Short paper, DOI: 10.1145/3673422.3674888

UniSAV: A Unified Framework for Internet-Scale Source Address Validation

Published: 20 July 2024

Abstract

To mitigate the threat of source address spoofing, many source address validation (SAV) solutions have been proposed over the past few years. However, none of them is widely deployed in practice, due to a lack of understanding, a lack of open-source implementations, and performance concerns. To address these problems, we develop a unified framework, UniSAV, to facilitate the understanding, design, implementation, and evaluation of existing and future SAV solutions. With UniSAV, we implement existing SAV solutions and evaluate their performance in real topologies. UniSAV further helps us design and implement a new SAV solution that improves on the performance of existing SAV solutions.

Published In

ANRW '24: Proceedings of the 2024 Applied Networking Research Workshop
July 2024
110 pages
ISBN: 9798400707230
DOI: 10.1145/3673422

In-Cooperation

• IRTF: Internet Research Task Force

Publisher

Association for Computing Machinery
New York, NY, United States

Qualifiers

• Short-paper
• Research
• Refereed limited

Conference

ANRW '24: Applied Networking Research Workshop
July 23, 2024
AA, Vancouver, Canada

Acceptance Rates

Overall Acceptance Rate 34 of 58 submissions, 59%
