University of Central Florida
CAP 6135: Malware and Software Vulnerability
Spring 2012
Paper Presentation
Dude, where’s that IP? Circumventing measurement-based
IP geolocation
Phillipa Gill, Yashar Ganjali, Bernard Wong, and David Lie
Presenter
Ahmad Alzahrani
Information about the Paper:
Authors:
Phillipa Gill and Yashar Ganjali
Dept. of Computer Science, University of Toronto
David Lie
Dept. of Electrical and Computer Engineering, University of Toronto
Bernard Wong
Dept. of Computer Science, Cornell University
Presented at the 19th USENIX Security Symposium, on
August 12, 2010 in San Jose, CA during the Internet Security
session.
Background
• What is IP Geolocation?
Introduction
Applications benefit from IP Geolocation
– Online advertising
– Search engines
– Restrict access to online content
• Multimedia
– Fraud Preventions
– Geolocation to locate VMs hosted by cloud provider
Motivation
Who has incentive to circumvent IP
geolocation?
Web clients:
– Gain access to content
– Online payment fraud
Cloud service
– Location-based SLAs - cloud providers.
Paper Contributions
• Evaluation of two attacks.
• First to study measurement-based geolocation
of an adversary
• Studied two models of adversarial geolocation
targets (end host & WAN)
Background
Measurement-based geolocation
Delay-based geolocation (e.g. Constraint-based geolocation
Gueye et al. )
Ping!
Ping!
Ping!
courtesy Phillipa
Measurement-based geolocation
Delay-based geolocation (e.g. Constraint-based geolocation
Gueye et al. )
Ping!
Ping!
Ping!
Ping!
courtesy Phillipa
12
courtesy Phillipa
Topology-aware geolocation
• Assume no direct path to target.
• Locate also hops on the way.
• Takes into account circuitous network paths.
Ping!
Ping!
courtesy Phillipa
Measurement-based geolocation
• Delay-based:
– Constraint-based geolocation (CBG) [Gueye et al]
– Accuracy: ~ 78-182 km
• Topology-aware:
–
–
–
–
Octant [Wong et al.]
Delay between hops on path is considered
Locate nodes along the path
Median accuracy: ~ 35-40 km
Two Attacks have been studied:
(1) Delay-adding attack
Increase delay by time to travel the difference
Challenge:
how to map distance to delay?
-
2
i 
2
c
3
- Access to the map function.
L1
L3
g1
L2
g2
Forged
location
Two Attacks have been studied:
(2) Hop-adding attack
d  1
Landmark 1
Target
d  2
Landmark 2
Two Attacks have been studied:
(2) Hop-adding attack
Multiple network entry points
Internal router (each connected to 3)
Forged location
courtesy Phillipa
Evaluation
– Are the attacks effective?
– What is the accuracy achieved by the attacker to mislead
geolocation.
– Can the attacks be detected?
Experiment1 (Delay-adding Attack)
–Collected measurements inputs using 50 PlanetLab nodes.
–Each node of the 50 takes turn as target.
–Each target moved to 50 forged locations.
Delay-adding Attack - Simulation Setup
Delay-adding attack (Detectability?)
Delay-adding attack (How accurate?)
700
M/KM
NYC-SFO
22
Hop-Adding Attack - Simulation Setup
-Targets : 80 nodes (50 in US and 30 in EU)
-Forget Locations : 11 inside above WAN
(4 Gateways, 15 Internal Routers)
Hop-adding attack (Detectability?)
Hop-adding attack (How accurate?)
Best-case(delay adding attack)
Hop adding attack
25
Recap
Simple
Attacker
Sophisticated
Attacker
Delay-based
Attack
1
1
Topology-aware
Attack
1
2
1 – Detectable using region size, accuracy depends on
distance to forged location.
2 – High Accuracy and difficult to detect.
Conclusion
• Measurement-Based Geolocation algorithms are
susceptible to delay-based and topology
measurements.
• Two models of adversaries have been considered.
• Two attacks have been developed and evaluated.
• The more advanced and accurate algorithm is
more susceptible to tampering
Possible Extensions
• Develop secure measurement protocol to reduce
ability of attackers to change measurements .
• Provide real-world results of the proposed attacks
to study the effect of network congestion state on
accuracy.
Qs & As