Presentation is loading. Please wait.

Presentation is loading. Please wait.

Outline The spoofing problem Approaches to handle spoofing

Published byMolly Newton Modified over 5 years ago

Similar presentations

Presentation on theme: "Outline The spoofing problem Approaches to handle spoofing"— Presentation transcript:

1 Handling IP Spoofing Advanced Network Security Peter Reiher August, 2014

2 Outline The spoofing problem Approaches to handle spoofing
Spoofing, backscatter and DDoS detection

3 The Problem Existing Internet protocols and infrastructure allow forgery of some IP packet header fields In particular, the source address field can often be forged

4 Why Is That a Problem? Can’t trust where packets came from
If packet causes trouble, can’t determine its true source Particularly important for distributed denial of service attacks A requirement for reflector attacks But relevant for other situations

5 Limitations of the Problem
If attacker forges source address in packet, probably won’t see the response So spoofing only useful when attacker doesn’t care about response Usually denial of service attacks Many TCP attacks don’t work with spoofing This point is not universally true

6 Types of Spoofing General spoofing
Attacker chooses a random IP address for source address Subnet spoofing Attacker chooses an address from the subnet his real machine is on With suitable sniffing, can see responses Harder for some types of filtering

7 Combating Spoofing Basic approaches: Authenticate address
Prevent delivery of packets with spoofed addresses Trace packets with spoofed addresses to their true source

8 Address Authentication
Would require cryptography at the packet level Can be done with IPSec Incurs cryptographic costs Could we afford to do this for all packets? Requires key infrastructure for all IP addresses E.g., a PK pair for each address Or PK pair for each subnet and an authority to do the signing Simple IPSec approach requires all senders to cooperate

9 Preventing Delivery of Spoofed Packets
Somehow recognize that address is spoofed Usually based on information about network topology and addresses Methods could be simple or complex Different methods require different deployment strategies

10 General Spoofing Detection Approaches
Detect in the core Detect at the sending end I A B J C H Detect at the receiving end D G F E

11 Examples of These Approaches
Source end: Ingress filtering Destination end: Egress filtering Hop count filtering Core deployment: SAVE

12 My network shouldn’t be creating packets with this source address
Ingress Filtering My network shouldn’t be creating packets with this source address * So drop the packet

13 The Problem With Ingress Filtering
It protects other people from spoofing It doesn’t protect you from spoofing A slightly different version offers slight protection But it doesn’t offer anyone else protection People don’t deploy defenses that only help others Some question on how widely ingress filtering is deployed Also, ingress filtering can’t stop all spoofing You can still spoof other addresses on your subnet

14 Deployment of Ingress Filtering
Becoming more common All modern routers include it as an option Spoofer Project estimates that 60-80% of the Internet is unspoofable I am unconvinced by their methodology But probably is a significant fraction

15 Packets with this source address should be going out, not coming in
Egress Filtering Packets with this source address should be going out, not coming in * So drop the packet

16 The Problem With Egress Filtering
Good deployment incentive, since it protects deploying network Works great For what it does But it doesn’t do much It can only catch a small fraction of all spoofed addresses No easy way to extend its range

17 Hop Count Filtering A destination end approach
Destinations keep track of the hop count in IP packets Per source address They later compare hop counts of new packets to stored ones If no match, assume spoofing

18 Problems With Hop Count Filtering
Assumes spoofer can’t guess correct hop count Assumes correct hop count doesn’t change much Assumes we do our learning when no spoofing is happening

19 SAVE A core deployment strategy
Ensure that routers know proper incoming interface for particular source addresses Check each packet at its incoming interface Drop or flag packets on the wrong interface Key problem: How to build these tables? “Reversing routing tables” doesn’t work

20 The SAVE Protocol Create the tables by having routers send each other “reverse routing” messages “I send you packets with these source addresses” Receiving router observes interface these updates arrived on Uses update and interface info to build the tables

21 SAVE at Work Packets coming in on wrong interface can be dropped C RE
4 B D 5 E 6 C 4 5 RE 1 2 10 RC 6 E A B A RA 3 RD FORWARDING INTERFACE 11 ADDRESS C 7 8 D B B RB 9 D 2 A 7 C 8 D 9 E A 8 C D 9 E E 2 INCOMING TABLE B FORWARDING TABLE Packets coming in on wrong interface can be dropped

