1. Controlling IP Spoofing via Inter-Domain
Packet Filters
Samuel Raju
Department of Information Technology
JNTU Kakinada University
2. IP Spoofing
• What is IP spoofing?
– The act of faking the source IP address of a packet
– Used by many DDoS attacks
• High-profile DDoS attack on root DNS servers
in early February 2006
[Figure: an attacker at node c sends attack traffic to node d with the source address forged as s; nodes s, a, b, c, d]
• Why does it remain popular?
– Hard to isolate attack traffic from legitimate traffic
– Hard to pinpoint the true attacker
– Many attacks rely on IP spoofing
• Man-in-the-middle attacks such as TCP hijacking/DNS poisoning
• Reflector-based attacks
3. Route-Based Packet Filters [PL01]
• Based on an observation
– Attackers can spoof the source address,
– But they cannot control the route packets take
• How it works
– Packets are only allowed on the best path from
source to destination
• Requirement
– Filters need to know global topology information
– Not available in a path-vector based Internet
routing system
• Our Objectives
– Is it possible to construct packet filters without global topology
information?
– If it is possible, what is the performance?
4. Internet Routing Architecture
• Consists of a large number of network domains
– Or Autonomous Systems (ASes)
– About 25,000 currently
• Three common AS relationships
– Provider-customer
– Peering
– Sibling
[Figure: example AS topology with nodes X, Y, A, B, C, D, E, F, G; X is the provider of A, and A and B are peers]
5. Internet Inter-Domain Routing
• Border Gateway Protocol (BGP), a policy-based routing protocol
– Import policies
• Which route is more preferred
– Route selection
• Which route should be chosen as the best route
– Export policies
• To which neighbors should I announce the best route
• AS relationships determine routing policies
A net effect of routing policies is that
they limit the possible paths between each AS pair.
6. Topological Routes vs. Feasible Routes
• Topological routes
– Loop-free paths between a pair of nodes
• Feasible routes
– Loop-free paths between a pair of nodes that do not violate routing policies
[Figure: example network with nodes s, a, b, c, d; s attaches to a and b, and a, b, c, d are connected to one another]
Topological routes (10): sad, sbd, sabd, sacd, sbad, sbcd, sabcd, sacbd, sbacd, sbcad
Feasible routes (2): sad, sbd
7. Assumptions on Import/Export Policies
• Import policies
– Prefer routes learned from a customer or sibling over routes learned from a provider or peer
• Export policies
– Routes learned from a provider or peer are not announced to another provider or peer
(a customer does not provide transit to its provider; a peer does not provide transit to another peer)
• These policies are commonly used on the current Internet
8. Inter-Domain Packet Filters (IDPF)
• Filtering packets based on feasible routes
– Packets can only travel on feasible routes from s to d
• Inferring feasible routes
– If u is a feasible upstream neighbor of v for packet M(s, d),
node u must have exported to v its best route to reach s.
9. Constructing IDPF
• Node v accepts packet M(s, d) forwarded by node u
if and only if
– u has exported to v its best route to reach s
• IDPFs allow traffic to go through any feasible route
– Correct in that they do not drop valid packets
– May affect the performance compared to route-based
filtering
10. Performance
• IDPF has two effects
– Reducing the number of prefixes that can be spoofed
– Localizing the true source of spoofed packets
• Because IDPF permits a set of feasible paths instead of the one best
route, its performance will not be as good as the ideal
route-based packet filters [PL01]
11. Performance Metrics [PL01]
• VictimFraction(τ)
– Proportion of ASes that, if attacked, the attacker can at most spoof the addresses of τ ASes, no matter where the attacker is.
– Effectiveness of IDPFs in protecting ASes against spoofing attacks
– VictimFraction(1): immunity to all spoofing attacks
• AttackFraction(τ)
– Proportion of ASes from which an attacker can forge the addresses of at most τ ASes, no matter where the victim is.
– Effectiveness of IDPFs in limiting the spoofing capability of attackers
– AttackFraction(1): fraction of ASes from which an attacker cannot spoof other ASes' addresses
• VictimTraceFraction(τ)
– Proportion of ASes being attacked that can localize the true origin within τ ASes.
– Effectiveness of IDPFs in reducing traceback efforts
– VictimTraceFraction(1): fraction of ASes that can trace spoofed traffic to its true origin (AS)
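The feasible-route check of slide 6, the IDPF table of slides 8 and 9, and the three metrics of slide 11 can all be exercised on the five-node example network. The Python model below is an added example, not code from the slides or from the INFOCOM 2006 paper. It builds the slide-6 graph, enumerates the topological routes, marks the feasible ones under the slide-7 policies, runs policy-based route selection to obtain, for every AS, the neighbours that exported to it their best route to each source (the IDPF table), and then computes AttackFraction, VictimFraction and VictimTraceFraction for a chosen set of IDPF-deploying ASes (which, as on slide 13, also perform ingress filtering). The function names, the tie-breaks (shorter AS path, then lowest neighbour name), the treatment of sibling links, and the metric conventions (attacker and victim are distinct; the spoofable set counts the attacker's own address; the traceback candidates for a claimed source exclude that source) are assumptions of this example.

```python
"""Toy model of feasible routes, IDPF tables and the [PL01] metrics.  Added
example, not code from the slides or the INFOCOM 2006 paper; the graph is the
slide-6 one, tie-breaks, sibling handling and metric conventions are assumed."""
PREF = {'cust': 0, 'sib': 0, 'peer': 1, 'prov': 1}   # slide-7 import policy
# REL[u][v] says what neighbour v is to u.  Constructed toy graph from slide 6:
# a, b, c, d peer with one another; a and b are providers of s.
REL = {x: {} for x in 'sabcd'}
for cust, prov in [('s', 'a'), ('s', 'b')]:
    REL[cust][prov], REL[prov][cust] = 'prov', 'cust'
for x, y in [('a', 'b'), ('a', 'c'), ('a', 'd'), ('b', 'c'), ('b', 'd'), ('c', 'd')]:
    REL[x][y] = REL[y][x] = 'peer'

def topological_routes(rel, src, dst):
    """All loop-free paths from src to dst, as strings such as 'sabd'."""
    out = []
    def walk(node, path):
        if node == dst:
            out.append(''.join(path))
            return
        for nxt in sorted(rel[node]):
            if nxt not in path:
                walk(nxt, path + [nxt])
    walk(src, [src])
    return out

def is_feasible(rel, path):
    """Valley-free check: up to providers, at most one peer hop, then down."""
    phase = 0                          # 0 climbing, 1 after peer hop, 2 descending
    for u, v in zip(path, path[1:]):
        kind = rel[u][v]
        if kind == 'sib':              # sibling hops allowed anywhere (assumption)
            continue
        if kind in ('prov', 'peer') and phase != 0:
            return False               # a customer or peer would be giving transit
        phase = {'prov': 0, 'peer': 1, 'cust': 2}[kind]
    return True

def may_export(rel, u, learned_from, v):
    """Slide-7 export policy: provider/peer routes go only to customers/siblings."""
    if learned_from is None or rel[u][learned_from] in ('cust', 'sib'):
        return True                    # own or customer route: announce to everyone
    return rel[u][v] in ('cust', 'sib')

def bgp(rel, dst):
    """Policy-based selection for dst: best[v] = v's AS path, exports[v] = the
    neighbours that announced their best route to v (what an IDPF at v needs)."""
    best, learned = {dst: (dst,)}, {dst: None}
    for _ in range(100):               # converges in a few rounds on this graph
        cand = {}
        for u, path in best.items():
            for v in rel[u]:
                if v in path or not may_export(rel, u, learned[u], v):
                    continue           # v's loop check would reject it anyway
                key = (PREF[rel[v][u]], len(path) + 1, u)
                if v not in cand or key < cand[v][0]:
                    cand[v] = (key, (v,) + path, u)
        new_best, new_learned = dict(best), dict(learned)
        for v, (_, path, u) in cand.items():
            if v != dst:
                new_best[v], new_learned[v] = path, u
        if new_best == best:
            break
        best, learned = new_best, new_learned
    exports = {v: set() for v in rel}
    for u, path in best.items():
        for v in rel[u]:
            if v not in path and may_export(rel, u, learned[u], v):
                exports[v].add(u)
    return best, exports

def idpf_tables(rel):
    """routes[dst][v] = v's path to dst; tables[src][v] = accepted upstreams."""
    runs = {x: bgp(rel, x) for x in rel}
    return {x: r for x, (r, _) in runs.items()}, {x: e for x, (_, e) in runs.items()}

def idpf_accepts(tables, v, u, src):
    """Slide 9: accept from u iff u exported to v its best route to src."""
    return u in tables[src][v]

def spoofable(rel, routes, tables, deployed, attacker, victim):
    """Addresses (its own included) attacker can claim in packets reaching victim."""
    if attacker in deployed:           # ingress filtering: own addresses only
        return {attacker}
    path = routes[victim].get(attacker, ())   # attacker cannot pick the route
    return {src for src in rel if path and all(
        w not in deployed or idpf_accepts(tables, w, u, src)
        for u, w in zip(path, path[1:]))}

def metrics(rel, deployed, tau=1):
    """(AttackFraction, VictimFraction, VictimTraceFraction) at tau over attacker
    != victim; trace candidates for claimed src are ASes other than src."""
    routes, tables = idpf_tables(rel)
    nodes = sorted(rel)
    spoof = {(a, v): spoofable(rel, routes, tables, deployed, a, v)
             for a in nodes for v in nodes if a != v}
    attack = [max(len(spoof[a, v]) for v in nodes if v != a) <= tau for a in nodes]
    victim = [max(len(spoof[a, v]) for a in nodes if a != v) <= tau for v in nodes]
    trace = [max(len({a for a in nodes if a not in (v, src) and src in spoof[a, v]})
                 for src in nodes) <= tau for v in nodes]
    return tuple(sum(x) / len(nodes) for x in (attack, victim, trace))

if __name__ == '__main__':
    paths = topological_routes(REL, 's', 'd')
    print([p for p in paths if is_feasible(REL, p)], metrics(REL, {'a', 'b'}))
```

On this graph the filter at d accepts packets claiming source s only from a or b, exactly the two feasible upstreams of slide 6. With no deployment every attacker can spoof all five ASes. With IDPF (plus ingress filtering) at a and b, an attacker in c can still spoof everything towards d and vice versa, because the c-d link is not watched by any filter, so AttackFraction(1) and VictimFraction(1) are both 0.6; covering every link, which is what the vertex cover placement of slide 13 does, closes that gap: adding c to the deployment brings all three metrics to 1 on this toy graph.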
12. Data Sets
• 4 AS graphs from the BGP data archived by the
Oregon Route Views Project.
13. Experimental Settings
• Determine the feasible paths from the BGP update logs.
• Use the shortest path as the route (added to the feasible
paths if the shortest path is not already one)
• Selecting nodes that deploy IDPF
– Random (rnd30/rnd50)
– Vertex cover (VC)
– Unless mentioned otherwise, IDPF nodes also perform network
ingress filtering.
14. VictimFraction (G2004c)
• Effectiveness of IDPFs in protecting ASes from spoofing
attacks
– VictimFraction(1) is zero unless all nodes support IDPFs
– It is very hard to protect ASes from all spoofing attacks
15. AttackFraction (G2004c)
• Effectiveness of IDPFs in limiting the spoofing capability
of attackers
– AttackFraction(1) = 80.8%, 59.2% and 36.2% for the three IDPF placements, respectively
– IDPFs are very effective in limiting spoofing capability
16. VictimTraceFraction (G2004c)
• Effectiveness of IDPFs in reducing traceback effort
– VictimTraceFraction(28) = 1: all ASes can localize attackers
to at most 28 ASes for the VC IDPF placement
20. Summary
• We proposed an Inter-Domain Packet Filters (IDPF)
architecture and studied its performance.
• IDPF can effectively limit the spoofing capability of
attackers even when partially deployed, and improves
the accuracy of IP traceback.
• More performance studies in
– "Constructing Inter-Domain Packet Filters to Control IP
Spoofing Based on BGP Updates", INFOCOM 2006
– And its TR version
21. Routing Policy Complications
• Some ASes do not follow the import/export policies
assumed in IDPFs
– Requiring restricted traffic forwarding to work with IDPFs
22. Impact of Routing Dynamics
• IDPFs work well with dynamics caused by network
failure events
• During routing dynamics caused by a new network
announcement (or recovery from a network failure),
IDPFs may drop valid packets and may also fail to
detect spoofed packets
– However, reachability information propagates much faster
than failure information
Editor's Notes
Today I will talk about a technique that is used to control IP spoofing. The technique is called inter-domain packet filtering.
Many DDoS attacks fake the source addresses of the attack traffic; this is called IP spoofing. For example, most recently, a high-profile DDoS attack on root DNS servers in early February 2006 used IP spoofing. The figure shows an example: an attacker in node c tries to attack node d, but claims the traffic is from node s by faking the source address of the attack traffic. Although there are many advanced techniques available to attackers, IP spoofing remains popular for a number of reasons. First, IP spoofing makes it very hard for the victim to distinguish attack traffic from legitimate traffic; attack traffic may appear to come from all around the world. Second, IP spoofing makes it hard to pinpoint the true origin of the attackers; many complicated traceback techniques have been proposed over the years. Third, and possibly most importantly, many attacks rely on IP spoofing. For example, man-in-the-middle attacks such as TCP hijacking and DNS poisoning require faking the source address, and reflector-based DDoS attacks also require faking the source address. So how should we control the IP spoofing problem?
One promising technique is route-based packet filtering. It is based on the following observation: although attackers can fake the source address of attack traffic, they cannot control the route that the attack packets take from the source to the destination. Based on this observation, route-based packet filters only allow packets to be forwarded along the best route from the source to the destination. If a packet appears at a router that is not on the best route from source to destination, the packet is believed to have a faked source address and is dropped by the filter. However, in order for a route-based packet filter to work correctly, it must know the best routes from any source to any destination; in principle, it needs to know the global topology information. Routing systems that employ a link-state routing protocol can satisfy this requirement. However, in routing systems that use distance-vector or path-vector protocols, this requirement cannot be satisfied. The current Internet uses a path-vector routing protocol, the Border Gateway Protocol (BGP); therefore, route-based packet filtering cannot be supported in the current Internet. In this work, we tried to answer a basic question: can we use a similar idea to construct packet filters without the requirement of global topology information? And if so, what is the performance of the packet filter?
First we need to introduce some basic background on Internet inter-domain routing. The Internet consists of a large number of network domains, or autonomous systems (ASes). ASes provide Internet access service to one another based on the relationships between them. Currently there are three major relationships on the Internet. The first one is the provider-customer relationship, where a customer pays a provider for carrying traffic to and from the customer. Normally providers are much larger than their customers. The second is the peering relationship, where two networks (two peers) agree to carry traffic from each other and their customers. Normally two peers are of similar size, and they do not pay each other. In the sibling relationship, two ASes provide transit service to each other. Normally two sibling ASes are under the same administrative domain, for example as a result of a company merger. In the figure, X is the provider of A. X guarantees that A (and its customers) can access the global Internet. A and B are in a peering relationship: A and B agree that they can access each other, but they do not provide global Internet access to each other.
On the Internet, ASes employ a common inter-domain routing protocol, the Border Gateway Protocol (BGP), to exchange reachability information with each other. It is important to note that BGP is a policy-based routing protocol, in the sense that the selection and propagation of routing information is constrained by AS relationships, or more specifically, by the import routing policies and export routing policies. When a domain receives routes to a destination from its neighbors, it first applies the so-called import policies to decide which routes are more preferred, and then it selects a single best route to the destination. Based on the export policies, the network determines to which neighbors the best route should be announced. Note that the routing policies are determined by the AS relationships. For example, the following table shows the common routing policies employed on the Internet. Look at the column marked "r1". It states how routes should be announced from a customer to a provider: routes learned from a provider or peer should not be announced to another provider. Essentially, this export routing policy says that a customer should not provide transit service to its provider, and a peer should not provide transit service to another peer. Importantly, a net effect of the routing policies is that they limit the possible paths between each AS pair, or source/destination pair.
To see this more clearly, we compare the topological routes and feasible routes between a source and a destination on the Internet. In the figure, each node represents a single AS. We call a loop-free path between a pair of nodes a topological route. Topological routes are determined by the network topology. We call a topological route a feasible route if the construction of the route does not violate the routing policies imposed by the AS relationships. Consider the example network. It is easy to check that there are 10 topological routes from source s to destination d. However, only two of these routes are feasible, assuming a, b, c and d have mutual peering relationships, and a and b are providers of s. To see this, simply note that c is not a provider of either s or d, so c should not forward any packets from s to d; likewise, the routes s-a-b-d and s-b-a-d would require b (respectively a) to carry traffic between two of its peers, which the export policy forbids.
More specifically, we assume that all ASes follow the following import and export routing policies. The import routing policy simply states that an AS will prefer a route learned from a customer or sibling over routes learned from a provider or peer. The export routing policies are the same as before. Note that these import and export routing policies are commonly used on the current Internet.
Now we can present the basic idea of inter-domain packet filtering, IDPF. IDPF filters packets based on feasible routes, that is, the routes that are constrained by routing policies. Essentially, packets from a source to a destination can only travel along the feasible routes. Now the question is: can a BGP router infer the upstream router along a feasible route? Fortunately, it can, as shown in the following lemma. In principle, the lemma states that if u is the upstream neighbor of v along a feasible route from source s to destination d, then u must have exported to v its best route to reach s. We note that this does not impose symmetric routing on the Internet; that is, the route from s to d and the route from d to s can be different.
In summary, IDPF works as follows. Node v accepts a packet claiming to be from s and destined to d, forwarded by neighbor u, if and only if u has exported to v its best route to the source s. Given that the best route from a source to a destination is one of the feasible routes, we know that IDPF is correct in that it will not drop valid packets. However, it is also clear that IDPF is less powerful than route-based packet filters.
Next we will study the performance of IDPFs. Before we present the details, we summarize the effects of IDPFs. IDPFs help limit the spoofing capability of attackers. Even with partial deployment of IDPFs on the Internet, attackers in a large fraction of ASes cannot spoof the IP addresses of other ASes. When a spoofed packet cannot be stopped, IDPFs help to localize the true source of the packet to within a small number of ASes. However, as we have discussed, IDPFs are slightly less effective in filtering spoofed packets compared to the ideal route-based packet filters.
We use the same set of performance metrics as introduced in [PL01] to study the performance of IDPFs. VictimFraction(τ): the proportion of ASes that, if attacked, the attacker can at most spoof the addresses of τ ASes, no matter where the attacker launches the attack. It illustrates the effectiveness of IDPFs in protecting ASes against spoofing-based attacks. In particular, VictimFraction(1) is the fraction of ASes being attacked for which, no matter where the attacker launches the attack, the attacker cannot spoof other ASes' IP addresses. AttackFraction(τ): the fraction of ASes from which an attacker can forge the addresses of at most τ ASes, no matter where the victim is. It shows the effectiveness of IDPFs in limiting the spoofing capability of attackers. In particular, AttackFraction(1) is the fraction of ASes from which an attacker cannot forge other ASes' addresses, no matter where the victim is. VictimTraceFraction(τ): the fraction of ASes being attacked that can localize the true origin to within at most τ ASes, no matter where the attacker is.