Clouseau: A practical IP spoofing defense through route-based filtering
Jelena Mirkovic, University of Delaware ([email protected])
Nikola Jevtic, Google Inc.
Peter Reiher, UCLA
Outline
What is IP spoofing? Why should we care?
Route-based filtering (RBF)
– Filter packets that come on an unexpected path
– 97% effective if deployed at a few core ASes
– Tables must be complete!
Clouseau protocol
– Builds tables for RBF and keeps them current in the face of route changes
– Sets up spoofed-packet filters
– Fast and accurate decision, small impact on traffic
What is IP spoofing?
[Figure: three hosts, Andy, Lea and Danny, with addresses 1.2.3.4, 5.6.7.8 and 9.10.11.12, joined through the network; a packet in flight is labelled "From: 1.2.3.4, to: 9.10.11.12"]
Faking the IP address in the source field of the IP header
IP spoofing RBF Clouseau
IP spoofing uses
Hide the attacker's identity
Invoke replies to the spoofed address
– Reflector DDoS attacks
Create decoy packets that hide the attacker's vulnerability scanning
Assume a good host's identity and gain priority service or status
If IP spoofing were reduced
Attacks would be easier to detect and attribute
We could build IP address profiles to track user behavior
– Reward good users, punish bad ones
Reflector attacks would be reduced
Route-based filtering [RBF]
[Figure: Andy, Lea and Danny (1.2.3.4, 5.6.7.8, 9.10.11.12) connected through the network]
Build incoming tables that store the incoming interface for a given source IP.
Filter packets that arrive on the wrong interface.
Tables must be updated upon a route change.
Lea's path could overlap with Andy's, so some spoofing will go undetected.
[RBF] K. Park, H. Lee, "On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets," SIGCOMM 2001
Route-based filtering
[Figure: Andy, Lea and Danny (1.2.3.4, 5.6.7.8, 9.10.11.12) attached to a filtering router through interfaces 1 and 2; a packet labelled "From: 1.2.3.4, to: 9.10.11.12" arrives at the filter]
Incoming table at the filter:
  From       Interface
  5.6.7.8    1
  1.2.3.4    2
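The incoming-table check above, written out as an added example (this is not the authors' code or the paper's implementation). It assumes, beyond what the slide shows, that entries are CIDR prefixes matched longest-prefix-first (the deck later says the real table has ~35K entries when aggregated), that an entry may list several acceptable interfaces (the IDPF-style relaxation mentioned later in the deck), and that a source with no entry is forwarded but flagged, since incomplete tables are exactly the gap Clouseau is meant to fill. The table and packets are constructed sample data; the /24 and /16 prefixes and the `IncomingTable` and `rbf_decision` names are this example's own.

```python
"""Added example: a route-based filter (RBF) keyed on source prefix.
Not the authors' code. Assumptions (not on the slides): CIDR entries with
longest-prefix match, optional multiple allowed interfaces per entry, and
an 'unknown' verdict (forward but flag) for sources with no entry."""
import ipaddress


class IncomingTable:
    """Source prefix -> set of interfaces the prefix may legitimately arrive on."""

    def __init__(self):
        self._entries = []            # (network, frozenset of interface ids)

    def add(self, prefix, *interfaces):
        net = ipaddress.ip_network(prefix, strict=False)
        self._entries.append((net, frozenset(interfaces)))
        # most specific prefix first, so the first hit in lookup() is the longest match
        self._entries.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, src):
        addr = ipaddress.ip_address(src)
        for net, ifaces in self._entries:
            if addr in net:
                return ifaces
        return None                   # no entry: the table is incomplete here


def rbf_decision(table, src, arrival_iface):
    """'forward' (expected interface), 'drop' (unexpected interface, i.e. the
    source address is not reachable over the path the packet took) or
    'unknown' (no entry: forwarded, but a candidate for table inference)."""
    expected = table.lookup(src)
    if expected is None:
        return 'unknown'
    return 'forward' if arrival_iface in expected else 'drop'


def filter_batch(table, packets):
    """packets: iterable of (src, dst, arrival_iface). Returns one verdict per packet."""
    return [rbf_decision(table, src, iface) for src, _dst, iface in packets]


# Constructed sample: the slide's two-entry table, widened to /24 prefixes,
# plus a less specific /16 that allows two interfaces (assumed, not on the slide).
TABLE = IncomingTable()
TABLE.add('5.6.7.0/24', 1)
TABLE.add('1.2.3.0/24', 2)
TABLE.add('1.2.0.0/16', 2, 3)

SAMPLE = [
    ('5.6.7.8', '9.10.11.12', 1),   # Lea, on her own interface
    ('1.2.3.4', '9.10.11.12', 1),   # claims Andy's address but arrives on Lea's interface
    ('1.2.3.4', '9.10.11.12', 2),   # Andy, on his own interface
    ('1.2.9.9', '9.10.11.12', 3),   # covered only by the /16, which allows interface 3
    ('8.8.8.8', '9.10.11.12', 2),   # no entry at all: incomplete table
]

if __name__ == '__main__':
    for pkt, verdict in zip(SAMPLE, filter_batch(TABLE, SAMPLE)):
        print(pkt, '->', verdict)
```

The second packet is the slide's case: a packet claiming 1.2.3.4 that shows up on interface 1 is dropped because the table says 1.2.3.4 only ever arrives on interface 2. The last packet shows why table completeness matters: with no entry there is nothing to compare against, so RBF alone can only forward it.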
RBF effectiveness
If RBF is deployed on the vertex cover of the AS map [RBF]:
– Deployment percentage: 18.9%
– Percentage of (s,d) pairs that cannot carry spoofed traffic: 96%
– ASes that cannot spoof: 88%
Downside: 18.9% of ASes is more than 4000!
Open questions
How well does RBF work under sparse deployment?
What if incoming tables are incomplete?
How to build incoming tables?
Effectiveness measures
We observe packets sent from s to d, spoofing the address p.
Target measure (fixed d):
– How many (s,p) combinations can reach this victim
Stolen address measure (fixed p):
– How many (s,d) combinations can spoof this address
Spoofability:
– How many (s,d,p) combinations are possible
Target measure, May '05
[Plot: x = Number of filters (0 to 50), y = Target measure (0 to 1); series: filters POP, all POP, filters CON, all CON]
Stolen address measure, May '05
[Plot: x = Number of filters (0 to 50), y = Stolen address measure (0 to 1); series: filters POP, all POP, filters CON, all CON]
Spoofability over years
[Plot: x = Number of filters (0 to 50), y = Spoofability (0 to 1); one series per year, 2001 through 2005]
Effectiveness summary
The first 20 filters have a considerable impact! 50 filters drastically reduce spoofing.
Filters receive an instant benefit from RBF:
– They reduce their own target measure
– The stolen address measure is only reduced once enough filters are deployed
Filter membership
AS numbers occupying the 50 filter positions, by year (the 2005 column is repeated on the right for comparison):

   2005   2001   2002   2003   2004   2005
   3356    701    701   7018   7018   3356
   7018   1239   6461    701   3356   7018
    701   7018   7018   1239    701    701
   1239   6461   1239    209    568   1239
    209   3561    568      1   1239    209
    174      1      1   3561   2914    174
   7132   2914   2914   2914    174   7132
   3549    209   3561   3549    209   3549
   2914    702    293   3356   7132   2914
    702   3549    714    702   6461    702
    721    174   8918   3257   3549    721
   6461    293    209   6461  12956   6461
   3561   3356    174   1668   4134   3561
   3320   9057   3257   3491    721   3320
  12956   6453   5673   7911   3320  12956
   3303   4766   6453   4637  17676   3303
   6939   5673   3549  16631   3561   6939
   2516   3908   1103    293   2686   2516
   4637    568   3320   4766     71   4637
  13237   2548    702   5511    237  13237
   4589   5650   2686   3908    702   4589
   4766   2686    237   5673  13237   4766
   2828   6172   2647    721   2647   2828
   3491   1755    721  11608   4637   3491
   6453   3320   2828   2686    293   6453
   2686   6347     71   6539   3303   2686
   4323   3786   9057   1299    714   4323
   7911   2828   1668   3320   6939   7911
   6539   1267     80    568     33   6539
   5511    703   4134   3786   5511   5511
   1299   2907   5511    174   2516   1299
   3786   1785   6805   4323   2152   3786
    286   3967   7170   2548   4766    286
   4134    237   3908   6395     80   4134
   1668   5511   3356   2647  15412   1668
   8220   1103    680   6347   4589   8220
   2497   1221   4766    852   6453   2497
   2152   8335   6172    703   1668   2152
   2907   3269   2907   2828   4837   2907
   4713   3215   8434   2907   6762   4713
   3257   4323   1267   4134   2907   3257
   2856   3303  17676   1267   6805   2856
   1221   2497    852    237   1103   1221
   1273   2647    786   7132    680   1273
   1267   5006   3786   3269   1299   1267
  22773    577   4538   2856   6539  22773
   1257   4230   5466   3215    786   1257
   6395    714   4637   4713   3292   6395
  19262   4134    577   2497   6395  19262
   3269   2856   1299   1221   3491   3269

Highlighted in the original: 17 ASes persist over all 5 years; 14 persist over 3 years.
Long-term members
7018, 2686        AT&T
701, 702          UUNET Technologies, Inc.
1239              Sprint
209               Qwest
3561              Savvis
2914              Verio, Inc.
3549              Global Crossing
6461              Abovenet Communications, Inc.
3356              Level 3 Communications, LLC
174               Cogent Communications
3320, 5511        RIPE Network Coordination Centre (the regional registry; the operating network is not named on the slide)
4766, 4134, 2907  Asia Pacific Network Information Centre (the regional registry; the operating networks are not named on the slide)
How to build incoming tables
Incoming interface = outgoing interface
– Asymmetric routing defeats this
Participating source networks send reports along the paths to the destinations they talk to [SAVE]
– Infer the incoming interface from the route the report takes or from the report's contents; yields partial tables!
Infer incoming interface info from BGP updates [IDPF]
– This allows multiple expected interfaces
Infer incoming interface info from traffic (Clouseau)
Clouseau
Packets at an unexpected interface trigger the inference process.
Out of the first N packets:
– Drop a random V, store their unique IDs in DropQueue
– Forward N-V, store their unique IDs in FwQueue
When a packet is repeated:
– If it is in DropQueue, gain 1 valid point
– If it is in FwQueue, gain 1 spoof point
Decision when valid score = V or spoof score = S.
Inference is banned for a time afterwards.
Clouseau in action
Policy for this run: drop packet 1, forward packets 2, 3, ...
– Packet 1 arrives: Drop! DropQueue = {1}, FwQueue = {}. Valid = 0, Spoof = 0.
– Packet 2 arrives: Forward! FwQueue = {2}.
– Packet 3 arrives: Forward! FwQueue = {2, 3}. Valid = 0, Spoof = 0.
– Packet 1 is repeated: it is in DropQueue. Repeating dropped packets increases the valid score. Valid = 1, Spoof = 0.
– Packet 2 is repeated: it is in FwQueue. Repeating forwarded packets increases the spoof score. Valid = 1, Spoof = 1.
– Packet 1 is repeated again: repeating dropped packets more than once doesn't change the scores. Valid = 1, Spoof = 1.
– Packet 2 is repeated again: repeating forwarded packets more than once increases the spoof score. Valid = 1, Spoof = 2.
Design decisions
DropQueue size = V, FwQueue size = k*S
Why a forwarded queue?
– To stop a packet-repeating attacker
Should S > 0?
– Yes: congestion, and senders that don't use selective acks, cause legitimate retransmissions of packets that were already forwarded
Why an inference ban?
– Inference lets packets through; our goal is to filter
Performance measures
Impact on legitimate traffic
– Connection delay due to drops and policing
Inference delay
– How long until we discover a route change or attack
Test setting
Clouseau implemented in the Linux kernel, tested in Emulab
Start 10 parallel TCP connections, change the route in the middle
Traffic delay vs. queue size
[Plot: x = N (0 to 600), y = Connection duration (s) (80 to 140); pd = V/N = 0.1; baseline avg + stdev and baseline avg - stdev drawn as reference lines]
Inference time vs. queue size
[Plot: x = N (0 to 600), y = Inference delay (s) (0 to 1.6); pd = V/N = 0.1]
Traffic delay vs. Pd
[Plot: x = Pd (0 to 1), y = Connection duration (s) (80 to 140); N = 100; baseline avg + stdev and baseline avg - stdev drawn as reference lines]
Inference time vs. Pd
[Plot: x = Pd (0 to 1), y = Inference delay (s) (0 to 1.6); N = 100]
Attacks
Random spoofing
– Detected on timeout
Repeat each packet n times
– Best choice: n=2
– First packet dropped: gain 1 valid point
– First packet forwarded: damage is 1 spoof point
– Larger damage but no larger gain for n>2
Send N packets, then repeat a permutation
– Attacker knows the values of V, S, k
– Goal is to trick Clouseau into changing the incoming interface
– Send N packets, then choose a permutation of them
– N large enough to guarantee that the queues fill
Permutation attack
Good permutations for the attacker:
– Have V packets from DropQueue before S packets from FwQueue
Probability that the attacker manages to cheat us:
Probability of cheating decreases exponentially with longer queues
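An added example covering the Clouseau inference rules (the "Clouseau" and "Design decisions" slides) and the two attacker strategies from the "Attacks" and "Permutation attack" slides. This is my own model, not the authors' Linux kernel implementation. The slides' probability expression did not survive extraction; the closed form in `permutation_cheat_probability` is this example's own derivation under the assumption that the attacker replays in a uniformly random order, which is the best he can do when he does not know which V of his N packets were dropped. Other assumptions, none fixed by the slides: packet IDs are plain integers standing in for the "unique ID"; the V drops are chosen uniformly among the first N; a DropQueue hit scores once and the ID is then retired while a FwQueue hit scores every time (matching the "Clouseau in action" walk-through); FwQueue keeps the k*S most recently forwarded IDs; packets seen during inference are forwarded; and the post-decision inference ban is omitted. The class and function names are this example's own.

```python
"""Added example (not the authors' code): a model of Clouseau's inference step
and of the 'repeat twice' and 'permutation' attackers from the slides.
Assumptions beyond the slides: integer packet IDs; V drops chosen uniformly
among the first N; DropQueue hit scores once, FwQueue hit scores each time;
FwQueue holds the last k*S forwarded IDs; no inference ban after a decision."""
import random
from collections import deque
from math import comb


class ClouseauInference:
    def __init__(self, N, V, S, k, rng):
        self.N, self.V, self.S = N, V, S
        self.drop_at = set(rng.sample(range(N), V))   # which of the first N to drop
        self.seen = 0
        self.drop_queue = set()                        # at most V IDs
        self.fw_queue = deque(maxlen=k * S)            # last k*S forwarded IDs
        self.valid = self.spoof = 0
        self.decision = None                           # None, 'valid' or 'spoof'

    def packet(self, pid):
        """Return 'drop' or 'forward' for one packet with unique ID pid."""
        if self.decision == 'valid':       # table updated: new interface accepted
            return 'forward'
        if self.decision == 'spoof':       # filter installed for this entry
            return 'drop'
        if pid in self.drop_queue:         # a dropped packet came back: valid point
            self.drop_queue.discard(pid)   # repeating it again scores nothing
            self.valid += 1
        elif pid in self.fw_queue:         # a forwarded packet came back: spoof point
            self.spoof += 1
        elif self.seen < self.N:           # still sampling the first N packets
            self.seen += 1
            if self.seen - 1 in self.drop_at:
                self.drop_queue.add(pid)
                return 'drop'
            self.fw_queue.append(pid)
        if self.valid >= self.V:
            self.decision = 'valid'
        elif self.spoof >= self.S:
            self.decision = 'spoof'
        return 'forward'


def legitimate_route_change(N=100, V=10, S=3, k=2, seed=1):
    """A real source whose route changed: TCP retransmits only what was dropped."""
    clo = ClouseauInference(N, V, S, k, random.Random(seed))
    dropped = [pid for pid in range(N) if clo.packet(pid) == 'drop']
    for pid in dropped:
        clo.packet(pid)
    return clo.decision


def repeat_twice_attack(N=100, V=10, S=3, k=2, seed=1):
    """The n=2 attacker from the 'Attacks' slide: every packet is sent twice."""
    clo = ClouseauInference(N, V, S, k, random.Random(seed))
    for pid in range(N):
        clo.packet(pid)
        clo.packet(pid)
        if clo.decision:
            break
    return clo.decision


def permutation_attack_rate(N=50, V=4, S=2, k=2, trials=2000, seed=7):
    """Send N distinct packets, then replay them in a random order; return the
    fraction of trials in which Clouseau wrongly accepts the new interface."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        clo = ClouseauInference(N, V, S, k, rng)
        for pid in range(N):
            clo.packet(pid)
        order = list(range(N))
        rng.shuffle(order)
        for pid in order:
            clo.packet(pid)
            if clo.decision:
                break
        wins += clo.decision == 'valid'
    return wins / trials


def permutation_cheat_probability(V, S, k):
    """Exact value for a uniformly random replay once both queues are full
    (needs N - V >= k*S): only the V DropQueue IDs and the k*S FwQueue IDs
    score, and the attacker wins iff all V drop IDs precede the S-th FwQueue ID."""
    return comb(k * S, S - 1) / comb(V + k * S, V + S - 1)


if __name__ == '__main__':
    print('route change ->', legitimate_route_change())
    print('repeat twice ->', repeat_twice_attack())
    print('permutation  -> simulated %.4f, exact %.4f'
          % (permutation_attack_rate(), permutation_cheat_probability(4, 2, 2)))
    for N in (50, 100, 200, 400):            # pd = 0.1, S = N/20, k = 2
        print('N=%d  P(cheat)=%.2e' % (N, permutation_cheat_probability(N // 10, N // 20, 2)))
```

The three runs show the asymmetry the deck relies on: a genuine sender reaches V valid points because every dropped segment is retransmitted and no forwarded one is, the n=2 attacker pays one spoof point per forwarded packet and hits S long before V, and the permutation attacker only wins if the random order happens to surface all V dropped IDs before S forwarded ones. The final loop grows N with pd fixed at 0.1 and prints the cheat probability falling by orders of magnitude, the "decreases exponentially with longer queues" behaviour of the slide.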
Pspoof vs. queue size and pd
[Plot: x = Pd (0 to 1), y = N (0 to 800); contour lines of Pspoof at 10^-10, 10^-5 and 10^-3]
Cascaded filters
Filters downstream will drop packets forwarded by filters upstream
– This could lead to route changes being wrongly inferred as spoofing: legitimate traffic dropped!!!
We must break filter synchronization
– Choose a random delay before starting inference: synchronization is still possible
– Random initial delay, then mark forwarded packets in the TOS or ID field with a well-known mark
– Filters that spot marked packets delay or interrupt inference and wait for T seconds
– Maximum wait is set to several minutes, then start inference even if the mark is seen
Remaining design issues
Spoofing attacks could still get through if they change the spoofed address frequently
– We only care if it is part of a DDoS
– Examine offending packets; if many of them share a destination, declare a DDoS and drop all offending traffic to that destination
Operating cost
– Memory cost could be large if all entries go into inference
– There are ~35K incoming table entries, when aggregated
– We plan to investigate the use of Bloom filters to bring down the memory cost
Conclusions
RBF can drastically reduce spoofing if deployed at the 20-50 largest ASes (60% are top members for at least 3 years)
Clouseau builds accurate incoming tables
Quickly detects route changes/spoofing
– Small impact on legitimate connections
Robust to attacks
Questions?
Vertex Cover
Choose the minimal number of nodes so that every link has at least one endpoint in the VC. NP-complete problem.
Heuristic: first choose nodes with leaf neighbors, then choose enough nodes to cover the remaining links.