Illegitimate Source IP Addresses At Internet Exchange Points
@ Connect WG, RIPE 73, Madrid
Franziska Lichtblau, Florian Streibelt, Philipp Richter, Anja Feldmann
26.10.2016
TU Berlin
Introduction
What are illegitimate source IP addresses?
• Intentionally spoofed traffic
• Internal traffic leaked by mistake
• General misconfiguration, unknown…
Packets with source addresses that are not valid within the scope of the public Internet.
Why look at illegitimate source IPs?
• Includes attack traffic (DoS, DDoS, …)
• Studying unwanted traffic can give insights to come up with mitigation strategies
• Potentially exposes information about internal infrastructure
• Utilizes (expensive) bandwidth
Illegitimate Traffic: Our Categories
• Bogon: RFC1918, IANA reserved, Multicast, Future Use, etc…
• Unrouted: Source IP address is not announced in the "global routing table"
• Invalid: Traffic sent by a network that is not responsible for the corresponding prefix
What we do…
• Previous studies like the Spoofer Project send probes to check for BCP38 compliance
• Our work is a passive approach to check for BCP38 deployment
• Provides insights about specific traffic volume and characteristics
Identifying Traffic
Identifying Bogon and Unrouted
Bogon
• RFC1918, Multicast, Future Use, IANA reserved
Traffic with a source address which is covered by this list is of class Bogon.
Unrouted
• Routing information: IXP Route Server, RIPE/RIS, RouteViews
• Compile a list of observed prefixes at all routing sources
• Ignored: Announcements larger than /8 and smaller than /24
Traffic with a source address which is not covered by this list is of class Unrouted.
Routing Information
We utilize as many data sources as possible to minimize false positives:
• RIPE/RIS (14 collectors)
• RouteViews (16 collectors)
• Bogon/Martian prefix list as provided by Team Cymru
Bogon And Unrouted Overview
Bogon Prefixes
• As defined in RFC1918 and RFC5737
• 2.3M /24
• 14% of the IPv4 address space
Unrouted Prefixes
• 11.3M validly announced /24 (78% of the IPv4 address space)
• 3.16M unrouted /24 (excluding Bogon)
[Figure: Fraction of total IPv4 space, bars for Routed, Unrouted and Bogon on a 0.0 to 1.0 scale]
AS specific: Identifying Invalid
[Diagram: AS A peers with AS B, AS C, AS D and other ASes; together they reach the Public Internet. The diagram is built up step by step over the following slides.]
• Traffic with SRC IP announced by AS A
• Assumption: An AS announcing a prefix is also a legitimate source for traffic originating from this prefix.
• AS A announcing prefixes p1, p2, p3 to the other ASes
• List of valid prefixes for AS A: p1, p2, p3, …
• Construct list of valid prefixes for each AS
• Traffic with SRC IP announced by downstream of AS A (diagram labels: "announces p3", "announces p4, p5, p6")
• Extend prefix list of AS A by prefixes of downstream ASes: p1, p2, p3, p4, p5, p6, …
• Prefix lists are also created for AS B, AS C and AS D (derived from public routing data) and added to the list of AS A
• Traffic from AS A with SRC IP not announced by AS A or its downstream AS: p666 and p667 are not included in the list for AS A
Invalid: Traffic with a SRC IP from a prefix NOT covered by the prefix list of AS A
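The classification pipeline of the preceding slides (Bogon list, routed prefix list with the /8 to /24 filter, and per-AS prefix lists extended along the AS path so that downstream prefixes count for the upstream AS), as an added Python example that is not the authors' code. The bogon list, BGP announcements and sampled flow records are constructed sample data; AS65001 plays the role of AS A.

```python
import ipaddress
from collections import defaultdict

Net = ipaddress.IPv4Network

# Constructed bogon/martian list (a stand-in for the Team Cymru list).
BOGONS = [Net(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                           "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed announcements: (prefix, AS path as seen at a collector, origin last).
ANNOUNCEMENTS = [
    ("172.32.10.0/24", [65001]),          # p1, originated by AS A
    ("172.32.11.0/24", [65001]),          # p2, originated by AS A
    ("172.33.0.0/24",  [65001, 65002]),   # p4, AS B is downstream of AS A
    ("172.50.0.0/24",  [65004]),          # announced only by an unrelated AS
    ("10.0.0.0/7",     [65005]),          # larger than /8: ignored by the rule
    ("172.32.13.0/25", [65001]),          # smaller than /24: ignored by the rule
]

def usable(net):
    """Slide rule: ignore announcements larger than /8 and smaller than /24."""
    return 8 <= net.prefixlen <= 24

def build_tables(announcements):
    """Routed prefix list plus, per ASN, the prefixes it may legitimately source."""
    routed = []
    valid_for = defaultdict(set)
    for prefix, path in announcements:
        net = Net(prefix)
        if not usable(net):
            continue
        routed.append(net)
        # Every AS on the path is treated as a legitimate source, which is how
        # a downstream AS's prefixes end up in the upstream AS's list (and the
        # reason the slides list "AS must just be on the path" as a false negative).
        for asn in path:
            valid_for[asn].add(net)
    return routed, valid_for

def covered(ip, nets):
    return any(ip in n for n in nets)

def classify(member_asn, src, routed, valid_for):
    """Classes are checked in the order the slides define them."""
    ip = ipaddress.ip_address(src)
    if covered(ip, BOGONS):
        return "bogon"
    if not covered(ip, routed):
        return "unrouted"
    if not covered(ip, valid_for[member_asn]):
        return "invalid"
    return "valid"

# Constructed sampled flow records: (IXP member ASN that sent the packet, source IP).
FLOWS = [(65001, "10.1.2.3"), (65001, "172.32.10.5"), (65001, "172.33.0.9"),
         (65001, "172.40.0.1"), (65001, "172.50.0.1"), (65001, "11.1.1.1")]

def classify_flows(flows=FLOWS, announcements=ANNOUNCEMENTS):
    routed, valid_for = build_tables(announcements)
    return [(asn, ip, classify(asn, ip, routed, valid_for)) for asn, ip in flows]

if __name__ == "__main__":
    for asn, ip, cls in classify_flows():
        print(f"AS{asn} {ip:15} -> {cls}")
```

Note that 11.1.1.1 comes out as unrouted only because its covering /7 announcement is dropped by the size filter; that is the filter's effect, not a judgement about the address.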
Identifying Invalid: Limitations
False positives
• No full picture of the complete BGP state
• Can not capture direct private interconnects
False negatives
• An AS must just be somewhere on the AS Path to be a valid source
Lots of number crunching involved: the process works completely offline, using a lot of computation time and memory.
Applying our methodology at a Large European IXP
Flow Data
• Measurements taken at a Large European IXP (LIXP)
• More than 700 members and peak traffic up to 5 Tb/s
• 5 weeks of uninterrupted IPFIX from 2016-01-18 to 2016-02-21
• Sampling rate 1/32K
• We only considered IPv4 (until now… no need to queue for this question ;) )
Fractions of Bogon, Unrouted, Invalid in terms of total traffic

| Class    | Absolute traffic | Bytes  | Packets |
|----------|------------------|--------|---------|
| Bogon    | 28.11 TB         | 0.004% | 0.029%  |
| Unrouted | 72.56 TB         | 0.010% | 0.053%  |
| Invalid  | 509.68 TB        | 0.076% | 0.087%  |

The relative amount is small, but in absolute terms we have 610 TB of traffic for all 3 classes within one week.
Overview: Traffic Classes Over One Week
Legend: All Traffic, BOGON\1918, RFC1918, INVALID, UNROUTED
Figure 1: LIXP: TCP – Time series week 2016-01-18 (sampled packets per hour on a log scale from 1e+04 to 1e+06, over hours since 2016-01-18, day 0 to day 7)
Figure 2: LIXP: UDP – Time series week 2016-01-18 (same axes)
Top 20 UDP Destination Ports
[Figures: "Invalid" UDP traffic mix compared with the regular UDP traffic mix]
Contribution to invalid by IXP member
[Figure: Contribution to class INVALID per member (packets), members 1 to 6, fraction 0.0 to 1.0]
80% of the invalid traffic can be attributed to 3 IXP members
Member Categorization (Bogon)
[Figure 3: LIXP Bogon. Per member traffic volume: TCP SRC | PKTS (SAMPLED), by member type (Content, NSP, Hosting, ISP, Non-Profit, other) and share of unwanted traffic (> 10 %, > 1 %, > 0.1 %, > 0.01 %, > 0.001 %, > 0 %, 0 %)]
• Majority does not leak anything
• TCP SYNs leaked: probably misconfigured NAT
• Mostly low traffic ISPs and small hosters
Member Categorization (Unrouted and Invalid)
[Figure 4: LIXP: Unrouted and Invalid. Per member traffic volume: TCP SRC | PKTS (SAMPLED), by member type (Content, NSP, Hosting, ISP, Non-Profit, other) and share of unwanted traffic (> 10 %, > 1 %, > 0.1 %, > 0.01 %, > 0.001 %, > 0 %, 0 %)]
• More members involved than in Bogon
• Still lots of members with 0%
• High traffic members have a low unwanted level
• Lots of low traffic ISPs and hosters
Conclusion
What we found…
Network ingress filtering is not deployed everywhere, but some do it right…
• Large networks tend to deploy their filtering correctly (Yes, it can be done!)
• Many small networks lack proper filtering
• Only a small number of members contribute most of the unwanted traffic
Continue the ongoing efforts by the community to educate people and get rid of excuses!