ip spoofer project
play

IP Spoofer Project Observations on four-years of data Rob Beverly, - PowerPoint PPT Presentation

Jan 01, 2024 •100 likes •692 views

IP Spoofer Project Observations on four-years of data Rob Beverly, Arthur Berger, Young Hyun {rbeverly,awberger}@csail.mit, youngh@caida ISMA AIMS 2009 February 12, 2009 Spoofer Project Background Recent Relevance Project

  1. IP Spoofer Project Observations on four-years of data Rob Beverly, Arthur Berger, Young Hyun {rbeverly,awberger}@csail.mit, youngh@caida ISMA AIMS 2009 February 12, 2009

  2. Spoofer Project • Background • Recent Relevance • Project Description • What’s New: Methodology • What’s New: Data • Parting Thoughts 2

  3. Spoofed-Source IP Packets • Circumvent host network stack to forge or “spoof” source address of an IP packet • Lack of source address accountability a basic Internet weakness: – Anonymity, indirection [VP01], amplification • Security issue for more than two-decades [RTM85, Bellovin89] • Still an attack vector? 3

  4. Circa 2004… IP Source Spoofing doesn’t matter! a) All providers filter b) All modern attacks use botnets c) Compromised hosts are behind NATs 4

  5. Circa 2004… IP Source Spoofing doesn’t matter! a) All providers filter b) All modern attacks use botnets c) Compromised hosts are behind NATs !?!?! 5

  6. The Spoofer Project • Strong opinions from many sides: – Academic – Operational – Regulatory • …but only anecdotal data 6

  7. spoofer.csail.mit.edu • Internet-wide active measurement effort: – Quantify the extent and nature of Internet source address filtering • We learn and form inferences over: – Filtering policies/currently employed defenses – Filtering specificity, locations, providers, etc. – Distribution of filtering • Began Feb. 2005 7

  8. Spoofer Project • Background • Recent Relevance • Project Description • What’s New: Methodology • What’s New: Data • Parting Thoughts 8

  9. Prediction: spoofing increasingly a problem in the future • Spoofed traffic complicates a defenders job • Tracking spoofs is operationally difficult: – [Greene, Morrow, Gemberling NANOG 23] – Hash-based IP traceback [Snoeren01] – ICMP traceback [Bellovin00] Slide from SRUTI 2005 • Consider a 10,000 node zombie DDoS – Today (worst case scenario): if non-spoofing zombies are widely distributed, a network operator must defend against attack packets from 5% of routeable netblocks. – Future: if 25% of zombies capable of spoofing significant volume of the traffic could appear to come any part of the IPv4 address space • Adaptive programs that make use of all local host capabilities to amplify their attacks 9

  10. Prominent 2008 Example: DNS Amplifier Attack Attacker Victim 3 rd Party DNS Servers hack.com large TXT record 10

  11. Prominent 2008 Example: DNS Amplifier Attack Attacker Victim 3 rd Party DNS IP Src: V Servers DNS Query: hack.com TXT hack.com large TXT record 11

  12. Prominent 2008 Example: DNS Amplifier Attack Attacker Victim 3 rd Party DNS Servers $$ result IP Src: V DNS Query: hack.com TXT hack.com large TXT record 12

  13. Prominent 2008 Example: DNS Amplifier Attack Attacker Victim 3 rd Party DNS Servers IP Src: Carol IP Dst: V Large DNS TXT response hack.com large TXT record 13

  14. Prominent 2008 Example: DNS Amplifier Attack Attacker Victim 3 rd Party DNS Servers • Small spoofed DNS query is amplified into large (anonymous) response toward victim • Largest reported attack: 40Gbps* hack.com large TXT record 14 *Arbor networks 2008 infrastructure security survey

  15. Reasons to Believe Spoofing Matters (2009) • DNS Amplifier Attacks • In-Window TCP Reset Attacks • Spam Filter Circumvention • DNS Cache Poisoning • UW reverse traceroute • Spoofer web site statistics 15