22 Did SAVE Work? Yes, but . . . Only in full deployment
All routers had to run SAVE Otherwise, not all routing updates would be reflected by SAVE updates Not a realistic requirement

23 Tracing Spoofed Packets
Don’t prevent spoofing But figure out who sent the spoofed packets Hard to do after the fact Internet doesn’t keep records of packets sent through routers Only feasible for ongoing streams of spoofed packets

24 Traceback An approach to trace the source of streams of spoofed packets Assumes bad nodes are sending long lasting streams of spoofed packets Not necessarily with the same spoofed addresses But to the same destinations Designed for DDoS

25 Problems With Traceback Approaches
Require long lasting stream of spoofed packets Requires cooperation of core routers In contiguous deployment Even if it works, what then? Doesn’t stop the spoofing itself

26 Spoofing and Backscatter
Many DDoS attacks use IP spoofing So packets with spoofed addresses get delivered to the victim Who tries to respond to them What happens to the responses?

27 The Result of Delivering a Spoofed Packet
A response to the spoofed packet gets delivered Not to the true sender But to the owner of the spoofed address

28 What Does the Recipient Do With This Reply?
In most cases, nothing He didn’t ask for it, so he’ll probably discard it But what if he’s a node whose job it is to watch for bad network stuff? He just got a signal of bad network stuff I.e., spoofing

29 Detecting DDoS With Backscatter
A big DDoS attack sends lots of spoofed packets Typically with randomly chosen addresses If a set of machines watches for unsolicited responses, It can deduce stuff about DDoS attacks

30 What Can Backscatter Tell Us?
That an attack is ongoing Who is being attacked How big the attack is How long it lasts Requires some sophisticated analysis But people have done it successfully

31 Conclusion IP spoofing allows many harmful attacks to take place
It’s an unavoidable outcome of the design of IP Existing solutions are only somewhat effective Spoofing still widely used

Download ppt "Outline The spoofing problem Approaches to handle spoofing"

Similar presentations

Security Issues In Mobile IP

Security Issues In Mobile IP
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
SAVE: Source Address Validity Enforcement Protocol Jun Li, Jelena Mirković, Mengqiu Wang, Peter Reiher and Lixia Zhang UCLA Computer Science Dept 10/04/2001.

SAVE: Source Address Validity Enforcement Protocol Jun Li, Jelena Mirković, Mengqiu Wang, Peter Reiher and Lixia Zhang UCLA Computer Science Dept 10/04/2001.
1 Securing Information Transmission by Redundancy Jun LiPeter ReiherGerald Popek Computer Science Department UCLA NISS Conference October 21, 1999.

1 Securing Information Transmission by Redundancy Jun LiPeter ReiherGerald Popek Computer Science Department UCLA NISS Conference October 21, 1999.
1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.

1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.
Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.

Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 9 Internet Control Message.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 9 Internet Control Message.
1 Internet Protocol: Forwarding IP Datagrams Chapter 7.

1 Internet Protocol: Forwarding IP Datagrams Chapter 7.
Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.

Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.

Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
March 7, 2005MOBIKE WG, IETF 621 Mobility Protocol Options for IKEv2 (MOPO-IKE) Pasi Eronen.

March 7, 2005MOBIKE WG, IETF 621 Mobility Protocol Options for IKEv2 (MOPO-IKE) Pasi Eronen.
Lecture 8 Page 1 Advanced Network Security Review of Networking Basics: Internet Architecture, Routing, and Naming Advanced Network Security Peter Reiher.

Lecture 8 Page 1 Advanced Network Security Review of Networking Basics: Internet Architecture, Routing, and Naming Advanced Network Security Peter Reiher.
Network security Further protocols and issues. Protocols: recap There are a few main protocols that govern the internet: – Internet Protocol: IP – Transmission.

Network security Further protocols and issues. Protocols: recap There are a few main protocols that govern the internet: – Internet Protocol: IP – Transmission.
Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.

Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.
Lecture 27 Page 1 Advanced Network Security Routing Security Advanced Network Security Peter Reiher August, 2014.

Lecture 27 Page 1 Advanced Network Security Routing Security Advanced Network Security Peter Reiher August, 2014.

Similar presentations

Ads by Google