understanding the efficacy of deployed internet source
play

Understanding the Efficacy of Deployed Internet Source Address - PowerPoint PPT Presentation

Sep 18, 2022 •198 likes •686 views

Understanding the Efficacy of Deployed Internet Source Address Validation Filtering Robert Beverly, Arthur Berger (MIT), Young Hyun, k claffy (UCSD/CAIDA) ACM Internet Measurement Conference 2009 Spoofer Project Background Recent

  1. Understanding the Efficacy of Deployed Internet Source Address Validation Filtering Robert Beverly, Arthur Berger (MIT), Young Hyun, k claffy (UCSD/CAIDA) ACM Internet Measurement Conference 2009

  2. Spoofer Project • Background • Recent Relevance • Project Methodology • Results • Parting Thoughts 2

  3. Spoofed-Source IP Packets • Circumvent host network stack to forge or “spoof” source address of an IP packet • Lack of source address accountability a basic Internet weakness: – Anonymity, indirection [VP01], amplification • Security issue for more than two-decades [RTM85, SB89] • Still an attack vector? 3

  4. Circa 2004… IP source spoofing • Strong opinions doesn’t matter! from many: – Academic a) All providers filter b) All modern attacks use – Operational botnets c) Compromised hosts are – Regulatory behind NATs • …but only anecdotal data 4

  5. spoofer.csail.mit.edu • Internet-wide active measurement effort: – Quantify the extent and nature of Internet source address filtering – Understand real-world efficacy of available best- practice defenses – Validate common assumption of edge filtering • Began Feb. 2005 – Understand how filtering has evolved – Basis for driving design of more secure architectures 5

  6. Spoofer Project • Background • Recent Relevance • Project Methodology • Results • Parting Thoughts 6

  7. Prediction: spoofing increasingly a problem in the future • Spoofed traffic complicates a defenders job • Tracking spoofs is operationally difficult: – [Greene, Morrow, Gemberling NANOG 23] – Hash-based IP traceback [Snoeren01] – ICMP traceback [Bellovin00] Slide from SRUTI 2005 • Consider a 10,000 node zombie DDoS – Today (worst case scenario): if non-spoofing zombies are widely distributed, a network operator must defend against attack packets from 5% of routeable netblocks. – Future: if 25% of zombies capable of spoofing significant volume of the traffic could appear to come any part of the IPv4 address space • Adaptive programs that make use of all local host capabilities to amplify their attacks 7

  8. The Spoofing Problem (2009) • DNS Amplifier Attacks • DNS Cache Poisoning • In-Window TCP Reset Attacks • Bots that probe for ability to spoof • Spam Filter Circumvention • UW reverse traceroute • etc, etc… Can’t anticipate next attack employing IP spoofing 8

  9. The Operational Side • Arbor 2008 Infrastructure Survey: – “ Reflective amplification attacks responsible for the largest attacks (40Gbps) exploit IP spoofing ” – “ No bots were used in this attack. The attacker had a small number of compromised Linux boxes from which he’d launch the spoofed source DNS query ” • What’s an operator to do? 9

  10. Operational View • IETF BCP38 best filtering practice • But, not all sources created equal: Example Description Possible Source IP Defense IPv4 Address Space 192.168.1.1 RFC1918 Static ACL private harder 1.2.3.4 Unallocated Bogon Filters 6.1.2.3 Valid (In uRPF (loose/strict) BGP table) Client IP ⊕ (2 N ) Neighbor Switch, Spoof DOCSIS 10

  11. Operational View • We have defenses, what’s the problem? • BCP38 suffers from: – Lack of hardware support (see NANOG) – Global participation requirement – Management nightmare (edge filters) – Multi-homing, asymmetry, etc implies loose uRPF, implies little protection • This work: understand the real-world efficacy of these best practices 11

  12. Spoofer Project • Background • Recent Relevance • Project Methodology • Results • Parting Thoughts 12

  13. Spoofer Test • Willing participants run “spoofer” client to test policy, perform inference, etc. – Binaries, source publicly available – Useful diagnostic tool for many – Runs once, not an agent • Clients self-selecting – Understand population and potential bias 13

