06-Sep-2006 Copyright (C) 2006 Internet Initiative Japan Inc. 1
Prevent DoS using IP source address spoofing
MATSUZAKI ‘maz’ Yoshinobu
ip spoofing
creation of IP packets with source addresses other than those assigned to that host
Malicious uses with IP spoofing
• impersonation
  – session hijack or reset
• hiding
  – flooding attack
• reflection
  – ip reflected attack
impersonation
[figure: the sender sends an ip spoofed packet (dst: victim, src: partner) to the victim; the victim thinks: “Oh, my partner sent me a packet. I’ll process this.”]
hiding
[figure: the sender floods the victim with ip spoofed packets (dst: victim, src: random); the victim thinks: “Oops, many packets are coming. But, who is the real source?”]
reflection
[figure: the sender sends an ip spoofed packet (src: victim, dst: reflector) to the reflector; the reflector sends its reply packet (src: reflector, dst: victim) to the victim; the victim thinks: “Oops, a lot of replies without any request…”]
ip reflected attacks
• smurf attacks
  – icmp echo (ping)
  – ip spoofing (reflection)
  – amplification (multiple replies)
• dns amplification attacks
  – dns query
  – ip spoofing (reflection)
  – amplification (bigger reply / multiple replies)
amplification
[figure: two ways a reflector amplifies the sender’s traffic: 1. multiple replies, 2. bigger reply]
ip reflected attacks
[figure: the attacker sends ip spoofed packets to an open amplifier; the replies go to the victim]
smurf attack
[figure: the attacker sends an ip spoofed ping; the ICMP echo replies go to the victim]
dns amplification attack
[figure: the attacker sends ip spoofed DNS queries to several DNS servers; the DNS replies go to the victim]
relations – dns amp attack
[figure: a Command&Control host drives a botnet, which sends IP spoofed DNS queries to stub-resolvers and full-resolvers; the full-resolvers in turn query the root-servers, tld-servers and example-servers, and the DNS replies land on the victim]
solutions for ip reflected attacks
[figure: the same attacker, open amplifier and victim picture, with the two countermeasures marked: prevent ip spoofing on the attacker side, and disable open amplifiers]
two solutions
• disable ‘open amplifier’
  – disable ‘directed-broadcast’
  – disable ‘open recursive DNS server’
    • a content (authoritative) DNS server should accept queries from everyone, but the resolver (cache) DNS service should be restricted to the ISP’s own customers
• prevent ip spoofing!!
  – source address validation
  – BCP38 & BCP84
Source Address Validation
• check the source ip address of ip packets
  – filter invalid source addresses
  – filter as close to the packet’s origin as possible
  – filter as precisely as possible
• if no network allows ip spoofing, we can eliminate these kinds of attacks
close to the origin
• we can check for and drop packets with an unused source address anywhere, but a source address taken from used space can only be checked before aggregation
[figure: two customer networks, 10.0.0.0/23 and 10.0.3.0/24, connect to RT.a, which sits behind RT.b. Packets with srcip: 0.0.0.0 are rejected (“You are spoofing!”) at both RT.a and RT.b. A packet with srcip: 10.0.0.1 sent from the wrong customer network is rejected at RT.a (“You are spoofing!”), but at RT.b, after the two prefixes have been aggregated, it “looks ok...but..”]
how to configure the checking
• ACL
  – packet filter
  – permit valid-source, then drop any
• uRPF check
  – check incoming packets using the ‘routing table’
  – look up the return path for the source ip address
  – loose mode can’t stop ip reflected attacks
    • use strict mode or feasible mode
cisco ACL example
customer network 192.168.0.0/24
point-to-point 10.0.0.0/30
ISP Edge Router (the access-list name must match the name referenced by ip access-group):

  ip access-list extended fromCUSTOMER
   permit ip 192.168.0.0 0.0.255.255 any
   permit ip 10.0.0.0 0.0.0.3 any
   deny ip any any
  !
  interface GigabitEthernet0/0
   ip access-group fromCUSTOMER in
  !
juniper ACL example
customer network 192.168.0.0/24
point-to-point 10.0.0.0/30
ISP Edge Router:

  firewall {
      family inet {
          filter fromCUSTOMER {
              term CUSTOMER {
                  from {
                      source-address {
                          192.168.0.0/16;
                          10.0.0.0/30;
                      }
                  }
                  then accept;
              }
              term Default {
                  then discard;
              }
          }
      }
  }

  [edit interfaces ge-0/0/0 unit 0 family inet]
  filter {
      input fromCUSTOMER;
  }
cisco uRPF example
customer network 192.168.0.0/24
point-to-point 10.0.0.0/30
ISP Edge Router:

  interface GigabitEthernet0/0
   ip verify unicast source reachable-via rx
juniper uRPF example
customer network 192.168.0.0/24
point-to-point 10.0.0.0/30
ISP Edge Router:

  [edit interfaces ge-0/0/0 unit 0 family inet]
  rpf-check;
IIJ’s policy
[figure: IIJ/AS2497 in the middle, with links to a peer ISP, an upstream ISP, a customer ISP, a multi homed static customer and a single homed static customer; each link is labelled with the check IIJ applies there, either uRPF strict mode or uRPF loose mode]
ACL and uRPF
• ACL
  – deterministic
    • statically configured
  – maintenance of the access-list
• uRPF
  – easy to configure
  – care about asymmetric routing
    • strict mode works well only with symmetric routing
    • loose mode can’t stop the ip reflected attack
    • there is no good implementation of feasible mode
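As an added example (not part of the deck), the checks from “how to configure the checking” and the strict/loose/feasible trade-offs above, modelled in Python on a constructed routing table; the interface names, prefixes and routing entries are assumptions for illustration:

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for one ISP edge router (assumption, not from the
# deck): prefix -> feasible interfaces toward it, best (FIB) path listed first.
RIB = {
    ip_network("192.168.0.0/24"): ["ge-0/0/0"],              # single-homed customer
    ip_network("10.0.0.0/30"):    ["ge-0/0/0"],              # customer point-to-point link
    ip_network("172.16.0.0/16"):  ["ge-0/0/1", "ge-0/0/2"],  # multi-homed customer
    ip_network("203.0.113.0/24"): ["ge-0/0/9"],              # remote network via upstream
}

# ACL applied inbound on ge-0/0/0: "permit valid-source, then drop any"
FROM_CUSTOMER = [ip_network("192.168.0.0/24"), ip_network("10.0.0.0/30")]

def acl_permits(src: str) -> bool:
    """Static ACL: accept only sources inside the customer's assigned prefixes."""
    a = ip_address(src)
    return any(a in net for net in FROM_CUSTOMER)

def return_paths(src: str):
    """Longest-prefix match on the routing table; None if the source is unrouted."""
    a = ip_address(src)
    matches = [net for net in RIB if a in net]
    return RIB[max(matches, key=lambda n: n.prefixlen)] if matches else None

def urpf_permits(src: str, in_iface: str, mode: str) -> bool:
    """uRPF: is the source reachable back out the interface the packet came in on?"""
    paths = return_paths(src)
    if paths is None:        # unused/unrouted source: every mode drops it
        return False
    if mode == "loose":      # any route at all is enough, the interface is not checked
        return True
    if mode == "strict":     # the best path must point back out the ingress interface
        return paths[0] == in_iface
    if mode == "feasible":   # any feasible path back out the ingress interface is enough
        return in_iface in paths
    raise ValueError(f"unknown uRPF mode: {mode}")

def evaluate(src: str, in_iface: str) -> dict:
    """Run every check on one packet; the ACL only exists on the customer port."""
    return {"acl": acl_permits(src) if in_iface == "ge-0/0/0" else None,
            **{m: urpf_permits(src, in_iface, m) for m in ("loose", "strict", "feasible")}}

if __name__ == "__main__":
    for src, iface, why in [("192.168.0.10", "ge-0/0/0", "legitimate customer host"),
                            ("203.0.113.5", "ge-0/0/0", "spoofed victim address (reflection)"),
                            ("0.0.0.0", "ge-0/0/0", "unused source address"),
                            ("172.16.5.5", "ge-0/0/2", "multi-homed customer, asymmetric path")]:
        print(f"{why:40s} {evaluate(src, iface)}")
```

The spoofed victim address passes loose mode because it is routable somewhere, and the multi-homed customer fails strict mode on its secondary link, which is exactly the pair of limitations the slide lists. The ACL here permits the customer’s /24 to match “filter as precisely as possible”; the deck’s own ACL example permits 192.168.0.0/16 (wildcard 0.0.255.255), wider than the /24 it labels.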
END