  16. The Operational Side • Arbor: – “Reflective amplification attacks responsible for the largest attacks exploit IP spoofing” – “No bots were used in this attack. The attacker had a small number of compromised Linux boxes from which he’d launch the spoofed source DNS query.” • What’s an operator to do? *Arbor networks 2008 infrastructure security survey 16

  17. Operational View • Not all sources are created equal • IETF BCP38 best filtering practice Example Description Possible Source IP Defense IPv4 Address Space 1.2.3.4 Unallocated Bogon Filters 6.1.2.3 Valid (In uRPF BGP table) 192.168.1.1 RFC1918 Static private ACL Client IP ⊕ Neighbor Switch, (2 N ) Spoof DOCSIS 17

  18. Operational View • We have defenses, what’s the problem? • BCP38 suffers from: – Incentive problem – Lack of hardware support (see NANOG) – Management nightmare (edge filters) > 30% don’t filter! *Arbor networks 2008 infrastructure security survey 18

  19. Spoofer Project • Background • Recent Relevance • Project Description • What’s New: Methodology • What’s New: Data • Parting Thoughts 19

  20. Spoofer Test Client • Willing participants run “spoofer” client to test policy, perform inference, etc. – Binaries, source publicly available 20

  21. Spoofer Operation spoofer server Client Record Spoofed Source Packets Correlate • Clients attempt to send series of spoofed UDP packets to collection server: – 5 of each type with random inter-packet delay DB – UDP port 53 to avoid secondary filtering – Payload includes unique14 byte identifier • Server stores received packets in DB 21

  22. Spoofer Operation TCP Control Connection spoofer server Client Record Spoofed Source Packets Correlate • Spoofer client sends a report of spoofed packets to server via TCP DB • Client traceroutes to server and sends result • TCP destination port 80 used to avoid secondary filtering effects 22

  23. Client Population Slashdot! Advertised to Still NANOG, dshield, receiveing etc. mailing lists results 23

  24. Client Population Distribution 24

  25. Filtering Specificity • Clients test own IP ⊕ (2^n) for 0<n<24 • Filtering on a /8 boundary enables a client within that network to spoof ~16M addresses • >30% of clients “unable” to spoof can spoof neighbors • Exclude “neighbor spoof” from macro results 25

  26. • Spoofable: spoofing of private, unallocated, or valid IP packets possible from these locations • Agrees to a first-order with Arbor survey • But… these numbers cause even more disagreement! 26

  27. Spoofer Project • Background • Recent Relevance • Project Description • What’s New: Methodology • What’s New: Data • Parting Thoughts 27

  28. What’s New: Methodology • Goal: – Resolve ambiguity – Increase confidence • New: – tracefilter – Tied into CAIDA’s ark distributed measurement infrastructure – More detailed analysis – Longitudinal analysis over four-years of data 28

  29. tracefilter • A tool for locating source address validation (anti-spoofing) filters along path • “traceroute for BCP38” • Better understand who is/is not filtering 29

  30. tracefilter Client (c) spoofer server (S) • Client c works in conjunction with our server S 30

  31. tracefilter IP Src: s IP Dst: s+1 TTL: 2 Client (c) spoofer server (S) • c sends spoofed packet with: • ttl=x, src=S, dst=S+1 for 0<x<pathlen 31

  32. tracefilter IP Src: rtr IP Dst: s ICMP TTL exceeded Client (c) spoofer server (S) • S receives ICMP expiration messages from routers along path • For each decoded TTL, S records which spoofed packets are received 32

  33. tracefilter IP Src: s IP Dst: s+1 TTL: 3 Client (c) spoofer server (S) • Increase TTL, repeat • Largest TTL indicates filtering point 33

  34. tracefilter • How can S determine originating TTL of c ’s packets? • ICMP echo includes only 28 bytes of expired packet • c encodes TTL by padding payload with zeros IP UDP Payload 0x Probe : SRC: S TTL: x SRC: SessID DST: 53 DST: S+1 ICMP IP UDP Echo Type: TTL Response : SRC: S DST: S+1 TTL: 0 SRC: SessID Len: 8+x Exceeded 34

