This document discusses detecting spoofing at internet exchange points (IXPs). It begins by providing background on Cloudflare and some statistics on their global network. It then discusses how spoofing allows very small requests to become large distributed denial of service (DDoS) attacks. The document outlines Cloudflare's IXPantiSpoofer script, which matches MAC addresses from an IXP to autonomous system (AS) numbers to detect spoofing. It encourages improving detection methods and argues that IXPs could help alert members to misconfigurations and isolate malicious traffic, improving security for all members.

1. Detecting Spoofing at IXPs
APRICOT 2018
Tom Paseka

2. About Cloudflare
Cloudflare makes websites faster and safer using our globally distributed network to
deliver essential services to any website
● Performance
● Content
● Optimisation
● Security
● 3rd party services
● Analytics

3. Some numbers...
● 100+ PoPs
● 50+ Countries
● 150+ Internet exchanges
● >400bn Web requests a day ~10% of all web requests
● Regular DDoS attacks larger than 500Gbps, 300M PPS

4. Spoofing?

5. Spoofing?
● A very small request becomes a very big attack
● Lots of focus on fixing the applications causing
the spoofing.
○ Not much on fixing the source of spoofing
Some of the projects:
● openntpproject.org
● openresolverproject.org
● bcp38.info

6. Spoofed Attacks - History that we’ve seen
When Nickname Type Volume
2011 SNMP Amp SNMP Amplification /
Reflection
80Gbps
2013 Spamhaus DNS Amplification /
Reflection
300Gbps
2014 "Winter of Attacks" Direct 400Gbps
2015 NTP Amp NTP Amplification /
Reflection
400Gbps+
2016 IoT Direct 500Gbps+

7. Why does this matter?

8. Spoofing Enables Impersonation

9. Why does spoofing
matter?
•This is my good friend
Walt Wollny
•Let’s say, he was
assaulted, but it was by
masked assailant
•Without removing the
mask, there can’t be legal
retribution
•Without attribution,
there can be no
discussion!

10. What about IXPs

11. Detecting Spoofing?
● Detecting spoofing can be challenging
● uRPF?
● Some Diagrams:

12. Where did the attack come from?

13. Where did the attack come from?

14. Detecting Spoofing
● Using flow (net, s, j, etc) it's easy to record
incoming interface
● Simple logic can determine if it’s spoofed:
An interface connected a hosting provider
is highly unlikely to have traffic from
Google IPs.

15. How about at an IXP?

16. How about at an IXP?

17. How about an IXP?
● OK, We can see the source interface on
our router, but there are hundreds of
possible sources on the other side.
● MAC addresses!

18. Enter some basic scripting!

19. sflowtool + my PHP = IXPantiSpoofer
# sflowtool -p 9888 -l | php sflow.php
defining AS-SETs to MAC matching
loading the IRR data into memory.
collecting flow data.....
Packet didnt match irr:
Source: 192.168.1.23,
Destination:104.16.23.235,
MAC:0ca4029f756a,
IRR SET:AS-SKYNETBE

20. IXP anti Spoofer
● Script does several things:
○ Takes input of ARP table from your router (as a text file)
○ Downloads that ASN’s IRR set with bgpq3 and aggregate
with aggregate/aggregate6 (manual step)
○ Receives sflow packets in text format from sflowtool
(https://github.com/sflow/sflowtool)
○ Matches MAC address to IRR set and checks if IP address
is member of IRR set.
● Code is here: https://github.com/tpaseka/IXPantiSpoofer

21. sflowtool + my awful PHP = IXPantiSpoofer
# sflowtool -p 9888 -l | php sflow.php
defining AS-SETs to MAC matching
loading the IRR data into memory.
collecting flow data.....
Packet didnt match irr:
Source: 192.168.1.23,
Destination:104.16.23.235,
MAC:0ca4029f756a,
IRR SET:AS-SKYNETBE

22. Make it better!
● Improve detection of spoofing.
● Code it properly, re-implement away from PHP
● Make it faster!
● Use better libraries (hint:
https://github.com/job/aggregate6 <3 Job)
● Collect metrics, draw pretty graphs
● IRR data isn’t 100%, but it's a first step.

23. Make it better!
● Get Cisco to support MAC address fields in
NetFlow v9
● Get Juniper to support MAC address fields
in IPFIX/jflow
● Can’t reiterate the above enough
● Please add this support!

24. Make it better!
Dear Cisco Juniper Other __________,
I require your software to support the following
feature(s)
MAC data in IPFIX/jflow/NetFlow v9/10
traceroute: IPv6 traceroute with as-number-lookup not
supported yet (Juniper ER: ER 28631)
These features are business requirements needed for me to
operate your product.

25. Make it better!
● Convince an IXP to run it!
● Huge value to report on spoofed traffic
● IXPs can help to alert members of
misconfiguration for spoofing
● For malicious members, these can be
stopped / isolated / disconnected
● Internet becomes a little bit better.

26. Make it better!
● I can already hear the IXPs saying “what
about privacy?!”
● This can be done in preprocessing, you
already process flow frames and this can
be added
● What might it look like?

27. Make it better!
<grafana of IXP traffic>

28. Make it better!
● Why stop here?
● IXPs can do further to help their members
● Further than source detection, look at
destination detection
● Transit-detection? See if someone is
sending a default to your port for free
transit.

29. Summary
● Data is easy to collect and available in many
cases already.
● Detection is simple.
● Identifying and stopping the source of spoofing
greatly improves the internet for everyone.
● IXPs might be able to offer better products too!

30. Questions ? Criticisms ? General Banter?

31. Thank you!