  14. Spoofer Test • Testing vulnerability of Internet to source spoofing, not prevalence of source spoofing (e.g. backscatter analysis) • Uses CAIDA’s Ark infrastructure to test many paths • Aggregate results, tomography, etc to form global picture of best-practices (BCP38) efficacy 14

  15. Archipelagio • Tied into CAIDA’s distributed measurement infrastructure (Ark) • ~40 nodes, globally distributed • Ark nodes act as IPv4/v6 spoof probe receivers 15

  16. Spoofer Operation spoofer server TCP Control Connection Client • Client confers with control server, receives test • (SRC, DST, HMAC, SEQ) probe tuples • Use TCP destination port 80 to avoid secondary filtering 16

  17. Distributed Probing spoofer server TCP Control Connection Client ark sjc-us Spoofed Source Packets ark her-gr ark san-us ark hlz-nz • Client sends HMAC keyed spoof probes to ark nodes • Includes ground-truth validation (non-spoofed) probes • UDP port 53 + random delay to avoid secondary filtering • Client runs traceroute to each ark node in parallel 17

  18. Distributed Probing spoofer server TCP Control Connection Client ark sjc-us Spoofed Source Packets ark her-gr ark san-us ark hlz-nz • Ark nodes publish to tuple space Ark Tuple Space • Server asynchronously picks up results • Run tracefilter (described next) • Return results to user via web report 18

  19. Outcome of a Probe • Blocked by OS: – Detect, revert to raw Ethernet • Hits a NAT along path: – Detect, exclude from results • Other blocking (proxy, congestion): – Detect, exclude from results • Blocked by source validation filter • Successfully received at Ark node 19

  20. Ark Enables Better Inferences Client R&E .mil Univ NZ Commercial MIT Univ ES 20

  21. Multiple Destinations • Blue line is bogon traffic, Red Valid, Green private • Greater inference power • Detect bogon filtering at multiple ASes R&E • Single server finds valid filtered; too coarse! .mil MIT Commercial Univ GR Univ NZ Univ FI 21

  22. Multiple Destinations • Metric of spoofability a path rather than a client • Allows inference on the complete AS graph • Better understanding of R&E where to employ spoofing defenses .mil MIT Commercial Univ GR Univ NZ Univ FI 22

  23. tracefilter • A tool for locating source address validation (anti-spoofing) filters along path • “traceroute for BCP38” • Better understand at finer granularity (router) who is/is not filtering 23

  24. tracefilter Client (c) spoofer server (S) • Client c works in conjunction with our server S 24

  25. tracefilter IP Src: s IP Dst: s+1 TTL: 2 Client (c) spoofer server (S) • c sends spoofed packet with: • ttl=x, src=S, dst=S+1 for 0<x<pathlen 25

  26. tracefilter IP Src: rtr IP Dst: s ICMP TTL exceeded Client (c) spoofer server (S) • S receives ICMP expiration messages from routers along path • For each decoded TTL, S records which spoofed packets are received 26

  27. tracefilter IP Src: s IP Dst: s+1 TTL: 3 Client (c) spoofer server (S) • Increase TTL, repeat • Largest TTL indicates filtering point 27

  28. tracefilter • How can S determine originating TTL of c ’s packets? • ICMP echo includes only 28 bytes of expired packet • c encodes TTL by padding payload with zeros IP UDP Payload x Probe : SRC: S TTL: x SRC: SessID DST: 53 DST: S+1 0 ICMP IP UDP Echo Type: TTL Response : SRC: S DST: S+1 TTL: 0 SRC: SessID Len: 8+x Exceeded 28

  29. Spoofer Project • Background • Recent Relevance • Project Methodology • Results • Parting Thoughts 29

  30. Client Population Slashdot! Advertised to NANOG, dshield, etc. mailing lists 30

  31. Sample Bias • Obtain general population using 20.8M unique IPs from random topology traces • Use NetAcuity for geolocation, descriptive statistics • Aggregate general population into /24s to eliminate non-homogenous poperties 31