  35. tracefilter Results • 70% of filters at 1 st hop; 81% within first two hops 35

  36. tracefilter Results • 70% of filters at 1 st hop; 81% within first two hops • 97% of filters within first AS 36

  37. tracefilter Results • 70% of filters at 1 st hop; 81% within first two hops • 97% of filters within first AS If a spoofed packet passes through first two hops, likely to travel unimpeded to destination 37

  38. Ark Support • Spoofer tester now tied into CAIDA’s archipelago distributed measurement infrastructure (Ark) • Provides invaluable additional inference capability • Allows us to resolve aforementioned ambiguity 38

  39. Utilizing Ark Infrastructure spoofer server TCP Control Connection Client ark sjc-us ark her-gr ark san-us ark hlz-nz • Server and Ark nodes agree on common HMAC key • Provide client with (SRC, DST, KEY, SEQ) tuples 39

  40. Utilizing Ark Infrastructure spoofer server TCP Control Connection Client ark sjc-us Spoofed Source Packets ark her-gr ark san-us ark hlz-nz • Client sends HMAC keyed spoof probes to ark nodes • Client runs traceroute to each ark node in parallel 40

  41. Utilizing Ark Infrastructure spoofer server TCP Control Connection Client ark sjc-us Spoofed Source Packets ark her-gr ark san-us ark hlz-nz Ark Tuple Space • Ark nodes publish to tuple space • Server asynchronously picks up results 41

  42. Value of Ark • How does Ark allow us better inference • Example: 42

  43. Multiple Destinations Client R&E .mil Univ NZ Commercial MIT Univ ES 43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Spoofer Project Rob Beverly &lt;rbeverly@mit.edu&gt; MIT CSAIL March 30, 2005 Spoofer

The Spoofer Project Rob Beverly &lt;rbeverly@mit.edu&gt; MIT CSAIL March 30, 2005 Spoofer

The Spoofer Project Rob Beverly &lt;rbeverly@mit.edu&gt; MIT CSAIL March 30, 2005 Spoofer Project Background High-profile spoofing-based DDoS attacks in 2000, 2001 Does spoofing really matter in 2005? All ISP filter, right?

346 views • 10 slides
Three Years in the Life of the Spoofer Project Matthew Luckie, Ken Keys, Ryan Koga, Robert

Three Years in the Life of the Spoofer Project Matthew Luckie, Ken Keys, Ryan Koga, Robert

Three Years in the Life of the Spoofer Project Matthew Luckie, Ken Keys, Ryan Koga, Robert Beverly, kc claffy https://spoofer.caida.org/ WTMC, August 20th 2018 w w w . cai da. or Pitch Measurement enables solutions to fundamentally

779 views • 43 slides
The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet Rob Beverly

The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet Rob Beverly

The Spoofer Project Inferring the Extent of Source Address Filtering on the Internet Rob Beverly and Steve Bauer {rbeverly,bauer}@mit.edu The Spoofer Project Goal: Quantify the extent and nature of source address filtering on the

421 views • 31 slides
Cross-Layer PEP-Spoofer Approach to improve TCP Performance in DVB-RCS Netw orks Giovanni

Cross-Layer PEP-Spoofer Approach to improve TCP Performance in DVB-RCS Netw orks Giovanni

ESA Workshop on Satellite PEPs Current Status and Future Directions Cross-Layer PEP-Spoofer Approach to improve TCP Performance in DVB-RCS Netw orks Giovanni Giambene, Snezana Hadzic CNIT - Research Unit of the University of Siena Via Roma,

393 views • 37 slides
Understanding the Efficacy of Deployed Internet Source Address Validation Filtering Robert

Understanding the Efficacy of Deployed Internet Source Address Validation Filtering Robert

Understanding the Efficacy of Deployed Internet Source Address Validation Filtering Robert Beverly, Arthur Berger (MIT), Young Hyun, k claffy (UCSD/CAIDA) ACM Internet Measurement Conference 2009 Spoofer Project Background Recent

