Spoofing Prevention Method

advertisement
Spoofing Prevention Method
Srikanth T.S.S.
Sri Lakshmi Ramya S
Spoofing
 An attempt to gain access to a systemby
posing as an authorized user
 Attacker forges the source IP of packets –
Spoofing the source IP
 “Spoofed” IP is an arbitrary IP address selected
randomly or intentionally
 Major tool used by hackers to mount DoS
attacks
Characteristics of spoofed attacks
 Weakens the ability to mitigate an attack
 Makes law enforcement harder
Existing mechanisms
 Ingress / Egress Filtering
 Trace Back
 Attempts to mitigate the packet at the
destination
Existing mechanisms -Ingress and
Egress filtering
 Ingress – An ISP prohibits receiving from its
stub connected networks packets whose source
address does not belong to the corresponding
stub network address space
 Egress – A router or a firewall which is the
gateway of a stub network filters out any
packet whose source address does not belong
to the network address space
Existing mechanisms -Ingress and
Egress filtering (contd.)
 Limitations
 Allows Spoofing within a stub network
 Not self defensive
 Effective only when implemented by large number of
networks
 Deployment is costly
 Incentive for an ISP is very low
Existing mechanisms – Traceback
 Determines path an attack flow traverses
 Two methods of traceback
 Stamping packets with router signature
 Use of a special collector to analyze the path
Existing mechanisms – TCP Intercept
 Router checks the real host behind the source
address by completing the 3-way handshake
 If connection with client is established, then
address considered not spoofed
 Drawbacks:
 Applicable only to TCP. Cannot protect UDP traffic or
any other connectionless traffic
 Poses serious performance penalty
Spoofing Prevention Method (SPM)
 Unique temporal key K(S,D) associated with
each pair ordered air of source destination
networks (AS’s autonomous systems)
 Router closer to the destination verify
authenticity of the source address of the
packet
 Effective and provides incentive to ISP’s
implementing SPM
Working of SPM
 Packet leaving a source network S tagged with
Key K(S,D)
 Destination network upon reception of packet
verifies the packet using the key & then
removes the key
 Keys are changed periodically
SPM Skeleton
 Key Structure & its placement
 Key Distribution Protocol
 Key Updates
 SPM Routers
Key
 16/32 bit
 Placed in the ID field in the IP header where
the source address appear
 Not efficient to place key in IP option field.
 Simple Memory Lookups – One look up per
packet
 No cryptographic functions involved
IP Header
Key Selection Methodology
 Each Source address
 Each Source-Destination address pair
 Each Source Destination Network pair
 Each Source Destination AS pair
AS Out Table & AS In Table
 AS Out Table
 Present in the sending router
 Maintains keys for marking flows
 AS In Table
 Present in the Destination router
 Maintains keys for verification of flows
Key Distribution Methods
 Passive Key Information Distribution
 Avoids use of a dedicated Key distribution protocol
 Keys in the AS-in Table are learned passively from
the tagged keys that come from non spoofed
addresses
 Can identify a non spoofed traffic if it is TCP traffic
Key Distribution Methods
 Active Distribution Protocol
 Central server to manage key distribution and
selection
 AS server performs the following tasks
 Choosing the keys for the AS-out table
 Distributing the AS-out table to the routers
 Announcing the keys from AS-out table to other AS
servers
 Building the AS-in table from other server
announcements
 Updating the As-in table in the routers in its AS
Changing keys periodically
 periodical key updates to increase system
security.
 Method 1 :
 Each AS server periodically selects a new set of
random keys and distributes it to other AS servers
 Keys changed in different AS’es in different times
 During replacement router holds 2 keys – old & new
Changing keys periodically
 Method 2 :
 Each AS server associated with a pseudo random
number generator
 AS tables filled at predefined times with random
number
SPM Routers
 Two tasks
 Tagging outgoing packets with key
 Packet Authentication
SPM Routers - Tagging
 Tagging done at Edge Routers
 Edge Routers - capable of distinguishing
packets originated in its AS and packets
outside AS
 Requires look up on the destination address
 Piggybacked on IP lookup process
 Cost of tagging is minimal
SPM Routers –
Dynamic Authentication Process
 Additional IP Lookup required, hence cost is
high
 Packets categorization
 SPM Recognized Spoofed Traffic
 SPM Certified Non Spoofed Traffic
 All Other Traffic
SPM Routers –Dynamic
Authentication Process (contd.)
 Types of Verification & Discard modes
 Peace Time (Conservative)
 Only packets of the first category is completely
discarded
 Packets of Category 1 discarded even if there is no
attack.
 Attack Time (Aggressive)
 When DDoS attack is detected
 Category 1 & 3 completely discarded
 Gives greater incentive to SPM deployed traffic
Analysis of Benefits and Incentives of
SPM
 Evaluate amount of damage caused to domain
i due to attacks.
 Evaluation is conducted as follows
 No defense approach
 Ingress/Egress filtering approach
 SPM approach
Analysis of Benefits and Incentives of
SPM (contd.)
 Assume that the Internet consists of N domains,
indexed 1,2,…,N.
Let INT = {1,2,…,N} denote this set.
(k )
 Let Ai  j be the rate of attacks performed from domain
I to domain j where the address of I is spoofed to an
address in domain k.
 Total attack rate directed at domain i:
k)
Ai  k 1  j 1 A(j 
i
N
N
Analysis of Benefits and Incentives of
SPM (contd.)
 Amount of damage inflicted on servers placed in domain
server
D
i is denoted by i
 Damage reduction is denoted by
DR iserver
 Relative damage reduction is denoted by
DR iserver Diserver
Damage (attack rate) under No
Defense
 Total damage to domain I is given by the
overall attack rate at the domain :
server
i
D
 k 1  j 1 A
N
N
(k )
j i
 Ai
Damage Reduction under
Ingress/Egress Filtering Defense
 Assume a set of domains denoted IE
{1,2,…,N} conducts ingress/egress filtering
 Damage Reduction of domain i is given by
DR iserver 

