
Clouseau: A practical IP spoofing defense through route-based filtering Jelena Mirkovic, University of Delaware Nikola Jevtic,


1 Clouseau: A practical IP spoofing defense through route-based filtering
Jelena Mirkovic, University of Delaware (sunshine@cis.udel.edu)
Nikola Jevtic, Google Inc.
Peter Reiher, UCLA

2 Outline
What is IP spoofing? Why should we care?
Route-based filtering (RBF)
  – Filter packets that come on an unexpected path
  – 97% effective if deployed at a few core ASes
  – Tables must be complete!
Clouseau protocol
  – Builds tables for RBF and keeps them current in the face of route changes
  – Sets up spoofed-packet filters
  – Fast and accurate decision, small impact on traffic

3 What is IP spoofing?
Faking the IP address in the source field of the IP header.
[Figure: hosts Andy (1.2.3.4), Lea (5.6.7.8) and Danny (9.10.11.12) connected through the network; a packet "From: 1.2.3.4, to: 9.10.11.12" carries Andy's address as its source.]
IP spoofing  RBF  Clouseau

4 IP spoofing uses
Hide the attacker's identity
Invoke replies to the spoofed address
  – Reflector DDoS attacks
Create decoy packets that hide the attacker's vulnerability scanning
Assume a good host's identity and gain priority service or status

5 If IP spoofing were reduced
Attacks would be easier to detect and attribute
We could build IP address profiles to track user behavior
  – Reward good users, punish bad ones
Reflector attacks would be reduced

6 Route-based filtering [RBF]
Build incoming tables that store the incoming interface for a given source IP.
Filter packets that arrive on the wrong interface.
Tables must be updated upon a route change.
Lea's path could overlap with Andy's, so some spoofing will go undetected.
[Figure: Andy (1.2.3.4), Lea (5.6.7.8) and Danny (9.10.11.12) connected through the network.]
[RBF] K. Park, H. Lee, "On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets," SIGCOMM 2001

7 [Figure: Danny's (9.10.11.12) filter with interfaces 1 and 2; a packet "From: 1.2.3.4, to: 9.10.11.12" sent by Lea (5.6.7.8) is checked against the incoming table below.]
From       Interface
5.6.7.8    1
1.2.3.4    2

8 RBF effectiveness
If RBF is deployed on the vertex cover of the AS map [RBF]:
  – Deployment percentage: 18.9%
  – Percentage of (s,d) pairs that cannot contain spoofed traffic: 96%
  – ASes that cannot spoof: 88%
Downside: 18.9% of ASes is more than 4000!

9 Open questions
How well does RBF work under sparse deployment?
What if incoming tables are incomplete?
How to build incoming tables?

10 Effectiveness measures
We observe packets sent from s to d, spoofing the address p
Target measure (fixed d):
  – How many (s,p) combinations are possible to this victim
Stolen address measure (fixed p):
  – How many (s,d) combinations are possible spoofing this address
Spoofability:
  – How many (s,d,p) combinations are possible

11 Target measure, May '05 [figure]

12 Stolen address measure, May '05 [figure]

13 Spoofability over years [figure]

14 Effectiveness summary
The first 20 filters have a considerable impact!
50 filters drastically reduce spoofing
Filters receive an instant benefit from RBF
  – They reduce their target measure
  – The stolen address measure is only reduced when we deploy enough filters

15 Filter membership
Persist over 5 years (17)
Persist over 3 years (14)
[figure]

16 Long-term members [figure]

17 How to build incoming tables
Incoming interface = outgoing interface
  – Asymmetric routing defeats this
Participating source networks send reports along paths to destinations they talk to [SAVE]
  – Infer the incoming interface from the route the report takes or from the report's info: partial tables!
Infer incoming interface info from BGP updates [IDPF]
  – This allows multiple expected interfaces
Infer incoming interface info from traffic

18 Clouseau
Packets at an unexpected interface trigger the inference process
Out of the first N packets:
  – Drop random V, store their unique IDs in DropQueue
  – Forward N-V, store their unique IDs in FwQueue
When a packet is repeated:
  – If in DropQueue, gain 1 valid point
  – If in FwQueue, gain 1 spoof point
Decision when valid score = V or spoof score = S
Inference is banned for a time afterwards

19–25 Clouseau in action (figure sequence; policy in this example: drop packet 1, forward packets 2, 3, ...)
19: Packet 1 arrives → Drop! DropQueue = {1}, FwQueue = {}. RC = 0, SP = 0
20: Packet 2 arrives → Forward! DropQueue = {1}, FwQueue = {2}. RC = 0, SP = 0
21: Packet 3 arrives → Forward! DropQueue = {1}, FwQueue = {2, 3}. Valid = 0, Spoof = 0
22: Packet 1 repeated: repeating dropped packets increases the valid score. Valid = 1, Spoof = 0
23: Packet 2 repeated: repeating forwarded packets increases the spoof score. Valid = 1, Spoof = 1
24: Packet 1 repeated again: repeating dropped packets more than once doesn't change the scores. Valid = 1, Spoof = 1
25: Packet 2 repeated again: repeating forwarded packets more than once increases the spoof score. Valid = 1, Spoof = 2

26 Design decisions
DropQueue size = V, FwQueue size = k*S
Why a forwarded queue?
  – To stop a packet-repeating attacker
Should S > 0?
  – Congestion; sources don't use selective ACKs
Why an inference ban?
  – Inference lets packets through; our goal is to filter
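The RBF check of slides 6-7 and the inference rules of slides 18-26, as an added Python model (this is not the authors' Linux kernel implementation). Queue sizes V and k*S, the valid/spoof scoring, the decision thresholds and the inference ban come from the slides; the packet identity field `uid`, counting the timeout and the ban in packets rather than seconds, forwarding a retransmission of a dropped packet while dropping a repeat of a forwarded one, and the decision labels are this example's assumptions. The three scenario functions replay the legitimate route change of slide 28, the random spoofer of slide 33 and the n = 2 packet-repeating attacker of slide 33 on constructed addresses.

```python
import random
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str      # source address in the IP header (may be spoofed)
    uid: int      # the slides' "unique ID"; assumed to survive a retransmission unchanged
    iface: int    # interface the packet arrived on


@dataclass
class Inference:          # state of one inference process for a (source, interface) pair
    drop_positions: set   # which of the first N new packets are dropped
    fw_queue: deque       # IDs of forwarded packets, holds the last k*S
    started: int          # tick at which inference began (for the timeout)
    drop_queue: set = field(default_factory=set)   # IDs of dropped packets (V of them)
    credited: set = field(default_factory=set)     # dropped IDs already scored once
    seen: int = 0         # new (non-repeated) packets seen so far
    valid: int = 0
    spoof: int = 0


class Clouseau:
    def __init__(self, table, N=10, V=2, S=2, k=2, timeout=30, ban=100, drop_positions=None, seed=0):
        self.table = dict(table)      # RBF incoming table: source -> expected interface
        self.N, self.V, self.S, self.k = N, V, S, k
        self.timeout, self.ban = timeout, ban     # counted in packets here (assumption)
        self.fixed_drops = drop_positions         # None: V random positions per inference
        self.rng = random.Random(seed)
        self.active, self.banned = {}, {}         # (src, iface) -> Inference; src -> ban end tick
        self.decisions, self.tick = [], 0         # (src, iface, reason, tick)

    def _finish(self, key, reason):
        del self.active[key]
        self.banned[key[0]] = self.tick + self.ban
        self.decisions.append((key[0], key[1], reason, self.tick))

    def process(self, pkt):
        """Return 'forward' or 'drop' for one packet."""
        self.tick += 1
        if self.table.get(pkt.src) == pkt.iface:
            return "forward"          # plain RBF: packet came on the expected interface
        if self.banned.get(pkt.src, 0) > self.tick:
            return "drop"             # a decision was made recently: filter, no inference
        key = (pkt.src, pkt.iface)
        inf = self.active.get(key)
        if inf is None:               # unexpected interface: start an inference process
            drops = self.fixed_drops if self.fixed_drops is not None else self.rng.sample(range(self.N), self.V)
            inf = Inference(set(drops), deque(maxlen=self.k * self.S), self.tick)
            self.active[key] = inf
        if pkt.uid in inf.drop_queue:             # repeat of a dropped packet
            if pkt.uid not in inf.credited:       # repeating it again changes nothing
                inf.credited.add(pkt.uid)
                inf.valid += 1
            verdict = "forward"                   # assumed: let the retransmission through
        elif pkt.uid in inf.fw_queue:             # repeat of a forwarded packet
            inf.spoof += 1                        # every repeat costs a spoof point
            verdict = "drop"                      # assumed: duplicate of a delivered packet
        else:                                     # a new packet
            if inf.seen < self.N and inf.seen in inf.drop_positions:
                inf.drop_queue.add(pkt.uid)
                verdict = "drop"
            else:
                inf.fw_queue.append(pkt.uid)      # the deque keeps only the last k*S IDs
                verdict = "forward"
            inf.seen += 1
        if inf.valid >= self.V:                   # V retransmissions: a real route change
            self.table[pkt.src] = pkt.iface
            self._finish(key, "route change")
        elif inf.spoof >= self.S:
            self._finish(key, "spoofing")
        elif self.tick - inf.started > self.timeout:   # random spoofing never repeats
            self._finish(key, "spoofing (timeout)")
        return verdict


SRC = "1.2.3.4"          # constructed address and interfaces, as on slides 3-7


def legitimate_route_change():
    """Andy's traffic moves from interface 1 to 2; like TCP, he retransmits what was dropped."""
    f = Clouseau({SRC: 1}, drop_positions={0, 5})
    verdicts = [f.process(Packet(SRC, uid, 2)) for uid in range(10)]
    dropped = [uid for uid, v in enumerate(verdicts) if v == "drop"]
    retrans = [f.process(Packet(SRC, uid, 2)) for uid in dropped]
    return f.table[SRC], dropped, retrans, f.process(Packet(SRC, 99, 2)), f.decisions


def random_spoofing():
    """A spoofer on interface 3 sends 40 distinct packets and never repeats any."""
    f = Clouseau({SRC: 1}, drop_positions={0, 5})
    verdicts = [f.process(Packet(SRC, uid, 3)) for uid in range(40)]
    return f.table[SRC], verdicts, f.decisions


def repeat_attacker(n=2):
    """The slide-33 attacker on interface 3 sends each packet n times in a row."""
    f = Clouseau({SRC: 1}, drop_positions={0, 5})
    for uid in range(10):
        for _ in range(n):
            f.process(Packet(SRC, uid, 3))
    return f.table[SRC], f.decisions
```

With V = S = 2 the route change is confirmed after the two retransmissions, the random spoofer is caught by the timeout and every later packet on the wrong interface is filtered, and the n = 2 attacker illustrates why the forwarded queue exists (slide 26): each repeat of a forwarded packet costs a spoof point, so the attacker collects S spoof points before V valid points unless the filter's random drops happen to hit its very first packets.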

27 Performance measures
Impact on legitimate traffic
  – Connection delay due to drops and policing
Inference delay
  – How long until we discover a route change or attack

28 Test setting
Clouseau implemented in the Linux kernel, tested in Emulab
Start 10 parallel TCP connections, change the route in the middle

29 Traffic delay vs. queue size (p_d = V/N = 0.1) [figure]

30 Inference time vs. queue size (p_d = V/N = 0.1) [figure]

31 Traffic delay vs. p_d (N = 100) [figure]

32 Inference time vs. p_d (N = 100) [figure]

33 Attacks
Random spoofing
  – Detected on timeout
Repeat each packet n times
  – Best choice: n = 2
  – First packet dropped → gain 1 valid point
  – First packet forwarded → damage is 1 spoof point
  – Larger damage but not larger gain for n > 2
Send N packets, then repeat a permutation
  – Attacker knows the values of V, S, k
  – Goal is to trick Clouseau into changing the incoming interface
  – Send N packets, then choose a permutation of them
  – N large enough to guarantee that the queues fill

34 Permutation attack
Good permutations for the attacker:
  – Have V packets from DropQueue before S packets from FwQueue
Probability that the attacker manages to cheat us: [formula on slide]
Probability of cheating decreases exponentially with longer queues
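The chance that the permutation attack of slides 33-34 succeeds, computed under an assumed model rather than from the formula on the slide: the attacker cannot see which of its N packets the filter dropped, so the order in which the V DropQueue IDs and the k*S FwQueue IDs come back is a uniformly random permutation, both queues are full, and replayed IDs that sit in neither queue change no score. This is an added example, not the authors' analysis; `p_cheat` is the exact hypergeometric count, `simulate_cheat` checks it against the slide-18 scoring by Monte Carlo, and `cheat_by_queue_size` shows the decay with longer queues.

```python
from math import comb
import random


def p_cheat(V, S, k):
    """Exact P(attacker wins): in the random relative order of the V DropQueue IDs
    and the F = k*S FwQueue IDs, all V drop IDs precede the S-th forwarded ID.
    Equivalently, the first V+S-1 queued IDs replayed hold all V drop IDs:
    choose the S-1 forwarded IDs that fill the rest of that window."""
    F = k * S
    return comb(F, S - 1) / comb(V + F, V + S - 1)


def simulate_cheat(V, S, k, trials=20000, seed=1):
    """Monte Carlo check using the scoring of slide 18: replay a random
    permutation of the queued IDs and see whether the valid score reaches V
    before the spoof score reaches S."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        ids = ["D"] * V + ["F"] * (k * S)     # D: in DropQueue, F: in FwQueue
        rng.shuffle(ids)
        valid = spoof = 0
        for kind in ids:
            if kind == "D":
                valid += 1                    # repeat of a dropped packet: valid point
            else:
                spoof += 1                    # repeat of a forwarded packet: spoof point
            if valid == V:                    # Clouseau would switch the interface
                wins += 1
                break
            if spoof == S:                    # Clouseau would declare spoofing
                break
    return wins / trials


def cheat_by_queue_size(k=2, sizes=range(1, 8)):
    """P(cheat) for V = S = n, n in sizes: the decay with queue length (slide 34)."""
    return [(n, p_cheat(n, n, k)) for n in sizes]
```

For V = S = 2 and k = 2 the attacker wins one replay in five; with V = S = 7 the probability is already below 1.5%, shrinking by a factor of roughly 0.6 per unit of queue size, which is the exponential decrease the slide refers to.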

35 P_spoof vs. queue size and p_d [figure]

36 Cascaded filters
Filters downstream will drop packets forwarded by filters upstream
  – This could lead to route changes that are wrongly inferred as spoofing: legitimate traffic dropped!!!
We must break filter synchronization
  – Choose a random delay for when to start inference: synchronization still possible
  – Random initial delay, then mark forwarded packets in the TOS or ID field with a well-known mark
  – Filters that spot marked packets delay or interrupt inference and wait for T seconds
  – Maximum wait is set to several minutes, then start inference even if the mark is seen

37 Remaining design issues
Spoofing attacks could still go through if they change the spoofed address frequently
  – We only care if this is part of a DDoS
  – Examine offending packets; if a lot of them have a common destination, detect DDoS → drop all offending traffic to this destination
Operating cost
  – Memory cost could be large if all entries go into inference
  – There are ~35K incoming table entries when aggregated
  – We plan to investigate the use of Bloom filters to bring down the memory cost

38 Conclusions
RBF can drastically reduce spoofing if deployed at the 20-50 largest ASes (60% are top members for at least 3 years)
Clouseau builds accurate incoming tables
Quickly detects route changes/spoofing
  – Small impact on legitimate connections
Robust to attacks

39 Questions?

40 Vertex Cover
Choose the minimal number of nodes so that every link has at least one endpoint in the VC. NP-complete problem.

41–43 Vertex Cover
Heuristic: first choose nodes with leaf neighbors, then choose enough nodes to cover the remaining links. [figure sequence]
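The vertex cover heuristic of slides 40-43, as an added Python example run on a constructed toy AS topology (not the authors' code and not the real AS map). The first step is the slides' leaf rule; for the second step the slides only say "choose enough nodes to cover remaining links", so the max-degree greedy choice used here is this example's assumption. `deployment_fraction` gives the share of ASes that would have to run RBF, the quantity slide 8 reports as 18.9% for the full AS map.

```python
from collections import Counter, defaultdict


def vertex_cover(edges):
    """Greedy vertex cover: leaf rule first, then max-degree greedy (assumed)."""
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    cover = set()
    # Step 1: a leaf's only link must be covered by the leaf or its neighbour;
    # the neighbour covers at least as many links, so take the neighbour.
    for node, nbrs in adj.items():
        if len(nbrs) == 1 and node not in cover:
            cover.add(next(iter(nbrs)))
    remaining = {e for e in edges if e[0] not in cover and e[1] not in cover}
    # Step 2: repeatedly add the node touching the most still-uncovered links.
    while remaining:
        degree = Counter()
        for u, v in remaining:
            degree[u] += 1
            degree[v] += 1
        best = max(sorted(degree), key=degree.__getitem__)   # deterministic tie-break
        cover.add(best)
        remaining = {e for e in remaining if best not in e}
    return cover


def is_vertex_cover(edges, cover):
    """True if every link has at least one endpoint in the cover."""
    return all(u in cover or v in cover for u, v in edges)


def deployment_fraction(edges, cover):
    """Share of all nodes (ASes) that the cover asks to deploy RBF."""
    nodes = {n for e in edges for n in e}
    return len(cover) / len(nodes)


# Constructed toy topology: one tier-1 (T1), three tier-2 ASes (T2a..T2c) that
# also peer with each other, and five stub ASes (S1..S5) hanging off the tier-2s.
TOY_AS_LINKS = [
    ("T1", "T2a"), ("T1", "T2b"), ("T1", "T2c"),
    ("T2a", "T2b"), ("T2b", "T2c"),
    ("T2a", "S1"), ("T2a", "S2"), ("T2b", "S3"), ("T2c", "S4"), ("T2c", "S5"),
]

if __name__ == "__main__":
    vc = vertex_cover(TOY_AS_LINKS)
    print(sorted(vc), is_vertex_cover(TOY_AS_LINKS, vc), deployment_fraction(TOY_AS_LINKS, vc))
```

On the toy graph the leaf rule alone already yields the cover {T2a, T2b, T2c}: a third of the ASes, and every link has one endpoint in it, so every (s,d) path in this topology crosses a filter. On a graph without leaves (a triangle, a cycle) only the greedy second step runs.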

