DOI: 10.1145/1644893.1644936
Research article

Understanding the efficacy of deployed internet source address validation filtering

Published: 04 November 2009

Abstract

IP source address forgery, or "spoofing," is a long-recognized consequence of the Internet's lack of packet-level authenticity. Despite historical precedent and filtering and tracing efforts, attackers continue to utilize spoofing for anonymity, indirection, and amplification. Using a distributed infrastructure and approximately 12,000 active measurement clients, we collect data on the prevalence and efficacy of current best-practice source address validation techniques. Of clients able to test their provider's source-address filtering rules, we find 31% able to successfully spoof an arbitrary, routable source address, while 77% of clients otherwise unable to spoof can forge an address within their own /24 subnetwork. We uncover significant differences in filtering depending upon network geographic region, type, and size. Our new tracefilter tool for filter location inference finds 80% of filters implemented a single IP hop from sources, with over 95% of blocked packets observably filtered within the source's autonomous system. Finally, we provide initial longitudinal results on the evolution of spoofing revealing no mitigation improvement over four years of measurement. Our analysis provides an empirical basis for evaluating incentive and coordination issues surrounding existing and future Internet packet authentication strategies.



Published In

IMC '09: Proceedings of the 9th ACM SIGCOMM conference on Internet measurement
November 2009
468 pages
ISBN: 9781605587714
DOI: 10.1145/1644893
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. filtering
      2. ip spoofing
      3. source address validation

      Qualifiers

      • Research-article

Conference

IMC '09: Internet Measurement Conference
November 4-6, 2009
Chicago, Illinois, USA

      Acceptance Rates

      Overall Acceptance Rate 277 of 1,083 submissions, 26%

Cited By

• (2024) Poster: In-switch Defense against DNS Amplification DDoS Attacks. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pages 4964-4966. DOI: 10.1145/3658644.3691404. Online publication date: 2 Dec 2024.
• (2024) Toward Practical Inter-Domain Source Address Validation. IEEE/ACM Transactions on Networking, 32(4):3126-3141. DOI: 10.1109/TNET.2024.3377116. Online publication date: Aug 2024.
• (2024) DAmpADF. Computers and Security, 139(C). DOI: 10.1016/j.cose.2024.103718. Online publication date: 16 May 2024.
• (2023) Hyperparameter Tuning for Address Validation using Optuna. WSEAS Transactions on Computer Research, 12:105-111. DOI: 10.37394/232018.2024.12.10. Online publication date: 13 Nov 2023.
• (2023) Guardians of DNS Integrity: A Remote Method for Identifying DNSSEC Validators Across the Internet. 2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pages 1470-1479. DOI: 10.1109/TrustCom60117.2023.00201. Online publication date: 1 Nov 2023.
• (2023) The Closed Resolver Project: Measuring the Deployment of Inbound Source Address Validation. IEEE/ACM Transactions on Networking, 31(6):2589-2603. DOI: 10.1109/TNET.2023.3257413. Online publication date: Dec 2023.
• (2023) Validation algorithm for aligning postal addresses available on the Internet. 2023 International Conference on Applied Mathematics & Computer Science (ICAMCS), pages 75-80. DOI: 10.1109/ICAMCS59110.2023.00019. Online publication date: 8 Aug 2023.
• (2022) DNS Poisoning of Operating System Caches: Attacks and Mitigations. IEEE Transactions on Dependable and Secure Computing, 19(4):2851-2863. DOI: 10.1109/TDSC.2022.3142331. Online publication date: 1 Jul 2022.
• (2022) Deployment of Source Address Validation by Network Operators: A Randomized Control Trial. 2022 IEEE Symposium on Security and Privacy (SP), pages 2361-2378. DOI: 10.1109/SP46214.2022.9833701. Online publication date: May 2022.
• (2021) Using proof-of-work to mitigate spoofing-based denial of service attacks. Proceedings of the CoNEXT Student Workshop, pages 15-16. DOI: 10.1145/3488658.3493789. Online publication date: 7 Dec 2021.