(k )
A
 j i
jIE kINT
Damage Reduction Under
Ingress/Egress Club Defense
 Domains that implement ingress/egress filtering
conduct it exclusively to traffic destined to
domains in IE
 Benefits members of IE when compared to non
members
 Damage reduction is given by
DRiserver 

(k )
A
 ji i  IECLUB
jIECLUB kINT
DRiserver  0i  IECLUB
Damage Reduction under SPM
Defense
 Assume partners of SPM treat SPM produced and
authenticated packets at higher priority
 Damage reduction is expressed in two ways
DR iserver 

(k )
A
 j i 
jINT kSPM

(k )
A
 j i i  SPM
jSPM kINT  SPM
DR iserver  0;
i  SPM
 SPM with ingress/egress filtering :
DR iserver 

(k )
A
 j i
jSPM kINT
i  SPMIE
Comparison to other Methods
 Fully Symmetric System (identical domain sizes). Let
Ai(k )j  A / N 31  i, j, k  N
 Assume size of each of the defense sets IE, IECLUB,
SPM, SPMIE is given by K
 Under no defense: D server  A
i
N2
 Under ingress/egress filtering:
 K / Ni  IE
DRiserver


Diserver
 K / Ni  IE
 Under SPM
DRiserver
Diserver
2 K / N  K 2 / N 2 i  SPM
 
0i  SPM
Comparison of Methods - Results
Ingress/Egress Filtering
SMP+Ingress/Egress
Discussion on Results
 Under ingress/egress filtering the relative
benefit for a participant is identical to that of a
non-participant
 Under Ingress/Egress club, there is some
relative benefit to its participants but if the
club is small, there is little incentive
 Under SPM, the benefits are always sufficiently
larger
Asymmetric System
 Domain sizes and traffic generated by them are
not identical
 Assume that the domain size is distributed in a
Zipf* like distribution
 Under Zipf distribution, the size of domain i, i
= 1,2,…N is Xi = X/i for some constant X
Benefits of SPM plus Ingress/Egress
under Asymmetric traffic
The benefit for participating domains grows very rapidly with
the SPM size. This is inferred by the fact that large fractions of attacks
are directed to large domains
Client Traffic
 When SPM contains many members and the
defense used by the attacked server is
conservative, SPM client derives little
advantage
 When SPM contains less members and
aggressive type of defense is used, clients
derive large advantage
 Benefits to the domain clients complements the
benefits to the domain servers ,hence greater
incentive of joining SPM
Concluding Remarks
 Ingress filtering economically ineffective –poor
incentive for any network
 SPM most compatible to today’s internet
 SPM can be used by network routers to
eliminate or reduce spoofing attacks.
 Significantly greater incentive for a network
deploying SPM
 Effective even if deployed by fraction of
networks.
Download