University of Central Florida CAP 6135: Malware and Software Vulnerability Spring 2012 Paper Presentation Dude, where’s that IP? Circumventing measurement-based.

University of Central FloridaCAP 6135: Malware and Software Vulnerability

Spring 2012

Paper Presentation

Dude, where’s that IP? Circumventing measurement-based IP geolocation

Phillipa Gill, Yashar Ganjali, Bernard Wong, and David Lie

Presenter

Ahmad Alzahrani

Information about the Paper:

Authors:Phillipa Gill and Yashar Ganjali Dept. of Computer Science, University of TorontoDavid Lie Dept. of Electrical and Computer Engineering, University of TorontoBernard Wong Dept. of Computer Science, Cornell University

Presented at the 19th USENIX Security Symposium, on August 12, 2010 in San Jose, CA during the Internet Security session.

Background

• What is IP Geolocation?

Introduction

Applications benefit from IP Geolocation

–Online advertising –Search engines–Restrict access to online content

• Multimedia

–Fraud Preventions–Geolocation to locate VMs hosted by cloud provider

Motivation

Who has incentive to circumvent IP geolocation?

Web clients:– Gain access to content– Online payment fraud

Cloud service– Location-based SLAs - cloud providers.

Paper Contributions

• Evaluation of two attacks.

• First to study measurement-based geolocation of an adversary

• Studied two models of adversarial geolocation targets (end host & WAN)

Background

Measurement-based geolocation

Delay-based geolocation (e.g. Constraint-based geolocation Gueye et al. )

Ping!Ping!Ping!

courtesy Phillipa

Measurement-based geolocation

Delay-based geolocation (e.g. Constraint-based geolocation Gueye et al. )

Ping!

Ping!

Ping!

Ping!

courtesy Phillipa

12

courtesy Phillipa

Topology-aware geolocation

• Assume no direct path to target.

• Locate also hops on the way.

• Takes into account circuitous network paths.

courtesy Phillipa

Ping!Ping!

Measurement-based geolocation

• Delay-based:– Constraint-based geolocation (CBG) [Gueye et al]

– Accuracy: ~ 78-182 km

• Topology-aware:– Octant [Wong et al.]

– Delay between hops on path is considered

– Locate nodes along the path

– Median accuracy: ~ 35-40 km

Two Attacks have been studied:(1) Delay-adding attack

Increase delay by time to travel the difference

Challenge: how to map distance to delay?

-

- Access to the map function.

ci

322

L3

L2

L11g

2gForgedlocation

Two Attacks have been studied:(2) Hop-adding attack

Landmark 1

Landmark 2

1dTargetTarget

2d

Two Attacks have been studied:(2) Hop-adding attack

Multiple network entry points

Internal router (each connected to 3) Forged locationcourtesy Phillipa

Evaluation

– Are the attacks effective?

– What is the accuracy achieved by the attacker to mislead geolocation.

– Can the attacks be detected?

Experiment1 (Delay-adding Attack)

– Collected measurements inputs using 50 PlanetLab nodes.

– Each node of the 50 takes turn as target.

– Each target moved to 50 forged locations.

Delay-adding Attack - Simulation Setup

Delay-adding attack (Detectability?)

Delay-adding attack (How accurate?)

22

NYC-SFO

700 M/KM

Hop-Adding Attack - Simulation Setup

-Targets : 80 nodes (50 in US and 30 in EU)-Forget Locations : 11 inside above WAN

(4 Gateways, 15 Internal Routers)

Hop-adding attack (Detectability?)

Best-case(delay adding attack)

Hop adding attack

25

Hop-adding attack (How accurate?)

RecapSimpleAttacker

SophisticatedAttacker

Delay-basedAttack

1 1

Topology-awareAttack

1 2

1 – Detectable using region size, accuracy depends on distance to forged location.2 – High Accuracy and difficult to detect.

Conclusion

• Measurement-Based Geolocation algorithms are susceptible to delay-based and topology measurements.

• Two models of adversaries have been considered.

• Two attacks have been developed and evaluated.

• The more advanced and accurate algorithm is more susceptible to tampering

Possible Extensions

• Develop secure measurement protocol to reduce ability of attackers to change measurements .

• Provide real-world results of the proposed attacks to study the effect of network congestion state on accuracy.

Qs & As