Anat Bremler-Barr, Computer Science, Interdisciplinary Center Herzliya
Hanoch Levy, Computer Science, Tel-Aviv University
• Used by hackers to mount denial of service attacks.
• Denial of service attacks – consume the resources of the victim’s network/servers
• Spoofing – forging the source IP of packets
– Easy to create (4000 attacks per week [MVS01])
– Harder to filter
– Harder to trace back
[Figure: spoofing attack. The attacker in Net B’ (ISP B) sends packets across the Internet (via ISP C) with src forged as an address in Net A’ and dst the victim in Net A’ (ISP A).]
• Ingress/Egress filtering
– Implementation: uRPF, ACL
[Figure: ISP B filters out packets leaving Net B’ whose src is not in Net B’.]
– Administrative overhead
– Poor incentive – “good-will” and not a self-defensive method
• Self defense method
• Incentive to implement
– Visibility of SPM members
• Stepwise deployment
• Light mechanism
• Entities: AS
• Key:
– Function of source AS and destination AS
– Added to each packet by the source AS routers
• Routers:
– Mark at the originating AS the outgoing traffic with the key
– Verify at the destination AS the authenticity of the key on the incoming packets
• Key distribution – two options:
– By protocol
– Learned passively
[Figure: filtering spoofed traffic with SPM. The attacker in Net B’ (ISP B) sends a packet with src forged as Net A’, dst the victim and a key field; at ISP A the key does not match the src, so the spoofed traffic is filtered before reaching the victim in Net A’.]
• Server traffic: a server in an SPM member domain can filter at attack time:
– Spoofed traffic from other SPM ASs
– Spoofed traffic that forges SPM AS address space as its source
• Client traffic: a client of an SPM member domain receives preferential treatment at SPM domain servers
• Visibility
• Lightweight function, not crypto: a random 32-bit constant
• Guessing the key succeeds with low probability: reduces the volume of the attack by a factor of 1/2^32
• Function of the source and destination AS
– Acquiring the key is hard
• Key removed by routers, changed periodically
– Sniffing is not a likely threat
• Placed as an additional IP option
• The key information requires two small tables:
– AS-out table – marking
– AS-in table – verification
• Size of each table: 120KB each – future 480KB
– AS coded by 2 bytes (current 16,000, max 2^16)
– Key 4 bytes
• Key information:
– AS-out: synchronization inside the AS
– AS-in: needs to be learned from various ASes – a key from each AS
• Key distribution:
– Protocol: AS server (IRV [GAGIM03], route reflector)
– Passively: learn the key from regular non-spoofed traffic that completes the TCP handshake
• Marking – one lookup per destination (combined with the IP lookup)
– Placed only on traffic destined to other SPM members
• Verification – one lookup per source
– Categorize traffic: spoofed, non-spoofed, other (no key)
– Verification modes:
Conservative verification: peace time (drop spoofed)
Aggressive verification: attack time (drop spoofed + other)
• Implement in edge routers: combine SPM with ingress/egress filtering
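A small Python model of the marking and verification steps above, added here as an illustration and not code from the SPM authors; the three-member topology, the prefix-to-AS lookup, the packet dictionaries and the random keys are all constructed for the example.

```python
import secrets

# Constructed topology: ASes 1, 2 and 4 are SPM members, AS 3 is not.
# Addresses map to an origin AS by their first two octets (toy prefix table).
SPM_MEMBERS = {1, 2, 4}
PREFIX_TO_AS = {"10.1": 1, "10.2": 2, "10.3": 3, "10.4": 4}

def as_of(ip):
    """Origin AS of an address (toy lookup on the first two octets)."""
    return PREFIX_TO_AS.get(".".join(ip.split(".")[:2]))

def make_keys(members):
    """One random 32-bit key per (source AS, destination AS) pair of members.
    AS-out[s][d] is used for marking at s; AS-in[d][s] for verification at d."""
    as_out = {s: {d: secrets.randbits(32) for d in members if d != s} for s in members}
    as_in = {d: {s: as_out[s][d] for s in members if s != d} for d in members}
    return as_out, as_in

def mark(packet, origin_as, as_out):
    """Edge router of the originating AS: attach the key (as an IP option),
    but only on traffic destined to another SPM member."""
    dst_as = as_of(packet["dst"])
    if origin_as in as_out and dst_as in as_out[origin_as]:
        return dict(packet, key=as_out[origin_as][dst_as])
    return packet

def verify(packet, dst_as, as_in):
    """Edge router of the destination AS: categorize the packet by the key
    expected for the AS its source address claims to come from."""
    expected = as_in.get(dst_as, {}).get(as_of(packet["src"]))
    if expected is None:
        return "other"  # claimed source AS is not an SPM member: no key to check
    return "non-spoofed" if packet.get("key") == expected else "spoofed"

def decide(category, mode):
    """Conservative (peace time) drops only spoofed traffic; aggressive
    (attack time) also drops traffic that carries no verifiable key."""
    if mode == "aggressive":
        return "pass" if category == "non-spoofed" else "drop"
    return "drop" if category == "spoofed" else "pass"
```

Traffic between a member and a non-member is never marked, so in peace time it is passed as "other"; only in attack time does the destination member drop it along with spoofed packets.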
[Figure: two plots, “Relative Benefit of Ingress/Egress filtering” and “Relative Benefit of SPM”, each showing relative benefit (0 to 1) for members and for non-members against the number of participants (0 to 10000).]
Relative benefit of SPM = cannot spoof from an SPM AS + cannot spoof to SPM address space = 2K/N - (K/N)^2 for K participating ASes out of N
[Figure: “Relative Benefits of SPM”, relative benefit (0 to 1) for SPM members and SPM non-members against the number of participants (0 to 10000).]
• Traffic is proportional to the domain size
• Domain size ~ address space allocation ~ Zipf distribution (top 10 ISPs – 27.8% of the address space [Fixedorbit])
• Ingress/Egress filtering – today’s technological solution is economically ineffective
• SPM – economically attractive:
– An AS that joins gains significant relative benefits (server traffic/client traffic)
– Stepwise deployment
– Visibility
– Simple