Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis > funding : spoofer : sow-completed.xml
Software Systems for Surveying Spoofing Susceptibility
Sponsored by:
Department of Homeland Security (DHS)
Seeking to minimize Internet's susceptibility to spoofed DDoS attacks, we will develop, build, and operate multiple open-source software tools to assess and report on the deployment of source address validation (SAV) best anti-spoofing practices.

Funding source: DHS S&T contract D15PC00188. Period of performance: August 3, 2015 - March 31, 2017; April 1, 2017 - July 31, 2018 (optional).

|   Statement of Work     Proposal    Spoofer Project Page   |

Statement of Work (Completed)

Period I: Applied Research and Development (8 months, August 1, 2015 - March 31, 2016)

Task 1: Develop and deploy new client-server SAV testing system
1.1Develop an extensible JSON-based structured data communications protocol for negotiating and coordinating complex spoofed packets measurements between the client and our server.

(a) set probing parameters (e.g., where to send spoofed packets, how to encode packets, etc.)
(b) encode traceroute measurements to determine the location of SAV filters
(c) report test results back to the client
1.2Develop and release server software to be easily deployed by network operators for scheduling and coordinating SAV measurements, and transmitting results to a database
1.3Deploy a server instance at CAIDA to support a public view of SAV deployment
1.4Develop and release client software.

(a) can run in the background on Windows, MacOS, and UNIX-like systems
(b) regularly (weekly) test the ability to send and receive spoofed packets
(c) include intuitive GUI to communicate results to the user
(d)support opportunistic measurement by mobile laptops
(e) use link-layer sockets to send spoofed packets as complete Ethernet frames
(f) implement traceroute to help determine the location of SAV filtering
Task 2: Develop and deploy new reporting system to focus SAV compliance attention
2.1Build a reporting engine that will correlate coverage of SAV tests with various characteristics of tested networks: type (e.g., access, transit), country of operation, IP reputation, their country's transparency of governance
2.2Generate ingress access lists for all stub ASes that a transit provider could validate and deploy
2.3Identify the fraction of customers of each transit provider in each region that have been observed spoofing packets
2.4Identify transit providers who should be encouraged to deploy our ingress access lists
2.5Build a public website to report per-network test outcomes, highlighting the most recent tests, on the specialized server at CAIDA
2.6Enable privacy-preserving features to anonymize individual IP addresses when necessary
2.7Add a searching functionality to allow any user to query for results for any network
2.8Incorporate our stakeholder-focused analysis into the public website
Task 3: Research use of IXPs as a vantage point for SAV best practice assessment
3.1Investigate methods to automatically build lists of customer cone prefixes belonging to IXP participants
3.2Identify IXP participants with inadequate SAV deployment by analyzing packets captured at anycast DNS root-server instances deployed at IXPs and finding source addresses outside of the customer cones
3.3Demonstrate to IXPs the measurement capabilities that can illuminate the SAV hygiene practices of their participating networks

Milestones and Deliverables (Period I)

1Report: Extensible client-server protocolNov 1, 2015done
2Develop initial prototypes of client and server softwareDec 1, 2015done
3Deploy a supported instance of server software at CAIDAFeb 1, 2016done
4Evaluate utility of DNS root-server data to obtain external view of IXP hygieneReport: Spoofed traffic to DNS root-serversFeb 1, 2016done
5Deploy public website to show outcomes of testsSoftware: Public websiteMar 31, 2016done
6Final ReportMar 31, 2016done

Period II: Development (12 months, April 1, 2016 - March 31, 2017)

Task 1: Refine client-server testing tools and reports according to experiences and feedback
1.1Organize demonstration of software capabilities for DHS at the appropriate site/occasion (DHS site visit to CAIDA, a Program Meeting, or at DHS chosen site)
1.2Deliver completed and tested client and server software to DHS
1.3Publicly release the client-server software
1.4Integrate telescope backscatter data into reporting system to display trends in randomly spoofed DDoS attacks over time

(a) incorporate characteristics of the targeted networks: type (e.g., access, transit), country of operation, IP reputation, their country's transparency of governance
(b) use historic CAIDA data collected since 2004 to provide a baseline for DDoS trends
1.5Add support to client and server tools to determine whether a tested AS discards packets at the edge of its network arriving from outside of the network but purporting to be from inside the network
1.6Adjust probing strategies of client tools based on operational experience to minimize unnecessary tests
Task 2: Research and develop a traceroute SAV-analysis system to infer providers that do not apply SAV to customers
2.1Research methods and develop implementation to infer provider-customer links that imply lack of SAV by the provider
2.2Report our inferences on the spoofer website
2.3Ccontinuously generate customer cone prefixes to enable an up-to-date view of valid customer prefixes for a specified AS
2.4Implement a query interface to dynamically report prefixes in the customer cone of a specified AS for the convenience of IXP operators

Milestones and Deliverables (Period II)

1Presentation: Demonstrating software to DHSAug 1, 2016done
2Provide DHS with completed client and server software, make software publicSoftware: releaseMay 1, 2016done
3Present intermediate results to industry group (e.g., NANOG) Aug 1, 2016done
4Evaluate utility of system that uses traceroute data to infer provider-customer links without deployed best practicesSep 1, 2016done
5Report: Viability of traceroute SAV system Oct 1, 2016done
6Incorporate trends over time and properties of networks that do not filter spoofed packets into the reporting systemSoftware: Updated reporting system Oct 1, 2016done
7Deploy web-based system to return customer cone prefixes for ASesDec 1, 2016done
8Recommend strategies for region-specific SAV focusReport: SAV analysis with new data typesMar 31, 2017done
9Release client-server software that tests ability of client to receive spoofed packetsSoftware: Year-end releaseMar 31, 2017done
  Last Modified: Fri May-26-2017 16:32:43 PDT
  Page URL: