Challenges in inferring spoofed traffic at IXPs

Ascertaining that a network will forward spoofed traffic usually requires an active probing vantage point in that network, effectively preventing a comprehensive view of this global Internet vulnerability. Recently, researchers have proposed using Internet Exchange Points (IXPs) as observatories to detect spoofed packets, by leveraging Autonomous System (AS) topology knowledge extracted from Border Gateway Protocol (BGP) data to infer which source addresses should legitimately appear across parts of the IXP switch fabric. We demonstrate that the existing literature does not capture several fundamental challenges to this approach, including noise in BGP data sources, heuristic AS relationship inference, and idiosyncrasies in IXP interconnectivity fabrics. We propose a novel method to navigate these challenges, leveraging customer cone semantics of AS relationships to guide precise classification of inter-domain traffic as in-cone, out-of-cone (spoofed), unverifiable, bogon, and unassigned. We apply our method to a mid-size IXP with approximately 200 members, and find an upper bound volume of out-of-cone traffic to be more than an order of magnitude less than the previous method inferred on the same data. Our work illustrates the subtleties of scientific assessments of operational Internet infrastructure, and the need for a community focus on reproducing and repeating previous methods.
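The five-way classification named in the abstract can be sketched as follows. This is an added example, not the paper's code. The check order, the `UNRELIABLE_MEMBERS` rule for "unverifiable", and all tables are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data. Private-use ASNs; documentation prefixes stand in
# for routed space, so they are deliberately absent from BOGONS below.
BOGONS = [ipaddress.ip_network(p) for p in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
ASSIGNED = [ipaddress.ip_network(p) for p in
            ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
ORIGIN = {ipaddress.ip_network("192.0.2.0/24"): 64500,      # prefix -> origin AS
          ipaddress.ip_network("198.51.100.0/24"): 64502,
          ipaddress.ip_network("203.0.113.0/24"): 64510}
P2C = {64500: {64501}, 64501: {64502}}   # provider -> direct customers
UNRELIABLE_MEMBERS = {64520}  # assumption: members whose cone cannot be trusted

def customer_cone(asn):
    """The AS itself plus every AS reachable over provider->customer links."""
    cone, stack = set(), [asn]
    while stack:
        cur = stack.pop()
        if cur not in cone:
            cone.add(cur)
            stack.extend(P2C.get(cur, ()))
    return cone

def origin_of(addr):
    """Longest-prefix match of addr against the prefix-to-origin table."""
    hits = [n for n in ORIGIN if addr in n]
    return ORIGIN[max(hits, key=lambda n: n.prefixlen)] if hits else None

def classify(member_asn, src):
    """Label a packet with source `src` sent into the fabric by `member_asn`."""
    addr = ipaddress.ip_address(src)
    if any(addr in n for n in BOGONS):
        return "bogon"
    if not any(addr in n for n in ASSIGNED):
        return "unassigned"
    origin = origin_of(addr)
    # Assumption: no known origin, or an untrusted cone, means no verdict.
    if origin is None or member_asn in UNRELIABLE_MEMBERS:
        return "unverifiable"
    return "in-cone" if origin in customer_cone(member_asn) else "out-of-cone"
```

Only the final branch yields a spoofing inference. Every earlier exit keeps noisy or unverifiable inputs from inflating the out-of-cone count.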