  32. Comparing Populations • Evaluate Bias: – Country, speed, organization type, etc. • Continent Analysis Continent Population Measurement Set N. America 37% 36% Europe 29% 33% Asia 28% 17% S. America 4% 4% Oceania 1% 2% Africa 0.5% 6% 32

  33. Client Population Distribution • ~12,000 unique tests • 132 countries present in data set • Don’t claim zero bias • Do claim diverse and representative 33

  34. Questions • Are there filtering variations among paths? • What filtering methods are used? • Where in network is source validation? • Granularity of filtering? • How vulnerable is the Internet? • How has filtering evolved over >4 years? 34

  35. Path-based Filtering Variation? 35

  36. Surprising variation Path Variation among bogon and private sources: filtering deeper in-network Valid source probes reach either none (~67%) or all receivers: edge filtering 36

  37. Where is source validation? • tracefilter results: • 70% of filters at 1 st hop; 81% within first two hops 37

  38. tracefilter Results • 70% of filters at 1 st hop; 81% within first two hops • 97% of filters within first AS 38

  39. tracefilter Results • 70% of filters at 1 st hop; 81% within first two hops • 97% of filters within first AS If a spoofed packet passes through first two hops, likely to travel unimpeded to destination 39

Recommend

When can field trials contribute practically to understanding of efficacy (and when do they not?)

When can field trials contribute practically to understanding of efficacy (and when do they not?)

When can field trials contribute practically to understanding of efficacy (and when do they not?) Professor James Wood Disease Dynamics Unit, Dept Veterinary Medicine and Interdisciplinary Research Centre in Infectious Diseases University of

141 views • 13 slides
Understanding the Understanding the Bios/Photos Internet Internet Law School Event

Understanding the Understanding the Bios/Photos Internet Internet Law School Event

5/3/2004 Announcements U.S. National Cybersecurity Axess U.S. National Cybersecurity Forum Understanding the Understanding the Bios/Photos Internet Internet Law School Event William J. Perry Martin Casado Keith

240 views • 10 slides
Understanding Educators Self-efficacy, Compassion Fatigue, and School Connectedness During the

Understanding Educators Self-efficacy, Compassion Fatigue, and School Connectedness During the

Understanding Educators Self-efficacy, Compassion Fatigue, and School Connectedness During the COVID-19 Pandemic Chunyan Yang, Ph.D. Graduate School of Education University of California, Berkeley Alberti Center for Bullying Abuse

847 views • 49 slides
A Deployed Analyst A Deployed Analyst in in The Vietnam War The Vietnam War E. B. Vandiver

A Deployed Analyst A Deployed Analyst in in The Vietnam War The Vietnam War E. B. Vandiver

A Deployed Analyst A Deployed Analyst in in The Vietnam War The Vietnam War E. B. Vandiver III 24 August 2007 1 Purpose Relate the experiences of a deployed analyst during the Vietnam War in the late 1960s. Compare the experience

643 views • 42 slides
Understanding Internet Focus Institutions [Session 6] Theresa Swinehart General Manager, Global

Understanding Internet Focus Institutions [Session 6] Theresa Swinehart General Manager, Global

Understanding Internet Focus Institutions [Session 6] Theresa Swinehart General Manager, Global Partnerships ICANN ITU Workshop on Internet Governance Geneva, 26-27 February 2004 The Internet Arpa Network September 1969 The Internet -

371 views • 18 slides
I Want My Internet TV Understanding IPTV Performance in Residential Broadband Environments Colin

I Want My Internet TV Understanding IPTV Performance in Residential Broadband Environments Colin

I Want My Internet TV Understanding IPTV Performance in Residential Broadband Environments Colin Perkins What is Internet TV? Television service delivered using an Internet connection, rather than using a dedicated TV distribution network

