8/6/2019 Idpf [EDocFind[1].Com]
Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates
Zhenhai Duan, Xin Yuan
Department of Computer Science
Florida State University
Jaideep Chandrashekar
Department of Computer Science
University of Minnesota
IP spoofing:
Forging the source address
Used by many popular DDoS attacks
Makes it difficult to defend against attacks.
[Figure: network diagram with nodes A, B, C, D, X and Y]
Route based packet filtering
One can fake the identity, but not the route.
A router can decide whether it is on the path from the source to the destination and drop packets that are not supposed to be there.
Route based packet filtering cannot completely eliminate IP spoofing; however, it can significantly reduce it.
[Figure: network diagram with nodes A, B, C, D, X and Y]
Route based packet filtering requirement:
The router must know the route between any pair of source and destination addresses.
Global topology information
Not available in BGP.
Is it possible to infer the feasible route information from BGP updates?
If it is possible, what is the performance?
BGP basic:
Autonomous Systems (AS) are the basic units
The network can be modeled as an AS graph
Nodes are ASes and edges are BGP sessions
Nodes own network prefixes and exchange BGP route updates to learn the reachability of prefixes
Attributes associated with routes: AS path, prefix.
BGP basic:
An incremental protocol: updates are generated only in response to network events.
Policy based routing:
Import
Route selection
Export
BGP basic:
AS relationships and routing policy:
Provider-customer
Peer-peer
Sibling-sibling
BGP basic:
Property of BGP routes:
Uphill path: customer-provider edges or sibling-sibling edges
Downhill path: provider-customer edges or sibling-sibling edges
Theorem 1 (Gao [17]): If all ASes set their export policies according to r1-r4, BGP routes belong to one of the following:
An uphill path
A downhill path
An uphill path followed by a downhill path
An uphill path followed by a peer-peer edge
A peer-to-peer edge followed by a downhill path
An uphill path followed by a peer-to-peer edge followed by a downhill path.
Inter Domain Packet Filters (IDPF):
Deciding feasible routes under BGP
Feasible routes in BGP are constrained by routing policies (AS relation)
Inter Domain Packet Filters (IDPF):
Path constrained by the routing policies
Assumptions in our scheme:
Export rules: MUST export
Import rules:
Inferring the feasible paths:
If u is a feasible upstream neighbor of v for packet M(u, d), node u must have exported to v its best route to reach s.
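An added sketch of this inference rule (not code from the slides or the authors): AS v records which prefixes each neighbor has announced to it and accepts a packet from neighbor u only if u has announced a route covering the packet's source. The class and function names, AS numbers, prefixes and update records are constructed for the example, and removing a neighbor immediately on a withdrawal is an assumption of the example.

```python
# Added illustration; every name and sample value here is constructed.
import ipaddress
from collections import defaultdict


class IDPF:
    """Filter at AS v: accept a packet with source s from neighbor u only
    if u has announced to v a route for a prefix that covers s."""

    def __init__(self):
        # neighbor AS number -> prefixes that neighbor currently announces
        self.exported = defaultdict(set)

    def on_update(self, neighbor, kind, prefix):
        net = ipaddress.ip_network(prefix)
        if kind == "A":        # announcement: u exports a route to prefix
            self.exported[neighbor].add(net)
        elif kind == "W":      # withdrawal (assumed to take effect at once)
            self.exported[neighbor].discard(net)
        else:
            raise ValueError(f"unknown update type {kind!r}")

    def accept(self, neighbor, src_ip):
        src = ipaddress.ip_address(src_ip)
        # .get() avoids creating entries for neighbors never seen in updates
        return any(src in net for net in self.exported.get(neighbor, ()))


def build_filter(updates):
    """Replay (neighbor, kind, prefix) update records in order."""
    f = IDPF()
    for neighbor, kind, prefix in updates:
        f.on_update(neighbor, kind, prefix)
    return f


# Constructed update log as seen by AS v (documentation ASNs and prefixes).
UPDATES = [
    (64500, "A", "192.0.2.0/24"),
    (64500, "A", "198.51.100.0/24"),
    (64501, "A", "198.51.100.0/24"),
    (64501, "A", "203.0.113.0/24"),
    (64500, "W", "198.51.100.0/24"),
]

if __name__ == "__main__":
    idpf = build_filter(UPDATES)
    for nbr, src in [(64500, "192.0.2.7"), (64500, "203.0.113.9"),
                     (64501, "198.51.100.5"), (64500, "198.51.100.5")]:
        print(nbr, src, "accept" if idpf.accept(nbr, src) else "drop")
```

A spoofed source inside 192.0.2.0/24 arriving from AS 64500 is still accepted, since that path is feasible; the filter narrows what can be spoofed without removing it.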
IDPFs:
Routing policy complication:
Selective announcements:
R5: restricted conditional advertisement
Performance:
Because IDPF finds a set of feasible paths instead of one best route, its performance will not be as good as the ideal route based filters [Park 2001]
Important question: How many ASes must deploy IDPF to be effective?
IDPF has two effects
Reducing the number of prefixes that can be spoofed
Localizing the source of spoofed packets
Performance metrics:
Data Set:
4 AS graphs from the BGP data archived by the Oregon Route Views Project.
Experimental setting
Determine the feasible paths based on update logs.
Use shortest path as the route (add if the shortest path is not a feasible path)
Selecting nodes that deploy IDPF
Random (rnd30/rnd50)
Vertex cover
If not mentioned specifically, IDPF nodes also have network ingress filtering.
Chance of completely eliminating IP spoofing:
Conclusion:
We proposed and studied IDPF
IDPF can limit the spoofing capability of attackers even when partially deployed and improves the accuracy of IP traceback
IDPF provides local incentives for deployment.