Filtering Spoofed Packets

Slides:



Advertisements
Similar presentations
Source Validation 111. BCP 38 Ingress Packet Filtering Your customers should not be sending any IP packets out to the Internet with a source address other.
Advertisements

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.
The subnet /28 has been selected to be further subnetted to support point-to-point serial links. What is the maximum number of serial links.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider.
Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Network Attacks Mark Shtern.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
Computer Security and Penetration Testing
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.
– Chapter 4 – Secure Routing
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
IIT Indore © Neminath Hubballi
Being an Intermediary for Another Attack Prepared By : Muhammad Majali Supervised By : Dr. Lo’ai Tawalbeh New York Institute of Technology (winter 2007)
1 IP: putting it all together Part 2 G53ACC Chris Greenhalgh.
Access Control List ACL. Access Control List ACL.
1 © 2004 Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 11 Access Control Lists (ACLs)
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
BCOP on Anti-Spoofing Long known problem Deployment status Reason for this work Where more input needed.
BCP-38 demo Alan Barrett Geert Jan de Groot & cast of thousands.
Verify that timestamps for debugging and logging messages has been enabled. Verify the severity level of events that are being captured. Verify that the.
Network Security1 Secure Routing Source: Ch. 4 of Malik. Network Security Principles and Practices (CCIE Professional Development). Pearson Education.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 11: Network Address Translation for IPv4 Routing And Switching.
Filtering Spoofed Packets Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out.
SEMINAR ON IP SPOOFING. IP spoofing is the creation of IP packets using forged (spoofed) source IP address. In the April 1989, AT & T Bell a lab was among.
Network Security Threats KAMI VANIEA 18 JANUARY KAMI VANIEA 1.
An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson.
1 Figure 4-11: Denial-of-Service (DoS) Attacks Introduction  Attack on availability  Act of vandalism Single-Message DoS Attacks  Crash a host with.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. SANS ‘98 Conference -
Cisco Routers Routers collectively provide the main feature of the network layer—the capability to forward packets end-to-end through a network. routers.
Presentation on ip spoofing BY
Internet Quarantine: Requirements for Containing Self-Propagating Code
Advanced Topics in Network Security: IP Spoofing and DDoS CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Troubleshooting a Network
DDoS Attacks on Financial Institutions Presentation
Distributed Denial of Service Attacks
Firewalls.
Distributed Denial of Service (DDoS) Attacks
Ingress Filtering, Site Multihoming, and Source Address Selection
Outline Basics of network security Definitions Sample attacks
NAT / PAT.
Defending Against DDoS
Stateless Source Address Mapping for ICMPv6 Packets
Introduction to Networking
Who should be responsible for risks to basic Internet infrastructure?
Chapter 4: Access Control Lists (ACLs)
Defending Against DDoS
Intro to Denial of Serice Attacks
Firewalls Purpose of a Firewall Characteristic of a firewall
NAT / PAT.
Security Physical Layer, DoS and DDoS
Firewalls Jiang Long Spring 2002.
IIT Indore © Neminath Hubballi
DDoS Attack and Its Defense
Intrusion Detection and Hackers Exploits IP Spoofing Attack
Advanced Topics in Network Security: IP Spoofing and DDoS CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Distributed Denial of Service Attacks
Outline The spoofing problem Approaches to handle spoofing
Outline Basics of network security Definitions Sample attacks
Distributed Denial of Service (DDoS) Attacks
Outline The concept of perimeter defense and networks Firewalls.
Presentation transcript:

Filtering Spoofed Packets Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out

A typical connection from an ISP to a customer ISP border router Customer border router Customer Network

The Problem Attackers gain control of thousands of millions of hosts Worm or virus infection Bot nets Hosts send forged packets IP source = forgery (random or victim) IP destination = victim Forged packets go to victims DNS request, TCP SYN, etc. Responses go to random places or other victims DNS response, TCP ACK/RST, ICMP, etc.

Customer border router Forged packets Victim 1 ISP border router Victim 2 Customer border router Customer Network PC with virus or attacker

“Denial of Service” (DoS) attacks The attacker wants to cause some service to stop working for some victim Attacker controls many hosts Attacker instructs hosts to send forged packets to victim Victim gets lots of packets from many sources Distributed Denial of Service (DDoS) Difficult for victim to filter effectively when packets have forged source addresses

Ingress filtering ISPs can block the forged packets as they transit from the customer network to the ISP border router ISP knows what IP addresses the customer is allowed to use ISP can therefore block packets with source IP addresses outside the range that the customer is allowed to use This will prevent the attack

Why use Ingress Filtering Save bandwidth from ISP to victims by not forwarding forged packets If you don't send forged packets, you won't be contacted by investigators If you send forged packets, you may eventually be blacklisted by other ISPs When your customers are the victms, you will wish that other ISPs had blocked the attack

Simple case: Single-homed customer If the customer is single-homed, then the only addresses they are allowed to use are the addresses that the ISP routes to them ISP can easily configure the border router to block all other addresses Cisco feature: interface Serial1/2 ip verify unicast reverse-path

Complex case: Multi-homed customer If the customer is multi-homed, then they may also use addresses from other ISPs e.g. Satellite downlink from ISP A, uplink to ISP B ISPs can still block the forged packets Need to have a list of valid addresses Use generic filtering features, such as cisco access lists Not just one trivial command, but still worth doing

Further Reading BCP 38 (RFC 2827) Team Cymru A few presentations http://www.ietf.org/rfc/rfc2827.txt Team Cymru http://www.cymru.com/ A few presentations http://bgphints.ruud.org/articles/urpf.html http://www.nanog.org/mtg- 0602/pdf/greene.ppt http://www.cisco.com/warp/public/ 732/Tech/security/docs/urpf.pdf

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.