Don't Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

This paper concerns the absence of ingress filtering at the network edge, one of the main causes of serious network security issues. Numerous network operators do not deploy the best current practice that aims at mitigating these issues, Source Address Validation (SAV). We perform the first Internet-wide active measurement study to enumerate networks that do not filter incoming packets by their source address. The measurement method consists of identifying closed and open DNS resolvers that handle requests arriving from outside the network with a source address from the range assigned inside the network under test. The proposed method provides the most complete picture of the inbound SAV deployment state at network providers. We reveal that 32 673 Autonomous Systems (ASes) and 197 641 Border Gateway Protocol (BGP) prefixes are vulnerable to spoofing of inbound traffic. Finally, using data from the Spoofer project and performing an open resolver scan, we compare the filtering policies in both directions.
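The property the paper measures is easy to state as a rule at the network edge: a packet that arrives on an external interface but carries a source address belonging to a prefix assigned inside the network cannot be legitimate and should be dropped. The following Python model of that inbound SAV check is an added example, not code from the paper or its authors; the prefixes, interface names and sample packets are constructed (using documentation address ranges), and the classification helper assumes a simple observation format of (ASN, prefix, answered) that the paper does not specify.

```python
"""Model of inbound Source Address Validation (SAV) at a network edge.

Added illustration, not the paper's own code. The filter decides, per packet,
whether an edge router applying inbound SAV would drop it; the summariser
turns hypothetical measurement observations into the vulnerable-AS and
vulnerable-prefix sets the paper reports on.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, Set, Tuple

# Constructed example: prefixes assigned inside the protected network.
# 203.0.113.0/24 and 2001:db8::/32 are documentation ranges, not real allocations.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]

# Constructed example: interfaces facing upstreams/peers (the "front door").
EXTERNAL_IFACES = {"ge-0/0/0", "ge-0/0/1"}


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on
    src: str      # source address as text
    dst: str      # destination address as text


def build_inbound_sav(internal: Iterable, external_ifaces: Iterable[str]) -> Callable[[Packet], bool]:
    """Return a predicate that is True when inbound SAV would drop the packet.

    Only packets entering on an external interface are checked; a source
    address inside one of our own prefixes cannot legitimately arrive there.
    Address-family mismatches (v4 source vs v6 prefix) never match.
    """
    nets = [ipaddress.ip_network(n) for n in internal]
    externals = set(external_ifaces)

    def should_drop(pkt: Packet) -> bool:
        if pkt.ingress not in externals:
            return False  # traffic originating inside is not subject to inbound SAV
        src = ipaddress.ip_address(pkt.src)
        return any(src in net for net in nets if net.version == src.version)

    return should_drop


def summarize_vulnerable(observations: Iterable[Tuple[int, str, bool]]) -> Tuple[Set[int], Set[str]]:
    """Aggregate hypothetical measurement observations into vulnerable sets.

    Each observation is (asn, prefix, answered). In the paper's method a
    resolver that answers a query whose source was set to an address from its
    own network shows that the edge did not apply inbound SAV, so the AS and
    the prefix are both counted as vulnerable.
    """
    asns: Set[int] = set()
    prefixes: Set[str] = set()
    for asn, prefix, answered in observations:
        if answered:
            asns.add(asn)
            prefixes.add(str(ipaddress.ip_network(prefix)))
    return asns, prefixes


def run_demo() -> dict:
    """Apply the filter to constructed packets and return the decisions."""
    should_drop = build_inbound_sav(INTERNAL_PREFIXES, EXTERNAL_IFACES)
    samples = {
        "spoofed_internal_v4_from_outside": Packet("ge-0/0/0", "203.0.113.7", "203.0.113.53"),
        "genuine_external_v4": Packet("ge-0/0/0", "198.51.100.9", "203.0.113.53"),
        "internal_v4_on_inside_iface": Packet("xe-1/0/0", "203.0.113.7", "203.0.113.53"),
        "spoofed_internal_v6_from_outside": Packet("ge-0/0/1", "2001:db8:10::1", "2001:db8:10::53"),
        "genuine_external_v6": Packet("ge-0/0/1", "2001:db8:ffff::1", "2001:db8:10::53"),
    }
    return {name: should_drop(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, dropped in run_demo().items():
        print(f"{name:36s} -> {'DROP' if dropped else 'accept'}")
```

The interface test is what distinguishes inbound SAV from a blanket block on the network's own addresses: the same source address is fine on an inside interface and only becomes proof of spoofing when it shows up at the front door.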
