Spoofing Prevention Method Srikanth T.S.S. Sri Lakshmi Ramya S

Upload: emory-sharp

Post on 18-Jan-2018


TRANSCRIPT

Page 1

Spoofing Prevention Method

Srikanth T.S.S. Sri Lakshmi Ramya S

Page 2

Spoofing

An attempt to gain access to a system by posing as an authorized user

Attacker forges the source IP of packets – spoofing the source IP

“Spoofed” IP is an arbitrary IP address selected randomly or intentionally

Major tool used by hackers to mount DoS attacks

Page 3

Characteristics of spoofed attacks

Weakens the ability to mitigate an attack

Makes law enforcement harder

Page 4

Existing mechanisms

Ingress / Egress Filtering

Trace Back

Attempts to mitigate the packet at the destination

Page 5

Existing mechanisms - Ingress and Egress filtering

Ingress – An ISP prohibits receiving from its stub connected networks packets whose source address does not belong to the corresponding stub network address space

Egress – A router or a firewall which is the gateway of a stub network filters out any packet whose source address does not belong to the network address space

Page 6

Existing mechanisms - Ingress and Egress filtering (contd.)

Limitations:

Allows spoofing within a stub network

Not self defensive

Effective only when implemented by a large number of networks

Deployment is costly

Incentive for an ISP is very low

Page 7

Existing mechanisms – Traceback

Determines path an attack flow traverses

Two methods of traceback:

Stamping packets with router signature

Use of a special collector to analyze the path

Page 8

Existing mechanisms – TCP Intercept

Router checks the real host behind the source address by completing the 3-way handshake

If connection with client is established, then address considered not spoofed

Drawbacks:

Applicable only to TCP. Cannot protect UDP traffic or any other connectionless traffic

Poses serious performance penalty

Page 9

Spoofing Prevention Method (SPM)

Unique temporal key K(S,D) associated with each ordered pair of source and destination networks (ASes, autonomous systems)

Routers closer to the destination verify the authenticity of the source address of the packet

Effective and provides incentive to ISPs implementing SPM

Page 10

Working of SPM

Packet leaving a source network S tagged with key K(S,D)

Destination network upon reception of packet verifies the packet using the key & then removes the key

Keys are changed periodically

Page 11

SPM Skeleton

Key Structure & its placement

Key Distribution Protocol

Key Updates

SPM Routers

Page 12

Key

16/32 bit

Placed in the ID field in the IP header where the source address appears

Not efficient to place key in IP option field.

Simple memory lookups – one lookup per packet

No cryptographic functions involved

Page 13

IP Header

Page 14

Key Selection Methodology

Each Source address

Each Source-Destination address pair

Each Source Destination Network pair

Each Source Destination AS pair

Page 15

AS Out Table & AS In Table

AS Out Table:

Present in the sending router

Maintains keys for marking flows

AS In Table:

Present in the Destination router

Maintains keys for verification of flows

Page 16

Key Distribution Methods

Passive Key Information Distribution:

Avoids use of a dedicated key distribution protocol

Keys in the AS-in Table are learned passively from the tagged keys that come from non-spoofed addresses

Can identify non-spoofed traffic if it is TCP traffic

Page 17

Key Distribution Methods

Active Distribution Protocol:

Central server to manage key distribution and selection

AS server performs the following tasks:

Choosing the keys for the AS-out table

Distributing the AS-out table to the routers

Announcing the keys from AS-out table to other AS servers

Building the AS-in table from other server announcements

Updating the AS-in table in the routers in its AS

Page 18

Changing keys periodically

Periodical key updates to increase system security.

Method 1:

Each AS server periodically selects a new set of random keys and distributes it to other AS servers

Keys changed in different ASes at different times

During replacement router holds 2 keys – old & new

Page 19

Changing keys periodically

Method 2:

Each AS server associated with a pseudo random number generator

AS tables filled at predefined times with random number

Page 20

SPM Routers

Two tasks:

Tagging outgoing packets with key

Packet Authentication

Page 21

SPM Routers - Tagging

Tagging done at Edge Routers

Edge Routers - capable of distinguishing packets originated in its AS and packets outside AS

Requires look up on the destination address

Piggybacked on IP lookup process

Cost of tagging is minimal

Page 22

SPM Routers – Dynamic Authentication Process

Additional IP Lookup required, hence cost is high

Packets categorization:

SPM Recognized Spoofed Traffic

SPM Certified Non Spoofed Traffic

All Other Traffic

Page 23

SPM Routers – Dynamic Authentication Process (contd.)

Types of Verification & Discard modes

Peace Time (Conservative):

Only packets of the first category are completely discarded

Packets of Category 1 discarded even if there is no attack.

Attack Time (Aggressive):

When DDoS attack is detected

Category 1 & 3 completely discarded

Gives greater incentive to SPM deployed traffic
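The tagging, verification and discard modes from the SPM router slides, as an added example that is not part of the original deck. The packet fields `src_as`, `dst_as` and `ip_id`, the class and method names, and zeroing the ID field to "remove" the key are assumptions of this sketch.

```python
import secrets
from enum import Enum

class Category(Enum):
    SPOOFED = 1    # SPM recognized spoofed traffic
    CERTIFIED = 2  # SPM certified non-spoofed traffic
    OTHER = 3      # all other traffic (claimed source AS is not an SPM member)

class SpmRouter:
    """Edge router of one AS. Packets are dicts with hypothetical fields
    src_as / dst_as (AS of the claimed source / destination) and ip_id."""

    def __init__(self, asn):
        self.asn = asn
        self.as_out = {}  # AS-out table: destination AS -> key K(S,D) for tagging
        self.as_in = {}   # AS-in table: source AS -> [new key, old key]

    def new_key_for(self, dest):
        """Choose a random 16-bit K(S,D) and announce it to the destination AS.
        The destination keeps the previous key too, so packets tagged just
        before the change still verify (two keys held during replacement)."""
        key = secrets.randbits(16)
        self.as_out[dest.asn] = key
        dest.as_in[self.asn] = [key] + dest.as_in.get(self.asn, [])[:1]
        return key

    def tag(self, packet):
        """Outgoing packet: one lookup on the destination, key goes in the ID field."""
        if packet["dst_as"] in self.as_out:
            packet["ip_id"] = self.as_out[packet["dst_as"]]
        return packet

    def classify(self, packet):
        """Incoming packet: one AS-in lookup, no cryptographic function."""
        keys = self.as_in.get(packet["src_as"])
        if keys is None:
            return Category.OTHER
        return Category.CERTIFIED if packet["ip_id"] in keys else Category.SPOOFED

    def accept(self, packet, under_attack=False):
        """Peace time drops category 1 only; attack time drops categories 1 and 3."""
        cat = self.classify(packet)
        if cat is Category.SPOOFED or (under_attack and cat is Category.OTHER):
            return False
        if cat is Category.CERTIFIED:
            packet["ip_id"] = 0  # key removed after verification (zeroing is an assumption)
        return True
```

A packet that claims a member AS as its source but carries the wrong ID value is dropped in both modes, while traffic from a non-member AS is only dropped once `under_attack` is set.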

Page 24

Analysis of Benefits and Incentives of SPM

Evaluate amount of damage caused to domain i due to attacks.

Evaluation is conducted as follows:

No defense approach

Ingress/Egress filtering approach

SPM approach

Page 25

Analysis of Benefits and Incentives of SPM (contd.)

Assume that the Internet consists of N domains, indexed 1,2,…,N. Let INT = {1,2,…,N} denote this set.

Let $A_{ij}^{(k)}$ be the rate of attacks performed from domain i to domain j where the address of i is spoofed to an address in domain k.

Total attack rate directed at domain i:

$$A_i = \sum_{k=1}^{N} \sum_{j=1}^{N} A_{ij}^{(k)}$$

Page 26

Analysis of Benefits and Incentives of SPM (contd.)

Amount of damage inflicted on servers placed in domain i is denoted by $D_i^{\text{server}}$

Damage reduction is denoted by $DR_i^{\text{server}}$

Relative damage reduction is denoted by $DR_i^{\text{server}} / D_i^{\text{server}}$

Page 27

Damage (attack rate) under No Defense

Total damage to domain i is given by the overall attack rate at the domain:

$$D_i^{\text{server}} = A_i = \sum_{k=1}^{N} \sum_{j=1}^{N} A_{ij}^{(k)}$$

Page 28

Damage Reduction under Ingress/Egress Filtering Defense

Assume a set of domains denoted $IE \subseteq \{1,2,\dots,N\}$ conducts ingress/egress filtering

Damage Reduction of domain i is given by

$$DR_i^{\text{server}} = \sum_{j \in IE} \sum_{k \in INT} A_{ij}^{(k)}$$

Page 29

Damage Reduction Under Ingress/Egress Club Defense

Domains that implement ingress/egress filtering conduct it exclusively to traffic destined to domains in IE

Benefits members of IE when compared to non members

Damage reduction is given by

$$DR_i^{\text{server}} = \begin{cases} \sum_{j \in IECLUB} \sum_{k \in INT} A_{ij}^{(k)} & i \in IECLUB \\ 0 & i \notin IECLUB \end{cases}$$

Page 30

Damage Reduction under SPM Defense

Assume partners of SPM treat SPM produced and authenticated packets at higher priority

Damage reduction is expressed in two ways

$$DR_i^{\text{server}} = \sum_{j \in SPM} \sum_{k \in INT \setminus SPM} A_{ij}^{(k)} + \sum_{j \in INT} \sum_{k \in SPM} A_{ij}^{(k)}, \quad i \in SPM$$

$$DR_i^{\text{server}} = 0, \quad i \notin SPM$$

SPM with ingress/egress filtering:

$$DR_i^{\text{server}} = \sum_{j \in SPM} \sum_{k \in INT} A_{ij}^{(k)}, \quad i \in SPMIE$$

Page 31

Comparison to other Methods

Fully Symmetric System (identical domain sizes). Let $A_{ij}^{(k)} = A/N^3$, $1 \le i,j,k \le N$

Assume size of each of the defense sets IE, IECLUB, SPM, SPMIE is given by K

Under no defense:

2NAD server i

Under ingress/egress filtering:

$$\frac{DR_i^{\text{server}}}{D_i^{\text{server}}} = \begin{cases} K/N & i \in IE \\ K/N & i \notin IE \end{cases}$$

Under SPM:

$$\frac{DR_i^{\text{server}}}{D_i^{\text{server}}} = \begin{cases} 2K/N - K^2/N^2 & i \in SPM \\ 0 & i \notin SPM \end{cases}$$

Page 32

Comparison of Methods - Results

[Figure panels: Ingress/Egress Filtering; SPM + Ingress/Egress]

Page 33

Discussion on Results

Under ingress/egress filtering the relative benefit for a participant is identical to that of a non-participant

Under Ingress/Egress club, there is some relative benefit to its participants but if the club is small, there is little incentive

Under SPM, the benefits are always sufficiently larger
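The damage-reduction sums from the analysis slides evaluated for the fully symmetric system, as an added example that is not part of the original deck. The function names and the choice of domains 1..K as the defense set are assumptions of this sketch; exact fractions are used so the results can be compared with the closed forms K/N and 2K/N − K²/N².

```python
from fractions import Fraction
from itertools import product

def attack_rates(N, A=Fraction(1)):
    """Fully symmetric system: A_ij^(k) = A / N^3 for every i, j, k in INT."""
    INT = set(range(1, N + 1))
    return {ijk: A / N**3 for ijk in product(INT, INT, INT)}, INT

def total(rates, i, js, ks):
    """Sum of A_ij^(k) over j in js and k in ks, for the attacked domain i."""
    return sum(rates[(i, j, k)] for j in js for k in ks)

def relative_dr(N, K, i, method):
    """Relative damage reduction DR_i / D_i for domain i under one defense."""
    rates, INT = attack_rates(N)
    members = set(range(1, K + 1))       # assumption: defense set = domains 1..K
    D = total(rates, i, INT, INT)        # damage under no defense
    if method == "IE":                   # filtering helps every destination
        DR = total(rates, i, members, INT)
    elif method == "IECLUB":             # filtering applied only for club members
        DR = total(rates, i, members, INT) if i in members else 0
    elif method == "SPM":                # only SPM members see a reduction
        DR = (total(rates, i, members, INT - members)
              + total(rates, i, INT, members)) if i in members else 0
    else:
        raise ValueError(method)
    return DR / D
```

With N = 10 and K = 3, `relative_dr` gives 3/10 under plain ingress/egress filtering for members and non-members alike, while under SPM a member gets 51/100 and a non-member 0.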

Page 34

Asymmetric System

Domain sizes and traffic generated by them are not identical

Assume that the domain size is distributed in a Zipf-like distribution

Under Zipf distribution, the size of domain i, i = 1,2,…,N is $X_i = X/i$ for some constant X

Page 35

Benefits of SPM plus Ingress/Egress under Asymmetric traffic

The benefit for participating domains grows very rapidly with the SPM size. This is inferred by the fact that large fractions of attacks are directed to large domains

Page 36

Client Traffic

When SPM contains many members and the defense used by the attacked server is conservative, SPM client derives little advantage

When SPM contains fewer members and aggressive type of defense is used, clients derive large advantage

Benefits to the domain clients complement the benefits to the domain servers, hence greater incentive of joining SPM

Page 37

Concluding Remarks

Ingress filtering economically ineffective – poor incentive for any network

SPM most compatible to today’s internet

SPM can be used by network routers to eliminate or reduce spoofing attacks.

Significantly greater incentive for a network deploying SPM

Effective even if deployed by fraction of networks.