
Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

  • Maciej Korczyński
  • Yevheniya Nosyk
  • Qasim Lone
  • Marcin Skwarek
  • Baptiste Jonglez
  • Andrzej Duda
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12048)

Abstract

This paper concerns the absence of ingress filtering at the network edge, one of the main causes of important network security issues. Numerous network operators do not deploy the best current practice, Source Address Validation (SAV), which aims at mitigating these issues. We perform the first Internet-wide active measurement study to enumerate networks that do not filter incoming packets by their source address. The measurement method consists of identifying closed and open DNS resolvers that handle requests coming from outside the network with a source address from the range assigned inside the network under test. The proposed method provides the most complete picture of the inbound SAV deployment state at network providers. We reveal that 32 673 Autonomous Systems (ASes) and 197 641 Border Gateway Protocol (BGP) prefixes are vulnerable to spoofing of inbound traffic. Finally, using the data from the Spoofer project and performing an open resolver scan, we compare the filtering policies in both directions.

Keywords

IP spoofing, Source Address Validation, DNS resolvers

Notes

Acknowledgments

The authors would like to thank the anonymous reviewers and our shepherd Ramakrishna Padmanabhan for their valuable feedback. This work has been carried out in the framework of the PrevDDoS project funded by the IDEX Université Grenoble Alpes “Initiative de Recherche Scientifique (IRS)”.

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Maciej Korczyński (1)
  • Yevheniya Nosyk (1)
  • Qasim Lone (2)
  • Marcin Skwarek (1)
  • Baptiste Jonglez (1)
  • Andrzej Duda (1)

  1. Univ. Grenoble Alpes, CNRS, Grenoble INP, LIG, Grenoble, France
  2. Delft University of Technology, Delft, The Netherlands
