Clouseau: A practical IP spoofing defense through route-based filtering
Jelena Mirkovic, University of Delaware; Nikola Jevtic, Google Inc.; Peter Reiher, UCLA

Outline
- What is IP spoofing? Why should we care?
- Route-based filtering (RBF)
  – Filter packets that arrive on an unexpected path
  – 97% effective if deployed at a few core ASes
  – Tables must be complete!
- Clouseau protocol
  – Builds tables for RBF and keeps them current in the face of route changes
  – Sets up spoofed-packet filters
  – Fast and accurate decisions, small impact on traffic

What is IP spoofing?
Faking the IP address in the source field of the IP header.
[Figure: Andy sends a packet to Danny carrying Lea's address as the source.]
(Section: IP spoofing → RBF → Clouseau)

IP spoofing uses
- Hide the attacker's identity
- Invoke replies to the spoofed address
  – Reflector DDoS attacks
- Create decoy packets that hide the attacker's vulnerability scanning
- Assume a good host's identity to gain priority service or status

If IP spoofing were reduced
- Attacks would be easier to detect and attribute
- We could build IP address profiles to track user behavior
  – Reward good users, punish bad ones
- Reflector attacks would be reduced

Route-based filtering (RBF) [RBF]
- Build incoming tables that store the incoming interface for a given source IP.
- Filter packets that arrive on the wrong interface.
- Tables must be updated upon a route change.
- Lea's path could overlap with Andy's, so some spoofing will go undetected.
[Figure: Andy, Lea and Danny as on the previous slide.]
[RBF] K. Park, H. Lee, "On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets," SIGCOMM 2001

[Figure: the filter's incoming table, with columns From and Interface (interfaces 1 and 2), and Andy's spoofed packet to Danny.]

RBF effectiveness
If RBF is deployed on the vertex cover of the AS map [RBF]:
- Deployment percentage: 18.9%
- Percentage of (s,d) pairs that cannot carry spoofed traffic: 96%
- ASes that cannot spoof: 88%
Downside: 18.9% of ASes is more than 4000!

Open questions
- How well does RBF work under sparse deployment?
- What if incoming tables are incomplete?
- How do we build incoming tables?

Effectiveness measures
We observe packets sent from s to d that spoof the address p.
- Target measure (fixed d): how many (s,p) combinations can reach this victim
- Stolen address measure (fixed p): how many (s,d) combinations can spoof this address
- Spoofability: how many (s,d,p) combinations are possible

Target measure, May '05 [figure]

Stolen address measure, May '05 [figure]

Spoofability over years [figure]

Effectiveness summary
- The first 20 filters have a considerable impact!
- 50 filters drastically reduce spoofing
- Filters receive an instant benefit from RBF
  – They reduce their own target measure
  – The stolen address measure is only reduced once enough filters are deployed

Filter membership [figure]
- Persist over 5 years: 17
- Persist over 3 years: 14

Long-term members [figure]

How to build incoming tables
- Incoming interface = outgoing interface
  – Asymmetric routing defeats this
- Participating source networks send reports along the paths to the destinations they talk to [SAVE]
  – Infer the incoming interface from the route the report takes or from the report's contents; partial tables!
- Infer incoming interface information from BGP updates [IDPF]
  – This allows multiple expected interfaces
- Infer incoming interface information from traffic (Clouseau)

Clouseau
- Packets at an unexpected interface trigger the inference process
- Out of the first N packets:
  – Drop a random V of them, storing each one's unique ID in DropQueue
  – Forward the other N−V, storing each one's unique ID in FwQueue
- When a packet is repeated:
  – If its ID is in DropQueue, gain 1 valid point
  – If its ID is in FwQueue, gain 1 spoof point
- Decide when the valid score reaches V (route change) or the spoof score reaches S (spoofing)
- Inference is banned for a time afterwards

Clouseau in action
Packets from one source start arriving on an unexpected interface; the filter drops packet 1 and forwards packets 2, 3, ... (valid = 0, spoof = 0).
- Packet 1 arrives: drop it and put its ID in DropQueue.
- Packet 2 arrives: forward it and put its ID in FwQueue.
- Packet 3 arrives: forward it and put its ID in FwQueue.
- A dropped packet is repeated: repeating a dropped packet increases the valid score (valid = 1, spoof = 0).
- A forwarded packet is repeated: repeating a forwarded packet increases the spoof score (valid = 1, spoof = 1).
- The dropped packet is repeated again: repeating a dropped packet more than once does not change the scores (valid = 1, spoof = 1).
- The forwarded packet is repeated again: repeating a forwarded packet more than once increases the spoof score again (valid = 1, spoof = 2).

Design decisions
- DropQueue size = V, FwQueue size = k*S
- Why a forwarded queue?
  – To stop a packet-repeating attacker
- Should S > 0?
  – Congestion, and sources that don't use selective ACKs, make legitimate senders retransmit packets we already forwarded, so a single spoof point cannot be decisive
- Why an inference ban?
  – Inference lets packets through; our goal is to filter

Performance measures
- Impact on legitimate traffic
  – Connection delay due to drops and policing
- Inference delay
  – How long until we discover a route change or an attack

Test setting
- Clouseau implemented in the Linux kernel, tested in Emulab
- Start 10 parallel TCP connections, change the route in the middle

Traffic delay vs. queue size [figure], p_d = V/N = 0.1

Inference time vs. queue size [figure], p_d = V/N = 0.1

Traffic delay vs. p_d [figure], N = 100

Inference time vs. p_d [figure], N = 100

Attacks
- Random spoofing
  – Detected on timeout
- Repeat each packet n times
  – Best choice: n = 2
  – First packet dropped: the attacker gains 1 valid point
  – First packet forwarded: the attacker suffers 1 spoof point
  – n > 2 brings larger damage but no larger gain
- Send N packets, then repeat a permutation of them
  – The attacker knows the values of V, S, k
  – Goal is to trick Clouseau into changing the incoming interface
  – N large enough to guarantee that the queues fill

Permutation attack
- Good permutations for the attacker:
  – Have V packets from DropQueue before S packets from FwQueue
- Probability that the attacker manages to cheat us [formula on slide]
- The probability of cheating decreases exponentially with longer queues
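The inference rules from the Clouseau slide and the permutation attack above, as an added simulation; this is example code written for this page, not the authors' Linux kernel implementation. It assumes things the slides do not state: packet IDs are opaque integers the caller derives from immutable header fields (e.g. addresses, ports and sequence number), a source seen for the first time learns its interface, FwQueue is a FIFO of the most recent k*S forwarded IDs, and the timeout and post-decision ban are seconds on a caller-supplied clock. The closed-form success probability in `permutation_attack` is derived here from the stated rule (V DropQueue hits before S FwQueue hits), not taken from the slide.

```python
"""Simulation of the Clouseau inference rules on the slides (added example, not the
authors' kernel code). Assumed: opaque integer packet IDs derived by the caller from
immutable header fields; FwQueue keeps the last k*S forwarded IDs; times in seconds."""
import random
from collections import deque
from math import comb


class ClouseauFilter:
    def __init__(self, n, v, s, k, timeout=30.0, ban=300.0, rng=None, drops=None):
        self.n, self.v, self.s, self.k, self.timeout, self.ban = n, v, s, k, timeout, ban
        self.rng = rng or random.Random(0)
        self.fixed_drops = drops  # fixed drop slots, for deterministic demos only
        self.table = {}           # source prefix -> expected incoming interface
        self.inference = {}       # source prefix -> inference state
        self.banned = {}          # source prefix -> time until which inference is banned

    def _start(self, src, iface, now):
        drops = self.fixed_drops or self.rng.sample(range(self.n), self.v)
        self.inference[src] = {
            "iface": iface, "start": now, "new": 0, "drops": set(drops),
            "dropq": deque(maxlen=self.v),         # IDs of the V dropped packets
            "fwq": deque(maxlen=self.k * self.s),  # IDs of recent forwarded packets
            "credited": set(), "valid": 0, "spoof": 0}

    def handle(self, src, iface, pkt_id, now=0.0):
        """Return (action, decision): 'forward'/'drop', None/'route-change'/'spoof'."""
        if iface == self.table.setdefault(src, iface):  # first sighting learns (assumption)
            return "forward", None                # expected interface: nothing to do
        if self.banned.get(src, -1.0) > now:      # filter is set, inference banned
            return "drop", None
        if src not in self.inference:
            self._start(src, iface, now)
        st = self.inference[src]
        if pkt_id in st["dropq"]:                 # repeat of a dropped packet:
            if pkt_id not in st["credited"]:      # one valid point per packet
                st["credited"].add(pkt_id)
                st["valid"] += 1
            action = "forward"
        elif pkt_id in st["fwq"]:                 # repeat of a forwarded packet:
            st["spoof"] += 1                      # a spoof point on every repeat
            action = "forward"
        elif st["new"] < self.n:                  # one of the first N new packets
            action = "drop" if st["new"] in st["drops"] else "forward"
            (st["dropq"] if action == "drop" else st["fwq"]).append(pkt_id)
            st["new"] += 1
        else:
            action = "forward"                    # later new packets pass through
        return action, self._decide(src, st, now)

    def _decide(self, src, st, now):
        if st["valid"] >= self.v:                 # the route really changed
            self.table[src] = st["iface"]
            decision = "route-change"
        elif st["spoof"] >= self.s:               # a packet-repeating spoofer
            decision = "spoof"
        else:
            return None
        del self.inference[src]
        self.banned[src] = now + self.ban         # no new inference for a while
        return decision

    def expire(self, now):
        """Timer sweep: no decision by the timeout means spoofing (random spoofers never repeat)."""
        timed_out = [s for s, st in self.inference.items() if now - st["start"] >= self.timeout]
        for src in timed_out:
            del self.inference[src]
            self.banned[src] = now + self.ban
        return timed_out


def walkthrough():
    """The slides' sequence: 1 and 4 dropped, 2 and 3 forwarded, then 1, 2, 1, 2 resent."""
    f = ClouseauFilter(n=4, v=2, s=3, k=1, drops={0, 3})
    f.table["Lea-net"] = 1                        # Lea's prefix is expected on interface 1
    trace = []
    for pkt in [1, 2, 3, 4, 1, 2, 1, 2]:
        action, _ = f.handle("Lea-net", 2, pkt)   # every packet arrives on interface 2
        st = f.inference["Lea-net"]
        trace.append((pkt, action, st["valid"], st["spoof"]))
    return trace                                  # ends at valid = 1, spoof = 2


def permutation_attack(n, v, s, k, trials=2000, seed=1):
    """Attacker sends N new packets, then replays them in random order, hoping for V
    valid points before S spoof points. Only the V dropped IDs and the F = min(N-V, k*S)
    IDs still in FwQueue score, so it wins iff all V drop IDs precede the S-th FwQueue
    ID in the replay: C(V+S-1, V) / C(V+F, V). Returns (simulated rate, exact value)."""
    rng, wins = random.Random(seed), 0
    for _ in range(trials):
        f = ClouseauFilter(n, v, s, k, rng=rng)
        f.table["victim-net"] = 1
        ids = list(range(n))
        for i in ids:
            f.handle("victim-net", 2, i)
        rng.shuffle(ids)
        for i in ids:
            decision = f.handle("victim-net", 2, i)[1]
            if decision:
                wins += decision == "route-change"
                break
    f_size = min(n - v, k * s)
    return wins / trials, comb(v + s - 1, v) / comb(v + f_size, v)
```

`walkthrough()` reproduces the score trace of the "Clouseau in action" slides, and `permutation_attack(10, 3, 3, 2)` shows the simulated success rate agreeing with the closed form (about 0.12 for V = S = 3, k = 2) and falling to about 0.025 when the queues double, which is the exponential decrease the slide reports.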

P_spoof vs. queue size and p_d [figure]

Cascaded filters
- Filters downstream will drop packets forwarded by filters upstream
  – This could lead to route changes being wrongly inferred as spoofing, and legitimate traffic dropped!
- We must break filter synchronization
  – Choose a random delay before starting inference: synchronization is still possible
  – Random initial delay, then mark forwarded packets in the TOS or ID field with a well-known mark
  – Filters that spot marked packets delay or interrupt inference and wait for T seconds
  – The maximum wait is set to several minutes; after that, start inference even if the mark is seen

Remaining design issues
- Spoofing attacks could still get through if they change the spoofed address frequently
  – We only care if this is part of a DDoS
  – Examine offending packets; if many of them share a destination, detect DDoS and drop all offending traffic to that destination
- Operating cost
  – Memory cost could be large if all entries go into inference
  – There are ~35K incoming table entries when aggregated
  – We plan to investigate the use of Bloom filters to bring down the memory cost

Conclusions
- RBF can drastically reduce spoofing if deployed at the largest ASes (60% are top members for at least 3 years)
- Clouseau builds accurate incoming tables
- It quickly detects route changes and spoofing
  – Small impact on legitimate connections
- Robust to attacks

Questions?

Vertex Cover
Choose the minimal number of nodes so that every link has at least one endpoint in the vertex cover. NP-complete problem.

Vertex Cover
Heuristic: first choose the nodes with leaf neighbors, then choose enough nodes to cover the remaining links.