671 views • 18 slides
Drug Efficacy and Response Minutes of the TEG on Drug Efficacy and Response Malaria Policy

Drug Efficacy and Response Minutes of the TEG on Drug Efficacy and Response Malaria Policy

Drug Efficacy and Response Minutes of the TEG on Drug Efficacy and Response Malaria Policy Advisory Committee, Geneva, Switzerland, 16 March 2016 Outline Update on artemisinin resistance Monitoring efficacy and effectiveness of

765 views • 30 slides
IT deployed in the FLORENCE D. HUDSON World of Smart Cities SVP and Chief Innovation Officer

IT deployed in the FLORENCE D. HUDSON World of Smart Cities SVP and Chief Innovation Officer

IT deployed in the FLORENCE D. HUDSON World of Smart Cities SVP and Chief Innovation Officer and Connected IEEE CHASE JUNE 27, 2016 Healthcare 1 Advances in technology and cultural evolution are ushering in a new era the Internet of

518 views • 24 slides
Toward the IPv6 Mobile Internet The 7th TWNIC IP OPM November 23, 2006 Keiichi Shima

Toward the IPv6 Mobile Internet The 7th TWNIC IP OPM November 23, 2006 Keiichi Shima

Toward the IPv6 Mobile Internet The 7th TWNIC IP OPM November 23, 2006 Keiichi Shima &lt;keiichi@iijlab.net&gt; Internet Initiative Japan Inc. / WIDE Project PROJECT Background Widely deployed Internet Available in

658 views • 34 slides
Introduction to Global Internet Governance Internet Week Guyana 9/13 October 2017

Introduction to Global Internet Governance Internet Week Guyana 9/13 October 2017

Introduction to Global Internet Governance Internet Week Guyana 9/13 October 2017 kevon@lacnic.net What is the Internet? How does it work? Source: ICANN Historical Facts about the Internet 1975: TCP/IP test between two networks (Stanford

634 views • 25 slides
Internet censorship is everywhere Source:

Internet censorship is everywhere Source:

Internet censorship is everywhere Source: https://freedomhouse.org/report/freedom-net/freedom-net-2016 Commonly censored content Unapproved news (Fake News!!111) Wikipedia (usually partially) Facebook Google (all services), YouTube

539 views • 37 slides
Efficacy and Crop Safety Data Development Issues David Richardson Pesticides Safety Directorate

Efficacy and Crop Safety Data Development Issues David Richardson Pesticides Safety Directorate

Global Minor Uses Summit Efficacy and Crop Safety Data Development Issues David Richardson Pesticides Safety Directorate York, UK. Content Content Efficacy why efficacy? Efficacy why efficacy? Working to common

349 views • 24 slides
WIDE updates Kenjiro Cho IIJ/WIDE Project August 1, 2012 Understanding Internet Dynamics from a

WIDE updates Kenjiro Cho IIJ/WIDE Project August 1, 2012 Understanding Internet Dynamics from a

WIDE updates Kenjiro Cho IIJ/WIDE Project August 1, 2012 Understanding Internet Dynamics from a Global View the Internet is an evolving open system no central point, no typical network or user complexity everywhere: topology, usage

608 views • 13 slides
The Internet 2011-10-10 Saturday, 3 December 2011 The internet has grown through cooperation and

The Internet 2011-10-10 Saturday, 3 December 2011 The internet has grown through cooperation and

The Internet 2011-10-10 Saturday, 3 December 2011 The internet has grown through cooperation and interconnection between countless local networks. In principle the internet accepts information from any source and makes best e fg orts to deliver

505 views • 25 slides
The Internet Spirit 2011-10-11 Saturday, 3 December 2011 The internet has grown through

The Internet Spirit 2011-10-11 Saturday, 3 December 2011 The internet has grown through

The Internet Spirit 2011-10-11 Saturday, 3 December 2011 The internet has grown through cooperation and interconnection between countless local networks. In principle the internet accepts information packets from any source and makes best e fg

