Spoofing Prevention Method
Srikanth T.S.S. Sri Lakshmi Ramya S

Spoofing
- An attempt to gain access to a system by posing as an authorized user
- Attacker forges the source IP of packets (spoofing the source IP)
- “Spoofed” IP is an arbitrary IP address selected randomly or intentionally
- Major tool used by hackers to mount DoS attacks

Characteristics of spoofed attacks
- Weakens the ability to mitigate an attack
- Makes law enforcement harder

Existing mechanisms
- Ingress / Egress Filtering
- Trace Back
- Attempts to mitigate the packet at the destination

Existing mechanisms - Ingress and Egress filtering
- Ingress: An ISP prohibits receiving from its stub connected networks packets whose source address does not belong to the corresponding stub network address space
- Egress: A router or a firewall which is the gateway of a stub network filters out any packet whose source address does not belong to the network address space
- Limitations
  - Allows spoofing within a stub network
  - Not self defensive
  - Effective only when implemented by a large number of networks
  - Deployment is costly
  - Incentive for an ISP is very low

Existing mechanisms - Traceback
- Determines the path an attack flow traverses
- Two methods of traceback
  - Stamping packets with router signature
  - Use of a special collector to analyze the path

Existing mechanisms - TCP Intercept
- Router checks the real host behind the source address by completing the 3-way handshake
- If the connection with the client is established, then the address is considered not spoofed
- Drawbacks:
  - Applicable only to TCP.
  - Cannot protect UDP traffic or any other connectionless traffic
  - Poses a serious performance penalty

Spoofing Prevention Method (SPM)
- A unique temporal key K(S,D) is associated with each ordered pair of source and destination networks (ASes, autonomous systems)
- Routers closer to the destination verify the authenticity of the source address of the packet
- Effective, and provides an incentive to ISPs implementing SPM

Working of SPM
- A packet leaving a source network S is tagged with the key K(S,D)
- The destination network, upon reception of the packet, verifies the packet using the key and then removes the key
- Keys are changed periodically

SPM Skeleton
- Key Structure & its placement
- Key Distribution Protocol
- Key Updates
- SPM Routers

Key
- 16/32 bit
- Placed in the ID field in the IP header where the source address appears
- Not efficient to place the key in the IP option field.
- Simple memory lookups: one lookup per packet
- No cryptographic functions involved

IP Header (figure)

Key Selection Methodology
- Each Source address
- Each Source-Destination address pair
- Each Source Destination Network pair
- Each Source Destination AS pair

AS Out Table & AS In Table
- AS Out Table
  - Present in the sending router
  - Maintains keys for marking flows
- AS In Table
  - Present in the destination router
  - Maintains keys for verification of flows

Key Distribution Methods - Passive Key Information Distribution
- Avoids use of a dedicated key distribution protocol
- Keys in the AS-in table are learned passively from the tagged keys that come from non-spoofed addresses
- Can identify non-spoofed traffic if it is TCP traffic

Key Distribution Methods - Active Distribution Protocol
- Central server to manage key distribution and selection
- The AS server performs the following tasks
  - Choosing the keys for the AS-out table
  - Distributing the AS-out table to the routers
  - Announcing the keys from the AS-out table to other AS servers
  - Building the AS-in table from other server announcements
  - Updating the AS-in table in the routers in its AS

Changing keys periodically
- Periodic key updates to increase system security.
- Method 1: Each AS server periodically selects a new set of random keys and distributes it to other AS servers
  - Keys are changed in different ASes at different times
  - During replacement, a router holds 2 keys: old & new
- Method 2: Each AS server is associated with a pseudo random number generator
  - AS tables are filled at predefined times with random numbers

SPM Routers
- Two tasks
  - Tagging outgoing packets with the key
  - Packet authentication

SPM Routers - Tagging
- Tagging is done at edge routers
- Edge routers are capable of distinguishing packets originated in their AS from packets originated outside the AS
- Requires a lookup on the destination address
- Piggybacked on the IP lookup process
- Cost of tagging is minimal

SPM Routers - Dynamic Authentication Process
- Additional IP lookup required, hence cost is high
- Packet categorization
  1. SPM Recognized Spoofed Traffic
  2. SPM Certified Non Spoofed Traffic
  3. All Other Traffic
- Types of Verification & Discard modes
  - Peace Time (Conservative)
    - Only packets of the first category are completely discarded
    - Packets of Category 1 are discarded even if there is no attack.
  - Attack Time (Aggressive)
    - When a DDoS attack is detected
    - Category 1 & 3 completely discarded
    - Gives greater incentive to SPM deployed traffic

Analysis of Benefits and Incentives of SPM
- Evaluate the amount of damage caused to domain i due to attacks.
- Evaluation is conducted as follows
  - No defense approach
  - Ingress/Egress filtering approach
  - SPM approach
- Assume that the Internet consists of N domains, indexed 1,2,…,N. Let INT = {1,2,…,N} denote this set.
- Let $A_{i \to j}^{(k)}$ be the rate of attacks performed from domain i to domain j where the address of i is spoofed to an address in domain k.
- Total attack rate directed at domain i:
  $$A_i = \sum_{k=1}^{N} \sum_{j=1}^{N} A_{j \to i}^{(k)}$$
- Amount of damage inflicted on servers placed in domain i is denoted by $D_i^{server}$
- Damage reduction is denoted by $DR_i^{server}$
- Relative damage reduction is denoted by $DR_i^{server} / D_i^{server}$

Damage (attack rate) under No Defense
- Total damage to domain i is given by the overall attack rate at the domain:
  $$D_i^{server} = \sum_{k=1}^{N} \sum_{j=1}^{N} A_{j \to i}^{(k)} = A_i$$

Damage Reduction under Ingress/Egress Filtering Defense
- Assume a set of domains denoted $IE \subseteq \{1,2,\ldots,N\}$ conducts ingress/egress filtering
- Damage reduction of domain i is given by
  $$DR_i^{server} = \sum_{j \in IE} \sum_{k \in INT} A_{j \to i}^{(k)}$$

Damage Reduction Under Ingress/Egress Club Defense
- Domains that implement ingress/egress filtering conduct it exclusively to traffic destined to domains in IE
- Benefits members of IE when compared to non members
- Damage reduction is given by
  $$DR_i^{server} = \begin{cases} \sum_{j \in IECLUB} \sum_{k \in INT} A_{j \to i}^{(k)}, & i \in IECLUB \\ 0, & i \notin IECLUB \end{cases}$$

Damage Reduction under SPM Defense
- Assume partners of SPM treat SPM produced and authenticated packets at higher priority
- Damage reduction is expressed in two ways
  - SPM:
    $$DR_i^{server} = \begin{cases} \sum_{j \in INT} \sum_{k \in SPM} A_{j \to i}^{(k)} + \sum_{j \in SPM} \sum_{k \in INT \setminus SPM} A_{j \to i}^{(k)}, & i \in SPM \\ 0, & i \notin SPM \end{cases}$$
  - SPM with ingress/egress filtering:
    $$DR_i^{server} = \sum_{j \in SPM} \sum_{k \in INT} A_{j \to i}^{(k)}, \quad i \in SPMIE$$

Comparison to other Methods
- Fully Symmetric System (identical domain sizes).
- Let $A_{i \to j}^{(k)} = A / N^3$, $1 \le i, j, k \le N$
- Assume the size of each of the defense sets IE, IECLUB, SPM, SPMIE is given by K
- Under no defense:
  $$D_i^{server} = A / N^2$$
- Under ingress/egress filtering:
  $$DR_i^{server} / D_i^{server} = \begin{cases} K/N, & i \in IE \\ K/N, & i \notin IE \end{cases}$$
- Under SPM:
  $$DR_i^{server} / D_i^{server} = \begin{cases} 2K/N - K^2/N^2, & i \in SPM \\ 0, & i \notin SPM \end{cases}$$

Comparison of Methods - Results
[Figure panels: Ingress/Egress Filtering; SPM + Ingress/Egress]

Discussion on Results
- Under ingress/egress filtering, the relative benefit for a participant is identical to that of a non-participant
- Under the Ingress/Egress club, there is some relative benefit to its participants, but if the club is small, there is little incentive
- Under SPM, the benefits are always sufficiently larger

Asymmetric System
- Domain sizes and the traffic generated by them are not identical
- Assume that the domain size follows a Zipf-like distribution
- Under a Zipf distribution, the size of domain i, i = 1,2,…,N, is $X_i = X/i$ for some constant X

Benefits of SPM plus Ingress/Egress under Asymmetric traffic
- The benefit for participating domains grows very rapidly with the SPM size.
- This follows from the fact that large fractions of attacks are directed at large domains

Client Traffic
- When SPM contains many members and the defense used by the attacked server is conservative, an SPM client derives little advantage
- When SPM contains fewer members and the aggressive type of defense is used, clients derive a large advantage
- Benefits to the domain clients complement the benefits to the domain servers, hence a greater incentive for joining SPM

Concluding Remarks
- Ingress filtering is economically ineffective: poor incentive for any network
- SPM is most compatible with today’s internet
- SPM can be used by network routers to eliminate or reduce spoofing attacks.
- Significantly greater incentive for a network deploying SPM
- Effective even if deployed by a fraction of networks.
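
The tagging and dynamic authentication steps from the "Working of SPM", "AS Out Table & AS In Table", "Changing keys periodically" and "SPM Routers" slides can be sketched as follows. This is an added example, not code from the slides: the class, its method names and the dictionary packet model are hypothetical, and the key is carried in a `key` field standing in for the IP ID field.

```python
import secrets
from enum import Enum

class Category(Enum):
    SPOOFED = 1    # SPM recognized spoofed traffic
    CERTIFIED = 2  # SPM certified non-spoofed traffic
    OTHER = 3      # all other traffic (no key known for the source AS)

class SpmEdgeRouter:
    """Toy SPM edge router for one AS (hypothetical class, not from the slides)."""

    def __init__(self, asn):
        self.asn = asn
        self.as_out = {}  # AS-out table: destination AS -> key used for tagging
        self.as_in = {}   # AS-in table: source AS -> accepted keys [new, old]

    def announce_key(self, peer):
        """Choose a fresh 16-bit key K(self, peer) and install it on both sides."""
        key = secrets.randbits(16)
        self.as_out[peer.asn] = key
        # During replacement the verifying router holds two keys: new and old.
        peer.as_in[self.asn] = [key] + peer.as_in.get(self.asn, [])[:1]
        return key

    def tag(self, dst_asn, payload):
        """Tag a packet that originates in this AS (key is None without a peer key)."""
        return {"src_as": self.asn, "dst_as": dst_asn,
                "key": self.as_out.get(dst_asn), "payload": payload}

    def classify(self, pkt):
        """One table lookup on the claimed source AS, then a key comparison."""
        keys = self.as_in.get(pkt["src_as"])
        if keys is None:
            return Category.OTHER
        return Category.CERTIFIED if pkt["key"] in keys else Category.SPOOFED

    def accept(self, pkt, under_attack=False):
        """Peace time drops category 1; attack time drops categories 1 and 3."""
        dropped = {Category.SPOOFED, Category.OTHER} if under_attack else {Category.SPOOFED}
        if self.classify(pkt) in dropped:
            return None
        return dict(pkt, key=None)  # key is removed before forwarding
```

Because the AS-in entry keeps the previous key alongside the new one, packets tagged just before a key change are still classified as certified, which is the two-key overlap described under Method 1.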
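
The relative damage reductions quoted for the fully symmetric system can be checked numerically by evaluating the damage-reduction sums over an explicit attack-rate table. This is an added example, not part of the original slides; the function names are hypothetical, domains are numbered from 0, and the SPM case uses the two-sum expression from the "Damage Reduction under SPM Defense" slide.

```python
from itertools import product

def attack_tensor(n, total=1.0):
    """Fully symmetric system: every (attacker j, victim i, spoofed k) rate is A / N^3."""
    return {(j, i, k): total / n**3 for j, i, k in product(range(n), repeat=3)}

def damage(A, i):
    """Attack rate directed at domain i with no defense."""
    return sum(rate for (j, victim, k), rate in A.items() if victim == i)

def reduction(A, i, blocked):
    """Attack rate toward i removed by a defense that blocks the (j, k) pairs selected."""
    return sum(rate for (j, victim, k), rate in A.items()
               if victim == i and blocked(j, k))

def relative_reductions(n, members):
    """Relative damage reduction for one member and one non-member domain."""
    A = attack_tensor(n)
    m = set(members)
    non_member = next(x for x in range(n) if x not in m)
    out = {}
    for label, i in (("member", min(m)), ("non_member", non_member)):
        d = damage(A, i)
        out[label] = {
            # Ingress/egress filtering: attacks launched from filtering domains vanish.
            "ie": reduction(A, i, lambda j, k: j in m) / d,
            # Club: filtering is applied only to traffic destined to club members.
            "ie_club": reduction(A, i, lambda j, k: i in m and j in m) / d,
            # SPM: spoofed source k in SPM (any j), plus j in SPM with k outside SPM.
            "spm": reduction(A, i, lambda j, k: i in m and (k in m or j in m)) / d,
        }
    return out
```

With N = 10 and K = 4 the member row gives 0.4 for filtering and 0.64 for SPM, matching K/N and 2K/N - K^2/N^2, while a non-member gets 0.4 from plain filtering and nothing from the club or SPM.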