686 views • 47 slides
Project Project Project Evolution of project Structured Collaborative Project Unstructured

Project Project Project Evolution of project Structured Collaborative Project Unstructured

Alain Fournier Presentation: Project Management Tools for Increasing Project Success! Alain is a Project and Portfolio Management Solutions Executive with Microsoft Canada specializing in Cloud Productivity Solutions Have over 20 years of

428 views • 21 slides
evaluations An unsuccessful project? An unsuccessful project? An unsuccessful project? A

evaluations An unsuccessful project? An unsuccessful project? An unsuccessful project? A

Effective post project evaluations An unsuccessful project? An unsuccessful project? An unsuccessful project? A successful project? Agenda for today Who are LCMB? The context for post project evaluation The project lifecycle Post project

476 views • 32 slides
BPR4GDPR Project Presentation Project ID Project acronym: BPR4GDPR Project title:

BPR4GDPR Project Presentation Project ID Project acronym: BPR4GDPR Project title:

BPR4GDPR Project Presentation Project ID Project acronym: BPR4GDPR Project title: Business Process Re-engineering and functional toolkit for GDPR compliance Contract number: 787149 Funded under the H2020 call DS-08-2017

421 views • 22 slides
HIT MODERNIZATION PROJECT HHS // IHS HIT Modernization Project PROJECT PURPOSE The HHS IHS HIT

HIT MODERNIZATION PROJECT HHS // IHS HIT Modernization Project PROJECT PURPOSE The HHS IHS HIT

HHS // IHS HIT MODERNIZATION PROJECT HHS // IHS HIT Modernization Project PROJECT PURPOSE The HHS IHS HIT Modernization Project is sponsored by the U.S. Department of Health and Human Services Office of the Chief Technology Officer (HHS OCTO)

712 views • 13 slides
NORTH FORK BIOENERGY PROJECT PROJECT STATUS Project Overview Project Team and Organization

NORTH FORK BIOENERGY PROJECT PROJECT STATUS Project Overview Project Team and Organization

2 nd Annual Rural Community Development Initiative Capacity Building and Wood Utilization Workshop NORTH FORK BIOENERGY PROJECT PROJECT STATUS Project Overview Project Team and Organization Major Milestones Accomplishments

631 views • 12 slides
2013 Project Excellence Awards Project Requirements In-house design project Project

2013 Project Excellence Awards Project Requirements In-house design project Project

2013 Project Excellence Awards Project Requirements In-house design project Project constructed or near completion Judging Criteria Unique design considerations Constructability Post-construction performance Stakeholder

682 views • 29 slides
This project goes under eight different steps. This project goes under eight different steps.

This project goes under eight different steps. This project goes under eight different steps.

This project goes under eight different steps. This project goes under eight different steps. Chapter One: The first step is about narrating some facts, by which my project and research were based on. Egypt is located in north east africa,

690 views • 46 slides
Agenda 1. Introductions 2. Sign-in 3. Project Location 4. Project Background 5. POE

Agenda 1. Introductions 2. Sign-in 3. Project Location 4. Project Background 5. POE

Agenda 1. Introductions 2. Sign-in 3. Project Location 4. Project Background 5. POE Drainage Alternatives 6. Project Benefits 7. Open Forum 8. Adjourn Project Location Project Background ASCG Inc. completed a Project Development

321 views • 15 slides
Trees Algorithms CSE 373 SU 18 BEN JONES 1 Announcements - Project 3 Due Tonight - Project

Trees Algorithms CSE 373 SU 18 BEN JONES 1 Announcements - Project 3 Due Tonight - Project

Minimum Spanning Data Structures and Trees Algorithms CSE 373 SU 18 BEN JONES 1 Announcements - Project 3 Due Tonight - Project 4 Assigned Today - Same partners as project 3 - We will re-run project 3 grading on project 4, just like the

704 views • 59 slides
Presentation Agenda Project History/Background Project Overview Current Project Status

Presentation Agenda Project History/Background Project Overview Current Project Status

