Brief Announcement: Spoofing Prevention Method. Anat Bremler-Barr (Computer Science, Interdisciplinary Center Herzliya), Hanoch Levy (Computer Science, Tel-Aviv University)


Dec 26, 2015

Page 1:

Brief Announcement: Spoofing Prevention Method

Anat Bremler-Barr, Computer Science, Interdisciplinary Center Herzliya
Hanoch Levy, Computer Science, Tel-Aviv University

Page 2:

Spoofing

• Used by hackers to mount denial of service attacks.

• Denial of service attacks – consume the resources of the victim's network/servers.

• Spoofing – forging the source IP of packets.
  – Easy to create (4000 attacks per week [MVS01])
  – Harder to filter
  – Harder to trace back

Page 3:

[Figure: an attacker in Net B' (ISP B) sends packets across the Internet (ISP C shown in between) with a spoofed source address to the victim in Net A' (ISP A); the packet is drawn with its src and dst fields]

Page 4:

Prevention methods today: "Good Net-Citizen" methods

• Ingress/Egress filtering
  – Implementation: uRPF, ACL
  – Administrative overhead
  – Poor incentive – "good-will" and not self-defensive

[Figure: same topology (ISP A, ISP B with Net B', ISP C, Internet); ISP B filters out packets with src not in Net B']

Page 5:

Spoofing Prevention Method (SPM)

• Self-defense method

• Incentive to implement
  – Visibility of SPM members

• Stepwise deployment

• Light mechanism

Page 6:

SPM architecture

• Entities: AS

• Key:
  – Function of source AS and destination AS
  – Added to each packet by the source AS routers

• Routers:
  – Mark at the originating AS the outgoing traffic with the key
  – Verify at the destination AS the authenticity of the key on the incoming packets

• Key distribution: two options:
  – By protocol
  – Learned passively

Page 7:

SPM Architecture

[Figure: same topology as page 3 (ISP A with Net A' and the victim, ISP B with Net B' and the attacker, ISP C); packets now carry src, dst and key fields (the key drawn as "BC"); the destination side filters the spoofed traffic because the key does not match the src]

Page 8:

Benefits of SPM

• Server traffic: a server of an SPM member domain can filter at attack time:
  – Spoofed traffic from other SPM ASs
  – Spoofed traffic that spoofs to SPM AS address space

• Client traffic: a client of an SPM member domain receives preferential treatment at SPM domain servers

• Visibility

Page 9:

Key

• Lightweight function – not crypto: random constant, 32 bit

• Guessing the key has low probability: reduces the volume of attack to 1/2^32

• Function of the source and destination AS
  – Acquiring the key is hard

• Key removed by routers, changed periodically
  – Sniffing is not a likely threat

• Placed as an additional IP option

Page 10:

Key distribution

• The key information requires two small tables:
  – AS-out table – marking
  – AS-in table – verification

• Size of each table: 120KB each – future 480KB
  – AS coded by 2 bytes (current 16,000, max 2^16)
  – Key 4 bytes

Page 11:

Key distribution

• Key information:
  – AS-out: synchronization inside the AS
  – AS-in: needs to be learned from various ASes – a key from each AS

• Key distribution:
  – Protocol: AS server (IRV [GAGIM03], route reflector)
  – Passively: learn the key passively from the regular non-spoofed traffic that completes the TCP handshake

Page 12:

Router job

• Marking – one lookup per destination (combine with IP lookup)
  – Place only on traffic destined to other SPM members

• Verification – one lookup per source
  – Categorize traffic: spoofed, non-spoofed, other (no key)
  – Verification modes:
    – Conservative verification: peace time (drop spoofed)
    – Aggressive verification: attack time (drop spoofed + other)

• Implement in edge routers:
  – Combine SPM with ingress/egress filtering
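As an added illustration (not code from the slides or the authors), the marking and verification steps of pages 6 and 12 in Python: an edge router of one SPM member AS marks outgoing packets from its AS-out table, classifies incoming packets against its AS-in table into spoofed, non-spoofed and other, and drops according to the conservative or aggressive mode. AS numbers, keys and table contents are constructed, and the IP-to-AS lookup is assumed to have already happened.

```python
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional

class Category(Enum):
    NON_SPOOFED = "non-spoofed"  # key present and equals the AS-in entry for the source AS
    SPOOFED = "spoofed"          # key present but does not match
    OTHER = "other"              # no key, or the source AS is not an SPM member

@dataclass
class Packet:
    src_as: int                  # AS owning the source address (IP->AS lookup assumed done)
    dst_as: int                  # AS owning the destination address
    key: Optional[int] = None    # 32-bit SPM key carried as an additional IP option

class SpmEdgeRouter:
    """Edge router of one SPM member AS (constructed model, not the paper's code)."""
    def __init__(self, as_out: Dict[int, int], as_in: Dict[int, int]):
        self.as_out = dict(as_out)  # dst AS -> key to place on outgoing traffic
        self.as_in = dict(as_in)    # src AS -> key expected on incoming traffic

    def mark(self, pkt: Packet) -> Packet:
        """Marking: one lookup per destination; only SPM-member destinations get a key."""
        key = self.as_out.get(pkt.dst_as)
        if key is not None:
            pkt.key = key
        return pkt

    def classify(self, pkt: Packet) -> Category:
        """Verification: one lookup per source, then categorize."""
        expected = self.as_in.get(pkt.src_as)
        if pkt.key is None or expected is None:
            return Category.OTHER
        return Category.NON_SPOOFED if pkt.key == expected else Category.SPOOFED

    def accept(self, pkt: Packet, under_attack: bool = False) -> bool:
        """Conservative mode drops spoofed; aggressive (attack time) also drops other."""
        cat = self.classify(pkt)
        if cat is Category.SPOOFED or (cat is Category.OTHER and under_attack):
            return False
        pkt.key = None   # routers remove the key before the packet enters the AS
        return True

    def rotate_key(self, dst_as: int) -> int:
        """Periodic change of the random 32-bit key placed toward dst_as (peer relearns it)."""
        self.as_out[dst_as] = secrets.randbits(32)
        return self.as_out[dst_as]
```

The peer's AS-in table must pick up a rotated key by protocol or passively, as pages 6 and 11 describe; this model does not transport it.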

Page 13:

Motivation: Implementation benefit (Symmetric Model)

[Chart: Relative Benefit of SPM (0 to 1) vs. number of participants (0 to 10000); two curves: SPM members, SPM non-members]

Relative benefit of SPM = cannot spoof from SPM AS + cannot spoof to SPM address = 2K/N – (K/N)^2

[Chart: Relative Benefit of Ingress/Egress filtering (0 to 1) vs. number of participants (0 to 10000); two curves: Ingress/Egress filtering members, Ingress/Egress filtering non-members]
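As an added worked computation (not from the slides), the symmetric-model formula above evaluated in Python, assuming K is the number of participating ASes out of N, that ingress/egress filtering, being good-will rather than self-defensive, yields K/N to member and non-member victims alike, and that SPM gives non-members nothing because keys are placed and verified only between members; the join-incentive comparison is the editor's, not the authors'.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

def spm_member_benefit(k: int, n: int) -> Fraction:
    """Slide formula: cannot spoof from an SPM AS + cannot spoof to SPM address space,
    i.e. 2K/N - (K/N)^2, which equals 1 - (1 - K/N)^2."""
    if n <= 0 or not 0 <= k <= n:
        raise ValueError("need n > 0 and 0 <= k <= n")
    p = Fraction(k, n)
    return 2 * p - p * p

def spm_non_member_benefit(k: int, n: int) -> Fraction:
    """Assumption: keys are placed and verified only between members, so non-members get 0."""
    if n <= 0 or not 0 <= k <= n:
        raise ValueError("need n > 0 and 0 <= k <= n")
    return Fraction(0)

def filtering_benefit(k: int, n: int) -> Fraction:
    """Assumption: ingress/egress filtering removes the spoofed traffic that originates in
    the K filtering ASes, for member and non-member victims alike: K/N."""
    if n <= 0 or not 0 <= k <= n:
        raise ValueError("need n > 0 and 0 <= k <= n")
    return Fraction(k, n)

def join_incentive(k: int, n: int) -> Dict[str, Fraction]:
    """Gain for an AS that becomes the (k+1)-th participant, under each scheme."""
    return {
        "spm": spm_member_benefit(k + 1, n) - spm_non_member_benefit(k, n),
        "filtering": filtering_benefit(k + 1, n) - filtering_benefit(k, n),
    }

def benefit_curve(n: int, step: int) -> List[Tuple[int, float, float]]:
    """Points (K, SPM member benefit, filtering benefit) for plotting, K = 0..N by step."""
    return [(k, float(spm_member_benefit(k, n)), float(filtering_benefit(k, n)))
            for k in range(0, n + 1, step)]

if __name__ == "__main__":
    for k, spm, filt in benefit_curve(10000, 2000):
        print(f"K={k:5d}  SPM member={spm:.3f}  filtering={filt:.3f}")
```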

Page 14:

Motivation: Implementation benefit (Asymmetric Model)

• Traffic is proportional to the domain size

• Domain size ~ address space allocation ~ Zipf distribution (top 10 ISPs – 27.8% of the address space [Fixedorbit])

[Chart: Relative Benefits of SPM (0 to 1) vs. number of participants (0 to 10000); two curves: SPM members, SPM non-members]

Page 15:

Conclusions

• Ingress/Egress filtering – today's technological solution – is economically ineffective

• SPM – economically attractive:
  – AS that joins – gains significant relative benefits (server traffic/client traffic)
  – Stepwise deployment
  – Visibility
  – Simple

Questions? Thank you!