Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis > funding : spoofer
Software Systems for Surveying Spoofing Susceptibility
Sponsored by:
Department of Homeland Security (DHS)
Seeking to minimize Internet's susceptibility to spoofed DDoS attacks, we will develop, build, and operate multiple open-source software tools to assess and report on the deployment of source address validation (SAV) best anti-spoofing practices.

Funding source: DHS S&T contract D15PC00188. Period of performance: August 3, 2015 - March 31, 2017; April 1, 2017 - July 31, 2018 (optional).

|   Statement of Work     Proposal    Spoofer Project Page   |

Statement of Work

The proposed effort includes applied research, software development, new data analytics, systems integration, operations and maintenance, and an interactive analysis and reporting service. Tasks and deliverables for the entire project are separated into three periods:
  •  Period I : Applied Research and Development
  •  Period II : Development
  •  Period III : Development and Technology Demonstration

Period I: Applied Research and Development (8 months, August 1, 2015 - March 31, 2016) - completed

Period II: Development (12 months, April 1, 2016 - March 31, 2017)

Task 1: Refine client-server testing tools and reports according to experiences and feedback
1.1Organize demonstration of software capabilities for DHS at the appropriate site/occasion (DHS site visit to CAIDA, a Program Meeting, or at DHS chosen site)
1.2Deliver completed and tested client and server software to DHS
1.3Publicly release the client-server software
1.4Integrate telescope backscatter data into reporting system to display trends in randomly spoofed DDoS attacks over time

(a) incorporate characteristics of the targeted networks: type (e.g., access, transit), country of operation, IP reputation, their country's transparency of governance
(b) use historic CAIDA data collected since 2004 to provide a baseline for DDoS trends
1.5Add support to client and server tools to determine whether a tested AS discards packets at the edge of its network arriving from outside of the network but purporting to be from inside the network
1.6Adjust probing strategies of client tools based on operational experience to minimize unnecessary tests
Task 2: Research and develop a traceroute SAV-analysis system to infer providers that do not apply SAV to customers
2.1Research methods and develop implementation to infer provider-customer links that imply lack of SAV by the provider
2.2Report our inferences on the spoofer website
2.3Ccontinuously generate customer cone prefixes to enable an up-to-date view of valid customer prefixes for a specified AS
2.4Implement a query interface to dynamically report prefixes in the customer cone of a specified AS for the convenience of IXP operators

Milestones and Deliverables (Period II)

1Presentation: Demonstrating software to DHSAug 1, 2016done
2Provide DHS with completed client and server software, make software publicSoftware: releaseMay 1, 2016done
3Present intermediate results to industry group (e.g., NANOG) Aug 1, 2016done
4Evaluate utility of system that uses traceroute data to infer provider-customer links without deployed best practicesSep 1, 2016done
5Report: Viability of traceroute SAV system Oct 1, 2016done
6Incorporate trends over time and properties of networks that do not filter spoofed packets into the reporting systemSoftware: Updated reporting system Oct 1, 2016done
7Deploy web-based system to return customer cone prefixes for ASesDec 1, 2016done
8Recommend strategies for region-specific SAV focusReport: SAV analysis with new data typesMar 31, 2017
9Release client-server software that tests ability of client to receive spoofed packetsSoftware: Year-end releaseMar 31, 2017

Period III: Development and Technology Demonstration (16 months, April 1, 2017 - July 31, 2018) - optional

Task 1: Refine client-server SAV testing technology and reports according to experiences and feedback, with continuing releases as necessary
1.1Enhance reporting system to report properties of networks that have received spoofed packets
1.2Share the reports privately with affected networks
1.3Build traffic-analysis software to identify networks forwarding spoofed packets

(a) Combine three data sources: IXP switch traffic data (sFlow records), customer cone information (CAIDA AS Rank), signatures of spoofed traffic (CAIDA darknet traffic analysis)
(b) Provide a view of the apparently spoofed traffic in a privacy-sensitive form excluding last octet of IPv4 addresses and lower half of IPv6 addresses
1.4Support and develop our client-server testing technology based on continuing feedback from network operators, policy makers, and DHS
1.5Incorporate new data into our reporting system
1.6Produce focused reports for network operator groups
1.7Explore additional measurement technologies and data sources suitable for adapting and integrating into a general-purpose network hygiene system (reputation blacklists, presence of possible DDoS amplification vectors: open resolvers, NTP servers, SNMP servers)
Task 2: Develop software client for deployment in resource-constrained open-source home routers
2.1Build functionality to test SAV deployment of access providing networks on a weekly basis into OpenWrt, a Linux-based open-source router firmware
2.2Optimize the client software for resource-constrained home-router environments by incorporating the most relevant features and utilizing libraries designed for embedded environments
2.3Test software in the BISmark home router infrastructure to gain real-world experience before seeking broader deployment
2.4Integrate a web-based SAV reporting engine into the existing web-based interface on OpenWrt routers

Milestones and Deliverables (Period III)

1Include information about clients receiving spoofed packets into the reporting systemSoftware: Updated reporting system Aug 1, 2017
2Release software for inferring participant spoofing at IXPsSoftware: Tool to measure IXP SAV deploymentDec 1, 2017
3Analyze IXPs feedbackReport: feedback received from IXPsApr 1, 2018
4Release OpenWrt client software to test SAV best practices of access providersSoftware: Client for home routers Apr 1, 2018
5Release updated client-server SAV testing softwareSoftware: final releaseJun 1, 2018
6Final report including SAV compliance trends and areas to focus onJul 31 2018

Acknowledgement of awarding agency's support

This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Homeland Security Advanced Research Projects Agency, Cyber Security Division (DHS S&T/HSARPA/CSD) BAA HSHQDC-14-R-B0005, and the Government of United Kingdom of Great Britain and Northern Ireland via contract number D15PC00188.

The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of Department of Homeland Security, the U.S. Government, or the Government of United Kingdom of Great Britain and Northern Ireland.

  Last Modified: Mon Feb-27-2017 14:57:03 PST
  Page URL: