Spoofing Prevention Method Srikanth T.S.S. Sri Lakshmi Ramya S.


Spoofing
• An attempt to gain access to a system by posing as an authorized user
• The attacker forges the source IP address of its packets (spoofing the source IP)
• The "spoofed" address is an arbitrary IP address, chosen randomly or deliberately
• A major tool used by attackers to mount DoS attacks

Characteristics of spoofed attacks
• The true source is hidden, which weakens the victim's ability to mitigate the attack (for example by filtering on source address)
• Makes attribution, and therefore law enforcement, harder

Existing mechanisms
• Ingress / egress filtering
• Traceback
• Mechanisms that try to handle the packet at the destination (e.g. TCP Intercept)

Existing mechanisms - Ingress and egress filtering
• Ingress: an ISP refuses packets received from a stub network it connects whose source address does not belong to that stub network's address space
• Egress: the router or firewall that is the gateway of a stub network drops any outgoing packet whose source address does not belong to the network's address space

Existing mechanisms - Ingress and egress filtering (contd.)
• Limitations
  - Allows spoofing within a stub network (any address inside the stub's own prefix passes the filter)
  - Not self-defensive: a network that filters protects other networks, not itself
  - Effective only when implemented by a large number of networks
  - Deployment is costly
  - The incentive for an ISP to deploy it is very low
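
The filtering rule above, and its blind spot, as an added example (not code from the original slides). The stub prefix, the victim address and the sample packets are constructed for the demonstration; packets are modelled as (true_origin, claimed_src, dst) so that the spoofs the filter cannot see are visible to the reader even though the filter itself only looks at claimed_src.

```python
"""Ingress/egress source-address filtering (BCP 38) and its blind spot.

Added example, not from the original slides.  The stub network, its prefix and
the sample packets are constructed.  A packet is (true_origin, claimed_src, dst):
a filter only ever sees claimed_src; true_origin is carried along so the code
can report which spoofed packets slipped through.
"""
import ipaddress

STUB_PREFIX = ipaddress.ip_network("203.0.113.0/24")   # constructed: the stub's address space


def bcp38_allows(claimed_src, prefix=STUB_PREFIX):
    """The single test applied to a packet leaving the stub, by the stub's own
    gateway (egress) and again by the ISP edge facing the stub (ingress):
    pass only if the source address lies inside the stub's own prefix."""
    return ipaddress.ip_address(claimed_src) in prefix


def filter_packets(packets, prefix=STUB_PREFIX):
    """Split outbound packets into (forwarded, dropped) using only the header's source."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if bcp38_allows(pkt[1], prefix) else dropped).append(pkt)
    return forwarded, dropped


def undetected_spoofs(packets, prefix=STUB_PREFIX):
    """Spoofed packets (claimed_src != true_origin) that the filter forwards anyway.
    These are exactly the in-prefix spoofs the slides call 'spoofing within a stub network'."""
    forwarded, _ = filter_packets(packets, prefix)
    return [p for p in forwarded if p[0] != p[1]]


# Constructed sample: three packets leaving the stub toward a victim at 198.51.100.10.
SAMPLE = [
    ("203.0.113.5",   "203.0.113.5", "198.51.100.10"),   # genuine
    ("203.0.113.5",   "192.0.2.77",  "198.51.100.10"),   # spoofed to a foreign network: dropped
    ("203.0.113.200", "203.0.113.5", "198.51.100.10"),   # spoofed to a neighbour in the stub: passes
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE)
    print("forwarded:", fwd)
    print("dropped:", drop)
    print("spoofs the filter cannot see:", undetected_spoofs(SAMPLE))
```

The third packet is the limitation in one line: a host can still impersonate any other address in the same /24, and nothing at the stub boundary can tell, because the test is purely "is this source ours".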

Existing mechanisms - Traceback
• Determines the path an attack flow traverses
• Two methods of traceback
  - Stamping packets with a router signature
  - Use of a special collector to analyze the path

Existing mechanisms - TCP Intercept
• The router checks that a real host is behind the source address by completing the TCP 3-way handshake on the server's behalf
• If the connection with the client is established, the address is considered not spoofed
• Drawbacks
  - Applicable only to TCP; cannot protect UDP or any other connectionless traffic
  - Imposes a serious performance penalty

Spoofing Prevention Method (SPM)
• A unique temporal key K(S,D) is associated with each ordered pair of source and destination networks (autonomous systems, ASes)
• Routers close to the destination verify the authenticity of the packet's source address
• Effective, and provides an incentive to the ISPs that implement SPM

Working of SPM
• A packet leaving source network S toward destination network D is tagged with the key K(S,D)
• The destination network, on receiving the packet, verifies it using the key and then removes the key
• Keys are changed periodically

SPM skeleton
• Key structure and its placement
• Key distribution protocol
• Key updates
• SPM routers

Key
• 16 or 32 bits
• Carried in the IP header alongside the source address (the Identification field is used); placing it in the IP options field is not efficient
• Verification is a simple memory lookup: one lookup per packet
• No cryptographic functions involved

IP Header

Key selection methodology (candidate granularities)
• One key per source address
• One key per source-destination address pair
• One key per source-destination network pair
• One key per source-destination AS pair

AS-out table and AS-in table
• AS-out table
  - Present in the sending (source edge) router
  - Maintains the keys used for marking outgoing flows
• AS-in table
  - Present in the destination (receiving edge) router
  - Maintains the keys used to verify incoming flows

Key distribution methods
• Passive key information distribution
  - Avoids the use of a dedicated key distribution protocol
  - Keys in the AS-in table are learned passively from the tags carried by packets known to come from non-spoofed addresses
  - Non-spoofed traffic can be identified when it is TCP traffic (a completed handshake shows that the source is genuine)

Key distribution methods
• Active distribution protocol
  - A central server per AS manages key selection and distribution
  - The AS server performs the following tasks:
    - Choosing the keys for the AS-out table
    - Distributing the AS-out table to the routers of its AS
    - Announcing the keys of its AS-out table to the other AS servers
    - Building the AS-in table from the other servers' announcements
    - Updating the AS-in table in the routers of its AS

Changing keys periodically
• Periodic key updates increase system security (the key travels in the clear, so rotation bounds how long a captured key stays usable)
• Method 1: each AS server periodically selects a new set of random keys and distributes it to the other AS servers
  - Keys are changed in different ASes at different times
  - During replacement a router holds two keys, old and new, and accepts either

Changing keys periodically
• Method 2: each AS server is associated with a pseudo-random number generator
  - The AS tables are filled at predefined times with the generated random numbers

SPM routers
• Two tasks
  - Tagging outgoing packets with the key
  - Packet authentication

SPM routers - Tagging
• Tagging is done at the edge routers
• Edge routers can distinguish packets that originated in their own AS from packets that originated outside it
• Requires a lookup on the destination address (to find K(S,D))
• Piggybacked on the normal IP forwarding lookup
• The cost of tagging is therefore minimal

SPM routers - Dynamic authentication process
• Requires an additional IP lookup (on the source address, to find the expected key), hence the cost is higher than that of tagging
• Packets are categorized as
  1. SPM-recognized spoofed traffic
  2. SPM-certified non-spoofed traffic
  3. All other traffic

SPM routers - Dynamic authentication process (contd.)
• Verification and discard modes
  - Peace time (conservative)
    - Only packets of category 1 (recognized spoofed) are discarded
    - Category 1 packets are discarded even when there is no attack
  - Attack time (aggressive)
    - Used when a DDoS attack is detected
    - Categories 1 and 3 are completely discarded; only SPM-certified traffic (category 2) is served
    - Gives a greater incentive to SPM-deployed traffic
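
The SPM data plane described on the preceding slides (AS-out/AS-in tables, tagging at the source edge, verification at the destination edge, the old-plus-new key overlap during rotation, and the conservative versus aggressive discard modes) as one added, runnable example. This is not code from the SPM paper or from these slides; AS numbers, keys and packets are constructed, the key is a 16-bit integer standing in for the value SPM places in the IP Identification field, and `src_as` stands for the AS that a real router would obtain by a prefix lookup on the packet's source address.

```python
"""SPM data plane in miniature: AS-out/AS-in tables, tagging, verification,
key rotation and the two discard modes.

Added example, not code from the SPM paper or these slides.  AS numbers, keys
and packets are constructed.  The key is a 16-bit integer standing in for the
value SPM carries in the IP Identification field; src_as is the AS the packet's
source address maps to (a real router gets it from a prefix lookup).
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

KEY_BITS = 16
SPOOFED, CERTIFIED, OTHER = 1, 2, 3          # the three SPM traffic categories


@dataclass
class Packet:
    src_as: int                 # AS the source address claims to belong to
    dst_as: int
    tag: Optional[int] = None   # K(S,D) carried in the IP ID field, if any


class SPMRouter:
    """Edge router of one AS."""

    def __init__(self, asn: int):
        self.asn = asn
        self.as_out: Dict[int, int] = {}        # dst AS -> K(self, dst), used for tagging
        self.as_in: Dict[int, Set[int]] = {}    # src AS -> accepted K(src, self); two keys during rotation

    # Key management (the AS server's job in SPM; done directly on the router here).
    def new_out_key(self, dst_as: int) -> int:
        """Pick a fresh random K(self, dst), guaranteed to differ from the current one."""
        k = secrets.randbits(KEY_BITS)
        while k == self.as_out.get(dst_as):
            k = secrets.randbits(KEY_BITS)
        self.as_out[dst_as] = k
        return k

    def learn_in_key(self, src_as: int, key: int) -> None:
        """Install K(src, self) as announced by src's AS server, keeping any old key as well."""
        self.as_in.setdefault(src_as, set()).add(key)

    def retire_in_key(self, src_as: int, key: int) -> None:
        """Drop the old key once src has finished switching to the new one."""
        self.as_in.get(src_as, set()).discard(key)

    # Data plane.
    def tag(self, pkt: Packet) -> Packet:
        """Source edge: one lookup on dst_as, piggybacked on the forwarding lookup."""
        if pkt.dst_as in self.as_out:
            pkt.tag = self.as_out[pkt.dst_as]
        return pkt

    def classify(self, pkt: Packet) -> int:
        """Destination edge: the extra lookup on src_as selects the expected key."""
        accepted = self.as_in.get(pkt.src_as)
        if accepted is None:
            return OTHER                        # source AS is not an SPM partner
        return CERTIFIED if pkt.tag in accepted else SPOOFED

    def accept(self, pkt: Packet, under_attack: bool) -> bool:
        """Peace time drops only category 1; attack time keeps only category 2.
        (A real router would also clear the ID field of an accepted packet.)"""
        cat = self.classify(pkt)
        if cat == SPOOFED:
            return False
        if cat == OTHER:
            return not under_attack
        return True


def demo():
    """Two SPM ASes (A, B) and one non-member; returns B's accept decisions."""
    a, b, non_member = SPMRouter(64500), SPMRouter(64501), 64502   # constructed private ASNs
    k_ab = a.new_out_key(b.asn)
    b.learn_in_key(a.asn, k_ab)

    legit = a.tag(Packet(a.asn, b.asn))                           # genuinely from A, tagged K(A,B)
    forged = Packet(a.asn, b.asn, tag=(k_ab + 1) & 0xFFFF)        # claims A, carries a wrong key
    foreign = Packet(non_member, b.asn)                           # from a non-SPM AS, untagged
    peace = [b.accept(p, under_attack=False) for p in (legit, forged, foreign)]
    war = [b.accept(p, under_attack=True) for p in (legit, forged, foreign)]

    # Key rotation: B installs A's new key while still accepting the old one.
    k_new = a.new_out_key(b.asn)
    b.learn_in_key(a.asn, k_new)
    in_flight = Packet(a.asn, b.asn, tag=k_ab)                    # tagged just before A switched
    during = (b.accept(in_flight, False), b.accept(a.tag(Packet(a.asn, b.asn)), False))
    b.retire_in_key(a.asn, k_ab)
    after = b.accept(Packet(a.asn, b.asn, tag=k_ab), False)       # old key is no longer usable
    return peace, war, during, after


if __name__ == "__main__":
    print(demo())   # ([True, False, True], [True, False, False], (True, True), False)
```

The forged packet is dropped in both modes because its claimed source AS is an SPM partner and the key does not match; the untagged packet from the non-member AS is what the two modes disagree about. Note that the verifier does nothing cryptographic: the whole check is a set membership test on a 16-bit value, which is why the slides lean on periodic rotation rather than on key secrecy.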

Analysis of benefits and incentives of SPM
• Evaluate the amount of damage caused to domain i by attacks
• The evaluation is conducted for three approaches:
  - No defense
  - Ingress/egress filtering
  - SPM

Analysis of benefits and incentives of SPM (contd.)
• Assume the Internet consists of N domains, indexed 1,2,...,N. Let INT = {1,2,...,N} denote this set.
• A rate is defined for attacks performed from domain i on domain j where the source address is spoofed to an address in domain k (the notation is not reproduced in this transcript)
• Total attack rate directed at domain i (formula not reproduced in this transcript)

Analysis of benefits and incentives of SPM (contd.)
• Three quantities are defined for domain i (their symbols are not reproduced in this transcript): the amount of damage inflicted on servers placed in domain i, the damage reduction, and the relative damage reduction

Damage (attack rate) under no defense
• The total damage to domain i is given by the overall attack rate at the domain (formula not reproduced in this transcript)

Damage reduction under ingress/egress filtering defense
• Assume a set of domains IE, a subset of {1,2,...,N}, conducts ingress/egress filtering
• The damage reduction of domain i is given by (formula not reproduced in this transcript)

Damage reduction under ingress/egress club defense
• Domains that implement ingress/egress filtering apply it only to traffic destined to domains in IE
• This benefits members of IE relative to non-members
• Damage reduction is given by (formula not reproduced in this transcript)

Damage reduction under SPM defense
• Assume SPM partners treat SPM-produced and authenticated packets at higher priority
• Damage reduction is expressed in two ways: SPM alone, and SPM combined with ingress/egress filtering (formulas not reproduced in this transcript)

Comparison to other methods
• Fully symmetric system (identical domain sizes)
• Assume each of the defense sets IE, IECLUB, SPM and SPMIE has size K
• Relative damage reduction under no defense, under ingress/egress filtering and under SPM (formulas not reproduced in this transcript)

Comparison of methods - Results
(plots: Ingress/Egress Filtering; SPM+Ingress/Egress)

Discussion of results
• Under ingress/egress filtering the relative benefit for a participant is identical to that of a non-participant
• Under the ingress/egress club there is some relative benefit to participants, but if the club is small there is little incentive
• Under SPM the benefit to participants is always considerably larger

Asymmetric system
• Domain sizes, and the traffic the domains generate, are not identical
• Assume the domain size follows a Zipf-like distribution
• Under the Zipf distribution the size of domain i, i = 1,2,...,N, is X_i = X/i for some constant X

Benefits of SPM plus ingress/egress under asymmetric traffic
• The benefit for participating domains grows very rapidly with the size of the SPM set
• This follows from the fact that a large fraction of attacks is directed at large domains

Client traffic
• When SPM has many members and the attacked server uses the conservative defense, SPM clients derive little advantage
• When SPM has few members and the aggressive defense is used, clients derive a large advantage
• The benefit to a domain's clients complements the benefit to its servers, hence a greater incentive to join SPM

Concluding remarks
• Ingress filtering is economically ineffective: poor incentive for any single network
• SPM is the most compatible with today's Internet
• SPM can be used by network routers to eliminate or reduce spoofing attacks
• Significantly greater incentive for a network deploying SPM
• Effective even if deployed by only a fraction of networks