Presentation is loading. Please wait.

Presentation is loading. Please wait.

Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.

Published byGregory Kerry Grant Modified over 9 years ago

Similar presentations

Presentation on theme: "Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State."— Presentation transcript:

1 Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State University Jaideep Chandrashekar Department of Computer Science University of Minnesota

2 IP spoofing: –Forging the source address –Used by many popular DDOS attacks –Making it difficulty to defend again attacks. A D C B Y X

3 Route based packet filtering –One can fake the identity, but not the route. –A router can decide whether it is in the path from the source to the destination and drop packets that are not supposed to be there. –Route based packet filter cannot completely eliminate IP spoofing, however, it can significantly reduce it. A D C B Y X

4 Route based packet filtering requirement: –The router must know the route between any pair of source and destination addresses. Global topology information Not available in BGP. Is it possible to infer the feasible route information from BGP updates? If it is possible, what is the performance?

5 BGP basic: –Autonomous Systems (AS) are the basic units The network can be modeled as an AS graph Nodes are ASes and edges are BGP sessions Nodes own network prefixes and exchange BGP route updates to learn the reachability of prefixes Attributes associated with routes: AS path, prefix.

6 BGP basic: –An incremental protocol: updates are generated only in response to network events. –Policy based routing: Import Route selection Export

7 BGP basic: –AS relationships and routing policy: Provider-customer Peer-peer Sibling-sibling

8 BGP basic: –Property of BGP routes: Uphill path: customer-provider edges or sibling-sibling edges Downhill path: provider-customer edges or sibling-sibling edge Theorem 1 (Gao [17]): If all Ases set their export policies according to r1-r4, BGP routes belong to one of the following: –An uphill path –A downhill path –An uphill path followed by a downhill path –An uphill path followed by a peer-peer edge –A peer-to-peer edge followed by a downhill path –An uphill path followed by a peer-to-peer edge followed by a downhill path.

9 Inter Domain Packet Filters (IDPF): –Deciding feasible routes under BGP –Feasible routes in BGP are constrained by routing policies (AS relation)

10 Inter Domain Packet Filters (IDPF): –Path constrained by the routing policies

11 Assumptions in our scheme: Export rules: MUST export Import rules:

12 Inferring the feasible paths: –If u is a feasible upstream neighbor of v for packet M(u, d), node u must have exported to v its best route to reach s.

13 IDPFs:

14 Routing policy complication: –Selective announcements: –R5: restricted conditional advertisement

15 Performance: –IDPF finds a set of feasible paths instead of one best route, its performance will not be as good as the ideal route based filters [Park 2001] –Important question: How many ASes must deploy IDPF to be effective? –IDPF has two effects Reducing the number of prefixes that can be spoofed Localizing the source of spoofed packets

16 Performance metrics:

17 Data Set: –4 AS graphs from the BGP data achieved by the Oregon Route Views Project.

18 Experimental setting –Determine the feasible paths based on update logs. –Use shortest path as the route (add if the shortest path is not a feasible path) –Selecting nodes that deploy IDPF Random (rnd30/rnd50) Vertex cover If not mentioned specifically, IDPF nodes also have network ingress filtering.

19

20 Chance for completely eliminate IP spoofing:

21

22

23

24 Conclusion: –We proposed and studied IDPF –IDPF can limit the spoofing capability of attackers even when partially deployed and improves the accuracy of IP traceback –IDPF provides local incentives for deployment.

Download ppt "Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State."

Similar presentations

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.

CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.
© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.

© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.

Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
Computer Networks Zhenhai Duan Department of Computer Science 9/15/2011.

Computer Networks Zhenhai Duan Department of Computer Science 9/15/2011.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
Inferring Autonomous System Relationships in the Internet Lixin Gao Dept. of Electrical and Computer Engineering University of Massachusetts, Amherst

Inferring Autonomous System Relationships in the Internet Lixin Gao Dept. of Electrical and Computer Engineering University of Massachusetts, Amherst
Inferring Autonomous System Relationships in the Internet Lixin Gao.

Inferring Autonomous System Relationships in the Internet Lixin Gao.
Inferring Autonomous System Relationships in the Internet Lixin Gao Presented by Santhosh R Thampuran.

Inferring Autonomous System Relationships in the Internet Lixin Gao Presented by Santhosh R Thampuran.
Announcement  Slides and reference materials available at  Slides and reference materials available.

Announcement  Slides and reference materials available at  Slides and reference materials available.
1 Internet Path Inflation Xenofontas Dimitropoulos.

1 Internet Path Inflation Xenofontas Dimitropoulos.
Part II: Inter-domain Routing Policies. March 8, 20042 What is routing policy? ISP1 ISP4ISP3 Cust1Cust2 ISP2 traffic Connectivity DOES NOT imply reachability!

Part II: Inter-domain Routing Policies. March 8, What is routing policy? ISP1 ISP4ISP3 Cust1Cust2 ISP2 traffic Connectivity DOES NOT imply reachability!
1 Tutorial 5 Safe “Peering Backup” Routing With BGP Based on:

1 Tutorial 5 Safe “Peering Backup” Routing With BGP Based on:
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
Tutorial 5 Safe Routing With BGP Based on: Internet.

Tutorial 5 Safe Routing With BGP Based on: Internet.
Mini Introduction to BGP Michalis Faloutsos. What Is BGP?  Border Gateway Protocol BGP-4  The de-facto interdomain routing protocol  BGP enables policy.

Mini Introduction to BGP Michalis Faloutsos. What Is BGP?  Border Gateway Protocol BGP-4  The de-facto interdomain routing protocol  BGP enables policy.
Interdomain Routing and The Border Gateway Protocol (BGP) Courtesy of Timothy G. Griffin Intel Research, Cambridge UK

Interdomain Routing and The Border Gateway Protocol (BGP) Courtesy of Timothy G. Griffin Intel Research, Cambridge UK
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
Internet Networking Spring 2004 Tutorial 5 Safe “Peering Backup” Routing With BGP.

Internet Networking Spring 2004 Tutorial 5 Safe “Peering Backup” Routing With BGP.
Stable Internet Routing Without Global Coordination Jennifer Rexford Princeton University Joint work with Lixin Gao (UMass-Amherst)

Stable Internet Routing Without Global Coordination Jennifer Rexford Princeton University Joint work with Lixin Gao (UMass-Amherst)

Similar presentations

Ads by Google