Brief Announcement: Spoofing Prevention Method Anat Bremler-Barr Hanoch Levy computer science computer science Interdisciplinary Center Herzliya Tel-Aviv University
Spoofing Used by hackers to mount denial of service attacks. Denial of service attacks – consume the resources of victim’s network/servers Spoofing- forging the source IP of packets. –Easy to create (4000 attacks per week [MVS01]) –Harder to filter –Harder to trace back
ISP B Spoofing Net B’ Attacker ISP A ISP C Net A’Victim Internet Net A’ victim Src dst
Prevention methods Today: “Good Net-Citizen“ Ingress/Egress filtering –Implementation uRPF,ACL –Administrative overhead –Poor incentive – “good-will” and not self-defensive methods ISP B Net B’ Filter out packets with src not in Net B’ ISP C Internet ISP A
Self-defense methods TCP intercept – router as a proxy completing the tcp handshake on behalf of the server. –Performance penalty, only TCP. Research: –TTL [PBRD01,JWS03] Filter out 90% of spoof traffic Route instability –Route path identifier [YPS03] Route instability Lack of motivation.
Spoofing Prevention Method (SPM) Self defense method Incentive to implement –Visibility of SPM members Stepwise deployment Light mechanism
SPM architecture Entities: AS Key: –Function of source AS and destination AS –Added to each packet by the source AS routers. Routers: –Mark at the original AS the outgoing traffic with key. –Verify at the destination AS the authenticity of the key on the incoming packets Key distribution: two options: – By protocol –Learned passively
ISP B SPM Architecture ISP A ISP C Net B’ Net A’ Victim Net A’ victim B C src dst key Attacker Filtering spoof traffic Key does not match the src
Benefits of SPM Server Traffic: Server of SPM member domain can filter at attack time: – Spoofed traffic from other SPM ASs – Spoofed traffic that spoofs to SPM AS address space Client Traffic: Client of SPM member domain receives preferential treatment at SPM domain servers Visibility
Key Lightweight function - not crypto: Random constant 32 bit Guessing the key with low probability: reduce the volume of attack by Function of the source and destination AS –Acquiring the key is hard Key remove by routers, Change periodically –Sniffing is not a likely threat Place as an additional IP option
Key distribution The key information requires two small tables: –AS-out table - marking –AS-in table - verification Size of each table: 120KB each – future 480KB – AS coded by 2bytes (current 16,000, max ) – Key 4 bytes
Key distribution Key information: –AS-out: synchronization inside the AS –AS-in: needs to be learned from various ASes – a key from each AS. Key distribution: –Protocol: AS server (IRV[GAGIM03], route reflector). –Passively: Learn key passively from the regular non spoof traffic traffic that comletes the TCP handshake.
Router job Marking – one lookup per destination (combine with IP lookup) Place only on traffic destined to other SPM members. Verification – one lookup per source. Categorize traffic: Spoofed, non-spoofed, other (no key) Verification modes: Conservative verification : peace time (drop spoofed) Aggressive verification: attack time (drop spoofed + other). Implement in Edge Routers: Combine SPM with ingress/egress filtering
Motivation: Implementation benefit ( Symmetric Model ) Relative Benefit = reduction in attack traffic rate = cannot spoof from AS that is member (K/N)
Motivation:Implementation benefit ( Symmetric Model) Relative benefit SPM = Cannot spoof from SPM AS +Cannot spoof to SPM address (2K/N-(K/N)^2)
Motivation:Implementation benefit (As ymmetric Model) Traffic is proportional to the domain size Domain size ~ address space allocation ~ zipf distribution (top 10 ISP – 27.8% of the address space [Fixedorbit]).
Conclusions Ingress/Egress filtering – today’s technological solution is economically ineffective SPM – economically attractive: –AS that joins – gains significant relative benefits (server traffic/client traffic) –Stepwise deployment –Visibility –Simple Questions ? Thank you !