IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense

Outlines IP Spoofing IP Spoofing Defense host-based Defensehost-based Defense Methods Router-Based Defense Methods Hybrid Defenses References Impersonation Hiding Reflection Cryptographic Solutions SYN Cookies IP Puzzles Ingress/Egress Filtering Distributed Packet Filtering (DPFDistributed Packet Filtering (DPF) Source Address Validity Enforcement (SAVE) Pi 2 IP Spoofing Defense

IP Spoofing Introduction Definition Creation of IP packets with source addresses different than those assigned to that host. Malicious use of IP Spoofing Impersonation Hiding Reflection Session hijack or reset Flood attack IP reflected attack 3 IP Spoofing Defense

Session hijack or reset Impersonation Attacker IP spoofed packet Src: Partner Dst: Victim Src: Victim Dst: Partner Assumes the partner has sent a packet, starts responding Partner Victim 4 IP Spoofing Defense

Flood attack Attacker Victim Src: Random Dst: Victim Hiding 5 IP Spoofing Defense

Reflection Smurf attacks DNS amplification attacks IP spoofing (reflection) DNS query DNS amplification Src: Victim Dst: Reflector IP spoofed packet A lot of reply without request Src: Reflector Dst: Victim Reply Reflector Victim Attacker 6 IP Spoofing Defense

IP Reflected Attacks 7 IP Spoofing Defense

DNS Amplification Attack 8 IP Spoofing Defense

Three classes of solutions 1 Host-based solutions No need to change network infrastructure Easy to deploy Too late for their reaction Router-based solutions Core or edge solutions Harder to deploy Most effective Hybrid solutions Routers + hosts 9 IP Spoofing Defense

Cryptographic Solutions Host-based solutions Require hand-shaking to set up secret keys between two hosts Communication between the two hosts can be encrypted Attacker cannot successfully spoof packets to create connection While IPSec is effective in many cases, it has some drawbacks Handshaking fails It is not feasible to require all hosts to connect through IPSec Encryption cost( time ) Encryption reduce the performance 10 IP Spoofing Defense

SYN Cookies Some servers use SYN cookies to prevent opening connections to spoofed source addresses The server with SYN cookies does not allocate resources until the 3-way handshake is complete How Does It Work? Server sends SYN+ACK with cookies V When it receives client’s response, it checks the V If it is cookie value + 1 ⇒ it creates the connection 11 IP Spoofing Defense

IP Puzzles A server sends an IP puzzle to a client The client solves the puzzle by some computational task The server allows to connect only after receiving the correct solution. The puzzle is sent to the listed hosts, not the attacker From the listed hosts ⇒ not the attacker 12 IP Spoofing Defense

Router-Based Defense Methods most host-based methods can be used in routers IPSec and IP puzzles have been used in routers 13 IP Spoofing Defense

Ingress/Egress Filtering Filtering packets before The key is the knowledge of expected IP address at a particular port Reverse Path filtering can help to build this knowledge coming to local network ⇒ ingress filtering before leaving local network ⇒ egress filtering It is not easy to obtain this knowledge in some networks with complicated topologies A router knows which networks are reachable from any of its interfaces. This is routing table 14 IP Spoofing Defense

Ingress/Egress Filtering Drawbacks: Hard to deployment It can not stop local spoofing RPF may drop legitimate packets With less than 100% deployment, IEF is ineffective 15 IP Spoofing Defense

Distributed Packet Filtering (DPF) Routers throughout the network maintain the incoming direction of a packet through their interfaces Which interface receives an packet with a particular source address A router can detect a spoofing packet if it arrives on a different interface This limits the number of addresses attackers can use 16 IP Spoofing Defense

Source Address Validity Enforcement (SAVE) Filters packets based on their incoming direction Every router maintains and update its own incoming table SAVE assumes all router deploy SAVE Not feasible 17 IP Spoofing Defense

Hybrid Defenses Utilizes both routers and hosts solutions Routers mark packets as they travel Hosts can take actions 18 IP Spoofing Defense

19 Path identifier (Pi) was originally designed to defend against DoS attacks It also provides an IP spoofing defense Pi uses IP fragmentation field to identify the path a packet traveled The fragmentation field is marked along the path Each router along the path sets a bit of the fragmentation field When a packet reaches its destination the fragmentation field contains a marking that is almost unique The end-host does not know the path a packet has traveled, but if multiple packets have the same marking bits set, then it is highly likely that they have traveled the same path Packets with the same source address, but different marking can be filtered Path identifier IP Spoofing Defense

20 Thank you If you have any questions please at IP Spoofing Defense

21 References On the state of IP spoofing defense. ACM Transactions on Internet Technology (TOIT), 9(2):6:1–6:??, May Network security class IP Spoofing Defense