Brief Announcement: Spoofing Prevention Method
Anat Bremler-Barr (Computer Science, Interdisciplinary Center Herzliya) and Hanoch Levy (Computer Science, Tel-Aviv University)
Dec 26, 2015
Spoofing
• Used by hackers to mount denial of service attacks.
• Denial of service attacks – consume the resources of the victim’s network/servers.
• Spoofing – forging the source IP of packets.
  – Easy to create (4000 attacks per week [MVS01])
  – Harder to filter
  – Harder to trace back
[Figure: spoofing scenario. An attacker in Net B’ (ISP B) sends packets across the Internet to the victim in Net A’ (ISP A); the packet’s src field is forged to an address of Net A’ (the victim’s own space), dst is the victim. ISP C is also shown as a transit network.]
Prevention methods today: “Good Net-Citizen” methods
• Ingress/Egress filtering
  – Implementation: uRPF, ACL
  – Administrative overhead
  – Poor incentive – “good-will” and not self-defensive
[Figure: ingress/egress filtering. ISP B’s edge filters out packets whose source is not in Net B’ before they enter the Internet toward ISP A and ISP C.]
Spoofing Prevention Method (SPM)
• Self-defense method
• Incentive to implement
  – Visibility of SPM members
• Stepwise deployment
• Light mechanism
SPM architecture
• Entities: AS
• Key:
  – Function of source AS and destination AS
  – Added to each packet by the source AS routers
• Routers:
  – Mark, at the originating AS, the outgoing traffic with the key
  – Verify, at the destination AS, the authenticity of the key on the incoming packets
• Key distribution: two options:
  – By protocol
  – Learned passively
[Figure: SPM architecture. Traffic from Net B’ (ISP B) to Net A’ (ISP A) carries the key for the (source AS, destination AS) pair (packet fields: src, dst, key). The attacker’s packets are filtered at ISP A (“Filtering spoof traffic”) because the key does not match the src. ISP C is also shown.]
Benefits of SPM
• Server traffic: a server in an SPM member domain can filter at attack time:
  – Spoofed traffic from other SPM ASes
  – Spoofed traffic that spoofs SPM AS address space
• Client traffic: a client in an SPM member domain receives preferential treatment at SPM domain servers
• Visibility
Key
• Lightweight function – not crypto: a random 32-bit constant
• Guessing the key succeeds only with low probability: reduces the volume of the attack to 1/2^32
• Function of the source and destination AS
  – Acquiring the key is hard
• Key removed by routers, changed periodically
  – Sniffing is not a likely threat
• Placed as an additional IP option
Key distribution
• The key information requires two small tables:
  – AS-out table – marking
  – AS-in table – verification
• Size of each table: 120KB each – future 480KB
  – AS coded by 2 bytes (current 16,000, max 2^16)
  – Key 4 bytes
Key distribution
• Key information:
  – AS-out: synchronization inside the AS
  – AS-in: needs to be learned from various ASes – a key from each AS
• Key distribution:
  – Protocol: AS server (IRV [GAGIM03], route reflector)
  – Passively: learn the key from the regular non-spoofed traffic that completes the TCP handshake
Router job
• Marking – one lookup per destination (combine with the IP lookup)
  – Place the key only on traffic destined to other SPM members
• Verification – one lookup per source
  – Categorize traffic: spoofed, non-spoofed, other (no key)
  – Verification modes:
    – Conservative verification: peace time (drop spoofed)
    – Aggressive verification: attack time (drop spoofed + other)
• Implement in edge routers:
  – Combine SPM with ingress/egress filtering
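As an added illustration (not code from the paper or its authors), the SPM architecture and router job described above as a toy Python model: each AS edge router keeps an AS-out table (one key per destination AS) and an AS-in table (one key per source AS), marks outgoing traffic to members, classifies incoming traffic as spoofed, non-spoofed or other, and applies the conservative or aggressive verification mode. The prefixes, AS numbers, the Packet class, and the publish_key_to step standing in for the key-distribution protocol are all assumptions; the key is carried in a plain field rather than a real IP option.

```python
"""Toy SPM edge router: AS-out marking, AS-in verification, two verification modes."""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional

KEY_BITS = 32  # the slides use a random 32-bit constant per (source AS, destination AS) pair

# Constructed prefix-to-AS map; prefixes and AS numbers are hypothetical.
PREFIX_TO_AS = [
    (ipaddress.ip_network("10.1.0.0/16"), 64501),  # "ISP A" (Net A', the victim side)
    (ipaddress.ip_network("10.2.0.0/16"), 64502),  # "ISP B" (Net B')
    (ipaddress.ip_network("10.3.0.0/16"), 64503),  # "ISP C", not an SPM member here
]


def lookup_as(ip: str) -> Optional[int]:
    """Longest-prefix match from an address to its AS (the one IP lookup per packet)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in PREFIX_TO_AS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


@dataclass
class Packet:
    src: str
    dst: str
    spm_key: Optional[int] = None  # stands in for the SPM IP option


class SpmEdgeRouter:
    def __init__(self, my_as: int):
        self.my_as = my_as
        self.as_out: dict[int, int] = {}  # destination AS -> key we mark outgoing traffic with
        self.as_in: dict[int, int] = {}   # source AS -> key we expect on incoming traffic
        self.aggressive = False           # False: conservative (peace time); True: attack time

    def new_key_for(self, dst_as: int) -> int:
        """Pick a fresh random key for traffic to dst_as; repeated periodically."""
        self.as_out[dst_as] = secrets.randbits(KEY_BITS)
        return self.as_out[dst_as]

    def publish_key_to(self, dst: "SpmEdgeRouter") -> None:
        """Protocol-style distribution (assumed): our AS-out entry becomes the peer's AS-in entry."""
        dst.as_in[self.my_as] = self.as_out[dst.my_as]

    def mark(self, pkt: Packet) -> Optional[Packet]:
        """Egress filter, then add the key only on traffic destined to SPM members."""
        if lookup_as(pkt.src) != self.my_as:
            return None  # spoofed source leaving our AS: egress filtering drops it
        dst_as = lookup_as(pkt.dst)
        if dst_as in self.as_out:
            pkt.spm_key = self.as_out[dst_as]
        return pkt

    def classify(self, pkt: Packet) -> str:
        """Return 'spoofed', 'non-spoofed' or 'other' (source is not an SPM member)."""
        src_as = lookup_as(pkt.src)
        if src_as == self.my_as:
            return "spoofed"  # arrives from outside claiming our own address space
        if src_as not in self.as_in:
            return "other"    # no key expected from a non-member AS
        return "non-spoofed" if pkt.spm_key == self.as_in[src_as] else "spoofed"

    def verify(self, pkt: Packet) -> bool:
        """Decide forward (True) or drop (False); the key is stripped either way."""
        category = self.classify(pkt)
        pkt.spm_key = None  # routers remove the key, so hosts never see it
        if category == "spoofed":
            return False
        if category == "other" and self.aggressive:
            return False
        return True


def demo() -> dict[str, bool]:
    """Two SPM members (A, B) exchange keys; traffic toward A is verified in both modes."""
    a, b = SpmEdgeRouter(64501), SpmEdgeRouter(64502)
    for src, dst in ((a, b), (b, a)):
        src.new_key_for(dst.my_as)
        src.publish_key_to(dst)
    legit = b.mark(Packet("10.2.0.7", "10.1.0.1"))  # marked by B's edge router
    forged_b = Packet("10.2.0.7", "10.1.0.1")       # claims B's space, carries no key
    forged_a = Packet("10.1.0.5", "10.1.0.1")       # claims the victim's own space
    non_member = Packet("10.3.0.9", "10.1.0.1")     # genuine traffic from C, no key
    out = {
        "legit": a.verify(legit),
        "forged_member_src": a.verify(forged_b),
        "forged_victim_src": a.verify(forged_a),
        "non_member_peace": a.verify(non_member),
    }
    a.aggressive = True  # attack time: drop everything without a valid key
    out["non_member_attack"] = a.verify(Packet("10.3.0.9", "10.1.0.1"))
    return out


if __name__ == "__main__":
    for name, forwarded in demo().items():
        print(f"{name:>20}: {'forward' if forwarded else 'drop'}")
```

The model keeps the slides’ split between peace time and attack time: in conservative mode unkeyed traffic from non-members still flows, so a partial deployment costs nothing for legitimate users, while aggressive mode turns the AS-in table into a whitelist of sources that can prove their origin.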
Motivation: Implementation benefit (Symmetric Model)
[Figure: two plots of relative benefit (0 to 1) against number of participants (0 to 10,000). Left, “Relative Benefit of SPM”: SPM members vs. SPM non-members. Right, “Relative Benefit of Ingress/Egress filtering”: ingress/egress filtering members vs. non-members.]
Relative benefit of SPM = cannot spoof from SPM AS + cannot spoof to SPM address = 2K/N - (K/N)^2
Motivation: Implementation benefit (Asymmetric Model)
• Traffic is proportional to the domain size
• Domain size ~ address space allocation ~ Zipf distribution (top 10 ISPs – 27.8% of the address space [Fixedorbit])
[Figure: “Relative Benefits of SPM” – relative benefit (0 to 1) against number of participants (0 to 10,000) for SPM members vs. SPM non-members under the asymmetric model.]
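As an added worked example (not from the paper), the symmetric-model formula 2K/N - (K/N)^2 carried through in Python, together with one reading of the asymmetric model. Assumptions: K is the number of SPM members out of N ASes; in the asymmetric model the members are taken to be the K largest ASes, each AS’s traffic share follows a Zipf law with a free exponent s, and K/N in the formula is replaced by the members’ combined address-space share. The slides give neither the exponent nor the non-member curve, so neither is reproduced here.

```python
"""Relative benefit of SPM deployment: the slides' symmetric formula and a
Zipf-weighted interpretation of the asymmetric model (the latter is an assumption)."""


def symmetric_benefit(k: int, n: int) -> float:
    """Symmetric model: K of N equal-sized ASes run SPM.
    A member filters spoofed traffic from SPM ASes (K/N) plus traffic spoofing
    SPM address space (K/N); the overlap (K/N)^2 is counted once."""
    if n <= 0 or not 0 <= k <= n:
        raise ValueError("need n > 0 and 0 <= k <= n")
    p = k / n
    return 2 * p - p * p


def zipf_shares(n: int, s: float = 1.0) -> list[float]:
    """Address-space share of each AS by rank: weight 1/r^s, normalised to sum to 1.
    The exponent s is a free parameter here, not a value taken from the slides."""
    weights = [1.0 / (r ** s) for r in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def top_share(k: int, n: int, s: float = 1.0) -> float:
    """Combined address-space share of the k largest of n ASes."""
    return sum(zipf_shares(n, s)[:k])


def asymmetric_benefit(k: int, n: int, s: float = 1.0) -> float:
    """Asymmetric model (interpretation): traffic is proportional to address space and
    the K members are the K largest ASes, so K/N becomes their combined share."""
    share = top_share(k, n, s)
    return 2 * share - share * share


def benefit_table(n: int = 10000, ks=(10, 100, 1000, 5000, 10000)) -> dict[int, tuple[float, float]]:
    """Symmetric and asymmetric member benefit for several deployment sizes."""
    return {k: (symmetric_benefit(k, n), asymmetric_benefit(k, n)) for k in ks}


if __name__ == "__main__":
    for k, (sym, asym) in benefit_table().items():
        print(f"K={k:>5}: symmetric={sym:.3f}  asymmetric(zipf, s=1)={asym:.3f}")
```

With s = 1 and N = 10,000 the ten largest ASes hold about 30% of the address space in this model (the slides quote 27.8% from real allocation data), so ten early adopters already obtain a member benefit of about 0.5 under the asymmetric model versus about 0.002 under the symmetric one; this is the quantitative case for stepwise deployment starting with large ISPs.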