Detection, classification, and analysis of inter-domain traffic with spoofed source IP addresses

IP traffic with forged source addresses (i.e., spoofed traffic) enables a series of threats ranging from the impersonation of remote hosts to massive denial-of-service attacks. Consequently, IP address spoofing has received considerable attention, with efforts to suppress spoofing, to mitigate its consequences, or to actively measure the ability to spoof from individual networks. However, as of today, we still lack a comprehensive understanding both of the prevalence and characteristics of spoofed traffic "in the wild" and of the networks that inject spoofed traffic into the Internet. In this paper, we propose and evaluate a method to passively detect spoofed packets in traffic exchanged between networks in the inter-domain Internet. Our detection mechanism identifies both source IP addresses that should never be visible in the inter-domain Internet (i.e., unrouted and bogon sources) and source addresses that should not be sourced by individual networks, as inferred from BGP routing information. We apply our method to classify the traffic exchanged between more than 700 networks at a large European IXP. We find that the majority of connected networks do not, or do not consistently, filter their outgoing traffic. Filtering strategies and contributions of spoofed traffic vary heavily across networks of different types and sizes. Finally, we study qualitative characteristics of spoofed traffic, regarding both application popularity and structural properties of addresses. Combining our observations, we identify and study dominant attack patterns.
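The abstract describes a three-stage passive classifier: a source address is flagged if it falls in bogon space, if it is not covered by any globally routed prefix, or if it is routed but should not be originated by the network that handed the packet to the exchange. The following Python block is an added illustration of that classification logic and is not the authors' code. The bogon list is a selection of special-use IPv4 space (RFC 1918, RFC 5735, RFC 6598); the "routed" prefixes, the per-peer expected-source sets (a stand-in for what the paper infers from BGP routing information, e.g. a peer's customer cone) and the packet sample are all constructed, using RFC 5737 documentation addresses and RFC 5398 documentation ASNs so that no real network's addresses appear.

```python
import ipaddress
from collections import Counter

# Special-use IPv4 space that must never appear as a source in inter-domain
# traffic (selection from RFC 1918, RFC 5735 and RFC 6598).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# CONSTRUCTED stand-in for the set of globally routed prefixes (a BGP RIB).
# RFC 5737 documentation space is used here purely so the example runs
# offline; in a real deployment this set comes from a full routing table.
ROUTED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "203.0.113.0/24", "198.51.100.0/24",
)]

# CONSTRUCTED per-peer expected-source sets, keyed by the peer that hands the
# packet to the exchange. The paper infers this from BGP routing information;
# here the mapping is hard-coded with RFC 5398 documentation ASNs.
PEER_EXPECTED_SOURCES = {
    "AS64496": [ipaddress.ip_network("203.0.113.0/24")],
    "AS64497": [ipaddress.ip_network("198.51.100.0/24")],
}


def covered_by(addr, prefixes):
    """True if addr lies inside any of the given prefixes."""
    return any(addr in prefix for prefix in prefixes)


def classify_source(src_ip, peer_asn):
    """Classify one source address seen from one peer.

    Returns one of: "bogon", "unrouted", "invalid-source", "valid".
    Order matters: a bogon is reported as such even if it is also unrouted.
    """
    addr = ipaddress.ip_address(src_ip)
    if covered_by(addr, BOGON_PREFIXES):
        return "bogon"
    if not covered_by(addr, ROUTED_PREFIXES):
        return "unrouted"
    # Routed somewhere, but should this particular peer be sourcing it?
    if not covered_by(addr, PEER_EXPECTED_SOURCES.get(peer_asn, [])):
        return "invalid-source"
    return "valid"


def classify_packets(packets):
    """Aggregate per-peer counts of each class over (peer_asn, src, dst) tuples."""
    per_peer = {}
    for peer_asn, src_ip, _dst_ip in packets:
        per_peer.setdefault(peer_asn, Counter())[classify_source(src_ip, peer_asn)] += 1
    return per_peer


def spoofed_share(counts):
    """Fraction of a peer's packets whose source failed any of the checks."""
    total = sum(counts.values())
    return (total - counts.get("valid", 0)) / total if total else 0.0


# CONSTRUCTED packet sample: (ingress peer, source IP, destination IP).
SAMPLE_PACKETS = [
    ("AS64496", "203.0.113.10", "198.51.100.5"),   # valid for AS64496
    ("AS64496", "10.1.2.3", "198.51.100.5"),        # bogon (RFC 1918)
    ("AS64496", "198.51.100.7", "203.0.113.1"),     # routed, but AS64497's space
    ("AS64496", "192.0.2.200", "203.0.113.1"),      # not in the routed set
    ("AS64497", "198.51.100.9", "203.0.113.1"),     # valid for AS64497
    ("AS64497", "169.254.1.1", "203.0.113.1"),      # bogon (link-local)
    ("AS64497", "198.51.100.10", "203.0.113.1"),    # valid for AS64497
    ("AS64497", "203.0.113.44", "198.51.100.5"),    # routed, but AS64496's space
]

if __name__ == "__main__":
    for peer, counts in sorted(classify_packets(SAMPLE_PACKETS).items()):
        print(peer, dict(counts), f"spoofed share={spoofed_share(counts):.2f}")
```

The check order reflects the abstract's two categories: bogon and unrouted sources should never be seen at an exchange regardless of which peer sends them, while the per-peer check needs routing knowledge and is where inconsistent egress filtering by a network shows up as a non-zero "invalid-source" count.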
