Idpf [EDocFind[1].Com]


  • 8/6/2019 Idpf [EDocFind[1].Com]


    Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates

    Zhenhai Duan, Xin Yuan
    Department of Computer Science
    Florida State University

    Jaideep Chandrashekar
    Department of Computer Science
    University of Minnesota


    IP spoofing:

    Forging the source address
    Used by many popular DDoS attacks
    Makes it difficult to defend against attacks.

    [Figure: nodes A, B, C, D, X, Y]


    Route-based packet filtering

    One can fake the identity, but not the route.
    A router can decide whether it is on the path from the source to the destination and drop packets that are not supposed to be there.
    Route-based packet filtering cannot completely eliminate IP spoofing; however, it can significantly reduce it.

    [Figure: nodes A, B, C, D, X, Y]


    Route-based packet filtering requirement:

    The router must know the route between any pair of source and destination addresses.
        Global topology information
        Not available in BGP.

    Is it possible to infer the feasible route information from BGP updates?

    If it is possible, what is the performance?


    BGP basic:

    Autonomous Systems (AS) are the basic units
    The network can be modeled as an AS graph
        Nodes are ASes and edges are BGP sessions
        Nodes own network prefixes and exchange BGP route updates to learn the reachability of prefixes
    Attributes associated with routes: AS path, prefix.


    BGP basic:

    An incremental protocol: updates are generated only in response to network events.
    Policy based routing:
        Import
        Route selection
        Export


    BGP basic:

    AS relationships and routing policy:
        Provider-customer
        Peer-peer
        Sibling-sibling


    BGP basic: Property of BGP routes:

    Uphill path: customer-provider edges or sibling-sibling edges
    Downhill path: provider-customer edges or sibling-sibling edges
    Theorem 1 (Gao [17]): If all ASes set their export policies according to r1-r4, BGP routes belong to one of the following:
        An uphill path
        A downhill path
        An uphill path followed by a downhill path
        An uphill path followed by a peer-peer edge
        A peer-to-peer edge followed by a downhill path
        An uphill path followed by a peer-to-peer edge followed by a downhill path.


    Inter Domain Packet Filters (IDPF):

    Deciding feasible routes under BGP
    Feasible routes in BGP are constrained by routing policies (AS relation)


    Inter Domain Packet Filters (IDPF):

    Path constrained by the routing policies
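
    An added example, not part of the original slides: enumerating the policy-feasible paths between two ASes by applying the path shapes of Theorem 1 as a pruning rule. The AS names, the relationship labels and the sample graph are constructed for illustration.

```python
# Edge types as seen when walking a -> b. Labels are this example's own.
C2P, P2C, PEER, SIB = "customer-provider", "provider-customer", "peer-peer", "sibling-sibling"
INVERSE = {C2P: P2C, P2C: C2P, PEER: PEER, SIB: SIB}

def add_edge(rel, a, b, kind):
    """Record the relationship in both directions."""
    rel[(a, b)] = kind
    rel[(b, a)] = INVERSE[kind]

def valley_free(path, rel):
    """True if path is uphill edges, at most one peer edge, then downhill edges."""
    can_climb = True
    for a, b in zip(path, path[1:]):
        kind = rel[(a, b)]
        if kind in (C2P, PEER) and not can_climb:
            return False            # climbing or peering again after the peak
        if kind in (P2C, PEER):
            can_climb = False       # sibling edges never change the phase
    return True

def feasible_paths(src, dst, rel):
    """All loop-free paths src -> dst that satisfy Theorem 1 (depth-first search)."""
    found, stack = [], [[src]]
    while stack:
        path = stack.pop()
        if path[-1] == dst:
            found.append(path)
            continue
        for (a, b) in rel:
            # Valley-freeness is prefix-closed, so bad prefixes can be pruned early.
            if a == path[-1] and b not in path and valley_free(path + [b], rel):
                stack.append(path + [b])
    return sorted(found)

def sample_graph():
    """Constructed topology: stubs A, B, C; providers P1, P2 (peers); upstream T."""
    rel = {}
    for cust, prov in [("A", "P1"), ("B", "P2"), ("C", "P1"), ("C", "P2"),
                       ("P1", "T"), ("P2", "T")]:
        add_edge(rel, cust, prov, C2P)
    add_edge(rel, "P1", "P2", PEER)
    return rel

if __name__ == "__main__":
    for p in feasible_paths("A", "B", sample_graph()):
        print(" -> ".join(p))
```

    The path A, P1, C, P2, B is physically connected but is not feasible, because the multi-homed customer C would be providing transit between its two providers.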


    Assumptions in our scheme:

    Export rules: MUST export

    Import rules:


    Inferring the feasible paths:

    If u is a feasible upstream neighbor of v for packet M(u, d), node u must have exported to v its best route to reach s.
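
    An added example, not code from the slides or the authors: a filter at AS v that accepts a packet from neighbor u only if u has announced to v a route covering the packet's source address, which is the inference stated above. The neighbor names and the update log are constructed, and two simplifications are assumed: withdrawals take effect immediately, and any covering prefix counts as a match.

```python
import ipaddress
from collections import defaultdict

# Constructed update log as seen at AS v: (neighbor, kind, prefix).
# Neighbor names are hypothetical; prefixes are documentation ranges.
UPDATES = [
    ("u1", "announce", "192.0.2.0/24"),
    ("u1", "announce", "198.51.100.0/24"),
    ("u2", "announce", "198.51.100.0/24"),
    ("u3", "announce", "203.0.113.0/24"),
    ("u1", "withdraw", "198.51.100.0/24"),
]

class IDPF:
    """Source-address filter at AS v, built only from the updates v receives."""

    def __init__(self):
        self.exported = defaultdict(set)  # neighbor -> prefixes it announced to v

    def on_update(self, neighbor, kind, prefix):
        net = ipaddress.ip_network(prefix)
        if kind == "announce":
            self.exported[neighbor].add(net)
        elif kind == "withdraw":
            self.exported[neighbor].discard(net)
        else:
            raise ValueError(f"unknown update kind: {kind}")

    def feasible_upstreams(self, src_ip):
        """Neighbors that have exported to v a route covering src_ip."""
        addr = ipaddress.ip_address(src_ip)
        return {n for n, nets in self.exported.items()
                if any(addr in net for net in nets)}

    def accept(self, neighbor, src_ip):
        """Forward a packet only if it arrives from a feasible upstream neighbor."""
        return neighbor in self.feasible_upstreams(src_ip)

def build_filter(updates):
    """Replay an update log into a fresh filter."""
    f = IDPF()
    for neighbor, kind, prefix in updates:
        f.on_update(neighbor, kind, prefix)
    return f

if __name__ == "__main__":
    f = build_filter(UPDATES)
    for nbr, src in [("u1", "192.0.2.7"), ("u2", "192.0.2.7"), ("u2", "198.51.100.9")]:
        print(nbr, src, "accept" if f.accept(nbr, src) else "drop")
```

    Before the withdrawal, 198.51.100.0/24 is accepted from both u1 and u2 even though v forwards along only one of them: the filter admits the set of feasible upstream neighbors, not a single best route.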


    IDPFs:


    Routing policy complication:

    Selective announcements:
        R5: restricted conditional advertisement


    Performance:

    Because IDPF finds a set of feasible paths instead of one best route, its performance will not be as good as that of ideal route-based filters [Park 2001]

    Important question: How many ASes must deploy IDPF for it to be effective?

    IDPF has two effects
        Reducing the number of prefixes that can be spoofed
        Localizing the source of spoofed packets


    Performance metrics:


    Data Set:

    4 AS graphs from the BGP data archived by the Oregon Route Views Project.


    Experimental setting

    Determine the feasible paths based on update logs.
    Use shortest path as the route (add if the shortest path is not a feasible path)
    Selecting nodes that deploy IDPF
        Random (rnd30/rnd50)
        Vertex cover
    If not mentioned specifically, IDPF nodes also have network ingress filtering.


    Chance of completely eliminating IP spoofing:


    Conclusion:

    We proposed and studied IDPF
    IDPF can limit the spoofing capability of attackers even when partially deployed and improves the accuracy of IP traceback
    IDPF provides local incentives for deployment.