
Three Years in the Life of the Spoofer Project: Matthew Luckie, Ken Keys, Ryan Koga, Robert Beverly, kc claffy (slides)



  1. Three Years in the Life of the Spoofer Project. Matthew Luckie, Ken Keys, Ryan Koga, Robert Beverly, kc claffy. https://spoofer.caida.org/ WTMC, August 20th 2018

  2. Pitch • Measurement enables solutions to fundamentally non-technical security problems - Peer pressure - Industry standards (common practices) - Regulation • Whatever the solution is, it cannot be effective without rigorous, publicly observable measurement

  3. Flashback: WTMC 2016 keynote “There has never been a greater need for comprehensive Internet metrics than now. Even basic security-critical facts about the Internet, such as ‘How many systems are botted?’ or ‘What networks still don’t do Source Address Validation?’ remain murky and poorly quantified.”

  4. Why does SAV matter? • Attacker sends packet with spoofed source IP address • Receiver cannot always know if packet’s source is authentic [Figure: Volumetric Reflection-Amplification Attack. Attacker A sends request packets with a small payload (src V, dst R) to Receiver R; R sends response packets with a large payload (src R, dst V) to Victim V]

  5. Why does SAV matter? • Lack of filtering allows anonymous denial of service attacks. • Example: CloudFlare reports 400Gbps attacks on their systems through 2016; GitHub a 1.7Tbps attack in 2018 [Chart: attack size, 80Gbps to 400Gbps, Feb 7 to Feb 25] https://blog.cloudflare.com/a-winter-of-400gbps-weekend-ddos-attacks/

  6. Why does SAV matter? • Lack of filtering allows anonymous denial of service attacks. • Example: CloudFlare reports >1K DoS attack events on their systems, per day, starting Feb 2016 [Chart: DoS attack events per day, 200 to 1.4K, Oct through Mar] https://blog.cloudflare.com/a-winter-of-400gbps-weekend-ddos-attacks/

  7. Why does SAV matter? • Impossible to prevent people from accidentally opening up new amplification vectors, or attackers using them • We must instead make the infrastructure resilient to these natural human tendencies - 2013 DNS: 300 Gbps against Spamhaus - 2014 NTP: 400 Gbps against Cloudflare - 2018 memcached: 1.7 Tbps attack against GitHub • Not enough to just measure SAV deployment; need to encourage remediation and change in behavior

  8. Defenses • BCP38: Network ingress filtering: defeating denial of service attacks which employ IP source address spoofing - https://tools.ietf.org/html/bcp38 - May 2000 • BCP84: Ingress filtering for multi-homed networks - https://tools.ietf.org/html/bcp84 - March 2004 - Not always straightforward to deploy “source address validation” (SAV): BCP84 provides advice on how to deploy

  9. The Spoofer Project • A DHS-funded crowd-sourced effort (2015-present) to measure SAV deployment in the Internet - Project started by Robert Beverly while an MIT student (2005) - Measures ISP filtering practices for packets with spoofed source IP addresses • An important security issue in the Internet to measure, but a project that faces incentive issues everywhere https://spoofer.caida.org/

  10. Incentive Issues everywhere • Incentive-incompatible problem for - Research Community - Crowd-sourcing Volunteers - Network Operators - Funding Agencies

  11. Incentive Issues: Research Community • SAV measurement has a high cost of entry compared to measuring DNSSEC deployment, or TLS properties • SAV requires a vantage point in a network of interest • Hard to get an Internet-wide sample to publish on SAV • Inevitable questions about sample bias

  12. Incentive Issues: Volunteers • To obtain an Internet-wide view, we rely on volunteers installing measurement software on their computer • Few volunteers are likely to have been the victim of an attack relying on the ability to spoof, or could individually contribute in a significant way “If we want the public to embrace Internet measurement activities, they will need to be made aware of its importance, and the potential role that the public can play in collecting and reporting data using standardized tools.” — Paul Vixie, WTMC 2016

  13. Incentive Issues: Network Operators • Deploying source address validation is primarily for the benefit of other networks • Incentive not clear for some networks - majority of networks do seem to deploy filtering - filtering gives an operator the moral high ground to pressure other networks to deploy, which does benefit the operator - “Cyber Insurance” takes into account the security practice of the network • ISOC RoutingManifesto.org: Mutually Agreed Norms for Routing Security (MANRS)

  14. Incentive Issues: Funding Agencies • SAV is a global problem; typically individual governments provide funding obtained from their nation’s taxpayers • A project needs to have impact to continue to receive funding • Limited commercialization opportunities for SAV measurement • A public-health class of task, but computer security has nothing equivalent to public health

  15. Three Years in the Life of Spoofer • Data Collection: we built a new software system for collecting crowd-sourced SAV measurements • Data Reporting: we built a public-facing website for reporting test outcomes • Remediation: we privately contact network operators, and send geographically-scoped emails to network operator mailing lists

  16. Spoofer: Client/Server Overview [Diagram: Spoofer Client and Server joined by a TCP control connection; spoofed packets sent between Client, Server and CAIDA Ark Vantage Points; Server writes results to Database]

  17. Spoofer Client Overview • Client tests ability to spoof packets of different types - Routed and Private addresses - IPv4 and IPv6 - Leaving and Entering the network hosting the client • traceroute to infer forward path to destinations • tracefilter to infer first location of filtering in a path - traceroute but with spoofed packets • Filtering prefix granularity: how many addresses in the same network prefix can be spoofed?
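The “filtering prefix granularity” question on this slide, worked through as an added example (not the Spoofer client’s code). It assumes the client spoofs a neighbour address sharing exactly N leading bits with its own address for a range of N, and infers the filter’s granularity as the coarsest block from which a spoofed packet still reached the server; the client address, the permitted block and the simulated filter are constructed.

```python
"""Filtering prefix granularity: how far from its own address can a client
spoof before the network's SAV filter drops the packet?

Added example, not the Spoofer project's code.  Inference rule assumed
here: the client spoofs a "neighbour" address sharing exactly N leading
bits with its real address for several N; the smallest N whose packet
still reached the server is the granularity of the filter (anything in
that /N block is let through)."""
import ipaddress


def neighbour_address(client_ip, shared_bits):
    """Return the address that shares exactly `shared_bits` leading bits
    with client_ip: flip the first bit after the shared prefix."""
    ip = ipaddress.ip_address(client_ip)
    if not 0 <= shared_bits < ip.max_prefixlen:
        raise ValueError("shared_bits must be shorter than the address")
    flip = 1 << (ip.max_prefixlen - shared_bits - 1)
    return ipaddress.ip_address(int(ip) ^ flip)


def simulate_neighbour_tests(client_ip, permitted_block, shared_bits_list):
    """Constructed stand-in for the network under test: a filter that
    permits any source inside `permitted_block` and drops the rest.
    Returns {shared_bits: received} as the server would observe it."""
    block = ipaddress.ip_network(permitted_block)
    return {n: neighbour_address(client_ip, n) in block
            for n in shared_bits_list}


def infer_filter_granularity(results):
    """results: {shared_bits: received}.  The coarsest block from which a
    spoofed packet still arrived is the filter's granularity; None means
    every spoofed packet was dropped (filtering at the host address)."""
    passed = [n for n, received in results.items() if received]
    return min(passed) if passed else None


if __name__ == "__main__":
    # Constructed scenario: client at 192.0.2.77 behind a filter that only
    # checks the first 20 bits of the source address.
    r4 = simulate_neighbour_tests("192.0.2.77", "192.0.0.0/20", range(8, 32))
    print("IPv4 filter granularity: /%s" % infer_filter_granularity(r4))  # /20
```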

  18. Spoofer Client Overview • opt-in to publicly share anonymized results, and opt-in to share unanonymized results for remediation • Automatically tests networks the host is attached to, once per week, by running in the background • GUI to browse test results from your host, and schedule tests • Speed improvements through parallelized probing https://spoofer.caida.org/

  19. Spoofer Client GUI • Signed installers: MacOS, Windows, Linux • Open source, C++

  20. Client/Server Deployment • Since releasing the new client in May 2016, increasing trend of more tests (yellow line) - Benefit of system running in background

  21. Client/Server Deployment • Peak coincided with experiments by Qasim Lone et al. when they solicited work through Amazon Turk and similar platforms - TMA 2018 paper

  22. Spoofer Reporting Engine • Publicly shows outcomes of sharable tests • Allows users to select outcomes • per country: which networks in a country need attention? • per ASN: which subnets need attention? • per provider: which of my BGP customers can spoof? • What address space does an AS announce, or could act as transit for? Is that address space stable? • Useful for deploying ACLs https://spoofer.caida.org/

  23. Reporting Engine: Recent Tests [Screenshot]

  24. Reporting Engine: Recent Tests Able to break down by country, perhaps useful for regional CERTs. In this case US-CERT.

  25. Reporting Engine: Recent Tests Addresses anonymized: IPv4 /24, IPv6 /40

  26. Reporting Engine: Recent Tests NATs behave differently: some may block spoofed traffic; some uselessly rewrite; some do not rewrite and pass spoofed packets

  27. Reporting Engine: Recent Tests Some spoofing from behind a NAT prevented by egress filtering

  28. Reporting Engine: Recent Tests Some networks may have deployed IPv4 filtering, but forgotten to deploy IPv6 filtering
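The three NAT behaviours of slide 26, the egress-filtered case of slide 27 and the IPv4-only filtering of slide 28, classified from what the server side can observe (added example, not the project’s code). It assumes the server knows the source the client tried to spoof, the source it actually received (or none) and the client’s public address from the TCP control connection; the addresses and outcome labels are constructed.

```python
"""Server-side view of one spoofed probe: the client reports the source it
wrote into the packet; the server records the source it actually saw, or
nothing if the packet never arrived.  Added example, not Spoofer's code;
the outcome labels are constructed for this illustration."""
import ipaddress

BLOCKED = "blocked"        # never arrived: dropped by the NAT or an egress filter
PASSED = "passed"          # arrived with the spoofed source intact
REWRITTEN = "rewritten"    # NAT replaced the source with its own public address
REWRITTEN_OTHER = "rewritten-other"  # arrived, but carrying some third address
# When a client sends several probes per family, the leakiest outcome wins.
PRECEDENCE = (PASSED, REWRITTEN_OTHER, REWRITTEN, BLOCKED)


def classify_probe(spoofed_src, observed_src, client_public):
    """client_public is the client's address on the TCP control connection,
    i.e. what a NAT in front of it would substitute for the spoofed source."""
    if observed_src is None:
        return BLOCKED
    observed = ipaddress.ip_address(observed_src)
    if observed == ipaddress.ip_address(spoofed_src):
        return PASSED
    if observed == ipaddress.ip_address(client_public):
        return REWRITTEN
    return REWRITTEN_OTHER


def summarize_client(probes):
    """probes: dicts with keys spoofed, observed, public.  Returns the outcome
    per address family (4/6) and a flag for the slide-28 case: IPv4 spoofing
    stopped (blocked or rewritten) while IPv6 spoofed packets pass."""
    outcomes = {}
    for p in probes:
        fam = ipaddress.ip_address(p["spoofed"]).version
        outcomes.setdefault(fam, set()).add(
            classify_probe(p["spoofed"], p["observed"], p["public"]))
    per_family = {fam: next(o for o in PRECEDENCE if o in seen)
                  for fam, seen in outcomes.items()}
    v6_gap = (per_family.get(4) not in (None, PASSED)
              and per_family.get(6) == PASSED)
    return per_family, v6_gap


# Constructed probes from one host behind a NAT that filters IPv4 only.
SAMPLE_PROBES = [
    {"spoofed": "203.0.113.5", "observed": "198.51.100.9", "public": "198.51.100.9"},
    {"spoofed": "10.1.2.3", "observed": None, "public": "198.51.100.9"},
    {"spoofed": "2001:db8:ffff::1", "observed": "2001:db8:ffff::1",
     "public": "2001:db8:1::10"},
]
```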

  29. IPv4 Spoofing: All Tests • 5K IPs tested per 30 days starting 2017 • 19% of tested ASes did not block spoofed packets • 5% of tested IPv4 blocks did not block spoofed packets

  30. IPv4 Spoofing: No NAT Tests • 600 to 700 IPs tested per 30 days starting 2017 • ~35% of tested ASes did not block spoofed packets • 15% of tested IPv4 blocks did not block spoofed packets

  31. IPv6 Spoofing • 1.5K to 2K IPs tested per 30 days starting 2017 • ~35% of tested ASes did not block spoofed packets • 15% of tested IPv6 blocks did not block spoofed packets
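How the “tested ASes” and “tested blocks” fractions on slides 29 to 31 come out of individual test outcomes, using the /24 and /40 anonymization of slide 25 and the per-country selection of slide 22 (added example, not the Spoofer reporting engine’s code; the records, AS numbers and countries are constructed).

```python
"""Roll shareable test outcomes up to the statistics on slides 29 to 31:
anonymize each tested address to /24 (IPv4) or /40 (IPv6) as the reporting
engine does, then count ASes and address blocks from which at least one
spoofed packet was not blocked, optionally restricted to one country.
Added example, not the Spoofer reporting engine; records are constructed."""
import ipaddress
from collections import defaultdict

ANON_PREFIX = {4: 24, 6: 40}   # published granularity per address family


def anonymize(addr):
    """Collapse a tested address to the /24 or /40 block it belongs to."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.ip_network((ip, ANON_PREFIX[ip.version]), strict=False)


def summarize(records, version, country=None):
    """records: dicts with ip, asn, country, blocked (True if the spoofed
    packet was blocked).  An AS or block counts as filtering only if every
    test from it was blocked, so one leaky host marks its whole AS."""
    as_filtering = defaultdict(lambda: True)
    block_filtering = defaultdict(lambda: True)
    for r in records:
        ip = ipaddress.ip_address(r["ip"])
        if ip.version != version or (country and r["country"] != country):
            continue
        as_filtering[r["asn"]] &= r["blocked"]
        block_filtering[anonymize(r["ip"])] &= r["blocked"]

    def not_filtering(d):   # fraction of keys with at least one unblocked test
        return round(sum(not v for v in d.values()) / len(d), 3) if d else 0.0

    return {"ases": len(as_filtering), "ases_not_filtering": not_filtering(as_filtering),
            "blocks": len(block_filtering), "blocks_not_filtering": not_filtering(block_filtering)}


# Constructed sample: two IPv4 hosts share one /24; the two IPv6 hosts sit in
# different /48s but the /40 anonymization folds them into a single block.
RECORDS = [
    {"ip": "192.0.2.10", "asn": 64500, "country": "US", "blocked": True},
    {"ip": "192.0.2.200", "asn": 64500, "country": "US", "blocked": False},
    {"ip": "198.51.100.7", "asn": 64501, "country": "US", "blocked": True},
    {"ip": "203.0.113.9", "asn": 64502, "country": "BR", "blocked": False},
    {"ip": "2001:db8:1::5", "asn": 64500, "country": "US", "blocked": False},
    {"ip": "2001:db8:2::5", "asn": 64501, "country": "US", "blocked": True},
]
```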

  32. Fraction of prefixes not filtering by country [Figure]

  33. Notifications and Remediation • Currently, we send notifications to abuse contacts of prefixes from which we received spoofed packets • We have also started to send geo-scoped emails to NOG lists https://spoofer.caida.org/remedy.php

  34. Notifications and Remediation [Screenshot: monthly email to NANOG, annotated with inferred remediation and inferred problems]

  35. Notifications and Remediation [Screenshot: monthly email to GTER (br), annotated with inferred remediation and inferred problems]

  36. Notifications and Remediation [Chart: cumulative notification emails (0 to 1400) and cumulative remediation inferences (0 to 300) by date sent, Jan ’16 to Oct ’18; annotated “Pause in notifications” and “Start monthly NOG emails”] Sent 1543 private notifications, 328 remediation inferences