Presentation Agenda Project History/Background Project Overview Current Project Status Project Opportunities 1 1 Pre-Solicitation Conference June 2018 www.newnicebridge.com 2 Welcome and Introductions Project Team MDTA

776 views • 38 slides
1 We will begin with some background information on the project. We will then talk about why we

1 We will begin with some background information on the project. We will then talk about why we

Welcome. My name is Mark Frechette. I am the project director for the New York State Department of Transportations (NYSDOT) I 81 Viaduct Project. Thank you for being here tonight. The project team has been working hard and we are excited to

548 views • 39 slides
Ambiguity Interactive Activation and Competition model (McClelland &amp; Rumelhart, 1981) 1 / 1 3

Ambiguity Interactive Activation and Competition model (McClelland &amp; Rumelhart, 1981) 1 / 1 3

Ambiguity Interactive Activation and Competition model (McClelland &amp; Rumelhart, 1981) 1 / 1 3 / 1 Letter font 2 / 1 4 / 1 Occluded letter features: W O R [R/K] Pseudoword superiority effect 5 / 1 7 / 1 Word superiority effect TRACE

306 views • 4 slides
Be#er IETF Presenta/ons 0 Goals Advice for people

Be#er IETF Presenta/ons 0 Goals Advice for people

Be#er IETF Presenta/ons 0 Goals Advice for people presen/ng internet-dra=s at an IETF mee/ng Improve the discussion to end up with be#er

401 views • 13 slides
Styles and Themes By T oma Vajngerl @CollaboraOffjce www.CollaboraOffjce.com Styles Styles

Styles and Themes By T oma Vajngerl @CollaboraOffjce www.CollaboraOffjce.com Styles Styles

Styles and Themes By T oma Vajngerl @CollaboraOffjce www.CollaboraOffjce.com Styles Styles Preview Added style manager for creating style previews Currently only for Character and Paragraph styles Used it in Styles &amp;

411 views • 18 slides
More Java Graphics Shape Classes: Face Check out Faces from SVN Finish Java Graphics: text and

More Java Graphics Shape Classes: Face Check out Faces from SVN Finish Java Graphics: text and

More Java Graphics Shape Classes: Face Check out Faces from SVN Finish Java Graphics: text and color new Ellipse2D.Double(double x, double y, double w, double h) new Line2D.Double(double x1, double y1, double x2, double y2) new

369 views • 8 slides
Identity, Security and Privacy: Mobile Web Payments Giri Mandyam March 25, 2014 W3C Web

Identity, Security and Privacy: Mobile Web Payments Giri Mandyam March 25, 2014 W3C Web

Open Source Open Possibilities Identity, Security and Privacy: Mobile Web Payments Giri Mandyam March 25, 2014 W3C Web Payments Workshop Open Source Open Possibilities PAGE 1 Mobile Web Payments - Legacy Premium SMS still popular

218 views • 7 slides
Searches for new physics with unconventional signatures at ATLAS and CMS Kevin Pedro (FNAL) on

Searches for new physics with unconventional signatures at ATLAS and CMS Kevin Pedro (FNAL) on

FERMILAB-SLIDES-19-013-PPD Searches for new physics with unconventional signatures at ATLAS and CMS Kevin Pedro (FNAL) on behalf of the ATLAS and CMS Collaborations March 26, 2019 This document was prepared by [ATLAS AND CMS Collabrations]

448 views • 34 slides
Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III 2016-02-02 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture II within this part of the course Background Statistics Statistics in user

1.49k views • 70 slides
Protecting Wi-Fi Beacons from Outsider Forgeries Mathy Vanhoef, Prasant Adhikari, and Christina

Protecting Wi-Fi Beacons from Outsider Forgeries Mathy Vanhoef, Prasant Adhikari, and Christina

Protecting Wi-Fi Beacons from Outsider Forgeries Mathy Vanhoef, Prasant Adhikari, and Christina Ppper WiSec, 9 July 2020. Background: beacons Wi-Fi networks use beacons to announce their presence They are sent every ~100 ms by an

713 views • 32 slides

More recommend