Using Loops Observed in Traceroute to Infer the Ability to Spoof

Despite source IP address spoofing being a known vulnerability for at least 25 years, and despite many efforts to shed light on the problem, spoofing remains a popular attack method for redirection, amplification, and anonymity. To defeat these attacks requires operators to ensure their networks filter packets with spoofed source IP addresses, known as source address validation (SAV), best deployed at the edge of the network where traffic originates. In this paper, we present a new method using routing loops appearing in traceroute data to infer inadequate SAV at the transit provider edge, where a provider does not filter traffic that should not have come from the customer. Our method does not require a vantage point within the customer network. We present and validate an algorithm that identifies at Internet scale which loops imply a lack of ingress filtering by providers. We found 703 provider ASes that do not implement ingress filtering on at least one of their links for 1,780 customer ASes. Most of these observations are unique compared to the existing methods of the Spoofer and Open Resolver projects. By increasing the visibility of the networks that allow spoofing, we aim to strengthen the incentives for the adoption of SAV.
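The following is an added, simplified illustration of the inference the abstract describes; it is not the paper's algorithm or code. It assumes traceroute hops have already been mapped to AS numbers and that a provider-to-customer relationship table and the customer's prefixes are available; all ASNs, prefixes and addresses below are constructed. A loop that carries the probe from a customer router back into its provider, while the probe's source address lies outside the customer's prefixes, is flagged as evidence that the provider does not apply ingress filtering on that link.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (illustrative only, not from the paper).
# Prefixes each customer AS is assumed to originate.
CUSTOMER_PREFIXES = {
    64500: [ipaddress.ip_network("203.0.113.0/24")],
}
# Provider-to-customer relationships as (provider_asn, customer_asn).
P2C = {(64496, 64500)}


@dataclass(frozen=True)
class Hop:
    ttl: int
    addr: str
    asn: int  # AS the hop address was mapped to (assumed done by an earlier step)


def find_loop(hops):
    """Return (i, j) for the first hop address that repeats, else None."""
    seen = {}
    for idx, hop in enumerate(hops):
        if hop.addr in seen:
            return seen[hop.addr], idx
        seen[hop.addr] = idx
    return None


def infer_missing_ingress_filter(hops, source_addr, p2c=P2C,
                                 customer_prefixes=CUSTOMER_PREFIXES):
    """Return (provider_asn, customer_asn) if the loop implies the provider
    forwarded a packet from its customer whose source address is outside the
    customer's prefixes; otherwise None."""
    loop = find_loop(hops)
    if loop is None:
        return None
    i, j = loop
    src = ipaddress.ip_address(source_addr)
    # Walk each AS-level transition inside the loop segment hops[i..j].
    for a, b in zip(hops[i:j], hops[i + 1:j + 1]):
        if a.asn == b.asn or (b.asn, a.asn) not in p2c:
            continue
        # Packet went customer (a) -> provider (b). If the probe's source is
        # not in the customer's space, ingress filtering should have dropped it.
        if any(src in net for net in customer_prefixes.get(a.asn, [])):
            continue
        return b.asn, a.asn
    return None


# Constructed traceroute: provider hands the probe to the customer, which
# sends it straight back, and the provider accepts it again.
TRACE = [
    Hop(1, "198.51.100.1", 64499),  # vantage point's upstream
    Hop(2, "192.0.2.1", 64496),     # provider border router
    Hop(3, "203.0.113.1", 64500),   # customer border router
    Hop(4, "192.0.2.1", 64496),     # back at the provider: loop
    Hop(5, "203.0.113.1", 64500),
]

if __name__ == "__main__":
    print(infer_missing_ingress_filter(TRACE, "198.51.100.9"))
```

The check on the source address matters: a probe whose source sits inside the customer's prefixes would legitimately pass an ingress filter, so such a loop says nothing about filtering and the function returns None.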
