Presentation is loading. Please wait.

Presentation is loading. Please wait.

Filtering Spoofed Packets

Published byAbigayle Owen Modified over 6 years ago

Similar presentations

Presentation on theme: "Filtering Spoofed Packets"— Presentation transcript:

1 Filtering Spoofed Packets
Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out

2 A typical connection from an ISP to a customer
ISP border router Customer border router Customer Network

3 The Problem Attackers gain control of thousands of millions of hosts
Worm or virus infection Bot nets Hosts send forged packets IP source = forgery (random or victim) IP destination = victim Forged packets go to victims DNS request, TCP SYN, etc. Responses go to random places or other victims DNS response, TCP ACK/RST, ICMP, etc.

4 Customer border router
Forged packets Victim 1 ISP border router Victim 2 Customer border router Customer Network PC with virus or attacker

5 “Denial of Service” (DoS) attacks
The attacker wants to cause some service to stop working for some victim Attacker controls many hosts Attacker instructs hosts to send forged packets to victim Victim gets lots of packets from many sources Distributed Denial of Service (DDoS) Difficult for victim to filter effectively when packets have forged source addresses

6 Ingress filtering ISPs can block the forged packets as they transit from the customer network to the ISP border router ISP knows what IP addresses the customer is allowed to use ISP can therefore block packets with source IP addresses outside the range that the customer is allowed to use This will prevent the attack

7 Why use Ingress Filtering
Save bandwidth from ISP to victims by not forwarding forged packets If you don't send forged packets, you won't be contacted by investigators If you send forged packets, you may eventually be blacklisted by other ISPs When your customers are the victms, you will wish that other ISPs had blocked the attack

8 Simple case: Single-homed customer
If the customer is single-homed, then the only addresses they are allowed to use are the addresses that the ISP routes to them ISP can easily configure the border router to block all other addresses Cisco feature: interface Serial1/2 ip verify unicast reverse-path

9 Complex case: Multi-homed customer
If the customer is multi-homed, then they may also use addresses from other ISPs e.g. Satellite downlink from ISP A, uplink to ISP B ISPs can still block the forged packets Need to have a list of valid addresses Use generic filtering features, such as cisco access lists Not just one trivial command, but still worth doing

10 Further Reading BCP 38 (RFC 2827) Team Cymru A few presentations
Team Cymru A few presentations 0602/pdf/greene.ppt 732/Tech/security/docs/urpf.pdf

Download ppt "Filtering Spoofed Packets"

Similar presentations

Source Validation 111. BCP 38 Ingress Packet Filtering Your customers should not be sending any IP packets out to the Internet with a source address other.

Source Validation 111. BCP 38 Ingress Packet Filtering Your customers should not be sending any IP packets out to the Internet with a source address other.
06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.
The subnet 192.168.32.16/28 has been selected to be further subnetted to support point-to-point serial links. What is the maximum number of serial links.

The subnet /28 has been selected to be further subnetted to support point-to-point serial links. What is the maximum number of serial links.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider.

The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider.
Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.

Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.

Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &

1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.

Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.

1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.
– Chapter 4 – Secure Routing

– Chapter 4 – Secure Routing

Similar presentations

Ads by Google