Constructing Inter-Domain
Packet Filters to Control IP
Spoofing Based on BGP Updates
Zhenhai Duan, Xin Yuan
Department of Computer Science
Florida State University
Jaideep Chandrashekar
Department of Computer Science
University of Minnesota
• IP spoofing:
B
A
X
Y
C
D
– Forging the source address
– Used by many popular DDOS attacks
– Making it difficulty to defend again attacks.
• Route based packet filtering
B
A
X
Y
C
D
– One can fake the identity, but not the route.
– A router can decide whether it is in the path from the
source to the destination and drop packets that are not
supposed to be there.
– Route based packet filter cannot completely eliminate
IP spoofing, however, it can significantly reduce it.
• Route based packet filtering requirement:
– The router must know the route between any
pair of source and destination addresses.
• Global topology information
• Not available in BGP.
• Is it possible to infer the feasible route
information from BGP updates?
• If it is possible, what is the performance?
• BGP basic:
– Autonomous Systems (AS) are the basic units
• The network can be modeled as an AS graph
• Nodes are ASes and edges are BGP sessions
• Nodes own network prefixes and exchange BGP
route updates to learn the reachability of prefixes
• Attributes associated with routes: AS path, prefix.
• BGP basic:
– An incremental protocol: updates are generated
only in response to network events.
– Policy based routing:
• Import
• Route selection
• Export
• BGP basic:
– AS relationships and routing policy:
• Provider-customer
• Peer-peer
• Sibling-sibling
• BGP basic:
– Property of BGP routes:
• Uphill path: customer-provider edges or sibling-sibling edges
• Downhill path: provider-customer edges or sibling-sibling edge
• Theorem 1 (Gao [17]): If all Ases set their export policies
according to r1-r4, BGP routes belong to one of the following:
–
–
–
–
–
–
An uphill path
A downhill path
An uphill path followed by a downhill path
An uphill path followed by a peer-peer edge
A peer-to-peer edge followed by a downhill path
An uphill path followed by a peer-to-peer edge followed by a
downhill path.
• Inter Domain Packet Filters (IDPF):
– Deciding feasible routes under BGP
– Feasible routes in BGP are constrained by
routing policies (AS relation)
• Inter Domain Packet Filters (IDPF):
– Path constrained by the routing policies
• Assumptions in our scheme:
• Export rules: MUST export
• Import rules:
• Inferring the feasible paths:
– If u is a feasible upstream neighbor of v for
packet M(u, d), node u must have exported to v
its best route to reach s.
• IDPFs:
• Routing policy complication:
– Selective announcements:
– R5: restricted conditional advertisement
• Performance:
– IDPF finds a set of feasible paths instead of one
best route, its performance will not be as good
as the ideal route based filters [Park 2001]
– Important question: How many ASes must
deploy IDPF to be effective?
– IDPF has two effects
• Reducing the number of prefixes that can be spoofed
• Localizing the source of spoofed packets
• Performance metrics:
• Data Set:
– 4 AS graphs from the BGP data achieved by the
Oregon Route Views Project.
• Experimental setting
– Determine the feasible paths based on update
logs.
– Use shortest path as the route (add if the
shortest path is not a feasible path)
– Selecting nodes that deploy IDPF
• Random (rnd30/rnd50)
• Vertex cover
• If not mentioned specifically, IDPF nodes also have
network ingress filtering.
Chance for completely eliminate IP spoofing:
• Conclusion:
– We proposed and studied IDPF
– IDPF can limit the spoofing capability of
attackers even when partially deployed and
improves the accuracy of IP traceback
– IDPF provides local incentives for deployment.