attacks

Time UDP port 123 (NTP) traffic 0:00 12:00 0:00 12:00 0:00 12:00 0:00 12:00 0:00 12:00 0:00 12:00 0:00 12:00 0:00 105 106 107 108

Bytes from amplifier Bytes to amplifier

NTP Amplification Attacks

Time UDP port 123 (NTP) traffic 0:00 12:00 0:00 12:00 0:00 12:00 0:00 12:00 0:00 12:00 0:00 12:00 0:00 12:00 0:00 105 106 107 108

Bytes from amplifier Bytes to amplifier

Conclusion

Summary

Passive Very conservative minimize false positives in the wild Future work

Summary

Passive Very conservative minimize false positives in the wild Future work