Dude, where’s that IP? Circumventing measurement-based IP geolocation

Paper Presentation
CAP6135: Malware and Software Vulnerability Analysis – Spring 2013
Omar Nakhila
Citation and acknowledgement
• Gill, Phillipa, Yashar Ganjali, and Bernard Wong. "Dude, Where’s That IP? Circumventing Measurement-based IP Geolocation." 19th USENIX Security Symposium, Washington DC, August 11–13, 2010.
• http://en.wikipedia.org/wiki/Speed_of_electricity
Presentation Agenda
• What is IP geolocation?
• Why IP geolocation?
• IP geolocation classification and attacks.
• Paper contribution.
• Paper weakness.
• Paper improvement.
• Questions and answers.
What is IP geolocation?
• IP geolocation aims to solve the problem of determining the geographic location of a given IP address.
Why IP geolocation?
• Online advertisers and search engines advertise their content based on the client’s location.
Why IP geolocation? Cont.
• Online content providers such as:
– Hulu
– YouTube
– etc.
limit their content distribution to specific geographic regions.
Why IP geolocation? Cont.
• Law enforcement.
IP geolocation classification
• Passive IP geolocation.
– Uses geolocation databases such as:
• MaxMind.
• Quova.
• Active IP geolocation.
– Delay-based.
• Constraint-Based Geolocation (CBG)
– Topology-aware.
• Octant.
– Other.
Delay-based IP geolocation
• Constraint-Based Geolocation (CBG)
[Diagram: Landmarks A, B and C ping the target (User IP Location); measured delays D_AB=x1 and D_AC=x2, with labels x3 and y3 on the Best Line Function.]
[Diagram: Landmarks A, B and C around the target (User IP Location); distance x3.]
Delay-based IP geolocation attack
• Constraint-Based Geolocation (CBG)
– Speed of light attack.
• Delay time = Distance / Speed
• The speed of electricity in an unshielded copper conductor ranges from 95 to 97% of the speed of light, while in a typical coaxial cable it is about 66% of the speed of light.
– Best line attack.
• The attacker has access to the best line function in the landmarks!
Delay-based IP geolocation attack.
[Diagram: Landmarks A, B and C ping the target; User IP Location (Real Location), User IP Location (Desired Fake Location) and User IP Location (Fake Location), with error terms ϵ and ϴ and labels x3, y3.]
Delay-based IP geolocation attack evaluation
Delay-based IP geolocation attack results
[Figure: SOL]
Delay-based IP geolocation attack results
[Figure: Best line function]
Limiting delay-based IP geolocation attack
Topology-aware IP geolocation
• Octant
[Diagram: Landmarks A, B and C locate the target (User IP Location) using tracert and ping.]
Topology-aware IP geolocation
• Octant single gateway
[Diagram: as above, with the delay of the last route into the target marked.]
Topology-aware IP geolocation
• Octant single gateway based attack
[Diagram: Landmarks A, B and C using tracert and ping against the target (User IP Location).]
Topology-aware IP geolocation
• Octant multi-gateway based.
[Diagram: as above, with the delay of the last route marked on each of the three paths.]
Topology-aware IP geolocation attack.
• Octant multi-gateway based attack.
[Diagram: Landmarks A, B and C using tracert and ping; the target (User IP Location) and a User IP Location (Fake Location).]
Topology-aware IP geolocation attack.
• Naming attack, which can affect both single- and multi-gateway topology-aware geolocation.
• The attack is based on the undns tool.
• Each router will have a DNS domain name.
• The undns tool maps a router’s DNS domain name to a city.
• This naming attack requires that the attacker be capable of crafting a domain name that can deceive the undns tool.
Topology-aware IP geolocation
• Octant naming attack.
[Diagram: Landmarks A, B and C locate the target (User IP Location) using tracert and ping; a Fake Router Location whose domain name belongs to Nevada.]
Topology-aware IP geolocation attack simulation.
[Diagram legend: Fake Router, Fake location, Gateways]
• 4 gateway routers (black).
• 11 forged locations (T) (white).
• 14 non-existent internal routers (F) (red).
• 80 targets (50 North American and 30 European).
Topology-aware geolocation attack results
Paper Contribution
• The paper surveyed current IP geolocation algorithms such as CBG and Octant, which reach accuracies of 35-194 km, making them suitable for geolocation within a country.
• The paper also illustrated how the above IP geolocation algorithms are vulnerable.
• Then, the paper proposed that a delay-based attack can be detected by setting a threshold on the size of the localization region.
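The delay-to-distance step (Delay time = Distance / Speed) and the region-size threshold the paper proposes for catching added delay, worked through as an added example that is not the paper's or the presenter's code. The landmark coordinates, the target, the RTTs and the 2/3 c propagation factor (standing in for CBG's per-landmark best line) are constructed assumptions.

```python
import math
# Constructed landmark set (lat, lon): New York, Chicago, Atlanta.
LANDMARKS = [(40.71, -74.01), (41.88, -87.63), (33.75, -84.39)]
TRUE_LOCATION = (38.90, -77.04)        # honest target near Washington DC
C_KM_PER_MS = 299.792458               # speed of light in vacuum, km/ms
PROPAGATION_FACTOR = 2.0 / 3.0         # assumed fraction of c in cable, in place of CBG's best line
KM_PER_DEG = 111.0                     # rough km per degree of latitude

def haversine_km(p, q):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def max_distance_km(rtt_ms):
    """Delay = Distance / Speed, inverted: the farthest the target can be for this RTT."""
    return (rtt_ms / 2.0) * C_KM_PER_MS * PROPAGATION_FACTOR

def within_constraints(point, landmarks, rtts):
    """True if `point` lies inside every landmark's delay-derived disc."""
    return all(haversine_km(point, lm) <= max_distance_km(r) for lm, r in zip(landmarks, rtts))

def region_area_km2(landmarks, rtts, step=0.25):
    """Grid-sample the intersection of the discs and approximate its area in km^2."""
    span = max(max_distance_km(r) for r in rtts) / KM_PER_DEG
    lats, lons = zip(*landmarks)
    area, lat = 0.0, min(lats) - span
    while lat <= max(lats) + span:
        lon = min(lons) - span
        while lon <= max(lons) + span:
            if within_constraints((lat, lon), landmarks, rtts):
                area += (KM_PER_DEG * step) ** 2 * math.cos(math.radians(lat))  # cell shrinks with latitude
            lon += step
        lat += step
    return area

def classify(landmarks, rtts, max_area_km2):
    """Empty region: delays are mutually inconsistent. Oversized region: added delay suspected."""
    area = region_area_km2(landmarks, rtts)
    if area == 0.0:
        return "infeasible"
    return "suspicious" if area > max_area_km2 else "ok"

def simulated_rtts(landmarks, location, padding_ms=0.0, slack=1.2):
    """Constructed RTTs: propagation time plus 20% queueing slack, plus any delay the target pads in."""
    return [2 * haversine_km(lm, location) / (C_KM_PER_MS * PROPAGATION_FACTOR) * slack + padding_ms
            for lm in landmarks]

HONEST_RTTS = simulated_rtts(LANDMARKS, TRUE_LOCATION)
PADDED_RTTS = simulated_rtts(LANDMARKS, TRUE_LOCATION, padding_ms=25.0)  # target inflates every reply
```

A target can only add delay, never remove it, so padding every reply enlarges the feasible region; comparing the region's area against a threshold (here 1,000,000 km²) is the detection rule, while an empty region signals delays that no single location can explain.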
Paper Weakness
• The paper didn’t explain the complexity of gaining access to the best line function.
• The paper also didn’t explain the complexity of manipulating the undns tool.
• Lack of an efficient detection method to catch the undns-based topology-aware IP geolocation attack.
• The scientific reasoning for the PlanetLab landmark distribution in relation to IP geolocation was not clear.
• Using ping and traceroute to measure delay and route information is not recommended, since administrators tend to drop these types of packets.
Paper Improvement
• The impact of landmark distribution on both attacks.
• Study the effect of using reliable protocols to limit both attacks.
Question and Answer
Thank You