591 views • 28 slides
Internet of Things (IoT) Who are Pinacl? Enablers of Digital Transformation Over 35 years

Internet of Things (IoT) Who are Pinacl? Enablers of Digital Transformation Over 35 years

Internet of Things (IoT) Who are Pinacl? Enablers of Digital Transformation Over 35 years of industry experience turnover 15.5m FY17 Specialists in Wireless and Network Infrastructure Deployed Smart City solutions across York,

466 views • 9 slides
Topic 2: Efficacy endpoints in clinical trials: Industry Perspective T B i n n o v a t i o n f o

Topic 2: Efficacy endpoints in clinical trials: Industry Perspective T B i n n o v a t i o n f o

EMA Workshop on update of TB Guideline 25 November, 2016 London, England Topic 2: Efficacy endpoints in clinical trials: Industry Perspective T B i n n o v a t i o n f o r t o m o r r o w . Efficacy Endpoints and Efficacy Assessment

220 views • 10 slides
ITU Workshop on Internet Governance: Session 7: Understanding Intergovernmental Organisations

ITU Workshop on Internet Governance: Session 7: Understanding Intergovernmental Organisations

ITU Workshop on Internet Governance: Session 7: Understanding Intergovernmental Organisations Dr Tim Kelly, Head, Strategy and Policy Unit International Telecommunication Union (ITU) 27 February 2004 The views expressed in this

314 views • 8 slides
Physical Infrastructure Week 1 INFM 603 Agenda The Computer The Internet The Web

Physical Infrastructure Week 1 INFM 603 Agenda The Computer The Internet The Web

Physical Infrastructure Week 1 INFM 603 Agenda The Computer The Internet The Web The Course Source: Wikipedia Source: Wikipedia Source: Wikipedia Source: Wikipedia Source: Wikipedia The Big Picture Memory Processor

1.18k views • 80 slides
Source:

Source:

We are Here Source: Max Pixel Source: David Dixon Source: Google Earth Source: Arpingstone Source: Lee Cannon Source: Richard Drdul Source: Nicolas Nova

467 views • 20 slides
Social Support and Support enables Self-Efficacy Self-Efficacy: Self-Efficacy cultivates

Social Support and Support enables Self-Efficacy Self-Efficacy: Self-Efficacy cultivates

Mediator and Moderator Methods Single Mediator Model MEDIATOR M a b INDEPENDENT DEPENDENT VARIABLE VARIABLE c X Y Based on David P. MacKinnon Arizona State University 2003 and Preacher &amp; Hayes, 2004 Other names for Mediators

584 views • 6 slides
Promoting African Internet Economy Dawit Bekele Director, African Regional Bureau Internet

Promoting African Internet Economy Dawit Bekele Director, African Regional Bureau Internet

Promoting African Internet Economy Dawit Bekele Director, African Regional Bureau Internet Society 2 Introduction 1/3 rd of Africans have access to the Internet Contribution of Internet to the GDP: 1.1 Source: McKinsey Global

839 views • 10 slides
Past, Present, and Future of Spoofed-source IP Packets Paul Vixie Chairman and Founder Internet

Past, Present, and Future of Spoofed-source IP Packets Paul Vixie Chairman and Founder Internet

Past, Present, and Future of Spoofed-source IP Packets Paul Vixie Chairman and Founder Internet Systems Consortium Overview IP Spoofing: the root of most evil DNS RRL: radical DDoS opt-out Spoofed Source Attacks: Essence attacker

335 views • 14 slides
Addressing the Efficacy- Effectiveness gap London, EMA, December 2010 Hans-Georg Eichler An

Addressing the Efficacy- Effectiveness gap London, EMA, December 2010 Hans-Georg Eichler An

Addressing the Efficacy- Effectiveness gap London, EMA, December 2010 Hans-Georg Eichler An agency of the European Union Efficacy versus effectiveness Efficacy is the extent to which an intervention does more good than harm under ideal

467 views • 22 slides

More recommend