Transcript SPM
Brief Announcement: Spoofing Prevention Method
Anat Bremler-Barr, Computer Science, Interdisciplinary Center Herzliya
Hanoch Levy, Computer Science, Tel-Aviv University

Spoofing
• Used by hackers to mount denial of service attacks.
• Denial of service attacks – consume the resources of the victim's network/servers
• Spoofing – forging the source IP of packets.
 – Easy to create (4000 attacks per week [MVS01])
 – Harder to filter
 – Harder to trace back
[Figure: spoofing. The attacker in Net B' (ISP B) sends packets with src = Net A' and dst = victim across the Internet (via ISP C) to the victim in Net A' (ISP A).]

Prevention methods today: "Good Net-Citizen"
• Ingress/Egress filtering
 – Implementation: uRPF, ACL
 [Figure: ISP B filters out packets leaving Net B' whose src is not in Net B'; Internet, ISP A, ISP C.]
 – Administrative overhead
 – Poor incentive – "good-will" and not self-defensive methods

Spoofing Prevention Method (SPM)
• Self-defense method
• Incentive to implement
 – Visibility of SPM members
• Stepwise deployment
• Light mechanism

SPM architecture
• Entities: AS
• Key:
 – Function of source AS and destination AS
 – Added to each packet by the source AS routers.
• Routers:
 – Mark at the originating AS the outgoing traffic with the key.
 – Verify at the destination AS the authenticity of the key on the incoming packets.
• Key distribution, two options:
 – By protocol
 – Learned passively

SPM Architecture
[Figure: the attacker in Net B' (ISP B) sends a packet with src = Net A', dst = victim, key = BC. At ISP A the key does not match the src, so the spoofed traffic is filtered before reaching the victim in Net A'.]

Benefits of SPM
• Server traffic: a server of an SPM member domain can filter at attack time:
 – Spoofed traffic from other SPM ASs
 – Spoofed traffic that spoofs to SPM AS address space
• Client traffic: a client of an SPM member domain receives preferential treatment at SPM domain servers
• Visibility

Key
• Lightweight function – not crypto: random constant, 32 bit
• Guessing the key succeeds with low probability: reduces the volume of attack by 1/2^32
• Function of the source and destination AS
 – Acquiring the key is hard
• Key removed by routers, changed periodically
 – Sniffing is not a likely threat
• Placed as an additional IP option

Key distribution
• The key information requires two small tables:
 – AS-out table – marking
 – AS-in table – verification
• Size of each table: 120KB each – future 480KB
 – AS coded by 2 bytes (current 16,000, max 2^16)
 – Key 4 bytes

Key distribution
• Key information:
 – AS-out: synchronization inside the AS
 – AS-in: needs to be learned from various ASes – a key from each AS.
• Key distribution:
 – Protocol: AS server (IRV [GAGIM03], route reflector).
 – Passively: learn the key from the regular non-spoofed traffic that completes the TCP handshake.

Router job
• Marking – one lookup per destination (combine with IP lookup). Place the key only on traffic destined to other SPM members.
• Verification – one lookup per source. Categorize traffic: spoofed, non-spoofed, other (no key).
 Verification modes:
 – Conservative verification: peace time (drop spoofed)
 – Aggressive verification: attack time (drop spoofed + other)
• Implement in edge routers: combine SPM with ingress/egress filtering

Motivation: Implementation benefit (Symmetric Model)
[Figure: two plots of Relative Benefit (0 to 1) against Participants (0 to 10000): "Relative Benefit of SPM" (SPM members, SPM non-members) and "Relative Benefit of Ingress/Egress filtering" (Ingress/Egress filtering members, non-members).]
Relative benefit of SPM = cannot spoof from SPM AS + cannot spoof to SPM address: 2K/N - (K/N)^2

Motivation: Implementation benefit (Asymmetric Model)
[Figure: "Relative Benefits of SPM", SPM members vs SPM non-members; Relative Benefit (0 to 1) against Participants (0 to 10000).]
• Traffic is proportional to the domain size
• Domain size ~ address space allocation ~ Zipf distribution (top 10 ISPs – 27.8% of the address space [Fixedorbit]).

Conclusions
• Ingress/Egress filtering – today's technological solution is economically ineffective
• SPM – economically attractive:
 – An AS that joins gains significant relative benefits (server traffic/client traffic)
 – Stepwise deployment
 – Visibility
 – Simple
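As an added illustration (constructed here, not the authors' implementation), the AS-out/AS-in marking and verification of the "Router job" slide, the protocol-style key exchange, and the symmetric-model benefit formula in Python; the AS numbers, the Packet class and the table layouts are assumptions:

```python
import secrets
from typing import Dict, Optional

# Constructed model of SPM marking/verification (not the authors' code).
# AS numbers, packet fields and table layouts below are assumptions.

class Packet:
    def __init__(self, src_as: int, dst_as: int, key: Optional[int] = None):
        self.src_as = src_as      # AS the source address claims to belong to
        self.dst_as = dst_as
        self.key = key            # SPM key carried as an IP option (None = absent)

class SpmRouter:
    """Edge router of one AS: AS-out table marks, AS-in table verifies."""
    def __init__(self, asn: int):
        self.asn = asn
        self.as_out: Dict[int, int] = {}   # dst AS -> key to stamp on outgoing traffic
        self.as_in: Dict[int, int] = {}    # src AS -> key expected on incoming traffic

    def mark(self, pkt: Packet) -> Packet:
        # One lookup per destination; only traffic to SPM members gets a key.
        key = self.as_out.get(pkt.dst_as)
        if key is not None:
            pkt.key = key
        return pkt

    def classify(self, pkt: Packet) -> str:
        # One lookup per source: spoofed / non-spoofed / other (no key known).
        expected = self.as_in.get(pkt.src_as)
        if expected is None:
            return "other"
        return "non-spoofed" if pkt.key == expected else "spoofed"

    def accept(self, pkt: Packet, aggressive: bool = False) -> bool:
        # Conservative (peace time) drops spoofed only; aggressive (attack
        # time) also drops "other". The key is stripped once verified.
        category = self.classify(pkt)
        pkt.key = None
        if category == "spoofed":
            return False
        return not (aggressive and category == "other")

def exchange_keys(a: SpmRouter, b: SpmRouter) -> None:
    """Key distribution by protocol: one random 32-bit key per direction."""
    for src, dst in ((a, b), (b, a)):
        key = secrets.randbits(32)      # lightweight random constant, not crypto
        src.as_out[dst.asn] = key
        dst.as_in[src.asn] = key

def relative_benefit(k: int, n: int) -> float:
    """Symmetric-model benefit 2K/N - (K/N)^2 for K of N ASes in SPM."""
    return 2 * k / n - (k / n) ** 2
```

A packet that carries no key but claims a source in a member AS is classified as spoofed, while a packet from a non-member is "other" and survives only in conservative mode.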