Understanding the efficacy of deployed internet source address validation filtering
Source
Internet Measurement Conference archive
Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
Chicago, Illinois, USA
SESSION: Routing
Pages: 356-369  
Year of Publication: 2009
ISBN:978-1-60558-771-4
Authors
Robert Beverly  Massachusetts Institute of Technology, Cambridge, MA, USA
Arthur Berger  Massachusetts Institute of Technology, Cambridge, MA, USA
Young Hyun  CAIDA, La Jolla, CA, USA
k claffy  CAIDA, La Jolla, CA, USA
Sponsor
SIGCOMM: ACM Special Interest Group on Data Communication
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1644893.1644936

ABSTRACT

IP source address forgery, or "spoofing," is a long-recognized consequence of the Internet's lack of packet-level authenticity. Despite historical precedent and filtering and tracing efforts, attackers continue to utilize spoofing for anonymity, indirection, and amplification. Using a distributed infrastructure and approximately 12,000 active measurement clients, we collect data on the prevalence and efficacy of current best-practice source address validation techniques. Of clients able to test their provider's source-address filtering rules, we find 31% able to successfully spoof an arbitrary, routable source address, while 77% of clients otherwise unable to spoof can forge an address within their own /24 subnetwork. We uncover significant differences in filtering depending upon network geographic region, type, and size. Our new tracefilter tool for filter location inference finds 80% of filters implemented a single IP hop from sources, with over 95% of blocked packets observably filtered within the source's autonomous system. Finally, we provide initial longitudinal results on the evolution of spoofing revealing no mitigation improvement over four years of measurement. Our analysis provides an empirical basis for evaluating incentive and coordination issues surrounding existing and future Internet packet authentication strategies.

