8/6/2019 Idpf [EDocFind[1].Com]
Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates
Zhenhai Duan, Xin Yuan
Department of Computer Science
Florida State University
Jaideep Chandrashekar
Department of Computer Science
University of Minnesota
IP spoofing:
Forging the source address
Used by many popular DDoS attacks
Making it difficult to defend against attacks.
Route based packet filtering
One can fake the identity, but not the route.
A router can decide whether it is in the path from the source to the destination and drop packets that are not supposed to be there.
Route based packet filter cannot completely eliminate IP spoofing, however, it can significantly reduce it.
Route based packet filtering requirement:
The router must know the route between any pair of source and destination addresses.
  Global topology information
  Not available in BGP.
Is it possible to infer the feasible route information from BGP updates?
If it is possible, what is the performance?
BGP basic:
Autonomous Systems (AS) are the basic units
The network can be modeled as an AS graph
  Nodes are ASes and edges are BGP sessions
  Nodes own network prefixes and exchange BGP route updates to learn the reachability of prefixes
Attributes associated with routes: AS path, prefix.
BGP basic:
An incremental protocol: updates are generated only in response to network events.
Policy based routing:
  Import
  Route selection
  Export
BGP basic:
AS relationships and routing policy:
  Provider-customer
  Peer-peer
  Sibling-sibling
BGP basic: Property of BGP routes:
Uphill path: customer-provider edges or sibling-sibling edges
Downhill path: provider-customer edges or sibling-sibling edges
Theorem 1 (Gao [17]): If all ASes set their export policies according to r1-r4, BGP routes belong to one of the following:
  An uphill path
  A downhill path
  An uphill path followed by a downhill path
  An uphill path followed by a peer-peer edge
  A peer-to-peer edge followed by a downhill path
  An uphill path followed by a peer-to-peer edge followed by a downhill path.
Inter Domain Packet Filters (IDPF):
Deciding feasible routes under BGP
Feasible routes in BGP are constrained by routing policies (AS relation)
Inter Domain Packet Filters (IDPF):
Path constrained by the routing policies
Assumptions in our scheme:
Export rules: MUST export
Import rules:
Inferring the feasible paths:
If u is a feasible upstream neighbor of v for packet M(u, d), node u must have exported to v its best route to reach s.
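An added sketch of the inference rule above, not code from the slides or from the authors: AS v treats neighbor u as a feasible upstream for a source only while u announces to v a route covering that source. The class and function names, the AS numbers and the prefixes are constructed for illustration, and accepting on any covering prefix is an assumption.

```python
import ipaddress
from collections import defaultdict

class IDPF:
    """Filter state at one AS v, built only from the BGP updates v receives."""

    def __init__(self):
        # prefix -> neighbors that currently announce a route to it
        self.announced_by = defaultdict(set)

    def on_update(self, neighbor, prefix, as_path):
        """Apply one update incrementally; as_path=None models a withdrawal."""
        net = ipaddress.ip_network(prefix)
        if as_path is None:
            self.announced_by[net].discard(neighbor)
        else:
            self.announced_by[net].add(neighbor)

    def feasible_neighbors(self, src_ip):
        """Neighbors that exported to v a route covering the source address."""
        addr = ipaddress.ip_address(src_ip)
        found = set()
        for net, neighbors in self.announced_by.items():
            if addr in net:
                found |= neighbors
        return found

    def accept(self, src_ip, from_neighbor):
        """Forward only if the packet arrived from a feasible upstream neighbor."""
        return from_neighbor in self.feasible_neighbors(src_ip)

def build_demo_filter():
    # Constructed updates seen by v: (neighbor AS, prefix, AS path or None)
    updates = [
        (64500, "192.0.2.0/24", [64500, 64510]),
        (64501, "192.0.2.0/24", [64501, 64500, 64510]),
        (64501, "198.51.100.0/24", [64501, 64511]),
        (64502, "203.0.113.0/24", [64502]),
        (64501, "192.0.2.0/24", None),  # later withdrawal by 64501
    ]
    idpf = IDPF()
    for neighbor, prefix, path in updates:
        idpf.on_update(neighbor, prefix, path)
    return idpf

if __name__ == "__main__":
    idpf = build_demo_filter()
    for src, nbr in [("192.0.2.7", 64500), ("192.0.2.7", 64501), ("192.0.2.7", 64502)]:
        print(src, "via AS", nbr, "->", "accept" if idpf.accept(src, nbr) else "drop")
```

A packet with a forged source of 198.51.100.9 is still accepted if it arrives through AS 64501, which is the residual spoofing that route based filtering reduces but does not eliminate.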
IDPFs:
Routing policy complication:
Selective announcements:
R5: restricted conditional advertisement
Performance:
Because IDPF finds a set of feasible paths instead of one best route, its performance will not be as good as the ideal route based filters [Park 2001]
Important question: How many ASes must deploy IDPF to be effective?
IDPF has two effects
  Reducing the number of prefixes that can be spoofed
  Localizing the source of spoofed packets
Performance metrics:
Data Set:
4 AS graphs from the BGP data archived by the Oregon Route Views Project.
Experimental setting
Determine the feasible paths based on update logs.
Use shortest path as the route (add if the shortest path is not a feasible path)
Selecting nodes that deploy IDPF
  Random (rnd30/rnd50)
  Vertex cover
If not mentioned specifically, IDPF nodes also have network ingress filtering.
Chance of completely eliminating IP spoofing:
Conclusion:
We proposed and studied IDPF
IDPF can limit the spoofing capability of attackers even when partially deployed and improves the accuracy of IP traceback
IDPF provides local incentives for deployment.