IP Spoofing Defense
On the State of IP Spoofing Defense
Toby Ehrenkranz and Jun Li, University of Oregon
(Slides presenting the paper; see References.)

Outline
• IP spoofing: impersonation, reflection, hiding
• IP spoofing defense
  • Host-based defense methods: cryptographic solutions, SYN cookies, IP puzzles
  • Router-based defense methods: ingress/egress filtering, Distributed Packet Filtering (DPF), Source Address Validity Enforcement (SAVE)
  • Hybrid defenses: Pi
• References

Introduction
IP spoofing: the creation of IP packets whose source address differs from the address assigned to the sending host.
Malicious uses of IP spoofing:
• Impersonation: session hijack or reset
• Hiding: flood attacks
• Reflection: IP reflected attacks

Impersonation (session hijack or reset)
• The attacker sends an IP-spoofed packet: Src: Partner, Dst: Victim.
• The victim assumes its partner sent the packet and starts responding: Src: Victim, Dst: Partner.
• The attacker can inject into, hijack, or reset the partner's session without ever receiving the victim's replies.

Hiding (flood attack)
• The attacker floods the victim with packets carrying random source addresses: Src: Random, Dst: Victim.
• The victim cannot trace the flood back to its origin or filter it by source address.

Reflection (Smurf attacks, DNS amplification attacks)
• The attacker sends an IP-spoofed request to a reflector: Src: Victim, Dst: Reflector (for example, a DNS query).
• The reflector answers the listed source: Src: Reflector, Dst: Victim.
• The victim receives a lot of replies to requests it never made. With DNS amplification the reply is much larger than the query, so each reflector multiplies the attacker's bandwidth.

(Slide 7: figure, IP reflected attacks. Slide 8: figure, DNS amplification attack.)

IP Spoofing Defense: three classes of solutions
1. Host-based solutions
• No need to change the network infrastructure; easy to deploy
• React too late: the spoofed packets have already crossed the network and reached the host
2. Router-based solutions
• Deployed in the core or at the edge
• Most effective, but harder to deploy
3. Hybrid solutions
• Routers and hosts cooperate

Host-based solutions: cryptographic solutions
• Require a handshake to set up secret keys between the two hosts; the communication between them can then be authenticated and encrypted.
• An attacker cannot spoof packets to create a connection: the handshake fails, because the attacker never receives the replies sent to the spoofed address and does not hold the key.
• IPsec is effective in many cases but has drawbacks: it is not feasible to require all hosts to connect through IPsec, and encryption costs time and reduces performance.

SYN cookies
• Some servers use SYN cookies to avoid opening connections to spoofed source addresses.
• A server using SYN cookies allocates no connection state until the 3-way handshake is complete.
• How it works: the server answers a SYN with a SYN+ACK whose sequence number is a cookie V computed from the connection's addresses and ports (plus a server secret and a coarse timestamp). When the client's ACK arrives, the server checks its acknowledgement number: if it is V + 1, the server recomputes V, confirms it matches, and only then creates the connection.
• A host that spoofed the source address never sees the SYN+ACK, so it cannot return V + 1.

IP puzzles
• The server sends an IP puzzle to the client; the client solves it by some computational task; the server allows the connection only after receiving the correct solution.
• The puzzle is sent to the address listed as the packet's source, not to the attacker. A spoofing attacker therefore never receives the puzzle and cannot answer it; only the real owner of the listed address can.

Router-based defense methods
• Most host-based methods can also be used in routers; IPsec and IP puzzles have been used in routers.

Ingress/egress filtering
• Filtering packets before they enter the local network: ingress filtering. Filtering packets before they leave the local network: egress filtering.
• The key is knowing which source addresses are expected on a particular port (interface). This knowledge is not easy to obtain in networks with complicated topologies.
• Reverse path filtering (RPF) can help build this knowledge: a router knows which networks are reachable through each of its interfaces.
  • This is its routing table. If the route back to a packet's source address does not use the interface the packet arrived on, the packet is dropped.

Ingress/egress filtering: drawbacks
• Hard to deploy: with less than 100% deployment, ingress/egress filtering is ineffective, since attackers can spoof from any unfiltered network.
• It cannot stop local spoofing: a host can still use any address inside its own network's prefix.
• RPF may drop legitimate packets, for example under asymmetric routing, when the best route back to the source does not use the arrival interface.

Distributed Packet Filtering (DPF)
• Routers throughout the network keep track of the direction packets should arrive from: which interface receives packets with a particular source address.
• A router detects a spoofed packet when it arrives on a different interface than expected.
• This limits the number of addresses attackers can use.

Source Address Validity Enforcement (SAVE)
• Filters packets based on their incoming direction.
• Every router maintains and updates its own incoming table (source prefix to expected incoming interface).
• SAVE assumes all routers deploy SAVE, which is not feasible.

Hybrid defenses
• Utilize both routers and hosts.
• Routers mark packets as they travel; hosts use the marks to take action.

Path identifier (Pi)
• Pi was originally designed to defend against DoS attacks; it also provides an IP spoofing defense.
• Pi uses the 16-bit IP Identification field (the field used by fragmentation) to identify the path a packet traveled.
• The field is marked along the path: each router shifts in a small number of bits (one or two) derived from its address.
• When a packet reaches its destination, the field contains a marking that is almost unique to the path.
• The end host does not know the path a packet traveled, but if multiple packets carry the same marking, it is highly likely that they traveled the same path.
• Packets with the same source address but different markings can be filtered.

Thank you
If you have any questions please email amjhb@hotmail.com

References
• Toby Ehrenkranz and Jun Li. On the state of IP spoofing defense. ACM Transactions on Internet Technology (TOIT), 9(2):6:1–6:??, May 2009.
• Wikipedia, http://www.wikipedia.org/
• Network security class notes
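The SYN cookie exchange from the SYN Cookies slide, as an added example that is not part of the paper or the slides. The cookie layout (5 bits of a coarse time counter, 24 bits of keyed hash plus client ISN, 3 bits of MSS index), the secret, the MSS table and the two-period acceptance window are assumptions chosen for the illustration; real stacks use their own layouts. Addresses are passed as 4-byte strings to stand in for the IPv4 header fields.

```python
import hashlib
import hmac
import struct

# Constructed example values: a server secret (rotated periodically in practice) and a
# small MSS table whose index is packed into the cookie's low 3 bits.
SECRET = b"example-server-secret"
MSS_TABLE = [536, 1300, 1440, 1460]
COUNT_WINDOW = 2   # cookies minted in the current or previous period are accepted

def _mac(src, dst, sport, dport, count):
    """Keyed hash over the connection 4-tuple and the minting period, truncated to 24 bits."""
    data = struct.pack("!4s4sHHI", src, dst, sport, dport, count)
    return int.from_bytes(hmac.new(SECRET, data, hashlib.sha256).digest()[:3], "big")

def make_cookie(src, dst, sport, dport, client_isn, mss, count):
    """Server side, on SYN: compute the cookie used as the server's ISN in SYN+ACK.
    No connection state is stored. Assumed layout (32 bits):
    [5 bits: count mod 32][24 bits: (mac + client ISN) mod 2^24][3 bits: MSS index]."""
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss)
    h = (_mac(src, dst, sport, dport, count) + client_isn) & 0xFFFFFF
    return ((count & 31) << 27) | (h << 3) | mss_idx

def check_cookie(src, dst, sport, dport, seq, ack, count_now):
    """Server side, on the final ACK: seq is client ISN + 1, ack must be cookie + 1.
    Returns the MSS recovered from the cookie if it validates, else None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    age = (count_now - (cookie >> 27)) & 31
    if age >= COUNT_WINDOW:
        return None                      # expired, replayed, or never issued
    count = count_now - age
    expected = (_mac(src, dst, sport, dport, count) + client_isn) & 0xFFFFFF
    if (cookie >> 3) & 0xFFFFFF != expected:
        return None                      # forged or guessed acknowledgement number
    return MSS_TABLE[cookie & 7]

def handshake_demo():
    """Three-way handshake with a real client, the same ACK step attempted by a spoofer
    who never received SYN+ACK, and a genuine ACK that arrives too late."""
    server, client = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 7])
    sport, dport, client_isn, count = 40000, 80, 0x1234ABCD, 100
    # 1. client -> server  SYN(seq=client_isn); server answers with a cookie, stores nothing
    cookie = make_cookie(client, server, sport, dport, client_isn, 1460, count)
    # 2. server -> client  SYN+ACK(seq=cookie, ack=client_isn+1); only the real owner of
    #    `client` sees this segment
    # 3. client -> server  ACK(seq=client_isn+1, ack=cookie+1)
    legit = check_cookie(client, server, sport, dport, client_isn + 1, cookie + 1, count)
    # A host spoofing `client` must guess the 32-bit acknowledgement number
    spoof = check_cookie(client, server, sport, dport, client_isn + 1, 0xDEADBEEF + 1, count)
    # The genuine ACK arriving COUNT_WINDOW periods later is rejected
    stale = check_cookie(client, server, sport, dport, client_isn + 1, cookie + 1, count + COUNT_WINDOW)
    return legit, spoof, stale
```

The point to take from the check is that nothing about the connection is looked up in a table: the server recovers the minting period and the MSS from the cookie itself and recomputes the keyed hash, so a flood of SYNs from random sources costs it no memory.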
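The IP Puzzles slide's key property, that the puzzle reaches only the listed source address, as an added example that is not from the paper or the slides. The puzzle format (a hash-preimage search with a leading-zero-bits target), the stateless HMAC-derived challenge, the secret, the difficulty and the mailbox model of delivery are all assumptions made for this illustration.

```python
import hashlib
import hmac

SECRET = b"example-puzzle-secret"   # constructed server secret
DIFFICULTY = 12                      # leading zero bits required; about 4096 hashes on average

def issue_puzzle(listed_src, dst, period):
    """Server: derive the challenge from its secret and the packet's listed source, so
    no per-client state is kept. The puzzle is addressed to listed_src, whoever sent it."""
    binding = f"{listed_src}|{dst}|{period}".encode()
    challenge = hmac.new(SECRET, binding, hashlib.sha256).digest()
    return {"to": listed_src, "challenge": challenge, "difficulty": DIFFICULTY}

def solve_puzzle(puzzle):
    """Client: search for a nonce such that SHA-256(challenge || nonce) has
    `difficulty` leading zero bits. This is the computational task the client pays."""
    limit = 1 << (256 - puzzle["difficulty"])
    nonce = 0
    while True:
        d = hashlib.sha256(puzzle["challenge"] + nonce.to_bytes(8, "big")).digest()
        if int.from_bytes(d, "big") < limit:
            return nonce
        nonce += 1

def verify_solution(listed_src, dst, period, nonce):
    """Server: recompute the challenge for the claimed source and check the nonce."""
    if nonce is None:
        return False
    binding = f"{listed_src}|{dst}|{period}".encode()
    challenge = hmac.new(SECRET, binding, hashlib.sha256).digest()
    d = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(d, "big") < (1 << (256 - DIFFICULTY))

def demo():
    """Constructed hosts: a server, a real client, and an attacker forging the client's
    address. `mailbox` models IP delivery: a packet reaches only its destination address."""
    server, client, attacker = "10.0.0.1", "192.0.2.7", "198.51.100.9"
    mailbox = {client: [], attacker: []}
    period = 42
    # Two connection requests arrive, both with the client's address as source: one from
    # the client, one from the attacker. The server cannot tell them apart, so it sends
    # both puzzles to the listed source, i.e. to the real client. (This is why puzzles
    # must be small: otherwise the server itself would become a reflector.)
    for _ in ("real client request", "attacker request with forged source"):
        puzzle = issue_puzzle(client, server, period)
        mailbox[puzzle["to"]].append(puzzle)
    client_ok = verify_solution(client, server, period, solve_puzzle(mailbox[client][0]))
    attacker_has_puzzle = len(mailbox[attacker]) > 0
    attacker_ok = verify_solution(client, server, period, None)   # nothing to submit
    return client_ok, attacker_has_puzzle, attacker_ok
```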
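The Ingress/Egress Filtering slides and their drawbacks, as an added example that is not from the paper or the slides. It models one edge router with a constructed FIB and constructed packets, and runs three checks side by side: a static per-interface ingress ACL, strict reverse-path filtering and loose reverse-path filtering. The `allow_default` switch mirrors the common vendor option of ignoring the default route for RPF; the prefixes, interface names and packets are assumptions.

```python
import ipaddress

class EdgeRouter:
    """Constructed router: a FIB of (prefix, outgoing interface) pairs plus, per
    interface, the source prefixes a static ingress ACL allows."""

    def __init__(self, fib, ingress_acl):
        self.fib = [(ipaddress.ip_network(p), ifc) for p, ifc in fib]
        self.acl = {ifc: [ipaddress.ip_network(p) for p in ps] for ifc, ps in ingress_acl.items()}

    def route_to(self, addr, allow_default=False):
        """Longest-prefix match. The default route is ignored for RPF unless allowed;
        otherwise every source address would look reachable."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, ifc in self.fib:
            if net.prefixlen == 0 and not allow_default:
                continue
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifc)
        return best[1] if best else None

    def ingress_acl_ok(self, src, in_ifc):
        """Static ingress filter: accept only the prefixes configured for the interface."""
        allowed = self.acl.get(in_ifc)
        if allowed is None:
            return True                  # no ACL on this interface (e.g. the upstream link)
        return any(ipaddress.ip_address(src) in net for net in allowed)

    def strict_urpf_ok(self, src, in_ifc):
        """Strict reverse-path check: the best route back to src must use in_ifc."""
        return self.route_to(src) == in_ifc

    def loose_urpf_ok(self, src):
        """Loose check: src merely has to be routable somewhere."""
        return self.route_to(src) is not None

def run_filters():
    edge = EdgeRouter(
        fib=[("0.0.0.0/0", "eth0"),            # upstream / default route
             ("203.0.113.0/24", "eth0"),       # a remote prefix learned from upstream
             ("192.0.2.0/24", "eth1"),         # customer A
             ("198.51.100.0/24", "eth2")],     # customer B, preferred path
        ingress_acl={"eth1": ["192.0.2.0/24"], "eth2": ["198.51.100.0/24"]},
    )
    # Constructed packets: (source address, arrival interface)
    pkts = [
        ("192.0.2.5", "eth1"),       # customer A host, expected source
        ("203.0.113.9", "eth1"),     # customer A host spoofing a remote address
        ("192.0.2.77", "eth1"),      # customer A host spoofing a neighbour in its own /24
        ("198.51.100.3", "eth1"),    # customer B traffic on a secondary link (asymmetric)
        ("10.0.0.1", "eth0"),        # source with no route at all
    ]
    return {src: (edge.ingress_acl_ok(src, ifc), edge.strict_urpf_ok(src, ifc), edge.loose_urpf_ok(src))
            for src, ifc in pkts}
```

Reading the results against the slide's drawbacks: the remote-address spoof is caught by the ACL and by strict RPF but not by loose RPF; the neighbour spoof inside 192.0.2.0/24 passes every check (local spoofing); and customer B's legitimate packet on the secondary link is dropped by the ACL and by strict RPF (asymmetric routing), which is why operators often fall back to loose mode on multihomed links.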
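The incoming-direction idea shared by the DPF and SAVE slides, as an added example that is not the paper's or the slides' code. It builds SAVE-style incoming tables on a constructed four-router topology by letting each edge router send an update for its own prefix along the forwarding path to every other router, with each router on the way recording where the update came from; packets are then checked against those tables. The topology, prefixes, BFS forwarding and the "neighbour name as interface" convention are assumptions of this illustration; the real protocol's message formats are not modelled.

```python
import ipaddress
from collections import deque

# Constructed topology: four SAVE routers; three of them are edge routers for one prefix each.
LINKS = [("R1", "R2"), ("R2", "R3"), ("R3", "R4"), ("R2", "R4")]
LOCAL_PREFIX = {"R1": "192.0.2.0/24", "R3": "198.51.100.0/24", "R4": "203.0.113.0/24"}

def build_adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def next_hops(adj, src):
    """BFS shortest paths from src: a minimal forwarding table {destination: next hop}."""
    nh, seen, q = {}, {src}, deque()
    for n in sorted(adj[src]):
        nh[n] = n
        seen.add(n)
        q.append(n)
    while q:
        cur = q.popleft()
        for n in sorted(adj[cur]):
            if n not in seen:
                seen.add(n)
                nh[n] = nh[cur]
                q.append(n)
    return nh

def forwarding_path(adj, src, dst):
    """Hop-by-hop path a packet from src to dst actually follows."""
    p = [src]
    while p[-1] != dst:
        p.append(next_hops(adj, p[-1])[dst])
    return p

def run_save(adj, local_prefix):
    """SAVE update propagation: each edge router sends an update for its own prefix toward
    every other router; the update follows the same path data packets would, and every
    router on the way records the interface (here: the neighbouring router) the update
    arrived from. Result: {router: {prefix: {expected incoming interface}}}."""
    incoming = {r: {} for r in adj}
    for origin, prefix in local_prefix.items():
        incoming[origin].setdefault(prefix, set()).add("local")
        for dst in adj:
            if dst == origin:
                continue
            p = forwarding_path(adj, origin, dst)
            for prev_hop, router in zip(p, p[1:]):
                incoming[router].setdefault(prefix, set()).add(prev_hop)
    return incoming

def prefix_of(addr, prefixes):
    a = ipaddress.ip_address(addr)
    for p in prefixes:
        if a in ipaddress.ip_network(p):
            return p
    return None

def save_check(incoming, router, src, in_iface):
    """Incoming-direction check at one router. True: accept. False: drop (source prefix
    known, wrong interface). None: no SAVE information for this source, so the router
    must let it through; this is the gap left by partial deployment."""
    prefix = prefix_of(src, incoming[router])
    if prefix is None:
        return None
    return in_iface in incoming[router][prefix]

def demo():
    adj = build_adjacency(LINKS)
    incoming = run_save(adj, LOCAL_PREFIX)
    return {
        # a host behind R1 spoofs an address from R3's prefix: stopped at its first router
        "spoof_at_R1": save_check(incoming, "R1", "198.51.100.7", "local"),
        # the same spoofed packet, had it reached R2 from R1, is stopped there too
        "spoof_at_R2": save_check(incoming, "R2", "198.51.100.7", "R1"),
        # a genuine packet from R3's prefix arriving at R2 from R3
        "legit_at_R2": save_check(incoming, "R2", "198.51.100.7", "R3"),
        # a source from a network with no SAVE router: nothing to compare against
        "unknown_at_R2": save_check(incoming, "R2", "10.9.9.9", "R1"),
    }
```

DPF's route-based filtering ends up with the same kind of table (which interface a given source prefix may arrive on); the difference is how the table is obtained, from routing topology in DPF versus from explicit updates in SAVE. Either way, the `None` case is the one that matters for deployment: a router can only judge sources it has information about.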
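The Pi marking and the end-host filter from the Path Identifier slide, as an added example that is not the paper's or the slides' code. Each router shifts two bits into the 16-bit Identification field; the bits come from `toy_hash_bits`, a hand-checkable stand-in (XOR of the two addresses) for the real scheme's hash of the router and last-hop addresses, and the paths, addresses and the simple per-source filter are assumptions of this illustration. The example also shows a property that does not depend on the hash at all: after 16/n hops the sender's own Identification value has been shifted out, so an attacker gains nothing by choosing it.

```python
import ipaddress

N_BITS = 2                 # bits each router shifts into the 16-bit Identification field
ID_MASK = 0xFFFF
HOPS_KEPT = 16 // N_BITS   # after this many hops the sender's original ID value is gone

def toy_hash_bits(prev_hop, router):
    """Stand-in for Pi's hash of (last hop, this router): the low N_BITS of the XOR of
    the two IPv4 addresses. Chosen so the example can be checked by hand; outside this
    illustration a real hash (e.g. hashlib) over the same inputs would be used."""
    x = int(ipaddress.IPv4Address(prev_hop)) ^ int(ipaddress.IPv4Address(router))
    return x & ((1 << N_BITS) - 1)

def pi_mark(path, initial_id=0):
    """Apply the marking along `path` = [source host, router1, ..., routerN].
    Each router shifts the field left by N_BITS and ORs in its hash bits.
    initial_id is whatever the sender put in the Identification field."""
    marking = initial_id & ID_MASK
    for prev_hop, router in zip(path, path[1:]):
        marking = ((marking << N_BITS) | toy_hash_bits(prev_hop, router)) & ID_MASK
    return marking

class PiFilter:
    """End-host side: remember the markings seen on legitimate traffic per source address
    and drop packets whose marking disagrees with what that source used before."""

    def __init__(self):
        self.known = {}

    def learn(self, src, marking):
        self.known.setdefault(src, set()).add(marking)

    def accept(self, src, marking):
        seen = self.known.get(src)
        return seen is None or marking in seen   # no history: nothing to compare against

def demo():
    victim = PiFilter()
    legit_host = "192.0.2.10"
    legit_path = [legit_host, "10.0.1.1", "10.0.2.1", "10.0.3.1"]
    # An attacker on another network spoofs legit_host; its packets share only the last router.
    spoof_path = ["203.0.113.66", "10.0.9.1", "10.0.5.2", "10.0.3.1"]
    legit_mark = pi_mark(legit_path)
    spoof_mark = pi_mark(spoof_path)
    victim.learn(legit_host, legit_mark)
    return {
        "legit_mark": legit_mark,
        "spoof_mark": spoof_mark,
        "legit_accepted": victim.accept(legit_host, legit_mark),
        "spoof_accepted": victim.accept(legit_host, spoof_mark),
    }
```

The filter is deliberately the simplest reading of the slide ("same source, different marking"): it needs a learning phase on known-good traffic, and with only a few marked hops, as here, the marking space is small enough that unrelated paths can collide, which is why the scheme's strength grows with path length and with n.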