Using Loops Observed in Traceroute to Infer the Ability to Spoof

  • Conference paper
Passive and Active Measurement (PAM 2017)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 10176)

Abstract

Despite source IP address spoofing being a known vulnerability for at least 25 years, and despite many efforts to shed light on the problem, spoofing remains a popular attack method for redirection, amplification, and anonymity. Defeating these attacks requires operators to ensure their networks filter packets with spoofed source IP addresses, known as source address validation (SAV), best deployed at the edge of the network where traffic originates. In this paper, we present a new method using routing loops appearing in traceroute data to infer inadequate SAV at the transit provider edge, where a provider does not filter traffic that should not have come from the customer. Our method does not require a vantage point within the customer network. We present and validate an algorithm that identifies at Internet scale which loops imply a lack of ingress filtering by providers. We found 703 provider ASes that do not implement ingress filtering on at least one of their links for 1,780 customer ASes. Most of these observations are unique compared to the existing methods of the Spoofer and Open Resolver projects. By increasing the visibility of the networks that allow spoofing, we aim to strengthen the incentives for the adoption of SAV.
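The core inference in the abstract, sketched as an added example; it is a simplified illustration, not the paper's validated algorithm or the authors' code. The function names, the router-to-AS map and the provider/customer table are assumptions supplied as inputs, and the traceroute is constructed.

```python
# Constructed sample data: documentation-range addresses and private-use ASNs.
# Assumption: the map names the AS that operates each router, which for border
# interfaces is not always the AS that announces the address.
IP_TO_AS = {"192.0.2.1": 64496, "198.51.100.1": 64500,
            "198.51.100.2": 64500, "203.0.113.1": 64511}
PROVIDER_OF = {(64500, 64511)}            # (provider ASN, customer ASN)
LOOP_TRACE = ["192.0.2.1", "198.51.100.1", "203.0.113.1",
              "198.51.100.1", "203.0.113.1", None, "198.51.100.1"]

def find_loop(hops):
    """Return (first, repeat) hop indexes of the first address that reappears
    after a different responsive hop; None entries are unresponsive hops."""
    last_seen = {}
    for idx, addr in enumerate(hops):
        if addr is None:
            continue
        prev = last_seen.get(addr)
        if prev is not None and any(h not in (None, addr) for h in hops[prev + 1:idx]):
            return prev, idx
        last_seen[addr] = idx
    return None

def infer_missing_ingress_filter(hops, ip_to_as, provider_of):
    """If the loop crosses a provider-to-customer link, report that link."""
    loop = find_loop(hops)
    if loop is None:
        return None
    cycle = [h for h in hops[loop[0]:loop[1]] if h is not None]
    # Walk the cycle including the wrap-around edge back to its first router.
    for a, b in zip(cycle, cycle[1:] + cycle[:1]):
        pair = (ip_to_as.get(a), ip_to_as.get(b))
        if pair in provider_of:
            # The customer sent the probe back to the provider carrying the
            # vantage point's source address, and the provider forwarded it.
            return {"provider": pair[0], "customer": pair[1], "link": (a, b)}
    return None

if __name__ == "__main__":
    print(infer_missing_ingress_filter(LOOP_TRACE, IP_TO_AS, PROVIDER_OF))
```

A loop that stays inside one AS yields no inference here, since it says nothing about filtering on a provider-customer link.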

References

  1. CAIDA spoofer project. https://spoofer.caida.org/

  2. Mutually Agreed Norms for Routing Security (MANRS). https://www.routingmanifesto.org/manrs/

  3. Open Resolver Project. http://openresolverproject.org/

  4. Augustin, B., Cuvellier, X., Orgogozo, B., Viger, F., Friedman, T., Latapy, M., Magnien, C., Teixeira, R.: Avoiding traceroute anomalies with Paris traceroute. In: IMC, pp. 153–158, October 2006

  5. Baker, F., Savola, P.: Ingress filtering for multihomed networks. RFC 3704, IETF BCP84, March 2004

  6. Bellovin, S.: Security problems in the TCP/IP protocol suite. CCR 19(2), 32–48 (1989)

  7. Beverly, R., Bauer, S.: The spoofer project: inferring the extent of source address filtering on the Internet. In: Proceedings of USENIX SRUTI, July 2005

  8. Beverly, R., Berger, A., Hyun, Y., claffy, k.: Understanding the efficacy of deployed Internet source address validation. In: IMC, pp. 356–369, November 2009

  9. Beverly, R., Koga, R., claffy, kc.: Initial longitudinal analysis of IP source spoofing capability on the Internet, July 2013. http://www.internetsociety.org/

  10. Bright, P.: Spamhaus DDoS grows to Internet-threatening size, March 2013

  11. Ferguson, P., Senie, D.: Network ingress filtering: defeating denial of service attacks which employ IP source address spoofing. RFC 2827, IETF BCP38, May 2000

  12. Francois, P., Bonaventure, O.: Avoiding transient loops during IGP convergence in IP networks. In: INFOCOM, pp. 237–247, March 2005

  13. Huffaker, B., Keys, K., Koga, R., claffy, kc.: CAIDA inferred AS to organization mapping dataset. https://www.caida.org/data/as-organizations/

  14. Kührer, M., Hupperich, T., Rossow, C., Holz, T.: Exit from hell? Reducing the impact of amplification DDoS attacks. In: USENIX Security, August 2014

  15. Luckie, M.: Scamper: a scalable and extensible packet prober for active measurement of the Internet. In: IMC, pp. 239–245, November 2010

  16. Luckie, M., Dhamdhere, A., Huffaker, B., Clark, D., claffy, k.: bdrmap: inference of borders between IP networks. In: IMC, pp. 381–396, November 2016

  17. Luckie, M., Huffaker, B., Dhamdhere, A., Giotsas, V., claffy, k.: AS relationships, customer cones, and validation. In: IMC, pp. 243–256, October 2013

  18. Marder, A., Smith, J.M.: MAP-IT: multipass accurate passive inferences from traceroute. In: IMC, November 2016

  19. Prince, M.: Technical details behind a 400 Gbps NTP amplification DDoS attack. http://blog.cloudflare.com/

  20. Vixie, P.: Rate-limiting state: the edge of the Internet is an unruly place. ACM Queue 12(2), 1–5 (2014)

  21. Xia, J., Gao, L., Fei, T.: A measurement study of persistent forwarding loops on the Internet. Comput. Netw. 51(17), 4780–4796 (2007)

Acknowledgments

The technique in this paper is based on an idea from Jared Mauch. Christian Keil (DFN-CERT) provided informative feedback. This work was partly funded by the EU Advanced Cyber Defence Centre (ACDC) project CIP-ICT-PSP.2012.5.1 #325188. This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Homeland Security Advanced Research Projects Agency, Cyber Security Division BAA HSHQDC-14-R-B0005, and the Government of United Kingdom of Great Britain and Northern Ireland via contract number D15PC00188.

Corresponding author

Correspondence to Qasim Lone.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Lone, Q., Luckie, M., Korczyński, M., van Eeten, M. (2017). Using Loops Observed in Traceroute to Infer the Ability to Spoof. In: Kaafar, M., Uhlig, S., Amann, J. (eds) Passive and Active Measurement. PAM 2017. Lecture Notes in Computer Science, vol 10176. Springer, Cham. https://doi.org/10.1007/978-3-319-54328-4_17

  • DOI: https://doi.org/10.1007/978-3-319-54328-4_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-54327-7

  • Online ISBN: 978-3-319-54328-4

  • eBook Packages: Computer Science, Computer Science (R0)
